OPNsense Forum
Messages - gac

1
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 04:20:08 pm »
Quote from: FullyBorked on Today at 04:02:03 pm
Quote from: gac on Today at 03:59:08 pm
Quote from: FullyBorked on Today at 03:57:47 pm
Quote from: franco on Today at 03:47:04 pm
Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file. Should I check somewhere else?
They would be in /var/unbound/etc/dot.conf

Hmm, ok the link he quoted mentioned the unbound.conf.  My dot.conf file other than a single forwarding zone is empty.
The documentation for `unbound.conf` just shows every available option - Unbound is one of the (sensible) apps which allows for options to be spread across multiple configuration files, for example some provided by a package manager (eligible for overwriting) and some manually (which should not be overwritten). Or separated out by purpose/feature.

So `/var/unbound/etc/dot.conf` will contain a rendered config file with the configuration entries from the `unbound.conf` man page, which are relevant for DNS-over-TLS (or `dot`).
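To make the split-file point concrete, here is a small lint pass (an added example, not code from this thread, from OPNsense or from NLnet Labs) that parses Unbound's clause/attribute syntax and checks whether a forwarding zone that talks TLS upstream actually has a certificate store to validate against. It treats several fragments as one config, which is how Unbound sees a main `unbound.conf` plus an included `dot.conf`: the `server:` options live in one file, the `forward-zone:` in another, and only the combination is meaningful. The directive names (`tls-cert-bundle`, `tls-win-cert`, `forward-tls-upstream`, `forward-addr` with `@port#authname`) are the ones from the unbound.conf man page; the sample fragments, the `/etc/ssl/cert.pem` path and the function names are constructed for illustration.

```python
"""
Constructed example: lint Unbound-style config text for DNS-over-TLS forward
zones that have no way to validate the upstream certificate. Directive names
come from unbound.conf(5); samples, paths and function names are assumed.
"""
import re
from typing import Dict, List, Optional

Clause = Dict[str, List[str]]

# Constructed: a server: fragment as the main unbound.conf might carry it.
SERVER_WITH_BUNDLE = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"   # CA store used to validate upstreams
"""

# Constructed: the same role filled by the system certificate store switch.
SERVER_WITH_WIN_CERT = """\
server:
    tls-win-cert: yes
"""

# Constructed: what a rendered dot.conf with a single forwarding zone looks like.
DOT_ZONE = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

_DIRECTIVE = re.compile(r'^([a-z0-9-]+):\s*(.*)$')


def _strip_comment(line: str) -> str:
    # '#' opens a comment only at the start of a token, so the authentication
    # name in 'host@853#dns.example' survives intact.
    return re.sub(r'(^|\s)#.*$', '', line)


def parse_unbound(text: str) -> Dict[str, List[Clause]]:
    """Parse Unbound clause/attribute syntax into {clause: [ {attr: [values]} ]}.

    A 'key:' line with no value opens a new clause (server:, forward-zone:);
    any other 'key: value' line belongs to the most recent clause. Repeated
    attributes keep every value in order, as Unbound itself does.
    """
    clauses: Dict[str, List[Clause]] = {}
    current: Optional[Clause] = None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "":
            current = {}
            clauses.setdefault(key, []).append(current)
        elif current is None:
            raise ValueError(f"attribute {key!r} appears before any clause")
        else:
            current.setdefault(key, []).append(value.strip('"'))
    return clauses


def check_dot(*fragments: str) -> List[str]:
    """Lint the fragments as one combined config; an empty list means no finding."""
    cfg = parse_unbound("\n".join(fragments))
    server: Clause = {}
    for clause in cfg.get("server", []):
        server.update(clause)
    has_bundle = "tls-cert-bundle" in server
    has_win = server.get("tls-win-cert", ["no"])[-1].lower() == "yes"
    findings: List[str] = []
    for zone in cfg.get("forward-zone", []):
        name = zone.get("name", ["?"])[-1]
        if zone.get("forward-tls-upstream", ["no"])[-1].lower() != "yes":
            continue  # plain UDP/TCP forwarder: certificate handling is irrelevant
        if not (has_bundle or has_win):
            findings.append(
                f"forward-zone {name}: forward-tls-upstream is on but the "
                "server: clause sets neither tls-cert-bundle nor tls-win-cert, "
                "so upstream certificates cannot be validated")
        for addr in zone.get("forward-addr", []):
            if "#" not in addr:
                findings.append(
                    f"forward-zone {name}: forward-addr {addr} carries no "
                    "#authname, so the certificate is not matched to a hostname")
    return findings


if __name__ == "__main__":
    for label, frags in {
        "dot.conf alone": (DOT_ZONE,),
        "unbound.conf + dot.conf": (SERVER_WITH_BUNDLE, DOT_ZONE),
    }.items():
        print(label, "->", check_dot(*frags) or "OK")
```

Run against the rendered files Unbound actually loads (main config plus every `include:`d file) rather than against a single fragment; `dot.conf` on its own will always look incomplete, because the trust store is a `server:` option and belongs to the other file.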

2
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 03:59:08 pm »
Quote from: FullyBorked on Today at 03:57:47 pm
Quote from: franco on Today at 03:47:04 pm
Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file. Should I check somewhere else?
They would be in /var/unbound/etc/dot.conf

3
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 03:53:58 pm »
Patch works for me.

4
22.7 Legacy Series / Weird states behaviour when using "Inspect"
« on: August 25, 2022, 12:18:18 am »
I have an OPNsense 22.7.2 box where I was trying to debug some traffic.

I have a Floating rule with the settings:
  • Interface: Guest, VPN
  • Direction: In
  • Protocol: IPv4+6 TCP
  • Source: any
  • Destination: ALIAS (The alias contains 2 RFC1918 IPv4 addresses)
  • Port: MS DS (445)
  • Description: server CIFS
On the Floating Rules page, if I push "Inspect" then the UI updates to show me a new "States" column, which shows 1 session. This is as I expect (there is currently one client connected from the VPN interface, so this lines up).

If I click the "1" text, then I get taken to the Firewall/Diagnostics/States screen where there are several matches, one of which is the one I expect, and several of which don't match the criteria. For example there are matches with the destination port of 80, there are IPv6 matches even though the alias only contains IPv4 addresses, etc. I've attached a couple of screenshots; some redacting has been done, but there's enough to show that these states should not match the rule they claim to be matching.

5
22.1 Legacy Series / Re: scattered issues OPNsense version 22.1.9_1 (the very latest)
« on: June 30, 2022, 12:35:39 am »
Quote
the GUI reboot works if and especially when it wants: after giving it, think about it, go back to the "dashboard" and, with ease, start again, obviously whatever you do you will need to log in.

Out of interest, do you use the memory filesystem, and have features like Insights enabled with backups to disk?

On a previous release, I used to see that when I had this combination of features, during the reboot OPNsense would try to back up the memory-backed mountpoint to disk. This took so long that the "check for when the box has rebooted" spinner thing would start firing, see that the UI was up, and assume the reboot was finished even though it wasn't. Then when the backup script actually finished, the reboot would happen.

I did some tinkering a while back and opened https://github.com/opnsense/core/issues/5278 about changing the compression algorithm; by default it uses gzip, which gives good compression but is slow. I changed my appliance to use zstd level-1, which was slightly larger but compressed in around 15% of the time.

6
22.1 Legacy Series / Re: [CALL FOR TESTING] FreeBSD 13.1 / 22.7 operating system preview
« on: June 23, 2022, 04:17:23 pm »
Is there anything to be aware of if someone applied this test base/kernel, with 22.1.9 being released? i.e. should you avoid 22.1.9 altogether? Should you upgrade to 22.1.9, then reapply this preview? Should you do something else?

7
General Discussion / How does the firewall interact with the shaper?
« on: December 21, 2020, 09:47:10 pm »
I'm looking to use the shaping functionality to make for smoother audio calls (like everyone else, I'm working at home...)

The UI for the shaper is "enough", but it's less feature rich than I might like (ports specified manually, can't use aliases, etc). So one thought I had is simply to create myself some low/med/high priority queues and then configure rules for certain DSCP values which could then be applied by firewall rules. However, to know whether that would work properly depends on how the packets flow through the firewall, which could be (for example):

Code:
ingress --> filter --> shaper --> egress

(this could work because the filter could apply a DSCP class to the packet, the shaper could see it and handle it in the correct queue)

Code:
ingress --> shaper --> filter --> egress

(this could not work because by the time the filter saw the packet to mark it, the shaping decision would have already been made)

So in a system with both packet filtering and shaping enabled, does anyone know what's the order?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved