Messages

1

Hardware and Performance / Re: Lenovo M920q NIC and RAM recommendation

« on: March 25, 2023, 12:44:57 pm »

Intel i350. Beware fake Intel cards on eBay though.

RAM - 8GB are plenty for Opnsense. More could be required only if you need a lot of additional services.  Have a look at your current RAM usage to check.

Incidentally, I'll be moving to an m720q 8500T or 9400T soon, too ;-)

2

Tutorials and FAQs / Re: HOWTO - Redirect all DNS Requests to Opnsense

« on: March 24, 2023, 12:32:31 am »

Cool, thanks!

3

22.1 Legacy Series / Re: os-ddclient

« on: March 24, 2023, 12:28:12 am »

I'm spamming this advice as it was "hidden" on github:

How to enable ddclient cloudflare API token use:

username:   token           (!!)
password:   API Token

(taken from Github - just tried it on 23.1 and it works. Goodbye Global API Key!)

4

22.1 Legacy Series / Re: Dynamic DNS - Cloudflare

« on: March 24, 2023, 12:26:39 am »

How to enable ddclient cloudflare API token use:

username:   token
password:   API Token

(taken from Github - just tried it on 23.1 and it works. Goodbye Global API Key!)

5

German - Deutsch / Re: DynDNS Legacy to OS-DDClient Umstellung - Cloudflare - Fehlende auth methode

« on: March 24, 2023, 12:25:41 am »

Cloudflare API token geht wie folgt bei ddclient:

How to enable ddclient cloudflare: EASY!
username:   token
password:   API Token

6

23.1 Production Series / Re: SSL DPI

« on: March 06, 2023, 08:41:25 pm »

You could also block access to the Snapchat servers based on its ASN IPs.

7

Intrusion Detection and Prevention / Re: Suricata Policies not working as expected?

« on: February 23, 2023, 04:38:10 pm »

For most of these, you shouldn't use Suricata at all but use firewall aliases and rules to block these IPs directly, as it is (said to be) a lot more performant.

In Suricata, only use the following:
   
    abuse.ch/SSL Fingerprint Blacklist
 

Not sure if this is a rules or IP based list:
    abuse.ch/ThreatFox
   

8

23.1 Production Series / Re: Upgrade vs Clean Install

« on: January 30, 2023, 01:16:09 pm »

Is it worth a clean upgrade just to get on ZFS

Absolutely.

Being able to do snapshots and backup boot environments (bectl) prior to upgrades is a god-send.

The thing that holds me back is recreating all the "custom" stuff that isn't backed up normally e.g. I have scripts that execute speed tests against 5 servers, some custom commands for Unbound and who know how many other tweaks I have probably forgotten about. I'd be installing to a new drive so getting anything back shouldn't be too difficult, just a pain, also fully reverting will be simple.

You could try to run a "diff" (compare directories etc.) between the two filesystems to find esp. custom scripts, config files etc.

Also, is it just a case of backing up the current installation, copying that to a USB drive then pointing the installer to that file?

Basically yes. You may have issues initially e.g. having to reinstall plugins  / repos but those can usually be sorted out pretty easily.

9

22.7 Legacy Series / Re: "No space left on device" upgrading 22.7.9 -> 22.7.9_3

« on: December 29, 2022, 10:24:20 pm »

[pls disregard]

10

22.7 Legacy Series / Chrony - NTS server

« on: December 06, 2022, 10:37:20 pm »

I noticed that the standard installation of the chrony plugin may not work as an NTS server. Can't tell for sure as I am not using a clean install. So putting this out here in case (1) it helps someone and/or (2) someone can help me improve / simplify my setup.

my issues:
chrony clients could not connect because of certificate errors.
1. the chrony plugin in server mode needs read access to the certificate and key. Without it, I got the following error:

Code: [Select]

# chronyd -Q -t 3 'server [myserver] iburst nts maxsamples 1'
...
... TLS handshake with [myserver] failed : The TLS connection was non-properly terminated.
...
2. the certificate needs to be the full chain. Without it, I got

Code: [Select]

# chronyd -Q -t 3 'server [myserver] iburst nts maxsamples 1'
...
... TLS handshake with [myserver] failed : Error in the certificate verification. The certificate is NOT trusted. The certificate issuer is unknown....
3. the standard OPNsense certificate & key at /var/etc/cert.pem / ..key.pem are read root only. I did not want to grant chrony access to it or include chrony in the "wheel" group.

What did I do?

1. set up a DNS alias for time.MYDOMAIN.TLD
2. set up a separate letsencrypt certificate for time.MYDOMAIN.TLD
3. set up an automation to have the certificate (full chain + key) be copied over to /var/lib/chrony and chmod those to chronyd and restart chrony:
a) set up the following backend action (https://docs.opnsense.org/development/backend/configd.html):

Code: [Select]

[NTS_renewal]
command:cp /var/etc/acme-client/home/time.XXXXX/fullchain.cer /var/lib/chrony/chrony.fullchain.cer && cp /var/etc/acme-client/home/time.XXXXX/time.XXXXX.key /var/lib/chrony/chrony.key && cp /var/etc/acme-client/home/time.XXXXX/time.XXXXX.cer /var/lib/chrony/chrony.cer && chown chronyd /var/lib/chrony/chrony.key /var/lib/chrony/chrony.cer /var/lib/chrony/chrony.fullchain.cer && /usr/local/etc/rc.d/chronyd stop && /usr/local/etc/rc.d/chronyd start
type:script
message: copy NTS certificates into chrony directory and make them readable
description: Renew NTS certificate & restart chrony (all in one go)b) enable it:

Code: [Select]

service configd restartc) setup an automation using this action in the ACME client for the NTS certificate.
4. Point chrony to his certificate and key:

Code: [Select]

ntsservercert /var/lib/chrony/chrony.fullchain.cer
ntsserverkey /var/lib/chrony/chrony.key(not sure this will persist an update of the plugin though ...)

Now it seems to work. Hooray! 

resources:
- https://docs.opnsense.org/development/backend/configd.html
- https://unix.stackexchange.com/questions/712784/chrony-fails-to-sync-with-nts-enabled

pinging @mimugmail in case some of this could be intregrated into the plugin itself (as it purports to create a working NTS server which it _may_ not do).

Especially, it seems that the manual edits to the config file - specifically the "ntsservercert" / "ntsserverkey" part -- seem to be over-written ...

11

22.7 Legacy Series / Re: Crontab is not keeping job related to user entries

« on: November 24, 2022, 12:04:36 pm »

PS: https://forum.opnsense.org/index.php?topic=30993.0

Thanks!

12

General Discussion / Re: Periodic.conf tunables?

« on: November 24, 2022, 12:04:09 pm »

Thank you both - I'll set up a .local on my system too to enable trim, scrub and snapshots.

13

22.7 Legacy Series / Re: Crontab is not keeping job related to user entries

« on: November 23, 2022, 10:11:41 pm »

You should add a permanent backend job as per https://docs.opnsense.org/development/backend/configd.html

Great - thank you for the pointer (and apologies for not RTFM).

Here is a very simple action for ZFS scrub and ZFS trim:

Code: [Select]

[trim]
command:zpool trim
parameters: %s
type:script_output
message: Run ZFS trim on specified pool
description: zpool trim [zpool]

[scrub]
command:zpool scrub
parameters: %s
type:script_output
message: Run ZFS scrub on specified pool
description: zpool scrub [zpool]
Is it possible to permanently save a script like zrep, zrepl, znapzend or syncoid/sanoid to the OPNsense system to enable periodic snapshots (and automatic pruning thereof)?

Or would it be possible to use and persistently configure the FreeBSD periodic.conf system?

14

22.7 Legacy Series / Re: AcmeClient upload_sftp debugging

« on: November 10, 2022, 06:07:41 pm »

I can connect but cannot upload to my ESXi server. IIRC, it was an issue with a filesystem command that SFTP wanted to run that ESXi didn't recognise/implement.  (manual scp from opnsense works)

15

22.7 Legacy Series / Re: unbound dns stops sporadically

« on: November 07, 2022, 06:17:54 pm »

config changes -> could this be an update / re-loading of DNSBL or a DCHP registration update?