Messages - bimbar

Pages: [1] 2 3 ... 30
1
German - Deutsch / Re: New hardware is needed
« on: December 02, 2024, 11:04:28 am »
Whoever has too few ports should buy a switch.

2
24.7 Production Series / Re: IPv6 router advertisements problems in 24.7/24.1.x
« on: November 29, 2024, 01:44:57 pm »
If you need to solve this in KEA, it can be done via client classes like so:

Code:
"Dhcp6": {
    "client-classes": [
        {
            "name": "Client_enterprise",
            "test": "substring(option[1].hex,0,6) == 0x0002AABBCCDD"
        }
    ]
}

You can test on pretty much any content of the packet: https://kea.readthedocs.io/en/kea-2.2.0/arm/classify.html
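As an added illustration (not code from the post or from Kea itself), the following Python emulates what that class test actually matches: DHCPv6 option 1 is the client DUID, and a DUID starting with type 0x0002 followed by four bytes is a DUID-EN, so the expression selects clients whose DUID-EN carries enterprise number 0xAABBCCDD (taken from the post as written). The sample DUIDs are constructed, not captured.

```python
# Added example: emulate the Kea client-class test
#   substring(option[1].hex,0,6) == 0x0002AABBCCDD
# over DHCPv6 client identifiers (DUIDs, RFC 8415 section 11).
import struct

# Type 2 (DUID-EN) plus the enterprise number used in the forum post.
ENTERPRISE_DUID_PREFIX = bytes.fromhex("0002AABBCCDD")

def describe_duid(duid: bytes) -> dict:
    """Decode the type-specific header of a DHCPv6 DUID."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    duid_type = struct.unpack("!H", duid[:2])[0]
    if duid_type == 1:  # DUID-LLT: type, hw type, time, link-layer address
        hw, t = struct.unpack("!HI", duid[2:8])
        return {"type": "DUID-LLT", "hw_type": hw, "time": t, "lladdr": duid[8:].hex()}
    if duid_type == 2:  # DUID-EN: type, enterprise number, opaque identifier
        ent = struct.unpack("!I", duid[2:6])[0]
        return {"type": "DUID-EN", "enterprise": ent, "identifier": duid[6:].hex()}
    if duid_type == 3:  # DUID-LL: type, hw type, link-layer address
        hw = struct.unpack("!H", duid[2:4])[0]
        return {"type": "DUID-LL", "hw_type": hw, "lladdr": duid[4:].hex()}
    return {"type": f"unknown({duid_type})", "raw": duid.hex()}

def matches_enterprise_class(duid: bytes) -> bool:
    """Same check as the Kea expression: first 6 bytes of option 1."""
    return duid[:6] == ENTERPRISE_DUID_PREFIX

# Constructed sample DUIDs (hypothetical, not from a real network).
SAMPLE_DUIDS = {
    "vendor_box": bytes.fromhex("0002AABBCCDD" + "0102030405"),
    "duid_llt_laptop": bytes.fromhex("0001" + "0001" + "2A1B3C4D" + "001122334455"),
    "other_enterprise": bytes.fromhex("0002" + "00000009" + "deadbeef"),
}

def classify_all() -> dict:
    """Map each sample to the Kea class name it would land in, or None."""
    return {name: ("Client_enterprise" if matches_enterprise_class(d) else None)
            for name, d in SAMPLE_DUIDS.items()}

if __name__ == "__main__":
    for name, duid in SAMPLE_DUIDS.items():
        print(name, describe_duid(duid), classify_all()[name])
```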

3
Hardware and Performance / Re: Is this a good device for Opnsense?
« on: November 29, 2024, 01:19:51 pm »
Quote from: vicking on November 29, 2024, 12:41:28 pm
Quote from: AhnHEL on November 28, 2024, 03:23:05 am
A Lenovo M920q is about $140. Add the PCIE16 Riser Card 01AJ940 with baffle for $35 and attach that to an Intel i350-t2 or t4 and you'll have something much better and dependable than those Aliexpress boxes in my opinion.


https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-thinkstation-tiny-project-tinyminimicro-reference-thread.34925/

Exactly this! Been using an m720q with a 9100T, 16gb ram and Intel i350-AM2 SFP card directly connected to my AON and it has been rock solid!
Consumption is 11w idle which is almost the same as those n100 boxes which most of them have non optimized BIOS or even are unable to tweak them because of poor architecture…

Intel 9100T: 35W TDP
Intel 8500T: 35W TDP
Intel N100: 6W TDP

I use a Beelink EQ12 as router at the moment.

4
24.7 Production Series / Re: IPv6 router advertisements problems in 24.7/24.1.x
« on: November 29, 2024, 01:15:33 pm »
NM, have you selected the "Agent Information" option? If so, try without it.

Configurability of dhcrelay is unfortunately limited, so opnsense mostly has to depend on it doing the right thing:

Code:
The options are as follows:

-d
Do not daemonize. If this option is specified, dhcrelay6 will run in the foreground and log to stderr.
-E enterprise-number
Choose the enterprise-number that will be used by the Remote-ID option (this only has effect when using -R).
-I interface-id
The interface-id relay agent information option value that dhcrelay6 should use on relayed packets. If this option is not specified, it will use the interface name by default.
Avoid using this option when using Lightweight DHCPv6 Relay Mode (layer 2 relay), otherwise dhcrelay6 will always send replies back to the client interface, which will break networks with multiple DHCPv6 layer 2 relay agents.

-i interface
The name of the network interface which will receive client DHCPv6 requests. For layer 3 mode at least one IPv6 local, site or global address has to be configured on this interface.
-l
Use the Lightweight DHCPv6 Relay Agent mode (layer 2 relaying).
-o
Add the Interface-ID option. This option is activated by default when using layer 2 relaying.
-R remote-id
Enable and add the specified Relay Agent remote-id to identify this relay segment.
-v
Debug mode. This option will make dhcrelay6 run in the foreground, log to stderr and show verbose messages.

5
General Discussion / Re: Configuration import verification
« on: November 29, 2024, 12:50:00 pm »
I am not sure DHCP leases should be in the backup, personally.

6
24.7 Production Series / Re: ISP hacked OPNSense Router
« on: November 28, 2024, 04:39:04 pm »
Quote from: chemlud on November 28, 2024, 12:56:42 pm
Yepp, IPS is not "fire and forget" but I like to get a feeling for what is going on the various levels-of-trust LANs. Warnings/blockings by Suricata give a feeling if some client tries e.g. to resolve fishy domains or contact known malware IPs.

Problems normally originate from the LAN side and IPS should be active on LAN, not WAN, correct.

You can get that by dynamic IP blocklists (firehol, crowdsec) and DNS blocking.

7
General Discussion / Re: Migration of network structure
« on: November 28, 2024, 10:35:36 am »
Quote from: meyergru on November 27, 2024, 08:13:55 pm
3. AFAIK, no. But why would you? The SIP IPs are known beforehand, so you can put them into a firewall alias. SIP nowadays does need a port forward, but if you know your ISP, you can also limit inbound connections to their ASN.
I always restrict such devices to my IoT network, where they cannot do much harm, anyway.

I have had quite a few SIP setups that worked without inbound forwarding, modern SIP is supposed to be able to detect NAT and work through it.

8
24.7 Production Series / Re: ISP hacked OPNSense Router
« on: November 28, 2024, 10:25:24 am »
Quote from: fakebizprez on November 27, 2024, 04:40:57 pm
Quote from: peterwkc on November 27, 2024, 09:23:29 am
4. Installed Suricata IPS
Quote
No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.

This is well worth discussing, but maybe in a different thread. I, btw, also don't believe in most of the things IPS is supposed to do.

9
24.7 Production Series / Re: ISP hacked OPNSense Router
« on: November 27, 2024, 11:07:11 am »
First, if you think some device of yours has been penetrated by an attacker, reinstall it cleanly.

10
General Discussion / Re: How to resolve SRV record to use Active Directory
« on: November 26, 2024, 11:13:20 am »
You can also use another DNS server, like the opnsense firewall, but you MUST forward DNS resolution for the AD domain to the DC.

11
Zenarmor (Sensei) / Re: Updating the packet engine resets web filtering to moderate
« on: November 21, 2024, 03:50:20 pm »
Thanks, I did that.

12
Zenarmor (Sensei) / Updating the packet engine resets web filtering to moderate
« on: November 20, 2024, 10:28:10 pm »
Free edition, as the subject says.
Kind of annoying.

13
24.7 Production Series / Re: BAD STATE
« on: November 18, 2024, 01:58:49 pm »
Quote from: Patrick M. Hausen on November 18, 2024, 01:36:30 pm
That's how it's supposed to work. A host will always prefer a locally connected interface over a static route. Don't connect hosts via more than one interface/network.

NM, didn't read enough of the posts ;).

Just a comment though, more specific routes are always preferred regardless of connection, but in this case, the subnet mask was the same, and then, distance / metric / connection are relevant.

14
General Discussion / Re: IPV6 setup problem
« on: November 18, 2024, 10:13:49 am »
Quote from: dseven on November 17, 2024, 09:07:45 am
Multi-WAN is quite complicated. Multi-WAN with IPv6 is even more complicated. Did your TP-Link/Omada setup support it?

In your earlier posts, you weren't even sure if your ISPs provide IPv6 at all. I'd suggest getting it working with one ISP first (or maybe you have, and I missed it?), then the other ISP, then worry about multi-WAN.

Multi-WAN with opnsense is actually quite simple. IPv6 Multi-WAN is broken on a design level, nothing to do with the actual firewall you use.
Here's more to read: https://datatracker.ietf.org/doc/draft-fbnvv-v6ops-site-multihoming/

15
General Discussion / Re: IPV6 setup problem
« on: November 16, 2024, 10:07:29 pm »
Choose one, NPTv6 the other one.

Or you can read: https://blog.ipspace.net/2023/01/dc-ipv6-small-site-multihoming/
