Messages

1

22.1 Legacy Series / Re: powerD seem not working

« on: August 15, 2022, 10:46:50 pm »

Sorry I can't diagnose at the moment. All my Intel freebsd machines are switched off, only amd in use at present. At a glance however it seems the cpu or bios is not reporting scaling frequencies available.

2

22.1 Legacy Series / Re: powerD seem not working

« on: August 15, 2022, 12:08:30 pm »

What's set to in System > Settings > Miscellaneous > Thermal Sensors and Power Savings ?
They might need a review.

3

General Discussion / Re: OPNsense - installing other software on the same hardware - security risk?

« on: August 15, 2022, 12:04:11 pm »

To an extent, it depends.
In a corporate envrionment, it's discouraged and even forbidden. It can be a security vector. In a home envrionment, you make your own assessments.
You need to find the balance between following accepted wisdom of keep it with as little addition as possible to avoid problems unrelated to the distribution, and the best use of your hardware.
I'd say as long as is part of the core firewall, there are bits that are fine to do. Data collection for your example is in my opinion, well within that scope. For instance installing containers, jails, media apps like plex, etc. no.
The argument of well I have all these compute resources underutilised and saves me from having another device consuming power, etc. doesn't fly with me but hey, each to their own.
For influxdb, there's a community plugin I think.

4

22.7 Production Series / Re: No carrier after install

« on: August 12, 2022, 05:27:58 pm »

To get a different modem, without a built-in router, I would have to get the business plan. They do not sell modem-only units to home users, gave me some BS about providing better security this way.
To get a second external IP address, I would have to buy the business modem and get the business plan. Depending on which customer support person I talk to, they may require a copy of a business license to get the business plan. Anyway, the business plan would raise my monthly cost from $65 to $245, not work it for me. A business plan is not faster either, I'm limited by their DSL technology.
The home modem/router does not have a bridge mode, their support tech could not understand why anyone would want an insecure connection. So far the best I can do to eliminate their stuff is to turn off the WiFi of their modem/router unit, and put my own solution behind it (along with the double NAT issues that causes).

I wasn't suggesting to attempt going for that, just because you wrote "I can only get internal IP addresses from it, even when I place something in the DMZ." so I assumed you wanted to say host your own webserver on a different public IP to your "main one".
I understand the pickle with Isp though. Same in the UK, some IPS provide a router that their custom UI doesn't allow bridge mode. The solution here is to replace it completely with any other that does. BUT that works because it's easy to find the required authentication details needed to enter in the replacement unit for PPoE, or by the identification of the plant i.e. the IDs of physical cable.
Anyhow, if you can get those, easy solution: replace just the modem part, put in bridge, OPN after.

In the meantime we're digressing a little. Post what dmesg shows, we're looking for clues what might be the problem despite the double nat.

5

22.7 Production Series / Re: No carrier after install

« on: August 11, 2022, 10:28:10 pm »

It doesn't explain why the behaviour changes from live to installed but yes, it would help and preferable when not fully conversant with the networking ways.
[quote ]
That is correct, my ISP modem/router combo unit. I can only get internal IP addresses from it, even when I place something in the DMZ.
I can see on my desktop that I sometimes get port scanned from various IPs outside the US. So I don't really trust the "advanced cyber security" provided by the ISP router. I'm putting the OPNsense between the ISP modem/router and my internal network (NAS, Proxmox, workstations)
[/quote]
That is the expected behaviour. Your current modem/router combo is terminating the line, dialing up and getting the WAN ip. A machine on the DMZ zone won't be doing another request for a public ip unless setup to do so, and would only get one if your isp has assigned multiple public ips on your service -something you had to pay for and be on a business or specialised prosumer package-. Maybe you do have it but you haven't stated it.

For a simple check, see if your modem/router can be put in passthrough ie. bridge mode. Then it will only get the wan.
Alternatively, take the modem/router out of the chain i.e. power down and disconnect, and connect only OPN and go through the installation routine so it gets a clean chance to detect the WAN.

6

22.7 Production Series / Re: Unbound did not start - how to debug?

« on: August 11, 2022, 10:16:29 pm »

My guess is that Unbound not starting is only a symptom, especially if there are "hung" interfaces.
Check that is not a case of an interface with VLANs and without assigned parent interfaces, for instance as some of the latest significant changes in interfaces since the last two major releases.
Apart from that is all about hunting the dmesg and system logs for clues.

7

22.7 Production Series / Re: Unbound did not start - how to debug?

« on: August 10, 2022, 11:20:58 pm »

I'd start with "configctl unbound check" without quotes on the console.

8

Tutorials and FAQs / Re: How to Read and Unblock/Block With Unbound?

« on: August 10, 2022, 10:58:29 pm »

I could very well be wrong as I use Unbound but not block/allow lists on it.  But I don't think it logs them. It'll look up ips in the lists and allow/block the ip. It works with ips, not uris after lookup. Will only log ips.

9

22.7 Production Series / Re: No carrier after install

« on: August 10, 2022, 10:54:33 pm »

inet 192.168.0.14 netmask 0xffffff00 broadcast 192.168.0.255
That is a private IP, so it suggests there's another device in front of OPN getting the WAN address when you're in live mode testing.
Not necessarily wrong but curious.
I'd check with dmesg what happens with that interface (WAN) during boot.

10

General Discussion / Re: How to ensure DoT is working correctly?

« on: August 07, 2022, 12:23:27 am »

I went through this whilst setting up DoT in my network. You are correct, there are "test" websites and to this day they report to me that I'm not using DoT. I had to resort to empirical test that confirmed it was working as it was intended.
Anecdotally, I used quad9 and cloudflare, on 9.9.9.9 and 1.1.1.1. My setup had them in round-robin loadbalancing algorithm. That meant when I used a test page for one and the connection was via their resolver, it showed OK. Other times, not OK. If I changed my config to only go to them, it was OK always. That told me test pages were checking only for themselves, not that it was "any" connection over DoT. Also I recall there was a defect reported for one of them to this effect, I think it was solved.
So it left me that niggling thought. The next thing to do for certainty (for my own peace of mind) was to packet capture.
It was only then that I realised that indeed the traffic was DoT even when the test page said different.
You need to do your verification without trusting completely these test sites IMO.

11

22.7 Production Series / Re: FTP port 21 reporting open when scanning from external

« on: August 07, 2022, 12:01:23 am »

It's OK for me.  Upgraded to 22.7 and external scan doesn't find port 21 open.

12

Hardware and Performance / Re: how to upgrade drives after install?

« on: August 06, 2022, 03:30:53 am »

Careful, not exactly applicable directly to an apple Mac. This procedure is for the user who had already installed the OS on a zfs mirror (think of it as a software raid, two disks with the same contents in sync).

13

22.1 Legacy Series / Re: New OpnSense 22.1 install fails to boot from hard drive

« on: August 06, 2022, 03:19:46 am »

It might be worth installing freebsd and using the opn bootstrapping tool to convert it.

14

22.7 Production Series / Re: no internet from lan

« on: August 06, 2022, 02:41:03 am »

A very strange setup, it's unsurprising some services aren't working as desired.
When OPN is setup, some sane assumptions are made, like the WAN and LAN interfaces based on discovery, and the system is setup accordingly and it will in general, just work. In your setup, which appears unorthodox, it will require you to set everything up, including firewall rules.
To be honest from:
ISP Router (192.168.1.1) -> (ISP DHCP 192.168.1.33) OPNsense (OPNsense 192.168.0.1) -> (OPNsense DHCP 192.168.0.100) PC
I literally can't make head or tail. And all are private addresses, even the ISP one !

15

General Discussion / Re: Crowdsec firewall blacklists

« on: August 03, 2022, 11:48:04 pm »

It will probably have more visibility on github https://github.com/crowdsecurity/opnsense-plugin-crowdsec/issues