Messages - cookiemonster

Pages: [1] 2 3 ... 60
1
General Discussion / Re: OPNsense as VM on HDD pool?
« on: September 29, 2023, 10:24:15 am »
Typing at the same time, Patrick(s).

2
General Discussion / Re: OPNsense as VM on HDD pool?
« on: September 29, 2023, 10:23:31 am »
Most of the IO is for logging, the work is in memory as far as I can see. IMHO NVMe is unnecessary, SSDs are nice to have and spinning hard disks can be fine too. There have never been requirements for fast IO and many ran firewalls with HDs for ages.
In short, SSDs shall be plenty and a mirrored pair is pretty ideal for redundancy.

3
23.7 Production Series / Re: Near constant PTR lookups in DNS logs
« on: September 29, 2023, 10:10:55 am »
Glad it's fixed.

4
Hardware and Performance / Re: The barebone pc doesn't really sleep when not in use, almost full watt usage?
« on: September 29, 2023, 10:08:27 am »
A firewall will always be running some services, that's its duty, so it will draw power. Sleep/hibernate hasn't been a desired or built-in option on any distribution that I am aware of.
They rely on idle states, CPU to OS and vice versa, to reduce power at a cost of responsiveness. powerd is what you can use and you have. If with that the power draw is inadequate, it is a question for the CPU maker, the FreeBSD people or the manufacturer. Or all three :( . Not for OPN.
By the way, 10 watts at idle is not bad, in fact it is good. I doubt you can get less. You've squeezed that lemon to the max.

5
General Discussion / Re: Rules association
« on: September 29, 2023, 12:05:10 am »
Not trying to be contrary here. The LAN clients are connecting to the switch and the switch to the LAN port of the firewall, yes. But on the OPT1 interface of the firewall there's nothing except a single appliance client. So the traffic between them must go through the firewall.
You are making me think of the problem in different ways so thank you. If you have any more thoughts, please share.
This I got wrong: "As soon as I enable the identical one for OPT1, DNS packets get from LAN clients to LAN. Picture 3, port forward."
It should read: "As soon as I enable the identical one for OPT1, DNS packets get from LAN clients 192.168.5.0/24 to OPT1 address 192.168.6.1. Picture 3, port forward.".

6
General Discussion / Re: Several Questions - New User and brain pain.
« on: September 28, 2023, 11:44:13 pm »
Ah, the joys of the newly born. Glad mine is grown now.
Anyways. Disclaimer: I don't do gaming so this is out of my experience. That said, isn't the strong NAT a thing about the console/PC needing some way to connect and be connectable with some ports on the game platform?
I seem to recall a number of threads with works/doesn't work for port forwards and nats as workarounds to upnp.

7
General Discussion / Re: Host override requires local domain name to resolve
« on: September 28, 2023, 11:33:50 pm »
Maybe a look from the client side. I normally run FreeBSD for infra and Ubuntu for desktops at home.
Code:
$ resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp0s31f6)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp58s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.5.1
       DNS Servers: 192.168.5.1
        DNS Domain: moomooland
I don't have any domains in the DHCP settings. All via Unbound and AdGuard.

8
23.7 Production Series / Re: Unable to access web GUI - But able to access ssh - Please Help
« on: September 28, 2023, 06:07:02 pm »
We can't guess ;) what happens. Do you get an error, what's in the logs, etc.?

9
General Discussion / Re: Upload a file in a custom created plugin
« on: September 28, 2023, 04:41:05 pm »
Not specific to plugins or development, but to my knowledge there is no way to upload files to the appliance from the UI.
You need to drop to a console and use commands like scp, etc.
There are ways to use WinSCP and that sort of clicky ways, but IMO not worth the effort when a simple command will do it in a fraction of a second.

10
General Discussion / Re: Rules association
« on: September 28, 2023, 04:24:02 pm »
Right, and that's what is puzzling.
I am asking exactly that, ignore NAT, why the port forward rule for LAN all is good.
As soon as I enable the identical one for OPT1, DNS packets get from LAN clients to LAN. Picture 3, port forward.
edit: it should read:
As soon as I enable the identical one for OPT1, DNS packets get from LAN clients 192.168.5.0/24 to OPT1 address 192.168.6.1. Picture 3, port forward.

11
23.7 Production Series / Re: Near constant PTR lookups in DNS logs
« on: September 27, 2023, 04:15:46 pm »
This is usually not to do with the firewall/DNS resolver. It is doing what is asked of it, to give the domain for an internal ip address.
Usually it is some device in the internal network asking "around" for a reverse name resolution. You're going to have to track it. A packet capture would quickly help.
Also when AdG/Pi-hole is in the mix, there can be a ping-pong loop.
AdG for instance has the setting section:
Private reverse DNS servers
The DNS servers that AdGuard Home uses for local PTR queries. These servers are used to resolve PTR requests for addresses in private IP ranges, for example "192.168.12.34", using reverse DNS. If not set, AdGuard Home uses the addresses of the default DNS resolvers of your OS except for the addresses of AdGuard Home itself.
AdGuard Home could not determine suitable private reverse DNS resolvers for this system.
Check that your settings there are what you expect.
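As an added example (not from the forum post), a short Python script for the tracking suggested above: it parses constructed query-log lines of the assumed form `client qname qtype`, decodes reverse-lookup names back into addresses, counts PTR queries for private ranges per client, and flags the resolver's own address (192.168.5.1 is assumed here) showing up as a client, which is what an AdGuard/Unbound ping-pong loop looks like in the log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample query log (assumed format "client qname qtype"), not real data.
SAMPLE_LOG = """\
192.168.5.23 34.12.168.192.in-addr.arpa. PTR
192.168.5.23 35.12.168.192.in-addr.arpa. PTR
192.168.5.1 34.12.168.192.in-addr.arpa. PTR
192.168.5.40 forum.opnsense.org. A
192.168.5.23 8.8.8.8.in-addr.arpa. PTR
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def ptr_name_to_ip(qname):
    """Decode an in-addr.arpa / ip6.arpa name into the address it asks about, or None."""
    labels = qname.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # IPv4: four octets stored in reverse order
            return ipaddress.ip_address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # IPv6: 32 single-hex-digit labels, also reversed
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None

def private_ptr_clients(log_text, resolver_ip):
    """Return (Counter client -> private PTR count, loop_suspected). The loop flag is set
    when the resolver's own address appears as a client: two resolvers on one box bouncing."""
    counts = Counter()
    loop_suspected = False
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, qname, qtype = match.groups()
        if qtype != "PTR":
            continue
        target = ptr_name_to_ip(qname)
        if target is None or not target.is_private:
            continue  # PTR for public addresses is normal; only private ranges are the noise
        counts[client] += 1
        if client == resolver_ip:
            loop_suspected = True
    return counts, loop_suspected
```

On the constructed sample, 192.168.5.23 is the chatty device (2 private PTR queries) and the resolver itself appears once, so the loop flag is raised; the 8.8.8.8 lookup is ignored as public.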

12
General Discussion / Re: Rules association
« on: September 27, 2023, 03:20:31 pm »
I appreciate the attempt to help but I'm more interested in understanding the behaviour that should work but appears not to, -why it does what it does-, than applying a workaround or different approach.
The NAT outbound rule works for one interface but the same rule for the other seems to cause a loop.
Why? If you could give an insight on that, I'll be most grateful.

13
23.7 Production Series / Re: TCP connections fail after ISP IP renewal
« on: September 27, 2023, 03:16:06 pm »
Quote from: gorillaporcupine on September 25, 2023, 08:58:28 am
Hi, I have a weird problem:

I am using dyndns to host some services at home. If my ISP is providing me with a new public ip address, all is synced correctly via ddclient. DNS is resolving the correct address and also wireshark VPN (UDP!) works fine. But all requests to my public IP based on TCP are dropped. Or at least my self hosted websites can't be resolved.
If I reload my PPPoE connection till I get a new IP from the ISP (3 times normally), TCP traffic to my public IP is resolved correctly again. This is a very inconvenient issue, because I need to monitor my service constantly and if it's down, I need to log in via VPN to reload the PPPoE Interface till I get a new IP.

Any ideas how to debug this further? I contacted the ISP and also tried a different router. No problems there. That's why I assume it is something buggy in OPNsense...
Some terminology clarity would be useful.
- "But all requests to my public IP based on TCP are dropped". Are they being dropped by the firewall and can be seen from the OPN side? Or do you mean connections from another network (mobile phone for instance) time out, get rejected, what? And are they done to the new IP or to a URL?
- "Or at least my self hosted websites can't be resolved.". Which one is it: DNS is updated or not? Done an external DNS query? Resolves or not to the new IP?
These websites, how are they being served through OPN, haproxy, port forwarding, nginx, etc?

14
General Discussion / Re: Rules association
« on: September 27, 2023, 11:26:19 am »
Thanks for the suggestion newsense, I will likely try it.
Any thoughts on why it currently behaves the way it does and breaks things? Surely it is possible to port forward traffic incoming into each interface to the service running on it. This is what I'm trying to understand: what am I doing wrong?
Code:
# sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    85075 5  udp4   *:5353                *:*
unbound  unbound    85075 6  tcp4   *:5353                *:*
unbound  unbound    85075 7  udp4   *:5353                *:*
unbound  unbound    85075 8  tcp4   *:5353                *:*
unbound  unbound    85075 9  tcp4   127.0.0.1:953         *:*
root     AdGuardHom 16088 13 tcp4   192.168.5.1:8080      *:*
root     AdGuardHom 16088 14 udp46  *:53                  *:*
root     AdGuardHom 16088 15 tcp46  *:53                  *:*
root     stubby     65272 3  udp4   127.0.0.1:8053        *:*
root     stubby     65272 4  tcp4   127.0.0.1:8053        *:*
root     stubby     65272 5  udp6   ::1:8053              *:*
root     stubby     65272 6  tcp6   ::1:8053              *:*

15
General Discussion / Re: Rules association
« on: September 27, 2023, 12:04:40 am »
Anyone?

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved