#16
Thanks, that was the issue...
Seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now...?

Will you create a PR or shall I?
#17
21.7 Legacy Series / Do ramdisk setting work?
January 05, 2022, 02:06:02 PM
Hi,
I've also checked both settings and my mount points look like this:

mf@houston:~ % mount
/dev/gpt/rootfs on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)
devfs on /var/dhcpd/dev (devfs, local, multilabel)
devfs on /var/unbound/dev (devfs, local, multilabel)

Checked on OPNsense 21.7.7 (but having this set since many releases).
#18
Quote from: bimbar on January 03, 2022, 06:32:37 PM
The default_server option has been implemented in 21.7.7.
Unfortunately only for http - for https it's still missing. See https://github.com/opnsense/plugins/issues/2741
#19
General Discussion / Re: Rule Separators
January 04, 2022, 08:56:58 PM
What about using interface groups to group rules?
#20
I've been struggling for a few days to establish a simple IPsec tunnel between two 22.1 systems or a 21.7 and a 22.1 system. Finally I've tried precisely the same configuration between two 21.7 systems and it works.
The error on the 22.1 side is

15[KNL] <con1|3> unable to add SAD entry with SPI c6651939: Invalid argument (22)

I could not find many useful details to this error, except that some specific situation might not be supported by the kernel. But my example is really simple and I've even tried very many other scenarios.

One suspicious thing I saw during startup of charon is:

2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)

Any ideas?

Attached is the complete log from charon startup, including one session initiation cycle. P1 succeeds; only the SAD entry of P2 cannot be written.
#21
Thanks for the update!
I'm not an expert on BSD-like licenses, but how is such a "limitation" even possible? I need to do some research on that issue...

Was OPNsense ever explicitly addressed by the author? Or are you just acting as a precaution?

BR
#22
Hi,
the IDS plugin (part of core) uses an interface selection (ids.general.interfaces).

For the logging part, unfortunately the diagnostics/log view requires an extension of the LogController (which is part of core). You need to create a new view + LogController in your project. I'd have a look at the security/acme-client plugin; there is also logging implemented there using diagnostics/log. The API controller can be re-used (as done in acme-client).

BR
Manuel
#23
Development and Code Review / Removal of mail/fetchmail
December 12, 2021, 09:11:21 AM
Hi,

I just noticed that mail/fetchmail was removed (6673bb86). I could not find the reason for this (neither here nor on GitHub)... Any background information to share here?
#24
I've just run into this problem as well... What is the problem with the CloudFlare mirror? Should removing it from the list be considered, if it apparently causes problems here quite often?
#25
Hi,
Firefox checks websites you browse for malicious URLs. I assume the list is hosted within that CDN and Firefox therefore blocks the access.
#26
Hi,
Where is my domain.com hosted? Do you use OPNsense as DNS resolver? Not sure if I understand your question. Maybe a drawing might help.

BR
Manuel
#27
20.7 Legacy Series / OpenVPN Client Specific Overrides
December 23, 2020, 10:48:01 AM
Hi,
I'm facing a problem with OpenVPN's Client Specific Overrides: even though overrides are configured, no entry is generated in /var/etc/openvpn-csc/<serverid>.

What is the trigger to generate these entries?

Thanks
#28
20.7 Legacy Series / Re: internet but no internet
August 07, 2020, 07:10:03 AM
Can you actually ping any host on the internet from the firewall?
#29
Hi,
In System > Settings > Administration, is Listening Interfaces configured to "All interfaces"?

Maybe a packet trace reveals more details about the issue? Either via the web UI Interfaces > Diagnostics > Packet Capture or via the shell using tcpdump -i ovpns1 -n port 443

BR
Manuel

#30
Thanks for explanation! So the reason is more a stability issue than a security issue?