Topics

1

21.1 Legacy Series / update oddities

« on: February 10, 2021, 01:05:13 pm »

Hi,
for a while already I have the problem that one of my firewalls won't update via UI anymore.
It always resonds with

Code: [Select]

"Timeout while connecting to the selected mirror."Updating from shell works. Though it throws a warning:

Code: [Select]

Fetching change log information, please wait... fetch: transfer timed out
fetch: /tmp/changelog/changelog.txz.sig appears to be truncated: 0/1332 bytes
Checking that folder, it is indeed empty:

Code: [Select]

root@OPNsensemil:~ # ls -la /tmp/changelog/
total 8
drwxr-xr-x  2 root  wheel   512 Feb 10 13:01 .
drwxrwxrwt  6 root  wheel  1024 Feb 10 12:59 ..
root@OPNsensemil:~ #
Any advise how to fix this?
I am on 21.1, but this problem existed before.

Update:
this seems to be similar to this:
https://forum.opnsense.org/index.php?topic=21087.msg98506#msg98506

thanks, Till

2

20.7 Legacy Series / Can pppoE break a DSL sync?

« on: December 02, 2020, 06:54:07 pm »

Not sure if the topic attracts a reader but let me give it a try:

I have, since a few months, the problem that my VDSL connection breaks once or twice a day.
My setup so far was OPNsense with pppoE on WAN -> Draytek Vigor 165 as modem.
It's not only the pppoe that breaks, it is the DSL wich re-syncs and then 2 min later the connection is back.

I replaced the modem - > same issue.
I called the ISP, they came and changed the port in the DSLAM and also the a different pair of cables.
-> same issue.
So I bought an original Telekom Smart 3 router, put it into modem only mode and tried that -> same issue.
So finally, I put the Telekom Smart 3 back into router mode, reconfigured OPNsense to not use pppoe but just send packets to the Telekom router. -> Now the connection is stable.
How can that be? Did OPNsense 20.7 introduce some major changes to the pppoe client that brakes my connection? I can't imagine. I am a bit out of ideas and want my old setup back but I need to get it stabilized (was running well before). I can't really say if this started with the 20.7 upgrade, but it falls into the same timeframe.
Any feedback, suggestions are highly appreciated!
cheers, Till

3

Sensei / Sensei always switches back to bypass mode?

« on: November 01, 2020, 09:02:43 pm »

I am currently testing Sensei on my system and realized that it often switches back to bypass mode automatically.
Why is that?
My VDSL connection is a bit unstable which leads to frequently changing IPv6 addresses on my LAN interfaces. Could that be a reason?
thanks! Till

4

20.7 Legacy Series / Interfaces lose IPv6 after DSL reconnect

« on: October 28, 2020, 08:52:02 am »

Scenario:
Vigor 165 modem mode
OPNsense runs pppoe on WAN and tags VLAN 7 (Deutsche Telekom)

I am currently having the problem that my VDSL is a bit flaky and loses sync at least twice a day and rebuilds the DSL connection.
When that happens, all my interfaces lose their IPv6 address (all configured to track WAN if).
This can be solved by manually navigating to Interfaces->overview->WAN and hit the "reload" button.

Is that a known issue?

thanks! Till

5

20.7 Legacy Series / Ubbound ACLs after IPv6 prefix change

« on: October 14, 2020, 03:46:04 pm »

I found this in the archive:
https://forum.opnsense.org/index.php?topic=13196.msg72076#msg72076
I have the same problem with current version. Once IPv6 prefix changes, unbound refuses my queries.
Should OPNsense automatically restart unbound after prefix change? Is this a bug or a feature?

thanks! Till

6

20.7 Legacy Series / Compatible plugins?

« on: August 28, 2020, 03:58:19 pm »

How can I know if all installed plugins are compatible / available with 20.7 before upgrading?

thanks!

7

20.1 Legacy Series / How to use monit to reboot firewall when VPN gateway is not reachable for X min

« on: March 13, 2020, 02:59:14 pm »

I am looking for some advise for how to use monit to achieve the following:
I have a remote OPNsense which uses an OPNvpn site to site tunnel to my main site.
Now when the remote OPNsense can't reach the destination gateway, i want to wait for X min and then reboot.
Now after reboot, if it doesn't reconnect  - obviously the problem is somewhere else and I want to add an additional delay before rebooting again and so on. Once connection is established it shoud revert back to the default delay of course.
Do I need to write some shell script for that exercise or can monit do it out of the box?

thanks!

8

20.1 Legacy Series / WireGuard interface assignment

« on: February 16, 2020, 05:00:44 pm »

After long time pushing this out, I have started to migrate my road warriors over to WireGuard.
Quick question on the server side config:
The docu says:

Is that still necessary? The NAT setup also offers me the automatically created WireGuard Interface. Why can’t I use that instead of doing a new assignment?
Thanks!

9

20.1 Legacy Series / PPPoE logging

« on: February 03, 2020, 10:23:08 am »

Upgraded two boxes yet.
One dials in per PPPoE which works but the is no diagnostic log for PPPoE. The link in the UI is there (Interfaces, Point to Point, Log File), but the log seems empty even though the interface is connected.

10

19.7 Legacy Series / IPv6 ULA + track interface

« on: January 15, 2020, 01:09:02 pm »

Can someone advise me how to setup IPv6 properly for the following scenario:

4 VLANS
IPv6 assignment to all VLANS via track interface WAN -> works
IPv6 may change during DSL - reconnect (Deutsche Telekom).

piHole as a DNS server in VLAN-DMZ should be reachable as IPv6 DNS server. As my public IPv6 adresses may change, I cannot assign statically an adress from my public range to piHole. Distributing a dynamic adress for a DNS server sounds like a bad idea.
So my idea (open for others) is to assign ULA adresses in addition to the public ones. Then I can distribute the piHole ULA adress via DHCP6 to the clients and they can reach the DNS server.

So far the idea. I couldn't figure out how to set this up in OPNsense though. How can I assign ULA static addresses in addition to the dynamic ones?

thanks!

11

19.7 Legacy Series / Experience with Sonos over multiple VLANs

« on: November 10, 2019, 01:27:46 pm »

I am looking for someone who has experience running a Sonos controller in a different VLAN than the players.
I read some article in the sonos community https://en.community.sonos.com/troubleshooting-228999/multiple-subnets-vlans-and-sonos-workable-clavister-solution-30950.
But it requires multicast forwarding. I am using igmp proxy to forward multicast for my IPTV already, but that proxy allows only one upstream interface. So i can't add sonos to it as my players obviously reside in a different network than the IPTV senders.
Any hint is appreciated!

12

19.7 Legacy Series / quick Q on cold-standby setup

« on: October 31, 2019, 12:18:21 pm »

After my OPNsense died last night (complete SSD failure), I decided to build a cold-standby system.
I don't want to run CARP, I am fine with a manual failover.
Can someone confirm this is a good setup?

Primary firewall (4 NICs) auto backup ever day.
Second firewall, only primary NIC connected, minimal configuration with some IP so it can reach internet and run updates.
So everytime I update my primary, I would power-up the spare unit and update it as well.
Once the primary fails, I import the config to the spare device, plug-in all NIC cables and it should work?
I assume I manually have to deploy all plugins, or is that part of the backup?

thanks!
 

13

Web Proxy Filtering and Caching / Limit squid logging to avoid unnecessary messages

« on: October 25, 2019, 09:29:02 pm »

My squid log gets flooded with messages like this:
127.0.0.1 TCP_MISS/200 1690 GET cache_object://localhost/counters

Anyone know how to filter out those messages so I can focus on real access log from my clients?

thanks! Till

14

General Discussion / Feature - make DHCP leases searchable?

« on: October 25, 2019, 02:54:33 pm »

Is something on the roadmap to make the DHCP lease screen filterable/searchable? In a bigger list of leases, it can be quite painful to find an entry.

thanks, Till

15

Intrusion Detection and Prevention / IPS in VLAN only environment

« on: July 25, 2019, 03:18:11 pm »

I haven't used the IPS so far and currently working on making use of it.
From what I  gatherered so far, blocking does not work on VLANs, correct? So i would need to change my complete network architecture?
So far, on LAN side I have everything VLAN'ed and WAN runs PPPoE over VLAN7 (DT VDSL).