Topics - skywalker007

16
19.7 Legacy Series / IPv6 ULA + track interface
« on: January 15, 2020, 01:09:02 pm »
Can someone advise me how to set up IPv6 properly for the following scenario:

4 VLANS
IPv6 assignment to all VLANS via track interface WAN -> works
IPv6 may change during DSL - reconnect (Deutsche Telekom).

piHole as a DNS server in VLAN-DMZ should be reachable as IPv6 DNS server. As my public IPv6 addresses may change, I cannot statically assign an address from my public range to piHole. Distributing a dynamic address for a DNS server sounds like a bad idea.
So my idea (open for others) is to assign ULA addresses in addition to the public ones. Then I can distribute the piHole ULA address via DHCP6 to the clients and they can reach the DNS server.

So far the idea. I couldn't figure out how to set this up in OPNsense though. How can I assign ULA static addresses in addition to the dynamic ones?

thanks!



17
19.7 Legacy Series / Experience with Sonos over multiple VLANs
« on: November 10, 2019, 01:27:46 pm »
I am looking for someone who has experience running a Sonos controller in a different VLAN than the players.
I read some article in the Sonos community https://en.community.sonos.com/troubleshooting-228999/multiple-subnets-vlans-and-sonos-workable-clavister-solution-30950.
But it requires multicast forwarding. I am using igmp proxy to forward multicast for my IPTV already, but that proxy allows only one upstream interface. So I can't add Sonos to it as my players obviously reside in a different network than the IPTV senders.
Any hint is appreciated!

18
19.7 Legacy Series / quick Q on cold-standby setup
« on: October 31, 2019, 12:18:21 pm »
After my OPNsense died last night (complete SSD failure), I decided to build a cold-standby system.
I don't want to run CARP, I am fine with a manual failover.
Can someone confirm this is a good setup?

Primary firewall (4 NICs) auto backup every day.
Second firewall, only primary NIC connected, minimal configuration with some IP so it can reach internet and run updates.
So every time I update my primary, I would power up the spare unit and update it as well.
Once the primary fails, I import the config to the spare device, plug in all NIC cables and it should work?
I assume I manually have to deploy all plugins, or is that part of the backup?

thanks!
 

19
Web Proxy Filtering and Caching / Limit squid logging to avoid unnecessary messages
« on: October 25, 2019, 09:29:02 pm »
My squid log gets flooded with messages like this:
127.0.0.1 TCP_MISS/200 1690 GET cache_object://localhost/counters

Anyone know how to filter out those messages so I can focus on real access log from my clients?

thanks! Till

20
General Discussion / Feature - make DHCP leases searchable?
« on: October 25, 2019, 02:54:33 pm »
Is something on the roadmap to make the DHCP lease screen filterable/searchable? In a bigger list of leases, it can be quite painful to find an entry.

thanks, Till

21
Intrusion Detection and Prevention / IPS in VLAN only environment
« on: July 25, 2019, 03:18:11 pm »
I haven't used the IPS so far and am currently working on making use of it.
From what I gathered so far, blocking does not work on VLANs, correct? So I would need to change my complete network architecture?
So far, on LAN side I have everything VLAN'ed and WAN runs PPPoE over VLAN7 (DT VDSL).


22
19.7 Legacy Series / High memory utilization since upgrade to 19.7
« on: July 23, 2019, 08:39:30 am »
Since I upgraded to 19.7, my machine shows a very high memory utilization (85-95%). Machine has 8GB.
Not being a FreeBSD specialist, how can I check which component utilizes most memory?

thanks, Till

23
19.7 Legacy Series / os-wireguard-devel -> os-wireguard
« on: July 19, 2019, 05:56:23 pm »
After upgrading to 19.7, there now is a package os-wireguard.
Can I uninstall os-wireguard-devel and then install os-wireguard? Will it retain my settings?
I was kind of expecting that the upgrade would automatically replace the devel package with the released package.
thanks, Till

24
19.1 Legacy Series / PPPoE doesn't reconnect when parent interface goes down/up
« on: July 19, 2019, 05:36:41 pm »
I have the issue that my DSL modem currently hangs occasionally. Restarting the modem solves that. However the PPPoE client terminates then and doesn't reconnect when the modem is back up. I have to bounce the firewall as well which is annoying. Can that be solved somehow?
thanks!

25
19.7 Legacy Series / PPPOE over Vigor 165 dies regularly, how to debug?
« on: June 30, 2019, 12:30:40 pm »
Hi *.*,

I need some advice on how to debug a breaking pppoe internet connection (Telekom BNG VDSL2).
Setup is as follows:
Vigor 165 as modem with pppoe passthrough.
OPNSense tags interface em1 with VLAN7.
PPPOE sits on top of em1_VLAN7.

I had the same setup running for a while with a Vigor 130 without problems.
Now with a Vigor 165, the connection breaks sometimes once a day and sometimes after a few days.
I don't see any indicator for that. The pppoe log indicates connection attempts without success.
The Vigor modem indicates that DSL connection is up.
I don't see anything on the Vigor that lets me troubleshoot any layer on top of that.
Does anyone have a similar setup? Any hints what to look for?

The procedure to get it back up and running currently is to restart both, the modem and the firewall.
thanks a lot for any hint, Till


26
19.1 Legacy Series / Need help with wireguard basic setup
« on: June 15, 2019, 06:40:59 pm »
Can anyone point me towards the right direction with my wireguard setup please?
I have configured OPNSense as a server for roadwarriors:
listen port 51820
tunnel address: 10.2.249.1/24

Created a peer on iOS:
interface: 10.2.249.2/32
peer config: <opnsense:51820>
inserted pub key from OPNsense server

Added the peer as endpoint in OPNsense:
Tunnel address: 10.2.249.2/32
inserted the created pub key from iOS endpoint

added this endpoint as peer in the servers local peers list.

Added a firewall rule to allow udp/51820 inbound to firewall from any
Added a firewall rule to the wireguard interface to allow 10.2.249.2 -> any

Result:
When I enable the tunnel on iOS, it turns green and says connected.
No packet crosses the tunnel though.
When I "tcpdump -n udp port 51820" on opnsense, I see no packet. Why would the tunnel turn green then?
I am stuck here. Either I miss a fundamental piece of the concept or... No idea.
Handshakes also shows "0", so it doesn't look like much happened.
Anyone who could give me a push forward?
thanks so much!

27
19.1 Legacy Series / Live View filter IPv6
« on: June 06, 2019, 10:29:03 pm »
Does anyone have a smart way of filtering the Live view for IPv6 traffic only (UDP,TCP,ICMP v6)?
thanks, Till

28
German - Deutsch / Magenta TV & IGMP proxy
« on: April 07, 2019, 01:10:14 pm »
Hello everyone,
there are quite a few posts on the topic of MagentaTV behind OPNSense, but most of them seem somewhat older to me. Is there anyone who currently has this running and would be willing to briefly write up for me how I have to configure it?
The goal is to use a Vigor130 or 165 as the modem, with the OPNSense directly behind it. I am happy to put the IPTV receiver on a separate LAN interface if that makes sense.
Open questions:
IGMPProxy - which networks do I have to enter as upstream for this to work?
Which firewall rules, without tearing huge holes open?

Many thanks in advance, Till

29
Web Proxy Filtering and Caching / Squid access log over syslog
« on: April 23, 2018, 06:13:43 pm »
Trying to make squid log over syslog.
There is a config in the UI to switch on syslog for squid.
I added a remote syslog server in the system settings.
Still not seeing any access logs remotely.
Do any of these config options:
Code:
System events
Firewall events
DHCP service events
DNS service events
Mail service events
Portal Auth events
VPN (PPTP, IPsec, OpenVPN) events
Gateway Monitor events
Server Load Balancer events
Wireless event
need to be activated? Nothing looks like proxy.
I enabled system events to validate the remote logging works at all and it does.
Any hints?
thanks, Till

30
18.1 Legacy Series / Logging view
« on: February 14, 2018, 05:14:56 pm »
Hi all,
hopefully I am not blind, but I just updated a firewall to the latest 18 release after I haven't touched it for months (good sign, it was just silently working). Now I wanted to check something from the firewall log and I am missing a structured view. My "Log Files" menu entry just shows Live view, Overview and plain view. Wasn't there a log view where I can filter by address, port and such before?
Is that a feature or a bug?
thanks!
