Messages - Mks

151
20.1 Legacy Series / Re: Corrupted line in firewall logs
« on: April 25, 2020, 05:12:08 pm »
Hi,

same issue here, I think it's a bug.

br

152
20.1 Legacy Series / Re: Unbound DNS advanced options
« on: April 19, 2020, 12:02:40 pm »
Hi,

Quote
The only question is: whenever the advanced option field will be removed, how can we achieve the same result?

Hi, please see https://github.com/opnsense/plugins/issues/1503#issue-493737939

br

153
20.1 Legacy Series / Re: two dns servers ? one for parents and one for kids?
« on: April 03, 2020, 10:00:28 pm »
Hi, you can also use views with unbound.

br

154
20.1 Legacy Series / Re: please help on wireguard
« on: March 29, 2020, 09:49:50 pm »
Hi,

please double check:
  • Outbound NAT Rule
  • Firewall Rules to Access Internal Networks/Devices
  • Look at the firewall log (Filter to Wireguard Interface)

br

155
20.1 Legacy Series / Re: please help on wireguard
« on: March 29, 2020, 06:46:07 pm »
Try this one:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

The point "Add the WireGuard Interface" was not necessary in my case, because it was created automatically.

br

156
20.1 Legacy Series / Re: What's the point of linking users to certificates for OpenVPN?
« on: March 29, 2020, 02:35:46 pm »
I'm not sure if I got your point but let's give it a try.

Basically you can establish a VPN connection with "any" valid certificate signed by your trusted CAs and the associated private key. It is not necessary that you link those to the user (unless you use the CN match option).

But you must not share private keys with multiple users. Therefore you create for each user a separate certificate (and private key) which you can individually revoke (e.g. an employee leaves the company, a private key is compromised, etc.). With the linkage to the user you have a clear assignment and ownership.

You'll get in a lot of trouble if you use the same certificate and private key for multiple users. In the worst case, if the VPN is used by 1000 users and only one is compromised, you need to block access for all and provision new ones to all.

br
 

157
20.1 Legacy Series / Cleanup IPSec automatic created rules
« on: March 27, 2020, 08:18:44 pm »
Hi.

One question: how can I clean up auto-generated rules if they are not needed anymore?
I tested some IPsec topics and now the auto-generated NAT rules are still in place.

I prefer to keep a clear ruleset, therefore I want to delete them.

br

158
20.1 Legacy Series / Re: OPNsense 20.1 - problems with DNS
« on: March 26, 2020, 01:57:58 pm »
Hi,

now that you say it, I have also partly experienced some "small" issues.

Error from the log:
Code:
info: error sending query to auth server
error: outgoing tcp: connect: Address already in use for
error: tcp connect: Operation timed out for

I'm using DoT with certificate validation, but this does not seem to be the problem.


br

159
20.1 Legacy Series / Re: OPNsense 20.1 - problems with DNS
« on: March 22, 2020, 08:29:08 am »
Hi,

Unbound doesn't perform the verification of the server certificate by itself. You have to configure it to prevent MitM.

Code:
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-addr: 1.1.1.1#cloudflare-dns.com
This should be fine for cloudflare.


Sources for other DNS servers supporting DoT (DoH):
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c9
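
Added example, not part of the original post or of the OPNsense or Unbound projects: a small Python check for the point made in the post above, that a DoT forwarder is only authenticated when `tls-cert-bundle` is set and the `forward-addr` carries a `#` authentication name. The two sample configurations are constructed, and the parser is a simplified one that assumes TLS is enabled with `forward-tls-upstream` (per zone) or `tls-upstream` (server clause).

```python
import re

# Constructed sample configs (not from the original post).
WEAK_CONF = """\
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853   # encrypted, but the peer is never authenticated
"""
HARDENED_CONF = """\
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1#cloudflare-dns.com
"""

def audit_dot(conf_text):
    """Return findings for DNS-over-TLS forwarders in unbound.conf text."""
    clause, zone, bundle, global_tls = None, 0, "", False
    tls_zones, addrs = set(), []
    for raw in conf_text.splitlines():
        # '#' starts a comment only at line start or after whitespace;
        # inside forward-addr it introduces the TLS authentication name.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        key, sep, rest = (part.strip() for part in line.partition(":"))
        if not sep:
            continue
        if not rest:                       # clause header, e.g. "server:"
            clause = key
            zone += key == "forward-zone"  # number the forward-zone clauses
            continue
        value = rest.strip('"')
        if clause == "server" and key == "tls-cert-bundle":
            bundle = value
        elif clause == "server" and key == "tls-upstream":
            global_tls = value == "yes"
        elif clause == "forward-zone" and key == "forward-tls-upstream" and value == "yes":
            tls_zones.add(zone)
        elif clause == "forward-zone" and key == "forward-addr":
            addrs.append((zone, value))
    # Only forwarders that actually use TLS are in scope for this check.
    dot = [a for z, a in addrs if global_tls or z in tls_zones]
    findings = []
    if dot and not bundle:
        findings.append("tls-cert-bundle is not set: no CA store to verify upstream certificates")
    findings += [f"forward-addr {a}: no #auth-name, certificate name is not checked"
                 for a in dot if "#" not in a]
    return findings
```

`audit_dot(WEAK_CONF)` reports both the missing CA bundle and the missing authentication name; `audit_dot(HARDENED_CONF)` returns an empty list.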


160
20.1 Legacy Series / Re: update firmware
« on: March 20, 2020, 07:36:29 pm »
Hi,
try the following

  • connect via ssh
  • flashrom -r backup-bios-xxxxxxx.rom -p internal
  • fetch https://3mdeb.com/open-source-firmware/pcengines/apu2/apu2_v4.XX.X.X.rom
  • flashrom -w apu2_v4.XX.X.X.rom -p internal

br

161
General Discussion / 2FA Access to GUI (admin) - regain access when token lost?
« on: February 15, 2020, 10:12:42 am »
Hi,

I plan to use 2FA for access to the OPNsense GUI (administrative tasks).
What is the procedure to regain access if the token generator is lost?

br



162
German - Deutsch / Re: Floating rules for blacklists?
« on: February 08, 2020, 01:41:42 pm »
Hello.

I implemented it in a similar way, but additionally with a block rule where the source is the blacklists.

Regards

163
German - Deutsch / Re: Windows clients get no Internet, macOS and Linux clients get Intern
« on: January 23, 2020, 07:43:57 pm »
Hello,

have you already checked the host firewall (Windows)? Perhaps that is the cause?

Regards

164
19.7 Legacy Series / Re: Unbound custom parameters
« on: November 10, 2019, 03:09:58 pm »
Hi Stilez.

See also my posts. I'm also using "View" in unbound. https://github.com/opnsense/plugins/issues/1503#issue-493737939

br

165
General Discussion / Re: Config Two completely separate home networks with one shared internet connection
« on: October 24, 2019, 12:57:16 pm »
Hi.

You need to differentiate between your NEIGHBOR_LAN range and the neighbor interface.

Neighbor LAN IP range is 192.168.100.0/24

Your rule:

Every packet which enters the Neighbour LAN interface (incoming on the Neighbour LAN interface) is blocked if it is IPv4 or IPv6 and the destination IP is within the 192.168.1.0/24 range.

Br
