Messages - FarmServer

#16
I beat my head on this for a while then just reinstalled opnsense, I forgot to try opnsense-bootstrap instead of a clean install. But since it's a vm it's not like it's a huge deal to load another VM.

I will say that whatever happened it was with an old config that I had kept going from 16.7 so who knows what got stuck misconfigured as things changed. And whatever it was doing was crushing unbound DNS on boot. It would take several minutes to not at all to load past that service.
#17
I really have no clue what I did here. And it's bugging the crap out of me. I have my OpnSense running in a VM, it has been this way for quite a while with no issues.

My LAN was hooked up to an access point to provide WIFI.
Another NIC (on the same network card) was plugged in to a computer for VPN access.

At some point I have lost internet connection with the clearnet LAN, it does log into the WebGUI fine but can't access any external pages.

Anything attached to the VPN works fine. I switched the access point to the VPN NIC and that worked fine, so it's not the AP. I swapped the ethernet interfaces in the WebGUI and the problem didn't stay with one interface. It just stays in whatever is connected to the LAN.

Unplugging the AP and plugging a computer directly with the ethernet cable also only allows access to webGUI and nothing else. So, again, I'm doubting it's the AP but rather some configuration that broke somewhere.

I appreciate the strict security measures but it is pretty annoying.
#18
I forgot to also mention, both of these NICs did work when I had Opnsense installed as standalone.
#19
I have Opnsense in a xen HVM. I have passed several realtek 8111 NICs to Opnsense with no issues. But I have 1 card with two Intel 82576 NICs on it that has issues.

Opnsense 'sees' these NICs and identifies them as igb0 and igb1 which implies to me that the correct drivers are also loaded. But when I plug in a device to a NIC it is unable to get DHCP configuration from Opnsense and cannot communicate through the card (one orange light and one green light). Plugging in the same device into one of the Realtek NICs works fine.

All rules are the same between an 8111 NIC and the 82576 NICs as far as I can tell.
Each device has its own static IPv4 addy.
A firewall rule of let ipv4 from (yournamehere)net to any.
An autocreated NAT outbound rule for all networks to wan.
DHCP enabled on each lan giving a range of assignable addresses.
Unbound DNS resolver enabled and 'Enable Forwarding mode' set.

I am unsure of where to start to localize the issue and figured I would ask here and save some time.
Thanks
#20
So wireshark showed me the mac address of the device and it appears to be a Cisco device coming from my ISP since the first two ipv4 values match that of my assigned wan ip.

The firewall is seeing a 10.102.0.1 address from the Cisco MAC but this is not what matches the Cisco MAC and IP address shown in the ARP table.

But why then is the firewall blocking it as a private network? Why would it be showing up with a different IP but same MAC?

Further down the wireshark log under Bootp it shows:
Client IP address: 0.0.0.0 (to which I think this just means any IP, could be wrong)
Your (client) IP address: 10.102.155.99 (It's not)
Next server IP address: 0.0.0.0 (any again?)
Relay agent IP address: 10.102.0.1  <--- The offending IP, but nothing I have configured uses an IP like this

For what it's worth the only interface receiving an IP from my ISP is the WAN IP. The other LANs are their own DHCP servers.
#21
Thanks, I thought it was odd the level of detail wasn't changing.
#22
I have numerous firewall entries from an IP address trying to call the 255.255.255.255.68 address internally.

packet capture log set to full (not any different in detail from other settings)
13:33:32.895203 IP 10.102.0.1.67 > 255.255.255.255.68: UDP, length 250

When I look at the firewall log the explanation for the blocking is
@61 block drop in log quick on bce0 on inet from 10.0.0.0/8 to any label "Block private networks from WAN"

These incidents happen every minute or so. There doesn't seem to be any issues. 67 and 68 are related to dhcp and that seems to be working properly. I have three lans that have their own dns servers and they are being assigned IP addresses and dns addresses correctly.

Any thoughts? I thought packet capture might give me more detail on the source of this IP but it didn't return much detail.
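As an added illustration (not code from the post or from OPNsense), the capture line and the pf rule quoted in posts #20 and #22 can be parsed and cross-checked: the packet is a DHCP server-to-client broadcast whose source is an RFC1918 address, so it trips the WAN private-network block. The sample lines are constructed from the post.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the packet capture and firewall log quoted above.
CAPTURE_LINE = "13:33:32.895203 IP 10.102.0.1.67 > 255.255.255.255.68: UDP, length 250"
RULE_LINE = ('@61 block drop in log quick on bce0 on inet from 10.0.0.0/8 to any '
             'label "Block private networks from WAN"')

# tcpdump prints IPv4 endpoints as a.b.c.d.port; pf rules name the interface and nets.
_CAP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+), length (?P<length>\d+)$")
_RULE_RE = re.compile(r'^@(?P<id>\d+) (?P<action>\w+) .*? on (?P<iface>\w+) on inet '
                      r'from (?P<src>\S+) to (?P<dst>\S+) label "(?P<label>[^"]*)"$')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_capture(line):
    """Split a tcpdump summary line into endpoints, ports, protocol and length."""
    m = _CAP_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised capture line: {line!r}")
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt

def parse_rule(line):
    """Pull the action, interface, source/destination nets and label out of a pf rule."""
    m = _RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised rule line: {line!r}")
    return m.groupdict()

def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(pkt, rule):
    """True when the rule's source and destination nets both cover the packet."""
    return _in_net(pkt["src"], rule["src"]) and _in_net(pkt["dst"], rule["dst"])

def classify(pkt, rule):
    """Explain a logged packet: what it is, whether its source is RFC1918, and which rule hit."""
    private_src = any(ipaddress.ip_address(pkt["src"]) in n for n in RFC1918)
    dhcp_reply = (pkt["proto"] == "UDP" and pkt["sport"] == 67 and pkt["dport"] == 68
                  and pkt["dst"] == "255.255.255.255")
    blocked = rule["action"] == "block" and rule_matches(pkt, rule)
    return {
        "kind": "DHCP server-to-client broadcast" if dhcp_reply else "other",
        "private_source": private_src,
        "blocked_by": rule["label"] if blocked else None,
        "interface": rule["iface"],
    }
```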
#23
17.1 Legacy Series / New IPSEC settings?
March 30, 2017, 05:59:53 AM
I noticed some new settings in IPSEC that are complicating the transition a bit. (Thanks for fixing the missing certificate authority field in 17.1.4)

In phase 1 what do you enter for "remote gateway"? In 16.7 this defaulted to 'mobile client'.

A similar problem is in phase 2. Before remote subnet defaulted to 'mobile client' but now it wants an address or network entered.

Lastly, and probably has nothing to do with anything, what is 'disable mobike'?
#24
16.7 Legacy Series / Re: IPSEC with BB10
March 12, 2017, 02:29:23 PM
empty
#25
16.7 Legacy Series / Re: IPSEC with BB10
February 25, 2017, 07:42:08 PM
empty
#26
16.7 Legacy Series / IPSEC with BB10
February 25, 2017, 01:14:51 AM
I guess this just isn't going to work
#27
I have an hp and it was quite slow to install and boot up at first but after a few times it picked up 'slightly'. I say slightly because whatever is going on in the QPI synchronization, ecc ram checks, trusted computing, and what else still take forever. I imagine Dell is very similar in terms of features.
Once it was running everything is fairly snappy, and that's on an sd card. So I could only imagine your delays might be a hardware issue.
For instance on the tech specs for my hp they cry and cry about not using their approved drives and whatnot so perhaps it's just an issue with a setting or two on whatever hd you are using.
#28
Ok good to know on the sizing. The card sizing was mostly because smaller cards are cheaper, no sense paying for 32gb+ when you need 4 or whatever.

What plugins won't work if the os isn't allowed to write to the card? I will be using the ramdisk options. Like I said I really only am using the firewall and the opnvpn plugin, so I assume I can just load all that after booting via a saved config file.
#29
I have opnsense on a server handling vpn traffic. I like the idea of using a read-only install on an SD card and just loading a config file onto it and using ram disks for logs (which I don't really need to check or keep). So my question is, will the firewall and opnvpn function fine without being able to write data? What functions need to write data in opnsense? I get that caching and storage do but what else?

If the img file is about 400mb why do you need a 4gb SD card? Is this to write data to? If so what would the minimum size be?