"
meh, it took a while but the time did not resync for my client. So it must be misconfigured the way I had it setup
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#17
20.7 Legacy Series / How to switch from ntpd to chrony? [SOLVED]
January 26, 2021, 02:03:25 AM
I currently have the opnsense ntpd setup to provide time sync for all connected clients and to force any client trying to use its own ntp address to sync with the opnsense ntp.
I would like to do a similar thing using chrony so that I can also take advantage of NTS since that is now available.
This is how I configured it
enabled: true
listen port: 123 (it defaulted to 323 for some reason)
nts client support: true
ntp peers: time.cloudflare.com
allowed networks: 192.168.1.1 , 192.168.2.1 (my subnets)
Then I stopped the ntp service, there seemed to be no way to explicitly disable ntpd in the gui.
Is this set up correct?
how can I disable ntpd in opnsense? I assume it will just restart after a reboot.
I would like to do a similar thing using chrony so that I can also take advantage of NTS since that is now available.
This is how I configured it
enabled: true
listen port: 123 (it defaulted to 323 for some reason)
nts client support: true
ntp peers: time.cloudflare.com
allowed networks: 192.168.1.1 , 192.168.2.1 (my subnets)
Then I stopped the ntp service, there seemed to be no way to explicitly disable ntpd in the gui.
Is this set up correct?
how can I disable ntpd in opnsense? I assume it will just restart after a reboot.
#18
18.7 Legacy Series / Re: No web access from LAN interface, full web access from VPN interface, same WAN
October 18, 2018, 05:07:06 AM
I beat my head on this for a while then just reinstalled opnsense, I forgot to try opnsense-bootstrap instead of a clean install. But since its a vm its not like its a huge deal to load another VM.
I will say that whatever happened it was with an old config that I had kept going from 16.7 so who knows what got stuck misconfigured as things changed. And whatever it was doing was crushing unbound DNS on boot. It would take several minutes to not at all to load past that service.
I will say that whatever happened it was with an old config that I had kept going from 16.7 so who knows what got stuck misconfigured as things changed. And whatever it was doing was crushing unbound DNS on boot. It would take several minutes to not at all to load past that service.
#19
18.7 Legacy Series / No web access from LAN interface, full web access from VPN interface, same WAN
October 17, 2018, 03:10:20 AM
I really have no clue what I did here. And its bugging the crap out of me. I have my OpnSense running in a VM, it has been this way for quite a while with no issues.
My LAN was hooked up to an access point to provide WIFI.
Another NIC(on the same network card) was plugged in to a computer for VPN access.
At some point I have lost internet connection with the clearnet LAN, it does log into the WebGUI fine but cant access any external pages.
Anything attached to the VPN works fine. I switched the accses point to the VPN NIC and that worked fine, so its not the AP. I swapped the ethernet interfaces in the WebGUI and the problem didnt stay with one interface. It just stays in whatever is connected to the LAN.
Unplugging the AP and plugging a computer directly with the ethernet cable also only allows access to webGUI and nothing else. So, again, Im doubting its the AP but rather some configuration that broke somewhere.
I appreciate the strict security measures but it is pretty annoying.
My LAN was hooked up to an access point to provide WIFI.
Another NIC(on the same network card) was plugged in to a computer for VPN access.
At some point I have lost internet connection with the clearnet LAN, it does log into the WebGUI fine but cant access any external pages.
Anything attached to the VPN works fine. I switched the accses point to the VPN NIC and that worked fine, so its not the AP. I swapped the ethernet interfaces in the WebGUI and the problem didnt stay with one interface. It just stays in whatever is connected to the LAN.
Unplugging the AP and plugging a computer directly with the ethernet cable also only allows access to webGUI and nothing else. So, again, Im doubting its the AP but rather some configuration that broke somewhere.
I appreciate the strict security measures but it is pretty annoying.
#20
18.7 Legacy Series / Re: Issue with pci-passthrough Intel 82576 NIC
September 26, 2018, 01:07:34 AM
I forgot to also mention, both of these NICs did work when I had Opnsense installed as standalone.
#21
18.7 Legacy Series / Issue with pci-passthrough Intel 82576 NIC
September 26, 2018, 12:53:48 AM
I have Opnsense in a xen HVM. I have passed several realtek 8111 NICs to Opnsense with no issues. But I have 1 card with two Intel 82576 NICs on it that has issues.
Opnsense 'sees' these NICs and identifies them as igb0 and igb1 which implies to me that the correct drivers are also loaded. But when I plug in a device to a NIC it is unable to get DHCP configuration from Opnsense and cannot communicate through the card(one orange light and one green light). Plugging in the same device into one of the Realtek NICs works fine.
All rules are the same between an 8111 NIC and the 82576 NICs as far as I can tell.
Each device has its own static IPv4 addy.
A firewall rule of let ipv4 from (yournamehere)net to any.
An autocreated NAT outbound rule for all networks to wan.
DHCP enabled on each lan giving a range of assignable addresses.
Unbound DNS resolver enabled and 'Enable Forwarding mode' set.
I am unsure of where to start to localize the issue and figured I would ask here and save some time.
Thanks
Opnsense 'sees' these NICs and identifies them as igb0 and igb1 which implies to me that the correct drivers are also loaded. But when I plug in a device to a NIC it is unable to get DHCP configuration from Opnsense and cannot communicate through the card(one orange light and one green light). Plugging in the same device into one of the Realtek NICs works fine.
All rules are the same between an 8111 NIC and the 82576 NICs as far as I can tell.
Each device has its own static IPv4 addy.
A firewall rule of let ipv4 from (yournamehere)net to any.
An autocreated NAT outbound rule for all networks to wan.
DHCP enabled on each lan giving a range of assignable addresses.
Unbound DNS resolver enabled and 'Enable Forwarding mode' set.
I am unsure of where to start to localize the issue and figured I would ask here and save some time.
Thanks
#22
17.7 Legacy Series / Re: DHCP issue with firewall: IP on port 67 getting blocked from 68
November 15, 2017, 02:17:49 AM
So wireshark showed me the mac address of the device and it appears to be a Cisco device coming from my ISP since the first two ipv4 values match that of my assigned wan ip.
The firewall is seeing a 10.102.0.1 address from the Cisco MAC but this is not what matches the Cisco MAC and IP address shown in the ARP table.
But why then is the firewall blocking it as a private network?Why would it be showing up with a different IP but same MAC?
Further down the wireshark log under Bootp it shows:
Client IP address: 0.0.0.0 (to which i think this just means any IP, could be wrong)
Your(client)IP address: 10.102.155.99(Its not)
Next server IP address: 0.0.0.0(any again?)
Relay agent IP address: 10.102.0.1 <---The offending IP, but nothing I have configured uses an IP like this
For what its worth the only interface receiving an IP from my ISP is the WAN IP. The other LANS are their own DHCP servers.
The firewall is seeing a 10.102.0.1 address from the Cisco MAC but this is not what matches the Cisco MAC and IP address shown in the ARP table.
But why then is the firewall blocking it as a private network?Why would it be showing up with a different IP but same MAC?
Further down the wireshark log under Bootp it shows:
Client IP address: 0.0.0.0 (to which i think this just means any IP, could be wrong)
Your(client)IP address: 10.102.155.99(Its not)
Next server IP address: 0.0.0.0(any again?)
Relay agent IP address: 10.102.0.1 <---The offending IP, but nothing I have configured uses an IP like this
For what its worth the only interface receiving an IP from my ISP is the WAN IP. The other LANS are their own DHCP servers.
#23
17.7 Legacy Series / Re: DHCP issue with firewall: IP on port 67 getting blocked from 68
November 14, 2017, 03:51:52 AM
Thanks, i thought it was odd the level of detail wasnt changing.
#24
17.7 Legacy Series / DHCP issue with firewall: IP on port 67 getting blocked from 68
November 12, 2017, 10:53:14 PM
I have numerous firewall entries from an IP address trying to call the 255.255.255.255.68 address internally.
packet capture log set to full(not any different in detail from other settings)
13:33:32.895203 IP 10.102.0.1.67 > 255.255.255.255.68: UDP, length 250
When I look at the firewall log the explanation for the blocking is
@61 block drop in log quick on bce0 on inet from 10.0.0.0/8 to any label "Block private networks from WAN"
These incidents happen every minute or so. There doesn't seem to be any issues. 67 and 68 are related to dhcp and that seems to be working properly. I have three lans that have their own dns servers and they are being assigned IP addresses and dns addresses correctly.
Any thoughts? I thought packet capture might give me more detail on the source of this IP but it didnt return much detail.
packet capture log set to full(not any different in detail from other settings)
13:33:32.895203 IP 10.102.0.1.67 > 255.255.255.255.68: UDP, length 250
When I look at the firewall log the explanation for the blocking is
@61 block drop in log quick on bce0 on inet from 10.0.0.0/8 to any label "Block private networks from WAN"
These incidents happen every minute or so. There doesn't seem to be any issues. 67 and 68 are related to dhcp and that seems to be working properly. I have three lans that have their own dns servers and they are being assigned IP addresses and dns addresses correctly.
Any thoughts? I thought packet capture might give me more detail on the source of this IP but it didnt return much detail.
#25
17.1 Legacy Series / New IPSEC settings?
March 30, 2017, 05:59:53 AM
I noticed some new settings in IPSEC that are complicating the transition a bit. (Thanks for fixing the missing certificate authority field in 17.1.4)
In phase 1 what do you enter for "remote gateway"? In 16.7 this defaulted to 'mobile client'.
A similar problem is in phase 2. Before remote subnet defaulted to 'mobile client' but now it wants an address or network entered.
Lastly, and probably has nothing to do with anything, what is 'disable mobike'?
In phase 1 what do you enter for "remote gateway"? In 16.7 this defaulted to 'mobile client'.
A similar problem is in phase 2. Before remote subnet defaulted to 'mobile client' but now it wants an address or network entered.
Lastly, and probably has nothing to do with anything, what is 'disable mobike'?
#28
16.7 Legacy Series / IPSEC with BB10
February 25, 2017, 01:14:51 AM
I guess this just isnt going to work
#29
Hardware and Performance / Re: Performance on Dell servers
February 01, 2017, 01:16:44 AM
I have an hp and it was quite slow to install and boot up at first but after a few times it picked up 'slightly'. I say slightly because whatever is going on in the QPI synchronization, ecc ram checks, trusted computing, and what else still take forever. I imagine Dell is very similar in terms of features.
Once it was running everything is fairly snappy, and thats on an sd card. So I could only imagine your delays might be a hardware issue.
For instance on the tech specs for my hp they cry and cry about not using their approved drives and whatnot so perhaps its just an issue with a setting or two on whatever hd you are using.
Once it was running everything is fairly snappy, and thats on an sd card. So I could only imagine your delays might be a hardware issue.
For instance on the tech specs for my hp they cry and cry about not using their approved drives and whatnot so perhaps its just an issue with a setting or two on whatever hd you are using.
#30
Hardware and Performance / Re: Minimums for sd card installs
January 30, 2017, 04:22:14 PM
Ok good to know on the sizing. The card sizing was mostly because smaller cards are cheaper, no sense paying for 32gb+ when you need 4 or whatever.
What plugins wont work if the os isnt allowed to write to the card? I will be using the ramdisk options. Like I said I really only am using the firewall and the opnvpn plugin, so I assume I can just load all that after booting via a saved config file.
What plugins wont work if the os isnt allowed to write to the card? I will be using the ramdisk options. Like I said I really only am using the firewall and the opnvpn plugin, so I assume I can just load all that after booting via a saved config file.
