Messages - cybermaus

1
General Discussion / Can I restore part of a config.xml?
« on: May 16, 2021, 03:44:44 pm »
On an old 18.7.9 build,

due to an SSD failure and an outdated cold standby build, I am in urgent need to "transplant" only the <monit>, <openvpn> and various <ca> and <cert> sections.


Some context: I do have a recent backup, but it's of the failed device, not the currently running, slightly different hardware cold standby one. And I cannot get onsite. Therefore reboots must be a "sure thing" and I am scared to apply the entire backup XML.


Can such partial config transplant be done easily, with little to no risk to the core routing?

Can I simply remove everything except the <monit> section from the XML, and then import it via the GUI? Or would such an import overwrite everything, leaving a nearly empty config?

Or should I manually edit and merge both XML before importing it?

Or do I need to really re-enter every monit line and ca/cert manually one by one?



Many thanks for any advice.
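The "manually edit and merge both XML" option from the post above, as an added example in Python. This is not code from the poster or from the OPNsense project. It assumes the config.xml layout of the 18.x series (root <opnsense>, repeatable top-level <ca> and <cert> elements, refid values referenced by <caref>/<certref> inside certs and OpenVPN servers); both sample documents are constructed. After copying the sections it checks that every caref/certref still resolves, because an <openvpn> section transplanted without its CA and certificate is exactly the kind of config that breaks on the next reboot.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample standing in for the backup of the failed device. The
# layout (root <opnsense>, repeatable top-level <ca>/<cert>, refid values
# referenced via <caref>/<certref>) follows OPNsense's config.xml as an
# assumption; the values are made up.
BACKUP_XML = """<opnsense>
  <system><hostname>fw-failed</hostname></system>
  <interfaces><lan><if>em0</if></lan></interfaces>
  <ca><refid>ca01</refid><descr>Site CA</descr><crt>LS0t...</crt></ca>
  <cert><refid>crt01</refid><descr>VPN server</descr><caref>ca01</caref><crt>LS0t...</crt><prv>LS0t...</prv></cert>
  <openvpn>
    <openvpn-server><vpnid>1</vpnid><caref>ca01</caref><certref>crt01</certref></openvpn-server>
  </openvpn>
  <monit><general><enabled>1</enabled></general></monit>
</opnsense>"""

# Constructed sample of the running cold standby (different NIC, no VPN yet).
STANDBY_XML = """<opnsense>
  <system><hostname>fw-standby</hostname></system>
  <interfaces><lan><if>igb0</if></lan></interfaces>
  <monit><general><enabled>0</enabled></general></monit>
</opnsense>"""

# Top-level sections to carry over; interfaces, rules and system settings of
# the target are deliberately left untouched.
TRANSPLANT = ("monit", "openvpn", "ca", "cert")


def transplant(source_xml, target_xml, tags=TRANSPLANT):
    """Replace the listed top-level sections of target with the source's copies."""
    src = ET.fromstring(source_xml)
    dst = ET.fromstring(target_xml)
    for tag in tags:
        for old in dst.findall(tag):      # drop existing copies, avoid duplicates
            dst.remove(old)
        for new in src.findall(tag):      # <ca>/<cert> may occur many times
            dst.append(copy.deepcopy(new))
    return dst


def dangling_refs(root):
    """List <caref>/<certref> values that point at no <ca>/<cert> refid in root."""
    refids = {e.findtext("refid") for e in root.findall("ca")}
    refids |= {e.findtext("refid") for e in root.findall("cert")}
    missing = []
    for el in root.iter():
        for ref_tag in ("caref", "certref"):
            ref = el.findtext(ref_tag)
            if ref is not None and ref not in refids:
                missing.append((el.tag, ref_tag, ref))
    return missing


def merged_config(source_xml=BACKUP_XML, target_xml=STANDBY_XML):
    """Merge, and refuse to hand back a config whose VPN/cert references are broken."""
    root = transplant(source_xml, target_xml)
    problems = dangling_refs(root)
    if problems:
        raise ValueError(f"unresolved references after merge: {problems}")
    return root


if __name__ == "__main__":
    # The output still contains private keys (<prv>); treat the file accordingly.
    print(ET.tostring(merged_config(), encoding="unicode"))
```

The reference check is the part worth keeping even if the merge itself is done by hand: a cert whose CA is missing, or a server whose cert is missing, is silently accepted by the XML but fails when the service is started.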

2
General Discussion / DNS-DHCP and multi-homed (wifi-eth) clients
« on: April 09, 2021, 09:14:40 am »
Hi

I ran into a problem today where DNS was returning an IP address for a DHCP client. However, that client had plugged in a cable and shut down WiFi. Of course both were in the leases table, under the same name.

And this was sufficiently long ago that even in OPNsense the WiFi was labeled as "offline".

I guess DNS just returns the first match, but can we customize it to return the first active match, and anyway, if both are active, return the Eth link?
Any ideas how to achieve this?

Alternatively, I guess I could bridge WiFi and Eth into a single bridge with a single MAC, but I tried that a few years back and found it also not very stable.

Thanks




3
18.7 Legacy Series / Re: Firewall: No logging for "default deny rule"
« on: December 31, 2018, 07:40:21 am »
But you can turn it off, so it's all OK.

As stated, in System: Settings: Logging

4
18.7 Legacy Series / Firewall: No logging for "default deny rule"
« on: December 27, 2018, 11:36:05 pm »
So I understand there is a default deny rule. Anything not mentioned in a user rule, meaning anything not visible in any rule, is denied. Simple enough.

But it jams up the log. I am not at all interested in all these old Bittorrent (port 8999) and other sniffers/scanners/beggars/whatever hitting my WAN interface from the outside.

Can I turn off logging for the default deny rule?  On the WAN interface specifically, because there is nothing I can do against those scanners anyway.
Mind you, I am interested in seeing logs for the default deny rule for the internal interfaces. But that is a lot less, and also something I can actually do something with (by locating the client and de-installing whatever offending program)

Right now I made an extra deny-everything user rule at the bottom of my WAN rules, which works, but it would seem nicer to just change the logging default for WAN?


5
18.7 Legacy Series / Re: Secondary IP range on interface
« on: December 23, 2018, 08:17:17 pm »
Making a larger subnet and then splitting it into virtual smaller subnets did cross my mind.
But I was hoping there was a cleaner and easier option. As mentioned, we can add a Virtual IP network, why not simply be able to serve it?


At the danger of making this into a security discussion, and thus distracting from the question of 'how', turning it into a debate on 'why', I will argue the following
(please let that not dissuade anyone from assisting about the 'how' I could most easily do this)


At its core, you are correct when you claim that a VLAN is best and a shared Ethernet domain is far from ideal. But it is not true that it's black and white. Doing something in the middle has some value.

To build a separate VLAN, I would have to replace not one, but a small dozen small distributed switches. At €50 each (for a fairly cheap one) that starts to add up. Also, documenting and managing all those individual ports individually is not very desirable. As well as adding yet another dozen IP-managed devices.

Spoofing, sniffing, promiscuous mode, are all things that can be expected from non-trusted devices. Mostly however, botnets are used not as spies but as slaves to do DDoS attacks and cryptomining.
That is not useful if the device can then also not talk to the outside world. Arguably even spying is not useful unless reported to some agent in the outside world.

Not that it cannot be done, as I am sure you will argue. It's actually pretty simple, because all the needed routable info is in sniffed DHCP packets to other clients. But I think this is not common practice yet. So statistically, by not giving an IoT malware agent a gateway, you crippled it. Statistically.


So in principle you are correct. But there is some value to putting IoT on a separate non-routed subnet. It surely is a hell of a lot better than putting it on your normal subnet and even port forwarding it, or dropping it on the cloud, because of the handy app it came with. As happens with the vast majority of consumers, so malware writers are not even interested in adding extra footprint for extra smarts.

So, if your argument is: A separate VLAN is best, then you are correct. If your argument is: You are not doing a VLAN, so you may as well not do anything, then I disagree.

6
18.7 Legacy Series / Re: Secondary IP range on interface
« on: December 22, 2018, 11:18:19 pm »
Correct, that is what I meant to ask, sorry if not clear.

All DHCP requests go to the normal IP range.
But specific known MAC addresses if programmed, go to a hard IP address. This is also already normal function.
Just in my desired case, that IP happens to be outside of the normal pool, and part of the net that is addressed by the Virtual IP.

I can already select the MAC and add an IP address, it just will not let me serve an address from the Virtual IP range. I used to have OpenWRT, where this was less of an issue. Not that I want to go back or anything.


Alternatively, I guess I could also simply refuse to serve that MAC address completely, and have a secondary DHCP server by means of a small extra OpenWRT server, to serve only those MACs, but that would be an extra server, seems like just an extra thing that can fail.

7
18.7 Legacy Series / Re: Secondary IP range on interface
« on: December 21, 2018, 09:08:05 pm »
Somewhat agreed, but I want to avoid this to become a discussion on security.
Any suggestions on how I could achieve the alternate address DHCP serving?

After all, ignoring the why, I can add the Virtual-IP range to the system, so why not serve it too.

8
18.7 Legacy Series / Secondary IP range on interface
« on: December 20, 2018, 10:05:30 pm »
Hello


I would like to have a secondary IP address & range on the same LAN interface.
While I would prefer it to be a full VLAN, there are reasons why it cannot be; it has to be on the untagged LAN.


I made it work by adding a Virtual IP range to the Firewall, and almost all is working as I like.
Except I would like to have hardcoded DHCP leases for this secondary range for specific MAC devices. (In fact, the entire secondary range is for IoT devices, that I can thus easily block or temporarily open from the internet, but many IoT devices are not VLAN tag capable.)

And that is where I struggle. The DHCP server only allows the primary address range.

So I would like to add the secondary address, somehow, as an actual interface on the same untagged NIC, or something like that.
Alternatively, I would like to trick the DHCP server to serve leases for specific MAC to addresses outside of its normal range.


Any suggestions?

9
18.7 Legacy Series / Re: Empy update and other selection lists
« on: December 17, 2018, 11:24:59 pm »
Hmm, seems to solve it: using Edge instead of Chrome seems to solve all issues?

I thought Chrome was the standard nowadays; did MS not even announce Edge will use the Chromium engine in the near future?

10
18.7 Legacy Series / Re: Empy update and other selection lists
« on: December 17, 2018, 11:06:26 pm »
I ran an update from the console menu (option 12)

Which seems to have both brought me to 18.7.9 and solved the empty update/plugin/settings panels.
So some improvement

But the traffic shaper metric is still blank. And the "checking, please wait (for update)" is also still never completing. So still not quite OK.

11
18.7 Legacy Series / Re: Empy update and other selection lists
« on: December 17, 2018, 10:53:25 pm »
Since in other emails it is often requested, the output from
# pkg update -f
# pkg rquery %n | grep os-

Code:
root@OPNsense:~ # pkg update -f
Updating OPNsense repository catalogue...
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01
Fetching packagesite.txz: 100%  140 KiB 143.8kB/s    00:01
Processing entries: 100%
OPNsense repository update completed. 559 packages processed.
All repositories are up to date.
root@OPNsense:~ # pkg rquery %n | grep os-
nagios-plugins
os-acme-client
os-acme-client-devel
os-api-backup-devel
os-arp-scan
os-arp-scan-devel
os-bind
os-bind-devel
os-boot-delay
os-boot-delay-devel
os-c-icap
os-c-icap-devel
os-cache
os-cache-devel
os-clamav
os-clamav-devel
os-collectd
os-collectd-devel
os-debug
os-debug-devel
os-dnscrypt-proxy
os-dnscrypt-proxy-devel
os-dyndns
os-dyndns-devel
os-freeradius
os-freeradius-devel
os-frr
os-frr-devel
os-ftp-proxy
os-ftp-proxy-devel
os-haproxy
os-haproxy-devel
os-helloworld
os-helloworld-devel
os-igmp-proxy
os-igmp-proxy-devel
os-intrusion-detection-content-et-pro
os-intrusion-detection-content-et-pro-devel
os-intrusion-detection-content-pt-open
os-intrusion-detection-content-pt-open-devel
os-intrusion-detection-content-snort-vrt
os-intrusion-detection-content-snort-vrt-devel
os-iperf
os-iperf-devel
os-l2tp
os-l2tp-devel
os-lcdproc-sdeclcd
os-lcdproc-sdeclcd-devel
os-lldpd
os-lldpd-devel
os-mail-backup-devel
os-mdns-repeater
os-mdns-repeater-devel
os-net-snmp
os-net-snmp-devel
os-nginx
os-nginx-devel
os-node_exporter
os-node_exporter-devel
os-ntopng
os-ntopng-devel
os-nut
os-nut-devel
os-openconnect
os-openconnect-devel
os-postfix
os-postfix-devel
os-pppoe
os-pppoe-devel
os-pptp
os-pptp-devel
os-quagga
os-quagga-devel
os-redis
os-redis-devel
os-relayd
os-relayd-devel
os-rfc2136
os-rfc2136-devel
os-rspamd
os-rspamd-devel
os-shadowsocks
os-shadowsocks-devel
os-siproxd
os-siproxd-devel
os-smart
os-smart-devel
os-snmp
os-snmp-devel
os-softether-devel
os-theme-cicada
os-theme-cicada-devel
os-theme-rebellion
os-theme-rebellion-devel
os-theme-tukan
os-theme-tukan-devel
os-tinc
os-tinc-devel
os-tor
os-tor-devel
os-upnp
os-upnp-devel
os-vmware
os-vmware-devel
os-vnstat
os-vnstat-devel
os-web-proxy-sso
os-web-proxy-sso-devel
os-web-proxy-useracl
os-web-proxy-useracl-devel
os-wol
os-wol-devel
os-xen
os-xen-devel
os-zabbix-agent
os-zabbix-agent-devel
os-zabbix-proxy
os-zabbix-proxy-devel
os-zerotier
os-zerotier-devel
root@OPNsense:~ #

12
18.7 Legacy Series / Empy update and other selection lists
« on: December 17, 2018, 10:27:40 pm »
I recently replaced my V16 with V18.7.3 by making a clean install.

Mostly it seems to work, except I have some weirdness in some screens
The install and config actually was uneventful. Downloaded the vga image, made a USB using the dd tool, ran the install. Nothing special happened.

Also setting up interfaces and making the network work is OK. It is actually working.
But ....

In several windows I have empty selections. Like traffic shaping: I cannot select a metric, it is an empty choice list, so I cannot make a pipe.

Same for the update window. It is hanging in a 'checking please wait', and shows no versions, not even the installed base version. But also the repository lists (updates, packages, settings) are empty and cannot have anything added.

Also, there seems to be a PHP error constantly reported.


Any suggestions? (other than reinstalling from scratch again....)
Thanks!

13
17.1 Legacy Series / Re: Backup / migrate OpnSense
« on: January 25, 2018, 04:33:54 pm »

It seems after restore config and reboot, there is a brief moment in the boot sequence *on the console* where you can "press any key to assign interfaces"

In my case, this was critical, because the base interface was named bge0 instead of em0, and as a result, if you miss this, it will auto-assign some stuff, and the underlying VLAN assignments did not match anymore.

But re-restoring, and doing it again, this time assigning the interfaces correctly, and it all seems to work.


Or so I hope, let's see if the device actually works once it is shipped and hooked up.


14
17.1 Legacy Series / Re: Backup / migrate OpnSense
« on: January 22, 2018, 10:08:18 pm »
It would be highly convenient if I could finish this week (someone is traveling back Sunday, and needs to carry the new PC), so 18.1 may be too far a reach.

So I need to ensure that during install I name the interfaces the same, and then just the import should make everything work. Including VLAN, rules, OpenVPN, DynDNS? Nothing else I would need to grab?


I guess if those work, in other words remote access through OpenVPN works, I am past the critical part, as I can then tune remotely.


15
17.1 Legacy Series / Backup / migrate OpnSense
« on: January 22, 2018, 09:35:05 pm »
Quick question:

I need to replace the PC. Due to reasons, I cannot have both systems side-by-side to try one before losing the other (remote access and travel issues).

Is it sufficient to backup "System: Configuration: Backups" to completely restore functionality?
Can I / Should I install 17.7 right away, or best stick to 17.1?
I suspect I will need to check/redo the interfaces, as they may be new devices? Especially since I am using VLANs.

Any tips/hints/warnings are appreciated.

Many thanks


Current version:
OPNsense 17.1.8-amd64
FreeBSD 11.0-RELEASE-p10
OpenSSL 1.0.2l 25 May 2017
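The bge0/em0 mismatch described in this thread (the restored config naming NICs the new hardware does not have, and the VLAN assignments no longer matching) can be dealt with before the restore by rewriting the device names in the backup. The following is an added example in Python, not code from the forum or from the OPNsense project. It assumes the 17.x/18.x config.xml layout as used by this series: physical devices in <interfaces>/<name>/<if>, VLANs in <vlans>/<vlan> with a <vlanif> of the legacy form parent_vlanTAG that is itself referenced from an interface's <if>; the sample document is constructed. The point the example makes is that renaming em0 alone is not enough, because em0_vlan10 embeds the parent name and must follow it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant config.xml parts. Element names follow
# the OPNsense 17.x/18.x layout as an assumption for this example; the legacy
# VLAN device name embeds its parent NIC (em0_vlan10).
OLD_CONFIG = """<opnsense>
  <vlans>
    <vlan><if>em0</if><tag>10</tag><vlanif>em0_vlan10</vlanif><descr>IoT</descr></vlan>
  </vlans>
  <interfaces>
    <wan><if>em1</if><descr>WAN</descr></wan>
    <lan><if>em0</if><descr>LAN</descr></lan>
    <opt1><if>em0_vlan10</if><descr>IOT</descr></opt1>
  </interfaces>
</opnsense>"""

# Mapping from the old box's NIC names to the replacement's (constructed).
NIC_MAP = {"em0": "bge0", "em1": "bge1"}


def remap_device(name, nic_map):
    """Rename a physical device, or a legacy <parent>_vlan<tag> name derived from it."""
    m = re.fullmatch(r"([a-z]+\d+)(_vlan\d+)?", name or "")
    if not m:
        return name
    parent, suffix = m.group(1), m.group(2) or ""
    return nic_map.get(parent, parent) + suffix


def remap_config(xml_text, nic_map):
    """Rewrite every <if> and <vlanif> in the document; return (root, count changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for tag in ("if", "vlanif"):
        for el in root.iter(tag):
            new = remap_device(el.text, nic_map)
            if new != el.text:
                el.text = new
                changed += 1
    return root, changed


def unmapped_devices(root, nic_map):
    """Physical devices still referenced that the target hardware will not have."""
    known = set(nic_map.values())
    return sorted({el.text for el in root.iter("if")
                   if "_vlan" not in el.text and el.text not in known})


if __name__ == "__main__":
    root, n = remap_config(OLD_CONFIG, NIC_MAP)
    leftovers = unmapped_devices(root, NIC_MAP)
    print(f"{n} device references rewritten; unmapped: {leftovers or 'none'}")
    print(ET.tostring(root, encoding="unicode"))
```

Run unmapped_devices on the result before importing: anything it lists is a NIC the console "assign interfaces" prompt will still ask about, which on a remote box is exactly the step you want to avoid.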

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved