Topics - cybermaus

1
General Discussion / Can I restore part of a config.xml?
« on: May 16, 2021, 03:44:44 pm »
On an old 18.7.9 build, due to SSD failure and an outdated cold standby build, I am in urgent need to "transplant" only the <monit>, <openvpn> and various <ca> and <cert> sections.


Some context: I do have a recent backup, but it's of the failed device, not the currently running, slightly different hardware cold standby one. And I cannot get onsite. Therefore reboots must be a "sure thing" and I am scared to apply the entire backup XML.


Can such a partial config transplant be done easily, with little to no risk to the core routing?

Can I simply remove anything except the <monit> from the XML, and then import it via the GUI? Or would such an import overwrite everything, leaving a nearly empty config?

Or should I manually edit and merge both XML before importing it?

Or do I need to really re-enter every monit line and ca/cert manually one by one?



Many thanks for any advice.

2
General Discussion / DNS-DHCP and multi-homed (wifi-eth) clients
« on: April 09, 2021, 09:14:40 am »
Hi

I ran into a problem today where DNS was returning an IP address for a DHCP client. However, that client had plugged in a cable and shut down WiFi. Of course both were in the leases table, under the same name.

And this was sufficiently long ago that even in OPNsense the WiFi was labeled as "offline".

I guess DNS just returns the first match, but can we customize it to return the first active match, and anyway if both are active, return the Eth link?
Any ideas how to achieve this?

Alternatively, I guess I could bridge WiFi and Eth into a single bridge with a single MAC, but I tried that a few years back and found it also not very stable.

Thanks




3
18.7 Legacy Series / Firewall: No logging for "default deny rule"
« on: December 27, 2018, 11:36:05 pm »
So I understand there is a default deny rule. Anything not mentioned in a user rule, meaning anything not visible in any rule, is denied. Simple enough.

But it jams up the log. I am not at all interested in all these old Bittorrent (port 8999) and other sniffers/scanners/beggars/whatever hitting my WAN interface from the outside.

Can I turn off logging for the default deny rule?  On the WAN interface specifically, because there is nothing I can do against those scanners anyway.
Mind you, I am interested in seeing logs for the default deny rule for the internal interfaces. But that is a lot less, and also something I can actually do something with (by locating the client and de-installing whatever offending program)

Right now I made an extra user rule to deny everything at the bottom of my WAN rules, which works, but it would seem nicer to just change the logging default for WAN?


4
18.7 Legacy Series / Secondary IP range on interface
« on: December 20, 2018, 10:05:30 pm »
Hello


I would like to have a secondary IP address & range on the same LAN interface.
While I would prefer it to be a full VLAN, there are reasons why it cannot be, it has to be on untagged LAN


I made it work by adding a Virtual IP range to the Firewall, and almost all is working as I like.
Except I would like to have hardcoded DHCP leases for this secondary range for specific MAC devices. (In fact, the entire secondary range is for IoT devices, that I can thus easily block or temporarily open from the internet, but many IoT devices are not VLAN tag capable.)

And that is where I struggle. The DHCP server only allows the primary address range.

So I would like to add the secondary address, somehow, as an actual interface on the same untagged NIC, or something like that.
Alternatively, I would like to trick the DHCP server to serve leases for specific MAC to addresses outside of its normal range.


Any suggestions?

5
18.7 Legacy Series / Empty update and other selection lists
« on: December 17, 2018, 10:27:40 pm »
I recently updated/replaced my V16 by V18.7.3 by making a clean install.

Mostly it seems to work, except I have some weirdness in some screens
The install and config actually was uneventful. Downloaded the vga image, made a USB using the dd tool, ran the install. Nothing special happened.

Also setting up interfaces and making the network work is OK. It is actually working.
But ....

In several windows I have empty selections. Like traffic shaping, I cannot select a metric, it is an empty choice list, so I cannot make a pipe.

Same for the update window. It is hanging in a 'checking please wait', and shows no versions, not even the installed base version. But also the repository lists (updates, packages, settings) are empty and cannot have anything added.

Also, there seems to be a PHP error constantly reported.


Any suggestions? (other than reinstalling from scratch again....)
Thanks!

6
17.1 Legacy Series / Backup / migrate OPNsense
« on: January 22, 2018, 09:35:05 pm »
Quick question:

I need to replace the PC. Due to reasons, I cannot have both systems side-by-side to try one before losing the other (remote access and travel issues).

Is it sufficient to backup "System: Configuration: Backups" to completely restore functionality?
Can I / Should I install 17.7 right away, or best stick to 17.1?
I suspect I will need to check/redo the interfaces, as they may be new devices? Especially since I am using VLANs.

Any tips/hints/warnings are appreciated.

Many thanks


Current version:
OPNsense 17.1.8-amd64
FreeBSD 11.0-RELEASE-p10
OpenSSL 1.0.2l 25 May 2017

7
17.1 Legacy Series / Insight graphs on peak instead of average?
« on: July 10, 2017, 06:54:02 pm »
Is it possible to collect the insight graphs on peak values rather than average?

For example, to judge whether I need to upgrade my campground fiber from 100Mb to 250Mb (probably not, but let's not get ahead of ourselves) I would like to see the 2-second average. Or if that is too much data, aggregate into 5 minute blocks on peak (2 second) bandwidth instead of average bandwidth.

(PS : I suggest 2-second, because that is what the "Traffic Graph" seems to be using, so likely that value is already processed somewhere.)

Or is there some other way I can detect if web browsing is sometimes slow due to congestion?



8
17.1 Legacy Series / Captive Portal service does not start
« on: June 28, 2017, 11:08:19 pm »
So I got OPNsense to run, seems to work.
It's to replace an OpenWRT box with more power, but also more ease and comfort.

The only thing I seem to still have a problem with is the Captive Portal.
No authentication needed, splash-page only. I configured it, but it does not want to start.

And I am not really sure where to get logs, the only log I got is rather thin.
See the attached pics.

Any assistance appreciated.

9
17.1 Legacy Series / Set DHCPD option MTU 26
« on: June 28, 2017, 08:39:05 pm »
I am trying to have DHCP on a VLAN interface direct the clients to set MTU to 1492 instead of 1500

The DHCP option for that is 26, followed by a hardcoded 2 and then a 16 bit unsigned value
http://www.networksorcery.com/enp/protocol/bootp/option026.htm


The hardcoded 2 is the 8 bit type/length, which is what I am guessing is the selection of the 16 bit unsigned in OPNsense? So in OPNsense's DHCP option fields I put:   26; "Unsigned 16 bit"; 1492


But neither my phone nor my laptop responds to this, so I am not sure, someone either confirming or correcting me would be nice. Especially because when I did the same in an OpenWRT based router, it did work on the same phone and laptop.
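
The wire layout of DHCP option 26 discussed in the post above, as an added example that is not part of the original post and is not OPNsense code: it encodes the option as code, length and 16-bit value, and walks a raw options field (as copied from a packet capture) to confirm whether the server really sent it. All function names and the sample bytes are constructed for illustration.

```python
import struct

OPT_PAD, OPT_INTERFACE_MTU, OPT_END = 0, 26, 255
MIN_MTU = 68  # RFC 2132: smallest legal value for option 26

def encode_mtu_option(mtu: int) -> bytes:
    """Option 26 on the wire: code (1 byte), length = 2 (1 byte), MTU (2 bytes, big-endian)."""
    if not MIN_MTU <= mtu <= 0xFFFF:
        raise ValueError(f"MTU {mtu} outside 68..65535")
    return struct.pack("!BBH", OPT_INTERFACE_MTU, 2, mtu)

def parse_options(data: bytes) -> dict:
    """Walk a DHCP options field (the bytes after the magic cookie) into {code: value}."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if code == OPT_END:          # end marker terminates the field
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options

def offered_mtu(data: bytes):
    """Return the MTU carried in option 26, or None if the option is absent."""
    raw = parse_options(data).get(OPT_INTERFACE_MTU)
    if raw is None:
        return None
    if len(raw) != 2:
        raise ValueError("option 26 must carry exactly 2 value bytes")
    (mtu,) = struct.unpack("!H", raw)
    if mtu < MIN_MTU:
        raise ValueError("MTU below the RFC 2132 minimum of 68")
    return mtu

# Constructed sample: message type 5 (ACK), subnet mask, option 26, end marker.
SAMPLE = (bytes([53, 1, 5, 1, 4, 255, 255, 255, 0])
          + encode_mtu_option(1492) + bytes([OPT_END]))
```

For an MTU of 1492 the option is the four bytes `1a 02 05 d4`; if a capture of the server's reply does not contain them, the option is not being served, otherwise the client is ignoring it.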

