Messages

Well done!

The thing is that nobody knows better what do you need or expect from your firewall, and so, it is better to read first, to learn about its features and most of all, learn its limits.

I don't know guys.. is it worth it to label people (even if it's true)? :-)

Got my answer (there is no other logging level), thanks Franco!

Closing this.

I would, but I try to avoid the use of proxies. My reasons are maintenance & performance related. I managed to do so for many years now, and I'm kinda outdated with regards to OPNsense & its proxy implementation. I tried it not to die stupid, it works, but I'm no expert, hence I cannot write any more helpful tutorial than the one already existing in the manual :)

Well, I see you have deleted your account. But just in case you are reading this, know that there are, most of the times, reasons why something is not done the way you want it to be done, reasons which sometimes are complicated enough that you won't get a satisfactory answer. Although you might have found most answers in all the guides available for contributors.

Impulsively acting in such cases is never a good idea. Forcing your way into something is an even worse idea. This is not only true with OPNsense, but also generally in life. You will accumulate so many frustrations that one day you will burst into a ball of flames.

I do appreciate the work you have put into your theme, but in your case i think it was healthier for Franco to drop the theme than fighting you. It goes without saying that if you cannot deliver (which means deliver the way it must be done), it doesn't matter how valuable your work was, it is not a deliverable in the end.

I'm sure that if you would have given it some time, listen to what Franco suggested, I mean really listen, your theme would have made its way into OPNsense somehow, even in a form of a joint theme with the existing black theme.

Where/how can I change the default logging level to a more verbose logging level of the entire OPNsense system? Except maybe for services that have this feature built-in the GUI, of course.

Thank you.

I have a few posts and comments on my radar, but I can't be sure if it's the case, and so I will not point them out, in case I'm wrong. This will only add negative feedback to the OPNsense community, and that is not the scope of this topic, so I'll stick to a general approach :)

When you say:

"1. Whenever I restart the box, I have no internet connectivity on the LAN clients; pinging from the OPNsense GUI works fine, pinging from the LAN clients (using IP or FQDN) fails"

Do you mean LAN1, LAN2 or both?


Cheers,
Franco

I have only tried LAN1

And more interestingly: Is IPv4 or IPv6 not working, or both?

I don't remember trying IPv6 (maybe I did), but it's a definitive yes for IPv4 :)

Do you want me to revert the patch and try LAN2 & IPv6?

It's not bad if it's done in good faith. It's quite good, it means there's a healthy competitive market in play to which each player reacts in some way.
But it's bad if false stuff are thrown publicly. Bad for them, as these are easily verifiable, can be confirmed as being bogus and leads to nowhere in the end. I was referring to these cases (if my judgement is not faulty), where bad faith is the single fuel of these posts.

Yeah, ignorance is bliss, I know, I do it all the time, with a few exceptions :)

Great, good work!

There you go, I'm fairly certain that's the reason. With UPnP disabled, the fw should not open any ports.
As a personal rule, I never use UPnP :)

You're very welcome.

It's just a feeling, not a certainty, can't know for sure, so I can't really point fingers and I won't. But if it's true, I certainly stand by my comment.

I got a feeling that some users here report false bugs or issues (or repeat existing ones) just to highlight how well pfsense works.

Please stop. If pfsense works out that good for you, you have no reason to be threatened by OPNsense. Any other intentions will only discredit pfsense by your actions, and not OPNsense.

This is getting really annoying, it's childish and ridiculous. And will have a significant negative impact on pfsense. Please, stay on your forum, it's better for everyone.

With carefully crafted firewall rules.
You will delete the default allow any to any rule on the LAN, create one to allow *any* access for hw2, another one to allow access from hw1 only to hw2 (so only on the LAN side), and finally bring up the local firewall of each OS, adding exceptions to whatever is needed. You will also have to assign static dhcp leases for each hw on the LAN, as manually configuring IP addresses on the LAN clients is not recommended in locked down environments. You should also consider static arp entries (read about it before enabling this, otherwise you may get locked out). You should also use limited local users (without admin privileges) on hw's on the LAN.

Without any other exceptions (rules), access to hw2 from the internet is not allowed. This is what almost all firewalls do by default, allow all outgoing, block all incoming.