Topics - hilfubsi

#1
I was happily using a US based VPN to get around the geolock for pandora.com (I don't live in the US).

I think an update might have broken that setup, so I'm trying to re-create it.

I have the US VPN connected as a VPN client and showing as connected in the status page.

Then I go to interfaces, and create a USVPN interface using ovpnc1 as the interface. Once I do that, I can't setup that interface to be DHCP for IPv4 (I'm getting an error message: "Cannot assign an IP configuration type to a tunnel interface.")

If I create the interface anyway and leave it at None for IPv4 config, and then add a rule on my LAN network in the firewall to pass packets to pandora.com over the USVPN gateway, the packets are caught by the rule but go over the regular WAN gateway instead; and pandora.com sees my non-US IP.

How do I selectively route packets to pandora.com over the US VPN, and all the rest over the regular WAN interface?
#2
I have tried making a shaper rule with over 100 subnets in it, and the rule just gets ignored. If I edit that rule to only have 10 subnets, then it shows in the live status page and it is actually enforced.

So is there a limit to the number of subnets we can put in any given shaper rule? What is that limit?
#3
I'm trying to block all DNS queries, and only allow queries to the opnsense firewall's DNS or nextdns.io's DNS.

Attached is my config.

I try to enable or disable logging for these two rules and run `dig @1.1.1.1 example.com` but it never ever shows anything in the log (either in the web UI, or using option 10 on the serial/ssh console to opnsense) and it gets a response for any domain name I try. I would expect dig to timeout instead, and the firewall logs to show the packets were caught by the rule.

What's going on? How do I block ALL DNS queries and only allow devices inside my network to query OPNsense's internal DNS or nextdns'?
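A pf ruleset fragment for the LAN side, added here as an illustration of the rule ordering this needs; it is not taken from the post, from the attached config or from OPNsense's own generated rules. The interface name igb1, the 192.168.1.0/24 network, the firewall address 192.168.1.1 and the 203.0.113.x resolver addresses are assumptions (the real NextDNS resolver addresses come from your NextDNS account):

```pf
# Added example (not from the post or from OPNsense): restrict outbound DNS
# from the LAN to the firewall's own resolver plus a short allow-list.
# All names and addresses below are assumptions; replace them with your own.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# Permitted resolvers: the firewall itself (Unbound/Dnsmasq on OPNsense) and
# placeholder addresses standing in for the NextDNS resolvers.
table <allowed_dns> { 192.168.1.1, 203.0.113.53, 203.0.113.54 }

# 1. Allow DNS only to the permitted resolvers. "quick" stops rule evaluation
#    at the first match, which is how the OPNsense GUI writes its rules.
pass in quick on $lan_if proto { tcp udp } from $lan_net to <allowed_dns> port 53 keep state

# 2. Log and silently drop every other DNS query leaving the LAN. A dropped
#    query makes dig time out; "block return" would make it fail immediately.
block drop in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# 3. Only after the DNS rules: the usual broad "LAN to any" pass rule.
pass in quick on $lan_if from $lan_net to any keep state
```

Order is the whole point: because GUI rules are evaluated with quick, a broad "LAN to any" pass rule placed above the DNS block rule wins the match, the block never fires and nothing is logged, which matches the symptom of dig succeeding silently. Check the loaded rule order with `pfctl -sr` and the syntax of a hand-written file with `pfctl -nf <file>`. Note that matching on port 53 only covers classic DNS; DNS over TLS (853) and DNS over HTTPS (443) need their own rules.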
#4
Is anyone using OPNsense with Swisscom FTTH? I can't get it to work...

This is my configuration:

# /usr/local/etc/dhclient_wan.conf
interface "igb0_vlan10" {
        #DHCP Protocol Timing Values
        timeout 60;
        retry 15;
        select-timeout 0;
        initial-interval 1;

        #DHCP Protocol Options
        send dhcp-class-identifier "100008,0001,,OPNsense dhclient";
        script "/sbin/dhclient-script";
}


When I get an IP starting with 100.x.x.x, I can go to swisscom.com/registration, but it asks for a 6-digit code that I don't have and that customer service knows nothing about. When they ask which modem I'm using and I say it isn't the Swisscom modem, they say: "Good luck, you're on your own".

When I get an IP starting with 85.x.x.x, I can't even reach the Swisscom registration page.

How did you get your FTTH connection working with OPNsense?
#5
I have found the settings for IPv4 which is the default. But how do I update my he.net AAAA record on a dynamic IPv6?
#6
Here: https://wiki.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

In the screenshot, it shows that GIF tunnel local address should have /64 after the address.

If you try to save with that setting, the UI complains that this isn't a valid address. The only way to save the settings is to remove the /64.

I don't know if this is a bug in the form validation or if it is an error in the wiki. Either way, it's confusing and blocks the process.

Thoughts?
#7
For example, I don't want Spotify (which I pay for) to get a free ride and fill up my cache with music. I'd rather cache useful stuff like apt packages etc.

How do I tell squid to not cache certain domains and their subdomains? I don't want a particular host to bypass the proxy and cache, and I want to use domain names rather than IPs.

Is there a way? Or can I edit the squid.conf file manually and add it there? The header in the file says not to.
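A squid.conf fragment, added here as an example and not taken from the post or from OPNsense's squid template, showing the two directives that keep a domain and all of its subdomains flowing through the proxy while preventing the cache from storing their objects. The domain list is an assumption (a leading dot matches every subdomain), and the pre-auth include directory named in the comment is an assumption to verify against the squid.conf OPNsense generates:

```squid
# Added example (not from the post): do not cache selected domains.
# Assumed location on OPNsense: a file such as
# /usr/local/etc/squid/pre-auth/nocache.conf, which the generated squid.conf
# includes; confirm the include line in your own squid.conf before relying on it.

# Leading dot = the domain and every subdomain. Domain list is an assumption.
acl nocache_domains dstdomain .spotify.com

# Requests still pass through the proxy; they are simply never stored.
cache deny nocache_domains
```

Two caveats a practitioner will hit: streaming services usually serve media from CDN hostnames that differ from the main domain, so watch the access log (`cache.log`/`access.log` under /var/log/squid) for the hostnames that actually carry the bulk data and add them to the ACL; and editing the generated squid.conf directly is overwritten on the next service reload, which is why the custom include directory is the place for this.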
#8
I have setup a squid transparent proxy, my SSD is 16GB and I have set the limit for Squid's cache (under General proxy settings > show advanced > Cache size in MB) to 8500.

And yet I was bitten again: squid used up all the free space, the disk was full, and OPNsense freaked out. I was lucky this time, I was able to make some space and reboot (it got corrupt last time and I had to reinstall).

df -h shows I have 13G on /, out of which 1.8G are used by OPNsense (that's what I have after deleting squid's cache). So why does a hard limit of 8.5G on the cache size still let it use up all the free space?


root@router:~ # df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs     13G    1.8G     11G    14%    /
devfs              1.0K    1.0K      0B   100%    /dev
tmpfs              2.8G    308K    2.8G     0%    /tmp
devfs              1.0K    1.0K      0B   100%    /var/dhcpd/dev


What am I missing? How much space does OPNsense need to live happily?
#9
My configuration is as follows:

igb0 is WAN
igb1 is LAN (192.168.1.0/24)
igb2 is OPT1 (192.168.0.0/30)

I have added rules to OPT1's firewall to let traffic through. I don't think I need to add anything to LAN's rules?

But I can't ping 192.168.0.2 from the LAN or the router. I can ping 192.168.0.1.

When I take a look at the routes, it knows that 192.168.0.0/30 should go on Link#3, but 192.168.0.2 goes out the WAN gateway.

Why is that? How does it make any sense if 192.168.0.0/30 is on Link#3? Why would it send 192.168.0.2 out WAN?
#10
I have setup my LAN port to the 192.168.1.0/24 subnet, and the OPT1 interface to be the 192.168.0.0/30 subnet (only two IPs, the interface itself at 192.168.0.1, and a DNS server at 192.168.0.2).

From a device on the LAN side, I can ping OPT1 at 192.168.0.1. I can also ping it from the router. But I can only ping 192.168.0.2 from the router.

I thought it was a missing route, but I see that it knows about the 192.168.0.0/30 route in the router's admin GUI, and it says not to add any route related to one of the interfaces.

So what gives? How do I access 192.168.0.2 from my 192.168.1.0/24 subnet?
#11
I would like to setup an OpenVPN server on my OPNsense so I can encrypt my connection when using public WiFis.

I also have Letsencrypt setup with the os-acme-client plugin.

Can I use Letsencrypt for my OpenVPN server certificate? It seems the only option is to self-sign the OpenVPN certificate in the wizard.
#12
I have setup the ACME/LE plugin, and I'm able to get a valid certificate issued.

The problem is that the GUI keeps serving the self-signed certificate instead of the LE certificate. I don't know how to force it to use the LE cert instead of the self-signed one.

Attached are the Trust and LE screens. `openssl s_client -connect <my fqdn>` shows the self-signed cert being sent.

Any ideas?
#13
Once in a while, I am getting this error on apu2 via the serial console when cold starting:


usbus1: EHCI version 1.0
usbus1 on ehci0
usbus1: 480Mbps High Speed USB v2.0
isab0: <PCI-ISA bridge> at device 20.3 on pci0
isa0: <ISA bus> on isab0
sdhci_pci0: <Generic SD HCI> mem 0xf7f27000-0xf7f270ff at device 20.7 on pci0
sdhci_pci0: 1 slot(s) allocated
orm0: <ISA Option ROM> at iomem 0xef000-0xeffff on isa0
ppc0: cannot reserve I/O port range
uart0: <16550 or compatible> at port 0x3f8 irq 4 flags 0x10 on isa0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> at port 0x2f8 irq 3 on isa0
hwpstate0: <Cool`n'Quiet 2.0> on cpu0
Timecounters tick every 1.000 msec
nvme cam probe device init
ugen1.1: <AMD EHCI root HUB> at usbus1
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <SATA SSD SBFM01.1> ACS-4 ATA SATA 3.x device
uhub0: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
ada0: Serial Number 8EFA077A1AE701738346
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
ada0: Command Queueing enabled
ada0: 15272MB (31277232 512 byte sectors)
ugen0.1: <0x1022 XHCI root HUB> at usbus0
[ thread pid 15 tid 100066 ]
Stopped at      vga_bitblt_one_text_pixels_block+0x135: movl    (%rax,%r13,4),%ebx
db>


Not sure what to make of it, the only way is to unplug and replug the power. Then it will boot like nothing happened. Any ideas?
#14
My WAN is currently set to PPPoE. I have switched to a cable provider, so I need to have it as DHCP now.

But nope, it won't let me.

The error is "you have to reassign the interface to be able to configure as dhcp"

What does that even mean? I tried removing PPPoE from the Point to Point devices, but no difference.
#15
I would like to block ads network wide, similar to what pfBlockerNg/PiHole does. I would also like the firewall to block the ad domains, not only for the DNS to resolve them to a dummy IP. This is for the Android YouTube app for example that does its own DNS and for which DNS ad blocking isn't effective.

How would I go about it in OPNsense? There doesn't seem to be a pfBlockerNg plugin available.
#16
18.1 Legacy Series / os-upnp, how to make it work?
February 08, 2018, 04:04:39 AM
I have installed the os-upnp plugin. In the install log, it says:


For this daemon to work, you must modify your pf rules to add an anchor
in both the NAT and rules section.  Both must be called 'miniupnpd'.
Example:

# NAT section
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# Rules section
# uPnPd rule anchor
anchor "miniupnpd"


I don't understand what that means, and I don't know what to do with this information. UPnP doesn't work with this plugin installed, and I don't see it in the Services list on the Dashboard.

What am I missing?
#17
General Discussion / How to configure cloud backup?
February 07, 2018, 07:34:09 PM
The documentation is missing some steps, namely what role to choose for the backups to work?

Link to the docs: https://docs.opnsense.org/manual/how-tos/cloud_backup.html
#18
I have copied the nano image on my SSD since I can't boot from USB3 with the normal installer.

It works well, but my SSD is 16GB and only 3.4GB are in use. I can't run any update because it says it has run out of space while decompressing the packages.

root@router:~ # df -h
Filesystem                Size    Used   Avail Capacity  Mounted on
/dev/ufs/OPNsense_Nano    3.0G    949M    1.8G    34%    /
devfs                     1.0K    1.0K      0B   100%    /dev
tmpfs                     3.5G     13M    3.5G     0%    /var
tmpfs                     3.5G    540K    3.5G     0%    /tmp
devfs                     1.0K    1.0K      0B   100%    /var/dhcpd/dev


How do I make use of the other 13GB?
#19
TLDR: The solution is just to try another USB memory stick. I used a 16GB Kingston USB2 on the APU's USB3 port and it worked without a hitch whereas I couldn't get the SanDisk UltraFit 16GB USB3 stick to work.

I can't boot the OPNsense serial image on an APU2 using a USB3 flash drive.

I tried the serial images for 18.1 and 17.7.5 (couldn't find any other version anywhere)

The error is:

da0 at umass-sim0 bus 0 scbus2 target 0 lun 0
da0: <SanDisk Ultra Fit 1.00> Removable Direct Access SPC-4 SCSI device
da0: Serial Number xxxxxxxxxxxxxxxxxxxxxxx
da0: 400.000MB/s transfers
da0: 14663MB (30031250 512 byte sectors)
SMP: AP CPU #2 Launched!
SMP: AP CPU #1 Launched!
SMP: AP CPU #3 Launched!
da0: quirks=0x2<NO_6_BYTE>
Timecounter "TSC" frequency 998163109 Hz quality 1000
Trying to mount root from ufs:/dev/ufs/OPNsense_Install [ro,noatime]...
Mounting filesystems...
tunefs: soft updates set
GEOM_MIRROR: Force device OPNsenseMirror start due to timeout.
GEOM_MIRROR: Device mirror/OPNsenseMirror launched (1/2).
(da0:umass-sim0:0:0:0): WRITE(10). CDB: 2a 00 00 00 00 10 00 00 10 00
(da0:umass-sim0:0:0:0): CAM status: CCB request completed with an error
(da0:umass-sim0:0:0:0): Retrying command
(da0:umass-sim0:0:0:0): WRITE(10). CDB: 2a 00 00 00 00 10 00 00 10 00
(da0:umass-sim0:0:0:0): CAM status: CCB request completed with an error
(da0:umass-sim0:0:0:0): Retrying command
(da0:umass-sim0:0:0:0): WRITE(10). CDB: 2a 00 00 00 00 10 00 00 10 00
(da0:umass-sim0:0:0:0): CAM status: CCB request completed with an error
(da0:umass-sim0:0:0:0): Retrying command
(da0:umass-sim0:0:0:0): WRITE(10). CDB: 2a 00 00 00 00 10 00 00 10 00
(da0:umass-sim0:0:0:0): CAM status: CCB request completed with an error
(da0:umass-sim0:0:0:0): Retrying command
(da0:umass-sim0:0:0:0): WRITE(10). CDB: 2a 00 00 00 00 10 00 00 10 00
(da0:umass-sim0:0:0:0): CAM status: CCB request completed with an error
(da0:umass-sim0:0:0:0): Error 5, Retries exhausted
tunefs: /: failed to write superblock


I don't have a USB2 bracket to connect like this blog post suggests https://eerielinux.wordpress.com/2017/06/20/building-a-bsd-home-router-pt-5-installing-opnsense/

How do I install OPNsense?