Messages

1

22.1 Production Series / Re: Unbound DNSBL update errors

« on: March 26, 2022, 03:46:11 am »

If someone could let me know where the files go, I could manually download and place them on the router, and restart Unbound.

2

22.1 Production Series / Re: Unbound DNSBL update errors

« on: March 25, 2022, 06:22:29 pm »

Doing that curl command dumps out the file, and I'm able to check for opnsense updates on the repo which requires it, so name resolution seems to be working

3

22.1 Production Series / Re: Unbound DNSBL update errors

« on: March 25, 2022, 12:36:17 am »

Might anyone know where the files are for the built-in DNSBLs?  Perhaps I can get in there and check why it can't find them to refresh.  I don't know for sure, but the error seems like it is trying to resolve just a base path, and not a full URL.

4

22.1 Production Series / Unbound DNSBL update errors

« on: March 19, 2022, 08:36:04 pm »

I have Unbound DNSBL enabled, and a selection of the built-in blocklists set in Cron to update once a day.  However, I get this error for each of the blocklists when it tries to update:

Code: [Select]

2022-02-21T16:18:21-06:00 Error unbound blocklist download : unable to download file from https://adaway.org/hosts.txt (error : HTTPSConnectionPool(host='adaway.org', port=443): Max retries exceeded with url: /hosts.txt (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca850>: Failed to establish a new connection: [Errno 8] Name does not resolve')))

2022-02-21T16:17:20-06:00 Error unbound blocklist download : unable to download file from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (error : HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /StevenBlack/hosts/master/hosts (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca460>: Failed to establish a new connection: [Errno 8] Name does not resolve')))
Is there some configuration I might have missed beyond the checkmark in the Unbound DNSBL config, and adding the Cron job?  I don't have any custom blocklist URLs or such.

Any insight is appreciated.

5

22.1 Production Series / AT&T and IPv6

« on: February 09, 2022, 03:35:16 am »

I recently upgraded my router to 22.1 and also got AT&T fiber.  My RG is in passthrough mode so my OPNsense router gets the public IP.

I'd like to get IPv6 working properly, and have found a couple of threads from a year or more ago regarding changes to the dhcp6 conf file for multiple ia-pd and id-assoc entries to get multiple /64 delegations, for pfsense.

https://forum.netgate.com/topic/153288/multiple-ipv6-prefix-delegation-over-at-t-residential-gateway-for-pfsense-2-4-5

https://forums.att.com/conversations/att-fiber-equipment/ipv6-prefix-delegation-to-3rd-party-router-not-working-2020-edition/5e98da19fd08354359ccd447?commentId=5e9b3ea5758fed7722fd4361&replyId=5eb1a6b372a09d7a3fc8f1fb

I just wanted to check with anyone who might be able to confirm that this is proper for OPNsense 22.1 before I go mucking about in the conf files manually.

Thanks!

6

21.7 Legacy Series / Blank netdata

« on: August 26, 2021, 04:20:09 am »

I installed the netdata plugin on my router with the intent of ultimately feeding the data to a backend DB and making a Grafana display.

However, before I do that, I'd like to ensure that netdata itself is working properly.  But all I have is a blank grey screen that says "Netdata - Real-time performance monitoring done right!" at http://router:19999

It has no graphs or menus or any other elements.

Could someone perhaps point me toward what configs might need to be tweaked to get some sort of display out of it?

The settings in the OPNsense menu are Enabled / Listen address:  127.0.0.1  /  Listen port: 19999

I thought maybe I needed to change the listen address from localhost to the LAN address, but if it weren't listening at all, I wouldn't even get the grey page.

Any help is appreciated.

7

General Discussion / Re: Need help understanding VLAN rules

« on: August 19, 2021, 11:27:54 pm »

If the VLANs are created in OPNsense it should work no problem. On my bare metal OPNsense I use two NICs and have four VLANs plus LAN, and have never had to manually specify routes. Maybe a config issue with the VM in your case?

That's what I was thinking.  I was under the impression that regardless of IP space used, if I put a known IP into a browser or SSH client or whatever on a device connected on VLAN 1, it would know "Oh, I have that IP space on Interface 2!  I'll send that over there" and I get a connection.

I went through, and I realized I didn't have VLAN interfaces configured under "Interfaces->Other->VLAN" but I didn't think tagging was necessary if the interfaces are physically distinct, and the switch ports are configured for all traffic on each of the ports to be for the appropriate VLAN.

8

General Discussion / Re: Need help understanding VLAN rules

« on: August 18, 2021, 12:57:02 am »

Based on my knowledge, you need to create static routes.

If the physical interfaces of VLANs 200 and 300 have IPs 10.10.20.1/24 and 10.10.10.1/24 then you need to create static route of 10.0.0.1/8 to either 10.10.10.1 or 10.10.20.1

Basically you need to specify a gateway which both VLANs are using as gateway to point traffic towards different networks

Reason why you won't be able to gain access to VLANs from LAN is because VLANs are both in differnet IP space

Okay, so I was mistaken that OPNsense just inherently "knows" routes between its interfaces, regardless of IP subnets used.  I will look at setting up routes.

Thanks!

9

General Discussion / Re: Need help understanding VLAN rules

« on: August 18, 2021, 12:53:48 am »

Also gotta say that I find it odd that WAN is set up as a VLAN…

I'm not sure how else I would set up having four physical ports on the switch involved to provide connectivity between the router and the ISP.  I have three physical hypervisor hosts, each with a NIC in the VLAN, allowing me to migrate the OPNsense VM between them without losing connectivity to the ISP.

10

General Discussion / Re: Need help understanding VLAN rules

« on: August 16, 2021, 06:02:57 pm »

First make sure that if your switch has the feature, it allows access to it's Webgui from right VLAN (some manufacturers like Zyxel allow you to restrict management access to specific VLAN.

I have four VLANs configured on my OPNsense router, each with a distinct NIC

10 (LAN, 192.168.0.0/24)
100 (WAN, IP from ISP)
200 (MGMT, 10.10.20.0/24)
300 (IoT, 10.10.10.0/24)

10 is the PCs, tablets, media devices, etc
100 allows the OPNsense VM to move from VM host to VM host while maintaining connection to the world.
200 is iLOs, SNMP and netdata traffic, VM movement
300 is smart home stuff - cameras, etc.

VLAN 200 and 300 have a DHCP server configured with IPv4 reservations, but each host has its corresponding IP configured as static.  VLAN 10 has dynamic DHCP assignments.

My LAN interface has the default "Allow LAN to Any" rules for IPv4 and IPv6.
There are currently no rules on the MGMT interface, because I couldn't get any to work, so I have it back to how it was at initial installation and configuration.

Also if you run opnsense on custom build PC or virtual machine, make sure it's ethernet ports support IEE 802.1q (also known VLAN tagging). Opnsense vlan relies on VLAN tags and without that support, it doesn't work properly.

I was under the impression that VLAN tagging shouldn't be necessary if each VLAN is on a distinct interface, as the switch is configured for the corresponding port to be a member of the VLAN and all traffic on that port is assumed to be for that VLAN.

I was also under the impression that OPNsense is aware of its various VLANs, and configuring specific routing isn't necessary between them.

My goal is to prevent anything coming in from WAN from getting to IoT or MGMT, or anything from IoT and MGMT from getting out to WAN and LAN (initiating a session that direction) but LAN able to get to MGMT and IoT.

11

General Discussion / Need help understanding VLAN rules

« on: August 14, 2021, 12:23:50 am »

My network has four VLANs, each represented by an interface on my OPNsense host - WAN, LAN, management (MGMT) and IoT - each with their own IP subnet.  The MGMT VLAN is for SNMP traffic, VM movement, accessing iLO/DRAC, etc.

My goal is to restrict anything originating from within MGMT or IoT VLANs from getting out, but to allow only my LAN-based hosts to initiate sessions with devices on the MGMT and IoT VLANs.

I have the default "LAN to anywhere" rules, but that doesn't seem to allow me to get into the management VLAN from my LAN-connected host.  And so I'm sure I'm just confused as to where I would put the rules for accessing the other VLANs from the LAN VLAN.  Would that be on the MGMT and IoT interfaces, or the LAN interface?  I've tried putting in rules for allowing traffic from LAN to MGMT (using both "in" and "out") on the MGMT interface, but I still can't ping or access any hosts.

Or is this a routing issue?  I was under the impression that OPNsense automatically knew routing between its own interfaces.

Might anyone be able to point me to something up to date on managing inter-VLAN traffic?  I've looked at a few blogs and such, but they seem to be for much older versions and the interface and rule management have changed over time.

Thanks!

12

20.1 Legacy Series / Firewall rule guidance

« on: April 24, 2020, 06:21:07 pm »

I have three VLANs configured, connecting to three interfaces on my opnsense, and I'm trying to isolate one of them so that no traffic comes in or out, and hosts can only get DNS from opnsense and talk to each other.  No access to or from other VLANs or the Internet at large.  We'll call them A B and C.  I'd like to isolate C.

I configured a firewall rule as follows:

Interface: C
Direction: In
Protocol: Any
Source: Any
Destination: C net
Destination port range: Any

But I was still able to access web services on the hosts at IP addresses in that subnet from my primary VLAN.

Any guidance is appreciated.

13

19.7 Legacy Series / Re: "Forwarding" a port directly to OPNsense

« on: September 06, 2019, 02:27:15 am »

I do have a "modem" before OPNsense, in "passthrough" mode so that the OPNsense WAN interface gets the WAN IP.  Port forwarding to other machines behind OPNsense works just fine.  I just can't seem to get traffic coming in on port 80 or 443 to get to the service running directly on OPNsense.

14

19.7 Legacy Series / "Forwarding" a port directly to OPNsense

« on: September 06, 2019, 01:55:14 am »

I am trying to get a reverse proxy running on OPNsense, but I need to point 80 and 443 on the WAN interface to it.  I currently have two WAN firewall rules that are simply Source: WAN IP and Destination This Firewall for port ranges HTTP and HTTPS.

I just get timeouts when I attempt to connect from outside my home network.

Any help would be appreciated.

15

Tutorials and FAQs / Re: Caddy Proxy - Install and Use

« on: September 05, 2019, 08:28:57 pm »

I removed some extraneous quotation marks and everything seemed to go.  Running it from CLI on its own, the console output said a certificate had been issued. Running "service caddy status" returns its PID consistently, so now I think it's my firewall rules. 

I've put port 443 (HTTPS) into my WAN firewall rules with a source of "WAN net" and destination of "This Firewall" but I still get a timeout.  I had CloudFlare's proxy service both enabled and disabled, to no effect.  I can't get to my services.

If I forward the port on my router and use my WAN IP:port the login comes up immediately.  If I try to go through HTTPS and the domain name used in the reverse proxy, the connection times out.  I'm still trying to find a log file to parse separate from the one specified in the Caddyfile, as that seems to only log what I would call "superficial" events such as loading this or that image file into the proxy cache, not system type events, like "Yes, I've contacted the upstream DNS, certificate issued/loaded" except what I got when running Caddy directly from command line.