OPNsense
Topics - jcdick1

1
22.7 Legacy Series / Netdata monitoring assistance
« on: October 02, 2022, 10:38:37 pm »
I'm on 22.7.4 and have the netdata plugin enabled.  I set it to be bound to the LAN interface.  Sockstat shows that netdata is listening on the LAN interface on port 19999, but trying to access the URL times out.

I figure I need to make sure it's working locally before troubleshooting why it's not sending to the configured backend.

Any suggestions are appreciated.

2
22.1 Legacy Series / Unbound DNSBL update errors
« on: March 19, 2022, 08:36:04 pm »
I have Unbound DNSBL enabled, and a selection of the built-in blocklists set in Cron to update once a day.  However, I get this error for each of the blocklists when it tries to update:

Code:
2022-02-21T16:18:21-06:00 Error unbound blocklist download : unable to download file from https://adaway.org/hosts.txt (error : HTTPSConnectionPool(host='adaway.org', port=443): Max retries exceeded with url: /hosts.txt (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca850>: Failed to establish a new connection: [Errno 8] Name does not resolve')))

2022-02-21T16:17:20-06:00 Error unbound blocklist download : unable to download file from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (error : HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /StevenBlack/hosts/master/hosts (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca460>: Failed to establish a new connection: [Errno 8] Name does not resolve')))

Is there some configuration I might have missed beyond the checkmark in the Unbound DNSBL config, and adding the Cron job?  I don't have any custom blocklist URLs or such.

Any insight is appreciated.

3
22.1 Legacy Series / AT&T and IPv6
« on: February 09, 2022, 03:35:16 am »
I recently upgraded my router to 22.1 and also got AT&T fiber.  My RG is in passthrough mode so my OPNsense router gets the public IP.

I'd like to get IPv6 working properly, and have found a couple of threads from a year or more ago regarding changes to the dhcp6 conf file for multiple ia-pd and id-assoc entries to get multiple /64 delegations, for pfsense.

https://forum.netgate.com/topic/153288/multiple-ipv6-prefix-delegation-over-at-t-residential-gateway-for-pfsense-2-4-5

https://forums.att.com/conversations/att-fiber-equipment/ipv6-prefix-delegation-to-3rd-party-router-not-working-2020-edition/5e98da19fd08354359ccd447?commentId=5e9b3ea5758fed7722fd4361&replyId=5eb1a6b372a09d7a3fc8f1fb

I just wanted to check with anyone who might be able to confirm that this is proper for OPNsense 22.1 before I go mucking about in the conf files manually.

Thanks!

4
21.7 Legacy Series / Blank netdata
« on: August 26, 2021, 04:20:09 am »
I installed the netdata plugin on my router with the intent of ultimately feeding the data to a backend DB and making a Grafana display.

However, before I do that, I'd like to ensure that netdata itself is working properly.  But all I have is a blank grey screen that says "Netdata - Real-time performance monitoring done right!" at http://router:19999

It has no graphs or menus or any other elements.

Could someone perhaps point me toward what configs might need to be tweaked to get some sort of display out of it?

The settings in the OPNsense menu are Enabled / Listen address:  127.0.0.1  /  Listen port: 19999

I thought maybe I needed to change the listen address from localhost to the LAN address, but if it weren't listening at all, I wouldn't even get the grey page.

Any help is appreciated.

5
General Discussion / Need help understanding VLAN rules
« on: August 14, 2021, 12:23:50 am »
My network has four VLANs, each represented by an interface on my OPNsense host - WAN, LAN, management (MGMT) and IoT - each with their own IP subnet.  The MGMT VLAN is for SNMP traffic, VM movement, accessing iLO/DRAC, etc.

My goal is to restrict anything originating from within MGMT or IoT VLANs from getting out, but to allow only my LAN-based hosts to initiate sessions with devices on the MGMT and IoT VLANs.

I have the default "LAN to anywhere" rules, but that doesn't seem to allow me to get into the management VLAN from my LAN-connected host.  And so I'm sure I'm just confused as to where I would put the rules for accessing the other VLANs from the LAN VLAN.  Would that be on the MGMT and IoT interfaces, or the LAN interface?  I've tried putting in rules for allowing traffic from LAN to MGMT (using both "in" and "out") on the MGMT interface, but I still can't ping or access any hosts.

Or is this a routing issue?  I was under the impression that OPNsense automatically knew routing between its own interfaces.

Might anyone be able to point me to something up to date on managing inter-VLAN traffic?  I've looked at a few blogs and such, but they seem to be for much older versions and the interface and rule management have changed over time.

Thanks!

6
20.1 Legacy Series / Firewall rule guidance
« on: April 24, 2020, 06:21:07 pm »
I have three VLANs configured, connecting to three interfaces on my OPNsense, and I'm trying to isolate one of them so that no traffic comes in or out, and hosts can only get DNS from OPNsense and talk to each other.  No access to or from other VLANs or the Internet at large.  We'll call them A, B and C.  I'd like to isolate C.

I configured a firewall rule as follows:

Interface: C
Direction: In
Protocol: Any
Source: Any
Destination: C net
Destination port range: Any

But I was still able to access web services on the hosts at IP addresses in that subnet from my primary VLAN.

Any guidance is appreciated.

7
19.7 Legacy Series / "Forwarding" a port directly to OPNsense
« on: September 06, 2019, 01:55:14 am »
I am trying to get a reverse proxy running on OPNsense, but I need to point 80 and 443 on the WAN interface to it.  I currently have two WAN firewall rules that are simply Source: WAN IP and Destination: This Firewall for port ranges HTTP and HTTPS.

I just get timeouts when I attempt to connect from outside my home network.

Any help would be appreciated.

8
19.7 Legacy Series / Config file questions
« on: September 01, 2019, 07:18:17 pm »
I was following the tutorial for getting Caddy up and running, but at one point, the writer mentions adding a line to the /etc/rc.conf file.  I'm not sure about the previous version, but my recently updated 19.7 install doesn't have this file.  Where would that be?

Also, if I'm running a reverse proxy directly on my OPNsense box, what would the firewall rules for 80 and 443 look like?  I've done port forwarding to other hosts, but never opened a port for my router itself.  Localhost?  The LAN IP?

Any guidance is appreciated.

9
19.1 Legacy Series / WAN speed issue - 19.1 on XCP 7.5
« on: February 11, 2019, 10:47:26 pm »
I am experiencing a WAN speed issue that I'm hoping someone more knowledgeable than I can help diagnose.

I'm running OPNsense 19.1 in a VM on XCP 7.5 over AT&T gigabit fiber, which means I have the required AT&T box (required, as it acts as the filter for unsubscribed services on the same line) set for "passthrough" to have the router VM get the public IP.  That part works fine, and my two port forwards work.  The hypervisor host physical interface is connected to a switch, in a three-port VLAN, to allow the OPNsense VM to be migrated to another host without downtime.  However, I have taken the switch out of the equation for testing, with no change.

If I run an iperf test between LAN clients and the router, I get the expected line speed of ~1000Mb/s.  If I run the speed test that is built into the AT&T box, I get the expected ~900Mb/s both up and down.  If I run an iperf test from the router to a public iperf server, or run a generic web-based speed test from a LAN client, it gets ~40Mb/s down and 100Mb/s up.  Something between the router and the AT&T box is bogging down, but I don't know how to diagnose that segment.

When I first got my AT&T connection, the full speed was available, but I don't remember if the slowdown coincided with an upgrade on the OPNsense or the XCP.

My physical link LED says the link is 1000Mb/s.  I've disabled offload and set the NIC type in the router VM to e1000 instead of the RTL819 that is default, based on googling.  I've got the xen-tools plugin loaded and XCPCenter confirms the use of the paravirtualized drivers.  I don't know for sure what the link speed is for the virtual interface, as ifconfig in OPNsense only says "ethernet manual" for media, and there's no ethtool that might otherwise tell me.

Anyone have an idea what my issue might be and how I might go about diagnosing and resolving the issue?  Any help would be greatly appreciated.

10
19.1 Legacy Series / 19.1 Prod upgrade in Xen VM w/ AT&T fiber - WAN IP conflict
« on: February 01, 2019, 09:34:42 pm »
I upgraded from 18.7 to 19.1, and now I am getting this in the logs:

Feb 1 14:26:00   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:59   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:58   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:55   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:54   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!

With AT&T fiber, the router provided by them is required, as it does some sort of authentication and acts as the filter for TV signals over the fiber.  However, it can be configured for a "passthrough" for a host behind it to receive the public IP.  That MAC address is the AT&T box and the IP is the public IP address.  It was fine under 18.7 but now the network is pretty slow, I'm guessing due to the conflict.

The only thing I've changed is the upgrade.

Any ideas would be appreciated.
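The repeated kernel ARP messages above are what a log watcher would key on when looking for an address conflict on the WAN side. As an added example (not from the post or from OPNsense itself), this parses lines in that format and flags a (MAC, IP, interface) triple that keeps reporting within a short window; the sample log, the year and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the post's message format; MAC, IP and interface values are made up.
SAMPLE_LOG = """\
Feb 1 14:25:54   kernel: arp: 02:00:00:aa:bb:cc is using my IP address 203.0.113.10 on xn3!
Feb 1 14:25:55   kernel: arp: 02:00:00:aa:bb:cc is using my IP address 203.0.113.10 on xn3!
Feb 1 14:25:58   kernel: arp: 02:00:00:aa:bb:cc is using my IP address 203.0.113.10 on xn3!
Feb 1 14:25:59   kernel: arp: 02:00:00:aa:bb:cc is using my IP address 203.0.113.10 on xn3!
Feb 1 14:26:00   kernel: arp: 02:00:00:aa:bb:cc is using my IP address 203.0.113.10 on xn3!
Feb 1 09:00:00   kernel: arp: 02:00:00:dd:ee:ff is using my IP address 203.0.113.10 on xn3!
Feb 1 14:26:01   kernel: xn3: link state changed to UP
"""

# FreeBSD kernel ARP conflict message, in the shape quoted in the post.
ARP_CONFLICT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+kernel: arp: "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) is using my IP address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on (?P<ifname>\w+)!$"
)

def parse_conflicts(lines, year=2019):
    """Return (timestamp, mac, ip, ifname) tuples for each ARP conflict line.
    Syslog lines carry no year, so the caller supplies it (assumed 2019 here)."""
    events = []
    for line in lines:
        m = ARP_CONFLICT_RE.match(line.strip())
        if not m:
            continue  # unrelated kernel message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["mac"].lower(), m["ip"], m["ifname"]))
    return events

def conflict_summary(events, window_seconds=60, min_events=3):
    """Group conflicts by (mac, ip, ifname); flag a group as a sustained conflict
    when at least min_events fall within window_seconds (a lone duplicate is ignored)."""
    groups = defaultdict(list)
    for ts, mac, ip, ifname in events:
        groups[(mac, ip, ifname)].append(ts)
    alerts = {}
    for key, stamps in groups.items():
        stamps.sort()
        if len(stamps) >= min_events and (stamps[-1] - stamps[0]).total_seconds() <= window_seconds:
            alerts[key] = len(stamps)
    return alerts

def analyze(log_text, year=2019):
    """Parse a syslog excerpt and return the sustained-conflict alerts keyed by (mac, ip, ifname)."""
    return conflict_summary(parse_conflicts(log_text.splitlines(), year))
```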

11
18.7 Legacy Series / Port forwarding rule not working?
« on: December 14, 2018, 02:44:57 am »
I'm on OPNsense 18.7.8, and I have a port forward rule that doesn't seem to work, and I'm not sure why.

Interface  Proto    Source  Src ports  Destination  Dest ports  NAT IP         NAT ports
WAN        TCP/UDP  *       *          WAN address  2400        192.168.1.200  2400       <-- Works fine
WAN        TCP      *       *          WAN address  2222        192.168.1.100  2222       <-- Connection timeout

The service on 192.168.1.100:2222 responds fine if I'm on the LAN.  And it is definitely TCP-only, as it is an SSH-based service.  I have tried changing it to TCP/UDP, but it made no difference.

The port forward that works fine is used for an automated system with a remote client, so I have no way to manually confirm that it is working, I just have to take the reports' word for it.  Which is "Yes, the service is accessible."

I don't know exactly what to look for in the logs.  If someone could give me a clue on that one, I can go poke around in there and see if maybe the firewall is acting like this rule doesn't exist or something.

Any suggestions?

Thanks!

12
18.7 Legacy Series / OPNsense 18.7.8 in VM on XCP-ng 7.5.1 ... slow throughput
« on: November 30, 2018, 07:16:26 pm »
I am having issues with slow speed on my WAN interface.  I have gigabit fiber, but my DL is only 50Mbit, with ~100Mbit upload.  If I run iperf between a LAN PC and the OPNsense LAN interface, I get my 1Gb.  If I run iperf from a machine directly connected to the "modem" to a public iperf server, I get pretty close to my 1Gb.  If I run iperf from my OPNsense to a public iperf server, I get 50Mbit down, 120Mbit up.

I've googled a bunch, and made sure all the offloads are disabled, IPS/IDS are disabled.  But I am not all that deep into actual system administration to know how to achieve the next bit, which seems to be to force my NICs away from the xn* to en1000 drivers.

How would I go about doing that?  Any help is appreciated.

13
18.1 Legacy Series / Multiple NICs and routing and such
« on: March 08, 2018, 11:00:58 pm »
I have a couple of VM hosts with multiple NICs - 1GbE (LAN) and 10GbE (NFS/CIFS storage) - and the VM guests have virtual NICs coinciding with each network.  On the switch, these connections are isolated in their own VLANs, with OPNsense having interfaces coinciding with each VLAN.

How do I go about forcing the hosts (both hypervisor and guest) to use their 1GbE LAN connections instead of their 10GbE connections for getting out into the world?  Firewall rule?  Remove any gateways?  I'd like their 10GbE data network to be almost isolated.  I'd like to get to it from my LAN connected workstation for reasons, but they should really only see each other.

I'm not super familiar with all the full ins and outs of IP networks as far as routing and subnets go.

Thanks for any help you can provide.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved