Messages - marcelmah

#16
Hi,

I'm trying to get the highest score in the SSL test: https://www.ssllabs.com/ssltest/index.html
I have it at an A status and everything is green except this:
Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128

I Googled for solutions, and I found multiple requests and even a pull request on GitHub but no working solution. Can this be accomplished?

https://forum.opnsense.org/index.php?topic=19230.msg88253
https://forum.opnsense.org/index.php?topic=17151.msg86631
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
https://forum.opnsense.org/index.php?topic=15701.msg71853
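Added example (not from the post or the OPNsense project): a small Python script that parses rows pasted from the SSL Labs cipher-suite table, flags the CBC-mode suites the report marks WEAK, and emits an OpenSSL-style cipher string containing only the remaining forward-secret suites. The fourth sample row and the IANA-to-OpenSSL name converter are assumptions of the example; the converter only covers ECDHE_RSA AES/CAMELLIA names of the kind shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three WEAK rows quoted from the SSL Labs report in the
# post above, plus one GCM row (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) added here so the
# script has a suite to keep. Rows are pasted as they appear on the report page.
SSLLABS_ROWS = """\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
"""


@dataclass
class Suite:
    iana: str          # IANA suite name as printed by SSL Labs
    code: int          # numeric suite id, e.g. 0xc028
    kx: str            # key-exchange column
    forward_secrecy: bool
    weak: bool         # SSL Labs "WEAK" marker present
    bits: int          # symmetric key size column


ROW_RE = re.compile(r"^(TLS_\S+) \((0x[0-9a-fA-F]{4})\)\s+(.*)$")


def parse_rows(text):
    """Parse SSL Labs cipher-suite rows; columns are separated by runs of spaces."""
    suites = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rest = re.split(r"\s{2,}", m.group(3))
        bits = int(rest.pop())  # last column is the symmetric key size
        suites.append(Suite(
            iana=m.group(1),
            code=int(m.group(2), 16),
            kx=rest[0],
            forward_secrecy="FS" in rest[1:],
            weak="WEAK" in rest[1:],
            bits=bits,
        ))
    return suites


def is_cbc(suite):
    # CBC-mode suites are the ones flagged WEAK in the report; AEAD (GCM) suites are not.
    return "_CBC_" in suite.iana


def to_openssl_name(iana):
    # Assumed converter, valid for the ECDHE_RSA AES/CAMELLIA suites on the page:
    # drop "TLS_" and "_WITH_", drop the "CBC" token, glue key size to the cipher name.
    kx_auth, _, bulk = iana[len("TLS_"):].partition("_WITH_")
    tokens = [t for t in bulk.split("_") if t != "CBC"]
    cipher, size, *rest = tokens
    return "-".join(kx_auth.split("_") + [cipher + size] + rest)


def weak_suites(suites):
    """Names of suites to drop: anything marked WEAK or using CBC mode."""
    return [s.iana for s in suites if s.weak or is_cbc(s)]


def hardened_cipher_list(suites):
    """OpenSSL-style cipher string keeping only forward-secret, non-CBC suites."""
    keep = [s for s in suites if s.forward_secrecy and not s.weak and not is_cbc(s)]
    return ":".join(to_openssl_name(s.iana) for s in keep)


if __name__ == "__main__":
    parsed = parse_rows(SSLLABS_ROWS)
    for name in weak_suites(parsed):
        print("drop:", name)
    print("cipher list:", hardened_cipher_list(parsed))
```

Paste the full table from a report into SSLLABS_ROWS to get the cipher string for the whole server; the resulting string is what goes into the web server's cipher-list setting, whichever server fronts the GUI.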
#17
21.7 Legacy Series / IPv6 all static in DC
October 15, 2021, 04:55:42 PM
Hi,

I have OPNsense 21.7.3_3 running on a XCP-ng host as a VM.
We have several IPv4 ranges and one IPv6 range.

IPv4 works as expected, I'm having trouble getting IPv6 working.

Our DC gave us this information (I changed some letters!):
Prefix: 2a00:xxx:13x::/48
Subnet: 48
Router 1: 2a00:xxx:13x::1 (don't use as a gateway)
Router 2: 2a00:xxx:13x::2 (don't use as a gateway)
Gateway: 2a00:xxx:13x::3

Start Range: 2a00:xxx:13x:0:0:0:0:4
End Range: 2a00:xxx:13x:ffff:ffff:ffff:ffff:ffff

I created a single gateway with address: 2a00:xxx:13x::3
I gave my WAN address 2a00:xxx:13x::5 /48 (4 is in use on another Linux VM)
I gave my LAN address 2a00:xxx:13x::6 /48
I gave a Windows VM behind the OPNsense 2a00:xxx:13x::7 /48

If I ping from OPNsense to Google IPv6 DNS I get a response when I use the WAN as a source.
When I use the LAN as the source, no dice.

Windows VM also has no Internet connection using IPv6.

What am I doing wrong here? And yes, I'm pretty new to the IPv6 game. I have it running at home, also in OPNsense, but my ISP provides a DHCPv6 address.

Kind regards,

Marcel
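Added example (not from the post): a Python check of the address plan described above, using only the standard library ipaddress module. The real prefix is redacted in the post, so the documentation prefix 2001:db8:13::/48 stands in for it; the host parts (::3 gateway, ::5 WAN, ::6 LAN, ::7 Windows VM, all /48) follow the post. The script reports, per interface, whether its address lies inside the allocation and whether the gateway is on-link, lists which interfaces end up on overlapping connected networks, and shows how /64 subnets can be carved out of the /48.

```python
import ipaddress

# Constructed stand-in for the redacted allocation in the post: the real prefix is
# 2a00:xxx:13x::/48, replaced here by the documentation prefix 2001:db8:13::/48.
PREFIX = ipaddress.IPv6Network("2001:db8:13::/48")
GATEWAY = ipaddress.IPv6Address("2001:db8:13::3")
INTERFACES = {
    "WAN": ipaddress.IPv6Interface("2001:db8:13::5/48"),
    "LAN": ipaddress.IPv6Interface("2001:db8:13::6/48"),
    "Windows VM": ipaddress.IPv6Interface("2001:db8:13::7/48"),
}


def address_plan_report(interfaces, gateway, prefix):
    """Per interface: is the address inside the allocation, is the gateway on-link,
    and which connected network the interface believes it sits on."""
    report = {}
    for name, iface in interfaces.items():
        report[name] = {
            "in_allocation": iface.ip in prefix,
            "gateway_on_link": gateway in iface.network,
            "network": str(iface.network),
        }
    return report


def overlapping_interfaces(interfaces):
    """Pairs of interface names whose connected networks overlap; a router normally
    wants each of its interfaces on a distinct subnet."""
    names = list(interfaces)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                pairs.append((a, b))
    return pairs


def split_prefix(prefix, new_prefixlen, count):
    """First `count` subnets of /new_prefixlen inside the allocation, e.g. one /64 per segment."""
    gen = prefix.subnets(new_prefix=new_prefixlen)
    return [next(gen) for _ in range(count)]


if __name__ == "__main__":
    for name, info in address_plan_report(INTERFACES, GATEWAY, PREFIX).items():
        print(f"{name:11s} {info}")
    print("overlapping:", overlapping_interfaces(INTERFACES))
    print("first /64s:", [str(n) for n in split_prefix(PREFIX, 64, 3)])
```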
#18
Zenarmor (Sensei) / Re: Sensei and Wireguard clients
August 16, 2021, 10:35:49 AM
Quote from: athurdent on August 16, 2021, 06:23:53 AM
Are you using a custom policy to filter, or the default one? In case of a custom policy, it might be necessary to add the wg0 interface there.
When I did the test I disabled the custom policy, so only the default one was active.
I disconnected my phone from WireGuard, disabled WiFi and enabled hotspot
I used my laptop to test the blocked site (was blocked).
I then disconnected from my WiFi and connected to my mobile hotspot
I could now browse the blocked website (this is as expected).
I then connected to one of my daughters' WireGuard profiles, but was still able to browse to the websites that should have been blocked. The profile was working, as I had my fixed-line WAN IP address and I could browse local LAN devices.
#19
Zenarmor (Sensei) / Re: Sensei and Wireguard clients
August 16, 2021, 12:18:14 AM
Quote from: beki on August 13, 2021, 05:21:00 PM
Hi marcelmah,

Can you try with tcpdump when Sensei is active? If there is no packet with tcpdump as well, then take the bypass Sensei Packet Engine (Status - Services - Packet Engine - Enter Bypass Mode) and run tcpdump again.

tcpdump -s0 -ni wg0 -vvv
Hi, when I enter this command on my OPNsense shell it shows a lot of traffic.
No filtering happens though... When I'm connected on my LAN I can no longer visit the sites I've blocked.
#20
Zenarmor (Sensei) / Sensei and Wireguard clients
August 13, 2021, 03:38:18 PM
Hi,

I'm using Sensei (premium home edition) to protect my daughters from certain sites.
I also want them protected when they use their tablets on someone else's WiFi.
So I created WireGuard profiles for all devices.

WireGuard works fine, but no filtering happens...

I'm running OPNsense 21.1.9_1-amd64.

I read that it wasn't possible at first, but this was months ago and SV was funding netmap to get it to work.
I can and I have selected my wg0 interface as one of the protected interfaces.

Can this work now? If not, is it being developed? Can we track progress? If it's possible, what am I doing wrong?
#21
I reinstalled Sensei, same configuration, all seems fine now...
#22
Alright, so maybe it's not Sensei...

I disabled Sensei, problem did not go away.
I uninstalled Sensei, problem did not go away.
I rebooted OPNsense, problem did not go away.
I rebooted my cable modem and initial 'reports' show the problems are gone.

Will monitor, and if it stays fixed I will reinstall Sensei and see if the problem returns.
#23
Hi,

I want to block certain content for my children (porn, phishing etc) and wife (phishing etc).
I installed Sensei and got a home subscription as I require more than one policy.

I just noticed (I wasn't at home a lot the last couple of days) that my Internet hangs a lot since installing Sensei.
Sometimes it's a short hiccup, sometimes it's long enough to disconnect an RDP session. It happens a lot, sometimes multiple times a minute, and then a couple of minutes with no problem at all.

I'm running OPNsense 21.1.9_1-amd64 on VMware ESXi 7 with 8 2.4 GHz cores and 16 GB of memory.

I tried switching to L3 mode with generic drivers, but everything gets really really slow and switching to bypass mode does not help either. OPNsense shows em interfaces.

Any thoughts?
#26
If you use the commercial source for the updates you will lag behind on the updates; this saves the business users from the lighttpd and Unbound issues that recently popped up :)
#27
Hi,

I created a screencap of an OPNsense 20.1 VM with more than 4 NICs and one of OPNsense 20.7 with 4 NICs running.

I then add a NIC and reboot the VM; it then ends up in a kernel panic. If I force shutdown the VM and remove the 5th NIC all is fine again (after some automatic filesystem fixes at next boot).

You can view the video on YouTube:
https://www.youtube.com/watch?v=qh6KTYLYya8

Upgrading from the 20.1 to 20.7 ends up in the kernel panic.

I hope someone can identify (and fix) the problem.
I assume it has to do with the XN drivers for the network interfaces, where the need for more than 4 NICs comes from the lack of VLAN support. In this case I can't use option 2 for VLANs because I don't have any free network ports (you can't use the management NIC).

This also happens without the plugin os-xen, no difference.

Oh please note the IP ranges you see 130.62.x.x are internal ranges even though they're officially not... don't ask.
#28
20.7 Legacy Series / Re: unbound-plus missing plugin
December 14, 2020, 10:14:59 PM
Quote from: lenny on December 14, 2020, 01:43:39 PM
How can I purge the missing plugin from the list?
+1 on that one
#29
I have the same, but only when I add more than 5 networks (so it works fine with only 4 networks).
Because of how Xen (we use XCP-ng) works with VLANs we require 7 networks.
#30
Quote from: chemlud on December 10, 2020, 07:37:01 PM
Quote: The mail backup plugin is currently not available pending a response from the maintainer. Users are advised to avoid using it for the moment.

https://forum.opnsense.org/index.php?topic=20389.msg70368

From your perspective, would it make sense to discuss unresolved security issues in public?
That depends on the security issue. You can tell a bit more about the issue without telling the details I would guess.

Now I don't know if I have to actively remove the plugin from all devices or maybe it's a risk I'm willing to take...