Topics - bunchofreeds

#1
Hi,

Any thoughts on adding a 'Block' button next to the 'Add Static Mapping' and 'Delete' buttons in the DHCP lease section?

For when my kids piss me off and I want to quickly block their access for a specific MAC at that time.
And then an unblock for after they apologise.

lol

I'm sure it would have other uses...
#2
General Discussion / Unbound and DNS Round Robin
March 03, 2024, 08:16:52 PM
Hi,

Does anyone know if it's possible to have a simple failover using unbound and round robin DNS?
Also configurable within OPNsense?

From the unbound documentation it seems possible... assuming I'm reading this right...

https://nlnetlabs.nl/documentation/unbound/unbound.conf/
       rrset-roundrobin: <yes or no>
              If yes, Unbound rotates RRSet order in response (the random num-
              ber  is  taken  from the query ID, for speed and thread safety).
              Default is yes.

Just not sure how to implement or if it would actually work?

My requirement is a simple failover of a web GUI presented by Proxmox hosts.
Currently, each host presents the GUI and allows access to the cluster underneath. I can browse to each host directly and have this experience.
When a host restarts for maintenance etc. perhaps DNS Round Robin would resolve to another host.

I do currently use HAproxy for this so understand this approach, however I'm looking to remove the proxy entirely as I have moved to Cloudflared tunnels for my other services.
But not for this last simple failover scenario with Proxmox.

This is not production and just my home lab. But I still strive for 'good' :)
#3
Hi all,

I currently proxy through Cloudflare (strict/full) then to HAproxy (OPNsense plugin) then to a local instance of Home Assistant.

I'd like to keep the Client IP intact so I can see in Home Assistant what originating Client IP connected.
Currently I see the Cloudflare IP which is not 'ideal' for me :)

From reading I see that Cloudflare, being the first Proxy in my chain, DOES pass on the Client IP but not using the usual X-Forwarded-For but instead within the http header as CF-Connecting-IP
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

This means my HAproxy cannot pass this on to Home Assistant through X-Forwarded-For currently.

From further reading, I see I could 'possibly' configure my HAproxy to pick up the CF-Connecting-IP and add it to X-Forwarded-For when a Cloudflare IP address is seen:
https://github.com/haproxy/haproxy/issues/90#issuecomment-718286982

Can anyone help me with how I can apply this configuration to my OPNsense/HAProxy?

Thanks for any help with this

Furthermore, I have X-Forwarded-For disabled in HAProxy for my Public Service as I've read this should only be added once at the first proxy; all other proxies in the chain should add their respective IPs to this header as they are passed. Enabling this also breaks Home Assistant for me, complaining it sees two when there should only be one.

Also... :) I have aliases for Cloudflare IP ranges which would be good to use for this if possible, to replace what is in the linked script... 
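As an added example (not part of bunchofreeds' post and not the config the OPNsense plugin generates), this is the raw haproxy.cfg equivalent of the approach described above, with the Cloudflare ranges kept in a local list file so CF-Connecting-IP is only believed when the connection really comes from Cloudflare; the frontend/backend names, certificate path and list-file path are assumptions:

```haproxy
# Added example, not from the original post or the OPNsense plugin.
# Assumptions: cloudflare_ips.lst holds Cloudflare's IPv4/IPv6 ranges, one
# CIDR per line; home_assistant is the backend for the local HA instance.
frontend public_https
    bind :443 ssl crt /usr/local/etc/haproxy/origin.pem

    # True only for connections that actually arrive from Cloudflare's edge.
    acl from_cloudflare src -f /usr/local/etc/haproxy/cloudflare_ips.lst

    # CF-Connecting-IP from anything other than Cloudflare is untrusted client
    # input, so strip it before it can be copied into X-Forwarded-For.
    http-request del-header CF-Connecting-IP unless from_cloudflare

    # Cloudflare traffic: copy the real visitor address into the header Home
    # Assistant already trusts. set-header replaces any existing value, so HA
    # sees exactly one address instead of the "two" that option forwardfor
    # appending to a client-supplied header would produce.
    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cloudflare

    # Direct hits (no Cloudflare in front): the TCP peer is the client.
    http-request set-header X-Forwarded-For %[src] unless from_cloudflare

    default_backend home_assistant
```

In the OPNsense plugin the same logic is expressed through Rules & Checks (a condition on the source address plus header-set rules attached to the Public Service) rather than by editing haproxy.conf by hand, and Home Assistant's trusted_proxies should list only the HAProxy address so it never trusts X-Forwarded-For from anywhere else.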

#4
Hello,

I am seeing these errors in my haproxy.conf file and wondering if it's related to an issue I'm having with haproxy.
They're within the #logging options section of one of my Front Ends.

   # ERROR: ACL data not found (3b074c79-c094-4ee9-ba9e-5f5axxxxb2f2)
   # ACL INVALID:  (3b074c79-c094-4ee9-ba9e-5f5axxxxb2f2)

Firstly, I'm not even sure they're real errors as they are commented out in the conf file??

I have three sites I host for personal use:
Proxmox Cluster - Internal only
Apache Guacamole - External
Home Assistant - External

I access the External sites via Cloudflare proxy using their Strict Full and Origin cert applied to haproxy.
There is a single Public Service for these sites that uses the Cloudflare origin certificate.

I access the internal site directly via a VIP associated to haproxy.
There is a second public service for this site that OPNsense uses letsencrypt to obtain a cert for.

This setup works great but after each restart of OPNsense, the haproxy service fails to start.
It's related to the Cloudflare public service.
I have to log into Cloudflare and disable the DNS proxy for each CNAME associated to these sites.
Then wait a minute or two and restart the haproxy service.
Then enable the Cloudflare proxy for these CNAMEs again.

Once done everything works great, but is annoying :)

Thanks for any advice on this.

#5
Hi all,

I've recently been updating my HAproxy setup to use Cloudflare Proxy then onto my local HAproxy for distribution into my home network.

I've noticed the Services>HAproxy>Maintenance>SSL Certificates GUI is empty and pretty sure this has always been empty. Saying 'No Results Found!'

Is this supposed to sync with System>Trust>Certificates and show alignment with what certs are used in HAproxy?

Just wondering why it's empty and if it should be empty?

My HAproxy setup is working correctly, with a set of URLs being available externally via Cloudflare using my Cloudflare origin cert and a set being available internally using Let's Encrypt certs.

Thanks
#6
Hi,

Is it possible to update an OPNsense Firewall Alias that holds all Cloudflare IP addresses using their API?

https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/
https://www.cloudflare.com/ips/
https://developers.cloudflare.com/api/#cloudflare-ips-properties

Thanks for any help with this

#7
Hi,
Looking forward to updating to the next release 23.7 and thought I'd try os-ddclient again in preparation.

Seems I'm struggling again getting it to work with a Cloudflare API token.

Is anyone able to get this to work and perhaps provide a detailed config to get it running?
I'm trying to update two names using two separate API keys.
I'd prefer not to have to use the Global API key for this.

#8
Hi,

I have Home Assistant running behind HAproxy on OPNsense successfully.

My issue is that on the first browse to Home Assistant (opening Home Assistant in a new browser session), it seems to complete one refresh after about 30 seconds. This returns you to the login screen.
After this it is fine and keeps you logged in.
Opening another tab and logging into Home Assistant after this does not cause the refresh.

The android app works fine.

I've read a bit about possible timeouts and entering extended times into HAproxy.
OPNsense/HAproxy has a web GUI and I'm not sure where to enter these options as the GUI does not seem to match what would be put into HAproxy config.

Home Assistant configuration.yaml has 'use_x_forwarded_for: true' and my OPNsense as trusted.

Has anyone encountered this or have any ideas how to resolve it?
#9
22.7 Legacy Series / System Log WAN errors on boot
August 04, 2022, 06:22:04 AM
Hi,

I'm seeing this set of errors in the System>General logs on a reboot.
My connectivity seems fine, however.

Just wondering what they are about, as I hate seeing errors.
I've recently applied some fixes regarding a WAN DHCP lease renewal issue, but pretty sure these were showing before that.

2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.routing_configure: The WAN_DHCP monitor address is empty, skipping.
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.routing_configure: ROUTING: keeping current default gateway '100.100.100.1'
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.routing_configure: ROUTING: setting IPv4 default route to 100.100.100.1
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.routing_configure: ROUTING: IPv4 default gateway set to wan
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.routing_configure: ROUTING: entering configure using defaults
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: The WAN_DHCP monitor address is empty, skipping.
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '100.100.100.1'
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 100.100.100.1
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 100.100.100.100) (interface: WAN[wan]) (real interface: vtnet1).
2022-08-04T15:35:30 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'vtnet1'
2022-08-04T15:35:23 Error opnsense /usr/local/etc/rc.newwanip: IP renewal deferred during boot on 'vtnet1'
#10
Hi,

Firstly I've just noticed this now in the System>Logs>General and not sure if this is new to 22.7.
I am seeing this error every two and a half minutes.
It's not causing any noticeable issue to connectivity.
I'm on OPNsense 22.7_4-amd64 running as a Proxmox VM.
I've hidden my real WAN IP address.

Anyone else seeing this or know how to resolve it?

2022-08-01T09:07:33   Notice   opnsense   plugins_configure hosts (execute task : unbound_hosts_generate())   
2022-08-01T09:07:33   Notice   opnsense   plugins_configure hosts (execute task : dnsmasq_hosts_generate())   
2022-08-01T09:07:33   Notice   opnsense   plugins_configure hosts ()   
2022-08-01T09:07:33   Error   opnsense   /usr/local/etc/rc.newwanip: On (IP address: 100.100.100.100) (interface: WAN[wan]) (real interface: vtnet1).   
2022-08-01T09:07:33   Error   opnsense   /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'vtnet1'   
2022-08-01T09:07:33   Notice   dhclient   Creating resolv.conf   
2022-08-01T09:05:04   Notice   opnsense   plugins_configure hosts (execute task : unbound_hosts_generate())   
2022-08-01T09:05:04   Notice   opnsense   plugins_configure hosts (execute task : dnsmasq_hosts_generate())   
2022-08-01T09:05:04   Notice   opnsense   plugins_configure hosts ()   
2022-08-01T09:05:04   Error   opnsense   /usr/local/etc/rc.newwanip: On (IP address: 100.100.100.100) (interface: WAN[wan]) (real interface: vtnet1).   
2022-08-01T09:05:04   Error   opnsense   /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'vtnet1'   
2022-08-01T09:05:03   Notice   dhclient   Creating resolv.conf   
2022-08-01T09:02:33   Notice   opnsense   plugins_configure hosts (execute task : unbound_hosts_generate())   
2022-08-01T09:02:33   Notice   opnsense   plugins_configure hosts (execute task : dnsmasq_hosts_generate())   
2022-08-01T09:02:33   Notice   opnsense   plugins_configure hosts ()   
2022-08-01T09:02:33   Error   opnsense   /usr/local/etc/rc.newwanip: On (IP address: 100.100.100.100) (interface: WAN[wan]) (real interface: vtnet1).   
2022-08-01T09:02:33   Error   opnsense   /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'vtnet1'   
2022-08-01T09:02:33   Notice   dhclient   Creating resolv.conf
#11
I'm looking in Reporting > Insight and can't find out how to isolate what specific device used a large lump of data in a 10 minute period a day ago.
Is it possible to set a smaller time window within the 'Details' TAB, like an hour on a certain day to show usage results rather than a whole day? Then I would be able to isolate the device more easily.
#12
Hi,

What will the experience be like after an upgrade from 22.1 to 22.7 if I am currently using the legacy DynDNS plugin?
If I need to, will I be able to complete an in-place upgrade and still keep running the legacy plugin for the time being as os-ddclient is progressed?

Thanks
#13
General Discussion / Remove NTOPNG
February 28, 2022, 02:15:04 AM
Hi,

I'd like to completely remove ntopng beyond removing the plugin and redis.

Can anyone help with what files/folders/logs I can safely remove from the system to recover any space it consumed?

Thanks for any help with this
#14
Hi,

Is version 22.x of OPNsense being built on FreeBSD 13 now instead of HardenedBSD?

I ran up a test OPNsense and set it to development, but the updated version still said HardenedBSD in the dashboard.

Thanks
#15
Hardware and Performance / Intel x710 and PPPoE
November 15, 2021, 12:29:46 AM
Hi,

Does anyone know if the Intel x710 Network cards are good for hardware accelerating a WAN PPPoE type connection with OPNsense?

https://www.intel.com/content/www/us/en/developer/articles/technical/dynamic-device-personalization-for-intel-ethernet-700-series.html

Thanks
#16
Hi,

Is anyone able to confirm if Receive Packet Steering would allow a PPPoE connection to be distributed across multiple CPUs and therefore increase the performance of this type of connection in a multi-CPU deployment?
https://forum.opnsense.org/index.php?topic=24409.msg121444#msg121444

This is a feature available in Linux but is not currently in FreeBSD:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps

There is a FreeBSD version, but it was created in 2011 during Google's Summer of Code I think:
https://github.com/gokzy/freebsd-rps/wiki/Receive-Packet-Steering-on-FreeBSD
#17
Hi,

If I have Reporting>Traffic open and displaying the realtime traffic graph in a browser, a speedtest.net from a device behind OPNsense reports about half of my Gigabit connection. I have a 900/400 plan.

Is anyone else seeing this?

My instance is virtual on Proxmox
Connection to WAN is PPPoE with VLAN 10 tagged on the proxmox virtio device

With Reporting>Traffic open
    Latency:     1.45 ms   (0.06 ms jitter)
   Download:   429.59 Mbps (data used: 691.8 MB)
     Upload:   164.40 Mbps (data used: 294.3 MB)
Packet Loss:     0.0%

Without Reporting>Traffic open
    Latency:     1.22 ms   (0.15 ms jitter)
   Download:   918.34 Mbps (data used: 800.9 MB)
     Upload:   497.61 Mbps (data used: 263.9 MB)
Packet Loss:     0.0%
#18
Hi all,

I'm after some help with achieving the following goals:

-Near Gigabit throughput WAN>LAN
-OPNsense as a Proxmox Guest
-Running using virtio adapters for live migration
-Ideally running IPS and NTOPNG

This is for a home setup to sit in front of a home LAN with loads of IoT and some general IT lab work.
It's a real budget setup and I don't want to go too crazy on upgrades.

Hardware I have is:

2x
HP desktop 8300 SFF
Intel i7-3770
32GB RAM
Onboard Intel Gig Nic
Intel 82576EB dual port Gig Nic

48 port managed Gigabit switch

900/400 WAN via PPPoE on VLAN 10

I want to run OPNsense virtual on Proxmox as I'd like to be able to live migrate this when doing any work on the host. I have had this running in the past successfully but only had 100/20 WAN at that time.
The most I could get through this setup then was ~600Mbit. This was after trying most everything including tunables.

Can anyone help with where the bottleneck is with not being able to reach near Gigabit?
I have an old Linksys router running Tomato firmware that can reach 900+ Mbps so the possibility exists.
Would upgrading to 10Gbe adapters (e.g. Intel x540-T2) give me the head room or is the limit somewhere else, maybe the CPU?

Thanks for any helpful advice
#19
General Discussion / IPv6 Questions
August 17, 2021, 01:33:00 AM
Hi all,

I recently moved ISP and am now behind CGNAT for IPv4. There were other benefits :)
Rather than obtaining a static IPv4, I thought I'd investigate IPv6 as provided by my new ISP.

I've got what I believe to be a working WAN and LAN setup for IPv6 although have not received any info from the ISP about how to do this...

WAN
DHCPv6 through the same PPPoE connection as IPv4
Request only an IPv6 prefix
Use IPv4 connectivity
Has an IPv6 delegated prefix /56, Gateway and Link local addresses

LAN
Track WAN Interface
IPv6 Prefix ID of 0
Has obtained an IPv6 AND Link local addresses

My devices are obtaining both link-local and IPv6 addresses

I'm a bit stuck now with my understanding of IPv6 and how to proceed with OPNsense.
My goal is to be able to connect back to IPv6 devices on my network from external.

Because I'm on DHCPv6, my ISP can give me a new IPv6 at any time.
I've been able to use Dynamic DNS with Cloudflarev6 to send the updated IP to their DNS, but this is the LAN address and not the address of the host behind the router.

Does anyone know if it's possible to update a remote DNS using the host IPv6 address from unbound, then also create associated firewall rules to match?
This is so I can connect back into these devices from outside reliably after an IP change.

Also, do I only need to create a WAN firewall rule, allowing for example port 443 to the destination device's IPv6 address? Or do I also need to create a LAN rule?

Thanks for any help with this
#20
Hi,

What's the best way to configure a Private Domain 'plex.direct' within unbound in 21.7.1?

It used to be done using custom options.

I've found Services>Unbound DNS>Blocklist>Private Domains but need help as this does not work on its own it seems.

Do I need to 'enable the use of DNS Blocklists' and also choose a DNSBL?
If so, which one??

Thanks for any help with this.