Messages

391

19.1 Legacy Series / Re: Many virtual terminals (tty) in 19.1.6

« on: April 20, 2019, 11:15:21 pm »

Right, since I set a pretty complex password, I unlocked console during setup. My other already installed senses are locked. Does unlocking start more than one terminal?I

I just use

Code: [Select]

# w
Will lock console on Tuesday and check.

Update
It is the unlock terminal option. Without password on console, seven additional virtual terminals are spawned. Reapply password returns to just one physical console.

392

General Discussion / Re: Sensei requires at least 4GB of physical memory! Installer will exit now.

« on: April 19, 2019, 07:48:46 am »

Oh Damn.  Thank you so much for your help.

Can I just backup and download the settings and import them to a new VM with 64bit build?

Any issues on going from 18.7 to 19.1 and upgrade at the same time?

Should both be possible.

• export config
• install 19.1.
• import config

If you install over your 32 bit installation, it could be possible that configuration can be directly imported into new installation. Installer scans for previous installations with config.

393

General Discussion / Re: Sensei requires at least 4GB of physical memory! Installer will exit now.

« on: April 18, 2019, 11:37:08 pm »

OPNsense 18.7.10_4-i386

You are running 32bit version. It cannot address more than 4gb.

You need to install 64bit version.

394

19.1 Legacy Series / [Solved] Many virtual terminals (tty) in 19.1.6

« on: April 16, 2019, 05:53:31 pm »

Usually when I check uptime and my ssh sessions I just use w to displaythis information.

Now I did a fresh install with 19.1.4 and upgraded to 19.1.6.

When I now check sessions, I get many virtual tty-sessions (7). I edited /etc/ttys and disabled virtual ttys, but after reboot /etc/ttys is restored and all virtuall ttys are present again.

19.1.6

Code: [Select]

11:17AM  up 17:38, 10 users, load averages: 0.90, 0.74, 0.69
USER       TTY      FROM                                      LOGIN@  IDLE WHAT
admin      pts/0    nb-mn01                                  11:17AM     - w
root       v1       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v5       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v2       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v3       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v0       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v6       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v7       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       u0       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell
root       v4       -                                        Tue05PM 17:34 /bin/sh /usr/local/sbin/opnsense-shell

I checked my older opnsense installations (19.1.4) and there virtual ttys are also enabled in /etc/ttys, but finally there is just one v0 session.

19.1.4

Code: [Select]

11:20AM  up 9 days,  2:18, 2 users, load averages: 0.66, 0.76, 0.73
USER       TTY      FROM                                      LOGIN@  IDLE WHAT
admin      pts/0    nb-mn01                                  11:20AM     - w
root       v0       -                                        08Apr19 5days -

Is there any chance to revert 19.1.6 behaviour to just one tty session?

395

Tutorials and FAQs / Re: HOWTO - Setup working wpad.dat with web gui on alternative port

« on: April 14, 2019, 06:11:47 pm »

One related issue that I found is that if you disable redirection from 80->443 you lose the ability to load wpad from HTTP. See https://github.com/opnsense/core/issues/3416

For this reason, I wrote this HOWTO. No matter what port you use for webgui, WPAD will be provided via HTTP.

396

German - Deutsch / Re: ASN-Aliase erstellen

« on: April 13, 2019, 11:20:18 pm »

Nutz doch einfach diesen Dienst und trage die URL mit angehängtem ASN als Alias ein:

http://asn.blawk.net/

z.B.http://asn.blawk.net/2906 für ASN 2906 (Netflix)

397

General Discussion / Re: HAProxy in a High Availability scenario. How to enable statistics on both nodes?

« on: April 12, 2019, 08:28:52 pm »

If it is a HA setup, usually it's active-passive, one node should have the traffic and the passive one none. So why monitor the inactive node? Statistics should be zero. Just monitor the VIP. So you always get the statistics of the active node.

398

German - Deutsch / Re: Aliastabelle wird nicht aktualisiert

« on: April 12, 2019, 07:06:35 am »

Damit bist Du nicht allein.
https://forum.opnsense.org/index.php?topic=12407.0;topicseen

Hast Du auf Github einen Issue eröffnet, damit es gefixt wird?

Wie hast Du die OPNsense zurückgesetzt? Ich hatte letztlich es über opnsense-revert probiert. Das schlug leider fehl und ich musste neuinstallieren.

399

19.1 Legacy Series / Re: Wifi access point does not have internet access

« on: April 11, 2019, 01:09:30 pm »

I looked into the outbound section. Its set to autorules and has two rules per interface (Auto created rule and Auto created rule for ISAKMP). All of them have "127.0.0.0/8". The "ISAKMP" have also static port set to yes and destination port 500.

127.0.0.1/8? Shouldn't it look like this?

Code: [Select]

Interface Source Source Port Destination Destination Port NAT Address         NAT Port Static Port Description
WAN         WLAN *         *              *                 Interface address *         NO              WLAN_NAT

400

19.1 Legacy Series / Re: Wifi access point does not have internet access

« on: April 10, 2019, 10:29:26 pm »

Did you setup outbound nat for your wireless interface? I think for some releases 18.7.+ the automatic outbound nat will not work and create the needed rule.
So you have to add it manually and map your wireless subject to your wan ip.

401

German - Deutsch / Re: Subnet routing im LAN

« on: April 10, 2019, 05:28:29 pm »

Innerhalb eines Interfaces sollte ich doch kein Routing und auch keine Firewall Regeln brauchen?

Da Du auf dem Interface mehrere Subnetze laufen hast, musst Du natürlich routen. Weiß ja deine OPNsense nur durch die IP-Aliase, das es mehrere Netze gibt, aber denke nicht, das damit auch automatisch die nötigen Routen für das Interface angelegt werden.

Was die Firewallregeln angeht, gibt's glaub irgendwo Option, wo man aktivieren/deaktivieren kann, ob Traffic der auf dem selben Interface rausgeht, wo er reinkam, gefiltert werden soll.

402

General Discussion / Re: SNMP Support

« on: April 10, 2019, 01:53:27 pm »

There is no SNMP trap support in gui and hey: OPNsense is a firewall. To limit SNMP to specific hosts, just create a  rule 

403

Web Proxy Filtering and Caching / Re: Proxy-Server Authentication after PC-Reboot

« on: April 10, 2019, 01:04:21 pm »

HTTP is a stateless protocol. Your proxy server will not recognize whether the user is rebooting its device and no requests are coming or he is just idle, off from pc or just doing something else that does not generate web traffic?

If a user is authenticated at the proxy you cannot "log out" and re-authenticate. The user usually has to close and re-open the browser windows to be able to re-login at the proxy.

See here:
https://wiki.squid-cache.org/Features/Authentication#Does_Squid_cache_authentication_lookups.3F

Since a reboot is like closing the browser and if you changed the credential caching to nothing, then it must be your browser that caches credentials between sessions/reboots.

404

German - Deutsch / Re: Subnet routing im LAN

« on: April 10, 2019, 11:03:05 am »

Kannst über Firewall: Virtual IPs: Settings beliebig viele IP-Aliase auf ein Interface legen.

Da es ohne VLANs schließlich auch nur ein Interface über das mehrere Subnetze laufen, kannst Du folglich in den Regeln auch nur das eine Interface auswählen. Für Deine "Netze" mußt Du halt entsprechende Aliase erstellen, dann kannst Du das schon in Regeln packen.
Problematisch wird es dann eher mit DHCP. Woher soll der wissen, ob es nun LAN, VoIP oder IoT ist? Außer Du hast da bestimmte Hersteller und kannst das auf MAC-Prefixe eingrenzen, aber ich vermute dann meckert OPNsense, wenn die IP-Range nicht in dem Subnetz des Interfaces liegt. Da wirste dann wohl eher statisch deine Adressen vergeben müssen.

Dir muß halt klar sein, daß ohne VLANs Deine Firewall mehr Makulatur ist und nicht wirklich eine Netztrennung macht. Ein Sniffer bekommt Traffic aus allen IP-Netzen mit und man braucht sich dann nur eine IP aus dem entsprechenden Subnetz geben, um ohne Firewall Zugriff auf das andere Netz zu haben. 

405

19.1 Legacy Series / Re: Slow bandwidth from lan to wan (OPNsense on Proxmox VE)

« on: April 09, 2019, 05:44:59 pm »

Did you try the "new" netmap enabled kernel? Should perform better with virtual nics.

See here:
https://forum.opnsense.org/index.php?topic=11477.0