Messages - newsense

946
19.1 Legacy Series / Re: How to setup and use 1:1 NAT
« on: February 27, 2019, 08:30:04 am »
Thanks for that, it's...quite unfortunate. I was aware of the completely inappropriate .com issue and the lousy 'stick with OpenSSL 'cause I trust a guy' justification.

While I never looked into their development model much, the rather slow release cycle and occasional patches were a growing concern from a security appliance point of view - otherwise simply from the FreeBSD's perspective pf would work just fine anywhere for a simple set of rules.


My only headache so far in many months with OPN has been the recent unbound/DoT mess ongoing since 18.7.10 but I'll wait for 19.1.2 update which hopefully will be ready soon to see if the HBSD related issues persist.

947
19.1 Legacy Series / Re: How to setup and use 1:1 NAT
« on: February 27, 2019, 05:37:06 am »
Quote
...aging APU1D4...

Not aging, but arguably out of date. Check out the Hardware subforum in the APU 1-5 thread on how to get the latest firmware on it - securely. Pages 5-6.

pfSense is not requiring AES-NI for 2.5 - unsure whether the API was the major factor though...

Quote
The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.

https://forum.netgate.com/topic/140586/heads-up-snapshots-moving-to-pfsense-2-5-0-on-freebsd-12-expect-initial-instability


Have you looked into Avahi at all? Might be the solution you're looking for while avoiding all those stray packages that will likely be difficult to maintain given OPNsense's rather aggressive patching cycle.

948
General Discussion / Re: NGINX: Connection gets dropped
« on: February 27, 2019, 03:30:25 am »
Once a patch is available you'll be able to test it before it's rolled out.

For the time being however, it's still a bug.

949
18.7 Legacy Series / Re: No Wifi (APU2. WLE200NX)
« on: February 27, 2019, 03:10:50 am »
I think he was inquiring about physical slots on the board...

950
German - Deutsch / Re: Upgrade auf 19.1 nicht möglich, weil "Disk full"?
« on: February 27, 2019, 03:08:32 am »
...and backup the config first, just in case something goes awfully wrong hardware wise. :-)

951
19.1 Legacy Series / Re: Tearing hair out - packets passing fw but not being received by Unbound
« on: February 26, 2019, 08:04:09 am »
There's no default allow in on WAN - doesn't matter how many services are listening on the FW. That's why I asked for the rules.

Also, you should be able to see in Firewall-Logs-Live what's happening with all your VIPs taking advantage of the filtering facility provided.

952
19.1 Legacy Series / Re: Tearing hair out - packets passing fw but not being received by Unbound
« on: February 26, 2019, 07:37:59 am »
The same rules would have to be defined for all IPs. Somehow it would appear you're expecting identical results for different settings.

953
19.1 Legacy Series / Re: Installation of 19.1 on Pc Engine APU4C4 fails on mSata but works on SD card
« on: February 26, 2019, 06:36:38 am »
Glad it all worked out. Please prepend [Solved] to the thread name as it would likely help others and it's a good filter when looking at a bunch of different threads.

954
19.1 Legacy Series / Re: Tearing hair out - packets passing fw but not being received by Unbound
« on: February 26, 2019, 06:33:56 am »
Can you post the WAN rules ?

955
General Discussion / Re: nintendo switch what port to NAT
« on: February 26, 2019, 05:10:27 am »
Your better option is to have at least one dedicated VLAN for IoT devices. Having it on your LAN is a security risk.

The information in the link basically tells you in the clear that it's rather poor security to make it work:
Quote
Important:

    While Nintendo provides this information for our consumers' use, it is up to each consumer to determine what security needs they have for their own networks, and to decide how best to configure their network settings to meet those needs.
   

956
General Discussion / Re: how to monitor ip port traffic
« on: February 26, 2019, 04:32:07 am »
Firewall-Logs-Live section, filter by desired IP

957
General Discussion / Re: cold reboot : network inactive
« on: February 26, 2019, 04:29:58 am »
Define 'strange' please.

Also, is there any other DHCP server on the network ?

958
Hardware and Performance / Re: PCENGINES APU[1-5] Bios
« on: February 26, 2019, 04:16:07 am »
Quote from: miczyg on February 25, 2019, 01:44:58 pm
Hello Dear OPNsense community,

Signatures and hashes for all previous firmware release are now available: https://pcengines.github.io/


Quote from: newsense on February 22, 2019, 04:31:54 pm
Hi miczyg

Any chance I could remotely identify the chip running on this APU1C4 ? Dmidecode isn't helpful

Code:
flashrom -w apu1v4.9.0.2.rom -p internal
flashrom v1.0 on FreeBSD 11.2-RELEASE-p6 (amd64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
coreboot table found at 0xdffdf000.
Found chipset "AMD SB7x0/SB8x0/SB9x0".
Enabling flash write... OK.
Found Macronix flash chip "MX25L1605" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Found Macronix flash chip "MX25L1605D/MX25L1608D/MX25L1673E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Multiple flash chip definitions match the detected chip(s): "MX25L1605", "MX25L1605A/MX25L1606E/MX25L1608E", "MX25L1605D/MX25L1608D/MX25L1673E"
Please specify which chip definition to use with the -c <chipname> option.

Hi newsense,

Yes this is a common problem with apu1, since few Macronix SPI chips have the same JEDEC ID and flashrom can not distinguish them. Try passing:

-c "MX25L1605A/MX25L1606E/MX25L1608E"

to flashrom as an argument and it will be ok. We have mentioned it here too: https://github.com/pcengines/apu2-documentation/blob/master/docs/firmware_flashing.md#corebootrom-flashing

Thank you miczyg, I already updated two APU1s without issues from their factory version, both using the OPNsense live method I described a few posts back and from a fully deployed production running FW - following the steps in the Live method described followed by the reboot command when the upgrade was successful.

959
Hardware and Performance / Re: Zotac nano ci323 LAN Problem
« on: February 26, 2019, 04:02:50 am »
Quote from: razor1299 on February 26, 2019, 02:18:02 am
Hi,  i invert the ports on the Zotac my port 01 stay to 100baseTX...

Thank you.
So if I understand correctly the port01 has an issue.

Is the behaviour consistent if you boot Ubuntu live on it ?

Also, any BIOS updates available or configuration switches that may lock down that port to 100 ?


If after all of the above you don't move any closer to the desired resolution, the last thing I'd do before RMA would be to unplug everything from it for a few minutes, BIOS reset or battery removal if you have access inside the box, then check OPNsense/Ubuntu live one more time.

960
19.1 Legacy Series / Re: No TLS Connection between two OPNsense 19.1
« on: February 26, 2019, 03:52:40 am »
I'm not 100% sure what you were trying to achieve with TLS, but the errors you posted clearly show that the trust was incomplete to begin with:
Code:
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
