Topics - thomas-hn

#1
Hi,

currently I'm trying to set up a condition that checks if an SNI is present in a request (HTTPS) or if there is no SNI (OpenVPN traffic). However, in the dropdown for the "Condition Type" there are multiple SNI-related entries, but all seem to need a server name configured.

Is there a way to simply check if SNI is there, ignoring which server name exactly is requested?

Thanks a lot in advance,

Thomas
#2
Hi,

I am wondering if there is a cool idea, best practice, etc. for the assignment/organization of static IPv4 addresses on devices with multiple network interfaces on different subnets (to easily see which IPs belong to which device).
For example, a router has a downstream interface where it acts as a gateway and, therefore, uses the x.x.x.254 address. However, on its upstream interface the router is only a "client" to the next router and, therefore, uses maybe the x.x.x.100. So it is hard to see that the 100 on subnet A and the 254 on subnet B are on the same device.

If a device is not a router but acts in multiple VLANs, it would be nice to have something like x.x.x.25 and y.y.y.25 on its interfaces, so that it is (for humans) easy to remember that 25 is this specific device in all subnets. I am fully aware that this will not work in all use-cases, but an uncontrolled growth of IP assignments could be even worse.

Simply assigning everything via DHCP and not considering any static addresses is not an option, because subnets like "Management" shall use static addresses so that the management subnet still works in case a DHCP server fails.

How do you organize your static IPv4 addresses in your subnets?

Thanks a lot in advance,

Thomas
#3
General Discussion / Multiple mDNS Repeater "Groups"
March 03, 2023, 01:48:01 PM
Hi,

is it possible to have different groups in the mDNS Repeater plugin?
Meaning that one mDNS Repeater instance works between VLAN 10 and VLAN 20, while another mDNS Repeater instance works between VLAN 30 and VLAN 40? The goal shall not be to have all four VLANs on the same repeater.

Thanks a lot in advance,

Thomas
#4
Hello,

does someone know if there is any user plugin available for OPNsense which provides a simple DNS server for only serving TXT records?

I would like to run something similar to https://github.com/pawitp/acme-dns-server on OPNsense with port 53 open to the Internet to provide a minimalistic DNS server for only providing TXT records used for DNS-01 wildcard certificate validation. The linked project describes the purpose as "This is a very simple DNS server written in Python for serving DNS TXT records for the purpose of ACME (Let's Encrypt) DNS-01 validation, which is required for generating wildcard certificates.".

Is something similar already available on OPNsense (without having to install it manually via console)?

Thanks a lot in advance,

Thomas
#5
General Discussion / OPNsense behind Proxy
January 17, 2023, 09:52:17 AM
Hello,

if OPNsense is installed behind a proxy server, is there any way to make Internet access possible to clients behind OPNsense without using proxy settings on them?
I am thinking about simply configuring the IP address of OPNsense as DNS server and gateway in those clients' network configuration, and OPNsense redirects all those requests coming from the clients via the proxy to the Internet (also including authentication at the proxy done by OPNsense).
I'm aware of the fact that this would not allow "full" Internet access, but only limited to HTTP traffic (or whatever the proxy allows).

Can this be done with OPNsense? If so, any hints?

Thanks a lot in advance,

Thomas
#6
Hello,

my current setup looks as follows:

LAN [192.168.10.0/24]  <----> OPNsense <----> DSL modem <----> Internet
(incl. web server)

OPNsense is connected to the Internet via PPPoE and a DSL modem (dynamic IPv4).
In the internal LAN there is a web server, which is reachable from the Internet without problems via port forwarding + HAproxy (on the OPNsense).

My problem is that the web server is not reachable from the LAN via its URL. The URL is correctly resolved to the WAN IP, and OPNsense then routes the request on to the Internet instead of redirecting it to its own WAN interface (as incoming traffic).

1) How can I tell OPNsense that traffic from the LAN to the WAN IP should not be sent to the Internet but handled as "incoming traffic" on the WAN interface? Where in OPNsense do I have to adjust the routing, and what is the correct configuration for that?
2) Is this possible without modifying DNS resolution? I would like to avoid that, in case a user in the LAN uses their own DNS server.

Many thanks,

Thomas
#7
Hello,

I just updated to OPNsense 21.7.4-amd64 and afterwards noticed that my FreeRADIUS is not starting anymore.

In the FreeRADIUS log file I can find:

2021-11-04T20:20:46 Error: /usr/local/etc/raddb/mods-enabled/pap[13]: Failed to link to module 'rlm_pap': Cannot open "/usr/local/lib/freeradius-3*/rlm_pap.so"
2021-11-04T20:20:46 Info: Debugger not attached


Any ideas how to fix this?

Thanks in advance,

Thomas
#8
Hello,

how does the IDS (Services => Intrusion Detection) receive the incoming packets?

Is it getting the packets before the Firewall? I'm asking because my IDS is currently listening on LAN & WAN, and on the WAN side I see a lot of traffic to ports which are closed in the Firewall.

Can someone confirm please, that the IDS sniffs before the Firewall?

Thanks,

Thomas
#9
Hello,

in the log "System => Log Files => Backend" of my OPNsense 20.7.3-amd64 I'm getting a lot of errors regarding "Broken Pipe":


2020-10-03T18:22:04 configd.py[99296] unable to sendback response [OK ] for [dyndns][reload][None] {9760f158-f647-47c8-a6bf-4636d2ebf47a}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-10-03T18:12:04 configd.py[99296] unable to sendback response [OK ] for [dyndns][reload][None] {8bae6717-80e7-4052-a4c2-de7c14ee0e35}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-10-03T18:05:02 configd.py[99296] unable to sendback response [OK ] for [interface][newip][['ix0']] {2002f95d-cf17-4130-8dad-27338170a6a1}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-10-03T18:04:52 configd.py[99296] unable to sendback response [OK ] for [interface][linkup][['start', 'ix0']] {fa705b72-dcbe-49af-95f2-bd4966c646f7}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe


As far as I know, the problem is that OPNsense loses its pipe to the specific backend service. Whenever a module runs into the "BrokenPipeError", the GUI cannot provide any data about this module anymore (e.g. loading "Services => Dynamic DNS" hangs).

Does someone know this problem and how to fix it? As you can see in my attached lines of the log, different modules are affected.

Thanks,

Thomas
#10
German - Deutsch / BrokenPipeError: [Errno 32] Broken pipe
September 16, 2020, 10:19:18 PM
Hello,

I noticed today that the following errors keep showing up in the log.
As soon as the error with the "[dyndns]" part appears, loading the page "Services => Dynamic DNS" takes forever, and once the page is displayed, the "Cached IP" entries are shown in red instead of green as in the normal case.

Besides the "[dyndns]" errors, some with "[interface]" also appear.


2020-09-16T22:02:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {5d61e983-c1ba-4db0-8888-a4e0835b607d}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T21:52:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {5eecbabe-ce94-4c3c-94df-473e7c13e73a}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T21:42:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {d8bdc2ba-a882-493f-a7d6-a23c43532c17}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T21:32:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {c6d67902-1bbb-4591-89b6-3adbe430e5d3}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T21:22:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {b69028b8-9aff-4bb7-88c9-9d78224f473f}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T21:12:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {d69e22cc-90f7-433f-968e-22be8c19bf7d}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T21:02:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {b933e95e-fc7c-4934-81b8-8f62f8a8ee22}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T20:52:04 configd.py[41126] unable to sendback response [OK ] for [dyndns][reload][None] {19d71343-1bac-46cc-a08c-80bf74fc7231}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T20:40:50 configd.py[41126] unable to sendback response [OK ] for [interface][newip][['ix0']] {ffcab560-061f-4b42-9e3e-14b0c9a27844}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

2020-09-16T20:40:41 configd.py[41126] unable to sendback response [OK ] for [interface][linkup][['start', 'ix0']] {4dfe3e5a-4267-4ca9-aab7-c2a76eef54e5}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe


Does anyone have a hint where the problem lies or how it can be fixed?

Many thanks,

Thomas
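An added example (not from the posts and not OPNsense code) that parses the configd "unable to sendback response" lines quoted in posts #9 and #10 and summarizes which module/action pairs fail, which exception class is raised, and how regularly each request repeats; the sample lines and their UUIDs are constructed in the log's format:

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the configd "unable to sendback response" lines quoted in the posts.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) configd\.py\[(?P<pid>\d+)\] "
    r"unable to sendback response \[(?P<status>[^\]]*)\] "
    r"for \[(?P<module>[^\]]+)\]\[(?P<action>[^\]]+)\]\[(?P<args>.*?)\] "
    r"\{(?P<uuid>[0-9a-f-]{36})\}, message was .*?(?P<exc>\w+Error: .*)$"
)

# Traceback text exactly as it appears (flattened) in the posted log lines.
TRACE = (
    "Traceback (most recent call last): File "
    '"/usr/local/opnsense/service/modules/processhandler.py", line 202, in run '
    "self.connection.sendall(('%s\\n' % result).encode()) "
    "BrokenPipeError: [Errno 32] Broken pipe"
)

# Constructed sample in the same format as the post (UUIDs are placeholders).
SAMPLE_LOG = "\n".join(
    f"{ts} configd.py[41126] unable to sendback response [OK ] for {req} "
    f"{{00000000-0000-4000-8000-{i:012d}}}, message was {TRACE}"
    for i, (ts, req) in enumerate([
        ("2020-09-16T21:02:04", "[dyndns][reload][None]"),
        ("2020-09-16T21:12:04", "[dyndns][reload][None]"),
        ("2020-09-16T21:22:04", "[dyndns][reload][None]"),
        ("2020-09-16T20:40:50", "[interface][newip][['ix0']]"),
        ("2020-09-16T20:40:41", "[interface][linkup][['start', 'ix0']]"),
    ])
)

def parse(log_text):
    """Return one dict per matching line; lines in another format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            entries.append(d)
    return entries

def summarize(entries):
    """Count failures per (module, action) and per exception class, and compute the
    median gap between repeats of one request, which exposes periodic callers."""
    by_request = Counter((e["module"], e["action"]) for e in entries)
    by_exc = Counter(e["exc"].split(":")[0] for e in entries)
    intervals = {}
    for key in by_request:
        times = sorted(e["ts"] for e in entries if (e["module"], e["action"]) == key)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        intervals[key] = sorted(gaps)[len(gaps) // 2] if gaps else None
    return {"by_request": by_request, "by_exception": by_exc, "median_interval_s": intervals}
```

Running `summarize(parse(SAMPLE_LOG))` shows the dyndns reload failing every 600 s, i.e. a scheduled job rather than a user action.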

#11
Hello,

I currently use OPNsense with Unbound DNS and DHCPv4.
Under Services => DHCPv4 => LAN I have added some "DHCP Static Mappings for this Interface", which work perfectly for the devices in the network that obtain an IP address from OPNsense via DHCP.

But now I also have some devices in the network that absolutely need a static IP address. Where can I store static mappings of hostname or FQDN to IP address for these in OPNsense? Under the mentioned "DHCP Static Mappings for this Interface" it does not work, because OPNsense then complains that the IP address is already in use. My gut feeling is that this is pure DNS resolution and should therefore be done somewhere under Unbound DNS. Can someone please give me a hint here?

Many thanks,

Thomas
#12
German - Deutsch / Unbound DNS Blacklist Format
September 08, 2020, 04:01:13 PM
Hello,

I would like to add another blacklist under Services => Unbound DNS => Blacklist under the item "URLs of Blacklists". I noticed that there are blacklists in the format www.blockeddomain.de and also 127.0.0.1 www.blockeddomain.de. Which format does Unbound DNS under OPNsense need? The variant with or without the IP address? Or doesn't it matter?

Many thanks in advance,

Thomas
#13
Hello,

I have already searched for a while without success :(
Where can I find details about the threats which are shown on the "Alert" page? Where can I find a more detailed description of a given SID?

Thanks,

Thomas
#14
Hello,

in the future I would like to use OPNsense as router/firewall and, therefore, I'm looking for powerful and energy-efficient hardware.

My requirements are:
- Usage of OPNsense
- the case shall be a server-case for 19 inch racks
- my current Internet connection is 100/40 MBit/s, but I want to have the option for future GBit FTTH
- having the option for using Snort/Suricata
- having the option for using a DNS filter
- using HAproxy
- maximum of around 6-8 simultaneous VPN connections via IPsec/OpenVPN (IPsec for Windows notebooks, OpenVPN to use HTTPS to bypass some networks which try to block VPN)
- Support for AES-NI
- IPMI

The hardware I'm tending to at the moment:
- SuperMicro A2SDi-4C-HLN4F
  - CPU: Intel Atom C3558, 4 Cores
  - 4x GBit-LAN, Intel C3000 SoC
- Case: SuperChassis 505-203B
- 8 GB RAM ECC
- SSD: Samsung EVO

My questions:
- Do you have concerns regarding compatibility of my setup with OPNsense? Are there any known bugs/issues?
- Do you recommend any other components?
- OPNsense appliances are often found with i3, i5, Celeron or Xeon CPUs.
  - Would those CPUs provide a huge benefit over my "Intel Atom C3558, 4 Cores"?
  - Do you have any experiences regarding power consumption of such more powerful CPUs? (the Intel Atom C3558 has TDP 16W)
  - Do you recommend another CPU which provides more power at a comparable power consumption?
- Do you have some experience about the other OPNsense systems which are often used?
  - IPU662 with i5-6200U (Skylake Dual Core (4 Threads) 2.3 GHz, Turbo Boost up to 2.8 GHz, 15W TDP)
  - Celeron J3160 (4 Cores, 1.6GHz)
  - other i3, i5, Celeron, Xeon systems?
- My proposed board uses Intel C3000 SoC network controllers. Are they compatible with OPNsense? Are they better/worse/comparable to widely used Intel controllers like i210/i211?

Thanks a lot in advance,

Thomas