OPNsense
Messages - Greelan

946
General Discussion / Re: Block range of LAN hosts from ANY Internet access
« on: January 07, 2021, 07:00:38 am »
You mentioned you have a multi WAN gateway group. I wonder if there is some routing issue relating to that, e.g. the camera traffic is only being blocked out of one WAN interface but not the other? I don’t have experience with a multi WAN setup but presumably you want the block to apply to the gateway group? Do you need to select that as the Gateway in the rule?

947
General Discussion / Re: Block range of LAN hosts from ANY Internet access
« on: January 07, 2021, 06:53:22 am »
And applied the changes after moving them, right?

948
General Discussion / Re: Block range of LAN hosts from ANY Internet access
« on: January 06, 2021, 11:49:32 pm »
If you haven’t created any firewall groups, then you won’t see any rules

Are you sure your Alias is right? Maybe test with a separate rule that just uses the device’s IP directly?

949
General Discussion / Re: Block range of LAN hosts from ANY Internet access
« on: January 06, 2021, 11:13:57 pm »
The device might still be pinging, but are the pings getting through?

You don’t have any relevant floating or group rules that are applying in priority?

950
General Discussion / Re: Block range of LAN hosts from ANY Internet access
« on: January 06, 2021, 10:08:01 pm »
Block them on the LAN interface

951
20.7 Legacy Series / Re: Question after lighttpd patch
« on: January 06, 2021, 10:05:08 pm »
Lighttpd runs the OPNsense web GUI

Just leave the files as they are

952
General Discussion / Re: Creating a DNS entry in Unbound without a domain?
« on: January 06, 2021, 08:31:49 pm »
Quote from: bartjsmit on January 06, 2021, 08:12:39 pm

Couldn't agree more - I use a distribution script for LE wildcards: https://github.com/bartsmit/distcerts
I’m lazier than that. I just run nginx and acme.sh in a LXD container and reverse proxy everything else from there :)

953
General Discussion / Creating a DNS entry in Unbound without a domain?
« on: January 06, 2021, 08:27:37 pm »
Again, using .local will conflict with mDNS if that is enabled on a device in the network (and the OP said they had Apple devices)

See the RFC: https://tools.ietf.org/html/rfc6762#section-3

Devices using mDNS will not be able to resolve the DNS records for devices not using mDNS

The domain .lan as suggested by @flushell is likely to be better, with a low (admittedly not zero) chance of conflict with a future gTLD

Edit: Or .localdomain could be used. Or even something bespoke like .davynet :)

954
General Discussion / Re: Creating a DNS entry in Unbound without a domain?
« on: January 06, 2021, 07:58:09 pm »
Quote from: flushell on January 06, 2021, 07:25:10 pm

I registered my own domain name and have a free Letsencrypt certificate in place to use on my network.

I’ve done the same. I use local.mydomain.com as my local network domain, and have a LE wildcard for it so that all my internal web services are on https (because why not?!). And I access everything internally through DNS records on that local domain (server.local.mydomain.com, router.local.mydomain.com ...).

955
General Discussion / Re: Creating a DNS entry in Unbound without a domain?
« on: January 06, 2021, 10:25:07 am »
Actually better not to use .local as the local domain given that will cause issues with mDNS

956
20.7 Legacy Series / Re: Regular LAN detached event, sometimes results in failure of resolv.conf and IPv6
« on: January 06, 2021, 01:58:45 am »
I’ve now resorted to running a custom cronjob a bit after 3am each day to check for external IPv6 connectivity and if there is none to restart dhcp6c. Bit hacky, but means I don’t need to check and restart manually every few days.

I really would like to solve the underlying issue though. Still no-one out there with any thoughts?

957
20.7 Legacy Series / Unbound service routinely stopping/crashing following 20.7.7 update
« on: January 04, 2021, 12:42:06 pm »
Looks like you missed the post above - see post #37

958
Virtual private networks / Re: Wireguard & Mullvad - I'm lost.....
« on: January 03, 2021, 09:41:03 pm »
As an aside, I get the sense that what “Allowed IPs” means may be confusing you. Allowed IPs are not the IPs that are permitted on the local side to access the endpoint through the tunnel. Rather, they are the IPs that are able to be accessed through the tunnel via the endpoint, by whatever IPs on the local side are otherwise configured to use the tunnel by routes/firewall rules. Think of it as - “what IPs do I want to reach through the tunnel?”

959
Virtual private networks / Wireguard & Mullvad - I'm lost.....
« on: January 03, 2021, 08:59:58 pm »
This is it: Multiple Wireguard VPN Clients
 https://r.tapatalk.com/shareLink/topic?share_fid=197904&share_tid=20494&url=https%3A%2F%2Fforum%2Eopnsense%2Eorg%2Findex%2Ephp%3Ftopic%3D20494&share_type=t&link_source=app

Again, the key is configuring the firewall rules and outbound NAT so that they are specific to the particular VLAN you want to use the relevant interface and gateway. It’s really an expansion of the idea of configuring a specific IP to use the VPN (which is discussed by me in a topic linked in the above topic) - instead of a single IP, you are wanting a single subnet

960
Virtual private networks / Re: Wireguard & Mullvad - I'm lost.....
« on: January 03, 2021, 08:55:26 pm »
OK, then you should leave Allowed IPs as 0.0.0.0/0, and simply set up the firewall rules and outbound NAT for each VLAN to use the relevant gateway. There was a topic recently where someone did essentially the same thing - I will dig it out
