Messages

1

23.1 Production Series / Re: ddclient with opnsense backend doesn't start

« on: May 04, 2023, 10:30:36 am »

I could not get the OPNsense backend to work with a CloudFlare token using only v4. It would generate this error:

Account XXX [cloudflare - XXX ddns] error receiving ZoneID [[{"code": 6003, "message": "Invalid request headers", "error_chain": [{"code": 6102, "message": "Invalid format for X-Auth-Email header"}, {"code": 6103, "message": "Invalid format for X-Auth-Key header"}]}]]

I think that "Invalid format for X-Auth-Email header" indicates that you are not using Cloudflare "token" service (if token auth is used, it would read something like "bearer authentication").

You need to use username "token" (literally "token"!) or leave it empty to use the token authorisation. DO NOT USE YOUR CLOUDFLARE EMAIL / USERNAME!

2

23.1 Production Series / Re: Secure NTP

« on: May 04, 2023, 10:05:59 am »

Running adguard and chrony and never had an issue between those two.

I assume you have disabled the regular NTP server service? (Services -> Network Time -> General -> "Time Servers" empty and "Client Mode" ticked)

And another wild shot in the dark: You have disabled the rate limit in Adguard Home (Settings -> DNS Settings -> Rate Limit set to "0")?

3

23.1 Production Series / Re: Secure NTP

« on: April 27, 2023, 10:44:27 pm »

you can install Chrony and use NTS.

Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323

I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de

4

23.1 Production Series / Re: Firewall: Diagnostics: Aliases / add address / remove address works for 30 secon

« on: April 20, 2023, 01:12:29 pm »

1. Create an IP alias with a NOT ("!") setting, e.g. "!1.2.3.4".
2. Create an alias that combines your IP list and the not-IP-alias
3. Use the new combined alias.
4. Done.

5

23.1 Production Series / Re: LetsEncrypt issues after v23.1 upgrades? (likely just mine)

« on: April 06, 2023, 09:26:37 am »

No help here, but I also had some issues a few weeks back where renewals would no longer work.

I *think* it was failing the DNS challenge...?

I ended up deleting and newly creating my acme/letsencrypt config. 

That was end of February.

6

Hardware and Performance / Re: Lenovo M920q NIC and RAM recommendation

« on: April 01, 2023, 08:25:07 pm »

Re: fake i350:

https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/

https://www.hardwareluxx.de/index.php/news/hardware/netzwerk/58048-gefaelschte-netzwerkkarten-von-intel-bei-namhaften-deutschen-shops.html

7

22.1 Legacy Series / Re: os-ddclient

« on: April 01, 2023, 08:19:49 pm »

Username should be either empty or just use the word "token". That tells ddclient to use the API token bearer mechanics. You then put your (newly generated) API token into the password field.

Note: The API token is NOT the same as your Global API Key. See https://developers.cloudflare.com/fundamentals/api/get-started/create-token/. Your token needs both DNS Read and DNS Write permissions. Lots of tutorials on the interweb.

Do NOT use any kind of individual username (such as Zone ID, account ID, email, etc.) - if you do, only your Global API Key works.

Also note this is for OPNsense 23.1 -- not sure if it already works for 22.1 legacy series.

8

Hardware and Performance / Re: Lenovo M920q NIC and RAM recommendation

« on: March 25, 2023, 12:44:57 pm »

Intel i350. Beware fake Intel cards on eBay though.

RAM - 8GB are plenty for Opnsense. More could be required only if you need a lot of additional services.  Have a look at your current RAM usage to check.

Incidentally, I'll be moving to an m720q 8500T or 9400T soon, too ;-)

9

Tutorials and FAQs / Re: HOWTO - Redirect all DNS Requests to Opnsense

« on: March 24, 2023, 12:32:31 am »

Cool, thanks!

10

22.1 Legacy Series / Re: os-ddclient

« on: March 24, 2023, 12:28:12 am »

I'm spamming this advice as it was "hidden" on github:

How to enable ddclient cloudflare API token use:

username:   token           (!!)
password:   API Token

(taken from Github - just tried it on 23.1 and it works. Goodbye Global API Key!)

11

22.1 Legacy Series / Re: Dynamic DNS - Cloudflare

« on: March 24, 2023, 12:26:39 am »

How to enable ddclient cloudflare API token use:

username:   token
password:   API Token

(taken from Github - just tried it on 23.1 and it works. Goodbye Global API Key!)

12

German - Deutsch / Re: DynDNS Legacy to OS-DDClient Umstellung - Cloudflare - Fehlende auth methode

« on: March 24, 2023, 12:25:41 am »

Cloudflare API token geht wie folgt bei ddclient:

How to enable ddclient cloudflare: EASY!
username:   token
password:   API Token

13

23.1 Production Series / Re: SSL DPI

« on: March 06, 2023, 08:41:25 pm »

You could also block access to the Snapchat servers based on its ASN IPs.

14

Intrusion Detection and Prevention / Re: Suricata Policies not working as expected?

« on: February 23, 2023, 04:38:10 pm »

For most of these, you shouldn't use Suricata at all but use firewall aliases and rules to block these IPs directly, as it is (said to be) a lot more performant.

In Suricata, only use the following:
   
    abuse.ch/SSL Fingerprint Blacklist
 

Not sure if this is a rules or IP based list:
    abuse.ch/ThreatFox
   

15

23.1 Production Series / Re: Upgrade vs Clean Install

« on: January 30, 2023, 01:16:09 pm »

Is it worth a clean upgrade just to get on ZFS

Absolutely.

Being able to do snapshots and backup boot environments (bectl) prior to upgrades is a god-send.

The thing that holds me back is recreating all the "custom" stuff that isn't backed up normally e.g. I have scripts that execute speed tests against 5 servers, some custom commands for Unbound and who know how many other tweaks I have probably forgotten about. I'd be installing to a new drive so getting anything back shouldn't be too difficult, just a pain, also fully reverting will be simple.

You could try to run a "diff" (compare directories etc.) between the two filesystems to find esp. custom scripts, config files etc.

Also, is it just a case of backing up the current installation, copying that to a USB drive then pointing the installer to that file?

Basically yes. You may have issues initially e.g. having to reinstall plugins  / repos but those can usually be sorted out pretty easily.