OPNsense
Messages - meyergru

106
24.7 Production Series / Re: DynDNS and MX-record
« on: November 17, 2024, 05:08:25 pm »
No, it may not, according to RFC 2181; at least, you cannot specify a CNAME pointing to your dynamic entry.

There are also other types of records that cannot be specified as a CNAME, e.g.: @ (meaning the domain itself), because there are usually other entries that may be needed apart from an address, like MX or SOA or TXT records.

107
Hardware and Performance / Re: Hardware overkill for dedicated OpnSense?
« on: November 16, 2024, 10:36:12 pm »
That machine is O.K. to use as a router (although it is far more power-hungry compared to something more modern that performs at the same level, like an N100).

Under Proxmox, it is seriously questionable, mostly because it has too little RAM. Proxmox itself eats up some of it, such that you only have ~4 GByte for each of two VM instances. Sharing memory by ballooning does not work too well with FreeBSD/OpnSense either.

So you may be able to have a NextCloud instance besides your OpnSense, but do not expect anything more.

108
Hardware and Performance / Re: Hyper-V OpnSense drops traffic
« on: November 16, 2024, 06:44:16 pm »
Did you have that running as bare-metal installation before and it worked?

While such problems CAN be attributed to virtualisation, they do not HAVE to. You should try to chase the problem down to a single source.

IPTV is a beast because it sometimes is done via multicast, which brings its own problems. You could probably check whether you experience multicast problems by watching time-shifted shows - those are usually transmitted using unicast only, whereas live TV can use multicast to save traffic.

109
German - Deutsch / Re: Neue Hardware wird benötigt
« on: November 16, 2024, 02:43:09 pm »
Quote from: nodea on November 16, 2024, 11:45:03 am
https://parkroyk.blogspot.com/2024/07/surprising-openvpn-and-wireguard-result.html

Be careful with comparisons between pfSense and OpnSense - that is sometimes not the same thing.

Quote from: nodea on November 16, 2024, 11:45:03 am
https://parkroyk.blogspot.com/2024/07/surprising-openvpn-and-wireguard-result.html
Do you happen to know whether there is anything besides TDP to watch out for in the BIOS settings of the N100?
Do you have a reference value for TDP for me?

No and no.

The N100 has an official power limit of 6 watts, which the manufacturer can turn up to as much as 35 watts - if the cooling suffices. In the passively cooled boxes it does not. There are two power limits (one short-term and one for longer periods), but my experience is that even the short one cannot be turned up to values > 20 watts if the box is only passively cooled.

I always set both to the same value, test, and see whether the CPU temperature under full load with stress-ng still stays at reasonable values (< 70°C). It never gets really dangerous anyway, because in case of doubt thermal throttling kicks in, but then you no longer want to touch the case.

Once I have found the long-term limit (which also depends on the heat dissipation capacity of the case, among other things, where the HUNSN R39 is quite decent), I may set the short-term limit a bit higher.

But pushing higher gains you very little. At 25 watts instead of 6 watts, performance is perhaps 15% faster.

110
German - Deutsch / Re: Neue Hardware wird benötigt
« on: November 16, 2024, 10:37:10 am »
The fastest CPU is clearly in the RJ39; I use that one. You have to tweak the TDP a bit, otherwise it gets too warm, but apart from that it is fine. The others have CPUs that are too weak, in my opinion. For VPN traffic even the N100 is still rather weak if you have a gigabit connection.

There are also N100 models with 5 or 6 ports, if you need that.

111
24.7 Production Series / Re: zfs bootcode upgrade "not enough space"
« on: November 16, 2024, 10:29:35 am »
Probably an old installation. Mine shows:

# gpart show
=>       40  500118112  nda0  GPT  (238G)
         40     532480     1  efi  (260M)
     532520       1024     2  freebsd-boot  (512K)
     533544        984        - free -  (492K)
     534528   16777216     3  freebsd-swap  (8.0G)
   17311744  482805760     4  freebsd-zfs  (230G)
  500117504        648        - free -  (324K)

So the order of partitions has changed; also, the boot partition is larger and has a gap after it.

You could do a fresh install and restore your configuration to fix it. I think that because of the newer ZFS, all new features should be enabled from the start, then.

112
Development and Code Review / Re: Attack Surface Reduction - lighttpd as non-root
« on: November 15, 2024, 12:28:04 am »
That would not help much, because most of the operations that the web UI does need higher privileges.

So, in order to do that, you would need to identify all the spots where this is necessary and allow the lighttpd user to sudo the commands (which is tedious work), and even then there is a bunch of operations that could be exploited just because they actually will be executed as root.

The logical approach is to only allow access to your web UI from trusted sources - i.e. interfaces, networks or specific IPs. If you want to access the web UI from outside, use a VPN.

113
General Discussion / Re: Too stupid for one nic setup (Omada)
« on: November 13, 2024, 10:39:22 pm »
What configuration does your ISP need? DHCP? VLAN? If the latter, you would either need QinQ or leave Port 1 untagged - that is, if your ISP wants DHCP over VLAN 100.

Some providers also lock in the MAC of their own router...

114
24.7 Production Series / Re: Update ACME DNS-01 TXT using (eg.) curl possible?
« on: November 11, 2024, 04:45:04 pm »
If you want to keep that registrar, and if you are able to create arbitrary DNS entries, you could use DNS alias delegation to another domain on a FreeDNS provider for _acme-challenge.yourdomain.com.

Your registrar should put up a script and see that it gets included in ACME.sh. When the new version gets included in OpnSense, it can be used natively.

What registrar is that?
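The two DNS constraints in the posts above (post 106: a CNAME owner may carry no other record, so the apex with its SOA/MX/TXT can never be a CNAME; post 114: delegating _acme-challenge.yourdomain.com by CNAME into another zone) as an added Python example, not code from the forum or from OPNsense. The zone data, domain names and TXT value are constructed samples.

```python
# Added example: minimal zone checker for the RFC 2181 section 10.1 rule
# plus a CNAME-chain resolver for the ACME DNS alias delegation pattern.
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]   # owner name -> [(rtype, rdata), ...]


def check_zone(zone: Zone, apex: str) -> List[str]:
    """Return violations of RFC 2181 s10.1: a name that has a CNAME may have
    no other records, so the apex (always carrying SOA/NS) cannot be a CNAME."""
    problems = []
    for owner, rrs in zone.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
        if owner == apex and "CNAME" in types:
            problems.append(f"{owner}: apex cannot be a CNAME")
    return problems


def resolve_txt(zones: List[Zone], name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs across zones (the alias delegation an ACME client relies
    on) and return the TXT values found at the end of the chain."""
    for _ in range(max_hops):
        rrs = next((z[name] for z in zones if name in z), [])
        targets = [d for t, d in rrs if t == "CNAME"]
        if not targets:
            return [d for t, d in rrs if t == "TXT"]
        name = targets[0]
    raise RuntimeError("CNAME loop or chain too long")


# Constructed sample zones (no real domains or tokens).
REGISTRAR_ZONE: Zone = {
    "example.com.": [("SOA", "ns1.example.com. hostmaster.example.com. 1"),
                     ("MX", "10 mail.example.com."), ("A", "192.0.2.10")],
    "dyn.example.com.": [("A", "192.0.2.20")],
    # the delegation: challenge name aliased into a zone the ACME client can update
    "_acme-challenge.example.com.": [("CNAME", "example.com.acme.freedns-provider.example.")],
}
FREEDNS_ZONE: Zone = {
    "example.com.acme.freedns-provider.example.": [("TXT", "constructed-challenge-token")],
}
BAD_ZONE: Zone = {   # what post 106 warns against: the domain itself as a CNAME
    "example.com.": [("SOA", "ns1.example.com. hostmaster.example.com. 1"),
                     ("CNAME", "dyn.example.com.")],
}
```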

115
24.7 Production Series / Re: Few Rookie Questions
« on: November 11, 2024, 10:21:02 am »
Quote from: ohioyj on November 10, 2024, 12:57:57 pm
1. Login to the actual device? I disabled the root account, and made a new account for login to the GUI. Now I seem to have no available logins to the actual device itself. I disabled the root account originally, as an extra layer of security. However perhaps now looking at my new user account, it doesn't have the same exact permissions as root. I can do everything from the GUI, I just can't seem to log into the shell at the device itself. Should I care?

There are two ways that someone could get account privileges:

1. By logging in via standard mechanisms (Password or SSH private key)
2. By circumventing the login via some security hole in an application or in the kernel.

By using 2FA you would raise the bar to a very high level for #1. The second problem cannot be solved by disabling legitimate access for any user. Ergo: Your approach is unsuited and only leads to additional inconvenience.

Quote from: ohioyj on November 10, 2024, 12:57:57 pm
2. The devices I use do actually get frequent BIOS updates. Do I still need the os-cpu-microcode-intel / Intel microcode updates Plugin?

It won't hurt, either, and if your manufacturer ceases to support your device in the future (which he will), you will still be safe.

Quote from: ohioyj on November 10, 2024, 12:57:57 pm
3. I've been messing with one of my opnsense boxes recently, and so that's been leading me to swap in my backup. This got me to thinking: is there a "HA" type setup for the opnsense box that I can set up? Rather than swapping the boxes physically, if one went down, the other would take over?

Yes. See documentation. If you are on fiber, you could even use two redundant ONTs on the same fiber.

Quote from: ohioyj on November 10, 2024, 12:57:57 pm
4. From reading, it appears usually only inbound stuff is blocked. When I did all my rules, I blocked stuff in both directions. For example
  • Block INCOMING Traffic from IOT_VLAN to KID_VLAN
  • Block OUTGOING Traffic from IOT_VLAN to KID_VLAN
I figured I didn't want any traffic going in either direction between these networks. Did I do something wrong?

No, but you do not have to do that unless you have some other rules allowing traffic to the internet, which typically is VLAN to "any". This is the only place where I use outgoing rules of the type "Block Outgoing from <INSECURE_VLAN> to <SECURE_VLAN>" at all. You do not need blocking rules otherwise, because there is a default BLOCK rule after any other rule.

More often than not, you will need access from LAN to IoT, but not vice-versa, for example if you have web-administrable IoT devices you want to access from your LAN.

116
24.7 Production Series / Re: [AUSTRALIA]Opnsense on N100 - Optus NBN
« on: November 11, 2024, 10:03:11 am »
Quote from: Synice on November 11, 2024, 09:29:04 am
crashed again, but my N100 is DDR5 so if you say Samsung/ SKYHNIX ?

That time, there was a crash accessing the NVME, which seems to be a Seagate Firecuda 510, of which there are reports of unreliability when you search for it. You can check if the drive has a problem with "smartctl -a /dev/nvme0".

117
24.7 Production Series / Re: How to set static IPV6 mapping for LAN interface
« on: November 10, 2024, 02:12:16 am »
True if the OpnSense itself is the DNS server. If another server, like pihole or something of that sort, is to be announced, you can either use its IPv4 address or you could resort to ULA addresses on top of the routeable GUAs.

118
German - Deutsch / Re: Magenta TV im Guest VLAN offline wegen DNS
« on: November 09, 2024, 03:18:00 pm »
If the box only fetches the entry via DoT and otherwise refuses service, obviously not. But why would you block that, when for security reasons you have already moved the Magenta box into an "insecure" network anyway?

That is the whole purpose of network segmentation: lock untrustworthy devices into a network that has internet access but no access to your important networks. It is simply a given fact that there are devices that need internet access but that you do not trust. Either you do without such devices entirely or you lock them out. The inadequate attempt to control them fails at the latest when they open encrypted connections to the outside, as in this case.

119
24.7 Production Series / Re: After Upgrade to 24.7.8 - faild to boot from zfs
« on: November 08, 2024, 11:22:15 pm »
Then it is not the new kernel.

120
24.7 Production Series / Re: After Upgrade to 24.7.8 - faild to boot from zfs
« on: November 08, 2024, 10:25:56 pm »
The new kernel has some new Intel drivers in it. So if it really is the kernel (which you could try by locking the kernel to the 24.7.7 one), I would guess that your specific boot disk driver is no longer working.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved