Messages - meyergru

Pages: 1 ... 110 111 [112] 113 114 ... 118
1666
Hardware and Performance / Reboots without attached monitor
« on: May 10, 2022, 05:32:39 pm »
Wow. You won't believe this - I at least would not, had I not seen it myself.

I moved a Topton N5105-based system (I wrote about this https://forum.opnsense.org/index.php?topic=27938) from my office to the would-be location, only to find out that the unit resets itself every 5 minutes. This behaviour is consistent and reproducible.

Since it worked without a hitch at the office, I wondered what causes this and to my great surprise, the reason is that I attached no monitor at the new location. This was really hard to find out with no log entries whatsoever and whenever I looked at the console (attaching a monitor), nothing happened.

The HDMI cable has to be plugged into a display that is turned on for the problem not to occur. When I turn the display off, the problem is as without any display. From the looks of it, I would assume that just when the screen should go blank (i.e. after 5 minutes), the system just reboots when no active display is attached, like "duh, I cannot blank a non-existent display".

I know this does not happen on similar X64-based systems I have, so there must be a BIOS bug (it has an EFI firmware) or an incompatibility to OpnSense/FreeBSD.

I already tried to set the console to "Mute console", "None", disabled the VT driver to no avail. I know that there are images for serial-only installation, I wonder if that helps?

Is there an easy way to have the system act as if it was installed from the "serial" image, thereby disabling any video drivers that may be active and try to blank the display? Or can I disable blanking, maybe with some tuneable?

1667
German - Deutsch / Re: Routing an APIPA address
« on: May 10, 2022, 02:53:07 pm »
"Not routed" means that the address is only visible within the local network segment. It is visible from another address in the same network segment, i.e. from the OPNsense itself. That means: either NAT, or you use Squid on the OPNsense as a web proxy, in which case the access technically originates from the OPNsense.

1668
General Discussion / Re: VLAN and untagged on same interface?
« on: May 10, 2022, 12:07:12 pm »
Usually, all VLANs share the MAC address of the physical device, so if you leave the MAC unset, all should work fine by itself.

I had problems with assigned MACs on some occasions. In FreeBSD, there is a difference between hwaddr and ether. When you change the ether address, other network devices have to learn that for ARP, so there can be short outages. Also, there may be problems when you set the MAC during runtime for some specific NIC hardware.

1669
22.1 Legacy Series / Re: Strange behavior - facebook.com TCP packets dropped by default deny rule
« on: May 06, 2022, 03:40:41 pm »
I sometimes see packets originating from port 443 getting rejected in my firewall, e.g. from some Microsoft servers. Those are most often packets that are rejected for the invalid tcp state (e.g. "PA").
I just tried facebook and see the same kind of log entries, while the connection itself does work.

I suspect that effect being attributable to some kind of late TCP FIN packets (https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html) for web servers trying to reuse connections with HTTP, or maybe even artifacts of QUIC (https://engineering.fb.com/2020/10/21/networking-traffic/how-facebook-is-bringing-quic-to-billions/).

1670
22.1 Legacy Series / Re: Users Client Certificates and OTP seeds
« on: May 06, 2022, 01:28:04 pm »
Download the configuration XML and process it for user/otpseed and user/authorizedkeys path sub expressions.

You can do that with XSLT and something like this:

Code:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Emits one CSV line per user: "name","authorizedkeys","otp_seed" -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <!-- text output, so no XML declaration is prepended to the CSV -->
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="opnsense/system/user">"<xsl:value-of select="name"/>","<xsl:value-of select="authorizedkeys"/>","<xsl:value-of select="otp_seed"/>"<xsl:text>&#10;</xsl:text></xsl:for-each>
  </xsl:template>
</xsl:stylesheet>

Try it here: https://www.freeformatter.com/xsl-transformer.html, but be warned about exposing any real data to an arbitrary website...
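The same extraction done locally, so the config never has to leave the box. This is an added example and not code from the post or from OPNsense itself; it assumes the `opnsense/system/user` layout with `name`, `authorizedkeys` and `otp_seed` children shown in the stylesheet, and that `authorizedkeys` is stored base64-encoded (as it is in OPNsense configs; the decode is optional and falls back to the raw value). The sample config is constructed for the example, and the CSV writer quotes fields properly, which matters if a key comment contains a comma.

```python
import base64
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml with two users, one without OTP/SSH data.
# The key text is a placeholder, not a real public key.
_KEY_TEXT = "ssh-ed25519 AAAAEXAMPLEKEY alice@laptop, office"
SAMPLE_CONFIG = f"""<?xml version="1.0"?>
<opnsense>
  <system>
    <user>
      <name>alice</name>
      <authorizedkeys>{base64.b64encode(_KEY_TEXT.encode()).decode()}</authorizedkeys>
      <otp_seed>JBSWY3DPEHPK3PXP</otp_seed>
    </user>
    <user>
      <name>bob</name>
      <authorizedkeys/>
      <otp_seed/>
    </user>
  </system>
</opnsense>
"""


def extract_users(config_xml: str, decode_keys: bool = True) -> list:
    """Return one dict per <user> with name, authorizedkeys, otp_seed and an OTP flag."""
    root = ET.fromstring(config_xml)
    rows = []
    for user in root.findall("./system/user"):  # same path as the XSLT's for-each
        name = (user.findtext("name") or "").strip()
        keys = (user.findtext("authorizedkeys") or "").strip()
        seed = (user.findtext("otp_seed") or "").strip()
        if decode_keys and keys:
            try:
                # assumption: OPNsense stores the field base64-encoded
                keys = base64.b64decode(keys, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                pass  # not base64 after all: keep the raw value
        rows.append({"name": name, "authorizedkeys": keys,
                     "otp_seed": seed, "has_otp": bool(seed)})
    return rows


def to_csv(rows: list) -> str:
    """Quoted CSV in the same column order the stylesheet produces."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "authorizedkeys", "otp_seed"],
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: row[k] for k in writer.fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: ET.parse("/conf/config.xml") instead of the constructed sample.
    print(to_csv(extract_users(SAMPLE_CONFIG)))
```

The `has_otp` flag is a cheap audit column: a quick way to list which accounts have no second factor configured.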

1671
German - Deutsch / Re: IPv6 with German providers - a sorry state of affairs
« on: May 06, 2022, 01:21:44 pm »
That really depends a lot on the provider. For example, purely technically I never had problems with T-Online or M-Net, but I did with Deutsche Glasfaser (the relevant forums are full of complaints). Specifically, the IPv6 connection is extremely unreliable and has a failure rate of about 1%, very irregularly.

A typical picture is attached; over the same period IPv4 was completely stable. And yes, I am aware that pings are given low priority and are therefore not really suitable as a metric, and that the other end could also be at fault, etc., etc., but I can assure you that the problem lies within DG's network, which is all the more annoying because IPv6 is the only way to expose services despite CGNAT.


What all German providers have in common with IPv6, though, is the issue of "dynamic prefix assignment". There is also no desire on the part of the ISPs to change that, because fixed assignments are a distinguishing feature of business connections, which promise more revenue.

1672
German - Deutsch / Re: Hardware tokens for 2FA (two-factor authentication)
« on: May 06, 2022, 01:12:05 pm »
Google Authenticator is only one option for authentication via TOTP (RFC 4226); there are a number of other software solutions:

https://www.kaspersky.de/blog/best-authenticator-apps-2022/27947/

And of course there are hardware solutions for this too, e.g. from Reiner SCT, Token2, Protectimus and others; just search for "TOTP hardware". Setup works exactly as with the app if the device has a camera; in itself, the seed is just a string that could also be entered another way.
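Why the seed is "just a string": every app or hardware token computes the same code from the same seed and the same clock. The following is an added example, not code from the post, and is written against the published RFC 6238 reference secret (the ASCII string 12345678901234567890, base32-encoded the way a QR code would carry it), so its codes can be checked against the RFC's test table. The `window` handling in `verify_totp` is an assumption about how a server tolerates clock drift, not an OPNsense setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed for the example: the RFC 6238 reference secret, base32-encoded.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Turn the base32 string from a QR code or manual entry into raw key bytes."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 wants a length that is a multiple of 8
    return base64.b32decode(cleaned)


def totp(seed_b32: str, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time counter."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    mac = hmac.new(decode_seed(seed_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed_b32: str, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps.

    Comparison is constant-time so a verifier does not leak partial matches.
    """
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Matches the RFC 6238 table: at T=59 the 8-digit SHA1 code is 94287082.
    print(totp(RFC6238_SEED_B32, 59, digits=8))
```

Entering the seed on a hardware token without a camera means typing this base32 string; the token then produces the same digits as the app, because there is nothing else to the secret.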


1673
22.1 Legacy Series / Re: incorrect MTU upon WAN(pppoe) interface reload from INTERFACES: OVERVIEW
« on: May 05, 2022, 08:30:34 pm »
As I expected. Ethernet MTU is 1500 or 1460 bytes and PPP takes another 8 bytes, so the calculated MTU of 1452 seems about right.

Same thing here, except that my physical ethernet interface can do >=1500 bytes minus PPP, so my calculated value is 1492.

1674
22.1 Legacy Series / Re: incorrect MTU upon WAN(pppoe) interface reload from INTERFACES: OVERVIEW
« on: May 05, 2022, 08:08:56 pm »
I just tried it, and any MTU larger than what the physical interface can accommodate is overruled.

Your hardware probably has an MTU of 1460 and there is a VLAN or PPPoE around it (or a VPN tunnel).

1675
General Discussion / Re: Update! Switched to 1 gig fiber and now it looks like i am double nat. Help!
« on: May 05, 2022, 01:38:48 pm »
Quote from: Flamez on May 03, 2022, 02:28:50 am
My fiber ONT is a 10-gig model # 621 XGS-PON ONT.  It has a 10 Gbps ethernet port.

To benefit from the additional speed, I would need to upgrade my current USW-24-G1 switch and add 10-gig card to my OPNsense box and any additional computers in my house.

Any suggestions on what equipment to purchase?   What about 2.5 gig cards?  How about only adding the 10-gig card to my OPNsense box, NAS and one computer.

I am looking for any suggestions.

First, a few comments:

1. I envy you.
2. 10 GbE over RJ45 has a serious problem: it draws 1 Watt per port or 2 Watts per connection. That is why whenever possible, you should use DAC cables with SFP+, although that can only support 10 GBit/s. Alas, Adtran's 621 does not offer that and it seems to have 10 GbE only with no support for 2.5 or 5 GBit/s.
3. 2.5 GbE technology has much less power draw, is cheaper, is supported by more and more common equipment and can be run over existing CAT.5 cabling (unlike 10 GbE). Been there - done that.

You could go with a Mikrotik CRS309-1G-8S+IN and use SFP+ Modules that can support 1, 2.5, 5 and 10 GBit/s.
Considering your internet plan at 2 GBit/s, I would prefer a Ubiquiti USW-Enterprise-24-PoE for obvious reasons.

However, that does not solve the problem you have with the OpnSense machine itself. That must be capable of connecting at 10 GbE over RJ45 to the Adtran and of transporting it over at (preferably) 10 GbE to the switch.
The machine in question must have a lot of punch to be able to route / firewall at 2 GBit/s and preferably has a small power draw.
You could use a Deciso DEC 7x0 or 8x0 for that, it has to be a machine that offers at least 2 SFP+ ports, one with a DAC cable to the switch and one with an SFP+ module for RJ45 to the Adtran.


1676
General Discussion / Re: Block ICMP to/from interfaces
« on: May 05, 2022, 01:16:13 pm »
There is a default rule that allows anything coming from the LAN that is automatically created on install, did you disable that?

If not, do you have an (automatic or specific) outbound NAT rule for your LAN being too general?

1677
General Discussion / Re: How to remove provider DNS servers from list
« on: May 04, 2022, 09:59:45 pm »
I do not let the system DNS servers be served to local interfaces via DHCP, but instead present only the firewall IP there. And when I uncheck the box, I can see that on my OpnSense, /etc/resolv.conf does contain my ISP's name servers.

The first line is 127.0.0.1, but that is expected for local name resolution. I do not use unbound, however, but dnsmasq.

If you are sure that this is a bug, you can file a bug report on github.

1678
General Discussion / Re: How to remove provider DNS servers from list
« on: May 04, 2022, 09:14:32 pm »
Uncheck System->Settings->General->"Allow DNS server list to be overridden by DHCP/PPP on WAN".

1679
22.1 Legacy Series / Re: [Solved] Clients don't get an IPv6 address
« on: May 04, 2022, 09:09:50 pm »
For example, radvd needs a MAC to assign an EUI-64, because the lower 64 bits are made up based on that.
Since bridges do not have a MAC per default, that assignment cannot be made.
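How the lower 64 bits are derived from the MAC, as an added worked example (not code from the post or from radvd): the modified EUI-64 procedure from RFC 4291 Appendix A flips the universal/local bit of the first octet and splices ff:fe into the middle, and the interface identifier is then OR-ed into a /64 prefix. The bridge case from the post shows up as the `None` MAC, which the code refuses. The reverse function shows why EUI-64 addresses are a privacy concern (the MAC is recoverable from the address), which is the reason privacy extensions exist. The MAC and prefix are constructed values.

```python
import ipaddress
import re
from typing import Optional


def mac_to_eui64_iid(mac: Optional[str]) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    if not mac:
        # a bridge interface without a MAC: exactly the case from the post
        raise ValueError("interface has no MAC address, cannot derive an EUI-64")
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # flip the universal/local bit (0x02 of the first octet) and insert ff:fe
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: Optional[str]) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 IID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if the IID is not EUI-64."""
    raw = ipaddress.IPv6Address(addr).packed[8:]
    if raw[3:5] != b"\xff\xfe":
        return None
    octets = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # constructed values: documentation prefix and a made-up MAC
    addr = eui64_address("2001:db8::/64", "00:11:22:33:44:55")
    print(addr, "<-", mac_from_eui64(str(addr)))
```

Giving the bridge a MAC (which OPNsense can do for the bridge interface) is what makes `mac_to_eui64_iid` succeed and radvd's job possible; the code only makes the dependency explicit.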

1680
German - Deutsch / Re: PPPoE dial-in for 1&1 fiber/FTTH on the Telekom network
« on: May 04, 2022, 01:41:49 pm »
You have partially obscured your access number, but I can see that it starts with "H1un1".
Aren't the 1&1 credentials always "H1und1/<login>@online.de"?


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved