Messages - crissi

106
Tutorials and FAQs / Re: HOWTO - Redirect all DNS Requests to Opnsense
« on: November 25, 2021, 09:01:51 am »
same issue for me as well...

107
General Discussion / Full Backup / Clone SSD possible, how?
« on: November 24, 2021, 12:46:21 pm »
Hello,
As I have to add a lot of customization, like for Unbound, NTOpng / GeoMaps and DNSCrypt
Proxy, I was wondering if I can clone the whole SSD to another SSD (cold standby)
in case a power outage happens, or the system completely crashes, etc.

Thx!

108
Hardware and Performance / Re: LAGG Switch 16 Port for Opnsense
« on: November 19, 2021, 08:38:38 pm »
Thank You for your Help

109
Hardware and Performance / Re: LAGG Switch 16 Port for Opnsense
« on: November 19, 2021, 07:14:26 pm »
I would have 6-8 clients accessing the servers in parallel, so would LACP not be the right way to go?

I will check how to disable L4 on FreeBSD, thx

110
Hardware and Performance / Re: LAGG Switch 16 Port for Opnsense
« on: November 19, 2021, 05:02:31 pm »
Thanks for your reply. I'm planning to migrate my file servers to Ubuntu, and would then use NIC bonding, to have a bit more throughput, hopefully. As I have several VLANs on my LAN interface, would it make sense to expand the LAG from 2 to 4 interfaces, to balance all the traffic better?

Do the hash layer values like L2 / L3 depend on whether the switch is in Layer 2 or Layer 3 routing mode?

Regarding the option to mark Fast Timeout, would I have to mark this if I change the LACP timeout on the switch from Long to Short?


111
Hardware and Performance / Re: LAGG Switch 16 Port for Opnsense
« on: November 19, 2021, 11:50:26 am »
Hello,

I have now got my Cisco switch, and managed to get the LAG setup running.

lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=900028<VLAN_MTU,JUMBO_MTU,NETMAP>
   ether 00:e7:68:29:3b:fc
   inet6 fe90::2e0:68ff:fe29:3bfc%lagg0 prefixlen 64 scopeid 0xb
   inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
   laggproto lacp lagghash l2,l3,l4
   laggport: igb4 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
   laggport: igb5 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
   groups: lagg
   media: Ethernet autoselect
   status: active
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

At the moment I have the attached settings in OPNsense Interfaces - Other Types - LAGG

Can you please give me some advice on whether I should change some settings here? Or whether I need to change some tunables in OPNsense, to get the best performance between the switch and OPNsense LACP?

Thx!

112
21.7 Legacy Series / Re: DNSCrypt Proxy with 21.7.1 question / Issue
« on: November 17, 2021, 09:23:09 pm »
@gpb Thanks so much for the detailed information, upgraded now to 211, all working as advertised ;D

Over the next days I will test the new features and see how it goes :)

@pugs Thank you too for the hint with the service template


113
21.7 Legacy Series / Re: DNSCrypt Proxy with 21.7.1 question / Issue
« on: November 17, 2021, 10:39:17 am »
I have now adapted the example .toml in the downloaded package. Just to be really sure: it's just the .toml file structure that I have to adapt, and I do not have to copy the binary file itself in the downloaded package (dnscrypt-proxy) over to OPNsense???

Thank You!

114
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 17, 2021, 09:10:37 am »
With this scenario it would also not be possible to set the Root CA offline.

Thank You for your Help

115
21.7 Legacy Series / Re: DNSCrypt Proxy with 21.7.1 question / Issue
« on: November 16, 2021, 05:02:02 pm »
Indeed, I can also confirm the latency results on opnsense are much better…
Thanks for sharing the workaround, this would be perfect if I could get this to work for further testing, without scrambling my opnsense..;D

I have some comprehension questions regarding your previous information

Quote
Also, I copied the 2.1.1 executable over the current opnsense package version.

Where exactly did you copy / extract the package content https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-freebsd_amd64-2.1.1.tar.gz in OPNsense?

Quote
It required some manual updates to the toml config file because of changes made in 2.1.1

I compared my Raspi .toml file with the example https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml , unfortunately I can't find the difference regarding the brackets, can you please point me in the right direction?

Thanks a Lot!

116
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 16, 2021, 10:35:47 am »
Thank you, I have now exported the user certificate with the private key in PKCS #12 (.p12) format as you mentioned and imported it to Current User – Personal certificates, and yes, now I'm able to select the user certificate when connecting to the WiFi..

But the connection is still not possible, and results in these errors in the log:

2021-11-16T08:40:09       Auth: (13) Login incorrect (eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate): [testuser/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)   
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) Server : Error in error   
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA   
2021-11-16T08:40:09       ERROR: (13) eap_tls: ERROR: (TLS) OpenSSL says error 2 : unable to get issuer certificate   
2021-11-16T08:40:00       Auth: (6) Login incorrect (eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate): [testuser/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)   
2021-11-16T08:40:00       ERROR: (6) eap_tls: ERROR: (TLS) Server : Error in error   
2021-11-16T08:40:00       ERROR: (6) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA   
2021-11-16T08:40:00       ERROR: (6) eap_tls: ERROR: (TLS) OpenSSL says error 2 : unable to get issuer certificate

Then I went back to the FreeRadius – EAP settings and, for testing, changed the root certificate from radius-intermediate-ca to radius-ca, and tried again to connect, and the connection was established directly.


2021-11-16T08:43:33       Auth: (7) Login OK: [testuser] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)

Switched back to the radius-intermediate-ca and the connection stopped working..

As you mentioned previously, the Intermediate CA should be the one issuing certificates to the clients, so why is the connection not working with the radius-intermediate-ca, but with the radius-ca?

PS: macOS can also establish the connection via EAP-TLS, with radius-ca selected

117
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 15, 2021, 02:34:30 pm »
Thanks, I did not have the certificates correctly placed in the specific stores, so I have placed them in the recommended stores now.

When I try to connect to the WiFi network I get asked to select a certificate, but the user (client) certificate is not available to select in the selection (even with the corrected stores now). Restarted the client PC several times, and configured the connection several times from scratch..




118
General Discussion / DNSBL Filtering when using DNSCrypt Proxy together with Unbound
« on: November 14, 2021, 12:48:35 pm »
Hello,

As I use Unbound with the DNSCrypt Proxy plugin, and have the option for DNSBL in both, I'm trying to understand if I should configure DNSBL in both, or just Unbound, or just DNSCrypt Proxy?

What would be the correct way to do this?

Thx!


119
21.7 Legacy Series / Re: DNSCrypt Proxy with 21.7.1 question / Issue
« on: November 14, 2021, 12:37:15 pm »
Hi @gpb,

Thanks for the information and the workaround! I have DNSCrypt Proxy installed on my Pi, works great, but I would like to permanently move this task to OPNsense. Yes, the restore with a backup of the .toml and a restart of the service works, but IMHO there should be a more permanent solution without tampering with the files.. and if information is changed, it should survive a reboot of the firewall..

@mimugmail when could the changes be implemented in the DNSCrypt Proxy plugin?

Thx!

120
General Discussion / Re: FreeRadius EAP Settings Root and Server Certificate
« on: November 14, 2021, 12:21:26 pm »
Creating a new WiFi profile on Mac and choosing WPA2 Enterprise, I need to add user / password; I do not have the option there to somehow choose certificate TLS.

Tried now also with a Windows 10 client to set this up: created a certificate for the Windows client, exported all 4 certificates, and imported and trusted the certs (local computer). Then used this guide to configure the WiFi connection:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/905663/configuring-windows-10-wireless-profile-to-use-certificate

Trying to connect results in the error that a certificate is needed

Checking the log in OPNsense gives me some errors:

2021-11-14T10:51:46       Auth: (6) Login incorrect (eap_tls: (TLS) OpenSSL says error 20 : unable to get local issuer certificate): [host/admin/<via Auth-Type = eap>] (from client WIFI_AP port 0 cli C4-XX-XX-XX-XX-XX)   
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) Server : Error in error   
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA   
2021-11-14T10:51:46       ERROR: (6) eap_tls: ERROR: (TLS) OpenSSL says error 20 : unable to get local issuer certificate   
2021-11-14T10:35:48       Info: Ready to process requests   
2021-11-14T10:35:48       Info: Loaded virtual server check-eap-tls   
2021-11-14T10:35:48       Info: Loaded virtual server default   
2021-11-14T10:35:48       Info: Loaded virtual server inner-tunnel   
2021-11-14T10:35:48       Info: # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:330


Also updated OPNsense now to 21.7.5 and freeradius to 1.9.17


Really don't know what I'm doing wrong here to get this working...

Thx!

 
