
Topics - defaultuserfoo

1
24.7 Production Series / unable to delete alias
« on: November 21, 2024, 06:40:33 am »
Hi,

how do I get rid of an unused firewall alias that appears as still being referenced and can not be deleted?

When I try to delete it, I'm getting an info that a rule is still using it, but I deleted the rule and then deleted the whole interface the rule was used with.  There is no way that this alias should still be used in any way.

So far, I was only able to disable the alias.  It's for a host and contains an IPv4 address.

2
24.7 Production Series / KEA: how to specify DNS server(s) per subnet?
« on: October 11, 2024, 01:49:25 am »
Hi,

how can I specify different DNS server(s) per subnet when using KEA?

3
Virtual private networks / wireguard floating rules interface not present
« on: May 28, 2024, 12:42:22 am »
Hi,

I have set up a wireguard peer and assigned an interface to the connection.  Now I want to create a floating firewall rule to allow the remote peer on the wireguard interface to access hosts on a local subnet.  In this case, the peer is a single host.

But OPNsense doesn't allow me to pick the wireguard interface but only the wireguard group for creating floating rules :(

Since there will be some site-to-site connections as well that will also be hidden in the wireguard group, I can't use the wireguard group in the floating rules.  I need the particular interfaces that are hiding in the wireguard group.  The rules for all the wireguard connections will be different.

How do I get the wireguard interface usable to create floating firewall rules?

4
24.1 Legacy Series / BIND is resolving to IPv6 instead of IPv4
« on: May 25, 2024, 08:23:31 pm »
Hi,

using the BIND plugin, it turns out that when asterisk running on my server requests an IP address of the server of the VOIP provider, OPNsense responds with IPv6 addresses instead of IPv4 addresses.

Running BIND on the server where asterisk is running, asterisk gets IPv4 addresses.

Since the transports asterisk uses must be bound to the IPv4 address of the server because I can't get a static IPv6 prefix, the server of the VOIP provider becomes unreachable.

Shouldn't BIND on OPNsense resolve to IPv4 addresses when they are requested like BIND on the server does?  This seems like a bug.

How can I fix that other than to keep using the name server running on the server?

5
24.1 Legacy Series / kea and ipv6?
« on: May 24, 2024, 09:05:58 pm »
Hi,

are we supposed to still use DHCPv6 instead of kea for IPv6, or is there a way to have kea serve IPv6 as well?

If there is, what's the way?

6
General Discussion / use alias to specify DNS server
« on: May 22, 2024, 10:26:50 pm »
I need to use an alias to specify a name server address for clients on a VLAN.

The address of the name server is an IPv6 address on another VLAN.  It's assigned to the server through DHCPv6.  I have created an alias for the server as a dynamic IPv6 host because the IPv6 prefix may change at any time.  So the only way to somehow specify the address of the DNS server seems to be using the alias.

Unfortunately, in the DHCPv6 configuration of the interface the client is connected to, the web interface won't let me use the alias to specify a name server but says "A valid IPv6 address must be specified for the primary/secondary DNS servers."

So how am I supposed to specify a valid IPv6 address for DNS server?


I've given the DNS server also the address fd53::11/16 on one of its interfaces.  I could use that as address for the DNS server for the clients, but opnsense does not have an interface in that network.  Since the interface for the VLAN the clients are in is tracking the WAN interface to get IPv6 addresses, there doesn't seem to be any way to put an additional IPv6 address on that interface, and the DNS server remains unreachable.

How can I give interfaces that are tracking the WAN interface for IPv6 addresses additional addresses?

I guess I could add another VLAN and give opnsense another interface to make the DNS server reachable, but that seems like a rather convoluted solution and overkill for a problem that should be easy to solve.

7
General Discussion / How do I know which IPv6 prefix length has been assigned by the provider?
« on: May 21, 2024, 10:01:41 pm »
How do I know which IPv6 prefix length has been assigned by the provider?

8
23.7 Legacy Series / bind (plugin): specify slave zones?
« on: October 02, 2023, 09:37:03 pm »
Hi,

how can I specify slave zones?  The bind plugin doesn't seem to have options for that.  I wouldn't mind editing some configuration files directly, but I wouldn't want such changes automatically overwritten.

PS: Is that what the secondary zones are for?  I haven't heard that term before.

9
23.1 Legacy Series / How can I use an alias made for a dynamic ipv6 host to specify the name server i
« on: May 25, 2023, 09:30:25 pm »

How can I use an alias made for a dynamic ipv6 host to specify the name server in the DHCPv6 server settings?

Or is there another good solution for specifying the DNS server for ipv6 when you don't get static ipv6 addresses for it?

10
22.7 Legacy Series / critical: failed to initialize guest agent channel
« on: December 15, 2022, 05:13:20 pm »
Hi,

what do I need to get the qemu guest agent to work?  It seems like this should be working fine now, yet it doesn't.

11
22.7 Legacy Series / additional uses?
« on: November 30, 2022, 11:56:29 am »
Hi,

would it be feasible and reasonable to give the router additional use as a file server?

It's a waste of hardware and power to run OPNsense directly on the hardware when the only thing it does is routing, firewalling and handling VPN connections.

12
22.7 Legacy Series / default traffic distribution
« on: November 06, 2022, 07:26:18 am »
Hi,

is there some kind of default traffic distribution in place that works to the effect that when, for example, two clients on the LAN are downloading something over the WAN connection, each client receives an even share of the incoming bandwidth?  If so, how does that even work when OPNsense has no information about the maximum bandwidth of the WAN connection?

I'm asking because some ppl are saying that routers do that kind of traffic shaping, and I have difficulties believing that, at least when the router doesn't know what the maximum bandwidth is it can distribute between its clients.

13
22.7 Legacy Series / fw-rule processing seems to continue despite first match happened
« on: October 21, 2022, 06:08:33 pm »
Please take a look at these screenshots of rules and the resulting log file.  The rule allowing traffic to port 5061 is definitely set to "Apply the action immediately on match.".

Why is it being logged that the traffic was blocked by the rule at the bottom of the list of rules?  Is this a bug or did I configure something wrong?

(I'm guessing that traffic is only sometimes being logged as passed because there's a state established.)

So far, it seems that the traffic is not being blocked because the SIP client does work.

14
22.1 Legacy Series / easy way to add crontab entry sending output by email?
« on: June 28, 2022, 10:19:49 am »
Hi,

is there an easy way to add a crontab entry and have the output of the command(s) sent to some email address?  If there is, how do I add one?

15
22.1 Legacy Series / use watchdog
« on: June 19, 2022, 01:06:47 am »
Hi,

on hardware that has a hardware watchdog, do I need to do anything other than to enable the watchdog in the BIOS?
