OPNsense Forum

Messages - defaultuserfoo

Pages: 1 ... 9 10 [11] 12 13
151
22.1 Legacy Series / having bad issues ...
« on: May 28, 2022, 02:32:57 pm »

Hi,

while trying to create a somewhat more complicated setup, I have found the following issues:


When trying to create a second WLAN interface with pppoe, it is not possible to assign an interface to the pppoe connection unless that connection is up.  The only way to bring the connection up is to disable and to re-enable the interface the connection is assigned to.  That requires you to log in via ssh and to figure out how to bring up the pppoe connection manually.  Is it supposed to be that way?


I'm trying to isolate some networks by using an interface group as described here: https://forum.opnsense.org/index.php?topic=28447.msg138309#msg138309

This does work in theory, but opnsense can't seem to figure out which rules to apply in which order.  I'm attaching screenshots of the firewall log and some of the rules on the group interface.  When I'm trying to connect to an XRDP server with remmina, I'm getting to the login screen and can't log in.   (ho_management is an alias for 192.168.220.18)

Why does the rule that explicitly allows me to connect not apply?  What is with the non-existing rule?

It seems as if "first match" doesn't apply here.

It gets worse when I change the rules a bit.  I'll make a comment to keep the screenshots sorted.

152
22.1 Legacy Series / Re: Wireguard peer [subnet<->subnet]
« on: May 25, 2022, 12:36:09 pm »
Why don't you put your server behind OPNsense instead?  That's more like it's supposed to be :)

153
22.1 Legacy Series / Re: USB installer boot hangs at pflog0: permanently promiscuous mode enabled
« on: May 25, 2022, 12:30:37 pm »
That doesn't make it any better :P

154
22.1 Legacy Series / Re: Lose WAN connectivity every few days
« on: May 25, 2022, 12:29:47 pm »
Maybe you are using similar hardware?

155
22.1 Legacy Series / Re: USB installer boot hangs at pflog0: permanently promiscuous mode enabled
« on: May 25, 2022, 12:22:01 pm »
Last time I tried that, it didn't make a difference in speed.  USB is no more than a bad crutch anyway, so what does it matter :)

156
22.1 Legacy Series / Re: how to deal with IPv6?
« on: May 25, 2022, 11:46:16 am »
Ah, now I see!  It's basically what I did, only you have a lot more VLANs, and you always explicitly use VLAN30 as source in all the rules (Where else could the packets come from?).

The solution Patrick (pmhausen) came up with that uses an interface group might save you all these rules.  I'll try that in a couple days.

157
22.1 Legacy Series / Re: Wireguard peer [subnet<->subnet]
« on: May 25, 2022, 02:37:29 am »
You may need to add the 192.168.44.0/24 network as allowed in 'Allowed IPs' for the Endpoint at the peer where that network is not (i.e. at the peer which is remote from the peer where that network is).  Otherwise traffic from/to 192.168.44.0/24 will not be allowed to go over the tunnel.  (Don't add it at the wrong peer or it's gonna really suck :)

(It's kinda weird and takes some getting used to, but it kinda makes sense ...)
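The "allowed at the other peer" rule in the post above is WireGuard's cryptokey routing: each side's AllowedIPs is the list of destinations that may be sent into, and sources that may arrive out of, the tunnel. The following is an added example, not from the thread or the OPNsense project: it prints a wg-quick style config for either side of a site-to-site link and checks any AllowedIPs line against the rule. 192.168.44.0/24 is the network from the thread; the second LAN, the tunnel addresses, endpoint name and the key placeholders are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): site-to-site WireGuard
# with the LAN behind each peer listed in AllowedIPs at the *other* peer.
# Keys, endpoint and 192.168.55.0/24 are placeholders; 192.168.44.0/24
# is the network discussed in the thread.
A_LAN=192.168.44.0/24 ; A_TUN=10.99.0.1 ; A_PUB='<peer A public key>'
B_LAN=192.168.55.0/24 ; B_TUN=10.99.0.2 ; B_PUB='<peer B public key>'

# Print the config for side "a" or "b". The [Peer] section names the
# remote tunnel address and the remote LAN, never the local LAN.
wg_site_config() {
    case $1 in
        a) me_tun=$A_TUN; far_lan=$B_LAN; far_tun=$B_TUN; far_pub=$B_PUB
           ep='peer-b.example:51820' ;;
        b) me_tun=$B_TUN; far_lan=$A_LAN; far_tun=$A_TUN; far_pub=$A_PUB
           ep='peer-a.example:51820' ;;
        *) return 1 ;;
    esac
    cat <<EOF
[Interface]
Address = $me_tun/24
ListenPort = 51820
PrivateKey = <this side's private key>

[Peer]
PublicKey = $far_pub
Endpoint = $ep
AllowedIPs = $far_tun/32, $far_lan
PersistentKeepalive = 25
EOF
}

# Check an AllowedIPs value ($1, comma separated) for a peer entry on a
# box whose own LAN is $2 and whose remote LAN is $3: the remote LAN
# must be present, the local LAN must not be (listing your own LAN
# would tell WireGuard to send your own subnet into the tunnel).
allowed_ips_ok() {
    allowed=$(printf '%s' "$1" | tr -d ' ')
    case ",$allowed," in
        *",$3,"*) ;;            # remote LAN present: good
        *) return 1 ;;          # remote LAN missing: traffic is dropped
    esac
    case ",$allowed," in
        *",$2,"*) return 1 ;;   # local LAN present: the "wrong peer" mistake
    esac
    return 0
}
```

Generate site A's file with `wg_site_config a > wg0.conf` (and `b` on the other box), then verify a hand-edited config with `allowed_ips_ok "$(sed -n 's/^AllowedIPs = //p' wg0.conf)" 192.168.44.0/24 192.168.55.0/24`. Firewall rules on the WireGuard interface are still needed on both sides; cryptokey routing only decides what the tunnel will carry.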

158
22.1 Legacy Series / Re: questions about multiple WAN setup
« on: May 25, 2022, 02:30:35 am »
Thank you, that is a good pointer!

Is it possible to use gateway groups in firewall rules instead of gateways?

Is it possible to put the same WAN connection into multiple gateway groups?  I.e. when I have two WAN connections, can I make gateway groups A and B and put both WAN connections into both gateway groups?

(It's a trick to get around the problem that I would have to manually alter firewall rules in case a gateway is down.  The first gateway group would use WAN connection 1 as default and WAN connection 2 as failover; the second gateway group would use WAN connection 2 as default and WAN connection 1 as failover.  Then I could make firewall rules which by default use the WAN connection I want them to use and automatically switch over to the other WAN connection in case the default WAN connection is down.)

In case we can't do that, what's the alternative way?

159
22.1 Legacy Series / Re: (22.1.6) (VM) Unraid becoming unreachable & taking down network.
« on: May 25, 2022, 01:29:33 am »
Never buy Realtek network cards.  Use Intel cards; Broadcom seems ok, too.

160
22.1 Legacy Series / Re: Using alias on WAN to access local wifi bridges sort of works, sort of doesn't
« on: May 25, 2022, 01:23:38 am »
Are you perhaps missing a route entry?

161
22.1 Legacy Series / Re: Lose WAN connectivity every few days
« on: May 25, 2022, 01:12:48 am »
You could test with not using a bridge but a single LAN interface and, if you need the ports, an external switch.  TPLink makes inexpensive switches that work extremely well for things like that.

If the problem goes away, it would seem to be some issue with the bridge.  If it comes back, at least we know that it's probably not due to the bridge and you can try one interface after the other to see if a particular interface is faulty.

It could be a problem with the gateway of your ISP, but when rebooting OPNsense fixes the problem, it seems somewhat unlikely.  You could try with another router ...

Have you tried to unplug the cable that goes to your ISP?  Does that fix the problem instead of rebooting?

162
22.1 Legacy Series / Re: How to disable unbound scrubbing?
« on: May 25, 2022, 12:59:55 am »
Quote from: pmhausen on May 24, 2022, 11:32:09 pm
It's a general feature of consumer routers to filter DNS responses of external servers that point to internal addresses. There are attack techniques that use this.

What would be attacked by that?

Quote
I am not familiar with OPNsense and unbound in this regard, because I am running BIND.

Same here ...  Unbound could be useful, though.  If it would only be configurable such that I can specify which upstream DNS servers to use per interface and/or if I could disable the scrubbing per interface ...  It's kinda nice when the gateway takes care of DNS without clients needing to go any further.  So far, I've never been happy with any such forwarder.

163
22.1 Legacy Series / Re: USB installer boot hangs at pflog0: permanently promiscuous mode enabled
« on: May 24, 2022, 11:39:52 pm »
Quote from: cwegh on May 24, 2022, 08:00:25 pm
Not really, this is a new one. Also tried with another USB stick.

edit: used following command on both USB sticks: sudo dd if=OPNsense-22.1.2-OpenSSL-serial-amd64.img of=/dev/disk2 bs=1M

Please try without the 'bs' option.  I tried that option a long time ago once with Debian or Fedora and it did not work.  Never specify the block size when writing images like that.

dd if=OPNsense-22.1.2-OpenSSL-serial-amd64.img of=/dev/disk2


PS: As to the explanation, what is the "end of the USB stick"?  Somehow it doesn't make sense to me that you should write stuff to the "end" of a medium, like a 32GB USB stick, when writing an ~1.6GB image to it.  Who says that, in other situations, you don't overwrite some data that you don't want to overwrite?  Besides, the controller built into the medium will have its own ideas about what and where the "end" is.

I have OPNsense-22.1.2-OpenSSL-vga-amd64.img, which is 1600698880 bytes.  1600698880 / 1024 / 1024 is 1526.54541015625.  How is dd supposed to write such an odd number of blocks?  It can't write one block more because it might overwrite something, so it would have to stop at 1526 blocks, thus some data doesn't make it onto the USB stick (571904 bytes).


PPS: I looked at the source of dd and it seems to use integers.  I made a test with a file, and dd copied the 31 bytes of the file just fine despite bs=1024.  Is there a difference between a file and directly writing to a block device that causes disk images not to get written correctly when a non-default block size is being used which doesn't agree with the native block size (sector size) the block device may have?

I guess I'd have to do some testing with USB sticks and some block sizes ...
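The block-size question in the post above can be settled with a small test rather than by reading dd's source. What follows is an added example, not from the thread or the OPNsense project: it builds an input whose size is not a multiple of the block size (3 KiB plus 31 bytes, a scaled-down version of the 1526 MiB plus 571904 bytes case) and copies it with bs=1024, bs=1048576 and dd's default, comparing every copy byte for byte. The scratch directory and the use of /dev/urandom for the input are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): does dd drop a trailing
# partial block when bs= does not divide the input size?
# Input is constructed: 3 full 1 KiB blocks plus 31 odd bytes.

# Copy $1 to $2 with block size $3; succeed only if the copy is
# byte-for-byte identical to the source.
dd_copy_identical() {
    dd if="$1" of="$2" bs="$3" 2>/dev/null || return 1
    cmp -s "$1" "$2"
}

# Copy the odd-sized input with a 1 KiB block, a 1 MiB block and with
# no bs= at all; succeed only if every copy is complete and identical.
dd_partial_block_test() {
    dir=$(mktemp -d) || return 1
    head -c 3103 /dev/urandom > "$dir/in.img"          # 3*1024 + 31 bytes
    in_size=$(wc -c < "$dir/in.img" | tr -d ' ')
    rc=0
    for bs in 1024 1048576; do
        dd_copy_identical "$dir/in.img" "$dir/out.$bs" "$bs" || rc=1
        out_size=$(wc -c < "$dir/out.$bs" | tr -d ' ')
        [ "$out_size" -eq "$in_size" ] || rc=1       # no bytes lost
    done
    dd if="$dir/in.img" of="$dir/out.default" 2>/dev/null \
        && cmp -s "$dir/in.img" "$dir/out.default" || rc=1
    rm -rf "$dir"
    return $rc
}

dd_partial_block_test && echo "dd wrote every byte, trailing partial block included"
```

dd reports the short final block itself: without `2>/dev/null` the 1 KiB run prints `3+1 records in` / `3+1 records out`, where the `+1` is the partial block, and it is written in full. Separately, the GEOM message "the secondary GPT header is not in the last LBA" is what FreeBSD prints whenever a GPT image smaller than the medium is written to it: the image's backup GPT header sits at the end of the image, not at the last sector of the 32 GB stick. `gpart recover da0` relocates it; the message by itself does not indicate a damaged stick or a lost block.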

164
22.1 Legacy Series / Re: How to disable unbound scrubbing?
« on: May 24, 2022, 10:26:10 pm »
I thought so and tried different options, to no avail.  At least transparent and nodefault should work, but they don't.  It's like unbound does the query and then scrubs the result, and there's no option to turn that off.

Are we supposed to create networks without name resolution?
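The "scrubbing" asked about in this thread (the question at "What would be attacked by that?" and the post above) is DNS rebinding protection. A browser that has loaded a page from attacker.example, re-resolves the name and now gets 192.168.220.18 back, can send same-origin requests to whatever listens at that private address, such as a firewall's web UI, with the victim's cookies and from inside the LAN. Unbound's `private-address:` option defines which ranges are treated as private for this purpose and `private-domain:` lists zones allowed to return such addresses anyway. The following is an added example, not from the thread, unbound or the OPNsense project: it reimplements the IPv4 part of that filter in POSIX sh and runs it over constructed resolver answers so the effect of the allow list is visible. The sample names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread): DNS rebinding protection
# as a filter over "name address" answer lines. Mirrors the idea of
# unbound's private-address / private-domain settings for IPv4 only.

# Succeed if IPv4 address $1 is in a range treated as private
# (RFC 1918, loopback, link-local).
is_private_v4() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Succeed if name $1 equals or lies under one of the domains in $2
# (space separated): the zones an admin has declared private-domain.
in_private_domain() {
    for d in $2; do
        [ "$1" = "$d" ] && return 0
        case $1 in *."$d") return 0 ;; esac
    done
    return 1
}

# Read "name address" lines on stdin and echo those that survive:
# public answers always, private answers only for allowed domains.
# $1 is the space-separated private-domain allow list.
scrub_answers() {
    while read -r name addr; do
        if is_private_v4 "$addr" && ! in_private_domain "$name" "$1"; then
            continue          # dropped: rebinding or mis-split horizon
        fi
        printf '%s %s\n' "$name" "$addr"
    done
}

# Constructed sample answers, as an external resolver might return them.
SAMPLE='www.example.com 93.184.216.34
attacker.example 192.168.220.18
nas.home.arpa 192.168.220.18
vpn.corp.example 172.20.1.5
print.corp.example 172.40.1.5'

printf '%s\n' "$SAMPLE" | scrub_answers 'home.arpa corp.example'
```

With the allow list `home.arpa corp.example` the attacker.example answer is the only one dropped; with an empty allow list the nas.home.arpa and vpn.corp.example answers go too, which is the "network without name resolution" effect from the post when internal names are served by an upstream resolver. 172.40.1.5 passes either way because 172.16.0.0/12 ends at 172.31.255.255. In unbound.conf terms the fix for legitimate internal names is `private-domain: "home.arpa"` rather than disabling the protection.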

165
22.1 Legacy Series / Re: USB installer boot hangs at pflog0: permanently promiscuous mode enabled
« on: May 24, 2022, 07:27:55 pm »
Your USB stick is damaged?  It says


GEOM: da0: the secondary GPT header is not in the last LBA.
GEOM: diskid/DISK-08TQL07IE3OAQ9FV: the secondary GPT header is not in the last LBA.
mountroot: waiting for device /dev/ufs/OPNsense_Install...
Mounting filesysGEOM: diskid/DISK-08TQL07IE3OAQ9FV: the secondary GPT header is not in the last LBA.
GEOM: diskid/DISK-08TQL07IE3OAQ9FV: the secondary GPT header is not in the last LBA.
GEOM: diskid/DISK-08TQL07IE3OAQ9FV: the secondary GPT header is not in the last LBA.


I don't think it's supposed to be like this, and it's suspicious.  Have you tried to write the installer image to another USB stick?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved