General Discussion / Re: Time based captive portal for kids internet?
« on: April 04, 2024, 06:31:10 pm »
...in pfsense I had a cron job one min after the FW expired (don't remember if scheduled allow or deny rules though...) that killed states for the specific IPs in question. Later that didn't work well and I established cron jobs to kill ALL states when rules expired.
Nowadays the scheduled rules for isolated IP are gone, kiddies grown up, but the cron jobs remind during nighttime frequently that IT'S LATE NOW, GO TO BED... :-D
PS: how-to for CRON job for state killing
https://forum.opnsense.org/index.php?topic=10740.msg49334#msg49334
...and nano is installed by default nowadays iirc.
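The state-kill cron job referred to here (and again in the later replies about scheduled block rules) can be as small as this. This is an added example, not the post's own script or the one in the linked how-to; it assumes the children's devices have fixed IPs (DHCP static mappings by MAC), that `pfctl` is on PATH, and the sample addresses are constructed:

```shell
#!/bin/sh
# Kill pf states for the child devices one minute after the scheduled block rule
# kicks in, so connections opened while access was allowed do not outlive the
# schedule. Constructed example; run from an OPNsense cron job as root.

KID_IPS="${KID_IPS:-192.168.1.50 192.168.1.51}"   # constructed sample addresses
PFCTL="${PFCTL:-pfctl}"                           # set PFCTL=echo for a dry run

# kill_states_for IP
# "pfctl -k HOST" kills states whose source matches HOST. With two -k arguments
# the pair means "from first to second", so 0.0.0.0/0 as the first argument
# catches states in which the device is the destination. Both calls are needed
# to drop every state involving the device.
kill_states_for() {
    ip="$1"
    "$PFCTL" -k "$ip" || return 1
    "$PFCTL" -k 0.0.0.0/0 -k "$ip" || return 1
}

# kill_all_kid_states: handle every address in KID_IPS and print how many
# hosts were processed (useful in the cron log).
kill_all_kid_states() {
    n=0
    for ip in $KID_IPS; do
        kill_states_for "$ip" && n=$((n + 1))
    done
    echo "$n"
}

# Only act when explicitly invoked, so the file can also be sourced for checks.
if [ "${1:-}" = "run" ]; then
    kill_all_kid_states
fi
```

Schedule it for one minute after the block rule starts (or the allow rule ends); the how-to linked above covers wiring a script into OPNsense cron.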
General Discussion / Re: Time based captive portal for kids internet?
« on: April 04, 2024, 11:50:35 am »
Deliver IPs based on MAC of devices and have scheduled firewall rules for these IPs and the services (ports) you want to regulate. You can adjust the time for the schedules. Have an eye on the states after access expires, otherwise the party will last until states expire...
General Discussion / Re: Can't ping or connect to devices on same subnet
« on: March 31, 2024, 07:10:00 pm »
The feature is called "wireless isolation" and can be turned off normally, no idea if this is supported in BSD driver. Many people think it's not a good idea to have wireless hardware in your BSD-based firewall.
General Discussion / Re: Many ssh connection attempts from WAN interface
« on: March 30, 2024, 05:31:18 pm »
I am by no means an X-pert! I discovered the same thing while looking at the logs. I had enabled the opnsense admin page on WAN. My setup had no business being set up that way. Control everything from the local LAN.
iirc the GUI listens by default on all interfaces, but on WAN there is no FW rule allowing access. Normally.
Virtual private networks / Re: Wireguard - Unable to open tunnel from one side
« on: March 28, 2024, 10:02:11 pm »
This is not the traffic for initiating the tunnel (public IP to public IP), but some traffic (PING?) for LAN clients on both sides.
Start with packet captures on the WAN of both OPNsense boxes and have a look at the status of the tunnel.
How do you "stop" your tunnel? If you enable wireguard on both sides the tunnel will come up and stay up until you stop wireguard on one side.
Virtual private networks / Re: Wireguard - Unable to open tunnel from one side
« on: March 28, 2024, 09:49:35 pm »
once the tunnel is established (with keep-alive) it's up and running. no further initiation necessary.
do a packet capture on the data center side to see if UDP is arriving at your wireguard client (OPNsense?)
General Discussion / Re: Need help with new setup/install Mini PC, 6x2.5GbE 1 subnet, DHCP on 5 ports
« on: March 28, 2024, 09:48:07 pm »
see below...
Virtual private networks / Re: Wireguard - Unable to open tunnel from one side
« on: March 28, 2024, 09:44:06 pm »
mildly related: Why do you want to initiate the tunnel from both sides? One side is totally enough, and for road warrior setups that is standard and working just fine...
And: Is port 51820 on your data center WAN open?
Virtual private networks / Re: OPNsense as Wireguard client
« on: March 28, 2024, 05:27:35 pm »
more likely than not it's just a question of the allowed ips on either side of the tunnel. and/or FW rules.
German - Deutsch / Re: My LAN client cannot reach its own gateway
« on: March 28, 2024, 04:06:04 pm »
Uh, if the Sense has 10.10.11.2 as its address it can't answer pings to 10.10.11.1, can it?
German - Deutsch / Re: MBUF usage grows steadily when using WLAN
« on: March 26, 2024, 06:34:03 pm »
Hi,
I use a WLAN stick as the WAN interface for my OPNsense when travelling and have no problems with it (though it is often only online for a few days at a stretch, with little traffic).
In general it is not recommended to run wifi hardware directly in BSD (drivers...). So at home I use Raspberry Pis as wifi APs (a 2B is entirely sufficient for me, but I only have one or two handfuls of clients) with a WIFI stick and no NAT (LAN and WIFI bridged; DHCP etc. all comes directly from the OPNsense).
https://www.raspberrypi.com/documentation/computers/configuration.html#use-your-raspberry-pi-as-a-network-bridge
(I haven't set it up myself with RaspiOS Bookworm yet; my APs are still on Bullseye)
24.1 Production Series / Re: Firewall Rule - Block Device on Schedule
« on: March 05, 2024, 06:09:48 pm »
The scheduled block rule has to be the first (!) on LAN. Direction is always relative to the interface, so IN is correct. You should spend SOME time to understand the logic of a stateful firewall and opnsense. ;-)
The allow any any rule is just for the start; you don't control anything outgoing from your LAN. That's not what a firewall is intended for. ;-)
If you don't use ipv6, disable it completely in your opnsense, otherwise there might be surprises waiting.
24.1 Production Series / Re: Firewall Rule - Block Device on Schedule
« on: March 05, 2024, 04:55:49 pm »
Highly depends on your existing ruleset ;-)
With "allow any any" you have to have a scheduled block rule for the respective client(s) on top of your list of rules. If your rules are more fine-grained you can have scheduled allow rules.
Have an eye on existing states (allowing further traffic to go back and forth) after the block kicks in or the allow rule expires...