Messages

..post screenshot of NAT outbound... Again, here it works just fine ;-)

Bei meinen Mininetzen geht seit Jahren kein ICMP,  nicht rein nicht raus. Bisher ist die Welt nicht untergegangen...

Würde ich im privaten Bereich grundsätzlich so machen, es sei denn, der Samsung-TV muss dringend irgendwohin leaken, damit er funktioniert.

So the traffic is apparently not leaving the LAN interface. Anything in the firewall logs?

Have a look here again, it works for me just fine:

Why it will not work:
1) you mess up with the outbound NAT rules.
2) you are blocking private/invalid on OPNSense's WAN
3) there isn't any rule that allows it (there should be, the default allow LAN to any, assuming you are connecting from OPNSense's LAN interface)
4) your modem is bridged, possibly using a specific port for the bridge, while leaving the rest as a "local tech support" access. ie port 1 is bridged, port 2+3 are not, port 4 is for a VOIP setup.

...installed and rebooted. Stable for the moment...

Many thanks! Any way to store this unbound 1.8.1 locally and install via console, in case I decide to update my production systems? :-)

PS: Stored a copy on my computer (wget....) and on the opnsense (fetch). But how to install it from my computer on another opnsense? Do I need to setup a webserver on my computer? No idea how to mount an USB-stick on my sense by hand...

IDS / IPS als shortcut? Ein lokaler Emailserver ist keine kleine Nummer mehr...

do a package capture (Interfaces -Diagnostics), first on LAN then on WAN while you try to access the modiem via http or https (depends...) and see, where your packages go to.

Yepp, if I disable "Block private" on WAN, I can access the modem even without the NAT rule. However, with block private on WAN, the NAT rule takes over and allows the otherwise blocked private IP   of my modem...

fun!

SOURCE, not Destination is 192.168.100.0/24 (if that's your modems network)...

Interfaces -> Diagnostics -> Ping is the direct way ;-) And you have to allow ICMP in the firewall rules for LAN to make a ping work. And http/https to reach the web interface of your modem

Firewall -> NAT -> Outbound (set to Hybrid)

Interface WAN

Source "Network of your MODEM, e.g. 192.168.100.0/24"

Translation/target INTERFACE address


____________

Save, apply, works here...

...same difference, w/o DNSsec reboot came back fine, but trying to update the only client in LAN kills off unbound after some seconds.

1.9.1 installed, on reboot:

Code Select Expand

Mar 19 09:34:27 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.11.1 ::)
Mar 19 09:34:27 kernel: em4: permanently promiscuous mode enabled
Mar 19 09:34:27 kernel: em3: link state changed to DOWN
Mar 19 09:34:27 kernel: em3: permanently promiscuous mode enabled
Mar 19 09:34:08 kernel: pid 38636 (unbound), uid 59: exited on signal 11
Mar 19 09:34:07 kernel: OK
Mar 19 09:34:06 kernel: OK
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '192.168.199.1'

...and after manual restart:

Code Select Expand

Mar 19 09:36:52 kernel: -> pid: 5881 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Mar 19 09:36:52 kernel: [HBSD SEGVGUARD] [unbound (5881)] Suspension expired.
Mar 19 09:36:52 kernel: pid 5881 (unbound), uid 59: exited on signal 11
Mar 19 09:35:37 kernel: pid 6235 (unbound), uid 59: exited on signal 11


I disabled DNSsec for the moment to see, if it makes a difference...

Yes I'm able to reach my cable modem through OPNSense.

How? :-D

PS: OK, I added an outbound NAT rule for the network my cable modem is running its web interface on, inserted the IP in the browser and was there. As I suggested in the beginning. ;-)

That worked well, but now the console doesn'T stop throwing text lines for minutes now. Is it making the WHOLE sense? I thought it was just unbound I ordered... :-D


PS: some minutes later...

Code Select Expand

root@OPN0119:/usr/ports/dns/unbound # make package deinstall install

***skipped some million lines of text outpt here...***

ln -sf "tls_init.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_new.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_clear_keys.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_file."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_mem.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_path."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_fil"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_mem"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_verify_d"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_unload_file.3"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_close.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_error.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_handshake.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_reset.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_write.3"
/bin/mkdir -p '/usr/obj/usr/ports/security/libressl/work/stage/usr/local/libdata/pkgconfig'
install  -m 0644 libcrypto.pc libssl.pc libtls.pc openssl.pc '/usr/obj/usr/ports/security/libressl/work/stage/usr/l'
/bin/rm -f -r /usr/obj/usr/ports/security/libressl/work/stage//usr/local/etc/ssl/cert.pem
====> Compressing man pages (compress-man)
===>  Installing for libressl-2.7.4
===>  Checking if libressl already installed
===>   libressl-2.7.4 is already installed
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of libressl
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound



...now we have:

Code Select Expand

root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
===>   unbound-1.8.1 depends on package: autoconf>=2.69 - found
===>   unbound-1.8.1 depends on package: automake>=1.16.1 - found
===>   unbound-1.8.1 depends on executable: libtoolize - not found
===>  License GPLv2 accepted by the user
===>   libtool-2.4.6 depends on file: /usr/local/sbin/pkg - found
=> libtool-2.4.6.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.xz
libtool-2.4.6.tar.xz                          100% of  950 kB 3227 kBps 00m00s
===> Fetching all distfiles required by libtool-2.4.6 for building
===>  Extracting for libtool-2.4.6
=> SHA256 Checksum OK for libtool-2.4.6.tar.xz.
===>  Patching for libtool-2.4.6
===>   libtool-2.4.6 depends on executable: gm4 - found
===>   libtool-2.4.6 depends on executable: gmake - found
===>   libtool-2.4.6 depends on executable: makeinfo - not found
===>  License GPLv3+ accepted by the user
===>   texinfo-6.5,1 depends on file: /usr/local/sbin/pkg - found
=> htmlxref.cnf doesn't seem to exist in /usr/ports/distfiles/texinfo/6.5.
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137,6
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 2016
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 6
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/texinfo/6.5 and try again.
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/print/texinfo
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/devel/libtool
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound

...still sumfink missing

"Block private networks" on WAN? The modems IP is allowed on LAN firewall rules? Might be that in the setup of the modem the concurrent use of the private address has to be configured?