Messages

PS: Wo ist der Knopf für "Latest Posts" hingekommen?

You mean "Last Post", I assume? I just noticed that that very handy link is now missing too. I was very handy for catching up on running discussions :(

If you bookmark this

https://forum.opnsense.org/index.php?action=recent;start=0

it'S still there, but I don't see a button to access it directly from the forum main paige, as in the past.

PS: Wo ist der Knopf für "Latest Posts" hingekommen?

Runde Avatare sind doof. Wenn man nicht eingeloggt ist gibt's keinen "Reply" button, mit dem man schnell einloggt und direkt antworten kann? Dämliche ajax.googleapis.com sind bei mir standardmäßig geblockt... :-p

Jupp, if names von der frischen Installation übernehmen, am Besten manuell zuweisen, die Interfaces, dann hast du den genauen Überblick, welches physische Interface welchen Namen hat.
Und mit find die Config nach dem alten Interfacenamen durchsuchen, sollte aber eigentlich wirklich nur diesen eine Treffer jeweils (wie in deinem Beispiel) geben...

Vor dem Einspielen der config.xml die Interfaces händisch im .xml umbenennen. Die Plugins nach dem ersten Boot auf der neuen Hardware dann installieren, deren Konfiguration ist dann ja in derconfig.xml.

Yepp, IPS is not "fire and forget" but I like to get a feeling for what is going on the various levels-of-trust LANs. Warnings/blockings by Suricata give a feeling if some client tries e.g. to resolve fishy domains or contact known malware IPs.

Problems normally originate from the LAN side and IPS should be active on LAN, not WAN, correct.

,,,: "Operative Hektik ersetzt geistige Windstille".

Operative Hektik verdeckt geistige Windstille. ;-)

Or maybe

System -> Settings -> General -> Networking -> DNS

127.0.0.1

...works just fine and stable here for years. Why complain?

I would never use DoT with less than 4-5 servers configured...

[from]

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

Well... I have a lots of different subnets. And for some clients the traffic is surely allowed to reach the LAN, depending on the use case of the VLAN/Subnet. But I was still surpised, that its just routed.
Like already mentioned, this is a OPNsense design then. Because with any enterprise FW you do not have this behavior. For a good reason.

But maybe an additional Help-Text would be good to make this clear.
"Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
This is definitely not that clear. At least not to me. Because the initial connection was not coming from the LAN interface ingress.
If you know this behavior, sure its clear then.

If you allow HTTPS to any, I see no good reason why this should not include any random LAN/VLAN in your setup. It might be "surprising", but it's absolutly covered by the general rules of logic ;-)

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

That's why I proposed booting linux to see which hardware exactly lives in this box... ;-)

Serial for serial, VGA if you plan to have a monitor pluged in (from time to time).

Haven't tried recently installing with only one interface.

There should be a login promt at that stage, as can be seen here:

https://docs.opnsense.org/manual/install.html

under "Live Environment"...

Try to install your favourite linux (or BSD, if applicable) distro and have a look for the details of the hardware. Post info...