Messages - dseven

Pages: 1 ... 13 14 [15] 16 17 ... 23
211
General Discussion / Re: Unbound binds to all addresses?
« on: September 26, 2024, 10:19:38 am »
It appears that Unbound still gets configured to listen on the loopback interface even when (other) interfaces are specified. That's probably where the conflict is occurring. That seems arguably a bug in OPNsense, although the (default) loopback interface seems to be a bit buried in the UI, so I'm not sure it'd be an easy fix, since there would need to be a way to actually specifically listen there - I suppose it could be a separate option or something....

Using NAT as suggested is probably a good workaround....

212
24.7 Production Series / Re: IPv6 Track on Loopback
« on: September 26, 2024, 09:24:15 am »
I'm probably missing something. Why are you trying to run DHCPv6 on the loopback interface? Can't you just set it up for "Track Interface", and check "Allow manual adjustment of DHCPv6 and Router Advertisements" so they won't apply to it?

213
General Discussion / Re: Android IPV6 not working - missing gateway
« on: September 25, 2024, 11:39:28 am »
FWIW, I see "AdvRouterAddr off;" too, but my Android (14) phone is working.

Google says Android has a long history of not supporting IPv6 well. Are we dealing with an older Android version here, perhaps?

214
General Discussion / Re: Android IPV6 not working - missing gateway
« on: September 25, 2024, 09:29:31 am »
How are you observing "no gateway" on the Android device? My Android 14 phone shows IPv6 addresses when I view the currently-connected WiFi network, but it does not show IPv6 Gateways, yet IPv6 is working. You may have something else going on....

215
General Discussion / Re: Help: Accessing VM's between two lan networks
« on: September 25, 2024, 09:09:48 am »
It's not working because hosts on the Primary LAN are pointing to your OPNsense FW, but it has no route to 192.168.220.0/24.

You could add a static route for it, but then you get into an asymmetric routing scenario, because return traffic from Test LAN will not pass through your OPNsense FW. See https://docs.netgate.com/pfsense/en/latest/routing/static.html#asymmetric-routing

Alternatively, you could add static routes for 192.168.220.0/24 to each of your LAN hosts, pointing to your OPNsense VM, but that's not going to be easy to manage.

Either way, you'd also have to make sure that NAT is disabled on the OPNsense VM.

216
24.7 Production Series / Re: public subnet behind opnsense / ip source header of opnsense not server
« on: September 24, 2024, 09:24:22 pm »
Eh? Sounds like the /29 is routed to the /32 "WAN" IP address. NAT would be on by default - needs to be turned off ... no?

217
24.7 Production Series / Re: public subnet behind opnsense / ip source header of opnsense not server
« on: September 24, 2024, 09:16:05 pm »
Firewall -> NAT -> Outbound

You'll probably have to turn off automatic rule generation, and set up your own rules as needed (or not)....

218
General Discussion / Re: Wireguard S2S issue
« on: September 24, 2024, 08:35:56 pm »
Quote from: ricksense on September 24, 2024, 08:10:31 pm
I followed this very guide myself too. Thanks

Then why are you creating floating rules? Nothing in that guide tells you to do that......

219
General Discussion / Re: Help me make my first VLAN with DHCP (it's not working)
« on: September 24, 2024, 06:11:01 pm »
Quote from: bimbar on September 24, 2024, 04:41:08 pm
You did write above that the client is untagged on port 2 and the opnsense as a trunk on port 8. So, PVID on port 2, no pvid on port 8.

Some switches require specifying the PVID for the port *in addition to* specifying that the VLAN be untagged on the port. It's not necessarily obvious, and easy to overlook.

Quote
Also, try not to mix tagged and untagged on port 8, it will probably not work.

I keep hearing this, but there's really no reason for it to not work unless there's something else in the mix (like bridges). There are some caveats, like Windows NIC drivers that blindly strip tags from VLANs that the NIC is not configured to access, but that still doesn't preclude mixing untagged and tagged on the firewall interface, and you'd still have to deal with VLANs for the Windows hosts if you tag everything......

220
General Discussion / Re: Help me make my first VLAN with DHCP (it's not working)
« on: September 24, 2024, 04:23:52 pm »
PVID for a port is the VLAN ID that untagged inbound frames will be associated with. You probably need to set it to VLAN 9 on switch port 2, unless your switch does it transparently or something.

Failing that, my next step would be to get a shell on the firewall and run something like `tcpdump -nnei igc0 'vlan and (port 67 or port 68)'` then try a DHCP client on port 2 - if VLANs are set up properly, you should see DHCP traffic on VLAN 9.

221
General Discussion / Re: Wireguard S2S issue
« on: September 24, 2024, 10:58:30 am »
Since they're VLAN interfaces, they probably wouldn't have the "Default allow LAN to any rule", so those would have to be created too. I haven't actually followed this guide myself, but it appears to cover creation of the proper rules.... https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

222
24.7 Production Series / Re: No logs for Kea DHCP when using /var/log RAM disk
« on: September 23, 2024, 01:03:22 pm »
Created https://github.com/opnsense/core/issues/7888 - I'm going to try a PR with a quick fix and see what the "powers that be" think ;)

223
24.7 Production Series / Re: No logs for Kea DHCP when using /var/log RAM disk
« on: September 23, 2024, 12:11:22 pm »
This may be the actual error...

Code:
root@opnsense:~ # /usr/local/opnsense/scripts/syslog/queryLog.py --limit '20' --offset '0' --filter '' --module 'core' --filename 'kea' --severity 'Emergency,Alert,Critical,Error,Warning,Notice,Informational' --valid_from '1726930874.967'
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/syslog/queryLog.py", line 75, in <module>
    if valid_from and isoparse(record['timestamp']).timestamp() < valid_from:
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/dateutil/parser/isoparser.py", line 37, in func
    return f(self, str_in, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/dateutil/parser/isoparser.py", line 134, in isoparse
    components, pos = self._parse_isodate(dt_str)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/dateutil/parser/isoparser.py", line 208, in _parse_isodate
    return self._parse_isodate_common(dt_str)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/dateutil/parser/isoparser.py", line 213, in _parse_isodate_common
    len_str = len(dt_str)
              ^^^^^^^^^^^
TypeError: object of type 'NoneType' has no len()
root@opnsense:~ #

I think the issue is that it doesn't handle multi-line log entries, like:

Code:
<132>1 2024-09-23T00:01:04+00:00 opnsense kea-dhcp4 63216 - [meta sequenceId="3"] WARN  [kea-dhcp4.alloc-engine.0x82d4d90d000] ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT [hwtype=1 68:39:43:d8:11:4a], cid=[01:00:00:00:00:00:00], tid=0x16e2f536: conflicting reservation for address 10.1.1.83 with existing lease Address:       10.1.1.83
Valid life:    4000
Cltt:          1727048850
Hardware addr: 68:39:43:d8:11:4a
Client id:     01:68:39:43:d8:11:4a
Subnet ID:     2
Pool ID:       0
State:         default
Relay ID:      (none)
Remote ID:     (none)
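An added example in Python (not OPNsense's queryLog.py, and not dseven's code) showing why a strictly per-line reader of this log ends up with a record whose timestamp is None, and the usual fix of folding header-less continuation lines into the preceding record before the valid_from comparison. The sample log is constructed after the kea-dhcp4 entry above (message text shortened), and the record field names are assumed.

```python
import re
from datetime import datetime

# Constructed sample modelled on the kea-dhcp4 entry above: one RFC 5424 header line
# followed by indented detail lines that carry no syslog header of their own.
SAMPLE_LOG = """\
<132>1 2024-09-23T00:01:04+00:00 opnsense kea-dhcp4 63216 - [meta sequenceId="3"] WARN ALLOC_ENGINE_V4_DISCOVER_ADDRESS_CONFLICT conflicting reservation for address 10.1.1.83 with existing lease Address:       10.1.1.83
Valid life:    4000
Cltt:          1727048850
<132>1 2024-09-23T00:01:05+00:00 opnsense kea-dhcp4 63216 - [meta sequenceId="4"] INFO DHCP4_STARTED
"""

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest-of-line
HEADER_RE = re.compile(r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')

def parse_line(line):
    """One physical line -> record; timestamp is None when the line has no header."""
    m = HEADER_RE.match(line)
    if not m:
        return {'timestamp': None, 'message': line}
    # PRI = facility * 8 + severity, so severity is the low three bits.
    return {'timestamp': m['ts'], 'severity': int(m['pri']) & 7,
            'process': m['app'], 'message': m['rest']}

def parse_per_line(text):
    """Naive reader: every physical line is a record, so continuation lines get None."""
    return [parse_line(l) for l in text.splitlines() if l]

def parse_records(text):
    """Robust reader: a line without a syslog header belongs to the previous record."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        rec = parse_line(line)
        if rec['timestamp'] is None and records:
            records[-1]['message'] += '\n' + line
        else:
            records.append(rec)
    return records

def filter_since(records, valid_from):
    """Keep records at or after valid_from (epoch seconds), skipping any without a timestamp."""
    out = []
    for rec in records:
        if rec['timestamp'] is None:
            continue  # the unguarded isoparse(None) is what raised the TypeError above
        if datetime.fromisoformat(rec['timestamp']).timestamp() >= valid_from:
            out.append(rec)
    return out
```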

224
24.7 Production Series / Re: No logs for Kea DHCP when using /var/log RAM disk
« on: September 23, 2024, 12:09:14 pm »
Not sure it's related to use of ramdisk, as I also have this issue (same error message), and I'm not using ramdisk. I actually just noticed yesterday that I can't see my kea logs through the web UI, but they are present in /var/log/kea, but I hadn't had a chance to look closer yet....

225
General Discussion / Re: Connect my NVR device to noip endpoint
« on: September 21, 2024, 04:46:48 pm »
If you follow that guide, it will allow VPN clients to access the internet via your OPNsense firewall, but will not allow them to access internal services on your LAN (such as your NVR) unless you add explicit rules to allow it - did you do that?

Quote:

"With these two rules, you will have access to your home’s Internet while connected remotely but no other access to your internal network(s). If you simply want a secure VPN for public WiFi hotspots, you do not need to add more rules.

If you wish to allow further access to devices/apps/services on your internal network(s), you will need to add rules above the second rule just as you would with any other network interface you have configured."

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved