Messages

1

20.1 Legacy Series / Re: Split DNS & Rebind Attacks

« on: July 23, 2020, 02:55:24 am »

Well, I got things a bit better after I discovered the NAT Reflection options in Advanced.

Ticking the Reflection for Port Forwards and Automatic Outbound Reflection got me to the server.

Unfortunately, Apache's DNS site detection is broken because of this on the LAN.  www.mysecretsite.com resolves as the "first" site, but www.myREALLYsecretsite.com resolves to the first.

What I really need to understand is why Unbound's overrides are not working for this but are for other items.  If my LAN clients are hitting it, shouldn't its overrides be honored?

2

20.1 Legacy Series / Split DNS & Rebind Attacks

« on: July 23, 2020, 12:20:51 am »

All, I have an internal DNS server that I want to retire in favor of using the built in UnboundDNS.  Everything works except my web server behind NAT.

Externally www.mysecretdomain.com resolves and works perfectly.

Internally www.mysecretdomain.com throws a rebind error because it tries to go to the admin page of OpnSense instead of www which is on a different system.

Indeed, internally pinging www.mysecretdomain.com resolves to my PUBLIC IP when it should resolve to my INTERNAL IP.

Even going to the Overrides section of Unbound and making sure www.mysecretdomain.com resolves to 10.0.1.201 does nothing.  It insists on resolving to my Public/Opnsense WAN IP.

What the heck am I doing wrong?

3

Hardware and Performance / What's the word with NVMe?

« on: March 19, 2020, 06:46:31 pm »

A long time ago when I started running OpnSense it was advised not to use SSDs.

Has this changed?  I have a mini PC with an EVO Plus NVMe drive I can upgrade with.

4

19.7 Legacy Series / Re: Hanging at /boot/defaults/loader.conf

« on: December 10, 2019, 09:22:37 pm »

*solved*

Over in the FreeBSD bug tracker I found this link, and see comment #48.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230172

I have to add this to /boot/loader.conf.local on my systems - I figured I try it on the Dell (which I am using) and the Apple which had the same issue.  It fixed both systems.

kern.vty="vt"
hw.vga.acpi_ignore_no_vga="1"

5

19.7 Legacy Series / Re: Hanging at /boot/defaults/loader.conf

« on: December 10, 2019, 07:18:01 pm »

Thanks for responding. I did download vga.  I've sense tried it on a Dell 3050 also with EFI firmware.... same thing.

Did I download the wrong image?

I was looking in Tuneables as someone in the FreeBSD forum thought disabling vesa would do it.

6

19.7 Legacy Series / Re: Hanging at /boot/defaults/loader.conf

« on: December 08, 2019, 02:12:54 pm »

Okay, I went back to this with fresh eyes.  Maybe someone has an idea about this:

Only the local console on the display is "hanging". OPNSense is alive and well both via the web and ssh ports. It works.

I was used to seeing information on my old setup after the loader, so it must be something in that loader.conf for video drivers?

I don't know how much I even need that since I run it headless, but it was nice to have a working monitor with it as a diagnostic tool as OPNsense loads/shutsdown if there is a problem.

Thoughts?

7

19.7 Legacy Series / Hanging at /boot/defaults/loader.conf

« on: December 07, 2019, 06:34:35 pm »

This is a culmination of my two other posts. My simple morning project has turned into a nightmare. That's how it goes for me.

I decided to switch out my OpnSense hardware. I have a decent i5 Mac mini not doing much, so I download the image, got it installed and my configuration imported. The initial boot after the installer was successful and everything came up and I'm ready to swap. Awesome!

I shut down to move it into it's new home and it's hanging at /boot/defaults/loader.conf

I reloaded, was successful again, ...and again... shutdown and first cold boot, it hangs.

I don't get it and I don't know enough about FreeBSD to even begin to figure out why this seems to work fine then fails.

Um, help?

8

19.7 Legacy Series / Reinstall "Import Configuration" Drive Format

« on: December 07, 2019, 04:07:51 pm »

I've had OpnSense for years, but might move to new hardware.  Over those years I've tried and failed many, many, times to get my configuration imported at install time.

Daily, I don't live in the *nix world. My desktops are Windows or Mac.

What format of, say, a USB flash drive is OpnSense expecting to find that contains my config? Is there a formatter for Mac/Windows that I can use as well as a tool to copy the config onto it?

Thanks for any advice!

9

19.7 Legacy Series / OpnSense WAN Speed Issues

« on: December 07, 2019, 12:56:39 am »

I had 100Mbps service and I would typically get from speedtest-cli that speed.

Today my provider doubled our speed to 200Mbps.  Still, the most I can get with my OpnSense box is 104Mbps.

If I connect my laptop directly to my ISP's box, I'll get 220Mbps which is what I expect.

What should I look for on OpnSense to get the speed I expect?  I'm running it on HP hardware that has GIG Ethernet to the ISP.

10

19.1 Legacy Series / VPN Setup

« on: March 09, 2019, 03:12:44 am »

Hi All,

I've followed the instructions here, as they seem to offer compatibility with macOS, iOS, Windows, and Android.

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-rsamschapv2.html

I've done everything per those instructions and the test user.  ...and... now what?  How do I configure the clients?  That seems to be missing.

I initially followed this guide, which at least had instructions for the clients, which seems to have additional steps for the firewall (which makes sense and the first link doesn't have) but it didn't work:

https://docs.opnsense.org/manual/how-tos/ipsec-road.html

I'm not a VPN/IPsec expert at all, but there seems to be a lot of work done in this area with a lot of changes, and as someone who doesn't work at lot with VPN and isn't familiar with setting it up, I'm finding the documentation either a bit out of date and/or confusing.

Does anyone have a guide, external blog, anything with clear and simple to follow directions to get this working?

Thanks!

11

17.1 Legacy Series / Re: Port 80 and 443 to more than one computer.

« on: March 12, 2017, 06:23:16 pm »

Has anyone made any progress with this... man, haproxy is just a beast.

I can't figure out if BOTH frontends and backends are necessary for my purpose and, I assume, the purpose of the original poster.  I have two domains on two different servers behind NAT.  I'd like:

www.example.com to point to 10.0.1.200 on both port 80 and 443

and

www.example.net to point to 10.0.1.201 on both port 80 and 443

I assume the "frontend" will need to watch for the particular fqdn on those ports and direct to the appropriate system, I again assume defined in "servers"?

Not sure where the backend fits into it all...

12

17.1 Legacy Series / Re: Port 80 and 443 to more than one computer.

« on: March 08, 2017, 10:06:06 pm »

I didn't realize haproxy was a plugin... definitely interested in any configuration tips one finds.  I'm in the same situation with Lets Encrypt.

13

17.1 Legacy Series / Re: Install Freezes at Guided Installation

« on: February 25, 2017, 08:06:15 pm »

I guess note this somewhere. What I ended up doing was installing 16.7 which worked perfectly, then upgraded to 17.1 which went well, but I had to follow the directions in this post (including making the change with the GUI) in order to get it to boot every time.

https://forum.opnsense.org/index.php?topic=4470.msg17092#msg17092

I guess I'll keep that 16.7 DVD I made handy!

14

17.1 Legacy Series / Install Freezes at Guided Installation

« on: February 25, 2017, 06:13:15 pm »

I'm trying to do a fresh install on a 2nd machine to use as a backup incase the main router goes down.  I never had problems installing v15 or v16, but man, the FreeBSD underpinnings of v17 seem to be making what was once simple, frustrating.

First it wouldn't boot until I did the steps here:
https://forum.opnsense.org/index.php?topic=4389.msg17200#msg17200

Now, I make it all the way to "Guided Installation" but on that screen I can't select anything. It's just frozen. No keyboard input. Nothin'. I have to force reset the PC.

15

General Discussion / Re: USB Flash Drive Format to store backup Configuration

« on: February 21, 2017, 12:11:25 am »

Actually, I'm positive you can. I've done it.

When I had a crash with 16.1 due to a failing hard drive, I had the fresh drive in while the old drive was still connected.  During install I was able to select the old drive where it found my configuration and built it into the new install perfectly.

This is just putting the configuration on a flash drive so if that happens again it can recover the configuration for it.

Thank you for your replies, but I'd prefer we not debate over what can and cannot be done, I'd prefer any help to my actual question: help with formatting the flash drive properly.  If you have any guidance in that direction, please share!

Thanks!