OPNsense
Messages - smajor

1
General Discussion / Unbound DNS, WAN Down and Local DNS Resolves
« on: November 03, 2022, 12:14:19 am »
I have Unbound DNS configured as my DNS. I do use DHCP also with some static IPs defined to hosts. I have some LAN hostnames defined and it all seems to work okay... except when the WAN goes down (like it is now, I'm on my phone's hot spot).

I'd think that local hosts should still be able to resolve to each other. I must be missing a setting or maybe a rule to allow this.  Is this enough information to get a few suggestions?

2
21.7 Legacy Series / Re: Input Error Detected: Certificate webConfigurator default...
« on: October 07, 2021, 08:28:03 pm »
Thank you! That seems to have done it.

3
21.7 Legacy Series / Input Error Detected: Certificate webConfigurator default...
« on: October 07, 2021, 05:45:40 pm »
I'm getting an error in System -> Settings -> Administration.

Even though I have only http selected, I'm getting an error when I save: "Certificate webConfigurator default is not intended for server use."

This cert does exist in the https dropdown, but I'm not using https.

I installed a fresh copy on a test machine and there appears to be a different default TLS cert on a clean install which is NOT in my production install.  I have upgraded many, many times so perhaps that is part of it.

Obviously, with this error, I cannot Save any changes in that section.

4
20.1 Legacy Series / Re: Split DNS & Rebind Attacks
« on: July 23, 2020, 02:55:24 am »
Well, I got things a bit better after I discovered the NAT Reflection options in Advanced.

Ticking the Reflection for Port Forwards and Automatic Outbound Reflection got me to the server.

Unfortunately, Apache's DNS site detection is broken because of this on the LAN.  www.mysecretsite.com resolves as the "first" site, but www.myREALLYsecretsite.com resolves to the first.

What I really need to understand is why Unbound's overrides are not working for this but are for other items.  If my LAN clients are hitting it, shouldn't its overrides be honored?

5
20.1 Legacy Series / Split DNS & Rebind Attacks
« on: July 23, 2020, 12:20:51 am »
All, I have an internal DNS server that I want to retire in favor of using the built in UnboundDNS.  Everything works except my web server behind NAT.

Externally www.mysecretdomain.com resolves and works perfectly.

Internally www.mysecretdomain.com throws a rebind error because it tries to go to the admin page of OpnSense instead of www which is on a different system.

Indeed, internally pinging www.mysecretdomain.com resolves to my PUBLIC IP when it should resolve to my INTERNAL IP.

Even going to the Overrides section of Unbound and making sure www.mysecretdomain.com resolves to 10.0.1.201 does nothing.  It insists on resolving to my Public/Opnsense WAN IP.

What the heck am I doing wrong?

6
Hardware and Performance / What's the word with NVMe?
« on: March 19, 2020, 06:46:31 pm »
A long time ago when I started running OpnSense it was advised not to use SSDs.

Has this changed?  I have a mini PC with an EVO Plus NVMe drive I can upgrade with.

7
19.7 Legacy Series / Re: Hanging at /boot/defaults/loader.conf
« on: December 10, 2019, 09:22:37 pm »
*solved*

Over in the FreeBSD bug tracker I found this link, and see comment #48.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230172

I have to add this to /boot/loader.conf.local on my systems - I figured I'd try it on the Dell (which I am using) and the Apple which had the same issue.  It fixed both systems.

kern.vty="vt"
hw.vga.acpi_ignore_no_vga="1"

8
19.7 Legacy Series / Re: Hanging at /boot/defaults/loader.conf
« on: December 10, 2019, 07:18:01 pm »
Thanks for responding. I did download vga.  I've since tried it on a Dell 3050 also with EFI firmware.... same thing.

Did I download the wrong image?

I was looking in Tunables as someone in the FreeBSD forum thought disabling vesa would do it.

9
19.7 Legacy Series / Re: Hanging at /boot/defaults/loader.conf
« on: December 08, 2019, 02:12:54 pm »
Okay, I went back to this with fresh eyes.  Maybe someone has an idea about this:

Only the local console on the display is "hanging". OPNSense is alive and well both via the web and ssh ports. It works.

I was used to seeing information on my old setup after the loader, so it must be something in that loader.conf for video drivers?

I don't know how much I even need that since I run it headless, but it was nice to have a working monitor with it as a diagnostic tool as OPNsense loads/shuts down if there is a problem.

Thoughts?

10
19.7 Legacy Series / Hanging at /boot/defaults/loader.conf
« on: December 07, 2019, 06:34:35 pm »
This is a culmination of my two other posts. My simple morning project has turned into a nightmare. That's how it goes for me.

I decided to switch out my OpnSense hardware. I have a decent i5 Mac mini not doing much, so I downloaded the image, got it installed and my configuration imported. The initial boot after the installer was successful and everything came up and I'm ready to swap. Awesome!

I shut down to move it into its new home and it's hanging at /boot/defaults/loader.conf

I reloaded, was successful again, ...and again... shutdown and first cold boot, it hangs.

I don't get it and I don't know enough about FreeBSD to even begin to figure out why this seems to work fine then fails.

Um, help?

11
19.7 Legacy Series / Reinstall "Import Configuration" Drive Format
« on: December 07, 2019, 04:07:51 pm »
I've had OpnSense for years, but might move to new hardware.  Over those years I've tried and failed many, many, times to get my configuration imported at install time.

Daily, I don't live in the *nix world. My desktops are Windows or Mac.

What format of, say, a USB flash drive is OpnSense expecting to find that contains my config? Is there a formatter for Mac/Windows that I can use as well as a tool to copy the config onto it?

Thanks for any advice!

12
19.7 Legacy Series / OpnSense WAN Speed Issues
« on: December 07, 2019, 12:56:39 am »
I had 100Mbps service and I would typically get from speedtest-cli that speed.

Today my provider doubled our speed to 200Mbps.  Still, the most I can get with my OpnSense box is 104Mbps.

If I connect my laptop directly to my ISP's box, I'll get 220Mbps which is what I expect.

What should I look for on OpnSense to get the speed I expect?  I'm running it on HP hardware that has GIG Ethernet to the ISP.

13
19.1 Legacy Series / VPN Setup
« on: March 09, 2019, 03:12:44 am »
Hi All,

I've followed the instructions here, as they seem to offer compatibility with macOS, iOS, Windows, and Android.

https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-rsamschapv2.html

I've done everything per those instructions and the test user.  ...and... now what?  How do I configure the clients?  That seems to be missing.

I initially followed this guide, which at least had instructions for the clients, which seems to have additional steps for the firewall (which makes sense and the first link doesn't have) but it didn't work:

https://docs.opnsense.org/manual/how-tos/ipsec-road.html

I'm not a VPN/IPsec expert at all, but there seems to be a lot of work done in this area with a lot of changes, and as someone who doesn't work a lot with VPN and isn't familiar with setting it up, I'm finding the documentation either a bit out of date and/or confusing.

Does anyone have a guide, external blog, anything with clear and simple to follow directions to get this working?

Thanks!

14
17.1 Legacy Series / Re: Port 80 and 443 to more than one computer.
« on: March 12, 2017, 06:23:16 pm »
Has anyone made any progress with this... man, haproxy is just a beast.

I can't figure out if BOTH frontends and backends are necessary for my purpose and, I assume, the purpose of the original poster.  I have two domains on two different servers behind NAT.  I'd like:

www.example.com to point to 10.0.1.200 on both port 80 and 443

and

www.example.net to point to 10.0.1.201 on both port 80 and 443

I assume the "frontend" will need to watch for the particular fqdn on those ports and direct to the appropriate system, I again assume defined in "servers"?

Not sure where the backend fits into it all...

15
17.1 Legacy Series / Re: Port 80 and 443 to more than one computer.
« on: March 08, 2017, 10:06:06 pm »
I didn't realize haproxy was a plugin... definitely interested in any configuration tips one finds.  I'm in the same situation with Let's Encrypt.
