1
18.7 Production Series / Re: Hosts behind LAN cannot get ipv6 addresses
« Last post by marjohn56 on Today at 08:27:04 am »Naughty pfsense... 
Recent Posts
2
General Discussion / Re: nginx listen ip
« Last post by patrick7 on Today at 08:11:55 am »I see several usecases.
One is that the webinterface already listens on the same ports :-)
One is that the webinterface already listens on the same ports :-)
3
German - Deutsch / Openvpn client fragen
« Last post by b4unty on Today at 06:02:11 am »Der Server hat eine feste iP, als Client iPhone läuft um als Client opnsense anzumelden bekomme ich nicht hin.
Die log Dateien zeigen nur Verbindung kann nicht hergestellt werden. Darum glaube ich das ich die Zuordnungen aus der Datei in die Zertifikate falsch mache. In der Anleitung steht auch Mann soll den privat key bei einem Zertifikat leer lassen, doch da bekomme ich dann eine rote Meldung das der key rein muss.
Gesendet von iPhone mit Tapatalk
Die log Dateien zeigen nur Verbindung kann nicht hergestellt werden. Darum glaube ich das ich die Zuordnungen aus der Datei in die Zertifikate falsch mache. In der Anleitung steht auch Mann soll den privat key bei einem Zertifikat leer lassen, doch da bekomme ich dann eine rote Meldung das der key rein muss.
Gesendet von iPhone mit Tapatalk
4
German - Deutsch / Re: Dyndns Update
« Last post by b4unty on Today at 06:00:09 am »Hi b4unty,Genau ein Fallback mit Update des Dyndns Zugang.
leider verstehe ich deine Frage nicht so ganz. Du willst die externe IP der WAN Schnittstelle dynamisch ändern ?QuoteHintergrund ist das ein wan über PPPoE die iP bekommt und die Ersatz Verbindung über dhcp des Nachbarn läuft.Dann hast Du also zwei Schnittstellen nach aussen und willst eine als Fallback ?
Gesendet von iPhone mit Tapatalk
5
18.7 Production Series / Re: Hosts behind LAN cannot get ipv6 addresses
« Last post by posixbofh on Today at 03:44:33 am »D'oh. I self-solved the issue. OPNSense was not sending RAs because the pfsense box on the same network was still sending RAs, even though it didn't have a prefix from which to allocate.
6
18.7 Production Series / Re: Hosts behind LAN cannot get ipv6 addresses
« Last post by posixbofh on Today at 03:29:05 am »Does the LAN interface show a valid IPv6 address and is dhcpd6 showing running too?
Hey Marjohn, thanks for the reply. Yes, I do see a valid ipv6 address on the opnsense LAN interface and I do see a ipv6 dhcpd running.
Code: [Select]
root@blah:~ # pgrep -fla dhcpd
24034 /usr/local/sbin/dhcpleases6 -c /usr/local/sbin/configctl dhcpd update prefixes -l /var/dhcpd/var/db/dhcpd6.leases
23728 /usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid igb1
86320 /usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igb1
13345 /usr/local/sbin/syslogd -s -c -c -P /var/run/syslog.pid -l /var/dhcpd/var/run/log -f /var/etc/syslog.conf
Code: [Select]
root@blah:~ # ifconfig igb1
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:00:00:00
hwaddr a0:36:9f:00:00:00
inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
inet6 2601:602:dead:beef:a236:aaaa:bbbb:7c59 prefixlen 64
inet6 fe80::1:1%igb1 prefixlen 64 duplicated scopeid 0x2
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
7
General Discussion / My experience switching from pfSense to OPNsense on a Watchguard XTM515
« Last post by dwasifar on Today at 03:17:30 am »Successfully made the switch, finally. Here are some things I learned along the way.
As mentioned in another thread, I was able to use a pfSense exported config file in OPNsense, after manually adding a working OPNsense user into the file so I wouldn't get locked out due to password encryption. The pfSense file was full of Snort configuration information, which I stripped out manually just to keep things clean.
I built a temporary OPNsense appliance on a spare PC, to use while working on the Watchguard. While I was waiting for some pieces to arrive in the mail (more on that later) I decided I wanted to install an SSD in the Watchguard instead of the HDD I'd previously hacked into it. (The Watchguard box originally just ran from CF and had no drive.) That SSD was currently in the old PC. I also needed my spare PC back for some other things. So I cloned the drive with dd and popped the clone into an old server (a 12-core Xeon, actually, which was way overkill). It appeared to be working but couldn't get any traffic out to the WAN. So I put that drive back in the spare PC and found it wouldn't talk to the WAN either. Looked OK in config, just wasn't working.
From this I deduce that moving a working OPNsense installation to new hardware that has a different complement of NICs causes trouble and you shouldn't do it. I'm guessing the interface assignment settings don't adapt well to that situation. I wound up doing a new fresh install and restoring settings from backup.
Shortly after that, the parts I needed for the Watchguard arrived. A CF card reader/writer (for writing OPNsense to the default Watchguard CF boot socket); a replacement CPU; and some thermal paste. These multi-thousand-dollar Watchguards came with puny Celeron 440 processors, and I found out that you can drop in a Pentium E5700 instead, for better performance. They're dirt cheap now. I bought a used pull for $3.50, shipping included, which was less than the thermal paste cost.
Prior to installation, I wiped the SSD, because I know from prior experience that the Watchguard will try to boot from disk if there's anything on it. Set up a console-to-USB connection to my laptop using minicom, booted the Watchguard from CF, installed to SSD, rebooted with CF removed, set the interfaces from console, restored my config, and from there everyone knows how it goes. I let it burn in on the benchtop for a few hours to shake out any problems with the replacement CPU, and now it's in service and working fine.
One thing I noticed with all this repeated rebooting and/or switching back and forth between firewalls is that machines on the network that have existing sessions tend to leak traffic for a few minutes afterwards. I watch the live log widget on the dashboard and see a lot of default rule denials for traffic originating on the LAN. It settles down in a little while. I have to assume it's normal, or else someone reading this will set me straight.
The Watchguard folks don't make it particularly easy to repurpose their hardware, but it's a nice little OPNsense box now, and should be sufficient until it dies. I'll cross that bridge when I get there.
As mentioned in another thread, I was able to use a pfSense exported config file in OPNsense, after manually adding a working OPNsense user into the file so I wouldn't get locked out due to password encryption. The pfSense file was full of Snort configuration information, which I stripped out manually just to keep things clean.
I built a temporary OPNsense appliance on a spare PC, to use while working on the Watchguard. While I was waiting for some pieces to arrive in the mail (more on that later) I decided I wanted to install an SSD in the Watchguard instead of the HDD I'd previously hacked into it. (The Watchguard box originally just ran from CF and had no drive.) That SSD was currently in the old PC. I also needed my spare PC back for some other things. So I cloned the drive with dd and popped the clone into an old server (a 12-core Xeon, actually, which was way overkill). It appeared to be working but couldn't get any traffic out to the WAN. So I put that drive back in the spare PC and found it wouldn't talk to the WAN either. Looked OK in config, just wasn't working.
From this I deduce that moving a working OPNsense installation to new hardware that has a different complement of NICs causes trouble and you shouldn't do it. I'm guessing the interface assignment settings don't adapt well to that situation. I wound up doing a new fresh install and restoring settings from backup.
Shortly after that, the parts I needed for the Watchguard arrived. A CF card reader/writer (for writing OPNsense to the default Watchguard CF boot socket); a replacement CPU; and some thermal paste. These multi-thousand-dollar Watchguards came with puny Celeron 440 processors, and I found out that you can drop in a Pentium E5700 instead, for better performance. They're dirt cheap now. I bought a used pull for $3.50, shipping included, which was less than the thermal paste cost.
Prior to installation, I wiped the SSD, because I know from prior experience that the Watchguard will try to boot from disk if there's anything on it. Set up a console-to-USB connection to my laptop using minicom, booted the Watchguard from CF, installed to SSD, rebooted with CF removed, set the interfaces from console, restored my config, and from there everyone knows how it goes. I let it burn in on the benchtop for a few hours to shake out any problems with the replacement CPU, and now it's in service and working fine.
One thing I noticed with all this repeated rebooting and/or switching back and forth between firewalls is that machines on the network that have existing sessions tend to leak traffic for a few minutes afterwards. I watch the live log widget on the dashboard and see a lot of default rule denials for traffic originating on the LAN. It settles down in a little while. I have to assume it's normal, or else someone reading this will set me straight.
The Watchguard folks don't make it particularly easy to repurpose their hardware, but it's a nice little OPNsense box now, and should be sufficient until it dies. I'll cross that bridge when I get there.
8
Development and Code Review / Re: Sensei on OPNsense - Application based filtering
« Last post by svn on Today at 12:49:50 am »@Csykes27 thanks for reporting. We've heard this issue for the first time actually. Let's debug what is causing this together.
I shall be contacting you soon to resolve the issue.
I shall be contacting you soon to resolve the issue.
9
Development and Code Review / Re: Sensei on OPNsense - Application based filtering
« Last post by Csykes27 on Today at 12:29:16 am »I am having an issue of when I Enable Cloud Reputation & Web Categorization all web traffic stops. all services are running and stay running from what I can tell.
10
German - Deutsch / Re: 18.7.4: Netzwerk/DNS Probleme wenn Opensense auch OPNVPN-Client
« Last post by BeNe on October 15, 2018, 09:49:00 pm »Ein Bug ist es sicher nicht. Ich betreibe ebenfalls mehrer VPN Tunnels von der OPNSense als Client.
Ohne Logs,Netze und mehr Infos ist es leider kaum möglich zu helfen.
Von PIA gibt es eine recht gute Anleitung --> https://www.privateinternetaccess.com/archive/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2
Die ist zwar für die andere Sense, ähnelt aber in den Punkten doch. Vielleicht hilft es euch ja weiter.
Ohne Logs,Netze und mehr Infos ist es leider kaum möglich zu helfen.
Von PIA gibt es eine recht gute Anleitung --> https://www.privateinternetaccess.com/archive/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2
Die ist zwar für die andere Sense, ähnelt aber in den Punkten doch. Vielleicht hilft es euch ja weiter.