Recent posts

#1
26.1 Series / Re: list_hosts.py -n (python3....
Last post by qballcow - Today at 06:33:30 PM
I had the same thing, and tons and tons of I/O during it.
Turned out my hosts.db-wal was very large.
On every run it would read for tens of seconds and re-create hosts.db-shm, which each time grew to hundreds of MB.

-rw-r--r--  1 hostd hostd  4.0M Mar  2 17:14 hosts.db
-rw-r--r--  1 hostd hostd  197M Mar  2 17:13 hosts.db-shm
-rw-r--r--  1 hostd hostd   99G Mar  2 17:14 hosts.db-wal

After executing a checkpoint with truncate and vacuuming, it now runs pretty normally again; still keeping an eye on it.
(Not sure if that was a safe action to do, but the current state was not sustainable.)
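The maintenance the poster describes (a WAL checkpoint in TRUNCATE mode followed by VACUUM) can be reproduced and checked on a throwaway database. The following is an added example, not code from the post or from OPNsense's list_hosts.py; it assumes a constructed `hosts` table and a writer that has automatic checkpoints switched off, which is what makes the -wal file grow without bound. It keeps one connection open for the whole run because closing the last connection to a WAL database checkpoints and removes the -wal file on its own, which would hide the effect being measured.

```python
"""Added example: grow a SQLite -wal file, then shrink it with
PRAGMA wal_checkpoint(TRUNCATE) and VACUUM. Not from the forum post or OPNsense."""
import os
import sqlite3
import tempfile


def sidecar_sizes(db_path):
    """Sizes in bytes of <db>, <db>-wal and <db>-shm (0 when the file is absent)."""
    out = {}
    for suffix in ("", "-wal", "-shm"):
        p = db_path + suffix
        out[suffix or "db"] = os.path.getsize(p) if os.path.exists(p) else 0
    return out


def grow_wal(con, rows=20000):
    """Constructed workload: commit many batches with the automatic checkpoint
    disabled, so every committed page lands in the -wal file and stays there."""
    con.execute("PRAGMA journal_mode=WAL")
    # Assumption: mimics a writer that never checkpoints (wal_autocheckpoint=0).
    con.execute("PRAGMA wal_autocheckpoint=0")
    con.execute(
        "CREATE TABLE IF NOT EXISTS hosts "
        "(id INTEGER PRIMARY KEY, name TEXT, last_seen INTEGER)"
    )
    batch = rows // 10
    for b in range(10):
        con.executemany(
            "INSERT INTO hosts (name, last_seen) VALUES (?, ?)",
            ((f"host-{b}-{i}", i) for i in range(batch)),
        )
        con.commit()


def truncate_checkpoint(con):
    """PRAGMA wal_checkpoint(TRUNCATE): copy all WAL frames into the main
    database and truncate the log to 0 bytes.
    Returns (busy, frames_in_log, frames_checkpointed)."""
    return con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()


def run_demo(db_path=None):
    """Returns file sizes before and after maintenance plus the checkpoint status."""
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(), "hosts.db")
    con = sqlite3.connect(db_path)  # stays open until the end, see lead-in
    grow_wal(con)
    before = sidecar_sizes(db_path)

    busy, log_frames, ckpt_frames = truncate_checkpoint(con)
    after_ckpt = sidecar_sizes(db_path)

    # VACUUM rebuilds the main file; in WAL mode its pages pass through the
    # log as well, so checkpoint once more to leave the -wal at 0 bytes.
    con.execute("VACUUM")
    after_vacuum = sidecar_sizes(db_path)
    truncate_checkpoint(con)
    final = sidecar_sizes(db_path)
    con.close()

    return {
        "wal_before": before["-wal"],
        "busy": busy,
        "all_frames_checkpointed": log_frames == ckpt_frames,
        "wal_after_checkpoint": after_ckpt["-wal"],
        "wal_after_vacuum": after_vacuum["-wal"],
        "wal_final": final["-wal"],
        "db_final": final["db"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:24} {value}")
```

A `busy` value of 1 means another connection held a read transaction and the checkpoint could not complete, which is the case to look for when the -wal keeps growing on a live system: a reader that never finishes pins the log, and the file cannot be truncated until that reader goes away.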

#2
German - Deutsch / Re: OpenVPN: User oder Group -...
Last post by stefanpf - Today at 06:28:25 PM

I've never tried it, but it is supposed to work via OpenVPN group aliases. Those can then be used in the rules.
https://docs.opnsense.org/manual/aliases.html#openvpn
#3
German - Deutsch / Re: Captive Portal: Diverse Fr...
Last post by TheExpert - Today at 06:17:26 PM
Quote from: viragomann on Today at 09:18:23 AM
But the CARP service itself isn't bound to an IP.

You presumably mean the Captive Portal and not the CARP service, right? Because CARP is bound to interfaces and IP addresses. I only define for which networks, but indeed not via which IP address, the Captive Portal should be reachable.

Quote from: viragomann on Today at 09:18:23 AM
So I wonder what isn't working there.

If you open the Captive Portal URL as http://<CARP-IP-Adresse>:8000/, you get a timeout. If you open http://<IP-Adresse des HA-Knotens>:8000/, the Captive Portal appears.
#4
26.1 Series / Re: Upgrade Failed, signature ...
Last post by LineF - Today at 05:56:33 PM
Same for me. No LTE connection, but a standard DSL connection. Signature invalid.
#5
German - Deutsch / Re: OpenVPN: User oder Group -...
Last post by sashak - Today at 05:45:10 PM
Quote from: viragomann on Today at 05:10:07 PM
But setting up a Client Specific Override isn't really a big undertaking, is it?

Many thanks for the reply :)

CSO isn't a big undertaking, but: there I can define exactly one fixed IP for the user, which means the user can only "dial in" once at a time. And: I much prefer working with groups rather than users, which apparently leads me away from CSO towards an additional OVPN instance.

No, none of it is a big undertaking as long as you only have to define it for one user. With multiple users and multiple hosts it quickly gets complicated.

Does anyone know whether something like per-user/group routing is planned, or can be done with external add-ons?
#6
26.1 Series / Re: Firewall Live view
Last post by nero355 - Today at 05:40:34 PM
Quote from: locus on Today at 10:16:33 AM
So my confusion is: where does this block come from?
Default Block Rule because it's traffic none of your Clients need/generated ?!
#7
26.1 Series / Re: What to do with "Rules" no...
Last post by nero355 - Today at 05:38:26 PM
Quote from: ProximusAl on Today at 03:00:18 PM
I have no plans at all to move to the new rules, until it is forced upon me. :)

The old rules work fine, and until such point @franco starts asking for us to move, they can stay where they are :)
+1 :)
#8
General Discussion / Re: VLAN with Synology RT600AX...
Last post by nero355 - Today at 05:34:06 PM
Quote from: Tobanja on Today at 05:11:42 PM
I wished there was some kind of rule to "allow all outgoing to WAN". At least I know the FW rules do kick in, just not the way I expect.

You can create Allow Rules with the statement inverted: !LAN or !HOME_NETWORK will make sure to Allow Traffic to whatever ISN'T that specific network :)

You could also check if there is a preconfigured Alias for something like this and if not, then you could create one Alias that contains all your local networks except the Guest Network and then use !<name of your Alias> in one single Allow Rule to only allow traffic to WAN and block the rest.
About the Synology :

I am not very impressed by its webGUI options either, after reading the manual, to be honest...
Maybe it's time to start thinking about a real dedicated Access Point instead of it ?!
#9
General Discussion / Re: VLAN with Synology RT600AX...
Last post by Tobanja - Today at 05:11:42 PM
Gosh.... One week attempting to create a simple VLAN... and counting.

I have started from scratch. This time, I disabled the built-in VLAN 1/PVID 1 wireless network as well as the built-in guest network on the Synology AP. I have created two new networks, set their VLAN to 10 (guest - for isolation, 192.168.10.x) and 20 (trusted, fully open, 192.168.20.x). The 192.168.1.x network will not be used wirelessly at all, for better clarity. I think Seimus suggested this?

I have created rules according to what you said @nero355. And yet, I can ping and connect to resources freely from guest to any network... If I remove the final "allow all" rule, I do block ping - as well as everything else. Instead of allowing "all", I wished there was some kind of rule to "allow all outgoing to WAN". At least I know the FW rules do kick in, just not the way I expect.

Instead of using the built-in "LAN Net" in OPNsense, I have instead blocked guest net -> 192.168.1.0/24 and guest net -> 192.168.20.0/24 for clarity.

The settings the Synology manual suggests are nowhere to be found. I'm suspecting they are only available when it's in the standard router mode. In its current AP mode, it's a very simple interface for creating new networks, basically just a name and what VLAN to use. The only thing related to VLAN is the attached image, but I can't change anything there, so I guess it's just informative.

In the switch, all VLAN 1 ports are set to untagged, and for VLAN 10 and 20, ports 1 and 3 (AP <-> switch <-> OPNsense) are set to tagged.

I will not give up since others have managed to segment using this AP. Just a little briefing of my struggles. Starting to feel like a lost cause here.

I need a break. Next attempt will be to ditch VLAN 1 completely, but I don't see how that logically can help with my isolation problem.

By the way, I have Tailscale active with subnet access on OPNsense as well, if that matters. Disabling it didn't change anything, though.
#10
German - Deutsch / Re: OpenVPN: User oder Group -...
Last post by viragomann - Today at 05:10:07 PM
Hello,

as you have already researched yourself, usernames cannot be used in firewall rules. That presumably also brought up how the rules work: with interfaces, network protocols, IPs and ports.

That leaves only the IP to distinguish users.
Even if you find the implementation in OpenVPN via CSO or separate instances inelegant, it is common practice.
As far as I know, the VPN alternatives don't offer anything better there either.

But setting up a Client Specific Override isn't really a big undertaking, is it?
If you then add an FW alias for the user IP, you can use the username in rules in a readable way.