Recent posts

#1
25.7, 25.10 Series / Re: Unable to Upgrade to 25.7....
Last post by utkonos - Today at 09:19:05 PM
The eventual and successful fix was to do a config backup, fresh install (with ZFS this time), and config import. Clean and fast. A bit longer than 30 minutes but that's because I stopped to eat lunch while OPNsense copied itself to the drive.

Here are a few notes.

I was not able to get the config to read during the import config step during console boot from the USB installer (vga type). I had formatted the USB FAT32 and copied the config downloaded from the GUI to the USB. The installer recognized the da1 USB stick but was not able to find the config.xml.

The installer had difficulty with installing to the disk that still had the old OPNsense UFS partition. I tried a partial dd from /dev/zero, but there is still a secondary GPT table at the end of the disk that you should overwrite with zeros as well. Once all that is gone, the installer works just fine.

Since I could not get the config imported from a USB, I opted to configure just the WAN and LAN interfaces and nothing else. Once the install finished, I was able to connect a laptop to the LAN port and get to the default DHCP network and GUI. From there, importing the config via GUI worked flawlessly. After import and reboot, everything was back to normal and I was then able to perform the update that wasn't working in the first place.
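The leftover secondary GPT table mentioned above, as an added example that is not part of the post: it scans a constructed disk image for GPT header signatures at LBA 1 and at the last LBA, and shows why zeroing only the start of the disk leaves the backup header behind.

```python
import struct

SECTOR = 512
GPT_SIG = b"EFI PART"


def gpt_header_lbas(image: bytes, sector: int = SECTOR) -> list[int]:
    """Return the LBAs that still carry a GPT header signature.

    A GPT disk keeps the primary header at LBA 1 and a backup copy at the
    last LBA; the primary's AlternateLBA field (offset 32) points at it.
    """
    last_lba = len(image) // sector - 1
    return [lba for lba in (1, last_lba)
            if image[lba * sector:lba * sector + 8] == GPT_SIG]


def make_gpt_image(sectors: int, sector: int = SECTOR) -> bytes:
    """Constructed minimal image with a primary and a backup GPT header."""
    last_lba = sectors - 1

    def header(my_lba: int, alt_lba: int) -> bytes:
        # signature, revision 1.0, header size 92, CRC placeholder, reserved,
        # MyLBA (offset 24), AlternateLBA (offset 32); rest left zero here.
        hdr = GPT_SIG + struct.pack("<IIII", 0x00010000, 92, 0, 0)
        hdr += struct.pack("<QQ", my_lba, alt_lba)
        return hdr.ljust(sector, b"\x00")

    img = bytearray(sectors * sector)
    img[1 * sector:2 * sector] = header(1, last_lba)
    img[last_lba * sector:(last_lba + 1) * sector] = header(last_lba, 1)
    return bytes(img)


def partial_wipe(image: bytes, nbytes: int) -> bytes:
    """Simulate 'dd if=/dev/zero' over only the first nbytes of the disk."""
    return b"\x00" * nbytes + image[nbytes:]


def wipe_both_ends(image: bytes, sector: int = SECTOR) -> bytes:
    """Zero the first and last 34 sectors: protective MBR, both GPT headers
    and both partition-entry arrays (32 sectors each) are covered."""
    n = 34 * sector
    return b"\x00" * n + image[n:-n] + b"\x00" * n
```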
#2
Yeah, it seems like my assumption was wrong; it fell back after not getting an answer:

Vlan:

21:15:23.740664 IP6 2003:a:177f:8463:b40e:4343:1cc8:df32.54262 > 2003:180:2:7000::53.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.741343 IP 172.16.1.150.52057 > 172.16.1.1.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.751291 IP 172.16.1.1.53 > 172.16.1.150.52057: 54276 2/0/0 CNAME ipv6.l.google.com., AAAA 2a00:1450:4016:800::200e (92)

Loopback doesn't respond:

21:15:23.740672 IP6 2003:a:177f:8463:b40e:4343:1cc8:df32.54262 > ::1.53: 54276+ AAAA? ipv6.google.com. (33)

Good to know, sorry xD
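The fallback visible in those captures, as an added example that is not part of the thread: it pairs DNS queries with responses by transaction ID in constructed tcpdump-style lines (documentation addresses, modelled on the capture above) and reports which queries, such as the one sent to ::1, never got an answer.

```python
import re

# Shape of the DNS lines tcpdump prints: ts IP|IP6 src.port > dst.port: txid[flags] rest
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<fam>IP6?) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<txid>\d+)\S* (?P<rest>.*)$"
)
# A question section ("AAAA? name") marks a query; responses start with counts.
QUESTION_RE = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")

# Constructed sample: the query to ::1 is never answered, the client retries
# over IPv4 two seconds later and gets a reply.
SAMPLE = """\
21:15:23.740672 IP6 2001:db8:1::150.54262 > ::1.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.741343 IP 172.16.1.150.52057 > 172.16.1.1.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.751291 IP 172.16.1.1.53 > 172.16.1.150.52057: 54276 2/0/0 CNAME ipv6.l.google.com., AAAA 2001:db8::200e (92)
"""


def parse(capture: str) -> list[dict]:
    """Parse each DNS line into its fields and tag it as query or response."""
    out = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        q = QUESTION_RE.match(f["rest"])
        f["is_query"] = q is not None
        f["qname"] = q["qname"] if q else None
        out.append(f)
    return out


def unanswered(capture: str) -> list[dict]:
    """Queries whose (txid, client address, client port) never saw a response."""
    pending = {}
    for f in parse(capture):
        if f["is_query"]:
            pending[(f["txid"], f["src"], f["sport"])] = f
        else:
            pending.pop((f["txid"], f["dst"], f["dport"]), None)
    return list(pending.values())


def fallbacks(capture: str) -> dict[str, str]:
    """Names whose IPv6 query went unanswered but were then resolved over IPv4,
    mapped to the server that stayed silent."""
    missed = {f["qname"]: f["dst"] for f in unanswered(capture) if f["fam"] == "IP6"}
    pending, answered = {}, set()
    for f in parse(capture):
        if f["is_query"]:
            pending[(f["txid"], f["src"], f["sport"])] = f["qname"]
        elif f["fam"] == "IP" and (f["txid"], f["dst"], f["dport"]) in pending:
            answered.add(pending[(f["txid"], f["dst"], f["dport"])])
    return {name: srv for name, srv in missed.items() if name in answered}
```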
#3
Correct - to pull that link to the FreeBSD source from that other thread so you don't need to go on a scavenger hunt:

https://cgit.freebsd.org/src/tree/sys/netinet6/ip6_input.c?h=releng/14.3#n765

FreeBSD *should* categorically refuse to send a packet with source ::1 to anything but the loopback interface itself if I read that code correctly.
#4
Tutorials and FAQs / Re: ndp-proxy-go: Proxy ISP pr...
Last post by meyergru - Today at 09:01:53 PM
Really? I just tried and it did not work for me like that.

I used ::1 as redirect target and used: "nslookup -query=A www.google.de 2001:4860:4860::8888" and got a communications error from a Linux client. The same thing works when I use a routable IPv6 alias for OpnSense as a redirect target. Note that by using Google's DNS IPv6 explicitly, I force the IPv6 forwarding rule to be applied.

I recently had a discussion with Patrick over this where he was surprised as well that it did not work.

His posting is here and OpnSense seems to adhere to RFC4291: https://forum.opnsense.org/index.php?msg=246585

Maybe you got an answer over a redundant DNS over IPv4?
#5
Virtual private networks / Wireguard Local Traffic only
Last post by hagensieker - Today at 08:35:10 PM
I had set up WireGuard successfully a year or three ago on Opnsense. Then one day it just stopped working. I have filled the hole with Tailscale but I need to get rolling with WG again.

I did manage while I was away this weekend to set up a new WG instance and peer. Connecting works and had a handshake issue. I have a pass rule set up for the WG instance under Firewall > Rules.

All I am getting is local traffic only. And that's fine. When I travel I want access to my Home Assistant, TrueNAS, QNAP, etc. It works perfectly. I am not able to pass internet traffic though.

Only problem there is on another device (GL.Inet) travel router. I need the magic firewall rule or setting to accomplish this. Somebody please let me know what I'm missing. Peer on WireGuard client:

[Interface]
PrivateKey = redacted=
ListenPort = 51820
Address = 10.10.10.2/24

[Peer]
PublicKey = redacted=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 195.252.xxx.xxx:51820
PersistentKeepalive = 25

Again this passes local traffic.  I deleted DNS and have played with a few entries.

Pretty sure I need to tweak a firewall rule but not sure.
#6
German - Deutsch / Re: Verständnisfrage zu Portfo...
Last post by awado - Today at 08:26:02 PM
Meanwhile I have come to a similar realization. It is far too much effort for a temporary scenario. I will go to the trouble of stripping the existing WordPress VM down to the point where it can be reached through my reverse proxy. But thanks anyway for your input. I've learned a lot. Should a light bulb still go on for me, I will of course post it here.
#7
Also I just tried the port forward and it works for me without any tricks:

it might not be RFC-conformant but "hey it works I guess xD"

EDIT: DOESN'T WORK!
#8
TWIMC: https://github.com/Monviech/ndp-proxy-go/issues/3

I got the proxy working now for PPPoE interfaces as well.
#9
25.7, 25.10 Series / Re: Help Needed: Branding & UI...
Last post by Maurice - Today at 07:18:45 PM
Seems
Quote from: Patrick M. Hausen on Today at 12:13:03 PM
Good luck.

They'll need it. And don't forget plugins, documentation, release notes, ports like opnsense-update (and their man pages), ...

🤣
#10
General Discussion / Re: new setup cannot reach lin...
Last post by muusemuuse - Today at 07:15:35 PM
The board sucking is mostly about obnoxious IOMMU grouping and not getting past POST if a flash drive is connected to the front USB ports. It does have AMD-V enabled and the CPU type is host.