Recent posts

#1
Quote from: jasoncrowley on May 04, 2023, 01:53:35 PM
I'm resurrecting an old thread because I found a solution for our use case.

THANK YOU! I had the same problem on our MultiWAN firewall cluster and this fixed it!

I can't believe that in 2026 it's still not fixed.
#2
26.1, 26,4 Series / Re: OPNcentral NAT sync crash ...
Last post by franco - Today at 11:21:46 AM
Sorry I meant to write -g:

# pluginctl -g nat


Cheers,
Franco
#3
26.1, 26,4 Series / Re: OPNcentral NAT sync crash ...
Last post by ews - Today at 11:11:09 AM
Hello Franco,

pluginctl -n nat returns no output on my system.

At first I thought I may have missed a migration step because the firewall rules in 26.4 had to be manually converted to the new MVC system. However, from what I have been able to verify so far, NAT still appears to be largely legacy-based at the moment.

Therefore I assume my system is still using the classic NAT configuration from config.xml.

Would you prefer only the NAT section or a full config.xml for reproduction?

And on which firewall does the problem occur — source or destination?

Thanks,
Christian
#4
26.1, 26,4 Series / Captive Portal + MFA
Last post by oattisan - Today at 10:51:25 AM
Hi,
I am currently setting up WireGuard on my firewall and have successfully assigned the wg0 interface. I can see the traffic flowing correctly through Zenarmor, so the basic connectivity is working as expected.
I am now trying to implement a Captive Portal (accessible at IP:8000) to enforce MFA for these users. To achieve this, I created a new OTP server (Local + Time-based One Time Password) named WG_OTP.
However, I have run into the following issue:
The Authentication Tester fails when using the WG_OTP server.
The Captive Portal page loads correctly, but I cannot get the OTP configuration to validate.
If I switch the authentication server to the Local Database, the tester works perfectly.
The OTP server itself seems to be configured correctly because it is already functioning for my existing OpenVPN setup.
Could you provide some guidance on why the OTP authentication might be failing specifically for this WireGuard/Captive Portal implementation?

Thank you in advance.

Luca
#5
26.1, 26,4 Series / Re: DEC840 gets stuck on boot ...
Last post by tuto2 - Today at 10:17:07 AM
Hi,

I took the liberty of testing with an older DEC850 model (same platform, 8 instead of 4 cores). Since I had both the FS 10GSR-85 and the FS 10G-T lying around, plugged these in as well but can't seem to reproduce your issue.

It can be helpful to set both dev.ax.0.axgbe_debug_level and dev.ax.1.axgbe_debug_level to "1" in system -> settings -> tunables, and reboot. This will produce a lot of noise over serial so make sure you can access via ssh to reset these tunables by hand (# sysctl dev.ax.0|1.axgbe_debug_level=0) or make sure you're able to access the GUI to reset the tunables there.

Instead of directly fetching from the serial console you can also pipe "# dmesg" into a file, but make sure it has the ---<<BOOT>>--- in there.

Possibly unrelated, but is one of the ax ports configured for DHCP as a client?
#6
26.1, 26,4 Series / Re: OPNcentral NAT sync crash ...
Last post by franco - Today at 09:50:46 AM
Hi Christian,

Haven't heard about this from someone else so far.

Would you mind sharing with me the legacy NAT rules configuration so I can try to reproduce? At least I'm assuming it's the legacy configuration, because quirks there are more common.

# pluginctl -g nat

You can also share this via PM or mail to franco AT opnsense DOT org


Thanks,
Franco
#7
26.1, 26,4 Series / Re: 26.1.7_2: issue with ACME ...
Last post by franco - Today at 09:38:40 AM
In either case it looks like it expects TrueNAS as OS, not OPNsense.


Cheers,
Franco
#8
26.1, 26,4 Series / Re: DEC740 26.1.6-serial USB h...
Last post by franco - Today at 09:35:54 AM
Ok, good. Be aware that if the CMOS battery is empty it could keep resetting itself.


Cheers,
Franco
#9
26.1, 26,4 Series / Re: Business Edition pf CVE-20...
Last post by franco - Today at 09:34:10 AM
happy to hear :)
#10
26.1, 26,4 Series / Re: DS-Lite (PPPoE|DHCPv6-PD) ...
Last post by meyergru - Today at 09:25:57 AM
Good to know, that would be an alternative that saves some money on M-Net, because you can now avoid paying for "real IPv4" and stay with CG-NAT. I posted it here.

P.S.: I tried the "None" IPv4 setting for my "real IPv4" setup - it does not work, because you do not get any IPv4 then.