Recent posts

#1

General Discussion / Re: v26.1.10 Default deny / st...

Last post by Patrick M. Hausen - Today at 12:58:38 PM

Please show your custom rule details.

[don't]

#2

General Discussion / Re: Connecting to DHCP managed...

Last post by gareththered - Today at 12:56:29 PM

Have you tried with the MAC Address spoofing?
My UK fibre provider works perfectly well without it and I get no connection with it.

Just to clarify - are you saying that you don't spoof the MAC and it works?  I'm with YouFibre and everyone says I have to spoof. I tried with and without and I could only get an IP address when spoofing while using the built-in Realtek driver.  Now that I've swapped to the vendor driver, and it's working, I realised I hadn't spoofed the MAC address.  I'm naturally reluctant to go a tweak again!

#3

General Discussion / v26.1.10 Default deny / state ...

Last post by chrisb - Today at 12:53:50 PM

Hi All,

I have configured a new OPNsense box, with the above rule blocking all my traffic to internal hosts.
Firewall logs show all traffic destined for the internal host blocked.
I am unable to elevate my custom rule before the default deny rule - or I do not know how to do it.

I am unable to find any documentation to assist me.

Please advise.

Thank you.

#4

26.1, 26,4 Series / Re: picky DHCP on WAN

Last post by dseven - Today at 12:46:43 PM

DHCP lease renewal is normally (per standard) attempted when half of the lease time remains. That's very well established, and generally stable.

I haven't been seeing opnsense do that though. It seems to wait until the 85% mark before attempting renewal.

opnsense just uses the standard dhclient - nothing special as far as lease renewal goes (AFAIK).

How are you observing this "85% mark"? What does /var/db/dhclient.leases.igb2 look like?

#5

General Discussion / Re: Connecting to DHCP managed...

Last post by gareththered - Today at 12:30:22 PM

I would start looking for clues in two places: message buffer and system log which is /var/log/system/latest.log
Perhaps a live tail (tail -f) whilst renewing the dhcp lease from the ISP.

Thanks for the suggestion of looking in the logs.  That got me thinking - it might not be firewall/routing, but lower level network issues.

Fedora worked with the a Realtek USB NIC, so I tried the same in my OPNSense router and it failed.  The logs showed the NIC bouncing.  A quick Google showed me that the default Realtek driver isn't the best with FreeBSD and a vendor one is available.  I installed that, and the OPNSense router's internal NIC for the WAN side (also a Realtek) came up straight away and gave me full speed.

I've now ordered an Intel based NIC for it, so that I can keep away from Realtek.

What's strange is that this internal Realtek NIC worked reliably with my previous provider.  They were using an OpenReach ONT though (made by Nokia apparently) while the current provider uses an Adtran ONT.  There must be some incompatibility somewhere.

This is what happens when someone who is comfortable with Linux dabbles with FreeBSD :-)

#6

26.1, 26,4 Series / Re: OIDC and Automatic User Cr...

Last post by franco - Today at 11:40:08 AM

Sure, this mimics the way LDAP extended queries work.  Just need a feature request.  :)


Thanks,
Franco

#7

26.1, 26,4 Series / Re: WAN Interface speed duplex...

Last post by dseven - Today at 11:29:04 AM

Google AI thinks it's likely a grounding issue on the cable side - if the cable is not (properly) grounded, voltages have to find another way, which might be via the ethernet connection to the firewall. I don't believe everything AI comes up with, but this seems plausible.

How are you observing the "failure to autonegotiate"? Do you see anything in dmesg when the failure occurs?

#8

26.1, 26,4 Series / Re: Redirect URL After Success...

Last post by franco - Today at 11:16:49 AM

Hi Marco,

Thanks, I'll assign it to Ad who will look into it.


Cheers,
Franco

#9

26.1, 26,4 Series / Re: OIDC and Automatic User Cr...

Last post by Moeni - Today at 11:02:06 AM

Yes, I agree that OPNsense should have an internal check as well. Something like "require membership in at least one of the configured groups, otherwise deny" would be much easier to set up than per-client flow overrides, especially when multiple teams need access. It looks like constraint_groups only changes how groups are mapped right now, not whether access is granted, so a real "deny if not a member" option would be nice to have.

Meanwhile, if you're using Keycloak, you can solve this server-side on the IdP: duplicate the browser flow, add a conditional sub-flow with a "Condition — user role" (negated) plus a "Deny Access" execution, and bind that flow to the OPNsense client only (Clients -> Advanced -> Authentication flow overrides). When you gate on a role and map your group to it, people who aren't in your group won't get a token at all, so OPNsense doesn't create them automatically. No auth proxy required.

Cheers,
Marco

#10

26.1, 26,4 Series / Re: WireGuard does not start a...

Last post by sopex - Today at 10:53:53 AM

Was it working before? 26.1.9? Or we don't know?