Recent posts

#1
26.1 Series / Re: Neighbors: Automatic Disco...
Last post by kasper93 - Today at 04:23:30 PM
Quote from: franco on Today at 01:25:52 PM: To some degree I understand the problem at hand
I think you are missing the point here.
Quote from: franco on Today at 01:25:52 PM: but I'm wondering why you find your manually configured static ARP entries suboptimal?
Because I don't want them "anymore". The configuration page for them is NOT accessible when ISC is disabled. I need to disable Dnsmasq for the given interface to access this configuration again.

All I need is static DHCP assignments; with ISC, static ARP was a bonus on top.
Quote from: franco on Today at 01:25:52 PM: Are you still using ISC?
No. That is the point.
Quote from: franco on Today at 01:25:52 PM: Do you need these static entries?
No. But after disabling ISC, it is not clear where they are coming from and how to remove those entries. The UI elements are completely unavailable, even more so if you remove the ISC DHCP plugin completely.
Quote from: franco on Today at 01:25:52 PM: You could also remove the MAC address which would make them not feed into the Neighbor table.
I know how to work around the issue, but once ISC is disabled it is no longer possible without re-enabling it (at least temporarily). It leaves stale configuration, no longer accessible from the user interface, affecting the ARP table.
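A way to see which entries the post is talking about from the shell, added here as an example (not code from the thread or from OPNsense): FreeBSD's `arp -an` marks static entries with the word `permanent`, so they can be listed and the matching `arp -d` commands generated for review. The sample `arp -an` output, the addresses and the interface name `igc0` are constructed. Caveat: this only clears the running kernel table; whatever configuration still feeds the entries in (the situation described above) can put them back the next time it is applied.

```shell
#!/bin/sh
# Added example, not from the thread: find the static ("permanent") ARP
# entries in the running kernel table the way FreeBSD's `arp -an` prints
# them, and emit the `arp -d` commands that would clear them.
# The sample output below is constructed; on the box feed "$(arp -an)".

SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:01 on igc0 permanent [ethernet]
? (192.168.1.20) at 00:11:22:33:44:02 on igc0 expires in 1120 seconds [ethernet]
? (192.168.1.30) at 00:11:22:33:44:03 on igc0 permanent [ethernet]'

# list_permanent_arp OUTPUT -> one "IP MAC IFACE" line per permanent entry
list_permanent_arp() {
    printf '%s\n' "$1" | awk '/ permanent / { gsub(/[()]/, "", $2); print $2, $4, $6 }'
}

# count_permanent_arp OUTPUT -> number of permanent entries
count_permanent_arp() {
    list_permanent_arp "$1" | wc -l | tr -d ' '
}

# arp_delete_commands OUTPUT -> the `arp -d` lines that would remove them.
# Printed, not executed, so they can be reviewed before running as root.
arp_delete_commands() {
    list_permanent_arp "$1" | awk '{ print "arp -d " $1 }'
}

echo "permanent entries: $(count_permanent_arp "$SAMPLE_ARP")"
list_permanent_arp "$SAMPLE_ARP"
arp_delete_commands "$SAMPLE_ARP"
```

Dynamic entries show `expires in N seconds` in the same position, so the `permanent` match is what separates the two; anything that comes back as permanent after you have removed it is being re-fed from somewhere in the configuration.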
#2
26.1 Series / Re: Enable SSH at Console
Last post by nero355 - Today at 04:03:16 PM
Quote from: franco on Today at 08:54:08 AM: /usr/local/etc/rc.sshd is a script from *sense.  Don't trust AI.  ;)
Yeah, I was more pointing out that when you use something FreeBSD-based, a bit of additional basic FreeBSD knowledge is very nice to have! :)

Machine Learning Chatbots should never be trusted of course! ^_^

Quote: If you are into verbatim FreeBSD commands this should do the trick:

# service openssh onestart
NICE!

Quote: But keep in mind even then you'd have to go to /usr/local/etc/ssh/sshd_config and configure it according to your needs because OpenSSH doesn't permit password and root login by default as far as I remember (same as us really).
AFAIK it's a default setting spread out to all Linux/*BSD distributions that use OpenSSH Server :)

And you can of course easily follow these instructions to add another wheel user so you can use SSH without root:
https://docs.freebsd.org/en/books/handbook/basics/#users-synopsis

But people don't like to read manuals... LOL!
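Rather than reading sshd_config by eye after starting the daemon, the effective settings can be checked with `sshd -T`, which dumps every option in lowercase `keyword value` form after defaults and Match blocks are applied. The script below is an added example, not code from the thread or from OPNsense; the `sshd -T` output it parses is constructed, and the findings it reports (root login allowed, password-style authentication reachable, no AllowUsers/AllowGroups restriction) are the checks a practitioner would make before exposing the port.

```shell
#!/bin/sh
# Added example, not from the thread: audit the effective sshd settings.
# `sshd -T` prints "keyword value" lines, all lowercase. The sample is
# constructed to look like that output; on the box use "$(sshd -T)".

SAMPLE_SSHD_T='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no
allowgroups wheel'

# sshd_opt OUTPUT KEYWORD -> the value of KEYWORD (empty if absent)
sshd_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd OUTPUT -> prints one line per finding; returns 1 if any found
audit_sshd() {
    findings=0
    if [ "$(sshd_opt "$1" permitrootlogin)" = "yes" ]; then
        echo "finding: PermitRootLogin yes (root can log in with a password)"
        findings=1
    fi
    # Keyboard-interactive (PAM) is a second password-style path; older
    # OpenSSH releases print it as challengeresponseauthentication.
    kbd=$(sshd_opt "$1" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(sshd_opt "$1" challengeresponseauthentication)
    if [ "$(sshd_opt "$1" passwordauthentication)" = "yes" ] || [ "$kbd" = "yes" ]; then
        echo "finding: password-style authentication is enabled; prefer keys only"
        findings=1
    fi
    if [ -z "$(sshd_opt "$1" allowusers)" ] && [ -z "$(sshd_opt "$1" allowgroups)" ]; then
        echo "finding: no AllowUsers/AllowGroups restriction"
        findings=1
    fi
    return $findings
}

if audit_sshd "$SAMPLE_SSHD_T"; then
    echo "sshd settings look fine"
else
    echo "review the findings above, then restart the service"
fi
```

Checking `sshd -T` instead of the file catches the case where a Match block or a compiled-in default differs from what the config file appears to say.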
#3
German - Deutsch / Re: rfc2136 bei MultiWAN
Last post by wurmloch - Today at 03:53:18 PM
That's an interesting approach, I'll test it.

On this machine I have an IPsec (net-to-net) with outbound connection setup; that's the interesting part.
Inbound with SSH/OpenVPN/WireGuard client (road warrior) I can still picture.

Do you happen to know whether there is a plan for the rfc2136 community plugin to support the MultiWAN interface (analogous/similar to pfSense)?

Thanks and regards

#4
Quote from: Seimus on Today at 10:36:54 AM: Honestly I think you can't actually get 10G ~ wire rate.
I think so too, based on personal experience with Dedicated Hosting/Server Rental setups in the past:
- Standard speed 1 x 10 Gbps = 6.5 Gbps effectively.
- Standard speed 2 x 10 Gbps in LACP with Layer 3+4 hashing = 13 Gbps effectively.

Only one special customer who did a lot of optimizing on their own reached about 8 to 8.5 Gbps on a single 10 Gbps connection.
And he used OpenBSD instead of Debian/Ubuntu/CentOS/Gentoo, which the other customers were using most of the time!!

NIC brands varied from Intel to Mellanox to whatever a lot of the various HPE 1x10 Gbps and 2x10 Gbps models were using at the time...
All of them only had SFP+ ports by the way!

So this sounds logical IMHO:
Quote: Firewall Throughput - 10Gbps = BackPlane
Firewall Port to Port Throughput - 8.5Gbps = Throughput per single 10G NIC

Realistically speaking the MAX you should get is 8.5G, but that will heavily depend on your implementation.
:)
#5
German - Deutsch / Re: rfc2136 bei MultiWAN
Last post by Monviech (Cedrik) - Today at 02:59:36 PM
Ah okay, so that's what it comes down to.

The best approach is to create 2 hostnames (one for each dynamic WAN) and let the client decide which one it uses.

Most VPN protocols can handle multiple hostnames.

That way you also avoid TTL problems (even if the TTL is low, caches can be sticky).
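The two-hostname approach suggested here, and asked about in the reply above for the rfc2136 plugin, comes down to one RFC 2136 update per WAN, each carrying that interface's current address. The script below is an added example, not code from the thread, from OPNsense or from the rfc2136 plugin: it pulls the IPv4 address out of `ifconfig` output and builds the `nsupdate` batch for each hostname. The name server `ns1.example.com`, zone `example.com`, hostnames `wan1.fw.example.com`/`wan2.fw.example.com`, interfaces `igc1`/`igc2`, the TEST-NET addresses and the TSIG key path are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: publish one hostname per dynamic WAN
# over RFC 2136 (nsupdate). Server, zone, hostnames, interface names,
# addresses and key path are constructed placeholders.

# iface_ipv4 IFCONFIG_OUTPUT -> first IPv4 address in `ifconfig <if>` output
iface_ipv4() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# rfc2136_batch SERVER ZONE FQDN TTL IPV4 -> nsupdate input on stdout.
# "update delete" first, so the A record left by the previous address is
# replaced rather than accumulating next to the new one.
rfc2136_batch() {
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

# Constructed ifconfig output for two WAN interfaces (TEST-NET addresses).
SAMPLE_WAN1='igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xfffffff8 broadcast 203.0.113.15'
SAMPLE_WAN2='igc2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 198.51.100.20 netmask 0xffffff00 broadcast 198.51.100.255'

# wan_batches -> both batches, one hostname per WAN. On the firewall replace
# the samples with "$(ifconfig igc1)" and "$(ifconfig igc2)".
wan_batches() {
    rfc2136_batch ns1.example.com example.com wan1.fw.example.com 60 "$(iface_ipv4 "$SAMPLE_WAN1")"
    rfc2136_batch ns1.example.com example.com wan2.fw.example.com 60 "$(iface_ipv4 "$SAMPLE_WAN2")"
}

wan_batches
# Real use, with the TSIG key the DNS server was configured to accept:
#   wan_batches | nsupdate -k /usr/local/etc/Kddns.+165+12345.private
```

Each batch ends with its own `send`, so one `nsupdate` run can carry both; the client then gets two names to try, which is what sidesteps the sticky-cache problem the post mentions, since the 60-second TTL alone would not.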
#6
German - Deutsch / Re: rfc2136 bei MultiWAN
Last post by wurmloch - Today at 02:56:45 PM
Hi,

the OPNsense should announce itself externally under the FQDN "foo.bar.example.com", or be reachable from outside (e.g. via VPN/SSH) under it, depending on which WAN interface (with the corresponding dynamic public IP) is currently active.

For this I use a DNS server that the OPNsense can report to / update with its current IP address via rfc2136.
#7
German - Deutsch / Re: rfc2136 bei MultiWAN
Last post by Monviech (Cedrik) - Today at 02:48:21 PM
Hello,

what exactly is supposed to happen?
#8
You can use the external IP address of the OPNsense, split DNS is not necessary. Just normal external A records will be enough since the OPNsense will listen on this external IP address via a socket (if nginx is bound to it or *(any) interface). The default route of all clients sends the traffic to the OPNsense anyway.

Otherwise just use any IP of the OPNsense and Unbound for a Host override. Just make sure the firewall rules allow access.
#9
Quote from: vpx on Today at 08:13:32 AM
Quote: Maybe it is complaining about the remote site's id. Possibly it's different from the IP address?
As you can see, or can't see because I redacted the rest of the IP, the remote IP and remote ID are identical.
Yes, they seemed identical to me. I didn't doubt it.

The log shows the remote IP and the expected IKE ID in square brackets.
My suspicion was that the ID sent by the remote site (not shown in the log) differs from the expected one on your side, however. And obviously this was in fact the issue.^^
#10
So I'll repeat here once more that there are (enterprise) switch features for this such as Auto-Voice-VLAN. You just can't do that with every run-of-the-mill switch.

https://www.cisco.com/web/fw/tools/cisco-business/emulators/switch/catalyst/c1300-24mgp-4x/html/cat1k/english/1300/t_auto_voice_vlan_settings.html