Recent posts

#1
26.1, 26,4 Series / Re: 2 WAN Uplinks split routin...
Last post by viragomann - Today at 07:40:52 PM
Is the gateway status shown as "online" for both IPv4 gateways in System: Gateways: Configuration?

How did you configure the firewall rule for incoming traffic?
#2
26.1, 26,4 Series / Re: 2 WAN Uplinks split routin...
Last post by pfry - Today at 07:34:05 PM
Documentation is pretty light... I don't know of any examples. Searching this forum would probably be your best bet for that.
#3
26.1, 26,4 Series / Re: 2 WAN Uplinks split routin...
Last post by paul5012 - Today at 07:10:57 PM
Would I find something in the documentation on how to achieve this?
#4
26.1, 26,4 Series / Re: Issues with Reboot / Power...
Last post by mrzaz - Today at 06:25:39 PM
Quote from: wincent on Today at 03:47:07 AM
This command "/usr/local/etc/rc.d/suricata onestop" will check the status of Suricata and delete the stale PID file. If you previously used `kill` to shut down Suricata abnormally, a PID file may be left behind.
Now try to shut down or reboot OPNsense directly using the webGUI.

Thanks wincent,
I will save that one for the future. 🙂

I think I have kind of found out why it never shuts down or restarts from the WebGUI.
What is actually happening is the issue I have reported in another thread regarding the PID for suricata never ending.

When I do the shutdown from the webgui, a lot of the shutdown messages are only seen in the session stdout that starts the shutdown, which the console is not.
Only some of the later printouts, the ones printed to all stdouts, reach the console.

But as the system gets stuck endlessly waiting for the suricata PID to end, the shutdown never proceeds.

If I do the shutdown from the console, then you will see all stdout, including the hanging suricata PID.

Feels like a corner case that will seldom happen, but it could possibly be added as a robustness improvement to the shutdown/reboot scripts handling the suricata PID or any PID in future releases. 🙂

I propose to close this case and handle it through the other thread.

Best
Dan Lundqvist
Stockholm, Sweden
#5
26.1, 26,4 Series / Re: Problem with shutdown/rebo...
Last post by mrzaz - Today at 06:11:29 PM
Quote from: franco on Today at 08:10:32 AM
I've looked at the code and it's unclear where Suricata would hang. It has to be in poll() or recvfrom(), but both have timeouts, and SIGINT/SIGTERM should be properly handled and seen by the application eventually within the span of a second.

Cheers,
Franco

Hi Franco,
Thanks for the reply.
It is quite weird. When the issue was present I got the endless waiting for the suricata PID that never ends. I had to forcefully kill it for the rest of the shutdown/reboot to continue. Also, when done from the GUI, you didn't know why it was not shutting down or rebooting.

I will keep checking if I stumble on it again.

If I do, do you have any commands I could run to try to find out what is going on?

Best regards
Dan Lundqvist
Stockholm, Sweden
#6
26.1, 26,4 Series / Re: 2 WAN Uplinks split routin...
Last post by pfry - Today at 06:07:09 PM
Sounds like you want a policy routing solution ("Gateway" in the rule definitions) for incoming sessions. You'd need to differentiate your policies by destination address. Load-sharing outbound? Got me.

(I'd normally use VRFs for something like this, but hey.)
#7
26.1, 26,4 Series / Unbound DNS Error - Send faile...
Last post by panda39 - Today at 06:04:07 PM
I have been having this issue since 25.5, and now I'm at 26.1. I've had to keep restarting OPNsense just so I can update to 26.1.10. I've increased the tunable "kern.ipc.maxsockbuf" to 10MB, as I've seen in a previous post.

I don't have any VPNs configured yet. I have a separate internal DNS server that I use for the internal network. I only use Unbound for OPNsense itself. I've tried pointing the system to my internal DNS server and that works, but I really want to use Unbound only for OPNsense, and I don't know what else could be wrong.
#8
Hardware and Performance / Re: Inseego MiFi Pro M4 as WAN...
Last post by Greg_E - Today at 05:36:28 PM
4 to 5 bars of signal and 140/70 from fast dot com. That will work nicely for my lab. It's going to be a couple of weeks until I get back to this; hoping the construction in my office will be in a better place by then so I can start setting things back up and really test this. The IPPT is kind of on my mind right now; I want to test it and see what I can see. It removes one layer of NAT, so that has to help.
#9
26.1, 26,4 Series / 2 WAN Uplinks split routing is...
Last post by paul5012 - Today at 04:01:07 PM
Hi,

I've got a problem with a setup as in the drawing:
2 Internet uplinks, each one has a FritzBox. Different providers, each one has a static IPv4 address.
Only FritzBox2 has IPv6 (static address + /56 static prefix, but not of interest here).
OPNsense is 26.4.1-amd64.

What I want to have: load-balanced WAN links. Services in the DMZ like a Nextcloud or a mail gateway should be reachable via both public (IPv4) addresses.

I followed the instructions in https://docs.opnsense.org/manual/how-tos/multiwan.html and did multiple searches but found no solution.

The gateways table has 3 entries, two for the IPv4 FritzBoxes and one for the IPv6 box. Both v4 gateways have the same priority of 63. I configured a monitor IP (1.1.1.1 and 1.0.0.1 on the other interface).
The gateway is present in the respective WAN interface definition.
There is a gateway group with both v4 gateways, both as tier 1.
Pool options "default", trigger level "packet loss and high latency".

I did not configure DNS servers for each gateway, as I want unbound to be a full recursor and did not get the point of this part of the story.
I modified the "LAN pass to all" rule as in Step 4.

In the gateway overview one of the FritzBoxes is labeled "active", and all the traffic goes there.
When I try to connect from the internet to the nginx reverse proxy, I succeed when using the address of the "active" FritzBox.
When I try to access the other public IP, the packets are NATted by the FritzBox correctly and the SYN packet arrives at the OPNsense. But the SYN-ACK packet goes out the wrong interface, with the sender address of the interface where the SYN came in.

"Use sticky connections" is on. "Shared forwarding" and "Disable force gateway" are off.

What am I missing?
#10
26.7 Development Series / OPNsense 26.7-BETA images
Last post by franco - Today at 03:09:20 PM
Hi all,

Behind the scenes we have been working on providing the first images for the upcoming 26.7 series. We aligned with the FreeBSD 15.1 release schedule and fixed all the installer compatibility issues we've found. From early testing, FreeBSD 15.1 behaves pretty well. The main differences from the current community versions are PHP 8.5, OpenSSL 3.5 and that this image only contains the development version. Upgrades to future versions are possible.

For now there's no path to upgrade from an existing 26.1.x, but manual instructions can be shared once 26.1.11 is released next week. 26.7-RC1 will also add the stable release path.

You can find the usual images here:

https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/misc/26.7.b/

SHA256 (OPNsense-devel-26.7.b-dvd-amd64.iso.bz2) = 73fb138ae4ea0f2eccb1f7966a88f78d863a012f15b314105a5533f74b27abad
SHA256 (OPNsense-devel-26.7.b-nano-amd64.img.bz2) = 79c881c87af8fe27eef4d5a94cb7d211296870dc5fcfc00bc409c62fbdaa441f
SHA256 (OPNsense-devel-26.7.b-serial-amd64.img.bz2) = d7f257c7360c840e9d16360ef973cb6ca6b0b9ee10f761751d471ed92f16a0d7
SHA256 (OPNsense-devel-26.7.b-vga-amd64.img.bz2) = 62622a0a1a9954f77edde657fc8c66115977cd115737f475ec53aecc2b97117c

The public key for 26.7 is as follows:

The roadmap has a few more insights on what to expect: https://opnsense.org/roadmap/
Cheers,
Franco