Recent posts

#1
German - Deutsch / Re: HILFE... für FiSi Abschlus...
Last post by fastboot - Today at 07:14:54 AM
Hello Christian,

Your network definitely looks interesting, and it is clear that you have put a lot of thought into it.

What puzzles me somewhat, though, is the scope of the project. As I understand it, an IHK final project must have a clearly delimited project scope that is approved by the examination board before it starts. Only then may the actual project be carried out.

Depending on the IHK, the project time is around 40 hours. Planning, implementation, testing and the project documentation all have to take place within that time. What is assessed is not the entire existing infrastructure, but only the approved project scope.

Reading your post, I can see, among others, the following topics:

- introduction of IPv6
- building an OPNsense firewall cluster with CARP
- several VLANs
- OpenWRT
- KEA DHCP
- mDNS across VLAN boundaries
- print services
- routing between several networks

To me this looks more like a complete network infrastructure than like a single IHK final project.

So I have an honest question for my own understanding:

Would it be possible to show your project proposal (anonymised, of course) here? I would be interested in

- how the project goal was formulated,
- which tasks are actually part of the approved project,
- what the time plan looks like, and
- what operational or customer-side benefit was described.

I think that would also help many others to put the project scope into perspective.

For orientation, here is the IHK's general information on the project work and the project proposal:

https://www.ihk.de/blueprint/servlet/resource/blob/6957958/fd54ae065bc407cd8fc092c654af9a96/leitfaden-fi-systemintegration-data.pdf

as well as example guidance on the project proposal and time planning:

https://www.ihk.de/darmstadt/produktmarken/pruefungen/downloads/muther/it-hinweise-projektantrag-2551070

I would really be interested in how the examination board approved this project, because in my experience such a scope would be rather unusual for an IHK final project.

Best regards

fb
#2
26.1, 26,4 Series / Re: WAN interface passing to p...
Last post by lmoore - Today at 06:39:20 AM
Quote from: nero355 on July 03, 2026, 07:05:03 PM
The same goes for Fibreglass ONTs and xDSL Modems :)

But I was thinking to have something like this:

But then two times each:
- Block Private Networks - Incoming
- Block Private Networks - Outgoing
- Block BOGON Networks - Incoming
- Block BOGON Networks - Outgoing

If your xDSL/ONT modem only has one Ethernet port and you want the ability to check the status of the modem without interrupting the connection to the Internet, your only choice is to access the modem via the WAN port.

My xDSL modem is a Draytek VigorNIC 132 which is plugged in to a PCIe slot.

Prior to setting up OPNsense as my firewall (January 2021), I was using OpenBSD. With OpenBSD I set up a bridge interface and included re0 (WAN port) and vether0 interfaces as members. The vether interface was configured with the RFC-1918 subnet I use to access the modem's web interface. Doing this allowed the standard outbound blocking rule for RFC-1918 address to be used without impacting access to the DSL modem.

Unfortunately, the vether-kmod port isn't included in OPNsense and won't be a consideration in the future unless the FreeBSD port can be fixed - this seems unlikely.

With OPNsense, I assigned the RFC-1918 subnet to the bridge interface, then set up applicable rules for the modem network.

The preferred method to prevent RFC-1918 leakage is by using the black hole routes, as already mentioned in this thread. It is conceivable that one day one may encounter a problem and, when troubleshooting, the black hole routes may be disabled and may not be re-enabled if it's forgotten about. The only other mechanism to prevent leakage is to have the outbound firewall rule to block RFC-1918 - I understand ISPs aren't supposed to allow RFC-1918 to be routed normally through their networks.

I have floating rules preventing internal traffic making its way to destinations via the WAN interface. In addition, I've created rules on the WAN interface to block outbound connections from the firewall. This is primarily to prevent connections originating from the firewall itself, otherwise they will be allowed out due to the automatically generated rule "let out anything from firewall host itself (force gw)".

Blocking outbound connections to bogon networks seems like a good idea. Testing to some of the addresses in the bogons alias, they are being blocked by Q-Feeds. Q-Feeds is the first block rule for my internal networks so it's possible other lists will include them too. However, they aren't being blocked from the firewall itself - time to review and update my outbound rules on the WAN interface.

[Update] - I already had rules to block outbound from the firewall itself, so it is fair to say the other lists I use do not include bogon addresses. I added a rule to use Q-Feeds and it is blocking connections to bogon addresses.
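The failure mode lmoore describes above (a blackhole route disabled during troubleshooting and never re-enabled) is easy to audit for. The following is an added example, not code from the post or from OPNsense: it parses the text form of `netstat -rn -f inet` as printed on recent FreeBSD (assumed column order Destination, Gateway, Flags, Netif, with `B` in Flags marking RTF_BLACKHOLE and full `a.b.c.d/n` destinations), reports which RFC 1918 ranges have no blackhole route, and prints the `route(8)` command plus a pf rule that would close each gap. The routing table and the WAN interface name `igb2` are constructed for the example.

```python
"""Audit a FreeBSD/OPNsense routing table for RFC 1918 blackhole routes."""
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of `netstat -rn -f inet`; 192.168.0.0/16 has no
# blackhole route, as if someone removed it while debugging.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb2
10.0.0.0/8         127.0.0.1          UGBS        lo0
10.10.1.0/24       link#2             U          igb1
127.0.0.1          link#10            UH          lo0
172.16.0.0/12      127.0.0.1          UGBS        lo0
203.0.113.0/24     link#3             U          igb2
"""


def parse_routes(text):
    """Return [(network, flags)] for every IPv4 route line in netstat output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip banner lines and the column header.
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, flags = parts[0], parts[2]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append((net, flags))
    return routes


def missing_blackholes(routes, ranges=RFC1918):
    """Ranges with no exact-match route that carries the 'B' (blackhole) flag."""
    blackholed = {net for net, flags in routes if "B" in flags}
    return [net for net in ranges if net not in blackholed]


def route_commands(nets):
    """route(8) commands that would restore the missing blackhole routes."""
    return [f"route add -net {net} 127.0.0.1 -blackhole" for net in nets]


def pf_block_rules(nets, wan_if="igb2"):
    """Second line of defence: pf rules dropping traffic to the ranges on the WAN."""
    return [f"block drop out quick on {wan_if} inet from any to {net}" for net in nets]


if __name__ == "__main__":
    gaps = missing_blackholes(parse_routes(SAMPLE_NETSTAT))
    for cmd in route_commands(gaps) + pf_block_rules(gaps):
        print(cmd)
```

On a live box, feed it `netstat -rn -f inet` output instead of the constructed sample; an empty result from `missing_blackholes` means all three ranges are still blackholed.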
#3
Quote from: BrandyWine on July 03, 2026, 03:58:02 AM
Some more on that hardware. Is it a Lanner mobo? If so what model #?
There's an SMBus controller in pciconf, this could be how bypass is controlled once OS boots.

dmesg|grep -Ei "bypass|watchdog"

The relays could be commanded from OS via gpio, this would need investigating as I suspect there's nothing in OPNsense distro supporting this bypass out-of-the-box.

2nd, online info suggests the bios should have a util for setting the default state of the bypass.


Was the bypass even tested with the OS running? Two laptops with IP in same /24, two x-over cables, laptops each connect to the matching bridge ports (looks like AAA over BBB), so any vertical pair. Can the laptops ping each other? If no x-over cables then two small switches, or one switch that can be managed to have two vlans, A-port and laptop-A on one vlanID, B-port and laptop-B on the other vlanID.

Depending on what the bios has available, it may be difficult to control the bypass on FreeBSD. Can probably find some source code to compile, or even an existing klm, so more digging is needed.




Wow, that went really over my head, but let me try to explain what I know. The hardware itself functions; the only interface that previously had link was igb2. I put igb1 and igb2 as a PCIe card with 2 NICs, but after updating and adding some plugins the NICs now all show link when I put an Ethernet cable in. I really don't know why, but better for me I think.
#5
Quote from: BrandyWine on July 03, 2026, 03:58:02 AM
Some more on that hardware. Is it a Lanner mobo? If so what model #?
There's an SMBus controller in pciconf, this could be how bypass is controlled once OS boots.

dmesg|grep -Ei "bypass|watchdog"

The relays could be commanded from OS via gpio, this would need investigating as I suspect there's nothing in OPNsense distro supporting this bypass out-of-the-box.

2nd, online info suggests the bios should have a util for setting the default state of the bypass.


Was the bypass even tested with the OS running? Two laptops with IP in same /24, two x-over cables, laptops each connect to the matching bridge ports (looks like AAA over BBB), so any vertical pair. Can the laptops ping each other? If no x-over cables then two small switches, or one switch that can be managed to have two vlans, A-port and laptop-A on one vlanID, B-port and laptop-B on the other vlanID.

Depending on what the bios has available, it may be difficult to control the bypass on FreeBSD. Can probably find some source code to compile, or even an existing klm, so more digging is needed.





Hello, no, I was not able to test before putting pfSense on it.
#6
Quote from: pfry on July 03, 2026, 01:09:57 AM
Huh! Yeah, I'd expect the em driver... but then igb and em seem oddly interchangeable.

ifconfig may also show the devices. My concern was this line in their lame excuse for a data sheet: "3 x 1G bypass bridge pair", which usually indicates the presence of a hardware bypass, which must be deactivated (via custom software interface) to use the interfaces... somewhat normally. So the drivers may load, the interfaces may be configurable, but they will be electrically isolated by the bypass. But that's a supposition - I didn't find better docs offhand.

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: VLANTRUNK (opt4)
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 80:61:5f:08:07:60
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: MGMT1 (lan)
        options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
        ether 80:61:5f:08:07:61
        inet 10.10.1.1 netmask 0xffffff00 broadcast 10.10.1.255
        inet6 fe80::8261:5fff:fe08:761%igb1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=48500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:b3:8f:38
        inet6 fe80::ec4:7aff:feb3:8f38%igb2 prefixlen 64 scopeid 0x3
        media: Ethernet autoselect
        status: no carrier
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
igb3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:b3:75:9e
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb4: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:b3:75:9f
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb5: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:5e:95:08
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb6: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:5e:95:09
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb7: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:5e:95:0a
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb8: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,HWSTATS,MEXTPG>
        ether 0c:c4:7a:5e:95:0b
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
#7
General Discussion / Re: firewall is toast
Last post by newsense - Today at 04:20:20 AM
Depending on the hardware you're moving to, you may be able to get away with simply reassigning the interfaces and rebooting afterwards for everything to start up properly.
#8
General Discussion / firewall is toast
Last post by robertkwild - Today at 02:17:20 AM
Hi all,

My firewall is toast and unfortunately I didn't keep a backup (I know). Obviously I still have the M.2 SSD in the dead firewall; can I just move it into the new host, and will it work that way?

Thanks,
rob
#9
General Discussion / Problem upgrading from 26.1.9 ...
Last post by Lotek85 - Today at 12:00:36 AM
I'm not sure if I am putting this post in the right forum, so forgive me if I did. Anyway, for some reason when I try to update from 26.1.9 to 26.1.11 I'm getting this odd message saying some files are missing. Any way to fix this, or do I have to reinstall? Thanks in advance <3

***GOT REQUEST TO UPDATE***
Currently running OPNsense 26.1.11_5 (amd64) at Fri Jul  3 17:59:47 EDT 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Flushing temporary package files... done
Starting web GUI...done.
Fetching base-26.1.11-amd64.txz: .............. done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing base-26.1.11-amd64.txz...chflags: /usr/lib/i18n/libmapper_zone.so: No such file or directory
chflags: /usr/lib/i18n/libmapper_zone.so.5: No such file or directory
chflags: /usr/lib/i18n/libmapper_std.so: No such file or directory
chflags: /usr/lib/i18n/libmapper_std.so.5: No such file or directory
chflags: /usr/lib/i18n/libmapper_serial.so: No such file or directory
chflags: /usr/lib/i18n/libmapper_serial.so.5: No such file or directory
chflags: /usr/lib/i18n/libmapper_parallel.so: No such file or directory
chflags: /usr/lib/i18n/libmapper_parallel.so.5: No such file or directory
chflags: /usr/lib/i18n/libmapper_none.so: No such file or directory
chflags: /usr/lib/i18n/libiconv_std.so.5: No such file or directory
chflags: /usr/lib/i18n/libiconv_none.so: No such file or directory
 failed, chflags error 0
***DONE***
#10
General Discussion / Re: Why do I need to temporari...
Last post by Patrick M. Hausen - July 03, 2026, 09:52:16 PM
GRE does not have ports. It's its own protocol on top of IP independent of TCP and UDP. Port 0 might be a historical frontend abstraction of some product for not having port numbers at all.
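To make the point in the reply above concrete, here is an added example (not code from the post, nor from OPNsense or pf). It constructs two IPv4 packets, one carrying UDP and one carrying GRE (IP protocol 47) with the Key bit set as in RFC 2890, and extracts the tuple a stateful firewall could match on. For UDP that tuple contains source and destination ports; for GRE there is no port field at all, only the optional 32-bit key, which is why a rule for GRE is written with `proto gre` and no port. The packet contents, addresses and the `wan` interface name in the generated pf rule are constructed for the example; the IPv4 checksum is left as zero because nothing here sends the packets.

```python
"""Flow keys for UDP vs GRE packets: GRE has no ports to match on."""
import socket
import struct

IPPROTO_GRE = 47
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000  # RFC 2784/2890 bits


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum zeroed) in front of payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum zeroed) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_gre(proto_type, key=None, seq=None, inner=b""):
    """GRE header: flags/version, protocol type, optional key and sequence."""
    flags, opts = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opts += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto_type) + opts + inner


def parse_gre(buf):
    """Return (header fields, encapsulated payload) for a GRE packet."""
    flags, ptype = struct.unpack_from("!HH", buf, 0)
    off = 4
    fields = {"version": flags & 0x7, "proto_type": ptype}
    if flags & GRE_FLAG_C:
        fields["checksum"] = struct.unpack_from("!H", buf, off)[0]
        off += 4  # checksum + reserved1
    if flags & GRE_FLAG_K:
        fields["key"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if flags & GRE_FLAG_S:
        fields["seq"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    return fields, buf[off:]


def flow_key(packet):
    """(proto, src, dst, selector): the state-table view of one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    payload = packet[ihl:]
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", payload, 0)
        return (proto, src, dst, ("ports", sport, dport))
    if proto == IPPROTO_GRE:
        fields, _ = parse_gre(payload)
        return (proto, src, dst, ("gre_key", fields.get("key")))
    return (proto, src, dst, None)


def pf_rule(packet, ifname="wan"):
    """A pf pass rule matching the packet; note the absence of 'port' for GRE."""
    proto, src, dst, selector = flow_key(packet)
    if proto == socket.IPPROTO_UDP:
        return f"pass in quick on {ifname} proto udp from {src} to {dst} port {selector[2]}"
    if proto == IPPROTO_GRE:
        return f"pass in quick on {ifname} proto gre from {src} to {dst}"
    return f"pass in quick on {ifname} proto {proto} from {src} to {dst}"


# Constructed packets: a UDP datagram to IKE (500) and a keyed GRE packet
# carrying an IPv4 inner header (ethertype 0x0800).
UDP_PKT = build_ipv4("192.0.2.10", "198.51.100.5", socket.IPPROTO_UDP,
                     build_udp(40000, 500, b"ike"))
GRE_PKT = build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_GRE,
                     build_gre(0x0800, key=0x1234, inner=b"\x45"))

if __name__ == "__main__":
    for pkt in (UDP_PKT, GRE_PKT):
        print(flow_key(pkt))
        print(pf_rule(pkt))
```

A GUI that asks for a port on a GRE rule can only ever store a placeholder; `flow_key` returns `None` as the key when the K bit is clear, which is the usual case and leaves just protocol, source and destination to match on.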