Recent posts

#1
Quote: "...I'm not sure what hardware brand or version of OPNSense you're running, but this also happened to me. I was just tinkering with it today. I have a Lenovo M720q Tiny as well as a M715q Tiny. The beep can be heard on the M715q but not on the M720q..."


I'm running a Lenovo® M90n-1 Nano and encountered the same problem: No friendly OPNsense beeps on startup/shutdown. Definitely mission-critical, couldn't let it go unaddressed.

After some poking around I got it fixed. There were three separate problems:

  • Two different versions of the "beep" binary, one of which doesn't work on my system.
  • The opnsense-beep shell script calling the wrong (non-functional) version of "beep."
  • The OPNsense start/stop beep sound definition files contain beep durations as bare integers, which are interpreted as "centiseconds" by one version of beep but as "milliseconds" by the other.

There are, for whatever reason, multiple versions of the "beep" binary on my system (25.7.8). (As best I can tell, it looks like one might use /dev/speaker and the other version uses /dev/dsp instead?)

Each of these versions has different command-line options, and only one of them (/usr/bin/beep) actually makes sounds on my system.
root@router:~ # ls -al /usr/bin/beep
-rwsr-xr-x  1 root wheel 10088 Nov 24 23:26 /usr/bin/beep
# This version interprets tone-length integers as millisecond values, and it works (makes beep noises) on my system.

root@router:~ # ls -al /usr/local/bin/beep
-r-xr-xr-x  1 root wheel 7584 Jul 21 16:21 /usr/local/bin/beep
# This version interprets tone-length integers as centi-second values, and it doesn't work (no sounds) on my system.


The /usr/local/sbin/opnsense-beep script, as-shipped, calls /usr/local/bin/beep.

So I altered the script to call the other version of beep instead, also altering the command-line flags as required.

root@router:~ # diff opnsense-beep opnsense-beep-ORIGINAL
69c69
<         /usr/bin/beep  -F "${NOTE}" -D "${DURATION}" -g 100
---
>             /usr/local/bin/beep -p "${NOTE}" "${DURATION}"
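Review bot: the diff is taken as `diff opnsense-beep opnsense-beep-ORIGINAL`, so the `<` line is the modified script and the `>` line is the shipped one; anyone applying this as a patch has to reverse the direction. The new call passes `${DURATION}` unchanged to `-D`, which /usr/bin/beep reads as milliseconds, while the shipped tune files were written in centiseconds for /usr/local/bin/beep, so this hunk alone does not produce working beeps until those files are adjusted as well. The replacement line is also indented differently (8 versus 12 spaces) from the line it replaces, which makes the diff noisier than a one-line change needs to be.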


But after doing this, while I could type, say, /usr/bin/beep -F 1000 -D 100 from the command line and it would work fine, the opnsense-beep script still wasn't working.

I finally checked the beep-sound definition files in /usr/local/etc/opnsense-beep.d/* and found them to have DURATION lengths of "25". Those lengths were meant for /usr/local/bin/beep, which takes tone lengths in units of centi-seconds (hundredths of a second).


As it turns out, on this system (and perhaps many others in the Lenovo™ "tiny" series?), the minimum beep duration that can be used with /usr/bin/beep is 50 ms.  Once I changed all the individual sounds in the /usr/local/etc/opnsense-beep.d/* tune definition files to >= 50 ms, my modified version of /usr/local/sbin/opnsense-beep worked fine. (I found that using a 75 ms tone length makes the closest approximation to the OPNsense beep sequences I'm accustomed to on other systems.)



FWIW, here are the audio devices as-reported on my system:

root@router:~ # cat /dev/sndstat
Installed devices:
pcm0: <Realtek ALC235 (Analog 2.0+HP/2.0)> (play/rec) default
pcm1: <Intel Kaby Lake (HDMI/DP 8ch)> (play)
No devices installed from userspace.
#2
For others who run into this issue: it is caused by setting a Chromium flag.


If you set it wrong, you will get this problem on selection boxes where the browser can't guess the autofill.
#3
They are from 25.10

#4
Zenarmor (Sensei) / Zenarmor BF Sale
Last post by charles.adams - Today at 03:42:44 AM
There was a BF sale last year. Do you think there will be another one this year?
#5
25.7, 25.10 Series / Re: Using Adguard Home and DNS...
Last post by OPNenthu - Today at 03:28:55 AM
Quote from: JMini on Today at 02:28:12 AM: "Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request."

You can configure Unbound as a DoT forwarder.

If your threat model involves preventing your ISP collecting your DNS queries then I think that's a good reason not to use any kind of plain DNS, such as Unbound in recursive mode.  However it's not as simple as that.  You have to trust that your DoT provider isn't colluding with other entities to share or sell your data.  Furthermore, the encryption between you and the provider is not infallible; certificates can be spoofed.  If you're not using a VPN then the ISP can anyway infer your DNS queries by just timing your connections to web servers.  If you are using a VPN, then you are again giving all the data to a single entity who may sell/share it on (and as we see playing out now, governments are increasingly pushing to weaken VPNs).

There's no privacy.  It's just a matter of who you wish to share with and what features you need.  For instance, Quad9 offers malware filtering based on threat intelligence which you may decide is a valuable tradeoff for giving them your DNS queries.
#6
General Discussion / new setup cannot reach line sp...
Last post by muusemuuse - Today at 03:05:01 AM
I've set up a Fedora server and threw OPNsense into a VM on it.  The system has a Ryzen 5800XT CPU and a dual-port Intel i226-V NIC installed.  I have pinned 2 CPU cores to the OPNsense VM and fed 1 thread from each core to the VM.  The WAN port is passed to the VM via direct attachment (bridge right now, though I will probably change that to private) and the LAN port uses Linux bridges for the untagged traffic as well as the VLAN ports on it.  The plan is to pass them all as separate interfaces into OPNsense, then tell the host to grab an IP on whatever bridge I need it to talk to.

OPNsense is configured right now to only use the WAN and LAN ports.  I haven't set up the VLAN interfaces yet.  Firewall rules are still defaults.

My internet connection speed is 1000 down/40 up, but in this configuration I can only hit 670 down/40 up on speedtest.net from a client device on the network.  I tried doing this bare metal for comparison and it hit 824/40.  Connecting a MacBook to the modem directly got me to 916/40. I'm using virtio since passthrough is just not going to happen with this crappy motherboard, but supposedly that should be fine.

I know there's going to be some overhead with this, and I haven't done any performance tuning yet because I'm still testing out basic functionality first, but this seems a bit severe.  I have clearly overlooked something, but I'm stumped as to what I'm missing.

I checked the "read me first" posts on here.  I saw there were some mitigations I could disable in OPNsense and did try that, but no change.  There is a firmware update possibly out there for this NIC, but the Linux host has custody of the NIC and it's not telling me what version firmware it has on it.  That update seems to be more about stability than performance anyway, and I'm getting stable connections, just not performant ones.

What am I overlooking?
#7
25.7, 25.10 Series / Re: Using Adguard Home and DNS...
Last post by JMini - Today at 02:28:12 AM
Does Unbound use DOH/DOT to send the request to the resolvers? Because the DNS req will still go through my ISP. So even though they're not serving the DNS request themselves, they can still see the unencrypted DNS request.
#8
25.7, 25.10 Series / 25.7.8 Reporting -> Unbound DN...
Last post by irrenarzt - Today at 12:51:44 AM
First off, thank you for the latest update! It looks like a lot of work went into this one, which we all appreciate.

I have a very minor issue noticed after this update, and want to confirm whether it's an actual bug or if it's a *me* problem. Prior to 25.7.8 if I went to Reporting -> Unbound DNS -> Top blocked domains, it would display the full name of the block list used to block a domain. However, after 25.7.8, mine is displaying an awkward "hgz005" instead of the full name. Anyone else seeing this?

I have unchecked and then reapplied the block lists to see if that would restore it, but it did not.
#9
General Discussion / TUI for viewing and analysing ...
Last post by allddd - Today at 12:48:37 AM
Hi everyone

Since I couldn't find a simple way to quickly analyse filter logs, I've been writing a TUI in Go for this over the past few months. It's come a lot further than I first expected, so I decided to share it in case anyone else needs something like this.

It's called opnsense-filterlog and it's basically a TUI similar to a pager like less in terms of navigation, but with color output and search/filtering features that are better suited for firewall logs. The filter syntax is similar to tcpdump and pretty simple, but still lets you filter out all log entries you (don't) want to see, e.g.:

(src 192.168.1.1 or src 192.168.1.2) and action block and not proto udp

It's a simple binary with no dependencies that runs on OPNsense itself. I tried to make it as memory and resource efficient as possible, so it should be able to handle huge log files, even on low-spec devices.

In case anyone is interested, there is more documentation in the repo: https://gitlab.com/allddd/opnsense-filterlog

Figured I'd share this here, maybe it'll save someone a bit of time digging through logs.
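The filter expression quoted above (src, action and proto predicates joined by and/or/not with parentheses) is a small boolean language. As an added illustration of how such a filter can be compiled and run over log entries, the Go program below is not code from opnsense-filterlog; the repo's own grammar, field names and record type are not shown on this page, so the keyword set (src, dst, action, proto), the precedence rules (not, then and, then or, as in tcpdump) and the map-based record shape are all assumptions made here. A recursive-descent parser turns the expression into a matcher closure, rejects trailing or missing tokens instead of silently ignoring them, and is run over constructed sample records.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a log record reduced to the fields the filter names (constructed shape; real filterlog lines carry many more).
type Entry map[string]string

// Matcher is a compiled filter expression evaluated against one Entry.
type Matcher func(e Entry) bool

// parser is a recursive-descent parser over a token list; syntax errors panic and Compile recovers them.
type parser struct{ toks []string }

// next consumes and returns the next token, or "" at end of input.
func (p *parser) next() string {
	if len(p.toks) == 0 {
		return ""
	}
	t := p.toks[0]
	p.toks = p.toks[1:]
	return t
}

// expr := term ("or" term)*   term := factor ("and" factor)*
// "or" binds loosest and "and" tighter, both left-associative, as in tcpdump.
func (p *parser) expr() Matcher { return p.binary("or", p.term, func(a, b bool) bool { return a || b }) }
func (p *parser) term() Matcher { return p.binary("and", p.factor, func(a, b bool) bool { return a && b }) }

func (p *parser) binary(op string, sub func() Matcher, join func(a, b bool) bool) Matcher {
	left := sub()
	for len(p.toks) > 0 && p.toks[0] == op {
		p.next()
		l, r := left, sub()
		left = func(e Entry) bool { return join(l(e), r(e)) }
	}
	return left
}

// factor := "not" factor | "(" expr ")" | field value
func (p *parser) factor() Matcher {
	t := p.next()
	switch t {
	case "not":
		inner := p.factor()
		return func(e Entry) bool { return !inner(e) }
	case "(":
		inner := p.expr()
		if p.next() != ")" {
			panic(fmt.Errorf("missing closing parenthesis"))
		}
		return inner
	case "src", "dst", "action", "proto":
		want := p.next()
		if want == "" || want == "and" || want == "or" || want == ")" {
			panic(fmt.Errorf("missing value after %q", t))
		}
		return func(e Entry) bool { return e[t] == want }
	}
	panic(fmt.Errorf("unexpected token %q (or end of filter)", t))
}

// Compile tokenizes and parses a filter; trailing tokens are an error so a typo cannot silently widen the selection.
func Compile(filter string) (m Matcher, err error) {
	defer func() {
		if r := recover(); r != nil {
			m, err = nil, fmt.Errorf("filter %q: %v", filter, r)
		}
	}()
	spaced := strings.NewReplacer("(", " ( ", ")", " ) ").Replace(filter)
	p := &parser{toks: strings.Fields(strings.ToLower(spaced))}
	m = p.expr()
	if len(p.toks) != 0 {
		panic(fmt.Errorf("unexpected trailing token %q", p.toks[0]))
	}
	return m, nil
}

// Sample is a constructed set of records, not output captured from a firewall.
var Sample = []Entry{
	{"action": "block", "proto": "tcp", "src": "192.168.1.1", "dst": "10.0.0.5"},
	{"action": "block", "proto": "udp", "src": "192.168.1.1", "dst": "10.0.0.53"},
	{"action": "pass", "proto": "tcp", "src": "192.168.1.2", "dst": "10.0.0.5"},
	{"action": "block", "proto": "icmp", "src": "192.168.1.2", "dst": "10.0.0.9"},
}

func main() {
	m, err := Compile("(src 192.168.1.1 or src 192.168.1.2) and action block and not proto udp")
	if err != nil {
		panic(err)
	}
	for _, e := range Sample {
		if m(e) { // selects the first and last sample records
			fmt.Println(e["action"], e["proto"], e["src"], "->", e["dst"])
		}
	}
}
```

Two design points matter for a log-analysis tool: the parser fails closed on malformed input (a dangling "and", an unbalanced parenthesis or a stray token is an error rather than a filter that quietly matches more than intended), and the compiled matcher is a plain closure, so a multi-gigabyte log can be streamed through it one record at a time without building an intermediate structure.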
#10
25.7, 25.10 Series / Re: Code quality reminder for ...
Last post by meyergru - Today at 12:29:36 AM
If you need production quality, you should either consider delaying upgrades until the first glitches have been ironed out, or - even better - get a business license, where the code has had the chance to mature another few months over the community edition.

OPNsense CE, like many open-source products, is a trade-off: you get it for free, yet you are volunteering to test.