Recent posts

#1
25.7, 25.10 Series / Re: Protocol hopopt
Last post by doktornotor - Today at 10:50:35 AM
Well, I would like to resurrect this topic. My problem is not that it is not allowed; my problem is that it is not allowed, but it is impossible to create a manual rule to block HOPOPT without logging, which in my case leads to tons of log spam. The only option is to disable the default deny rule logging, which is sort of suboptimal.

The reason for this being (at least as far as the GUI is concerned) that the protocol is commented out in /etc/protocols (presumably since it conflicts with the IP "pseudoprotocol" 0).

Additionally, the traffic is misidentified in the firewall logs due to the same /etc/protocols issue...

Does someone have a workaround for this? (Yeah, I realize this has basically been an upstream problem in libc since forever.)

#2
German - Deutsch / Re: Nginx - custom Headers
Last post by mm2023 - Today at 10:30:54 AM
Yes, that will be the case. However, there is no other way to do it, because the Nextcloud being addressed listens on port 11000 and gets its SSL certificate externally from nginx. So for the encrypted connection to be established, it has to be routed through nginx.
#3
Tutorials and FAQs / Internet access problems
Last post by Jebecca - Today at 09:52:36 AM
Hi all,
This learning curve is a lot steeper than I expected. It's been almost three weeks now that I have been trying to get things set up, but I still don't have internet access. The system is as follows:
bare metal installation of OPNsense on an HP EliteDesk 800 G3 with an HP NC365T 4-port Ethernet adapter, giving a total of five interfaces: em0 WAN, igb1 LAN, igb2 MGMT, igb0 & igb3 SPARE. At present the spare interfaces have not been enabled but may be assigned to a LAGG in the future. The VLANs have igb2 as their parent and are vlan 10 TRUSTED, vlan 20 IOT, vlan 30 GUESTS, vlan 40 SECURITY, vlan 50 DMZ, vlan 60 STORAGE, vlan 99 MGMT. The same VLANs are set up in a Cisco 3750G switch. There is a second HP EliteDesk 800 G4 with a bare metal installation of Proxmox, but at the moment I have left it turned off. When I check Firewall/Log Files/Live View, all the entries are green, but they are all Interface WAN Out UDP. Would this indicate that the internet access problem is not being caused by OPNsense?
#4
Hi all,
I just came out of a session of getting 400: Bad Request answers from my captive portal because I configured the KEA DHCP server as described at https://docs.opnsense.org/manual/kea.html, binding the control agent to port 8000. The 400 error came because the Captive Portal and the KEA control agent were running on the same port. As it is likely irrelevant on which high port the KEA agent runs, it would be helpful for fellows not to run into the same issue if the example showed a port (for example 8080) which is not used by the default installation of OPNsense.
Just as a hint. Does this make sense?

Greetings
Wolfgang
#5
German - Deutsch / Re: 'Migration Assistant ' der...
Last post by knebb - Today at 07:52:05 AM
The (old) menu will surely be dropped at some point anyway. The migration worked wonderfully, but now of course I have two entries in the menu: "Rules [new]" and "Regeln".

Yes, it's absolutely not important, but does anyone know the roadmap for when this will look "proper" again, i.e. the right language and no two entries when one of them is redundant?

/KNEBB
#6
Hi
I set up all traffic to be passed through NordVPN using WireGuard, according to the guide linked below:
https://sysadmin102.com/2025/01/opnsense-wireguard-nordvpn-setup/

It works fine, but every few weeks the internet completely stops working and the NordVPN gateway shows as offline. To fix this, I just go through the same guide and update the IP endpoint for the NordVPN server to get everything working again. Is there a way to make it so that the rules are disabled if the internet doesn't work due to the gateway being offline? Or is there a way to fix the NordVPN server more permanently so that I don't need to constantly regenerate a new gateway every few weeks?

TIA
#7
26.1 Series / Re: CALL FOR TESTING: Multi-dh...
Last post by Maurice - Today at 04:40:43 AM
I applied the patch to 26.1.3. Unfortunately, it doesn't work for me. dhcp6c fails to acquire an address (IA_NA) on the secondary WAN, and sometimes fails completely (no address on both WANs and no prefix delegation on WAN 1).

One thing I noticed in packet captures is that the IAID is now set to 0 for both WAN interfaces. That's not supposed to happen, each interface must have a distinct IAID. Not sure whether this is the root cause, but it's plausible because in my case, both WAN interfaces are served by the same upstream DHCPv6 server.

Without the patch, dhcp6c uses a distinct IAID for each interface. Had to roll back the patch. Happy to test again when unique IAIDs are back.

Config WAN 1:
<if>vtnet0</if>
<descr>WAN_GPON</descr>
<enable>1</enable>
<lock>1</lock>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<mtu>1492</mtu>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-ia-pd-len>8</dhcp6-ia-pd-len>

Config WAN 2:
<if>vtnet1</if>
<descr>WAN_LTE</descr>
<enable>1</enable>
<lock>1</lock>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-ia-pd-len>none</dhcp6-ia-pd-len>

Cheers
Maurice
#8
26.1 Series / When will "how to" topics be u...
Last post by RickNY - Today at 04:00:14 AM

For example -- https://docs.opnsense.org/manual/how-tos/multiwan.html

When will topics like these be updated to reflect the changes in firewall rules in v26?
Can these be entered as rules under the old system and then migrated to the new one?

Thanks
#9
26.1 Series / Re: link local address being a...
Last post by OzziGoblin - Today at 03:12:56 AM
I think I resolved this. It appears to be because "Allow manual adjustment of DHCPv6 and Router Advertisements" wasn't selected on the interface and, for some reason, "Enable DHCPv6 server on LAN interface" was enabled in the DHCPv6 ISC setting for each interface.

Name resolution is now working, but ping for ipv6 addresses is still erratic.

Maybe this will help someone else.
#10
26.1 Series / Re: fixed rule window size
Last post by nero355 - Today at 02:53:07 AM
Quote from: OPNenthu on Today at 02:33:14 AM
TBH, I was intrigued when I saw a comment from franco the other day that OPNsense supports mobile. I never even imagined trying..
I have used it once to tell a couple of guys to "bugger off" in a friendly way when they started asking a very stupid question : "Now that you no longer have any UniFi Router how do you update it from your phone ?"

#FacePalm...

For some people it's like their web browser died the same day that they discovered stupid apps for every damn simple basic thing! LOL!

And the actual joke is that I have never used any kind of UniFi related app! ^_^