"Recent posts
#1
Virtual private networks / RouterOS IKE/IPSec Peer
Last post by tbk49 - Today at 09:23:59 PMI am looking for a howto/guide/advice on setting up IPSec between OPN and ROS using digital certs, so would welcome your feedback about this.
#2
26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...
Last post by allan - Today at 09:04:26 PMQuote from: Monviech (Cedrik) on Today at 09:06:36 AMI feel like you ran into this here:
https://github.com/opnsense/plugins/pull/5102
Sounds like an external Bind server might be better, I don't know if this can be reasonably fixed in the plugin.
If your workarounds work, well, that's good though, nice job figuring this all out.
Thank you! This is indeed what I am bumping into. I wonder if it is possible to write DDNS changes into a separate zone file. That way, the journal can monitor that file instead.
#3
26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...
Last post by Monviech (Cedrik) - Today at 08:07:47 PMMost users also want to use Unbound statistics or blocklists by subnet and then it would only show Dnsmasq as its only client (127.0.0.1)
Unbound cannot use magic like dnsmasqs "add-subnet" or "add-mac" which extract the real IP address of the client when the request is forwarded by another dns server.
So having Unbound as main entry point has more benefits.
Also the project owner simply calls it "dnsmasq" https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
Unbound cannot use magic like dnsmasqs "add-subnet" or "add-mac" which extract the real IP address of the client when the request is forwarded by another dns server.
So having Unbound as main entry point has more benefits.
Also the project owner simply calls it "dnsmasq" https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
#4
French - Français / Re: Ouverture de ports pour IP...
Last post by NEOSA - Today at 07:07:34 PMBonjour,
Il faut également une règle de firewall pour autoriser le trafic entrant sur l'interface WAN : un Destination NAT seul ne suffit pas, il faut aussi une règle de firewall ;-)
Le NAT et les règles de filtrage (Firewall) sont deux choses distinctes : Si vous créez une règle de Destination NAT (Port Forward) sans règle de pare-feu correspondante, le paquet sera correctement traduit vers l'IP de votre serveur local, mais le pare-feu le bloquera immédiatement après.
Ci dessous, exemple de trafic bloqué AVANT application d'une règle firewall à destination du port TCP:5000 sur l'interface WAN et AUTORISÉ après la mise en œuvre de la règle de firewall.
You cannot view this attachment.
Il faut également une règle de firewall pour autoriser le trafic entrant sur l'interface WAN : un Destination NAT seul ne suffit pas, il faut aussi une règle de firewall ;-)
Le NAT et les règles de filtrage (Firewall) sont deux choses distinctes : Si vous créez une règle de Destination NAT (Port Forward) sans règle de pare-feu correspondante, le paquet sera correctement traduit vers l'IP de votre serveur local, mais le pare-feu le bloquera immédiatement après.
Ci dessous, exemple de trafic bloqué AVANT application d'une règle firewall à destination du port TCP:5000 sur l'interface WAN et AUTORISÉ après la mise en œuvre de la règle de firewall.
You cannot view this attachment.
#5
26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...
Last post by nero355 - Today at 07:01:02 PMQuote from: Monviech (Cedrik) on Today at 09:06:36 AM@cinergiNow that you mention it...
Keeping it simple in your setup sounds indeed like the best plan. The configuration we recommend is this:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
Good choice :)
Why is this :
Quote from: cinergi on Today at 03:04:45 AMSo it's dnsmasq --> Unbound.Not the default setup ?!
When using DNSmasqd for DHCP and DNS it would be a lot more easier for a lot of people if Unbound was not used as the Primary DNS Resolution and instead just for talking to the Root DNS Servers after DNSmasqd sends it a DNS Query made by a Client on a local network.
#6
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by nero355 - Today at 06:47:47 PMQuote from: meyergru on Today at 07:02:58 AMYes, of course, just because when OpnSense is itself involved, iperf3 runs on top of the actual routing.But I still don't get it :
A connection between OPNsense and a Client talking directly to it involves 0,0 routing ?!
Why would that be slower than the speed between two random Clients that are let's say connected to the same Default LAN network of OPNsense ?
QuoteWell, "on the same subnet" is incorrect, of course, because OpnSense would not be involved at all if the traffic were between two clients on layer 2.Again :
OPNsense Default LAN network : 192.168.1.0/24
The speeds between :
OPNsense 192.168.1.1 <----> Random Client using Windows/Linux/MacOS/*BSD 192.168.1.22
And :
Random Client using Windows/Linux/MacOS/*BSD 192.168.1.22 <----> Random Client using Windows/Linux/MacOS/*BSD 192.168.1.42
Should always be the same in my opinion.
If that's not the case I would like to know why they are not/why you personally think they are not ?!
QuoteYou may know, but the OP did not state how exactly the measurements were taken, which is why I pointed it out again. RSS will not do any good with just one connection.It looked like he knows what he is doing so I decided to have a little trust in my fellow OPNsense user :)
#7
26.1, 26,4 Series / Re: Gratitious ARP from ISP ca...
Last post by Seimus - Today at 05:24:32 PMThe logs from OP,
This is a symptom of mobility, e.g IP movement. If it happens like (floods) this there are few possibilities:
1. Misconfiguration on the peer side
2. Duplicate IP
3. If they are using a redundancy protocol, VRRP, HSRP etc. the connection between the two ISP routers could flap triggering failovers
Regards,
S.
This is a symptom of mobility, e.g IP movement. If it happens like (floods) this there are few possibilities:
1. Misconfiguration on the peer side
2. Duplicate IP
3. If they are using a redundancy protocol, VRRP, HSRP etc. the connection between the two ISP routers could flap triggering failovers
Regards,
S.
#8
26.1, 26,4 Series / Re: Gratitious ARP from ISP ca...
Last post by franco - Today at 04:44:59 PMCode Select
rc.configure_interface is highly suspicious. This isn't a low level operation and it's also not carried out multiple times in the same second by us.Can you check dmesg?
Cheers,
Franco
#9
26.1, 26,4 Series / Re: What happened to the plugi...
Last post by franco - Today at 04:40:15 PMMaintenance reasons... being able to show core-supported (tier 1) or documentation-supported (tier 2) plugins without showing all the others. There is some overlap in functionality and it's better to enforce the boundary.
Cheers,
Franco
Cheers,
Franco
#10
26.1, 26,4 Series / Re: What happened to the plugi...
Last post by Patrick M. Hausen - Today at 04:17:12 PMWhy was this switch introduced in the first place? This must be the most frequent support request on the forum, currently. IMHO the old UI wasn't broken ;-)
