Recent posts

#21
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by franco - Today at 02:12:40 PM
> Just following up that I still see a memory leak in dnsmasq even after a reboot and an update to 25.7.10.

I don't think it's surprising given the fact that the binary did not change.


Cheers,
Franco
#22
German - Deutsch / KEA DHCP4 - No setting ...
Last post by paperware - Today at 02:10:15 PM
I switched to KEA DHCP4; my HomeLab has 6 subnets. KEA DHCP4 hands out the interface address of each subnet as the DNS server.
I haven't found anything in the KEA DHCP4 settings where I can specify my DNS server. Only when I create static entries (reservations) can I pass along the DNS server.
Am I missing something?
#23
You have a domain with a wildcard certificate, but of course a separate entry with its own handler for each subdomain. Usually there are completely different applications on different backend servers behind each of them, and possibly different access rules as well.

So: this is exactly how it is intended.
#24
German - Deutsch / Caddy wildcard certificate and ...
Last post by observing0436 - Today at 01:55:38 PM
OPNsense version: 25.7.10

Hello everyone,

I have been using Caddy as my reverse proxy for quite a while, including for targets that are only reachable internally. For that I use a wildcard certificate. Accordingly, I have also configured a wildcard domain and subdomains via the OPNsense GUI.

However, the resulting JSON file does not match the pattern on the Caddy website (https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates)

Here is an example:
Wildcard domain: https://*.example.com
Subdomains: foo.example.com and bar.example.com

Expected output (excerpt, possibly with syntax errors!):
*.example.com {
	tls /usr/local/etc/caddy/certificates/68359499ac11f.pem /usr/local/etc/caddy/certificates/68359499ac11f.key {
	}

	@foo host foo.example.com
	handle @foo {
		reverse_proxy 192.168.13.1
	}

	@bar host bar.example.com
	handle @bar {
		reverse_proxy 192.168.13.1
	}

	# Fallback for otherwise unhandled domains
	handle {
		abort
	}
}

Actual output (excerpt):
*.example.com {
	tls /usr/local/etc/caddy/certificates/68359499ac11f.pem /usr/local/etc/caddy/certificates/68359499ac11f.key {
	}
}

foo.example.com {
	handle {
		reverse_proxy 192.168.13.1 {
		}
	}
}

bar.example.com {
	handle {
		reverse_proxy 192.168.13.1 {
		}
	}
}

The actual output makes little sense to me, because then I have to configure everything separately for each subdomain anyway (e.g. access).

Is this possibly a bug, or is it intended?

Best regards
Mike
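As an added example (not from Mike's post and not what the OPNsense Caddy plugin generates), here is a complete Caddyfile in the single-wildcard-block form from the Caddy docs linked above, extended with one shared access rule so that the "configure access once for all subdomains" point is visible. The hostnames, certificate paths, backend address and the LAN range 192.168.13.0/24 are assumptions for illustration.

```caddyfile
# Added example, not the original poster's config or the os-caddy plugin's
# output. All hostnames, paths, addresses and the LAN range are assumed.
*.example.com {
	# TLS is terminated once for the whole wildcard with one cert/key pair
	# (paths assumed to match the poster's layout).
	tls /usr/local/etc/caddy/certificates/68359499ac11f.pem /usr/local/etc/caddy/certificates/68359499ac11f.key

	# Shared access rule: evaluated before any subdomain handler, so it
	# applies to foo, bar and every other name under the wildcard.
	@not_lan {
		not remote_ip 192.168.13.0/24
	}
	handle @not_lan {
		respond 403
	}

	# One named host matcher and handler per subdomain; only these two
	# names are routed to a backend.
	@foo host foo.example.com
	handle @foo {
		reverse_proxy 192.168.13.1
	}

	@bar host bar.example.com
	handle @bar {
		reverse_proxy 192.168.13.1
	}

	# Fallback: any other name that matches the wildcard is not served at
	# all (connection closed), so the wildcard cert never fronts an
	# unintended backend.
	handle {
		abort
	}
}
```

Caddy evaluates `handle` blocks in the order written when none of them uses a path matcher, so the `@not_lan` block must stay first. The check before reloading is `caddy validate --config /path/to/Caddyfile --adapter caddyfile`. In the per-site form the plugin emits, the same `@not_lan` block would have to be repeated inside every subdomain's site block, which is exactly the duplication the post describes.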
#25
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by muchacha_grande - Today at 01:35:01 PM
Quote from: OPNenthu on Today at 02:45:27 AM
> They don't show up in Leases, but they do get added to DNS and I presume also marks that IP as reserved from the pool.

This is what I couldn't make work. When the IPs are fixed they don't respond to DNS queries.

Will redefine my DHCP ranges better.
#26
German - Deutsch / Re: ISC DHCP - newly created N...
Last post by observing0436 - Today at 01:27:35 PM
Go to an ISC DHCP entry for another interface and, in your browser's address bar, replace the interface identifier in the URL with the identifier of your new interface:
https://opnsense.xxxxxx.de/services_dhcp.php?if=opt5

Then configure DHCP for the new interface and don't forget to save. After that it also shows up in the menu.
#27
General Discussion / Re: FIB/VRF support in OPNsens...
Last post by Fredouil - Today at 11:44:41 AM
Hello, I disagree with this analysis. I've lost count of the number of discussions where professionals say that if OPNsense supported VRF, they would immediately switch to that solution. I know many professionals who are reluctantly forced to turn to Fortinet, VYOS, or others because they have VRF or VDOM. I truly believe it would be a huge mistake to think this feature isn't important; it should be a priority. I'm giving you my analysis as an expert and professional who regularly meets with other professionals at trade shows.
#28
General Discussion / Re: Struggles scripting with t...
Last post by allddd - Today at 09:15:34 AM
Does it have to be a LAN host, or would it be OK for an external service to notify you?

You could use a service like https://healthchecks.io in combination with Monit. This would be even more reliable, since you would receive a notification regardless of whether you are currently using the system or not.

You can configure Monit to send an HTTP request to healthchecks.io every time a check is successful. If it fails for any reason, or if OPNsense cannot reach healthchecks.io at all, you will be notified. They offer a generous free tier; you can even receive calls and SMS.
#29
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by tdpolo26 - Today at 07:31:59 AM
Quote from: greY on Today at 05:52:39 AM
> Hi
> I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.

Yeah, I had that same idea today.... it's like when I switch the assignment, something remains em0.
#30
25.7, 25.10 Series / Re: Suricata IPS + Promiscuous...
Last post by greY - Today at 06:03:47 AM
I ended up having all WAN (1G) ports at queues=1 and all LAN (10G) ports at queues=2. I guess LAN ports could be set to 4 or 8; I just currently have no time for deeper tests, and performance seems to be the same as before.

It made everything work again. Especially with WAN ports at 4 I also had weird issues with gateway groups. It didn't matter whether in load balancing or failover mode, there were (unstable) connection issues to SSH targets.