Recent posts

#31
26.1 Series / Re: 26.1.1 MTU Issues on PPPoE
Last post by meyergru - Today at 03:08:26 PM
Quote from: abulafia on Today at 12:19:40 PM
same config (dual stack, IPv6 via PPPoE) gives me lower MTUs:

1. Same config as who?
2. Note the caveat to reboot after having applied the settings.
3. When you read the HOWTO closely, you will find that this does not work in all cases - especially, your ISP must support it. The safe value to set MTU to with PPPoE (regardless of VLAN) is 1492.
#32
26.1 Series / Re: 26.1.1 MTU Issues on PPPoE
Last post by Taunt9930 - Today at 03:00:23 PM
Thanks Meyergru - maybe I'll try replicating your settings, minus the VLAN as that is not required.

That being said, setting the WAN MTU on the first page to 1508 directly was enough up until now (after it changed where you didn't need to separately set up the parent interface) - it seems something has changed in 26.1 that means the more detailed setting might be required....
#33
25.7, 25.10 Series / Re: System: Settings: General ...
Last post by franco - Today at 02:38:47 PM
Yes, you only need this when you already have manual servers listed there. DNS servers (and monitoring IPs) should not overlap between gateways. This ensures that each DNS server stays on its own WAN connection. The underlying cause is that host routes are set up for each one and you cannot connect the same IP over two different gateways.


Cheers,
Franco
#34
German - Deutsch / Re: Different gateway for the Sq...
Last post by bamf - Today at 02:38:25 PM
Is this not possible, or does nobody know how it is done?
#35
You can keep 127.0.0.1 and let Unbound (? probably) do its recursive thing using both WAN links according to the current routing table and state of the links.
#36
Exactly, both verify the same TXT record. Or rather, Let's Encrypt verifies that it is there and contains the right value.

With _acme-challenge.meinedomain.de you can issue a certificate for "*.meinedomain.de". That then works on both firewalls, regardless of where "opnsense.meinedomain.de" currently points. A wildcard is better because all issued certificates end up in a public database anyway. So not having your own FQDN in the certificate reduces the attack surface.
#37
General Discussion / Re: dnsmasq - no address range...
Last post by CaskAle - Today at 02:22:34 PM
Quote from: Mpegger on Today at 03:31:42 AM
I know the little help blurb for Interface says "If no interfaces are selected, Dnsmasq will listen on all available IPv4 and IPv6 addresses by default", but I find more often than not, that you have to add in or explicitly choose an option to make sure it actually works.

I could have worded that better. Yes, as you describe, I actually individually selected each interface except for the wan interface. I am going to try it again though just to make sure I didn't miss anything.
#38
German - Deutsch / Re: OPNsense Cluster and Let's...
Last post by TheExpert - Today at 02:19:21 PM
So, now I am one step further, but not yet at the goal. The TXT record for the DNS challenge gets added: The TXT record has been successfully added. But then the ACME client has so far been unable to verify the TXT record and therefore cannot request or renew the certificate.

This TXT record only serves to verify the DNS challenge, right? So the backup firewall node can do the challenge against the same TXT record, right? I originally had 2 TXT records set up (_acme1, _acme2), but the ACME client always wants to use the record named "_acme-challenge". So I have now created only the TXT record "_acme-challenge".
#39
We might have found the culprit. It was most likely due to a 'NULL' response from our server in one of the values of the license check. If anyone needs help, shoot us a message ;-)
#40
25.7, 25.10 Series / System: Settings: General - un...
Last post by Evert - Today at 01:59:08 PM
Hi,

We're in the process of setting up WAN failover (switch to 5G when/if the fibre connection craps out).

Until now we have
DNS server = 127.0.0.1
Use gateway = none
on System: Settings: General under 'DNS servers'.

However, the help text says: 'When using multiple WAN connections there should be at least one unique DNS server per gateway.'

What does that mean in practice? Or does this only apply when using the multiple WAN connections simultaneously?

Should I have 2 entries, one for each gateway? Or can I leave this setting unaltered?