Recent Posts

41

General Discussion / Re: Fresh installation, no ipv4, dns is fine

« Last post by dseven on November 23, 2024, 10:10:16 am »

Do a packet capture on your WAN interface (maybe for ICMP, while attempting to ping something on the internet), and see what's going out / coming back....

42

24.7 Production Series / Re: OPNsense crashes when accessing Dashboard

« Last post by dseven on November 23, 2024, 09:57:22 am »

My guess would be bad memory. Is it possible to take half the memory out, and see if the problem persists? (then try the other half)

43

24.7 Production Series / Re: Can not get on the Internet LAN Side, but OPNSense itself can Ping 8.8.8.8

« Last post by dseven on November 23, 2024, 09:44:57 am »

One-to-one NAT maps *ONE* external IP address to *ONE* internal IP address. 192.168.1.0 is one IP address, not a subnet. It happens to be a network address, not a host, so one-to-one NAT for it will not do anything useful.

If you need need an entire internal subnet to share one external IP address, use outbound NAT.

If you need to expose internal hosts to the internet, you could either use port-forwarding, or use some of your public IP addresses for 1:1 NAT, but you can't use a given public IP address for both outbound NAT and one-to-one NAT at the same time.

44

24.7 Production Series / Re: [Resolved]Wifi vlan 30 can't acces the internet

« Last post by bartjsmit on November 23, 2024, 09:43:05 am »

Good outcome from a security perspective as well. As dseven mentioned, having your policy enforced on only one device makes for easier management.

Hang around on this forum if you want to hone your networking skills 

45

German - Deutsch / Webserver WAN -> OpnSense -> S2S -> Server erreichen

« Last post by Speedy2024 on November 23, 2024, 09:18:22 am »

Guten Morgen,

ich habe zwei Standorte per S2S verbunden. Ein Standort (A) hat eine feste IP, der andere (B) eine dynamische.
Für meine Domain hinterlege ich als Record A Standort A. Sobald die Anfrage dort eintrifft, soll diese zum Webserver an Standort B weitergeleitet werden.

Wie realisiere ich das am besten?

Danke Euch.

46

24.7 Production Series / Re: Upgrading 24.1.10 to 24.7: kernel panic and reset (SYS-E300-9A-4C test setup)

« Last post by franco on November 23, 2024, 09:01:16 am »

Since -A is a persistent operation after grabbing the kernel from -A 24.7 we need to switch back to -A 24.1 to get the actual upgrade set link from 24.1's perspective, which may be newer than from -A 24.7 due to upgrade pinning (e.g. the packages go to 24.7.1 as far as I remember). It's not a day to day task.


Cheers,
Franco

47

24.7 Production Series / Re: Upgrading 24.1.10 to 24.7: kernel panic and reset (SYS-E300-9A-4C test setup)

« Last post by newsense on November 23, 2024, 08:29:08 am »

@nd2420

>>> # opnsense-update -ubp -A 24.1

I suspect this was a typo: 24.1 is nonsensical, should be 24.7 instead since you need to upgrade base and packages built for 24.7.x

DIsregard, 24.1 is correct after all.

48

General Discussion / Re: Adguardhome, NextDNS, ControlD etc....

« Last post by lebsack2 on November 23, 2024, 08:08:46 am »

How do encryption protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) enhance the security of DNS queries, and what limitations do they have regarding the privacy of data once it reaches the DNS provider?

49

German - Deutsch / Erfahrung mit IPU624S/IPU410S gegenüber DEC

« Last post by Koda on November 23, 2024, 08:05:54 am »

Guten Morgen

Hat schon jemand Erfahrungen mit den IPU624S/IPU410S?
Ich hätte gerne ein dediziertes Gerät und habe mit die DEC750/850 nochmals beliebäugelt da sie SFP+ ports haben.
Ich habe schon mehrfach gelesen das die beiden aber je nach Anwendung etwas schwach sein können.

Die beiden IPU624S/IPU410S von Juli 24 finde ich grad relativ interessant, kann aber nicht abschötzen ob sie ein Mehrwert bieten. Preislich sind sie ja sehr ähnlich wie die DEC Geräte.

50

24.7 Production Series / Re: IPsec IKEv2 EAP-MSCHAPv2 stopped working with iOS 18.1 update

« Last post by Slashing on November 23, 2024, 06:48:10 am »

Maybe someone will be interested, I use this config for my phones. Authorization via freeradius and certificate from letsencrypt. It works for several years without problems.

Code: [Select]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<key>AuthName</key>
<string>username</string>
<key>AuthPassword</key>
<string>verystrongpassword</string>
<key>AuthenticationMethod</key>
<string>None</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>20</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-384</string>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Low</string>
<key>EnableFallback</key>
<false/>
<key>EnablePFS</key>
<true/>
<key>ExtendedAuthEnabled</key>
<integer>1</integer>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>20</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-384</string>
</dict>
<key>LocalIdentifier</key>
<string>username</string>
<key>NATKeepAliveOffloadEnable</key>
<integer>1</integer>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
<string>SSID</string>
<string>SSID_1</string>
</array>
</dict>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>RemoteAddress</key>
<string>vpn.example.net</string>
<key>RemoteIdentifier</key>
<string>vpn.example.net</string>
<key>ServerCertificateCommonName</key>
<string>vpn.example.net</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<false/>
</dict>
<key>PayloadDisplayName</key>
<string>ikev2.home</string>
<key>PayloadIdentifier</key>
<string>net.example.vpn.conf1</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>cf6e0c93-a7f4-485b-90ff-7904668e68cd</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>ikev2.home</string>
<key>VPNType</key>
<string>IKEv2</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>ikev2.home</string>
<key>PayloadIdentifier</key>
<string>ikev2.home</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>7aadc059-c7c4-4034-ac96-e1b6ccb69b81</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>