Recent posts

#71
General Discussion / New Member With A Ton Of Quest...
Last post by timlab55 - Today at 01:04:55 AM
Hello everyone and thank you for letting me join. I have several questions about this software, what it can be run on, and setup. Yes, I've done my research on it, but I'm still unsure about whether it will help me out. My current setup is as follows: my Gateway is an ATT BG320-500, which I would have to give a 5 out of 10. It's better than the BGW290 that I had before.
Yes, I do have fibre optic (1GB) and love it. Then I have a switch that goes to my barn, my office (which has my full-time PC) and 2 Raspberry Pi 4s, and then to my Smart TV, and finally I have an NVR. Then going out to my barn, I have a variety of cameras (33 of them), as I live on 6 acres of a horse farm. My office PC is an i9 with lots of power, so I'm not going to go into that. About 1 month ago, I put my ATT Gateway into IP Passthrough as I wanted a router that could handle at least 50 connections. Well, the Netgear router that I purchased (RS300) did the trick, and I was happy as a lark until last week. I walked into my office and nothing worked. I called ATT and they pointed me in the right direction, but they offered the wrong stuff. They said I had my Gateway and router too close to each other. But that wasn't the problem, as I called Netgear and explained everything to them, and came to find out that their new policy is that any router they sell comes with a security patch that is a trial. So either I give them $300 for 6 months or $500 for a lifetime, and I said no thank you, and hung up.
Their software that came with it had something that I really enjoyed and that actually made me feel safe being online. It was called "Netgear Armour", or the other name was "Bitdefender". I wanted something that would block and scan at the router level and not the computer level. I chose Bitdefender because of the VPN and the ad blocking. So after I sent the Netgear router back, I purchased Bitdefender myself, but I'm not feeling too happy now. Why? Because Bitdefender was also inside the router and not loaded on every computer on my network. So now this is where OPNsense comes in, as I'm sort of understanding it, but I still have a ton of questions. Questions like: I know a Raspberry Pi will run it, but it's slow as it only has one port. So the new computer that I will be getting is a mini PC, but I'm not sure what kind would work. Then this mini PC should have wifi because of all the devices I have connected to Wifi now (cameras, wife's PC, tablet, phones). So this is where I'm lost, and now I need some help in getting the right stuff for my network.
I also noticed that I have 3 IP addresses in my table that I have no clue where they come from on the BG 320-500. I can't figure out how to delete them and block them for life. I'm sure OPNsense can do this. So is anyone right to help out a newbie?
The first question I have, is what type of hardware do I need? 
Thanks.
#72
General Discussion / Problem with upgrading package...
Last post by martinp - Today at 12:44:26 AM
Hi,

I'm quite new to OPNsense. I've downloaded and run the latest version directly on a good Intel i5 PC.

Versions
OPNsense 25.1-amd64
FreeBSD 14.2-RELEASE
OpenSSL 3.0.16

The issue I'm having is when attempting to download plugins, particularly os-ddclient; it keeps informing me to update, see below:

***GOT REQUEST TO INSTALL***
Currently running OPNsense 25.1 (amd64) at Sun May 11 23:37:20 BST 2025
Installation out of date. The update to opnsense-25.1.6_4 is required.
***DONE***

When I attempt to upgrade/update my firewall, I get the following errors. Using ChatGPT (yes, ChatGPT, because I don't know Linux very well), I eventually asked for the commands to install packages individually, so I got it down from 79 to 45 packages to install.

The process will require 17 MiB more space.
102 MiB to be downloaded.
[1/50] Fetching py311-sqlite3-3.11.12_10.pkg: ..... done
[2/50] Fetching py311-anyio-4.9.0.pkg: .......... done
[3/50] Fetching unbound-1.23.0.pkg: .......... done
008081E7723B0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:323:
[4/50] Fetching wpa_supplicant-2.11_5.pkg: .......... done
[5/50] Fetching py311-cryptography-44.0.2,1.pkg: .......... done
[6/50] Fetching php83-filter-8.3.20.pkg: ... done
[7/50] Fetching opnsense-update-25.1.6.pkg: ..... done
[8/50] Fetching hostapd-2.11_3.pkg: .......... done
[9/50] Fetching py311-pandas-2.2.3,1.pkg: .... done
pkg-static: cached package py311-pandas-2.2.3,1: missing or size mismatch, fetching from remote
[10/50] Fetching py311-pandas-2.2.3,1.pkg: ..... done
pkg-static: cached package py311-pandas-2.2.3,1: missing or size mismatch, cannot continue
Consider running 'pkg update -f'
Starting web GUI...done.
Fetching base-25.1.5-amd64.txz: ....... failed, signature invalid
***DONE***

I've been here before. I love what OPNsense is, but I've had issues in the past, so I thought I'd try again.

There is so much I would like to do with it, but I don't understand why I'm getting so many issues with a stable version?


Sorry for all of the info, would appreciate any help.


Thank you
Martin
#73
Thanks for explaining the quick vs non-quick rules and their processing order.

Quote from: OPNenthu on May 11, 2025, 01:37:53 AM
If you're using ISC, it registers automatic DHCP rules. Kea and Dnsmasq do it by default unless you disable the option in the service settings. I think there might be a nuance with Dnsmasq where it only auto-registers the DHCP rules if you select specific listen interfaces, but won't do it if you leave it on 'All' interfaces.

I am using KEA DHCP and I have the option to create firewall rules enabled, so this should not be a problem.

Quote from: OPNenthu on May 11, 2025, 01:37:53 AM
DNS rules may or may not be needed, depending on how you set up your access rules and where your DNS server is. If you have a typical "Allow any" rule and your DNS isn't on a blocked network, then probably not needed.

I think this might be the problem... Should I also have an "allow any" rule per interface, apart from the floating ones? And should this "allow any" rule be quick or non-quick?


Anyway, I am using a WAN PPPoE interface (VDSL) and several VLAN interfaces. No plain LAN, as OPNsense is virtualized and runs with one physical adapter only. Below are photos of my 3 firewall groups, the 4 floating firewall rules related to these groups, and the rules that are picked up by the vlan20 interface. There is also an "allow any" quick rule specific to that interface. If I remove/disable the "allow any" rule from the vlan20 interface, then access to the internet is blocked.


#74
Is anyone going to fix the version typo on the title of this thread?
#75
Quote from: IsaacFL on May 10, 2025, 06:06:56 PM
For reverse DNS, I added 2 additional forwards

Oh, wait. Does this mean that you cannot use dnsmasq only (for DHCP and DNS), if you want a working reverse DNS, in which case you have to use Unbound as well?
#76
25.1, 25.4 Production Series / Re: 26.1.6 - DNS/DHCP best pra...
Last post by tessus - May 11, 2025, 11:59:31 PM
Quote from: meyergru on May 09, 2025, 10:53:01 AM
With a lot of effort due to my big number of static reservations, I have now made the shift from ISC DHCP / Unbound to DNSmasq "only". Radvd is still in effect, since I use no DHCPv6. Thanks to ChatGPT for helping me to write the programs to extract the CSVs from the configuration XML for both the static reservations plus the DNS mappings and aliases.

@meyergru Any chance you could make these scripts available via a github repo?

I am currently using ISC DHCP / Unbound myself (only v4, no v6 at all) and I have been quite happy with it. Although the fact that ISC is no longer maintained is a pity and makes me slightly nervous.

However, I do have a high number of static mappings (as you have). I use around 20 VLANs, but most mappings are distributed between 3 of them. In my Unbound I have set about 18 overrides, with a select few of them having 2-3 aliases. (Thus those are not that hard to recreate manually if need be.)

One of the very few things that irked me for years has been the problem that I couldn't set a static mapping via an API call. e.g. when creating a VM via TF (or Pulumi, or whatever tickles your fancy, or even manually), it would be great to set a static mapping and when decommissioning the same VM, remove the mapping again. Afaik a lot of services got an API (kudos to the devs), but I haven't seen anything for ISC, thus moving to dnsmasq might be a good choice.
I seem to remember that a few years ago the devs were suggesting to migrate to Unbound from dnsmasq (or maybe this was just for one issue in one forum topic), but it seems now it's the other way around. I don't really mind, as long as there is some workable migration. By "workable" I mean in an automated fashion that does not require me to recreate all settings, DHCP ranges, static mappings, and whatnot manually.
On the other side, if it absolutely has to be, I probably can invest 5 or 6 hours to do all this manually. The problem is that this process is rather error prone - manual work always is.
I have also noticed that some VMs (even though they are sending a hostname) get a DHCP address (no static mapping) but are not registered in the DNS. I am not sure why this is happening, but I think this started with 25.1. Either way, moving to dnsmasq might fix that as well.

Anyway, long story short, it would be great to use scripts to migrate to test dnsmasq only. If it doesn't work as I hope, it should be fairly easy to restore a backup and just use ISC/Unbound for now...
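A starting point for the kind of extraction script asked about above, written as an added example for this page and not meyergru's actual scripts: it parses a configuration backup XML with Python's standard library, emits the static reservations and Unbound host overrides/aliases as CSV, and then cross-checks which reserved hostnames have no enabled A override (the "gets a lease but is not registered in DNS" symptom mentioned above). The XML is constructed for the example, and the element paths it relies on (dhcpd/<interface>/staticmap, OPNsense/unboundplus/hosts and aliases) are assumptions modelled on the general layout of a backup, not taken from this thread, so compare them against your own backup before trusting the output.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the layout of an OPNsense config backup:
# ISC DHCPv4 reservations under dhcpd/<interface>/staticmap, Unbound host
# overrides and aliases under OPNsense/unboundplus. The element names are an
# assumption for this example; check them against a real backup before use.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <dhcpd>
    <lan>
      <staticmap><mac>02:00:00:00:00:0A</mac><ipaddr>192.0.2.10</ipaddr>
        <hostname>nas</hostname><descr>Storage box</descr></staticmap>
      <staticmap><mac>02:00:00:00:00:0b</mac><ipaddr>192.0.2.11</ipaddr>
        <hostname>printer</hostname><descr/></staticmap>
    </lan>
    <opt1>
      <staticmap><mac>02:00:00:00:00:1a</mac><ipaddr>198.51.100.20</ipaddr>
        <hostname>cam01</hostname><descr>Barn camera</descr></staticmap>
    </opt1>
  </dhcpd>
  <OPNsense>
    <unboundplus>
      <hosts>
        <host uuid="constructed-1"><enabled>1</enabled><hostname>nas</hostname>
          <domain>home.arpa</domain><rr>A</rr><server>192.0.2.10</server></host>
        <host uuid="constructed-2"><enabled>0</enabled><hostname>old</hostname>
          <domain>home.arpa</domain><rr>A</rr><server>192.0.2.99</server></host>
      </hosts>
      <aliases>
        <alias uuid="constructed-3"><enabled>1</enabled><host>constructed-1</host>
          <hostname>files</hostname><domain>home.arpa</domain></alias>
      </aliases>
    </unboundplus>
  </OPNsense>
</opnsense>
"""


def text(el, tag):
    """Stripped text of a child element, or '' if the child is absent or empty."""
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def static_mappings(xml_text):
    """One row per DHCPv4 static reservation: (interface, mac, ipaddr, hostname, descr)."""
    root = ET.fromstring(xml_text)
    rows = []
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return rows
    for iface in dhcpd:                      # each child is an interface section
        for sm in iface.findall("staticmap"):
            rows.append((iface.tag, text(sm, "mac").lower(), text(sm, "ipaddr"),
                         text(sm, "hostname"), text(sm, "descr")))
    return rows


def unbound_overrides(xml_text):
    """Host overrides and aliases as (fqdn, rr, target, enabled); aliases become CNAME rows."""
    root = ET.fromstring(xml_text)
    rows, hosts_by_uuid = [], {}
    for host in root.iterfind("OPNsense/unboundplus/hosts/host"):
        fqdn = f"{text(host, 'hostname')}.{text(host, 'domain')}"
        hosts_by_uuid[host.get("uuid")] = fqdn
        rows.append((fqdn, text(host, "rr"), text(host, "server"), text(host, "enabled") == "1"))
    for alias in root.iterfind("OPNsense/unboundplus/aliases/alias"):
        target = hosts_by_uuid.get(text(alias, "host"), "?")   # alias points at a host uuid
        fqdn = f"{text(alias, 'hostname')}.{text(alias, 'domain')}"
        rows.append((fqdn, "CNAME", target, text(alias, "enabled") == "1"))
    return rows


def to_csv(header, rows):
    """Render rows as CSV text (write it to a file to feed a migration)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def check_consistency(mappings, overrides):
    """(reserved hostnames with no enabled A override, A overrides with no reservation)."""
    reserved = {hostname for _, _, _, hostname, _ in mappings if hostname}
    in_dns = {fqdn.split(".")[0] for fqdn, rr, _, enabled in overrides if rr == "A" and enabled}
    return sorted(reserved - in_dns), sorted(in_dns - reserved)


if __name__ == "__main__":
    maps = static_mappings(SAMPLE_CONFIG)
    ovr = unbound_overrides(SAMPLE_CONFIG)
    print(to_csv(("interface", "mac", "ipaddr", "hostname", "descr"), maps))
    print(to_csv(("fqdn", "rr", "target", "enabled"), ovr))
    print("reserved but not in DNS:", check_consistency(maps, ovr)[0])
```

The two CSVs are meant as the review artefact before any migration: diff them against what the new service ends up serving, and treat the consistency check's first list as the set of hosts that would silently lose their name if only the reservations were carried over.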
#77
General Discussion / Hardening DHCP
Last post by verfluchten - May 11, 2025, 11:48:58 PM
Is my understanding of https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol correct that the 'from' IPv4 address of the initial discovery and the first DHCP request from a DHCP client are always 0.0.0.0 and always from port 68/udp?

Next, I want to allow DHCP only from select MAC addresses, and they will include visitor devices. How can I discover MAC addresses to be manually allowed if they are not printed on the device or supplied by the visitor? Only by looking at the log for DHCPREQUEST ... from ... when the device is plugged in?
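As an added example (not part of the post above), a small Python script that does the log-based discovery the second question describes: it parses dhcpd-style DHCPDISCOVER/DHCPREQUEST lines, records which MAC asked on which interface (with the hostname when the client sent one), and lists the ones not yet on the allow list so they can be reviewed before being added. The log lines, MACs and hostnames are constructed for the example, modelled on ISC dhcpd's message format; adapt the regex if your server logs differently (Kea and dnsmasq use their own wording).

```python
import re
from collections import defaultdict

# Constructed log lines modelled on ISC dhcpd's message format
# ("DHCPDISCOVER from <mac> via <iface>",
#  "DHCPREQUEST for <ip> (<server>) from <mac> (<host>) via <iface>").
# MACs, addresses and hostnames are made up for this example, not a real capture.
SAMPLE_LOG = """\
May 11 22:01:03 fw dhcpd[1234]: DHCPDISCOVER from 02:00:00:00:00:0a via igb1
May 11 22:01:03 fw dhcpd[1234]: DHCPOFFER on 192.0.2.10 to 02:00:00:00:00:0a (nas) via igb1
May 11 22:01:04 fw dhcpd[1234]: DHCPREQUEST for 192.0.2.10 (192.0.2.1) from 02:00:00:00:00:0a (nas) via igb1
May 11 22:01:04 fw dhcpd[1234]: DHCPACK on 192.0.2.10 to 02:00:00:00:00:0a (nas) via igb1
May 11 22:05:41 fw dhcpd[1234]: DHCPDISCOVER from 02:00:00:00:00:2c via igb2
May 11 22:05:41 fw dhcpd[1234]: DHCPDISCOVER from 02:00:00:00:00:2c via igb2
May 11 22:06:10 fw dhcpd[1234]: DHCPREQUEST for 198.51.100.50 from 02:00:00:00:00:1a (cam01) via igb2
May 11 22:06:10 fw dhcpd[1234]: DHCPACK on 198.51.100.50 to 02:00:00:00:00:1a (cam01) via igb2
"""

# Only client-originated messages show that a device asked for a lease;
# OFFER/ACK lines are the server talking and are deliberately ignored.
CLIENT_MSG = re.compile(
    r"(?P<msg>DHCPDISCOVER|DHCPREQUEST)"
    r"(?: for (?P<ip>\d+\.\d+\.\d+\.\d+))?"      # requested address (REQUEST only)
    r"(?: \(\d+\.\d+\.\d+\.\d+\))?"              # server id in parentheses, if logged
    r" from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"                 # client hostname, if the client sent one
    r" via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_client_requests(log_text):
    """Return {iface: {mac: {"hostname": str|None, "messages": set, "count": int}}}."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = CLIENT_MSG.search(line)
        if not m:
            continue
        mac = m["mac"].lower()               # normalise case so allow-list lookups match
        entry = seen[m["iface"]].setdefault(
            mac, {"hostname": None, "messages": set(), "count": 0})
        entry["messages"].add(m["msg"].upper())
        entry["count"] += 1
        if m["host"]:
            entry["hostname"] = m["host"]
    return seen


def unknown_clients(seen, allowed_macs):
    """(iface, mac, hostname) for every client not on the allow list, sorted for review."""
    allowed = {a.lower() for a in allowed_macs}
    return sorted((iface, mac, info["hostname"])
                  for iface, clients in seen.items()
                  for mac, info in clients.items()
                  if mac not in allowed)


if __name__ == "__main__":
    allow_list = ["02:00:00:00:00:0a", "02:00:00:00:00:1a"]   # constructed allow list
    seen = parse_client_requests(SAMPLE_LOG)
    for iface, mac, host in unknown_clients(seen, allow_list):
        info = seen[iface][mac]
        print(f"{iface}: {mac} host={host} asked {info['count']}x via {sorted(info['messages'])}")
```

A device that only ever shows DHCPDISCOVER (like the second MAC on igb2 above) is one the server never answered, which is exactly what a MAC-based restriction looks like from the log side. On the first question: DHCPDISCOVER and the initial DHCPREQUEST are indeed sent from 0.0.0.0 with source port 68, but a client renewing an existing lease sends its DHCPREQUEST from the address it already holds, so a rule that only admits 0.0.0.0:68 would not cover renewals.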
#78
25.1, 25.4 Production Series / Re: dnsmasq DNS/DHCP Oddities/...
Last post by Drinyth - May 11, 2025, 11:04:06 PM
Quote from: bassopt on May 11, 2025, 04:20:17 PM
Hmmm, I have rebooted pfsense many times. What do you mean, reload firewall rules? That doesn't make much sense, even less practical.
Is the "DHCP register firewall rules" option really necessary?
To be honest the DNSMasq instructions are a bit confusing at the time.

If you have rebooted opnsense after making changes, your firewall rules will have reloaded as part of that reboot.

For my configuration (basic home network with a bunch of VLANs), setting "DHCP register firewall rules" was necessary. It wasn't necessary when I ran KEA, but dnsmasq must behave differently somehow to require those rules be there? Without those rules, DHCP services only worked intermittently where some devices were able to obtain an IP from the dnsmasq DHCP server, but others would not. After adding the firewall rules and reloading them, all those devices that would not connect previously started working.
#79
24.7, 24.10 Legacy Series / Re: Issue: DHCPv6 - Old DNS ip...
Last post by Mpegger - May 11, 2025, 11:00:33 PM
Quote from: gmartin on April 22, 2025, 03:28:10 AM
I'm having a similar issue. New OPNsense install and it appears the dhcpv6 is handing out the router IP as the DNS. I need it to be the pihole IPv6. How does one edit the config file?

You might want to check out "Confused about the DNS Configuration in OPNsense?". A lot of the information about setting up DNS properly in OPNsense is given there, even though it's not really a "how-to" or step-by-step guide. It's more of a better explanation of what each DNS setting available in OPNsense does, and how each setting affects other settings within OPNsense.

In case anyone is still wondering how to edit the config, simply download a configuration backup from 'System > Configuration > Backups', and open the .xml file in your favorite text editor. Make whatever changes you need to make, save, then restore the "new" configuration back in OPNsense.

Usual word of caution, if you don't know what you're doing in the configuration file, don't do it.
#80
Tutorials and FAQs / Re: Unbound DNS Guidance
Last post by baqwas - May 11, 2025, 10:47:48 PM
Thanks, @meyergru & @Vilhonator, for your patience & understanding. Your solution did the job for me.

Regards.