Recent posts

#81
26.1 Series / Re: Freeradius TLS max version...
Last post by jeekee - Today at 11:35:54 AM
Aah explains it. Thanks for the reply!
#82
So it is not Unbound which is answering with a wrong source address but AdGuard Home? That is a known bug in AdGuard Home and can be worked around just the same way.

Edit /usr/local/AdGuardHome/AdGuardHome.yaml:

dns:
  bind_hosts:
    - 127.0.0.1
  port: 53

And use the same port forward NAT rule as I already advised.
#83
General Discussion / Re: If you change the IP addre...
Last post by patient0 - Today at 11:19:09 AM
And is NAT set up on OPNsense8 for traffic leaving through NAT, e.g. with what IP does the ping arrive at OPNsense7 LAN 192.168.0.8?

Btw: To get to 192.168.0.8 there is not much routing necessary. The non-LAN traffic on OPNsense7 is sent to gateway 192.168.8.1/OPNsense8 and on OPNsense8 192.168.0.8 is an interface address.
#84
26.1 Series / Crowdsec plugin and updates? ...
Last post by rfox - Today at 11:17:39 AM
Just wondering about Crowdstrike updates - do we have to wait until the plugin maintainer updates the plugin or is there another way?

BTW - Updated to rules(New) and all is well ;-)

#85
26.1 Series / Re: dhcpctl.h:No such file or ...
Last post by franco - Today at 11:14:11 AM
Not sure, now we've changed the goal post?

Could this be a box where the CMOS battery is empty?


Cheers,
Franco
#86
26.1 Series / RA with dnsmasq
Last post by stylishly - Today at 11:12:39 AM
Hi, I have just migrated to 26.1 and also moved from radvd to dnsmasq and I am a bit confused by the documentation, especially the help for the Router advertisements checkbox in the General tab that says:

Quote: Setting this will enable Router Advertisements for all configured DHCPv6 ranges with the managed address bits set, and the use SLAAC bit reset. To change this default, select a combination of the possible options in the individual DHCPv6 ranges. Keep in mind that this is a global option; if there are configured DHCPv6 ranges, RAs will be sent unconditionally and cannot be deactivated selectively. Setting Router Advertisement modes in DHCPv6 ranges will have no effect without this global option enabled.

The last phrase is the part I don't get, as I have this option disabled and SLAAC is working just fine. This is my dnsmasq configuration:
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
rebind-localhost-ok
stop-dns-rebind
port=53053

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=bridge0
dhcp-fqdn
domain=<domain masked>
# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=<domain masked>
# Never forward to servers in /etc/resolv.conf
no-resolv
# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases
dns-forward-max=5000
cache-size=10000
local-ttl=1
conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf
dhcp-range=tag:bridge0,10.0.10.50,10.0.10.200,255.255.255.0,86400
dhcp-range=tag:bridge0,::,constructor:bridge0,slaac,64,86400
ra-param=bridge0,60,1200
dhcp-host=<masked>,10.0.10.2,saturn
# default IPv4 DNS mapped to this server (0.0.0.0)
dhcp-option=6,0.0.0.0
# default IPv6 DNS mapped to this server (::)
dhcp-option=option6:23,[::]
no-ident

In Wireshark I can see the RA working:
ICMPv6 Option (Prefix information : <masked>:/64)
    Type: Prefix information (3)
    Length: 4 (32 bytes)
    Prefix Length: 64
    Flag: 0xc0, On-link Flag (L), Autonomous Address Configuration Flag (A)
        1... .... = On-link Flag (L): Set
        .1.. .... = Autonomous Address Configuration Flag (A): Set
        ..0. .... = Router Address Flag (R): Not set
        ...0 .... = DHCPv6-PD Preferred Flag (P): Not set
        .... 0000 = Reserved: 0
    Valid Lifetime: 7200 (2 hours)
    Preferred Lifetime: 7200 (2 hours)
    Reserved
    Prefix: <masked>:

Am I missing something? Is the RA checkbox in General required or not?
#87
General Discussion / Re: If you change the IP addre...
Last post by syuhei - Today at 11:10:29 AM
Thanks for the advice.

However, the gateway is configured manually.
The proof is that I can ping 192.168.0.8.
#88
26.1 Series / Re: hostname no longer include...
Last post by Patrick M. Hausen - Today at 11:09:51 AM
Already raised via a GitHub issue and probably in the works.

https://github.com/opnsense/plugins/issues/5181
#89
26.1 Series / hostname no longer included in...
Last post by siegfried - Today at 11:03:41 AM
Hello, I think since 26.1 the hostname is no longer included in the config backup file name. It's confusing when backing up multiple devices to a central location (Nextcloud or so). Before 26.1 it was much easier to find the correct file, as the hostname was part of the file name. Is it possible to have the old behavior back?

Thanks in advance!
#90
Hi,

I tried to enable http3/quic for my HTTP servers by checking the corresponding box in the nginx configuration.
This allowed me to determine that the following entries were added to nginx.conf:
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
add_header Alt-Svc 'h3=":443"; ma=86400' always;

If http3/quic is then activated for another HTTP server, all these entries are also set for that server.
However, this then leads to the following error message:
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
nginx: [emerg] duplicate listen options for 0.0.0.0:443 in /usr/local/etc/nginx/nginx.conf

Apparently, the reuseport option can only be used once:
https://stackoverflow.com/questions/76348128/enabling-quic-http-3-on-multiple-domains-with-nginx-1-25


How can http3/quic be enabled for additional HTTP servers without causing the error?
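The way this is resolved at the nginx level, as an added example that is neither the poster's configuration nor the OPNsense nginx plugin's generated output: `reuseport` is a socket-level listen option, and nginx accepts such options only once per address:port pair, so it is declared on the first server block that opens the QUIC socket and left off every further server block sharing the same `listen` address. The `quic` parameter itself, and the `Alt-Svc` header, may be repeated per server. Server names and certificate paths below are placeholders.

```nginx
# Added example, not from the original post or the OPNsense plugin.
# Server names and certificate paths are placeholders.

# First server block on 0.0.0.0:443 / [::]:443: the only place reuseport appears.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    server_name a.example.com;

    ssl_certificate     /path/to/a.example.com.crt;  # placeholder
    ssl_certificate_key /path/to/a.example.com.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;   # QUIC negotiates TLS 1.3 regardless

    # Advertise HTTP/3 on the same port to clients that arrived over TCP
    add_header Alt-Svc 'h3=":443"; ma=86400' always;
}

# Second (and any further) server block on the same sockets: plain "quic"
# with no reuseport, otherwise nginx reports
# "duplicate listen options for 0.0.0.0:443".
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic;
    listen [::]:443 quic;
    server_name b.example.com;

    ssl_certificate     /path/to/b.example.com.crt;  # placeholder
    ssl_certificate_key /path/to/b.example.com.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Alt-Svc 'h3=":443"; ma=86400' always;
}
```

Check the result with `nginx -t` before reloading. Because the OPNsense plugin regenerates nginx.conf from its own templates, a hand edit of the file only confirms the diagnosis; the durable fix has to come from how the plugin emits the `listen` lines for the second and later servers.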