Recent posts

#81
General Discussion / Re: Use differents Authenticat...
Last post by sec - May 11, 2025, 10:21:34 PM
I've experienced exactly that issue. I was helping a client with a DEC670 who had a routing issue that broke TOTP (by preventing NTP) and SSH. Luckily they'd forgotten to require a password for serial console access!
Since then I've looked for ways to create an "emergency access" user that can access the serial console with a password, while also requiring MFA or public key auth for any user logging in remotely.
#82
German - Deutsch / Re: Bambu Lab Printer LAN Mode...
Last post by viragomann - May 11, 2025, 10:13:21 PM
Oh right, I hadn't considered IPv6 at all.
I find it odd, though, that the mDNS packet is sent exclusively over IPv6. That would in any case require the PC to support IPv6 as well.

The next one is an IGMP packet. The printer may need that too. However, the source IP 0.0.0.0 isn't clear to me here.

Perhaps you should first find out on another platform exactly what the printer needs. It could also be several protocols.
#83
I did that but even after reboot it gave the same error.
#84
German - Deutsch / Re: Bambu Lab Printer LAN Mode...
Last post by W0nderW0lf - May 11, 2025, 09:46:46 PM
I had actually already tried that. The service was also running when I created this post.
However, I wonder where the IPv6 on the printer would come from. On my printer itself I can't tell whether it uses IPv6.
My FW, in any case, has neither IPv6 active nor a DHCPv6.

My mDNS repeater is configured quite simply.

I have LAN and WLAN as listening interfaces. Nothing more. But it doesn't seem to help, because the protocol is blocked by the FW's "Block everything". So do I need an exception for link-local addresses and 0.0.0.0??
#85
German - Deutsch / Re: Bambu Lab Printer LAN Mode...
Last post by viragomann - May 11, 2025, 09:37:54 PM
Quote from: W0nderW0lf on May 11, 2025, 10:37:44 AM
What I see, but cannot clearly attribute to my printer:

Code:
WLAN        2025-05-11T10:29:32    [fe80::ebf4:cfd5:5887:6766]:5353    [ff02::fb]:5353    udp    Block everything
WLAN        2025-05-11T10:28:57    0.0.0.0    224.0.0.1    igmp    Block everything
That is apparently mDNS.

Try this: Multicast DNS Proxy.
#86
25.1, 25.4 Production Series / Re: 25.1.6_2 and 25.1.6_4 prob...
Last post by trdeal - May 11, 2025, 09:30:45 PM
After checking the KEA logs (informational) with 25.1.6_4: after a power cycle the logs show my laptop communicating with KEA and obtaining an IPv6 address; then, after a brief period, it shows the laptop going through the DORA process and obtaining an IPv4 address. After restarting the KEA service and power cycling the laptop, the logs show an IPv6 address SARR process; however, the IPv4 only completes DO of DORA: a DHCPOFFER is sent but there is never any response.
In respect of my daughter's connection, I connected a laptop to her network connection and could not get an IPv6 or IPv4 address. Checking the logs, it shows that for IPv6 it completes SA of SARR, and DO of DORA. In both cases I am using automated firewall rules; checking them manually, they appear to be correct.
Both VLANs are connected to a LAG interface connecting the 25.1.6_4 to my switch.
Restoring the ISC DHCP backup and with the attendant reboot, everything works as normal. So it is not a network issue, it appears to be directly related to ISC Kea.
#87
General Discussion / How to use monit to restart el...
Last post by Meg - May 11, 2025, 09:22:01 PM
Hello: I have monit set to alert when elasticsearch shuts down. I would like to use it to also restart elasticsearch, but from what I understand, elasticsearch cannot be started as administrator. How can I get monit to restart elasticsearch when it has shut down and not restarted?
#88
General Discussion / Re: Firewall rules based on FQ...
Last post by verfluchten - May 11, 2025, 09:13:20 PM
Quote from: verfluchten on May 11, 2025, 09:02:42 PM
What am I doing wrong?

Using URL(s) was wrong. It should have been Host(s).
Then Diagnostics->Alias resolves, and the rule works.
#89
General Discussion / Re: Redirect DNS to pi-hole
Last post by viragomann - May 11, 2025, 09:12:53 PM
Quote from: louis_nichols on May 11, 2025, 03:00:10 AM
I wish I understood better why, but sometimes it's like this. :)

The point here is that if you only redirect DNS requests to the pihole:
The client with the IP, say 10.0.0.100, requests the DNS server, say 8.8.8.8. OPNsense redirects the request packet to the pihole, which is 10.0.0.10. The pihole sees 10.0.0.100 as the source address of the request. Hence it sends the response packet directly to this IP. The source address in the response packet is 10.0.0.10, but the client actually expects a response from 8.8.8.8 and will ignore the packet.

With the outbound NAT rule, the pihole sees 10.0.0.1 as the source and hence sends responses back to OPNsense. OPNsense translates the source IP back to 8.8.8.8 according to its state table.
#90
General Discussion / [SOLVED] Firewall rules based ...
Last post by verfluchten - May 11, 2025, 09:02:42 PM
There was an archived topic here in which someone asked how to create them, and the answer was to create a URL(s) type alias and to reference it in a rule.
I tried to do that and created an alias that includes deb.debian.org, ftp.debian.org, and security.debian.org. Then I added a Pass rule and referenced the alias in its destination, port 80.

But the source host still cannot connect to the 3x FQDNs above due to a Block rule that follows right next to the above Pass rule.

Tried http://deb.debian.org/* as content as well, hoping that wildcards are supported, but it did not work either.

What am I doing wrong?