Recent Posts

91

General Discussion / Re: High inblock packet count on passive LAN interfaces

« Last post by vpx23 on November 20, 2024, 06:57:45 pm »

Ah, thank you, that makes sense, maybe I should RTFM, I thought 'm' was for mega, i.e. millions. 

That would have been in the realm of a 100 GBit/s NIC.

92

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« Last post by MatheusPP on November 20, 2024, 06:52:30 pm »

I tried to change the "Child Prefix Mask" to ::/63 and ::/60 but I got "Invalid prefix mask" from the ONU, not sure what the mask should be to get a larger different prefix.

Did you also change the „request prefix size“ on the WAN interface settings in OPNsense?

You should get at least a /57 prefix out of your uplink router. Some documentation available?

I tried both /63 and /60, but after a reload it always gets a /64 prefix.

93

24.7 Production Series / Re: 24.7.9 - Can't login WebGUI with 2FA

« Last post by franco on November 20, 2024, 06:33:19 pm »

Yep, it's a bit opportunistic, but fixing this properly is a bit more difficult since update.sh decides if it reboots!

https://github.com/opnsense/core/blob/ae97263e460/src/opnsense/scripts/firmware/reboot.sh#L62-L65

vs.

https://github.com/opnsense/core/blob/ae97263e460/src/opnsense/scripts/firmware/update.sh#L73-L77

94

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« Last post by dseven on November 20, 2024, 06:33:10 pm »

@dseven on routing: I meant the uplink router, not the OPNsense box. If the uplink router delegates the network downwards, it MUST route it.

So did I. I have two OPNsense instances here - one cascaded behind the other, and ran into this issue when I first tried to delegate a prefix from one to the other. I don't want to distract this thread any further over it - point is that it could happen.

95

General Discussion / Re: Static IP addresses vs DHCP for IoTs

« Last post by pankaj on November 20, 2024, 06:29:14 pm »

Thanks @dseven and @seimus for your inputs.

My original message was getting long so I skipped few details. In 2020 when I started home automation, I was not using VLANs and had DHCP servers running on five (5) untagged interfaces. I also started experimenting with WiFi cameras and all the WIFi traffic (IoTs, home devices, cameras and guest) was handled by a single Orbi mesh router set. This topology clearly caused lot of unnecessary broadcasting across the home network and many of the devices (IoTs included) were either unable to get on the network or get enough bandwidth. So to circumvent that problem, I stated adding static IP addresses to each device whenever the device configuration permitted and I’m still continuing this habit.

The above practice of assigning static IP at a device level eased the congestion a little bit but the problem really got sorted out when I added VLANs to the network and separated out the SSIDs for home devices, guest and IoTs. And specifically for the IoT subnet, the DHCP server on OPNSense has all devices IoTs MACs mapped to static IP addresses. So in short I’m duplicating efforts for static IP address assignment:
1) Within each IoT device configuration and
2) OPNSense DHCP server

My question was related to discontinuing 1) and simple let OPNSense handle the static IP mapping for each device based on the MAC address. Based on your comments it seems like a standard practice and should work for me without any foreseeable problems.

96

General Discussion / ESTABLISHED,RELATED - How to block NEW ?

« Last post by brunoc68 on November 20, 2024, 06:27:55 pm »

Dear all,

I am using a MikroTik OpenVPN client which connects to an OPNSense OpenVPN server.
I have a PC named "A" on the client network and a PC named "B" on the server network.
I want B to be able to dialog with A, but I want to block all traffic from A to B that is initiated by A.

That was easy to do with iptables :
- traffic A->B initiated by B was catched by "--state RELATED,ESTABLISHED -j ACCEPT"
- traffic A->B initiated by A was catched by "--state NEW -j DROP"

I read on the different posts that with OPNSense it is actually default behaviour that when B is authorized to A, A can reply to B, and I could test it works well.

However, my issue is the following when one does step by step :
1. first, A pings B : there is no answer - correct
2. second, B pings A : it works - correct
3. but now, if A pings B, A gets replies - NOT CORRECT

Actually what happens is obviously the following :
- step 1 : there is no rule to accept traffic from A to B so there is no reply
- step 2 : there is a rule to accept traffic from B to A, so as default OPNSense tracks the state of the connexion and replies from A are accepted back to B
- step 3 : when, at that point, A initiates traffic to B, OPNSense uses the previous state of the connexion at step 2 and it accepts the traffic !

So, in case there is regular communication from B to A, an attacker could suddenly usurpate the IP address of A to attack B through the firewall.

How can one definitely block traffic from A to B that is initiated by A ?

97

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« Last post by stefan00 on November 20, 2024, 06:19:46 pm »

Additional hint from memory (not on a box right now):

You can increase dhcp6c logging level on interfaces->settings->IPv6 DHCP log level

These can later be viewed on system->logfiles->general reported as dhcp6c events

98

24.7 Production Series / Re: 24.7.9 - Can't login WebGUI with 2FA

« Last post by Patrick M. Hausen on November 20, 2024, 06:09:34 pm »

Did you perchance set the "always reboot" option in the UI?

System > Firmware > Settings > Advanced

99

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« Last post by stefan00 on November 20, 2024, 06:06:37 pm »

I tried to change the "Child Prefix Mask" to ::/63 and ::/60 but I got "Invalid prefix mask" from the ONU, not sure what the mask should be to get a larger different prefix.

Did you also change the „request prefix size“ on the WAN interface settings in OPNsense?

You should get at least a /57 prefix out of your uplink router. Some documentation available?

100

24.7 Production Series / Re: WebGUI unaccessible for 3-4 minutes --> when modyfing "Interfaces"

« Last post by Monviech (Cedrik) on November 20, 2024, 06:00:40 pm »

Hey thanks for trying and confirming that it must be an isolated hardware/software related issue. I'll install the latest version on some old and new hardware and see if I can reproduce the steps you outlined.