OPNsense


All discussions about the open source, FreeBSD-based firewall called OPNsense.


Hello all you lovely people!

I'm trying to figure out if I can port forward to different servers based on the destination domain.

I have a domain with a wildcard cert and I'd like to be able to route all traffic headed towards "1.domain.com" to a server I'm calling "1". I'd still like traffic headed to domain.com to go to where it's currently going, we can call this server "0", and to be able to have a 2.domain.com or 3 or 4 in the future.

I thought that having a port forward rule with:

  • Interface: WAN
  • Protocol: any
  • Source: any
  • Destination: a URL alias including 1.domain.com
  • Redirect target IP: local IP

would work, but it doesn't seem to. Any tips?


Hi!

I have a question. If I enable IPS mode, my outbound traffic graphs stop working.

Is this a known bug? Is there something I can do?

https://imgur.com/Igzjc6I

I'm running OPNsense 24.1.3_1.

Thanks!


Hi all, I've got a cheap Celeron box running OPNSense and it's been pretty good so far, but I found twice that the device turned off at some point while I was at work, and I have been unable to figure out what's causing it.

The only change was that I enabled Monit to see if I could figure out what was causing crowdsec to stop sometimes but never ended up configuring anything. I've only been running it for a couple months though, so it's possible that that is not related.

I know that on a Mac (based on freebsd, right?) you can determine whether the shutdown reason was a hard shutdown, regular shutdown, or the power cable being unplugged. Is it possible to do that with OPNSense? I'd like to narrow it down to software or hardware ideally.
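On FreeBSD, and therefore on OPNsense, the record to look at is the login accounting database: shutdown(8) logs a `shutdown` pseudo-user entry before the kernel goes down, and every boot logs a `reboot` entry, so `last reboot shutdown` at the shell lists both. A boot with no shutdown record in front of it means the system stopped without going through shutdown(8): a kernel panic, a hang, a hard reset or a power cut. The following is an added example, not code from the post or from OPNsense, that reads that output and flags the unclean boots. The sample output is constructed and its column layout is an assumption, which is why the pattern is whitespace-tolerant.

```python
import re

# Matches the reboot/shutdown pseudo-user lines printed by FreeBSD's
# last(1); the tty column is "~" for these entries. Column widths are
# an assumption, so the pattern tolerates any amount of whitespace.
LAST_RE = re.compile(
    r"^(reboot|shutdown)\s+~\s+(?:\S+\s+)?"
    r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})"
)

# Constructed sample of `last reboot shutdown` output (newest first);
# not taken from a real box.
SAMPLE_LAST = """\
reboot           ~                         Tue Jan  2 08:31
shutdown         ~                         Tue Jan  2 08:29
reboot           ~                         Mon Jan  1 12:00
reboot           ~                         Sun Dec 31 07:15
shutdown         ~                         Sat Dec 30 22:00

wtmp begins Fri Dec  1 00:00:00 2023
"""


def parse_last(text: str):
    """Return (kind, timestamp) pairs in chronological order."""
    events = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2)))
    events.reverse()            # last(1) prints newest first
    return events


def classify_boots(events):
    """For each boot, say whether the session before it ended with a
    shutdown record. No record means shutdown(8) never ran: a panic,
    a hang, a hard reset or a power cut."""
    verdicts = []
    prev = None
    for kind, when in events:
        if kind == "reboot":
            if prev == "shutdown":
                verdicts.append((when, "clean: preceded by a shutdown record"))
            else:
                verdicts.append((when, "unclean: no shutdown record before this boot"))
        prev = kind
    return verdicts


def unclean_boots(text: str):
    """Timestamps of boots that followed an unclean stop."""
    return [when for when, verdict in classify_boots(parse_last(text))
            if verdict.startswith("unclean")]
```

To separate a panic from a power problem, check /var/crash for a vmcore and its accompanying info file from around the same time: a panic writes one when a dump device is configured, a power cut leaves nothing at all. Monit itself does not reboot the box unless a check was configured to, so an enabled-but-unconfigured Monit is unlikely to be the cause, but the timestamps above are what to correlate against its log.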

submitted 9 months ago* (last edited 9 months ago) by HakFoo@lemmy.sdf.org to c/opnsense@lemmy.world

After a home rewire, I'm ready to bump up to 2.5GbE, and demote my old 1Gbps router/wifi box to "AP Only mode".

I want at least ~~five~~ six total ports, four of which need to be 2.5+ (three to different rooms, one for uplink, one 1G+ for the AP, and one "any speed is enough" for the networked printer :) )

It seems like the "mini-PC with a bunch of 2.5GbE ports running OPNSense" option fits neatly between "Build a router out of my old i5-2500K and some eBay NICs and ignore the USD450 electric bill", and "enterprise rackmount gear with Delta fans left over from people overclocking their Socket A Athlons."

I see a lot of machines of the form "fanless case with a little castle of fins on top, Intel N100 CPU, six 2.5G ports from I226 chipset". A representative example is https://www.aliexpress.us/item/3256806214512701.html

I suspect they may all be re-brands of the same basic product, but I wanted to know real-world experiences:

  • Basic question: can anyone vouch for any specific one of these devices/sellers and confirm it worked for them?

  • I understand the i225-v LAN chipset was much buggier than the i226-v and to be avoided; still the case? I see a few products that are like USD50 cheaper, with different CPUs and i225-based LAN.

  • For routing/firewall duties (probably 4 PCs, 3 phones, a couple of printers, and some smart devices), are the bottom-of-the-line configs (8GB RAM/128G disk) suitable? Is the CPU sufficient? The N100 makes me laugh-- Intel doesn't even want to give it a brand name.

  • Regarding WiFi, should I just block out that little Mini-PCIe slot on the board from my mind? I know that FreeBSD WiFi has been sort of a fourth-class citizen for years, but I was wondering if there had been a breakthrough, or at least a "here is one specific card you can buy for a largely drama-free experience"

  • Weird question: Any problems with RF noise? I have had some devices where the power brick made a mess of a neighbour's AM radio reception, and I don't want to start a war with him. I figure when you're buying a device with a 60w wall-wart from a random brand, it might not be the cleanest.


Just a few tips for installing on a Sophos SG135 (and perhaps others in the Sophos family?) using the serial build via USB.

  1. The Sophos device starts at 38400,n,8,1 as COM settings. OPNsense switches to 115200 after the BIOS. If you set your session to 115200 prior to OPNsense taking over, PuTTY cannot input keyboard characters until you kill and re-open the session. Something happens in the transition on either serial interface to cause problems.

  2. Perform the auto-detection of interfaces. For some reason I got screwed up on the interfaces and couldn't for the life of me get LAN to come up to configure the box. I believe this was twofold: one, the interfaces were all down when I configured them, and two, that caused them to go into a state where even if 'ifconfig' showed active as I moved my cabling around, pings would not work (LAN). Once I redid the USB live boot and used the auto-detection feature properly, no issues occurred.

Hope this helps someone who may run into similar issues.


Hey all, I've been trying to figure out why enabling IPS kills my network. I have some services I host and would like to get some sort of IPS running. I used to have Snort running through pfSense and didn't experience issues like this.


Hey all, recent convert from pfSense. I'm trying to make sure only the DNS servers I've defined are being used for lookups. I'm using Unbound and noticing a lot of traffic on port 53 to destinations other than the ones I've put in.
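Two different things show up as "port 53 to destinations other than the ones I've put in", and they need different answers. Unbound in its default OPNsense configuration is a recursive resolver, not a forwarder: unless Forwarding Mode is enabled, it walks from the root servers down, so port 53 traffic from the firewall's own address to many different servers is expected and is not a leak. Port 53 traffic from a LAN client straight to an outside resolver is a bypass (a device with a hardcoded 8.8.8.8, for example) and is what a LAN rule blocking or redirecting port 53 to the firewall is for. The following is an added example, not code from the post or from OPNsense: it classifies constructed tcpdump-style lines into those two cases. The LAN network and the firewall's LAN and WAN addresses are assumptions.

```python
import ipaddress
import re

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumption
FIREWALL_IPS = {"192.168.1.1", "203.0.113.5"}       # assumed LAN and WAN addresses

# "IP <src>.<sport> > <dst>.<dport>:" as printed by `tcpdump -n` for IPv4.
LINE_RE = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.(\d+):")

# Constructed capture, not from a real box: a normal client query, one
# of Unbound's own upstream queries, a client bypassing Unbound over
# plain DNS, and the same client opening DNS-over-TLS to 1.1.1.1.
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 192.168.1.50.51234 > 192.168.1.1.53: 1234+ A? example.com. (29)
10:00:01.100000 IP 203.0.113.5.40001 > 198.41.0.4.53: 5678 A? example.com. (29)
10:00:02.000000 IP 192.168.1.77.49152 > 8.8.8.8.53: 4321+ A? tracker.example. (33)
10:00:03.000000 IP 192.168.1.77.49153 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
10:00:04.000000 IP 192.168.1.50.51235 > 192.168.1.20.443: Flags [S], seq 2, win 64240, length 0
"""


def classify(line: str):
    """Return (verdict, src, dst, dport) for a DNS/DoT line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(3), int(m.group(4))
    if dport not in (53, 853):
        return None
    if src in FIREWALL_IPS:
        # Unbound resolving recursively (or forwarding, if configured).
        return ("resolver-upstream", src, dst, dport)
    if ipaddress.ip_address(src) in LAN_NET:
        if dst in FIREWALL_IPS:
            return ("ok", src, dst, dport)
        return ("bypass", src, dst, dport)
    return ("other", src, dst, dport)


def bypass_report(capture: str):
    """Map each LAN client that talked to an outside resolver to the
    resolver:port pairs it used."""
    report = {}
    for line in capture.splitlines():
        c = classify(line)
        if c and c[0] == "bypass":
            report.setdefault(c[1], set()).add(f"{c[2]}:{c[3]}")
    return report
```

A capture for this is `tcpdump -ni <lan interface> 'port 53 or port 853'` run on the firewall, so that only traffic crossing it is seen. Port 853 is worth including because a client that is blocked on 53 will often fall back to DNS-over-TLS; DNS-over-HTTPS on 443 cannot be told apart by port at all, so the rule-based check covers 53 and 853 and the rest is a matter of which destinations the clients are allowed to reach.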


Hi There,

Please excuse the lengthy post, I wanted to explain/have all the information I can possibly write down.

I've been trying to have "udpbroadcastrelay" plugin to relay SSDP (Simple Service Discovery Protocol) between two subnets, LAN and Bridge. However, I've hit a roadblock with this setup.

The peculiar thing is that mDNS (Multicast DNS) works flawlessly using the same plugin and setup!

I hope that someone can help shed some light on this issue and help me get SSDP relay working as smoothly as mDNS does in my setup. If anyone has experience with the "udpbroadcastrelay" plugin in OPNsense or has encountered a similar issue, your insights and guidance would be greatly appreciated. Thanks in advance for any assistance or suggestions!

SIDENOTE:

I have used BOTH of:

- os-udpbroadcastrelay 1.0_3 (from repo)
- compiled from source (GitHub) so I can use the --msearch option

  1. My Setup

    • Virtualized OPNsense in Proxmox
      • Pass-Through (WAN)
      • 2 VirtIO Interfaces (LAN & Bridge)
    • OPNsense Version: OPNsense 23.7.10_1-amd64 FreeBSD 13.2-RELEASE-p7
    • Proxmox Version: proxmox-ve: 8.1.0 (running kernel: 6.5.11-7-pve)
  2. Troubleshooting Attempts:

I've tried various solutions from different sources to resolve this issue, including:

  • HOW TO - Configure OPNsense for TV7 (init7) Multicast Stream

    LAN
    First we have to enable allow options on the default LAN rule Default allow LAN to any rule.

    • Navigate to Firewall -> Rules -> LAN
    • Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
    • Scroll down until you see Advanced Options: and click on Show/Hide
    • Make sure that the allow options checkbox is checked
    • Click Save
    • Back on Overview click on Apply changes to enable the changed rule
  • [SOLVED] - Multicast bridge problem | Proxmox Support Forum

    maybe try to disable multicast snooping on bridges ?

    echo 0 > /sys/class/net/vmbrX/bridge/multicast_snooping

  • Multicast notes - Proxmox VE

    Linux: Disabling Multicast snooping on bridges

    Snooping should be enabled on either the router / switch or on the linux bridge, but it may not work if enabled on both. If you have a hosting provider that has igmp snooping enabled on the multicast switch, it may be necessary to disable snooping on the linux bridge. In that case use:

    post-up ( echo 1 > /sys/devices/virtual/net/$IFACE/bridge/multicast_querier )

    post-up ( echo 0 > /sys/class/net/$IFACE/bridge/multicast_snooping )

To help diagnose the issue effectively, here is what i managed to gather:

FW Ruleset

LAN Rule Set
Protocol  Source    Port  Destination  Port  Gateway  Schedule  Description
IPv4      LAN net   *     *            *     *        *         Default allow LAN to any

Bridge Rule Set
Protocol  Source      Port  Destination  Port  Gateway  Schedule  Description
IPv4      Bridge net  *     *            *     *        *         Allow Bridge to any rule (Manual Entry)
cat /tmp/rules.debug

LAN Rule Set
pass in log quick on vtnet0 inet from {(vtnet0:network)} to {any} keep state label "3070463c8d527cf93da451fa4f88c7cb" # Default allow LAN to any rule

Bridge Rule Set
 pass in log quick on vtnet1 inet from {(vtnet1:network)} to {any} keep state label "2681e3c4a046e0ab9b3ab64679df3edc" # Allow Bridge to any rule

Interfaces

igc0: flags=8963 metric 0 mtu 1500
	description: WAN (wan)
	options=4802028
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
vtnet0: flags=8963 metric 0 mtu 1500
	description: LAN (lan)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.100.3 netmask 0xffffff00 broadcast 192.168.100.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29
vtnet1: flags=8963 metric 0 mtu 1500
	description: Bridge (opt1)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29

CLI USED

./udpbroadcastrelay -d -d --id 1 --port 1900 --dev vtnet1 --dev vtnet0 --multicast 239.255.255.250 --msearch dial

2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet1 len=462 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-sony-com:service:Party:1
2023/12/29 21:48:17.593 -> [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet0 len=462 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=447 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000001-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:48:17.593 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=447 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.614 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=490 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:device:MediaServer:1
2023/12/29 21:48:17.614 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=490 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.637 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=502 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ContentDirectory:1
2023/12/29 21:48:17.637 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=502 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.663 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=504 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ConnectionManager:1
2023/12/29 21:48:17.663 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=504 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.315 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.315 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.373 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.373 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.460 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.460 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.924 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.924 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.425 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.425 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.525 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.525 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.556 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=267 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:49:16.556 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=267 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.577 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=276 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000004-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:49:16.577 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=276 tos=0x04 DSCP=1 ttl=4)

Lan Wireshark Capture

No. Time Source Destination Protocol Length Info
920 09:13:01.207756 10.10.10.46 239.255.255.250 SSDP 349 NOTIFY * HTTP/1.1
921 09:13:01.229336 10.10.10.46 239.255.255.250 SSDP 349 NOTIFY * HTTP/1.1
922 09:13:01.290046 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
923 09:13:01.292706 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
924 09:13:02.292100 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
925 09:13:02.294187 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
926 09:13:03.308643 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
928 09:13:03.310873 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
929 09:13:04.309797 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
930 09:13:04.311739 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
932 09:13:04.803218 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
933 09:13:04.805015 10.10.10.46 192.168.100.75 UDP 306 50201 → 53037 Len=264
934 09:13:05.800708 10.10.10.46 192.168.100.75 UDP 306 37333 → 53037 Len=264
936 09:13:07.799676 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
937 09:13:07.801449 10.10.10.46 192.168.100.75 UDP 306 50201 → 53037 Len=264
938 09:13:08.045029 10.10.10.46 192.168.100.75 UDP 306 37333 → 53037 Len=264
962 09:13:10.807982 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
963 09:13:10.811017 10.10.10.46 192.168.100.75 UDP 306 50201 → 53037 Len=264
964 09:13:12.695351 10.10.10.46 192.168.100.75 UDP 306 37333 → 53037 Len=264
1068 09:14:02.720283 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1080 09:14:02.977262 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1119 09:14:03.205658 192.168.100.75 239.255.255.250 UDP 666 59260 → 3702 Len=624
1152 09:14:03.442876 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1237 09:14:03.907019 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1284 09:14:04.593450 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
1285 09:14:04.595580 10.10.10.46 192.168.100.75 UDP 306 50201 → 52272 Len=264
1286 09:14:04.608593 192.168.100.75 239.255.255.250 SSDP 179 M-SEARCH * HTTP/1.1
1301 09:14:04.862324 192.168.100.75 239.255.255.250 UDP 666 59260 → 3702 Len=624
1324 09:14:05.215444 10.10.10.46 192.168.100.75 UDP 306 37333 → 52272 Len=264
1371 09:14:06.231131 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
1372 09:14:06.233068 10.10.10.46 192.168.100.75 UDP 354 50201 → 58452 Len=312
1392 09:14:06.865155 192.168.100.75 239.255.255.250 UDP 666 59260 → 3702 Len=624
1401 09:14:07.232162 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
1402 09:14:07.234422 10.10.10.46 192.168.100.75 UDP 354 50201 → 58452 Len=312
1408 09:14:07.595062 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
1409 09:14:07.597369 10.10.10.46 192.168.100.75 UDP 306 50201 → 52272 Len=264
1410 09:14:07.610422 192.168.100.75 239.255.255.250 SSDP 179 M-SEARCH * HTTP/1.1
1443 09:14:08.234467 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
1444 09:14:08.234644 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
1445 09:14:08.236807 10.10.10.46 192.168.100.75 UDP 354 50201 → 58452 Len=312
1446 09:14:08.237538 10.10.10.46 192.168.100.75 UDP 306 50201 → 52272 Len=264
1448 09:14:08.265899 192.168.100.75 239.255.255.250 SSDP 175 M-SEARCH * HTTP/1.1
1450 09:14:08.297109 192.168.100.75 239.255.255.250 SSDP 169 M-SEARCH * HTTP/1.1
1453 09:14:08.334904 192.168.100.75 239.255.255.250 SSDP 167 M-SEARCH * HTTP/1.1
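One thing the relay log and the capture above make visible is how SSDP differs from mDNS: an M-SEARCH goes out as multicast, but the answer to it is a unicast `HTTP/1.1 200 OK` sent straight back to the searcher's source address and port. Because udpbroadcastrelay re-emits the M-SEARCH with the original client as source (10.10.10.46 appears unchanged on vtnet0 in the log), the responder answers the client across the router directly, which is exactly the `10.10.10.46 -> 192.168.100.75` UDP lines in the LAN capture. So that leg never passes through the relay and depends only on routing and the firewall rules between the two subnets. The following is an added example, not code from the post or from the udpbroadcastrelay project: a small SSDP parser with the relay decision applied to constructed datagrams. The `--msearch` semantics modelled here (forward an M-SEARCH whose ST contains a listed term, apply a default action otherwise, always relay NOTIFY, never relay a response) are an assumption based on the log lines above, not a description of the tool's code.

```python
# Constructed SSDP datagrams, not captured packets; the UUID and the
# LOCATION URLs are placeholders.
MSEARCH_DIAL = (
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\nMX: 2\r\n'
    b"ST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n"
)
MSEARCH_ALL = (
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n'
)
NOTIFY_ROOT = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://10.10.10.46:52323/dd.xml\r\n\r\n"
)
RESPONSE_MEDIASERVER = (
    b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"LOCATION: http://10.10.10.46:50201/desc.xml\r\n\r\n"
)


def parse_ssdp(datagram: bytes):
    """Split an SSDP datagram (HTTP-style text over UDP) into its kind
    and a dict of upper-cased header names to values."""
    text = datagram.decode("ascii", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    start = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    if start.startswith("M-SEARCH "):
        kind = "M-SEARCH"
    elif start.startswith("NOTIFY "):
        kind = "NOTIFY"
    elif start.startswith("HTTP/1.1 200"):
        kind = "RESPONSE"
    else:
        kind = "OTHER"
    return kind, headers


def relay_decision(datagram: bytes, msearch_terms, default="FORWARD"):
    """Assumed relay policy (see lead-in): returns (action, search term)."""
    kind, h = parse_ssdp(datagram)
    if kind == "NOTIFY":
        return "FORWARD", h.get("NT")          # announcements are always relayed
    if kind == "M-SEARCH":
        st = h.get("ST", "")
        if any(term.lower() in st.lower() for term in msearch_terms):
            return "FORWARD", st
        return default, st                      # --msearch miss: default action applies
    if kind == "RESPONSE":
        # Unicast to the searcher's address/port; crosses the router
        # directly and is not the relay's business.
        return "UNICAST-REPLY", h.get("ST")
    return "DROP", None
```

The practical consequence for the setup above: the relay only has to get the multicast M-SEARCH and NOTIFY across, which the log shows it does; whether the unicast reply is then accepted is decided by the Bridge-to-LAN firewall rule, by the state pf created for the spoofed M-SEARCH, and by the client itself, since some discovery clients ignore replies that arrive from an address outside their own subnet. The LOCATION header in the responses is the next thing to check, because the device description URL it points at must also be reachable across the router for the device to appear.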

Hi everyone,

I'm at my wit's end here getting port forwarding working on my setup with Nginx Proxy Manager (NPM) and OPNsense.

I recently upgraded my networking gear, and everything is working great, I’m loving OPNsense and 10G networking. I’ve had the same setup for port forwarding for years and never had issues, the main change was the addition of OPNsense and a switch.

Previous setup (I realize this wasn’t the best):

ISP modem -> DHCPv4 with ports 80/443 forwarded to ASUS wireless router WAN -> DHCPv4 with ports 80/443 forwarded to VM on proxmox running NPM -> NPM set up with hosts to proxy services on other VMs/server.

This (or a variation thereof) has all been working great for years, along with ddns set up as I have a dynamic IP.

New setup:

ISP modem -> DHCP off with ports 80/443 forwarded to OPNsense WAN via MAC address -> OPNsense NAT-Port Forwarding set up to the NPM host/port, rest is the same as before.

The settings for the port forward are the standard I’ve found in guides. WAN address, any source/port, redirect to NPM host and ports. Tried the domain I usually use, no luck. Port checker shows the ports are closed.

Tried the following:

  1. DMZ on the ISP modem keeping WAN IP default/automatic and adding OPNsense to the DMZ, no change.
  2. Advanced DMZ on ISP, WAN is the external IP, no change
  3. Same as 2, but changed OPNsense WAN settings from DHCPv4 to PPPoE, and added the ISP login info. Received new IP, updated ddns, still no change.
  4. Checked over port forwarding settings, enabled NAT reflection, still nothing.

In between all these steps, I rebooted OPNsense, Proxmox, switches, etc.

Any ideas on what I could try for next steps? All of the local networking and external connections work awesome, it’s just the port forwarding as the last piece. Thanks!

Edit 2023-01-03:

I finally solved this, turned out the OPNSense and NPM configuration was all correct.

The problem was a glitch in the docker compose/portainer. I had my ports in docker compose set to 80:80/443:443, but when the container was deployed, it assigned 1880:80/18443:443 because of…reasons, and I didn’t notice until going through it all line by line 🤦.

Redeploying the stack/container didn't solve it, so I changed the time zone to another city, redeployed and voilà, everything works perfectly as it should!
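The resolution above is a good reminder that a port forward can only be verified end to end: what the compose file declares and what the container runtime actually published are two different things, and `docker port <container>` reports the latter. The following is an added example, not code from the post or from NPM or Docker: it compares the ports a compose file declares with constructed `docker port` output in the shape Docker prints (`<container port>/<proto> -> <host ip>:<host port>`), and reports mismatches such as the 1880/18443 surprise described above.

```python
import re

# One line per published mapping, as `docker port <container>` prints it.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp) -> (.+):(\d+)$")

# Constructed output, not from a real host: what the poster's container
# was doing, and what it should have been doing.
BROKEN_DOCKER_PORT = """\
80/tcp -> 0.0.0.0:1880
80/tcp -> [::]:1880
443/tcp -> 0.0.0.0:18443
443/tcp -> [::]:18443
"""
GOOD_DOCKER_PORT = """\
80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80
443/tcp -> 0.0.0.0:443
443/tcp -> [::]:443
"""


def parse_compose_ports(specs):
    """Compose short syntax -> {(container_port, proto): host_port}.
    Accepts "443:443", "127.0.0.1:443:443", "53:53/udp" and "8080"."""
    expected = {}
    for spec in specs:
        proto = "tcp"
        if "/" in spec:
            spec, proto = spec.split("/", 1)
        host, _, container = spec.rpartition(":")
        if not host:                     # "8080": container port only, host port equal
            host = container
        host_port = int(host.rsplit(":", 1)[-1])   # drop a leading bind address if present
        expected[(int(container), proto)] = host_port
    return expected


def parse_docker_port(output):
    """`docker port` output -> {(container_port, proto): {host_port, ...}}."""
    actual = {}
    for line in output.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            key = (int(m.group(1)), m.group(2))
            actual.setdefault(key, set()).add(int(m.group(4)))
    return actual


def check_published(compose_specs, docker_port_output):
    """Return a list of human-readable mismatches; empty means all good."""
    expected = parse_compose_ports(compose_specs)
    actual = parse_docker_port(docker_port_output)
    problems = []
    for (cport, proto), want in expected.items():
        got = actual.get((cport, proto))
        if not got:
            problems.append(f"{cport}/{proto}: not published at all")
        elif want not in got:
            problems.append(f"{cport}/{proto}: expected host port {want}, got {sorted(got)}")
    return problems
```

The same check belongs one hop further out as well: `sockstat -4l` on OPNsense shows whether anything on the firewall itself is already bound to 80/443 on the WAN address, and the port forward's target should be tested from the LAN side against the container host's IP and host port before involving the WAN at all, so that each hop is confirmed separately.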


This comes with some fixes to the new OpenVPN system, and route-gateway was added (a big oversight IMO). More updates to WireGuard and improvements have been added, and are still ongoing.

Here are the full patch notes:

  • system: correctly set RFC 5424 on remote TLS system logging
  • system: remove hasGateways() and write DHCP router option unconditionally
  • system: avoid plugin system for gateways monitor status fetch
  • system: remove passing unused ifconfig data to Gateways class on static pages
  • system: remove passing unused ifconfig data on gateway monitor status fetch
  • system: remove the unused "alert interval" option from the gateway configuration
  • interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
  • interfaces: teach ifctl to dump all files and its data for an interface
  • interfaces: remove dead link/hint in GIF table
  • interfaces: avoid duplicating $vfaces array
  • interfaces: introduce interfaces_restart_by_device()
  • firewall: remove old __empty__ options trick from shaper model
  • firewall: update models for clarity
  • firmware: update model for clarity
  • ipsec: omit conditional authentication properties when not applicable on connections
  • ipsec: fix key pair generator for secp256k1 EC and add proper naming to GUI (contributed by Manuel Faux)
  • ipsec: allow the use of eap_id = %any in instances
  • openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
  • openvpn: add CARP VHID tracking for client instances
  • openvpn: add tun-mtu/fragment/mssfix combo for instances
  • openvpn: add "route-gateway" advanced option to CSO
  • openvpn: use new File::file_put_contents() wrapper for instances
  • openvpn: updated model and clarified "auth" default option
  • mvc: remove "non-functional" hints from form input elements
  • mvc: uppercase default label in BaseListField is more likely
  • ui: add bytes format to standard formatters list
  • plugins: os-ddclient 1.16[1]
  • plugins: os-frr 1.36[2]
  • plugins: os-wireguard 2.1[3]
  • plugins: os-tinc 1.7 adds support for "StrictSubnets" variable (contributed by andrewhotlab)
  • lang: update translations and add Polish
  • src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)
  • src: axgbe: gracefully handle i2c bus failures
  • src: bnxt: do not restart on VLAN changes
  • src: ice: do not restart on VLAN changes
  • src: net: do not overwrite VLAN PCP
  • src: net: remove VLAN metadata on PCP / VLAN encapsulation
  • src: if_vlan: always default to 802.1
  • src: iflib: fix panic during driver reload stress test
  • src: iflib: fix white space and reduce some line lengths
  • src: ixgbe: define IXGBE_LE32_TO_CPUS
  • src: ixgbe: check for fw_recovery
  • src: net80211: fail for unicast traffic without unicast key[4]
  • src: pcib: allocate the memory BAR with the MSI-X table[5]
  • ports: php 8.2.10[6]
  • ports: python 3.9.18[7]
  • ports: unbound 1.18.0[8]

This is an open-ended question; it seems we need to encourage people to join here as well as being on their preferred platform (which is not ours to discourage or be derogatory about).

I still frequent "that site" because I want to help, but honestly I don't want to help "that site". Not that I am really doing so.

However, it feels weird if I do have to say "we are also on fede.. blah blah" and let's be honest about this: it's less support, but by more knowledgeable people (probably, I believe so).

How do we get them (and let's face it, Franco) over here to support OSS?

I know Franco has paid subscriptions, but OPNsense is OSS; the community is more than happy to help out if it is not paywalled.


Will I be able to use a Proton VPN .conf for WireGuard so I can run all my devices in that tunnel?

  • system: close boot file after probing to avoid lock inheritance
  • system: fix lock() inheriting the lock state
  • system: give more context in process kill error case since we operate PID numbers only
  • firewall: groups were not correctly parsed for menu post-migration
  • firewall: hide row command buttons for internal groups
  • firewall: add "ipv6-icmp" to protocol list in shaper
  • firewall: fix PHP warnings on the rules pages
  • dhcp: check if manufacturer exists for IPv4 lease page to prevent error
  • dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
  • dhcp: fix validation for static entry requirement
  • firmware: revoke 23.1 fingerprint
  • network time: support pool directive and maxclock (contributed by Kevin Fason)
  • openvpn: fix static key delete
  • openvpn: fix "mode" typo and push auth "digest" into export config
  • openvpn: fix race condition when using CRLs in instances
  • openvpn: remove arbitrary upper bounds on some integer values in instances
  • unbound: migration of empty nodes failed from 23.1.11 to 23.7
  • unbound: fix regression when disabling first domain override
  • mvc: fix empty item selection issue in BaseListField
  • plugins: os-ddclient 1.14
  • plugins: os-acme-client 3.19
  • src: bhyve: fully reset the fwctl state machine if the guest requests a reset
  • src: frag6: avoid a possible integer overflow in fragment handling
  • src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
  • src: libpfctl: ensure the initial allocation is large enough
  • src: pf: handle multiple IPv6 fragment headers
  • ports: curl 8.2.1
  • ports: nss 3.92
  • ports: openssl 1.1.1v
  • ports: perl 5.34.1
  • ports: py-dnspython 2.4.1
  • ports: strongswan 5.9.11
  • ports: syslog-ng 4.3.1

Four days ago it was looking on track: https://forum.opnsense.org/index.php?topic=35041.0

As per the roadmap, https://opnsense.org/about/road-map/ it will come soon.

The main points to note about this release (See https://forum.opnsense.org/index.php?topic=34948.0 for everything):

o php8.2 updates

o allow “.” in DNS search override

o extend/modify IPv6 primary address behaviour

o rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration

o move unbound-blocklists.conf to configuration location

Updates to these plugins:

o plugins: os-acme-client 3.18[3]

o plugins: os-dnscrypt-proxy 1.14[4]

o plugins: os-dyndns removed due to unmaintained code base

o plugins: os-frr 1.34[5]

o plugins: os-telegraf 1.12.8[6]

However, there are a lot of known issues and migration considerations:

o The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.

o Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.

o IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.

o The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.

o The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.


There is no better feeling in the world


I've been using OPNsense for a little over a year now, after migrating from pfSense which I used for many years. I really love it; it's incredibly powerful and yet easy to use once you wrap your head around things. And the interface is much cleaner than pfSense ever was.

I have a fairly complex setup with several vlans and different outbound routing for different hosts, client vpn (outbound) and server vpn (inbound). I’m no network guru but I’m happy to help with any questions to the best of my ability. More people should be using this!


Update went smoothly as can be. A reboot is required.
