Topics - mahescho

#1
Hi,

yesterday I upgraded from 23 to 24. This completely broke my DHCP setup. I use VLANs with a central DHCP server which evaluates DHCP option 82 and agent.circuit-id like this:


class "PL-VLAN204" {
  match if option agent.circuit-id = "lagg0_vlan204";
}


DHCP relay with v23 tags the DHCP requests with the interface name in agent.circuit-id. DHCP relay in v24 stopped doing so and seems to use tags like "001a", "001b" and so on. For some reason my DHCP server does not match these tags.

How do I get back the old agent.circuit-ids?

TIA
Matthias
#2
German - Deutsch / Load balancing & Fail over
December 29, 2023, 12:36:56 PM
Hello,

I have two VDSL connections and one LTE connection here. I would like load balancing for the VDSL connections and the LTE as failover. For this I built a gateway group with the two VDSL as Tier 1 and the LTE as Tier 2. On the gateways I enabled monitoring and ticked "Upstream gateway".

But now I keep seeing traffic on the LTE. How do I prevent this, or rather, how do I do this correctly?

TIA
Matthias
#3
23.7 Legacy Series / Routing or TCP Relay
December 09, 2023, 02:35:34 PM
Hi,

my setup looks like this:

MailServer -> OpnSense1 -> Wireguard (Internet) -> OpnSense2 -> Internet

Port 25 of the mail server has to be routed to OpnSense2 to reach other mail servers. IMHO there are two possible solutions:

1. A policy based route on OpnSense1 pointing to the LAN address of OpnSense2 where the packets get NATed and routed out to the internet.

2. A TCP relay on OpnSense2 used at the mail server.

For 1. I can't figure out how to configure the routing in OpnSense1 and for 2. I don't know which plugin to use. A mail relay on OpnSense2 is no option for me.

Any suggestions?

TIA
Matthias
#4
I just want to say "thank you" for the really nice new traffic graphs and especially for the new traffic widget. Exactly what I needed. Great work!

#5
20.7 Legacy Series / IPv6 radvd stops working
November 08, 2020, 11:57:42 AM
Hi,

since I've upgraded to 20.7, about every month radvd stops working, and so does IPv6 on my internal interfaces, as the default route expires and isn't renewed. I have to restart radvd. After this everything is back to normal.

How do I debug and fix this?

TIA
Matthias
#6
20.7 Legacy Series / current setup to cluster
October 14, 2020, 12:39:05 PM
Hi,

I've a running setup on a single appliance and I want to add a second appliance to create a cluster. Is it possible to do this without wiping my existing setup?

TIA
Matthias
#7
Hi,

I've 3 up links, A, B and C. A is my default gateway. I use policy based routing to direct LAN (and VLAN) traffic to one of these up links. This works as expected.

I've configured my IPsec VPN to use the interface of up link C. Now I need the IPsec VPN to use the gateway of up link C. To get this I need policy based routing entries for firewall local traffic (ESP, ISAKMP, NAT-T). I can see auto generated rules on up link C for the IPsec traffic with the gateway of up link C set as gateway. But what I found is that they do not get used.

When I do "ipsec up con1" and look at my up link A interface by tcpdump I see the ESP traffic on A instead of C.

When I initiate IPsec from the remote site I see the ESP packets arrive on C and the answers of OpnSense on A.

How do I get this working?

TIA
#8
18.7 Legacy Series / HA best practice
January 09, 2019, 08:53:54 PM
Hi,

now, as I've gained some experience with OPNsense, I plan to switch to HA. My current setup is no longer trivial by now. I've 3 up links: one static and two with PPPoE. I've also 5 internal links with LACP with a variety of VLANs and I make use of HAProxy. I need HA as the firewall not only manages the internet traffic. It also manages the complete internal communication. All my systems are dependent on the firewall.

What is the best approach in this environment to "switch" to HA? What about the PPPoE connections? How do they get handled? What is best practice? Right now I've read everything about HA and CARP in the wiki.

TIA
#9
Hi,

I've a few comprehension questions about "pf" in general and with dual stack in particular.

  • Is there a file containing the pf configuration in OPNsense like /etc/pf.conf in FreeBSD?
  • I found that I can create an alias containing IPv4 and IPv6 addresses and then use it in an IPv4+IPv6 rule. Is this correct?
  • If 2. is correct: how does pf handle this internally?

What I miss most is a real, generic "internet object" which addresses "all non local" traffic. I know the workaround with aliases, but with more than one or two internal interfaces (12 in my case ...) it's a real pain as I have to create an "internet" alias for every interface which excludes all the others.

TIA
#10
18.7 Legacy Series / [SOLVED] ICMP on WAN interfaces
January 04, 2019, 05:05:47 PM
Hi,

ICMP with IPv4 from and to my WAN interfaces does not work for some reason. Any other traffic, ICMP via NAT from internal networks, and ICMP with IPv6 on WAN interfaces works. The only thing that does not work is ICMP IPv4 from and to firewall WAN interfaces. I've created a simple rule with just "Protocol: IPv4+6 ICMP". As I've multiple WAN interfaces I've tested with "ping -S WANIP TARGETIP" too. No success. When I ping the WAN interface I can see the ICMP echo requests with "tcpdump" but no replies. PFLOG does not show blocks.

How can I make ICMP with IPv4 on WAN interfaces work?

TIA
#11
18.7 Legacy Series / Rule Design
January 03, 2019, 10:49:33 AM
Hi,

in my setup I've multiple interfaces, VLANs and up links. I've a mail relay in a DMZ VLAN. The mail relay receives mails and forwards them to the internal mail server. So I've a rule which allows SMTP from the internet to the mail relay and one to allow SMTP from the mail relay to the internal server. For outgoing mail I've one rule to allow SMTP from the internal mail server to the mail relay. Pretty simple so far.

Now I need a rule which allows the mail relay to send mail to the internet but NOT to any other interfaces or VLANs. See my current SMTP rules attached. The first is the one to allow incoming mails but the second will IMHO allow SMTP to any destination even to hosts on other interfaces or VLANs.

What is best practice to design a rule or rule set to get this working as expected? An additional real mail relay on the firewall is no option as I want my mail relay to do the work.

TIA
#12
Hi,

I've an internal PKI and created an intermediate certificate for my Opnsense with:


X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA


and imported the root certificate and the intermediate certificate with the private key. When I try to issue a server or client certificate using the intermediate certificate I get:


The following input errors were detected:

openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


How do I fix this?

TIA
#13
18.7 Legacy Series / Map IPv6 to IPv4
December 12, 2018, 10:04:17 PM
Hi,

for some good reason :) I need to map an IPv6 address to an internal RFC1918 IPv4 address.

IPv6-Client -> IPv6-Port-At-Firewall -> IPv4-Port-Internal-RFC1918-Address

E.g. a TCP relay which listens on an IPv6 address / port on the firewall and forwards all traffic to an internal RFC 1918 IPv4 address / port. Something like this:

socat TCP6-LISTEN:1234,fork TCP4:1.2.3.4:1234

or

6tunnel -6 1234 1.2.3.4 1234

or using xinetd


service rdp_port_forward
{
    flags           = IPv6
    disable         = no
    type            = UNLISTED
    socket_type     = stream
    protocol        = tcp
    user            = nobody
    wait            = no
    redirect        = 1.2.3.4 1234
    port            = 1234
}


What is the best way to do this or something similar with OPNsense? Can this be done by a simple pf rule or perhaps by HAProxy?

TIA
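As an added example (not from the post and not OPNsense code), the same v6-listener-to-v4-backend splice the socat/6tunnel/xinetd lines above perform, written as a small asyncio relay. The demo function brings up a constructed echo backend on IPv4 loopback and relays to it; "::1" as listen address is an assumption for hosts with IPv6 loopback.

```python
import asyncio

async def _pump(reader, writer):
    """Copy bytes in one direction until EOF, then close the receiving side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass  # peer reset: treat like EOF
    finally:
        writer.close()

async def start_relay(listen_host, listen_port, target_host, target_port):
    """Accept TCP clients on listen_host:listen_port and splice each to target.
    The internal host only ever sees the relay's own source address."""
    async def handle(client_reader, client_writer):
        try:
            target_reader, target_writer = await asyncio.open_connection(
                target_host, target_port)
        except OSError:
            client_writer.close()  # backend unreachable: drop the client
            return
        await asyncio.gather(_pump(client_reader, target_writer),
                             _pump(target_reader, client_writer))
    return await asyncio.start_server(handle, listen_host, listen_port)

async def _echo(reader, writer):
    """Stand-in for the internal IPv4 service (constructed for this demo)."""
    await _pump(reader, writer)

def relay_roundtrip(payload: bytes, listen_host: str = "127.0.0.1") -> bytes:
    """Start echo backend and relay on ephemeral loopback ports, push payload
    through the relay, return the reply ("::1" exercises the v6->v4 split)."""
    async def main():
        echo_srv = await asyncio.start_server(_echo, "127.0.0.1", 0)
        echo_port = echo_srv.sockets[0].getsockname()[1]
        relay_srv = await start_relay(listen_host, 0, "127.0.0.1", echo_port)
        relay_port = relay_srv.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection(listen_host, relay_port)
        writer.write(payload)
        await writer.drain()
        reply = await reader.readexactly(len(payload))
        writer.close()
        await writer.wait_closed()
        relay_srv.close()
        echo_srv.close()
        return reply
    return asyncio.run(main())
```

Because the backend sees only the relay's address, filtering by original client must happen on the listening side (a pf rule on the firewall's IPv6 port), exactly as with socat or xinetd.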
#14
18.7 Legacy Series / PPPoE & IPv6 Gateway
December 06, 2018, 09:52:08 AM
Hi,

for policy based routing I need gateway entries for every interface. I've set static IPv6 addresses for my PPPoE interfaces and "IPv6 Upstream Gateway" is set to "auto detect". How do I get an entry in the gateway table for these interfaces? The IPv4 entries get generated automatically. The IPv6 entries don't.

Now I've tried something different. I've used DHCPv6 as described here https://wiki.opnsense.org/manual/how-tos/ipv6_dsl.html and a gateway entry is generated automatically. This assigns an IPv6 address to the interface. How do I assign an (additional?) static IPv6 address to the interfaces? By setting a virtual IP?

TIA
#15
18.7 Legacy Series / No IPv6 address on PPPoE Interface
November 30, 2018, 04:58:56 PM
Hi,

I've three WAN interfaces, one static and two PPPoE interfaces. All interfaces with static IPv4 and IPv6 addresses. IPv6 works with the static and the first PPPoE interface. The new, second PPPoE interface receives its static IPv4 address by PPPoE. As with the first PPPoE interface I've configured the IPv6 address manually as static, but it does not get assigned to the interface pppoe1.

Any suggestions how to fix this?

TIA

Firmware: latest 18.7
#16
18.7 Legacy Series / more than one IP at one interface
September 27, 2018, 09:52:23 PM
Hi,

how can I add IPs (v4&v6) to an interface? Some (v4) addresses need to be forwarded to internal hosts and some (v4&v6) addresses will be needed as bind target for services like NginX.

TIA
Matthias
#17
18.7 Legacy Series / more complex setup
September 26, 2018, 04:11:07 PM
Hi,

I plan a bit more complex setup. See attachment. I've three VDSL connections. All with static public IPv4 and IPv6. One with an IPv4 subnet and a /48 v6 prefix. The other two get single v4 addresses and a /56 v6 prefix. Internally I plan to have VLANs only and, depending on the VLAN, different outgoing NAT setups and IPv6 nets. Communication between the VLANs has to work too.

Is this doable with OPNsense?

TIA
Matthias
#18
18.7 Legacy Series / [SOLVED] PPPoE & IPv6
September 26, 2018, 03:08:50 PM
Hi,

I've set up a PPPoE interface which should work in dual stack mode with fixed IPv4 and IPv6 addresses. I want to set the IPv6 address. I've set IPv6 to "static" but the address does not get set. The interface always uses a generated IPv6 address.

How do I fix this?

TIA
Matthias
#19
18.7 Legacy Series / Strange IPv6 behavior after update
September 07, 2018, 05:00:44 PM
Hi,

today I received my new OPNsense appliance. I set it up with IPv4 and IPv6 and everything worked as expected. Then I updated it to the current version 18.1.13_1-amd64 and IPv6 stopped working. I found that just no IPv6 packets left the appliance. I've seen my ICMP echo requests arrive but no answers. IMHO the packets got dropped. I had to remove the IPv6 address from the WAN interface and then re-add it to make it work again.

Just want to let the devs know about this strange behavior.

Matthias