After switching from Vodafone cable to Telekom fiber, IPsec tunnels no longer work.
Old config: Vodafone cable Fbox with a fixed IP in front of OPNsense. OPNsense was the Exposed Host of the Fbox. The external IP of the OPNsense was a public IPv4 address. Vodafone provided a small subnet. IPsec tunnels worked.
New config: Telekom fiber modem connected to the Fbox, then OPNsense. OPNsense is the Exposed Host of the Fbox. The external IP of the OPNsense is now an IPv4 address 192.168.178.2 from the Fbox. IPsec tunnels do establish connections, but pinging into the networks is not possible! The rest of the NAT config (port forwardings) works.
I can't find the error. What has apparently changed is the fact that the external IP address of the OPNsense is now a private IP address.
No IPsec connections are configured in the Fbox.
I think it would probably be easier to connect the fiber modem directly to the OPNsense and leave out the Fbox. No double NAT etc.
However, I often deal with such configs elsewhere (Fbox as a replacement for a DSL modem), and for that reason alone it would be important to find a solution for this.
But after a lot of trying I have no more ideas where to start.
« Last post by Monviech on May 17, 2024, 11:33:39 pm »
Destination any is too broad; you have to choose your external IP address or "WAN Address" (probably "dsl Address" in your case since the interface name is dsl) as destination.
« Last post by Greg_E on May 17, 2024, 10:15:55 pm »
It's all working fine on my T740 with an Intel branded i350, you are right, sometimes the HP and Dell branded cards have different firmware and might work slightly differently.
I did a little work with a 10gtek i350 card, this was a brand new card that I'm going to use in my long term production server, basic testing said it worked fine, but it was $80usd.
The T740 and used i350 cards are my lab machines, but one is in "production" at the moment while I get the production machine ready.
« Last post by Greg_E on May 17, 2024, 10:08:26 pm »
I had PFsense running at home also with tmobile... You should have seen packet loss and probably connection loss if that feature has been turned on.
How were you getting around CGNAT with pfsense? There are no real static IP given to home users on tmobile, though some have been able to figure out how to get ipv6 to do this (like it was designed to do). Sorry, no additional details on this because I haven't sat down long enough to try and figure out how I can or can not.
« Last post by hr3078 on May 17, 2024, 09:54:36 pm »
Hello OPNsense Community,
I am new here and only learning the basics so far, I am seeking help with configuring my OPNsense firewall to block access from a specific VLAN (IoT devices) to my main network and gateway. Below is a detailed description of my setup and the steps I've taken so far.
Network Setup:
- Main Router (Default Gateway): 192.168.0.1
- Firewall (OPNsense): 192.168.1.1
- VLANs:
  - VLAN10 (Roaming): 10.0.10.0/24
  - VLAN20 (Services): 10.0.20.0/24
  - VLAN30 (IoT): 10.0.30.0/24
- Devices:
  - IoT devices are connected to VLAN30 via a wireless access point.
Goals:
- Block IoT devices (VLAN30) from accessing the main network (192.168.0.0/24).
- Block IoT devices from accessing the default gateway (192.168.0.1).
- Allow IoT devices to access the internet.
Steps Taken:
1. VLAN Configuration:
   - VLANs are configured on a managed switch with the following setup:
     - Ports 2-3: VLAN10 (Untagged)
     - Ports 4-5: VLAN20 (Untagged)
     - Ports 6-7: VLAN30 (Untagged)
     - Port 1: Trunk (Tagged for VLAN10, VLAN20, VLAN30)
2. Firewall Rules:
   - VLAN30 Interface:
     - Block rule for `Source: 10.0.30.0/24` to `Destination: 192.168.0.0/24`.
     - Block rule for `Source: 10.0.30.0/24` to `Destination: 192.168.0.1`.
     - Allow rule for `Source: 10.0.30.0/24` to `Destination: any` (for internet access).
   - LAN Interface:
     - Added corresponding block rules for traffic originating from VLAN30.
3. NAT Configuration:
   - Using automatic outbound NAT rule generation.
4. State Table Reset:
   - Reset the state table after applying firewall rules.
Observations:
- Despite the block rules, IoT devices on VLAN30 can still ping and access the main network (192.168.0.0/24) and the default gateway (192.168.0.1).
Why Not Using Bridge Mode:
- I chose not to convert the ISP router to bridge mode to avoid disruptions with internet connectivity. Since I share the internet with my flatmate, maintaining stability and minimizing downtime was a priority. Changing the ISP router to bridge mode could have caused interruptions, and therefore, I opted to configure the network with the existing set
Firewall Rules Screenshots: Attached the firewall rules to this post
Logs:
- Enabled logging for block rules.
- Observed logs showing that packets from 10.0.30.4 to 192.168.0.x are being blocked, yet pings are still successful.
Questions:
1. Is there a specific order in which the rules should be placed?
2. Could there be any missing configurations in VLAN settings or NAT rules that I'm missing?
3. Should I configure additional settings on my wireless access point to support VLAN segregation?
I appreciate any insights or suggestions from the community to help resolve this issue. Thank you in advance for your assistance!
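The first question above (rule order) can be checked with a small model of how OPNsense evaluates interface rules: rules are first-match by default (pf "quick"), so the first rule whose source and destination match decides the packet and nothing below it is consulted. The following is an added example, not code from the post or from OPNsense; it re-creates the three VLAN30 rules described above in a tiny evaluator (the `Rule` class, `evaluate()` and the rule labels are this example's own names) and shows that the same three rules pass or block 10.0.30.4 -> 192.168.0.x depending only on where the allow-any rule sits.

```python
"""First-match rule evaluation as OPNsense does it for interface rules.

Added example, not from the post. Models the VLAN30 rule set from the post
with a minimal evaluator; the class, function and label names are assumptions
of this example, not OPNsense identifiers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "block" or "pass"
    src: str     # CIDR, single host, or "any"
    dst: str     # CIDR, single host, or "any"
    label: str = ""


def _matches(net: str, addr: str) -> bool:
    """True if addr is covered by net ("any" covers everything)."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def evaluate(rules, src: str, dst: str, default: str = "block"):
    """Return (action, label) of the FIRST rule matching src/dst.

    This is pf 'quick' semantics, which OPNsense applies to interface rules by
    default: once a rule matches, later rules are not consulted.  With no
    match at all the interface default (block) applies.
    """
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.label
    return default, "default deny"


# The post's three VLAN30 rules, ordered as a practitioner should keep them:
# the specific blocks above the broad allow.
VLAN30_RULES = [
    Rule("block", "10.0.30.0/24", "192.168.0.1/32", "block gateway"),
    Rule("block", "10.0.30.0/24", "192.168.0.0/24", "block main network"),
    Rule("pass",  "10.0.30.0/24", "any",            "allow internet"),
]

# Same three rules with the allow-any rule on top.  It matches every packet
# from VLAN30, so the two block rules below it never fire.
VLAN30_RULES_ALLOW_FIRST = [VLAN30_RULES[2], VLAN30_RULES[0], VLAN30_RULES[1]]


def main() -> None:
    # Constructed test packets: the post's IoT host towards the gateway,
    # another main-network host, and an internet address.
    for name, rules in (("blocks first", VLAN30_RULES),
                        ("allow first", VLAN30_RULES_ALLOW_FIRST)):
        print(name)
        for dst in ("192.168.0.1", "192.168.0.50", "8.8.8.8"):
            action, label = evaluate(rules, "10.0.30.4", dst)
            print(f"  10.0.30.4 -> {dst:<13} {action:<5} ({label})")


if __name__ == "__main__":
    main()
```

The evaluator models only the rule set of one OPNsense interface. If the ordering is already correct and the block rules are logged while the ping still succeeds, the model cannot explain that by itself; what it cannot see is a second path that bypasses the firewall (for example a switch port or access point SSID placed in the wrong VLAN), which is an assumption to verify on the switch and AP rather than something the post's logs establish.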