OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: BeanAnimal on August 04, 2020, 10:19:33 pm

Title: One issue after the next
Post by: BeanAnimal on August 04, 2020, 10:19:33 pm
NAT reflection - had huge issues (never resolved, can't remember version, there is a thread) for a very basic setup. I have no idea if this is fixed or what the issue was, nobody had any clue other than the standard "it works for me" answer.

Had a VLAN tag issue after a firmware upgrade - could not get them resolved. Had to start from bare metal a year or so ago (19 to 20 I think).

Now

UPnP - was working some versions ago - upgraded to some 20.something and it broke. Nothing changed in config. Finally got tired of "Moderate NAT" on Xbox so set out this week to fix it.

Nothing worked other than ANOTHER bare metal install! BAM, UPnP starts working. I very carefully added back every rule, interface, etc.

I was still on Hyper-V and had no reason to be, so decided to MOVE to bare metal.

MORE ISSUES - Configs between the Hyper-V instance and bare metal are not compatible. hn# interfaces became igb# interfaces. I was able to get some stuff running, but not others. The config was a mess. So much for a backup.

Bare metal again!
This time 20.7 - I mean, why not start fresh with the latest, right?

Latest issue:
UPnP is fixed but now the IPVanish client will not work. Same f'ing settings as before and same f'ing settings that worked 72 hours ago on 12.1 bare metal.

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

Then:
Found a new bug - fiddling with settings, turning TLS Authentication on and off to see the error state change. And now, turning it back on will not allow me to paste in a TLS auth key.

I get:
The following input errors were detected:
The field 'TLS Authentication Key' does not appear to be valid

The error, and the fact that I can't even change the key now, tell me that something is corrupt and not properly applying the encryption to either the key or the tunnel.

I really want to like this firewall and keep coming back, but then suddenly remember why I left. It feels like anything more than simple LAN-->Internet is an exercise in frustration and updates are sure to break something every time.

Title: Re: One issue after the next
Post by: banym on August 04, 2020, 11:04:52 pm
Sorry to hear about your bad experience with OPNsense.

The migration "problem" from Hyper-V to bare metal is not a problem. It is caused by the fact that the interfaces are named by the driver. The Hyper-V emulated interfaces are different from your bare metal interfaces. This is why the name changes. Should not be a big problem since you can assign them on the console to the new interfaces.
This needs to be done if the order of the interfaces in a new box changes, too.

The problem with IPVanish seems to be related to a missing key in the configuration?
Have you imported the key?


Title: Re: One issue after the next
Post by: BeanAnimal on August 04, 2020, 11:10:30 pm
Thank you for the response:

RE: Interface names
I do understand why the names changed, but editing in the GUI did not fix the issues. Also - there was no way to remove the orphaned assignments, and attempting to edit all instances in the XML and then import did not work either. I gave up and started over. Water under the bridge now...


RE: IPVanish
... giving up here. No need to respond or look into any of the issues. This is a complete waste of my time.

Thanks again for the attempt to help.

Title: Re: One issue after the next
Post by: BeanAnimal on August 04, 2020, 11:21:57 pm
... see above.

Feel free to close this thread. I am moving on and may come back at a later date. I can't devote hour upon hour fiddling with this to get simple services setup.

Thanks again for the help. Like I said, I want to love this firewall, but don't have time to fiddle with it in its current state.

Title: Re: One issue after the next
Post by: darkain on August 05, 2020, 07:02:43 pm
As an FYI, the issues with Xbox NAT have nothing to do with UPnP at all.

OPNsense, for security reasons, uses port randomization during NAT, and this breaks peer-to-peer communication of game consoles. This issue affects Xbox, PlayStation, Nintendo Switch/Wii U/DS, and even some desktop games.

All you need is essentially a static DHCP lease for the game console, set hybrid NAT type, and then create a NAT rule with static port enabled for the given console's IP address.

https://ultramookie.com/2020/05/opnsense-xbox-live/


Also, VLAN tagging issues are generally not an OPNsense firmware issue, but a FreeBSD driver issue. These are generally fairly easy to overcome, but without knowing which NICs are being used, there isn't much I can say to that.

Title: Re: One issue after the next
Post by: BeanAnimal on August 05, 2020, 08:22:43 pm
Darkain - my intent is not to be argumentative - but it is not that cut and dried:

I DO have a static DHCP lease on the Xbox
UPnP WAS working - it broke
A static NAT rule was unable to get more than "moderate" on the Xbox

Started over (again) on bare metal and UPnP now works with static DHCP, 1:1 NAT AND UPnP.... Insanity that it takes this much to get something rather simple to "work".

The VLAN issues I have had have all been the result of firmware updates - stuff just breaks. BTW, Intel NICs.

The other issue I have is NAT reflection - plain and simple, it doesn't work. Works on Cisco, Sophos, Palo Alto, etc. Just not on OPNsense.

Like I said, I like the UI and the idea! I think that a lot of very talented work has been put into this. That said, for anything more than a simple internet router, this product is a toy for folks who like to hack at things, not a product I would put in a business. There are just too many little bugs, breaking changes and things that just don't work.

Thanks for the response

Title: Re: One issue after the next
Post by: BeanAnimal on August 05, 2020, 11:23:51 pm
So the NAT issues for the Xbox were due to aliases being somehow borked - I deleted them and used IPs and hard-coded ports instead. Issues resolved. On a whim, deleted and recreated the aliases and they are working too.

That said, for whatever odd reason, UPnP has been working.

NAT reflection is still a disaster - so I just manually build the outbound redirect rules to get it to work.

I have calmed down a good bit and have most things working, albeit I am still very frustrated that tinkering with this firewall every few months to get things to work is a never-ending battle.

See you again in a few months when the next update comes ;)

Title: Re: One issue after the next
Post by: deasmi on November 20, 2020, 01:38:59 pm
A quick note to confirm the point about aliases.

If I use an alias for static-port mapping rules, it just doesn't work.

If I change them to use hard-coded IP addresses, suddenly it is working correctly.

I will open a bug report if I can make a simple repeatable test.
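As an added illustration, not taken from any post above and not the rule set OPNsense itself generates, the following hand-written pf.conf fragment shows what the console setup darkain describes (static DHCP lease, a static-port outbound NAT rule for that one host) boils down to at the packet-filter level, and shows the alias form next to the literal-address form that deasmi and BeanAnimal found to behave differently. The interface name igb0, the LAN 192.168.1.0/24 and the console address 192.168.1.50 are constructed placeholders.

```pf
# Constructed example: a pf.conf fragment approximating OPNsense's outbound
# NAT for a game console. Interface, LAN subnet and console IP are assumptions.
wan_if  = "igb0"
lan_net = "192.168.1.0/24"
console = "192.168.1.50"        # the console's static DHCP lease

# pf equivalent of an OPNsense host alias: a table holding the console address.
table <gaming_consoles> { 192.168.1.50 }

# 1. Console-specific rule, placed FIRST: pf applies the first matching
#    translation rule. "static-port" keeps the original source port, which is
#    what console peer-to-peer matchmaking needs. It is scoped to the single
#    host so the rest of the LAN keeps randomized source ports.
nat on $wan_if inet from $console to any -> ($wan_if) static-port

# Same rule written against the table instead of the literal address
# (the form the thread reports as not working for two posters at the time):
# nat on $wan_if inet from <gaming_consoles> to any -> ($wan_if) static-port

# 2. Catch-all outbound NAT for everything else: no static-port, so pf
#    randomizes source ports, the default darkain refers to.
nat on $wan_if inet from $lan_net to any -> ($wan_if)
```

Two things to check when comparing this against a real box: the static-port rule must sit above the catch-all, because translation rules are first-match, and it should match only the console's address, since static-port gives up source-port randomization for whatever it covers. If a rule built on an alias misbehaves while the literal address works, confirm the generated table actually contains the expected address before assuming the rule logic is wrong.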