OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: nicovell3 on September 19, 2017, 12:49:06 pm
-
Hi,
Since the last OPNsense update (yesterday), some things stopped working at my firewall.
First of all, I have an IPsec tunnel established with my other firewall (always updated at the same time, so they have always the same versions of software). Every connection from each of the clients can be routed through the IPsec tunnel, but not the firewall connections. Let's put an example:
Firewall A <-> Firewall B
10.0.0.0/24 10.1.0.0/24
My firewall B IP is 10.1.0.1 and the DNS server is at 10.0.0.2. When I try to send things from 10.1.0.1 to 10.0.0.2, the packets are not reaching the destination. I've listened at enc0 in both firewalls and this is the problem: at firewall B I see the packets going out but at firewall A I can't see those incoming packets (but I see the firewall B clients' traffic). I've verified that I've got rules to allow all that traffic and I've set the necessary gateway and route at firewall B (if that wasn't done, I wouldn't see the outgoing packets at enc0). And this is the only IPsec tunnel enabled at each firewall (firewall A has another IPsec tunnel, but it's not enabled). This worked before the 17.7.2 update...
And also, I've got a lot of rules at my firewall. When I click apply rules (after modifying some firewall rule), a popup is displayed with the text "The settings have been applied and the rules are now reloading in the background.". But my rules are not reloaded in background. Before this update, I had a feature at the menu called "Filter reload", which I activated to force the application of the new rules, but now it doesn't appear at the menu. I have to log in through SSH and run "/usr/local/etc/rc.filter_configure". And then, rules are applied.
Does someone know how to fix these two things?
Regards.
-
Interpolating from your second point you upgraded to 17.7.2, but which version did you come from and/or which was your first OPNsense version? Leaving this info out will make it very hard to help.
You can reload the filter under Services: Diagnostics or from the respective Services widget on the dashboard.
Not sure why your rules don't reload normally, it sounds like it should be investigated.
As for IPsec, let's circle back when the other questions have been cleared up. :)
Cheers,
Franco
-
Hi Franco,
Thanks very much for your response! I've found the Packet Filter restart button, but it doesn't show me the progress as the Filter reload section did... Thanks anyway, that'll let me change rules without connecting over SSH.
Also, I don't remember which version I had before the update. I think it was 17.1.8, because the last time I had updated the firewall was in June.
Regards,
Nico.
-
Hi Nico,
The reload with the service button is synchronous, so the progress is 100% when the page comes back. The diagnostics messages weren't very useful as they gave some technical insights but no indication of progress in terms of % done. If there is an error during the reload, you will see it in the notifications anyway.
Ok, so we're looking at a 17.7 transition that could cause this. That's a good start.
Does ping work through both sides of the tunnel? What are your filter rules in the IPSEC tab on each side?
# ping -S YOUR.LEFTSUBNET.IP.ADDR A.RIGHTSUBNET.IP.ADDR
Cheers,
Franco
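Franco's `ping -S` hint is about the source address of packets the firewall generates itself. A policy-based IPsec tunnel only puts a packet into the SA (and so onto enc0) when its source and destination both fall inside a phase 2 selector pair, and a locally generated packet gets its source address from the route it leaves by. The following is an added illustration, not code from the thread or from OPNsense: it models that selector check with a simplified longest-prefix route lookup. The subnets and 10.1.0.1/10.0.0.2 are from the thread; the WAN address 203.0.113.5 and the route table are constructed assumptions, and real FreeBSD/strongSwan source selection has more rules than this model.

```python
"""
Added illustration (not from the thread or OPNsense): why firewall-originated
traffic can miss an IPsec tunnel that the LAN clients use fine, and what
`ping -S` changes.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Phase 2 traffic selectors as seen from firewall B (local <-> remote).
PHASE2_SELECTORS: List[Tuple[str, str]] = [("10.1.0.0/24", "10.0.0.0/24")]

# Constructed route table for firewall B: (prefix, address of the interface
# the route leaves through). 203.0.113.5 is a placeholder WAN address.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "203.0.113.5"),   # default route leaves via WAN
    ("10.1.0.0/24", "10.1.0.1"),    # LAN, directly connected
    ("10.0.0.0/24", "10.1.0.1"),    # remote subnet pinned to the LAN-side address
]


def pick_source(dst: str, routes: List[Tuple[str, str]] = ROUTES) -> str:
    """Simplified kernel behaviour: the most specific matching route wins and
    the outgoing interface's address becomes the packet's source."""
    d = ip_address(dst)
    best: Optional[Tuple[object, str]] = None
    for prefix, iface_ip in routes:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface_ip)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def matches_selector(src: str, dst: str,
                     selectors: List[Tuple[str, str]] = PHASE2_SELECTORS) -> bool:
    """True when src/dst sit inside some local/remote selector pair, i.e. the
    packet is eligible for the IPsec SA and would show up on enc0."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(local) and d in ip_network(remote)
               for local, remote in selectors)


def will_enter_tunnel(dst: str,
                      routes: List[Tuple[str, str]] = ROUTES,
                      selectors: List[Tuple[str, str]] = PHASE2_SELECTORS,
                      src: Optional[str] = None) -> Tuple[str, bool]:
    """src=None mimics a plain `ping dst`; src set mimics `ping -S src dst`.
    Returns (source address used, whether the packet enters the tunnel)."""
    source = src if src is not None else pick_source(dst, routes)
    return source, matches_selector(source, dst, selectors)


if __name__ == "__main__":
    # With the remote subnet routed via the LAN-side address: enters the tunnel.
    print(will_enter_tunnel("10.0.0.2"))
    # Without that route the default route wins, the WAN address is used as
    # source and the packet falls outside the selectors.
    no_pin = [r for r in ROUTES if r[0] != "10.0.0.0/24"]
    print(will_enter_tunnel("10.0.0.2", routes=no_pin))
    # ping -S forces the LAN-side source, which is exactly the diagnostic above.
    print(will_enter_tunnel("10.0.0.2", routes=no_pin, src="10.1.0.1"))
```

If a plain ping from the firewall fails but `ping -S <LAN address> <remote>` succeeds, the selector check is passing and the problem is the source address chosen by the route, not the tunnel itself; if both fail, look at the phase 2 selectors and the IPsec tab rules instead.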
-
Hi Franco,
The problem is now solved. I don't know why, but now the gateway to route the firewall B traffic through the tunnel can't have the IP configured. If I set up that gateway without IP, then it renames to dynamic and every packet is routed correctly. Services which were running before the gateway change needed to be restarted, but it works again. Thanks for your attention!
Regards,
Nico.
PS: I need to click the restart pf after each rule change to make them apply, but that's not a big problem.
-
Hi Nico,
PS: I need to click the restart pf after each rule change to make them apply, but that's not a big problem.
Glad to hear the other issue is resolved, but we should really find out why the rules reload doesn't work for you.
So when you edit a rule, the rules page loads again and offers you a blue box with an apply button, or does it not?
Cheers,
Franco
-
I need to butt in here as I have the same issue regarding IPsec after updating from 17.7 to 17.7.2, but setting the gateway to dynamic doesn't help me. ping comes back with "sendto: permission denied" :-\
Hosts behind the opnsense box can reach the other end just fine, just the box itself cannot. Which is pretty bad for some services running on that box connecting to servers on the other side of the tunnel.
btw. I cannot set routes with a dynamic gateway, the page comes back with
"The following input errors were detected:
The gateway 'dynamic' is a different Address Family as network '10.20.0.0'."
If I change the gateway back to a static IP I can then change the route and change the gateway back to dynamic.