Topics - naltalef

#1
Hello everyone. I'm having a problem installing OPNSense on VMWare ESXi 7.0.
Using the default install procedure I receive the following error when the installer is in the disk partition step:

Error mounting partition /mnt/boot/efi
mount_msdosfs: /dev/gpt/efifs: Invalid argument
The same error occurs if BIOS or EFI is selected in the VM setup.
This does not happen with VMWare ESXi 6.7 where I have installed several versions of OPNSense many times.

Does using EFI/GPT have any advantage? If the answer is yes, do you suggest any workaround?
Or, if it's not possible to use GPT, which of the disk partition options would be advisable to use, BSD or MSDOS?

I appreciate any advice

Many thanks
Norberto
#2
General Discussion / disable user from cli
January 09, 2023, 04:26:00 PM
Hi. Good 2023 to all!

I would like to know if it is possible to change user properties from the command line.

I have a client with about 200 OpenVPN users and the idea is to disable all users who have not used OpenVPN for a while, by running a script from cron each week.

Many thanks in advance
Norberto

#3
General Discussion / Bulk User Remove
October 13, 2021, 12:13:00 AM
Hi.
I have an installation with a lot of openvpn users defined. The authentication server is OpenLDAP.
I need to remove more than 300 users and I would like to avoid having to do it one by one from the web interface.

Is there a suggested method that could be used?

I don't like the idea, but could it be done by editing config.xml and removing <user> .... </user> and the corresponding certificate?

I will appreciate any suggestions.

Regards
Norberto
#4
Hello.
I need to configure two OpenVPN clients that connect to different servers.
I have two internet connections.
Each client would use a WAN, but if one of the WANs goes down I would like both clients to be able to use the other.

I would be grateful for any advice on how to do it.

Regards
Norberto
#5
Hello.
I'm testing Sensei but it stops after a while because it found a swap usage greater than 30%.

I am using version 1.7.1 with OPNSense 20.7.7_1

The box is a Lanner NCA-4210B with a Core i7 7100 processor and 16 GB of RAM.

Memory usage with Sensei turned ON is approx 45% and Swap use 0% (76/8192 MB).

Deployment mode: Passive
Database: Local Elasticsearch
Deployment Size: Large

Could someone help me to track down the source of the issue?
Any suggestions are greatly appreciated.

Regards
Norberto
#6
Hi.
I need to install a site-to-site OpenVPN tunnel between two sites that currently have a satellite link between them.
The default gateway in each site will be changed to the OPNSense box.

But, I'll need to have the satellite link as a backup if the VPN fails.

I could be constantly checking the VPN to see if it's up or not, and if it goes down, add a static route that goes through the satellite link router, but since they're in the same LAN, the returning traffic will not go to the OPNSense box, so a pf state is not going to be established.

I could set the rule up as stateless, but I don't like this idea, since it is only needed when the VPN goes down.

Is there some way to define a pf anchor? There's not a problem with not using the GUI for this.
If this is effectively possible, then the stateless rule would need to be loaded only if the VPN goes down. In the rest of the cases the normal rule would be used.

Any advice is much appreciated.

Regards
Norberto
#7
20.1 Legacy Series / User import too slow
March 18, 2020, 09:50:48 PM

Hi to everybody,

I have an OPNSense 20.1.3 running as an OpenVPN server, that authenticates users against an OpenLDAP server.
300 users have been imported from LDAP so far and currently 100 users are connected.

My problem is that when trying to import the remaining users that are defined on the LDAP, the process takes a really long time, approx. 5" with one user, 30" with 100 users. It's not a linear relationship.

Could it be that some resources are locked? (e.g. a file being written)

It doesn't seem to be a hardware problem. Load and memory usage are very low.

If someone could give me a hand on this problem it would be much appreciated.

Thanks,
Norberto
#8
Hi.
I need to install OPNSense to support about 100 OpenVPN clients simultaneously.
I'm planning to use a Lanner NCA 1031D (Atom N4200 with 8 GB RAM).

- Will the hardware be enough?
- What resource will be the most used? Memory? Processor? Both?
- What other topics should I consider?

Many thanks in advance.
Regards

Norberto
#9
19.7 Legacy Series / OpenVPN as client with dual WAN
December 05, 2019, 11:23:35 PM
Hi.
I need to migrate to OPNSense a firewall that currently runs on OpenBSD and functions as an OpenVPN client for several servers.

It has two internet links and in each case one is used as primary (active) and the other as secondary (standby).
To achieve this, each OpenVPN client has a config file such as the following:

# Primary
<connection>
        remote REMOTE_IP 1194
        local LOCAL_IP1
</connection>
# Secondary
<connection>
        remote REMOTE_IP 1194
        local LOCAL_IP2
</connection>

In the case that one of the links fails, an external script restarts each OpenVPN daemon in order to establish the VPN using the secondary link.

My question is about implementing this function in OPNSense and having it work in a similar manner.

I will be grateful for any suggestions you can make.

Regards
Norberto
#10
19.1 Legacy Series / read only user
March 13, 2019, 07:36:14 PM
Hi.

I'm trying to configure a read-only group.
In the group privileges I selected:

All Pages
System: Deny config write.

It works fine, but there are some exceptions like:

Firewall aliases can be modified.
Services like snmp, ftpproxy and monit can also be modified (I did not try all of them, but Network Time remains read-only, for example).

I would like to know what the correct way is to assign read-only permissions to a group or user.

Many thanks
#11
Hi.

I have found that all states are killed when the firewall rules are updated (when you click on "Apply Changes" after making any changes to the rules).

This happens if the "Disable state killing on gateway failure" option is unchecked.

I believe that this did not happen in version 18.10

Please let me know if you need additional data.

Many thanks
Norberto
#12
19.1 Legacy Series / Import LDAP users
February 11, 2019, 10:12:10 PM
I configured an OpenLDAP server and tested importing users.
It is working, but the Full Name appears empty and I can't edit it manually.
Is this normal?

The xml for an imported user looks like this:

  <user>
    <scope>user</scope>
    <name>peter</name>
    <user_dn>uid=peter,ou=people,dc=company,dc=com,dc=ar</user_dn>
    <descr/>
    <password>$2y$10$PLJ.NuquY3d3Rv5ELd2KMusQBm5uKNGIsY3A7KzcBxe6QgoNfN61a</password>
    <uid>2003</uid>
  </user>

Any suggestion ?

Thanks
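As an added example (not code from the posts or from OPNsense) of the config.xml edit floated in the "Bulk User Remove" post, using the <user> layout shown in the "Import LDAP users" post: the script below parses an OPNsense-style config.xml, lists the LDAP-imported users (the ones carrying a <user_dn>) and removes only the named ones among them, so local accounts such as root are never dropped by mistake. It assumes the <user> elements sit under <opnsense><system> (the parent element is not shown in the posts), the sample config is constructed, and the matching <cert> entries are left for separate handling.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <user> entries shown in the posts;
# placing them under <opnsense><system> is an assumption, and HASH stands in
# for the bcrypt password hashes.
SAMPLE_CONFIG = """<opnsense><system>
  <user><scope>user</scope><name>peter</name>
    <user_dn>uid=peter,ou=people,dc=example,dc=com</user_dn>
    <descr/><password>HASH</password><uid>2003</uid></user>
  <user><scope>user</scope><name>root</name>
    <descr>System Administrator</descr><password>HASH</password><uid>0</uid></user>
  <user><scope>user</scope><name>maria</name>
    <user_dn>uid=maria,ou=people,dc=example,dc=com</user_dn>
    <descr/><password>HASH</password><uid>2004</uid></user>
</system></opnsense>"""


def ldap_users(xml_text):
    """Names of users imported from LDAP: those that carry a <user_dn> element."""
    root = ET.fromstring(xml_text)
    return [u.findtext("name") for u in root.iter("user")
            if u.find("user_dn") is not None]


def bulk_remove(xml_text, names):
    """Remove the <user> elements named in `names`, but only if they are
    LDAP-imported; returns (removed names, new config XML as text)."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    wanted = set(names)
    removed = []
    for user in list(system.findall("user")):  # copy: we mutate while iterating
        name = user.findtext("name")
        if name in wanted and user.find("user_dn") is not None:
            system.remove(user)
            removed.append(name)
    return removed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # root is requested but skipped: it has no <user_dn>, so it is a local account.
    removed, new_xml = bulk_remove(SAMPLE_CONFIG, ["peter", "root", "nobody"])
    print("removed:", removed)
    print("remaining LDAP users:", ldap_users(new_xml))
```

On a real box, back up config.xml before writing the result and reload the configuration afterwards; the script only rewrites the XML text.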
#13
Hi.
I need to define a user with only Reboot System privileges in the GUI.
I found the GUI option "Diagnostics: Reboot System", but it is not working.
What additional options do I need to enable?

Many thanks
Norberto
#14
Hi.
I need to know if it's possible to force down a single gateway used in a group.

I know the option "mark gateway as down", but in my test this only excludes it from default gateway switching and does not change the pf rules.

Let me explain. I have a gateway group with 2 Tier 1 single gateways. Trigger Level: Packet Loss or High Latency.

For example, a pf rule looks like this (pfctl -sr):

pass in quick on igb3 route-to { (igb1 x.x.x.1), (igb0 y.y.y.1) } round-robin inet proto tcp from <proxy> to ! <priv_nets> port = http flags S/SA keep state label "USER_RULE: Acceso HTTP/HTTPS hacia Internet"

If I disable the igb1 interface, the rule correctly changes to:

pass in quick on igb3 route-to { (igb0 y.y.y.1) } round-robin inet proto tcp from <proxy> to ! <priv_nets> port = http flags S/SA keep state label "USER_RULE: Acceso HTTP/HTTPS hacia Internet"

I would like the same behavior if I mark the gateway assigned to igb1 as down. Is it possible?

I appreciate your advice

Regards
Norberto
#15
Hello everyone.
I'm looking into the possibility of replacing a firewall that is currently running OpenBSD.

They are two systems with CARP configured (active/passive) on HP ProLiant DL360 G7 servers
(quad Xeon E5640 @ 2.67GHz).
RAM: 6 GB

Network interfaces:
- Two symmetrical 150 Mbps Internet links (VLAN interfaces), 40% average use.
- DMZ (Gigabit interface)
- LAN (Gigabit interface), average use: 200 Mbps

pf states: approximately 50,000 - 60,000

I have some questions about this:

Does any of you have OPNsense installed on a firewall that manages this number of connections and this amount of traffic?

What CPU and RAM options would be reasonable for using OPNSense just for packet filtering? New hardware will be used (server or network appliance).

What needs to be upgraded if we add services such as Intrusion Detection, Netflow, Monit and Unbound in the near future?

Should the default Tunable Parameters be changed in any way?

Thanks in advance for any suggestions that come to mind.

Sincerely, Norberto.
#16
Hi everyone.
I found a problem trying to add a static route after adding a new interface.
Let me explain the sequence.

- start with no static routes defined.
- configure a new interface for DMZ (added after the initial installation)
- an empty static route appears (see attached image)
- when trying to add a route the form displays OK, but clicking on Save Changes does nothing and the form remains open

This is the change in the config (> new, < old):

314a315
>       <descr>OPT1</descr>
316,320d316
<       <descr>DMZ</descr>
<       <enable>1</enable>
<       <spoofmac/>
<       <ipaddr>10.0.201.1</ipaddr>
<       <subnet>24</subnet>
428,429c424,425
<     <time>1547845088.249</time>
<     <description>/interfaces.php made changes</description>
---
>     <time>1547756897.0184</time>
>     <description>/interfaces_assign.php made changes</description>
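Review bot: the legend "(> new, < old)" looks reversed for this diff: the `<` side carries the later timestamp (1547845088 versus 1547756897) and the later /interfaces.php change, so the `<` lines are the newer config and the `>` lines the older one; reading the other hunks with that in mind, the DMZ interface and the empty static route both belong to the newer file.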
699,704c695,696
<   <ppps>
<     <ppp/>
<   </ppps>
<   <staticroutes>
<     <route/>
<   </staticroutes>
---
>   <ppps/>
>   <staticroutes/>
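Review bot: the side that has the DMZ interface configured also carries `<staticroutes><route/></staticroutes>` and `<ppps><ppp/></ppps>`, i.e. empty `<route/>` and `<ppp/>` elements where the other side has bare `<staticroutes/>` and `<ppps/>`; the empty `<route/>` is exactly what shows up as the blank static route in the sequence above, so restoring `<staticroutes/>` (after backing up config.xml) is the concrete thing to try before adding routes again.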

Environment:
OPNsense 18.7.10-amd64
Proxmox VM

Is this a bug, or am I missing something?
Many thanks

Norberto
#17
Hi.
I found an issue with default gateway switching and I would appreciate any suggestion or workaround.

I had a dual WAN setup working fine.

Now I need to access an internal network that is not accessible via the default gateway.
So I added a new gateway and defined a static route. Great.

No problem until my default gateway went down and the gateway switching mechanism selected the internal gateway as default, which is not correct.

I can manually add the static route, but I need it to survive a reboot. How could I do this?

Many thanks

Norberto
#18
Hi.
I have a multi-WAN setup and I would like to receive mails when a gateway is down and also when it is up again.
I configured SMTP Notifications, and Gateway Down mails like the following are received OK:

MONITOR: WAN2_GW is down, removing from routing group WANGWGROUP

But no mail is received when the gateway is OK again.

Is there any way to receive mail on both events?

Additionally, I configured the monit service. Is there any way to configure this service to generate these alarms?

Many thanks in advance

Regards
Norberto
#19
18.7 Legacy Series / OpenVPN client export and Multi-WAN
November 18, 2018, 06:42:34 PM
Hi.
I'm using OPNSense 18.7.7 as an OpenVPN server and have a problem using OpenVPN Client Export when selecting "Automatic Multi-WAN IPs" or "Automatic Multi-WAN Dynamic DNS hostnames".

I expect two lines like these to be added to the config file:

remote servername1 1194 UDP
remote servername2 1194 UDP

but NONE appears.

I configured:

OpenVPN server listening on Localhost
DynDNS names, one for each interface
Firewall: NAT: Port forward rules

I will appreciate any suggestion or opinion.

Let me point out that I added both lines manually and the VPN is working perfectly.

Many thanks

Norberto