Topics

Hello,

I've got issue with a IPSEC tunnel site to side between Opnsense and Fortigate.

Here is my setup:

NET A <-> FORTIGATE <-> WAN <-> OPNSENSE <-> NET B

I can access NET A from NET B but I can't access NET A to NET B.

On my Fortigate I see packet going through corresponding IPSEC but I see nothing on Opnsense side (with tcpdump).

What could possibly be wrong ?

Thanks a lot.

Regards,
Mathieu

Hello,

After adding a rule or a virtual ip, after press "Apply", browser is loading during a few seconds and return me a PR_CONNECT_RESET_ERROR. I'm not sure when the issue happen first but I think it's when I editing a virtual IP.

If I have open a ssh session on the firewall to watch the logs i'm disconnected.

I'm not able to see anything in the logs, is there any way to have more verbose logs of the GUI ?

OPNsense 20.1.3-amd64

Regards,
Mathieu

Hello,

I've got a strange static routing behavior with 19.7.2 firmware.

Here is my routing table:

root@OPNsense:~ # netstat -r4
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default                  A.B.C.D               UGS        vmx3
100.64.0.0/24      172.18.4.21        UGS        vmx1
172.21.0.0/16      172.18.4.20        UGS        vmx1


I'm able to contact 100.64.0.0/24 but not able to contact 172.21.0.0/16, there is the traceroute:
root@OPNsense:~ # traceroute 172.21.169.103
traceroute to 172.21.169.103 (172.21.169.103), 64 hops max, 40 byte packets
1  172.18.4.21 (172.18.4.21)  0.523 ms  0.262 ms  0.200 ms

Wrong next hop is choosen. If I change Gateway priority of the two gateway (172.18.4.21 / 172.18.4.20), the behavior is reversed (172.21.0.0/16 is reachable but not 100.64.0.0/24)

On 17.1 problem is not present.

Regards,
Math

Hello,

I've got the following network (simplified, i've got many more networks of right side)

172.18.3.0/24<----->.150 vmx0[OPNSENSE BOX]vmx8_vlan2595 .150<---->192.168.151.0/24

I'm trying to nat the whole 192.168.151.0/24 to another subnet (10.155.0.0/24) because i'm not able to readdress this network.

I need to setup
- a source nat to replace source IP vmx8_vlan2595 ip
- a destination nat to translate 10.155.0.0/24 destination ip to real 192.168.151.0/24 ip.

rules extract from pfctl
nat on vmx8_vlan2595 inet from any to 10.155.0.0/24 -> 192.168.151.150 port 1024:65535
rdr pass log on vmx0 inet from any to 10.155.0.0/24 -> 192.168.151.0/24

For now it's not working. Same configuration is working on Sophos firewall

Iptables extract from sophos
Chain fw6_nat_out (1 references)
pkts bytes target                prot opt in     out     source               destination          optimization
    0     0 RANGENAT              all  --  *      *       0.0.0.0/0            0.0.0.0/0           skip_ip_match       hostset --dstid 405  RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254

Chain fw6_nat_pre (1 references)
pkts bytes target                prot opt in     out     source               destination          optimization
    0     0 RANGENAT              all  --  *      *       0.0.0.0/0            0.0.0.0/0           skip_ip_match        ENTITY MATCH  --fwruleid 6 hostset --dstid 405  RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254


Regards,
Mathieu

Hello,

Is there any way to bind frrouting service to carp status to avoid manual start on backup when failover occur ?

I want to have:
CARP status is master --> frrouting service start
CARP status is backup --> frrouting service stop

On pfsense we can use /etc/rc.carpbackup / carpmaster to handle this setup but this files not exist on opnsense.

Regards,
Math