Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - skydiablo

Pages: 1 [2] 3

General Discussion / Re: OPNsense Rewrite Discussion

« on: June 13, 2023, 01:42:25 pm »

I really don't want to bash anyone here, and at the end of the day, the one who takes action is the one who is right, not the one who just talks about it. The current MVC approach is certainly a good path, but when I look at the current code, it doesn't feel like an enterprise web application to me. Hence, my initial statement: Wouldn't a "greenfield" approach be worth considering?

General Discussion / Re: OPNsense Rewrite Discussion

« on: June 12, 2023, 04:20:16 pm »

Okay, so the current system will be migrated to a different codebase "on the fly." What about the challenge of bridging the old and new worlds? Wouldn't a complete rewrite free us from a lot of technical debt?

General Discussion / OPNsense Rewrite Discussion

« on: June 12, 2023, 03:55:47 pm »

Hello, has there been any recent attempt to rewrite OPNsense? I wanted to enable the addition of gateways to the Gateway API and therefore took a closer look at the source code of OPNsense. I don't want to say that it's bad, but it does seem quite dated. Not that I want to open a "yet-another-open-source-firewall" fork of OPNsense right away, but at least discussing whether it would make sense?

General Discussion / Re: VXLAN via Wireguard

« on: April 11, 2023, 04:04:36 pm »

this is an accepted issue and already fixed in BSD main-line: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261711

is this already merged into the current opnsense kernel? my current tests arent working yet, so i asking.

23.1 Legacy Series / Re: Assistance with ICS-DHCP Configuration Transfer to LAN-DHCPv4 GUI

« on: March 07, 2023, 03:26:27 pm »

I was able to help myself! First, I extended my desktop DHCP client config to request DHCP option 125. To do this, I simply added the number 125 to the "request" field in the "/etc/dhcp/dhclient.conf" file.
Then, I queried the already configured ICS DHCP server using the command "sudo dhclient -i eth0". At the same time, in a separate terminal, I ran the tool "dhcpdump -i eth0". As a result, the specific response was displayed, which I was able to adopt 1-to-1.

I hope that this could help someone who may have a similar topic as I did.

regards, volker.

23.1 Legacy Series / Assistance with ICS-DHCP Configuration Transfer to LAN-DHCPv4 GUI

« on: March 01, 2023, 05:12:34 pm »

Hello, I have an existing ICS-DHCP configuration that I would like to use in the LAN-DHCPv4 GUI. I'm not sure how to read the configuration, so I'm unsure how to transfer it to the GUI. All of my previous attempts have been unsuccessful. The crucial point is that I need to correctly implement option 125 "option genexis.config "http://x.y.z.1:7567/file.conf";" Further up in the configuration, there are various definitions that describe the option, but I'm not entirely sure how to create the option 125 and how to generate the value, and possibly hex-code it into the GUI. Here's the configuration that has worked so far:

Code: [Select]

# Configuration via DHCP with "Option 125"
# OPTION 125
option space genexis;
option genexis.fw code 2 = text;
option genexis.config code 3 = text;
option space vivso code width 4;
option vivso.iana code 0 = string;
option vivso.iana 01:01:01;
option vivso.genexis code 25167 = encapsulate genexis;
option option125 code 125 = encapsulate vivso;
 
subnet x.y.z.0 netmask 255.255.255.0 {
  range x.y.z.10 x.y.z.240;
  option subnet-mask 255.255.255.0;
  option broadcast-address x.y.z.255;
 
#OPTION 125
# define config file
  option genexis.config "http://x.y.z.1:7567/file.conf";
}

High availability / Re: IPsec with HA and Carp failover issue

« on: December 21, 2022, 12:23:59 pm »

old topic, but same problem! so you mentioned some workarounds in your question, is this the way to go?

regards, volker.

High availability / No internet-uplink in backup-node with static WAN IP

« on: September 27, 2022, 11:03:10 am »

hi,
in my ha setup, i have to configure the public WAN ip as static, so i generate an CARP solution. but in case all is normal, my backup-node has no internet WAN ip and also no internet uplink. my problem is, i can not install updates or anthing else which is needed internet on backup-node?!
how can i use the master-node as internet/default uplink for the backup-node? in an automatic mode, of ourse.

thx, volker.

Virtual private networks / Re: Outbound NAT to IPSEC tunnel

« on: June 29, 2022, 03:49:11 pm »

okay, i have solved by my own with this post by reddit: https://www.reddit.com/r/OPNsenseFirewall/comments/hrdzti/nat_not_working_with_ipsec_vpn/

thx for attention.

**German - Deutsch / Re: OPNsense / *sense (Online) Usergroup?**

« on: June 29, 2022, 08:02:04 am »

das klint ja toll hier! wann wäre das nächste treffen?

Volker.

Virtual private networks / [SOLVED] Outbound NAT to IPSEC tunnel

« on: June 28, 2022, 03:29:37 pm »

Hi! i have an dummy network, an loopback interface with assigned IP (192.168.200.1/24). also an running IPSEC tunnel (non routed, non VTI). so i want my local LAN to NAT over this dummy network, so that any request from my local LAN is NATed by 192.168.200.1:

Code: [Select]

                                      ┌────────────────────────┐
                                      │                        │
┌───────────────────┐                 │ ┌────────────────────┐ │
│                   │                 │ │                    │ │
│  Remote Network   │   IP-SEC-Tunnel │ │  Dummy Network     │ │
│  10.22.248.0/21  ─◄─────────────────►─┼─ 192.168.200.0/24  │ │
│                   │                 │ │                    │ │
└───────────────────┘                 │ └─────────▲──────────┘ │
                                      │           │            │
                                      │           │            │
                                      │  ┌────────┴─────────┐  │
                                      │  │                  │  │
                                      │  │  Outbound NAT    │  │
                                      │  │                  │  │
                                      │  │   10.50.0.0/24   │  │
                                      │  │        │         │  │
                                      │  │        ▼         │  │
                                      │  │  192.168.200.1   │  │
                                      │  │                  │  │
                                      │  └────────▲─────────┘  │
                                      │           │            │
                                      └───────────┼────────────┘
                                                  │10.50.0.2
                                                  │
                                                  │
  ┌───────────┐                       ┌───────────┴───────────┐
  │           │                       │                       │
  │  Machine  │                       │  Local LAN            │
  │           │10.50.0.107            │  10.50.0.0/24         │
  │           ├──────────────────────►│                       │
  └───────────┘                       │                       │
                                      └───────────────────────┘

i have just add an outbound NAT, and try to ping from an machine like 10.50.0.107 to 10.22.250.1 ... the machine knows the right route (10.22.248.0/21 via 10.50.0.2 dev eth0) but no success. there is no NAT ing and no packet is arriving the IPSEC remote network.
is it possible like this to NAT the traffic to an IPSEC tunnel?

Virtual private networks / Re: ipsec => fortigate -vs- opnsense

« on: June 28, 2022, 03:09:43 pm »

my problem was an miss-configured fortigate, so i miss an rule for the ipsec tunnel:

TLTR: https://community.fortinet.com/t5/FortiGate/Technical-Note-Log-message-ignoring-request-to-establish-IPsec/ta-p/198467

Virtual private networks / [SOLVED] ipsec => fortigate -vs- opnsense

« on: June 24, 2022, 04:13:55 pm »

hi!
i'm trying to establish an ipsec tunnel (routed VTI) between my fortigate (v7.0.6) and an opnsense (22.1.9). my problem is already in phase 1, my fortigate call me an error like "peer SA proposal not match local policy"

my current config is attached as images.

any hints or additionals info request?

thx, volker.

Virtual private networks / Re: Extend VLAN across Wireguard

« on: December 08, 2021, 08:57:38 am »

the problem is only happens if the VXLAN routed over wireguard, an direkt p2p without wireguard is working like a charm.

Virtual private networks / Re: Extend VLAN across Wireguard

« on: December 07, 2021, 03:18:46 pm »

checkout attachment, this is a complete tcpdump from wg interface if i try to ping the vxlan interface. the vxlan interface has no traffic at all

Pages: 1 [2] 3