Messages - mszeliga

#1
20.7 Legacy Series / VPN blocked by default deny rule
January 13, 2021, 12:04:58 PM
Hi

The OPNsense default deny rule in "floating" intercepts traffic from the IPsec VPN to a network connected directly to OPNsense; there are at least 2 rules which should ensure that traffic passes.

I've got a rule for that specific traffic in IPsec (DNS and HTTP/S) and added another one allowing all traffic from IPsec to everything in floating.

...any ideas?

btw. I do have my own Deny ALL rules on every interface, but these are never hit by the IPsec traffic - it goes straight to the floating default deny all rule.


After some more investigation:

IPsec traffic is blocked only if I select the predefined "IPsec net" as source; if I however create an alias with the IPsec network address and use that as the source, the traffic is going through - however responses are then being blocked (as I see it, responses are not seen as responses by the firewall but as new connections).

The firewall has several interfaces and all traffic is going as it should - only IPsec has problems.

...and something more:
responses to IPsec traffic are logged several seconds after the request leaves the firewall on the correct interface.

I have tried to change the IP address of the VPN just to verify that I don't have a routing issue; I have no problems with traffic between any other interfaces, and the firewall is the default gw. on all connected interfaces.
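The symptom described in this post (replies to an allowed request logged, seconds later, as blocked new connections) can be confirmed from the firewall log rather than by eye. The script below is an added example, not code from the thread or from OPNsense: it pairs every blocked packet with an earlier passed packet whose 5-tuple is the exact reverse, which is what a reply that missed state tracking looks like, and reports the delay and the interfaces involved. The log format it parses (time, interface, action, direction, proto, src, sport, dst, dport) is a constructed, simplified one, not the real filterlog layout; adapt parse_line() to the fields your firewall actually emits.

```python
"""Added example (not from the forum thread): find blocked packets that are
replies to flows the firewall passed shortly before, i.e. reply traffic being
treated as a new connection instead of matching existing state.

Log format below is constructed/simplified:
    time,iface,action,dir,proto,src,sport,dst,dport
It is NOT the real OPNsense filterlog layout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport

# Constructed sample: a DNS query from an IPsec client (10.99.0.5) is passed
# towards the LAN resolver; its answer is blocked 3.25 s later on the IPsec
# interface. A normal LAN client (192.168.1.50) is included as a control, and
# an unrelated inbound SSH attempt shows a block that is NOT a reply.
SAMPLE_LOG = """\
100.000,lan,pass,out,udp,10.99.0.5,53012,192.168.1.10,53
100.010,lan,pass,out,udp,192.168.1.50,41000,192.168.1.10,53
100.012,lan,pass,in,udp,192.168.1.10,53,192.168.1.50,41000
103.250,ipsec,block,in,udp,192.168.1.10,53,10.99.0.5,53012
104.000,ipsec,block,in,tcp,203.0.113.9,4444,10.99.0.5,22
"""


@dataclass
class Entry:
    ts: float
    iface: str
    action: str
    direction: str
    flow: Flow


@dataclass
class Finding:
    reply_ts: float
    request_ts: float
    request_iface: str
    reply_iface: str
    flow: Flow

    @property
    def delay(self) -> float:
        return self.reply_ts - self.request_ts


def parse_line(line: str) -> Optional[Entry]:
    """Parse one constructed log line; returns None for malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 9:
        return None
    ts, iface, action, direction, proto, src, sport, dst, dport = parts
    return Entry(float(ts), iface, action, direction,
                 (proto, src, int(sport), dst, int(dport)))


def reverse(flow: Flow) -> Flow:
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


def find_blocked_replies(log_text: str, window: float = 30.0) -> List[Finding]:
    """Return blocked packets whose reversed 5-tuple was passed within `window` s."""
    passed: Dict[Flow, Entry] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.action == "pass":
            passed[e.flow] = e  # latest request for this tuple wins
            continue
        req = passed.get(reverse(e.flow))
        if req is not None and 0 <= e.ts - req.ts <= window:
            findings.append(Finding(e.ts, req.ts, req.iface, e.iface, e.flow))
    return findings


if __name__ == "__main__":
    for f in find_blocked_replies(SAMPLE_LOG):
        print(f"reply blocked after {f.delay:.3f}s: {f.flow} "
              f"(request passed on {f.request_iface}, reply blocked on {f.reply_iface})")
```

A hit where the request was passed on one interface and the reply blocked on another, with a delay of seconds rather than milliseconds, points at the state entry not being found on the return path (interface binding of the state, or the packet taking a different path back) rather than at a missing pass rule; a hit with the same interface on both sides is more likely a genuinely missing or mis-ordered rule.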
#2
16.1 Legacy Series / Re: There is a serious problem!
April 10, 2016, 11:27:56 AM
Quote from: azdps on April 09, 2016, 02:19:39 PM
mszeliga first off thank you for reporting this issue. You created this post over a month ago with the subject "There is a serious problem!". Unfortunately you haven't had the time to provide any new information since then so the OPNsense team can troubleshoot this. I feel at this point it's appropriate to change the subject title to more closely resemble the problem you are experiencing. Maybe another OPNsense user is experiencing this same issue and could provide some additional helpful information. Again thank you for reporting the issue and hopefully in the future when you have the time this can be resolved.

I've sent a PM to Franco with a link to the whole VM (as Franco asked me) some days after I posted the first message.
I did see this at least 3 times (once on physical hardware and 2 times on virtual hardware).
My definition of "serious" regarding a firewall is when the firewall stops acting as a firewall: it may crash, it may burn, but it does NOT just drop all its filtering and pass all traffic.

Now if someone here claims that this was due to misconfiguration, then my claim is that the rule validation was broken! (but then why does it not work with a restored, previously working, config?)

We may of course also just hope that the problem has disappeared in 1.6.8, I am going to install it soon.

I am however open to suggestions for a better title...

#3
16.1 Legacy Series / Re: There is a serious problem!
April 09, 2016, 11:30:42 AM
Quote from: temporaryuser on March 15, 2016, 11:53:53 AM
Hi Franco & Maciej,

Quote from: franco on March 09, 2016, 11:13:22 PM
That would indeed be helpful. Can you PM me the download link?

Is there any update on this serious matter?

Regards
temporaryuser

I SHOULD probably write that I only had this problem during configuration.

Sorry, I have been quite busy at work.

Regards
Maciej
#4
16.1 Legacy Series / Re: There is a serious problem!
March 09, 2016, 06:58:27 PM
It seems that the filter stops filtering, everything else is working.

The problem is that you really can't see it: the web interface is running and it is possible to change settings, but no changes will fix the problem. The only visible symptom is that I've got a handful of log entries about IGMP packets from 10.0.0.0 and then the logging stops (the other possibility has been continuous log entries of this type).
After that all packets seem to be forwarded... just like it would be through a simple router.

A restore of an earlier configuration may fix the problem, but I had to go 5 backups back before it worked.

One important clarification is needed: this has only happened on configuration changes and not during normal operation.

I am looking for the logs now; if the opnsense team wants the whole VM I could upload that.

regards
Maciej
#5
16.1 Legacy Series / Potential firewall problem
March 08, 2016, 09:48:09 PM
Hi

I have now several times experienced a situation where the firewall crashes and becomes a simple router.

I have experienced this behaviour running virtualized and on real hardware, and both in 15.7 and 16.1.
I do not know what happens (yet), but when the firewall crashes the result should be no traffic passing instead of all traffic passing.

After this happens the firewall keeps acting as a simple router even after a reboot; only restoring an earlier configuration may fix the problem.

I am running with 10 interfaces (on the hardware) and 8 VLAN interfaces on virtual,

I will try to dig the logfiles out of the crashed virtualized one tomorrow (9 March).

Regards
Maciej
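Posts #4 and #5 describe the worst failure mode a firewall has: the box stays up, the web interface answers, but pf has stopped filtering and everything is routed. Because nothing in the UI shows it, the practical countermeasure is an independent check. The script below is an added example, not part of the thread or of OPNsense: it reads `pfctl -s info` (whose first line reports `Status: Enabled ...` or `Status: Disabled ...`) and `pfctl -s rules` (the ruleset actually loaded into the kernel) and fails when pf is disabled, when the loaded ruleset is implausibly small, or when it no longer contains any block rule. The sample pfctl outputs, rule labels and interface name `lan0` are constructed for offline testing; the threshold `min_rules` is a hypothetical tunable.

```python
"""Added example (not from the thread): detect a firewall that is still up but
no longer filtering, by inspecting what pf reports as loaded.

Sample outputs below are constructed in the shape pfctl prints (abridged);
rule labels, interface names and thresholds are assumptions for this example.
"""
import re
import subprocess
from typing import Dict, List, Optional

HEALTHY_INFO = ("Status: Enabled for 0 days 02:11:07           Debug: Urgent\n"
                "\nState Table                          Total             Rate\n")
BROKEN_INFO = "Status: Disabled for 0 days 00:00:42           Debug: Urgent\n"
HEALTHY_RULES = """\
block drop in log all label "Default deny rule"
pass in quick on lan0 inet from 192.168.1.0/24 to any flags S/SA keep state
pass out quick on lan0 all flags S/SA keep state
"""
# What "a simple router" looks like from pf's point of view: pass rules only.
ROUTER_ONLY_RULES = """\
pass in quick on lan0 all flags S/SA keep state
pass out quick on lan0 all flags S/SA keep state
"""


def assess(info_text: str, rules_text: str, min_rules: int = 2) -> Dict[str, object]:
    """Return a verdict dict; 'ok' is False whenever pf could be passing everything."""
    m = re.search(r"^Status:\s+(Enabled|Disabled)", info_text, re.M)
    enabled = bool(m and m.group(1) == "Enabled")
    rules = [ln for ln in rules_text.splitlines() if ln.strip()]
    block_rules = [ln for ln in rules if ln.startswith("block")]
    problems: List[str] = []
    if not enabled:
        problems.append("pf is disabled (or status line missing): traffic is routed unfiltered")
    if len(rules) < min_rules:
        problems.append(f"only {len(rules)} rule(s) loaded (expected >= {min_rules})")
    if not block_rules:
        problems.append("no block rule in the loaded ruleset: nothing will ever be denied")
    return {"ok": not problems, "enabled": enabled, "rule_count": len(rules),
            "block_rule_count": len(block_rules), "problems": problems}


def pfctl(*args: str) -> Optional[str]:
    """Run pfctl; None when it is unavailable (non-pf host) or exits non-zero."""
    try:
        return subprocess.run(["pfctl", *args], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


def check_live() -> Optional[Dict[str, object]]:
    """Assess the running firewall; None when pfctl is not available."""
    info, rules = pfctl("-s", "info"), pfctl("-s", "rules")
    if info is None or rules is None:
        return None
    return assess(info, rules)


if __name__ == "__main__":
    # On a pf host this checks the live ruleset; elsewhere it shows the
    # constructed "router only" case so the failure output can be seen.
    result = check_live() or assess(HEALTHY_INFO, ROUTER_ONLY_RULES)
    print("OK" if result["ok"] else "FAIL: " + "; ".join(result["problems"]))
```

Run it from cron or a monitoring agent with root (pfctl needs it) and alert on any FAIL. It is a local self-check only: a loaded ruleset does not prove packets are matched against it, so pair it with an external probe that periodically tries a connection the policy must deny and alarms when it succeeds. That probe is the one check that would have caught the situation in the posts regardless of what the UI or the logs showed.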
#6
Hi

I'm trying to get OPNsense to work as an "internal" firewall between our test environments and production, so it ends up with no WAN interface.

My primary problem is that I can't fetch updates; I've tried with and without a proxy, but the result is the same: "Connection Error". Then I added a WAN port (still behind the corporate firewall), but the update still fails.
I can see (on the external firewall) that it is connecting successfully to mail.opnsense.org on port 80.

Regards
Maciej
#7
15.7 Legacy Series / Re: Weird IPsec passthru problem
December 27, 2015, 12:44:12 PM
Please forgive me... someone from my team had changed the firewall I was trying to connect to.
This happened the very same day I changed my m0n0wall to opnsense, so from my perspective it looked like the problem was at my end.

Regards
Maciej
#8
Hi

I've recently replaced a m0n0wall with opnsense and I can't get IPsec passthru working; the same configuration worked with the m0n0wall.

Problem:

A Cisco PIX behind opnsense connects to a Cisco ASA; the tunnel is up and networks behind the ASA are able to reach networks behind the PIX, but it is impossible for networks behind the PIX to reach networks behind the ASA.

Configurations on both PIX and ASA are not changed, IP addresses on opnsense are the same as they were on m0n0wall, and rules and NAT are copied from the m0n0wall. There is nothing in the logs, only the tunnel coming up.
The internal port of the PIX is connected to my switch (a Cisco CC3560x) which is used as router on the LAN; this switch has static routes to the networks behind the ASA pointing to the PIX. The external port of the PIX is connected to the LAN7 interface on the opnsense.
I've got rules for ISAKMP from EXT to the PIX on LAN7, NAT for the same, and also the other way.

btw. the hardware is an old Checkpoint UTM-1 with 10 1-Gigabit ports, I've named the ports in opnsense as they are named on the box (INT, EXT, DMZ, LAN1..LAN7).

Regards
Maciej