Messages - Hektor

#1
General Discussion / CARP and MAC Address Spoofing?
February 09, 2020, 11:15:50 PM
Hello,

I have 2 servers and 2 public IPs (1 IP for each server). I want to configure HA via CARP and pfsync.

LAN CARP interface is up and running via Virtual IP.

As far as my understanding goes:
I need a 3rd public IP for the WAN CARP interface, don't I?

Maybe it's possible to use 2 different IPs from another network on the 2 existing WAN interfaces and use 1 of the public IPs on the CARP interface? Problem is that the provider is using MAC address filtering so I would need to spoof the MAC address on the WAN CARP interface.

Any suggestions how to accomplish that?
#2
Hello,

So far everything is working fine BUT:
Only 1 firewall is used as a gateway for both machines and the other one acts like a passive backup.

To improve on this I'm thinking about using OPNsense with CARP for HA and automatic failover, without changes on all servers and VMs. OPNsense is running as Hyper-V guests on each host already but without CARP.

Here is a network diagram (thanks a lot to https://textik.com ):
                                                 +----------+                                             
                                                 | INTERNET |                                             
                                                 +----------+                                             
                                                       |                                                   
                                                 +-----|----+                                             
                                +----------------- Gateway  -----------------+                             
                                |                +----------+                |                             
                                |                                            |                             
                       +-----------------+                          +-----------------+                   
                       | NIC1: Public IP |                          | NIC1: Public IP |                   
                       +-----------------+                          +-----------------+                   
                 +-----------------------------+              +----------------------------+               
Hyper-V Host1   |                             |              |                            |  Hyper-V Host2
                 |  +---------+                |              |  +---------+               |               
                 |  | VM: FW1 |                |              |  | VM: FW2 |               |               
                 |  +---------+                |              |  +---------+               |               
                 |       |                     |              |       |                    |               
                 |  +----|----+                |              |  +----|----+               |               
                 |  | VM: DB  |                |              |  | VM: TS  |               |               
                 |  +---------+                |              |  +---------+               |               
                 |             |               |              |         |                  |               
                 |             |               |              |         |                  |               
                 +-------------|---------------+              +---------|------------------+               
                                +-----------+                    +-----------+                             
                                | NIC2: LAN +--------------------- NIC2: LAN |                             
                                +-----------+                    +-----------+


The main idea is to have all VMs and also the host behind a firewall. Access will be possible only via VPN -> WireGuard is up and running already. That is working already but only with 1 firewall which is not ideal.

My questions are now:

  • How to change the network to implement CARP (if that's possible)?
  • Do I need a 3rd public IP for the new "virtual WAN gateway" or can I use one or both of the 2 available already?
  • Does it make sense to somehow use both public IPs for the 2 firewalls?
  • I think the 2 virtual IPs for WAN + LAN can be configured on top of the 2 existing NICs, can't they?
  • Is XMLRPC needed to sync the configuration?
  • Seems that WireGuard doesn't work with CARP? Any recommendation/solution?
    Reference: https://forum.opnsense.org/index.php?topic=14269.0

The provider is using MAC address filtering to allow access to the gateway but I managed that successfully with MAC address spoofing already.
#3
OPNsense 19.7.10 + 20.1 - just updated.

WireGuard crashes and doesn't start anymore when you add a peer without a public key.

Steps to reproduce:
- Set up WireGuard
- Create a WireGuard peer -> leave the Public Key empty
- Add the peer to the configured WireGuard instance
- Save -> WireGuard seems to crash and will not start anymore until you remove the "empty" peer

Probably it's a WireGuard issue but since I didn't find any logs I'm not sure.

Solution:
- Check if it's a WireGuard issue
- Allow adding valid peers only
- If available: check the WireGuard configuration before applying it and cancel if there's an error
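The "allow adding valid peers only" step, as an added example that is not part of the post and not OPNsense's or WireGuard's own code: a POSIX sh check that rejects an empty or malformed PublicKey before it is written into the interface configuration. The keys used below are constructed; the AllowedIPs values are placeholders.

```sh
#!/bin/sh
# Added example (not from the post or from OPNsense/WireGuard): reject a peer
# whose PublicKey is empty or malformed *before* it is written into the
# interface configuration, so a bad form submission cannot stop the instance.
# A WireGuard public key is 32 bytes, base64-encoded: exactly 44 characters,
# base64 alphabet only, ending in a single '='. Keys below are constructed.

wg_key_valid() {
  key=$1
  [ "${#key}" -eq 44 ] || return 1            # empty or wrong length
  case $key in
    *[!A-Za-z0-9+/=]*) return 1 ;;            # outside the base64 alphabet
    *=)                ;;                     # 32 bytes always pad to one '='
    *)                 return 1 ;;
  esac
  # Decode and make sure exactly 32 bytes come out (a '==' key would give 31)
  decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${decoded:-0}" -eq 32 ]
}

# Emit one [Peer] section, or refuse with a reason so the caller can abort
# the whole apply instead of handing WireGuard a broken config.
wg_render_peer() {
  pubkey=$1
  allowed=$2
  if ! wg_key_valid "$pubkey"; then
    echo "refusing peer with AllowedIPs=$allowed: empty or invalid PublicKey" >&2
    return 1
  fi
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$allowed"
}

# Demo: one well-formed constructed key, one empty key as in the bug report
GOOD_KEY='AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8='
wg_render_peer "$GOOD_KEY" "10.10.0.2/32"
wg_render_peer "" "10.10.0.3/32" || echo "empty peer rejected, config left untouched"
```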
#4
Short update:
I ended up reinstalling the complete firewall...

I didn't find a way to renew or exchange the OpenVPN server certificate only without updating all clients which is really bad. I hope that was my mistake and it can be fixed with some nice and simple "Update OpenSSL Server Certificate for the next X Years" button in the GUI.

So I also thought "ok, let's do an upgrade, too, since there have been a couple of new releases I skipped" and what should I say?

The update to 16.1.12 failed miserably and I had to drive into the company. Apparently there was some bug with FreeBSD running on Hyper-V so the box didn't boot properly anymore. I think it was related to that somehow:
https://forum.pfsense.org/index.php?topic=109952.0

Nevertheless I managed to boot the machine and back up the config so I didn't have to set up everything by hand again, and installed 17.1b which seems to work great so far.

But apart from that really bad situation OPNsense is still a really nice project which worked without any problems - it just needs to be set up and then it will run and do its work ;-)
#5
Hello and Happy New Year!

I'm running the following OPNsense version at the moment with an OpenVPN server for road warriors:
OPNsense 16.1.20-amd64
FreeBSD 10.2-RELEASE-p19
OpenSSL 1.0.2h 3 May 2016

The OpenVPN Server Mode is set to "Remote Access (SSL/TLS + User Auth)" and everything was running just fine without any issues. I think I'm required to create a new certificate based on the old one and create some certificate chain? I also think I need to increase the OpenVPN server setting "Certificate Depth" from "One" to "Do Not check" just to be sure.

Unfortunately the OpenVPN server certificate expired recently and I'm unable to renew it or create a new certificate based on the original one.

If anyhow possible I don't want to update each and every client but only the server side.

How can I fix that? Some openssl magic is needed, I think.

Btw. I located the OpenVPN configuration here:
/var/etc/openvpn/server1.[ca|cert|key] and so on

I found that link but it's pretty verbose and a really complicated topic:
http://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

Please let me know if you need more details.
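Added example, not part of the post and not OPNsense's own tooling: reissuing the OpenVPN server certificate from the CA that signed the original one, done with plain openssl. Clients check the server against the CA certificate rather than the server certificate itself, so a new server certificate from the same CA is accepted without touching any client (provided the CA itself is still valid). The CA, key and file names below are constructed stand-ins for server1.ca/server1.key/server1.cert; the CN is a placeholder and should stay whatever the clients already expect.

```sh
#!/bin/sh
# Added example (not from the post or OPNsense): reissue an expired OpenVPN
# *server* certificate from the CA that signed the original one. Road-warrior
# clients verify the server against the CA certificate, not the server
# certificate itself, so a new server certificate from the same CA is accepted
# without redistributing anything to clients (as long as the CA is still valid).
# Assumptions: the CA key and certificate are at hand; paths are placeholders
# and the demo CA below is constructed so the script runs offline.
set -e
WORK=${WORK:-$(mktemp -d)}

make_demo_ca() {
  # Constructed stand-in for the CA that issued the original server1.cert
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

reissue_server_cert() {
  # $1 CA cert, $2 CA key, $3 existing server key (kept), $4 new cert, $5 CN
  # Keeping the key and CN means only the validity period changes for clients.
  cat >"$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
  openssl req -new -key "$3" -subj "/CN=$5" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 1095 -sha256 -extfile "$WORK/server.ext" -out "$4" 2>/dev/null
}

verify_against_ca() {
  # Returns 0 when the new certificate chains to the CA the clients already trust
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: constructed CA and server key standing in for server1.ca/server1.key
make_demo_ca
openssl genrsa -out "$WORK/server1.key" 2048 2>/dev/null
reissue_server_cert "$WORK/ca.crt" "$WORK/ca.key" "$WORK/server1.key" \
  "$WORK/server1.cert" "openvpn-server"
verify_against_ca "$WORK/ca.crt" "$WORK/server1.cert" && \
  echo "new server1.cert chains to the existing CA: $WORK/server1.cert"
```

The renewed certificate is only useful if the CA is still within its own validity; an expired CA is the separate (and client-touching) case the serverfault thread above deals with.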
#6
Hello,

I think it would be a nice addition on the website (perhaps under Download?) to get a ChangeLog so one can check if an update makes sense and what has changed etc.

I know it's accessible via the Blog but that is kinda hidden and not very obvious.

A good example for a ChangeLog can be found here:
https://www.jtl-software.de/JTL-Wawi-Changelog

My problem with OPNsense is that it works too well so I don't need to keep up2date all the time :-)

ChangeLogs provide a very good overview to decide if an update makes sense or not.

Cheers and thx for the really nice firewall which just works!
#7
Well ... it seems that I didn't see the message about the /dev/ada device. To be honest it was an "ok, let's do the update and reboot, the 'installer' would tell me and ask for confirmation for such breaking changes" upgrade. And in the end it's still a test and playground machine for some days so I don't need to take much care of it yet :-)

Thanks for the link regarding the Hyper-V issue. Seems that I can't download the test kernel provided by "fichtner" to test it. Local network on the OPNsense box seems to be dead, too.

Will give it a try tomorrow if time permits and if I can get the kernel to the machine somehow. How can I get the test-kernel onto the machine without network access? ;-) Didn't try ssh yet so...
#8
16.1 Legacy Series / Re: OPNsense on Hyper-V
February 01, 2016, 11:16:40 PM
Just a short info:

I updated to 16.1 via opnsense-update. Besides that it didn't boot anymore because I had set up the VM with /dev/ada and changed it to /dev/da... (thanks to weust for confirming my change) -> network is dead here, too. See here for details:
https://forum.opnsense.org/index.php?topic=2114.0

I'm running Hyper-V Server 2012 R2 (free edition) on a HP ProLiant ML370 G5. I didn't install integration services manually.

So it seems to be a general issue when using Hyper-V Server 2012 R2.
#9
Hi,

thanks for your fast reply.

I already tried the ? command and it showed me some devices. I just tried the /dev/da0s1a and it booted!

Very good to get some confirmation from you so I did a vi /etc/fstab and removed the "evil a" and a reboot just worked :-)

Bad news is:
Seems that you were right with the network issues - where on IRC are you?
#10
16.1 Legacy Series / opnsense-update killed my machine?
February 01, 2016, 05:45:31 PM
Hello,

I'm using OPNsense as a Hyper-V Server 2012 R2 VM for some weeks now but it's running on a test machine so far - fortunately!

I was running the following version:
OPNsense 15.7.25-amd64
FreeBSD 10.1-RELEASE-p27
OpenSSL 1.0.2e 3 Dec 2015

I just ran opnsense-update in the hope of getting the 16.1 version at the console and did a reboot as suggested after the update.

Now it doesn't mount the root partition anymore and says:
Mounting from ufs:/dev/ada0s1a failed with error 19

... some more general lines ...

mountroot>

So what can I do now and why did this happen while running the opnsense-update command?

There is nothing fancy installed and no advanced configuration. No Captive Portal, no IDS etc. Only simple NAT and OpenVPN tests with the wizard.

If everything fails:
Can I simply extract the /conf/config.xml and import it into a freshly installed OPNsense 16.1 VM?
#11
Hi franco,

thx for your reply but I think I need that setting :-)

To be honest I didn't understand your reply but I tried to get NAT for the LAN to WAN working and it didn't work at all until I activated the upstream gateway on the WAN interface. What does this setting do?

My set up is like this:
LAN -> OPNsense -> WAN with Upstream Gateway to the router with a fixed external IP address

WAN is a SDSL line with a router and a small /29 network assigned. So a very basic network.

I never had to add such a gateway in any setup I have done in years. Be it on OpenBSD, Linux or Windows or some Astaro/Sophos/SonicWALL etc. So either something fundamentally changed or it was done in the background for me ;-)

The default gateway is set already and it's the same IP as the upstream gateway, so I don't get why this setting is needed?

I also noticed that the pf rules grew from 66 rules to 68 rules and with the upstream link set it shows the "Default LAN to any rule" applied.

Is there some official documentation for this setting?
#12
Hello,

I tried to set up OPNsense to do NAT for the LAN to WAN so nothing fancy. But I failed so far.

I have the following set up:
- SDSL line with a static IP address
- OPNsense running on Hyper-V Server 2012 R2
- System -> Gateways -> All -> WANGW which points to the router of the SDSL line and is the "Default Gateway"
- The "Default allow LAN to any rule" exists, too
- OPNsense is up2date and was restarted - but it never worked so far

Reaching the internet from the OPNsense box is working. Clients from the LAN cannot reach the internet though.

To my understanding the Firewall -> NAT -> Outbound -> Mode set to "Hybrid Outbound NAT rule generation" should generate some automatic rules for the Outbound NAT.

I compared to my pfSense set up which was working but I cannot find any differences.

Looking at pfctl -sr doesn't show any nat-to rules ... at least I didn't see them? And AFAIK the firewall and pf configuration is not done via a pf.conf file but with /conf/config.xml, isn't it?

I've also found the pfInfo, pfTop and pfTables Diagnostics menus but I cannot see any nat or nat-to rules there either.

Any idea and hints how I can find the error? Which logs or tools like pfctl (-s), tcpdump etc. can help?

Regards
#13
Hello,

when I create a firewall rule the Destination field must be typed manually. I would expect to select it from the defined Aliases? At least that would be very helpful :-)

Is this a forgotten field/bug or does it have some other good reason?

Regards
#14
Hi,

I'm not an expert here but it seems that the firewall rules and all the configuration stuff are stored in /conf/config.xml

I couldn't find a pf.conf either.

Well ... makes sense for easier exporting and importing the configuration for backups etc. :-)

Regards
#15
Hello,

I did set up OPNsense as a Hyper-V virtual machine which should act as a firewall replacement for our FRITZ!Box router and some pfSense I set up for testing. WAN is also changing from ADSL to a fixed IP on an SDSL line. So I can set it up without taking everything offline - just switching the gateway on all clients when I'm done.

The box should primarily do some NAT and firewalling.

Configuration was ok so far but I'm not sure what this Interfaces -> Upstream Gateway setting means and what it is used for?

I can reach the internet from this machine's console so the default gateway is set to the SDSL router already. I can do OPNsense updates as well.

Regards