Messages

1

22.1 Legacy Series / Re: Alias based firewall rules doesn't work after upgrade to 22.1.8

« on: May 26, 2022, 12:19:55 pm »

...This, added to the lack of proper release notifications

• https://docs.opnsense.org/releases/CE_22.1.html#may-25-2022
• https://forum.opnsense.org/index.php?topic=28492.0
• https://twitter.com/opnsense/status/1529391333852471297

Yes, I know detailed release notes are published with every release; I routinely read them, but often after the instances were updated (by cron). My point was about release notifications, i.e. being notified when a new version is released, via GitHub, a mailing list, or anything. I suppose Twitter is fine for many people, but I don't use it.

...We deployed it to power schools and care centers; we've...

Which is a vey good reason why you should at least test our development versions before their being merged, their available at every release included in the exact same version as you're installing now.... The alias additions have been in there for a couple of cycles now.  (https://docs.opnsense.org/manual/firmware.html#settings)

Yes, this is something I'm considering, and/or maintaining a private update mirror and only pushing upgrades after they've been tested.

I'm sure someone will soon answer me that we've got no right to complain since this is a free product...

Sure you do, it just doesn't bring much to the table when not thinking about how to help out from your end as well.

Of course not... Sorry for the rant.

...started with an underscore that I'd never seen before

It's a new feature collecting the networks attached to an interface so we can reuse these later in the "xxx_network" rules. This increases visibility and also offers the possibility to "nest" and combine these into derivatives.

A full list of added features is in this merged pull request https://github.com/opnsense/core/pull/5668.

Are those internal aliases excluded from the JSON import/export feature ? We use it internally (via the API) to propagate alias changes to sets of nodes, and we don't want to overwrite those internal aliases on remote nodes 

2

21.7 Legacy Series / Re: VRF support

« on: August 01, 2021, 04:40:24 pm »

FreeBSD can support multiple route tables but does not compile it by default. Such options are rarely production ready or have little support so we never supported it and likely will so in the future.

In fact, since FreeBSD 12, the GENERIC kernel ships with support for 2 routing tables. There is no need to build a custom kernel anymore, unless one needs to use more than 2 FIBs.

We use this feature extensively on our routers, as it allows to split administration and clustering interfaces (those running SSH, pfSync, config sync, HAProxy sync, etc.) from interfaces dedicated to production workloads. Administration interfaces are implicitly assigned to default FIB 0, while other ones are explicitly assigned to FIB 1.

This setup is fairly easy to configure. Just add:

Code: [Select]

net.fibs="2"
to /boot/loader.conf.local to make the kernel initialize 2 routing tables at boot time.  Then add:

Code: [Select]

net.add_addr_allfibs="0"
to /etc/sysctl.conf to prevent the kernel from binding all interface addresses to all FIBs (which it does by default, but this might change in a future release).

After a reboot, the kernel should be able to handle 2 distinct VRFs. I did not test these changes on OPNsense, but AFAIK they should not introduce any feature regression as both the kernel and userland are expected to use FIB 0 by default, just like in a standard setup.

From then, one may assign an interface to another FIB with the fib keyword. For instance, to bind interface vtnet2 to FIB 1:

Code: [Select]

ifconfig vtnet2 fib 1
Unless the fib keyword is specified, the interface will remain on FIB 0.

Routing works the same way. Most route actions support a -fib option to specify the target routing table. For instance:

Code: [Select]

route add default 192.168.1.254 -fib 1
Would add a default route on the second routing table (FIB 1).

The use of several routing tables does not seem to affect pf operations that much. By default, pf will process packets regardless of their FIB, and won't allow them to cross FIB boundaries. The rtable keyword may allow cross-FIB routing, but I never tested it. While the OpenBSD pf supports filtering packets by VRF (via the rdomain keyword), this is not possible on FreeBSD. I also noted that using several FIBs seems to break pf URPF checks.

The use of several routing tables allows us to maintain cleaner/safer rule sets on our BSD firewalls. It is also the only way to avoid asymmetrical routing in scenarios where the administration interface of the firewall must communicate with production networks via an external path. Adding support for multi FIBs would make OPNsense usable in such contexts.

3

20.1 Legacy Series / Support for EAP Radius Authentication

« on: March 29, 2020, 10:02:55 am »

Hi,

We're trying to make a few OPNsense 20.1 boxes authenticate users against a FreeRADIUS instance with EAP. The FreeRADIUS instance is also an OPNsense 20.1 box. While server-side EAP is enabled, it seems none of our boxes are actually using it. Below is the debug output from FreeRADIUS after one of the box tried to authenticate. Authentication succeeded while EAP-TTLS was enabled server-side with an invalid self-signed certificate. Debug messages show that EAP was not used (search for line (0) eap: No EAP-Message, not doing EAP)

Code: [Select]

Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
(0) Received Access-Request Id 31 from 192.168.1.241:23849 to 192.168.1.249:1812 length 84
(0)   User-Name = "someuser"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "5e8049ad39eb5"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "SomePassword"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "someuser", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=someuser)
(0) ldap: Performing search in "cn=users,cn=accounts,dc=local,dc=domain,dc=tld" with filter "(uid=someuser)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tls"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ipa-00.core.local.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     if ((ok || updated) && User-Password) {
(0)     if ((ok || updated) && User-Password)  -> TRUE
(0)     if ((ok || updated) && User-Password)  {
(0)       update control {
(0)         Auth-Type := LDAP
(0)       } # update control = noop
(0)     } # if ((ok || updated) && User-Password)  = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "someuser"
(0) ldap: Using user DN from request "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tld"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tld" was successful
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ipa-00.core.local.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [someuser] (from client dnsr-00.local.domain.tld port 0)
(0) Sent Access-Accept Id 31 from 192.168.1.249:1812 to 192.168.1.241:23849 length 0
(0) Finished request

Could someone confirm that I'm not missing something ? If not, I think it would be valuable:

• To write explicitly in the documentation that EAP will not be used for Radius authentication even when available on the remote server
• To plan to add EAP support to OPNsense authentication
• To add an option to the FreeRADIUS plugin to disable non-EAP (fallback) mechanisms when EAP is enabled

Many thanks,

Marin

4

19.1 Legacy Series / Re: Aliasing completely broken for me recently

« on: April 21, 2019, 12:15:31 pm »

Hi,

Aliasing is totally broken here too on 19.1.6, even with both patches applied. Older aliases are still present in as pf tables while newer ones are blank. Am I the only one ?

5

19.1 Legacy Series / Re: OpenVPN DNS DHCP options not pushed to clients

« on: April 13, 2019, 08:54:31 am »

Hi,

Am I the only one to experiment this issue ? Should I fill a bug report on GitHub ?

Thanks,

Marin.

6

19.1 Legacy Series / OpenVPN DNS DHCP options not pushed to clients

« on: April 09, 2019, 12:38:30 pm »

Hi,

We use OPNsense 19.1.5 on 3 different sites as OpenVPN servers for roaming clients. OpenVPN is configured to send its own IP address (first address from the OpenVPN range) as a DNS server to the clients.

This setup works correctly on one of our sites, but not on the 2 others, where the OpenVPN omits to include a DHCP DNS options in the PUSH_REPLY command:

Code: [Select]

Tue Apr 09 12:35:51 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.6.0.0 255.255.0.0,route 10.6.9.1,topology net30,ping 5,ping-restart 20,ifconfig 10.6.9.6 10.6.9.5,peer-id 0,cipher AES-256-GCM'
I have already tried removing then re-adding DNS options, but still no change. The server config is identical to the one running on the first site, except regarding subnets, of course, and I don't know what to do more.

Any idea ?

Many thanks!

Marin.

7

18.1 Legacy Series / Import config file from CLI

« on: February 08, 2018, 11:03:52 am »

Hi,

We're planning to deploy several tens OpnSense instances in our enterprise network. These instances will share common alias and rule sets.

I do not know of any reliable central management solution capable of automating the update of these sets on such a scale. AFAIK, there is no web service or API either dedicated to these tasks. This is why we need to find our own way to push the updates to our boxes.

I plan to develop a tool which would generate dynamic OpnSense XML config files from a set of parameters. The files would be valid XML config files, either full or partial (e.g. aliases only).

My issue is how to perform the actual update on the target firewalls: let's assume I have a valid config.xml file which contains the desired config state. Does there exist a CLI tool able to perform the update? Such a tool would allow us to ease config updates with an Ansible-like engine.

If such a tool exists, does it also support partial config files, just like the Web UI?

Thanks,

Marin.

8

16.1 Legacy Series / Re: Hyper-V interface names change on reboot

« on: March 07, 2016, 04:08:46 pm »

Hi,

We're experiencing the same issue with a fresh install from the latest ISO, updated to 16.1.5 a few minutes ago. In fact, troubles only happen with Hyper-V hosts with several network interfaces, as interface names are randomized at each startup. This means a single interface may be named hn0 on first boot, then hn3 or hn2 on the next one, and so on... As a consequence, OPNsense applies the network configuration to the wrong interface.

I don't know why this happens, but it's still present in the latest version of OPNsense and makes it totally unusable with any Hyper-V VM with more than one NIC.