Messages - nrf

#1
somewhere around 16.7 I lost the ability to use my at&t network client which uses ipsec. do I need to declare that only one IP can do ipsec passthru and forward port(s) there? seems even many cheap routers have checkboxes for enabling ipsec passthru, l2tp passthru, etc....
any advice welcome. thanks in advance!
nrf
#2
17.1 Legacy Series / Re: ipsec vpn passthru?
August 17, 2017, 05:12:28 AM
just a thought, if I set up an openvpn service, does that keep ipsec clients from passing thru by interfering with authentication port?
#3
17.1 Legacy Series / Re: ipsec vpn passthru?
August 16, 2017, 08:29:10 PM
thanks for getting back to me. I posted here originally as this is the point at which it stopped working and I had to make alternate arrangements for my work pc. in the past I would have tried some other package but opnsense is otherwise very satisfying to me. whatever was done has 'stuck' as I keep trying from time to time as I upgrade to the newer versions, hoping it would have gotten corrected.

when I attempt to set up the work client it tells me it timed out and I must have a firewall that is dropping udp packets.

(specifically I use the AT&T Global Network Client for vpn and the configuration is for "Managed VPN - IPSec")
#4
As a reference manual, the online document doesn't really satisfy my appetite for understanding and mastering the firewall and its NAT settings. there are even no main sections on this, nor how-to topics. I am trying to understand how it is blocking my work vpn client from getting thru even though port 500 appears to be open, but I am really asking this question in a more general vein. It seems a great manual would have full reference for every point on the menu tree as all the little 'info' buttons don't qualify as reference material in my mind.

Maybe we are just supposed to know this stuff or refer to documents for the underlying open source components, in which case what would that be for the firewall/nat part?
#5
17.1 Legacy Series / Re: ipsec vpn passthru?
August 16, 2017, 05:29:01 AM
bump? no help for this?
I'd like my work computer to have the benefit of this firewall....
#6
17.1 Legacy Series / ipsec vpn passthru?
February 28, 2017, 02:57:29 AM
I am happy to now be able to use suricata on my n40L with this release. but in exchange for that benefit, now I cannot use my ipsec vpn client which was working fine on previous release - a daily driver for me. I thought there might be some plugin needed but didn't find any related to passthru. puttering around in the forums I found some comments about nat rules for port 500, and I do have one that seems to come from setting up my openvpn server.

did I miss something in the release notes that I need to enable for ipsec passthru?

thanks in advance for your help.

and as I tweeted, the major upgrade went so well!!!! impressive!!!!
#7
I just got the 16.7.6 update and still can't keep Intrusion Detection alive. And it seems to have spread to RADVD so now I don't get my ipv6 announcements and thus lost ipv6 to the web.

trying to keep it factual :(
#8
anyone following this? seems I bumped up to 16.7 too soon, should have let others soak it :)
#9
16.7 Legacy Series / diagnosing slowness issues...
July 30, 2016, 03:43:21 AM
so I've had a couple cases of this since stepping up, rebooting didn't help, after the reboot I had to drop and restore the wan interface before it was 'ok'. Unfortunately, I'm not seeing anything on the dashboard turning red to tell me I can't get to the dns servers or there is high latency. And I'm not seeing any troubleshooting guide in the doc.

Ideally I'd like to be able to see response time for dns requests on a per server basis, with something turning red when that stops being timely, I am sure there are other things that could be read out given the router is in a position to observe everything...barring that, troubleshooting tips beyond 'reboot the modem reboot the router hope and pray'?
#10
16.7 Legacy Series / Re: [SOLVED] Country Blocks
July 14, 2016, 01:28:13 AM
so a guy has to ask, given that either intrusion prevention or firewall rules can do this, are there any pros/cons to one or the other? importantly, performance differences?

thanks for your participation in this forum!
#11
16.7 Legacy Series / Re: [SOLVED] Country Blocks
July 12, 2016, 12:41:47 PM
thanks for your kind consideration. given it is kind of a one-time thing I will be patient for such an improvement!
#12
16.7 Legacy Series / Re: [SOLVED] Country Blocks
July 12, 2016, 03:41:18 AM
nice, but could be more efficient to be able to specify both ipv4 and ipv6 or at least clone/copy one to a new one so that can be tweaked.

just a suggestion from someone who now is making two very long lists and hoping they are the same.
nrf