Messages - ivoruetsche

#1
Quote from: Patrick M. Hausen on March 25, 2026, 10:00:45 PM
NAT is the only way to do this if it works at all with OPNsense

Sure, this is possible as I wrote, but no NAT through the remote side; the NAT should be on the LAN2 interface.

#2
Quote from: viragomann on March 25, 2026, 06:20:22 PM
I tried to give constructive infos and recommendations though.

Again: Natting on your site is no option to solve this.

Yes, that's true, thank you.

#3

It's a bit frustrating to get such replies which are not that constructive. I wouldn't post and invest a lot of trial-and-error time if the solution were as easy as changing the subnet.

There is a reason why I can't change the numbering, and sometimes it's just a fact.

Thanks a lot

Ivo

#4
:-) Hehe, would be nice if I can do that.

This is only the little tip of the whole network. Many routes, many tunnels at all the gateways, crossing the whole of Europe...

#5
Hi

I have the problem that we have two subnets with destination 192.168.2.0/24; one is directly connected to OPNsense (26.01), the other via IPSec:

LAN1: 10.16.5.254/24
LAN2: 192.168.2.3/24
IPSec destination: 192.168.2.0/24

The hosts in the LAN2 subnet should see the hosts from LAN1 with the GW IP 192.168.2.3, reachable from the 10.16.5.0 subnet with 192.168.22.0, and no communication back to 10.16.5.0, so only one-way.

The hosts on the remote subnet via IPSec must be reachable from LAN1, but not from LAN2 with 192.168.2.0 addresses; also from the remote 192.168.2.0 subnet, the 10.16.5.0 hosts must be reachable.

I tried 1:1 NAT, Outgoing NAT, Destination NAT and some combinations of them, filter rules with and without gateways, no luck. In most of the configurations, the traffic goes via IPSec, but not to LAN2, or was not NATed.

Any hints are welcome.

Thanks a lot
Ivo

#6
Hi

We are struggling with similar problems. All newly exported client configs don't work:

Options error: Unrecognized option or missing or extra parameter(s) in xxxx_xx01_fw01_openvpn01__Superadmins__xxx.ovpn:4: data-ciphers-fallback (2.4.7)
Use --help for more information.

I tried on our client:
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

And I also can't find an option for "data-ciphers-fallback" in (but I can't try it with the ovpn file at the moment)
OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar  8 2023

The old exported configurations work fine, and also after we remove the "data-ciphers-fallback" line in the exported client .ovpn file, or with the workaround from chrishh.

It's a bit strange, because it should work since 2.3: https://community.openvpn.net/openvpn/wiki/CipherNegotiation

Regards, Ivo
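A small checker for the situation in this post, added here as an example and not part of the thread or of OPNsense's exporter: it reads the client's `openvpn --version` banner, then scans an exported .ovpn for options the client release does not know. The version thresholds are an assumption from the OpenVPN 2.5 release notes (data-ciphers and data-ciphers-fallback arrived in 2.5; 2.4 used ncp-ciphers and cipher); the sample config is constructed.

```python
"""Flag .ovpn options that a given OpenVPN client release rejects as unrecognized."""
import re
from typing import List, Tuple

# Options introduced in 2.5.0, with the nearest pre-2.5 equivalent for a 2.4 client.
# Assumption: thresholds taken from the OpenVPN 2.5 release notes; verify against your manual.
_MIN_VERSION = {
    "data-ciphers": ((2, 5, 0), "ncp-ciphers"),
    "data-ciphers-fallback": ((2, 5, 0), "cipher"),
}

_VERSION_RE = re.compile(r"OpenVPN (\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the first line of `openvpn --version`."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenVPN version found in banner")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def check_config(ovpn_text: str, client_version: Tuple[int, int, int]) -> List[Tuple[int, str, str]]:
    """Return (line_no, option, suggested replacement line) for every option
    that this client version would reject with "Unrecognized option"."""
    findings = []
    for no, raw in enumerate(ovpn_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank lines and comments are never options
        opt, _, args = line.partition(" ")
        rule = _MIN_VERSION.get(opt)
        if rule and client_version < rule[0]:
            findings.append((no, opt, f"{rule[1]} {args}".strip()))
    return findings


# Constructed sample of an exported client profile (hostname is a placeholder).
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.invalid 1194 udp
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
"""
```

Running `check_config(SAMPLE_OVPN, parse_version(banner))` with the 2.4.7 banner from the post lists both data-ciphers lines with their 2.4 spellings; with the 2.6.1 banner it lists nothing.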
#7

Hi Franco

For sure we only use opnSense :-)

Without the patch in the main office, we had different versions in place, between 19.1.2 and 19.1.4, and we couldn't connect to any side.

Maybe this is interesting: we patched only the FW in the main office (19.1.4 + patch) and it runs fine with the unpatched 19.1.4 boxes and 19.1.2 to .3 from the branch offices.

Regards, Ivo

#8

Hello everyone

The hardware used would still be interesting to know, and has anyone checked the MTU?

We run an opnSense on an Intel server with a XEON in a datacenter with 10GB fiber and have no worse results than with our big Cisco ASA in the same datacenter on the same line.

Regards, Ivo

#9

Hi gs

Why do you trace to 10.10.12.3 and not to 10.10.12.2?
What about 10.10.12.1, where do you define it?

Regards, Ivo

#10

Hi Franco

It looks fine after applying the patch:

- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot

Many thanks and have a nice evening.

Regards, Ivo

#11

In the console:

opnsense-revert -r 19.1.2 opnsense

#12

Yes, same on our side; we went back to 19.1.2 and have to request a maintenance window to try the patch.

Ivo

#13

Thank you for sharing your code. We use it vice versa (our server pulls it from OPNsense), because the external FW boxes can't reach the backup server.

I think from the security perspective it was safer in the 18.1 version to have an SSH key and a dedicated user without any permissions, just to pull the configuration. Now we have to give the backup user admin and bash rights.

Regards, Ivo

#14

18.7 Legacy Series / Preshared Key no longer accepted?
August 29, 2018, 08:47:58 PM

Hi all

We just updated some OPNsense boxes from 18.1 -> 18.7 and got a problem with the nightly backup process.

The centralized server gets all configurations from all boxes with a preshared key and a special backup user, who has no password access to the OPNsense etc.

After the update to 18.7 it doesn't work anymore, but I found this in the logs:

Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.

I checked the "Effective Privileges" of this user in the web GUI and I can't find the item "User - System: Shell account access" anymore.

In the 18.1 configuration, because of security, this user is not a member of the admin group, "/sbin/nologin" is the login shell and only the "Effective Privilege" "User - System: Shell account access" was set. With the preshared key we get the configuration with scp. It works fine.

How can I set it up with the 18.7 release?

Regards, Ivo
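The first log line in this post is sshd's AllowGroups check rejecting the backup user before any key is even tried. As an added example (not OPNsense or OpenSSH code), the block below models that decision the way sshd_config(5) describes it, so you can test a user's groups against an AllowGroups line offline, and extracts the denial events from the log lines quoted above. The pattern semantics (comma-separated list, `*`/`?` wildcards, leading `!` negates and a negated match wins) are my reading of the man page and should be treated as an assumption.

```python
"""Model sshd's AllowGroups decision and extract its denials from auth logs."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# Sample input: the three lines quoted in the post, used here as constructed test data.
SAMPLE_LOG = """\
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.
"""


def allow_groups_permits(user_groups: List[str], allow_groups: str) -> bool:
    """Return True if sshd would let the user past AllowGroups.
    Assumption (from sshd_config(5) PATTERNS): each of the user's groups is
    matched against the comma-separated patterns; the first matching pattern
    decides that group, and a negated ('!') match denies the whole user."""
    found = False
    for group in user_groups:
        for pattern in allow_groups.split(","):
            negated = pattern.startswith("!")
            if fnmatchcase(group, pattern[1:] if negated else pattern):
                if negated:
                    return False  # negated match wins over any positive one
                found = True
                break  # first matching pattern decides this group
    return found


_SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
_DENIED = re.compile(
    r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because none of user's groups are listed in AllowGroups$"
)


def allow_groups_denials(log_text: str) -> List[Dict[str, str]]:
    """Return one {ts, host, user, src} record per AllowGroups denial in the log."""
    out = []
    for line in log_text.splitlines():
        m = _SYSLOG.match(line)
        if not m:
            continue  # not an sshd line (e.g. the opnsense: line above)
        d = _DENIED.match(m.group("msg"))
        if d:
            out.append({"ts": m.group("ts"), "host": m.group("host"), **d.groupdict()})
    return out
```

A user whose only group is their private group, as with the nologin backup account described in the post, never matches an AllowGroups list of administrative groups, which is exactly what the first log line reports.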
#15

Hardware and Performance / LTE on APU2?
March 07, 2018, 09:54:05 PM
Hi all

Is anyone out there with experience of an LTE modem on the APU2 (or APU3) board?

I can find a list of compatible modems here:
http://pcengines.ch/howto.htm#3G

Is there an OPNsense-supported modem as well?

Are there any restrictions? How is the modem configured (PIN, APN etc.)?

Regards, Ivo