Messages - marijn

#1
17.7 Legacy Series / IPsec VPN Status Overview empty
November 30, 2017, 08:56:41 PM
Hi All,

I'm facing the following error:

The "VPN: IPsec: Status Overview" page is completely empty; I have 7 VPN tunnels with around 60 phase 2 entries. All VPN tunnels are working correctly.

Of course I already did some research trying to solve it, and I found this 'old' bug on GitHub:

https://github.com/opnsense/core/issues/634

This bug should have been solved in version 16.1.9; I'm running 17.7.8 (the latest version, on officially supported hardware). When I manually execute the following script I get this output:

root@opnsense:~ # /usr/local/opnsense/scripts/ipsec/list_status.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/ipsec/list_status.py", line 83, in <module>
    for sas in s.list_sas():
  File "/usr/local/opnsense/scripts/ipsec/vici/session.py", line 334, in streamed_request
    self._register_unregister(event_stream_type, False);
  File "/usr/local/opnsense/scripts/ipsec/vici/session.py", line 250, in _register_unregister
    confirm=Packet.EVENT_CONFIRM,
vici.exception.SessionException: Unexpected response type 112, expected '5' (EVENT_CONFIRM)
Restarting the "Strongswan" service doesn't solve the problem, and I can reproduce the problem on multiple devices, so it doesn't seem to be limited to one installation.

Is this still a bug in "Strongswan" or "just" a small GUI issue?

Thanks,

Marijn
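
The status page above is rendered from the same vici `list-sas` data that the failing `list_status.py` walks. The following added example (not OPNsense code and not from the forum post) shows what that data looks like and how to summarize it into one row per phase 2 entry, so the IKE/CHILD SA counts can be checked against the 7 tunnels and ~60 phase 2 entries mentioned. It assumes the py-vici library shipped with strongSwan, where `vici.Session().list_sas()` yields one dict per IKE SA with byte-string values and a nested `child-sas` dict; the message below is constructed in that shape so the file runs without a charon socket.

```python
"""Summarize strongSwan vici list-sas output (added example, not OPNsense code).

Assumes py-vici message shape: {ike_name: {..., "child-sas": {id: {...}}}},
with byte-string values. SAMPLE_LIST_SAS is constructed for offline use.
"""


def _s(value):
    """vici returns byte strings; decode for display, pass through otherwise."""
    return value.decode() if isinstance(value, bytes) else value


def summarize_sas(sa_messages):
    """Flatten list-sas messages into one row per CHILD_SA (phase 2 entry)."""
    rows = []
    for msg in sa_messages:
        for ike_name, ike in msg.items():
            for child in ike.get("child-sas", {}).values():
                rows.append({
                    "ike": _s(ike_name),
                    "ike_state": _s(ike.get("state", b"")),
                    "local": _s(ike.get("local-host", b"")),
                    "remote": _s(ike.get("remote-host", b"")),
                    "child": _s(child.get("name", b"")),
                    "child_state": _s(child.get("state", b"")),
                    "local_ts": [_s(t) for t in child.get("local-ts", [])],
                    "remote_ts": [_s(t) for t in child.get("remote-ts", [])],
                })
    return rows


def count_sas(sa_messages):
    """Return (IKE SA count, CHILD SA count) for a quick sanity check."""
    ike = sum(len(msg) for msg in sa_messages)
    children = sum(len(sa.get("child-sas", {}))
                   for msg in sa_messages for sa in msg.values())
    return ike, children


def load_sas_live():
    """Fetch from the running charon; only works on the firewall itself."""
    import vici  # py-vici, shipped with strongSwan
    from vici.exception import SessionException
    session = vici.Session()  # default socket /var/run/charon.vici
    try:
        return list(session.list_sas())
    except SessionException as exc:
        # The failure mode in the traceback above: surface it instead of
        # letting the caller render an empty table.
        raise RuntimeError("vici list-sas failed: %s" % exc) from exc


# Constructed sample: two IKE SAs, one with two phase 2 entries, one still
# connecting with none. Addresses are documentation ranges.
SAMPLE_LIST_SAS = [
    {"site-a": {
        "uniqueid": b"1", "version": b"2", "state": b"ESTABLISHED",
        "local-host": b"203.0.113.1", "remote-host": b"198.51.100.7",
        "child-sas": {
            "site-a-1": {"name": b"site-a", "state": b"INSTALLED",
                         "local-ts": [b"10.0.1.0/24"], "remote-ts": [b"10.0.2.0/24"]},
            "site-a-2": {"name": b"site-a", "state": b"INSTALLED",
                         "local-ts": [b"10.0.1.0/24"], "remote-ts": [b"10.0.3.0/24"]},
        }}},
    {"site-b": {
        "uniqueid": b"2", "version": b"2", "state": b"CONNECTING",
        "local-host": b"203.0.113.1", "remote-host": b"192.0.2.9",
        "child-sas": {}}},
]


if __name__ == "__main__":
    messages = SAMPLE_LIST_SAS  # replace with load_sas_live() on the firewall
    print("IKE SAs: %d, CHILD SAs: %d" % count_sas(messages))
    for r in summarize_sas(messages):
        print("%-8s %-12s %s -> %s  %s: %s -> %s" % (
            r["ike"], r["ike_state"], r["local"], r["remote"],
            r["child_state"], ",".join(r["local_ts"]), ",".join(r["remote_ts"])))
```

Run it as-is to see the constructed sample; on the firewall, swap in `load_sas_live()` so a vici session error is raised loudly rather than producing an empty page.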
#2
17.7 Legacy Series / Re: Multiple VLAN/Multiple WAN
September 29, 2017, 09:06:14 PM
Hi,

Yes, this is working fine for me; you can just create VIPs, and then it works without any problem.
#3
17.1 Legacy Series / Re: Scripting Aliases to OPNsense
August 02, 2017, 11:21:49 AM
I'd like to bump this forum post once more;

Because I really don't get it: is what I'm trying to achieve so strange, or are there better ways to do this?

Let's phrase the scope a little differently:

What is the best practice for building a lot of firewall rules using specific internal servers (web, app, etc. servers)? I cannot imagine that everyone is creating aliases by hand or only using IP addresses in the rules.

So maybe I just don't know what the best practice is. That could be the reason my question sounds a little bit strange to the OPNsense experts on this forum.

I'm open to all kinds of feedback, because I'm really interested in the OPNsense technology and how to use it in the most efficient way.
#4
OK, I will try to clarify myself a little bit better: ;)

What do I want to achieve:

I'd like to create aliases (host/network objects, as other major firewalling/network brands call them ::)) for all servers we have.

For example:

hostname, ipv4, ipv6
TST-WEB-001, 192.168.1.1, 2001:10::1

(Note: I know I cannot use the "-" character in alias names at the moment; I have already created a feature request for this)

Since we have hundreds and hundreds of servers I'd like to script this, for example by talking to our DNS servers (they know the IP addresses and hostnames, of course).

That way I can use the aliases to create access rules in the firewall (manually). Due to the thousands of access rules we require, it's quite important to use hostnames instead of IP addresses; that is the reason I'd like to create an alias for each IP address we have.

So what I like to know:

Is it possible to create aliases from the shell? That way I can build a script and feed OPNsense with information I already have.

The thing about the Google DNS: it was just an example; I don't want an alias for the Google DNS.

I hope this makes it a little bit more clear.

Thanks
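
The post above asks for a scripted way to turn a hostname/IPv4/IPv6 list into firewall aliases, with "-" in server names being the known blocker. The following added example (written for this page, not code from the forum thread or the OPNsense project) does that in Python: it sanitizes names (minus becomes underscore, anything else unsupported is rejected rather than silently mangled), validates both addresses, builds one host alias per server, and pushes them through the OPNsense REST API. The API parts are assumptions to verify against your release's API reference: the `/api/firewall/alias/addItem` and `/api/firewall/alias/reconfigure` endpoints and their JSON field names exist in later OPNsense releases, not in the 17.x series discussed here, and authentication is HTTP basic auth with an API key/secret pair. The CSV input is constructed sample data.

```python
"""Generate OPNsense host aliases from a hostname,ipv4,ipv6 list.

Added example; not OPNsense project code. Assumed (verify per release):
  * POST /api/firewall/alias/addItem with {"alias": {...}} and
    POST /api/firewall/alias/reconfigure to apply (later releases than 17.x)
  * basic auth with API key as user and API secret as password
  * alias names limited to [A-Za-z_][A-Za-z0-9_]*
"""
import base64
import csv
import io
import ipaddress
import json
import re
import urllib.request

ALIAS_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample in the hostname, ipv4, ipv6 shape from the post.
# Rows 3 and 4 are deliberately bad so the error handling is exercised.
SAMPLE_CSV = """hostname,ipv4,ipv6
TST-WEB-001,192.168.1.1,2001:10::1
TST-APP-002,192.168.1.2,2001:10::2
bad host,192.168.1.3,2001:10::3
TST-DB-003,not-an-ip,2001:10::4
"""


def alias_name(hostname):
    """Server name -> alias name. '-' becomes '_' (OPNsense rejects minus
    signs, accepts underscores); any other unsupported character is an error."""
    name = hostname.strip().replace("-", "_")
    if not ALIAS_NAME_RE.match(name):
        raise ValueError("cannot derive a valid alias name from %r" % hostname)
    return name


def parse_hosts(text):
    """Return (entries, errors): entries is [(alias_name, [ip, ...])],
    errors is [(hostname, reason)] for rows that must not be pushed."""
    entries, errors = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            name = alias_name(row["hostname"])
            addrs = [str(ipaddress.ip_address(row[k].strip()))
                     for k in ("ipv4", "ipv6") if row[k].strip()]
        except ValueError as exc:
            errors.append((row["hostname"], str(exc)))
            continue
        entries.append((name, addrs))
    return entries, errors


def alias_payload(name, addrs, description="generated"):
    """JSON body for the assumed addItem endpoint; content is newline-separated."""
    return {"alias": {"enabled": "1", "name": name, "type": "host",
                      "content": "\n".join(addrs), "description": description}}


def _post(base_url, path, auth, body):
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + auth})
    with urllib.request.urlopen(req) as resp:  # assumes a trusted TLS cert
        return json.load(resp)


def push_aliases(base_url, key, secret, entries):
    """Create each alias, then apply the configuration (assumed endpoints)."""
    auth = base64.b64encode(("%s:%s" % (key, secret)).encode()).decode()
    results = {}
    for name, addrs in entries:
        results[name] = _post(base_url, "/api/firewall/alias/addItem",
                              auth, alias_payload(name, addrs))
    _post(base_url, "/api/firewall/alias/reconfigure", auth, {})
    return results


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_CSV)
    for host, why in errors:
        print("skipped %r: %s" % (host, why))
    print(json.dumps([alias_payload(n, a) for n, a in entries], indent=2))
    # On a real firewall (assumed API; hypothetical host and credentials):
    # push_aliases("https://firewall.example.net", "KEY", "SECRET", entries)
```

Feed it the output of a DNS export instead of `SAMPLE_CSV`; rows that fail validation are reported and skipped so a single bad record cannot push a half-formed alias.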

#5
Thanks for the quick answer, but I'm not sure if this is what I'm looking for.

Example command I used:

ifconfig em0 alias 8.8.8.8

The line is accepted, but I cannot find the alias in the GUI. Besides that, I didn't have an option to give the object a name (or at least, I don't understand how).

I have the feeling this is an alias for the network interface or something like that.

This extra line now appears in ifconfig:

inet 8.8.8.8 netmask 0xff000000 broadcast 8.255.255.255

The aliases I'm talking about can be found in the GUI -> Firewall -> Aliases. So are we talking about the same aliases?

Thanks anyway.
#6
17.1 Legacy Series / Scripting Aliases to OPNsense
July 27, 2017, 10:19:32 AM
Hi All,

I have the feeling this question has already been asked 100 times, but I cannot find a fitting answer to my question.

We have a lot of aliases, and with our current firewall solution I use a script to generate them in the firewall, so I was looking for a way to create aliases from the command line; that way I can automate it (as data sources we use our DNS servers, for example).

I know you guys are working on an awesome API, but for now I'd like to make a temporary solution.

So what I basically like to know:

1. Is it possible to create/edit aliases using the shell (SSH)?
2. What is the syntax?
3. Are there major downsides to this idea?

If it's possible I will create a script (most likely PowerShell), and if people are interested I'm happy to share the script on this forum.

If this question has already been answered, please let me know.

Thanks a lot!
#7
Sorry for my delayed reaction, but it was and is "Carnaval" in some areas of my country, so I was not able to, let's say, give a "proper reaction" :P

But thanks for your reply, and thanks for creating the GitHub request, @Tragen!

#8
Hi All,

Maybe a question that can simply be answered with "no", but still I'd like to see if there is a possibility.

So basically I'm testing OPNsense and how it will behave in our enterprise environments. I'd like to make a lot of aliases (basically one for every server we have) to create the thousands of access rules we have for every server and/or server farm.

In most cases, an alias will include the server name as "name" and 2 IP addresses (1 IPv4 and 1 IPv6).

Now the "issue": all our server names use a minus in the name, for example "TST-WEB-101". I see OPNsense doesn't support minuses in alias names, but an underscore works fine.

Is there a technical limitation or is it just a weird question from my side?  :P

Thanks
#9
Hi Franco,

Thanks for your fast reply!

and yup, it's working ;)

Thanks!

Marijn
#10
Hi All,

I started to implement and test OPNsense 17.1, especially because of the brand new release, and, my compliments, it looks really nice!

The problem I'm facing:

I'm unable to set up an LDAP server; everything seems to go well, but if I press save I get the following error:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

A quick Google search showed me a topic on this forum (https://forum.opnsense.org/index.php?topic=3484.0), but I'm not sure if this is related.

edit: I tried "of course" multiple browsers :)

Can anyone point me in the right direction?

Thanks,

Marijn