Messages - alfemann

#1
Hi - a general question that is puzzling me.
I have a (primary lan) setup on igb2 with 10.10.11.0/24 and Opnsense interface is 10.10.11.1
In addition - I have another network (guests) on igb3 - with ip 192.168.5.1/24 - opnsense is 192.168.5.1

Reflection is turned on btw, if that matters.

I want to prevent all/any client on the 10.10.11 network from pinging 192.168.5.1
I have tried all combinations I can think of, but regardless of the rules I make in the firewall, the ping goes through....
Is there something mystical or special about the local IP that I haven't thought about ?
#2
Yeah - rebooting does nothing..
#3
Yes I know. I only ever had one enabled at a time.
#4
I have tried both SNMP and USB - both turn up when I access them through the command-line, but not in diagnostics. Here are settings when I use in USB-mode.
#5
Not sure what you asked.... Do you mean in Opnsense config ?- Name is just "apc" nothing more.
#6
20.7 Legacy Series / NUT diagnostics screen is blank
January 08, 2021, 03:44:50 PM
I have installed the NUT add-on, and configured an older APC Smart-PS 1000 RM to work with it in Standalone mode.
Whether I use SNMP or USB - the UPS is listed if I do upsc -l
Also - the parameters are read and displayed (correctly) if I do upsc <upsname>.
So far - as expected, as should be, and all seems ok, BUT - in Services->NUT->Diagnostics - the screen is just ... blank. And curl http://localhost/ui/nut/diagnostics gives nothing.

I saw nothing fishy in any logfile either ....

Is there some standard basic error I may have done ?

#7
20.7 Legacy Series / Re: Hanging in first boot from USB
December 28, 2020, 10:07:50 AM
No, it is UEFI.
Have now tested with legacy and non-legacy and all the settings I can think of....
#8
20.7 Legacy Series / Hanging in first boot from USB
December 23, 2020, 10:41:26 AM
As my old Opnsense installation resides on a computer that is getting a bit old and tired, I purchased a new desktop PC and downloaded 20.7 to install. The problem is that the boot sequence stops right after some information about the video-card. The machine is then completely frozen, and has to be power-cycled.

Image is OPNsense-20.7-OpenSSL-vga-amd64.img.bz2
Installed to a 16G USB stick
Hardware: HP ProDesk 600 G5 SFF
- Core i5 9500 / 3 GHz
- RAM 8 GB
- SSD 256 GB
- NVMe
- DVD-Writer
- UHD Graphics 630
- GigE

Attached is an image of where in the boot process it freezes.
Does anybody know what on earth this could be caused by ?
#9
General Discussion / Ping from firewall over IPSEC
January 10, 2019, 12:17:13 PM
I have a functioning IPSEC-tunnel up running on an OPNsense 17.7.4, and traffic between machines on either side is running perfectly.

I want to use an LDAP-server on the remote side of the IPSEC tunnel for authentication (for incoming openvpn roadwarrior clients). When I try to set this up as a server in OPNsense menu, there is no response from LDAP server. I then tried to ping the server from the OPNsense - no reply.
Doing ping or LDAP from any client on the LAN side of the OPNsense - works fine.

What on earth could I be missing ??
#10
I have seen variations of this question, but I really cannot see that they have been answered to a degree that I can understand how to set it up.

I have a /27 of public addresses say 199.199.199.34 .. .62
On the inside I use 10.10.10.0/24.

I have some servers running on the inside, and need to expose various ports on public IPs.
First off ; am I better off using Port forwarding, or one-to-one NAT and fw-rules ?
It seemed the port forwarding worked fine until I had 3-4 rules with some of the same ports (but on different public IPs of course) - then it just didn't work like I thought.

If I need to use one-to-one NAT - can someone please give me a blow-by-blow ? I cannot wrap my head around it.


#11
General Discussion / Re: Is Proxy ARP the solution..?
October 03, 2017, 09:05:57 PM
Quote from: Stephan on October 02, 2017, 02:30:27 PM
Quote from: alfemann on October 02, 2017, 12:56:09 PM
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither Openvpn nor IPSEC interfaces/tunnels are listed in any way... I am running 17.7.4 btw

Hi, well - meanwhile You got it running^^ *thumbsup*
nevertheless I wonder why You don't see the TAP interface? <-- it's only working with a TAP configuration in openVPN

Cheers, Stephan

I would like to know that as well !
#12
General Discussion / Re: Is Proxy ARP the solution..?
October 02, 2017, 01:38:20 PM
Quote from: mimugmail on September 30, 2017, 01:42:11 PM
No, you need SPD entries in your ipsec setup and NAT

https://mimugmail.github.io/NATbeforeIPSEC.html

It looks a bit different now, but you should get it to work.

I made this work!! Thank you so much!!
#13
General Discussion / Re: Is Proxy ARP the solution..?
October 02, 2017, 12:56:09 PM
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither Openvpn nor IPSEC interfaces/tunnels are listed in any way... I am running 17.7.4 btw
#14
General Discussion / Is Proxy ARP the solution..?
September 30, 2017, 01:03:33 PM
Current firewall is getting old, and I am planning to switch it with a computer running OpnSense.
I have one issue that I cannot seem to find an answer to ;
Our LAN is 10.10.11.0/24 and we are connected to a service we use through IPSEC, and the remote network is 10.1.1.0/24.

Here is the snag: the old Sonicwall set aside a few addresses in the LAN segment for road warriors connecting with SSL-VPN - and the remote network only knows that 10.10.11.0/24 is available through the tunnel.
I want to use OpenVPN road warrior setup, but the setup requires a separate (virtual?) subnet for these connections - meaning road warriors will have addresses outside of the LAN. If I can't change or add the routing on the remote side - how can I either:
a) assign road warriors IPs from the LAN segment (ideally using DHCP relay to another server)?
b) make traffic from road warriors seem like it comes from LAN IPs when in fact it does not?

My instinct tells me to look closer at Proxy ARP, but I am not sure, and I cannot seem to find thorough docs on the subject.

Does anyone have ideas as to the solution, and does anyone know some good examples and documentation for proxy-arp ?

========
Alf
#15
God, yes!
I don't understand why, but I tried on two different machines and was not able to make a bootable/installable USB or DVD. I tried all the relevant images, but no go. The closest I got was once on a USB - the words "gptboot: primary GPT table checksum mismatch" flashed by before it rebooted in an endless cycle.
In the end I spent some time googling etc., and LUCKILY - I found this post. Thank you for saving what little was left of my hair ;D