Messages - alfemann

1
General Discussion / Block ICMP to/from interfaces
« on: May 05, 2022, 12:45:25 pm »
Hi - a general question that is puzzling me.
I have a (primary lan) setup on igb2 with 10.10.11.0/24 and Opnsense interface is 10.10.11.1
In addition - I have another network (guests) on igb3 - with ip 192.168.5.1/24 - opnsense is 192.168.5.1

Reflection is turned on btw, if that matters.

I want to prevent all/any client on the 10.10.11 - network from pinging 192.168.5.1
I have tried all combinations I can think of, but regardless of the rules I make in the firewall, the ping goes through....
Is there something mystical or special about the local IP that I haven't thought about ?

2
20.7 Legacy Series / Re: NUT diagnostics screen is blank
« on: January 19, 2021, 11:47:43 am »
Yeah - rebooting does nothing..

3
20.7 Legacy Series / Re: NUT diagnostics screen is blank
« on: January 19, 2021, 09:57:36 am »
Yes I know. I only ever had one enabled at a time.

4
20.7 Legacy Series / Re: NUT diagnostics screen is blank
« on: January 18, 2021, 08:55:19 am »
I have tried both SNMP and USB - both turn up when I access them through the command-line, but not in diagnostics. Here are settings when I use in USB-mode.

5
20.7 Legacy Series / Re: NUT diagnostics screen is blank
« on: January 16, 2021, 04:18:14 pm »
Not sure what you asked.... Do you mean in Opnsense config ?- Name is just "apc" nothing more.

6
20.7 Legacy Series / NUT diagnostics screen is blank
« on: January 08, 2021, 03:44:50 pm »
I have installed the NUT add-on, and configured an older APC Smart-PS 1000 RM to work with it in Standalone mode.
Whether I use SNMP or USB - the ups is listed if I do upsc -l
Also - the parameters are read and displayed (correctly) if I do upsc <upsname>.
So - far - as expected, as should be, and all seems ok, BUT - in Services->NUT->Diagnostics - the screen is just ... blank. And curl http://localhost/ui/nut/diagnostics gives nothing.

I saw nothing fishy in any logfile either ....

Is there some standard basic error I may have done ?


7
20.7 Legacy Series / Re: Hanging in first boot from USB
« on: December 28, 2020, 10:07:50 am »
No, it is UEFI.
Have now tested with legacy and non-legacy and all the settings I can think of....

8
20.7 Legacy Series / Hanging in first boot from USB
« on: December 23, 2020, 10:41:26 am »
As my old Opnsense installation resides on a computer that is getting a bit old and tired, I purchased a new desktop PC and downloaded 20.7 to install. The problem is that the boot sequence stops right after some information about the video-card. The machine is then completely frozen, and has to be power-cycled.

Image is OPNsense-20.7-OpenSSL-vga-amd64.img.bz2
Installed to a 16G USB stick
Hardware: HP ProDesk 600 G5
- SFF
- Core i5 9500 / 3 GHz
- RAM 8 GB
- SSD 256 GB
- NVMe
- DVD-Writer
- UHD Graphics 630
- GigE

Attached is an image of where in the boot process it freezes.
Does anybody know what on earth this could be caused by ?

9
General Discussion / Ping from firewall over IPSEC
« on: January 10, 2019, 12:17:13 pm »
I have a functioning IPSEC-tunnel up running on an OPNsense 17.7.4, and traffic between machines on either side is running perfectly.

I want to use an LDAP-server on the remote side of the IPSEC tunnel for authentication (for incoming openvpn roadwarrior clients). When I try to set this up as a server in OPNsense menu, there is no response from LDAP server. I then tried to ping the server from the OPNsense - no reply.
Doing ping or LDAP from any client on the LAN-side of the OPNsense - works fine.

What on earth could I be missing ??

10
General Discussion / One-to-one NAT or just port forwarding
« on: October 03, 2017, 09:30:29 pm »
I have seen variations of this question, but I really cannot see that they have been answered to a degree that I can understand how to set it up.

I have a /27 of public addresses say 199.199.199.34 .. .62
On the inside I use 10.10.10.0/24.

I have some servers running on the inside, and need to expose various ports on public IPs.
First off ; am I better off using Port forwarding, or one-to-one NAT and fw-rules ?
It seemed the port forwarding worked fine until I had 3-4 rules with some of the same ports (but on different public IPs of course) - then it just didn't work like I thought.

If I need to use one-to-one NAT - can someone please give me a blow-by-blow ? I cannot wrap my head around it.



11
General Discussion / Re: Is Proxy ARP the solution..?
« on: October 03, 2017, 09:05:57 pm »
Quote from: Stephan on October 02, 2017, 02:30:27 pm
Quote from: alfemann on October 02, 2017, 12:56:09 pm
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither Openvpn nor IPSEC interfaces/tunnels are listed in any way... I am running 17.7.4 btw

Hi, well - meanwhile You got it running^^ *thumbsup*
nevertheless I wonder why You don't see the TAP interface? <-- it's only working with a TAP configuration in openVPN

Cheers, Stephan

I would like to know that as well !

12
General Discussion / Re: Is Proxy ARP the solution..?
« on: October 02, 2017, 01:38:20 pm »
Quote from: mimugmail on September 30, 2017, 01:42:11 pm
No, you need SPD entries in your ipsec setup and NAT

https://mimugmail.github.io/NATbeforeIPSEC.html

It looks a bit different now, but you should get it to work.

I made this work!! Thank you so much!!

13
General Discussion / Re: Is Proxy ARP the solution..?
« on: October 02, 2017, 12:56:09 pm »
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither Openvpn nor IPSEC interfaces/tunnels are listed in any way... I am running 17.7.4 btw

14
General Discussion / Is Proxy ARP the solution..?
« on: September 30, 2017, 01:03:33 pm »
Current firewall is getting old, and I am planning to switch it with a computer running OpnSense.
I have one issue that I cannot seem to find an answer to ;
Our LAN is 10.10.11.0/24 and we are connected to a service we use through IPSEC, and the remote network is 10.1.1.0/24.

Here is the snag : the old Sonicwall set aside a few addresses in the LAN-segment for road-warriors connecting with SSL-VPN - and the remote network only knows that 10.10.11.0/24 is available through the tunnel.
I want to use OpenVPN road warrior setup, but the setup requires a separate (virtual?) subnet for these connections - meaning roadwarriors will have addresses outside of the LAN. If I can't change or add the routing on the remote side - how can I either ;
a) assign roadwarriors IPs from the LAN-segment (ideally using DHCP-relay to another server) ?
b) make traffic from roadwarriors seem like it comes from LAN-IPs when they in fact do not.

My instinct tells me to look closer at ProxyARP, but I am not sure, and I cannot seem to find thorough docs on the subject.

Does anyone have ideas as to the solution, and does anyone know some good examples and documentation for proxy-arp ?

========
Alf

15
17.1 Legacy Series / Re: Opnsense not installing? Alternative method to get it done!
« on: February 17, 2017, 02:21:41 pm »
God, yes!
I don't understand why, but I tried on two different machines and was not able to make a bootable/installable USB or DVD. I tried all the relevant images, but no go. The closest I got was once on a USB - the words "gptboot: primary GPT table checksum mismatch" flashed by before it rebooted in an endless cycle.
In the end I spent some time googling etc, and LUCKILY - I found this post. Thank you for saving what little was left of my hair  ;D
