Messages - maxxer

#1
Quote from: franco on June 08, 2022, 03:21:26 PM
Didn't someone say recently that enabling hardware offloading settings may be required for kvm on FreeBSD 13?

All the flags were enabled = feature disabled.
#2
Thanks for the feedback, but it's not a deliverability issue; we've been running a mailserver here for ages with no problems. The issue is with OPNsense upload performance, which unfortunately we weren't able to solve. We tried changing the interface type to vmx3 or e1000 but we still had less than 0.5Mbps of upload. We switched to pfSense and now upload is 2.5MBps, which is in line with connection performance.
#3
It looks like emails with attachments (even >= 20KB) are impacted by the issue. Text-only emails are delivered.

#4
Hi.
We replaced a pfSense installation with a freshly installed 22.1.8_1. The mailserver in LAN is unable to contact some remote MX, specifically Gmail / Outlook, but also some other minor providers.
The configuration is pretty simple, there are no LAN rules except the default ones allowing all traffic. No QoS configured.

Weirdly enough, telnetting to these hosts works, but mail delivery won't. Could it be something related to TLS connections?

The WAN has a 192.168.20.1 address, the modem is 192.168.20.2. Block of private and bogon networks is disabled. This was erroneously enabled, and while web navigation was fine we had another issue: ssh'ing outside from the server was working, but scp didn't. Now scp works, but email still won't get delivered.

What could be blocking these connections?
thanks


Jun  3 14:57:12 srv02 postfix/smtp[19722]: 79CA91E33BC3: to=<a.b@domain.it>, relay=mail.register.it[195.110.124.132]:25, delay=3428, delays=3282/0.21/1.2/145, dsn=4.4.2, status=deferred (lost connection with mail.register.it[195.110.124.132] while sending message body)
Jun  3 14:57:49 galasrv02 postfix/smtp[19683]: AA78E1E33CC9: conversation with ASPMX.L.GOOGLE.com[108.177.126.27] timed out while sending message body


EDIT: forgot to say the firewall is running as a Proxmox VM, network driver virtio
#5
General Discussion / Re: No VPN access from LAN
October 07, 2020, 11:11:37 PM
Same/similar here. My office setup: LAN to OpenVPN works. Customer setup: LAN to OpenVPN DOESN'T work
#6
Did you manage to solve your issue? I've the same problem in a customer setup.

What puzzles me is that in my own office I can ping from LAN to OpenVPN clients. Our config is much simpler, though. The non-working one has VLANs and dual WAN, even though it should not matter. The routes are configured correctly (all automatic, no custom ones), OpenVPN server setup is the same, firewall the same, NAT the same. I don't know where to look. If I traceroute from LAN to OpenVPN's .2 IP the packet goes to the OPNsense default gw instead of the OpenVPN gw.
#7
attaching gw status
#8
Hi.
I've configured 20.1.7 with MultiWAN. It seems to work fine but I cannot figure out why I'm unable to ping both modems at the same time, only one of the two is available.
I checked the config and it looks as per the docs: the two WANs have two private 172.x networks, I configured the two gateways and gateway groups. The default firewall LAN rule is set in fallback mode, that is, traffic going through one gw and using the second as failover. Ping from the firewall works for both modems, but from LAN only one of the two is responding. Ping from LAN to the gw monitoring IP works for both, but traceroute shows the same path for all! I.e. right now, despite both gw being online, LAN traffic is going through the secondary one!

Any hint on where to have a look? Thanks
#9
Files are in /var/etc/openvpn-csc/1, I still have to figure out when they're actually being written
#10
Did you enable gateway auto switch in advanced firewall config?

#11
I've configured multi wan following the guide on the doc page. When I configure the load balancing gateway for the LAN I'm unable to reach the WAN02 gateway. dpinger can reach it as well as the configured monitoring IP, but it's not possible from the LAN if balanced gw or WAN01 priority gw is selected.

Also if I traceroute the WAN02 monitoring IP from LAN I get routed through the WAN GW, not the appropriate one. But the correct route for WAN02 (172.31.15.0/24) exists on the firewall.

Both GW are marked as upstream, gw auto switching is enabled in advanced firewall settings. I don't know what else to check.

thanks
#12
I've created a client specific override for a user with a custom VPN network. Now I'd like to remove it, but I'm unable to: even if I remove the entry the client still gets the custom network. I did everything I could:

  • removed the entry in CSO
  • restarted openvpn service
  • restarted opnsense
  • upgraded from 19.7 to 20.1
  • created an empty CSO entry
The client still gets custom routes. On the same computer, if I change username it gets the default config.

So I tried sshing to opnsense and had a look into the openvpn config file but wasn't able to find where those configs are stored. Does anyone have hints?

Thanks
#13
Quote from: lewald on May 14, 2020, 01:03:24 PM
Use "Force CSO Login Matching" in vpn Server Settings.
Then client specific override will work on user name.

If this is for me, thanks, but I have no problem in matching the CN now. I need to understand why the override isn't applied immediately.
#14
Quote from: maxxer on May 11, 2020, 12:13:31 PM
I'm trying to assign a static IP to an OpenVPN client. I added in Client Specific Overrides a new rule with the openvpn username as common name, and in Advanced:

The procedure is correct, but for some reason (probably because by default the server allows the client to retain their IP) it's not immediately applied. I haven't had time to investigate further but it can take up to 4h.

The correct syntax is this:

ifconfig-push 192.168.99.15 192.168.99.14

if the Topology checkbox on the server configuration is unticked. If this is enabled the command should be ifconfig-push 192.168.99.15 255.255.255.0 but I'm not sure, I haven't tested
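
An added example, not part of the original posts and not OPNsense or OpenVPN code: a small checker for the two `ifconfig-push` forms that appear in these posts, reporting whether a Client Specific Override line fits the server's topology setting. The function names and the tunnel network 192.168.99.0/24 are assumptions made for the illustration.

```python
import ipaddress

def is_netmask(addr):
    """True if addr is a contiguous IPv4 netmask such as 255.255.255.0."""
    inverted = ~int(addr) & 0xFFFFFFFF
    return int(addr) != 0 and (inverted & (inverted + 1)) == 0

def check_ifconfig_push(line, topology, tunnel_net):
    """Return a list of problems; an empty list means the line fits.

    topology   -- "net30" (Topology unticked) or "subnet" (Topology ticked)
    tunnel_net -- the server's tunnel network (assumed value in the samples)
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected: ifconfig-push <client-ip> <peer-ip or netmask>"]
    net = ipaddress.IPv4Network(tunnel_net)
    try:
        client = ipaddress.IPv4Address(parts[1])
        second = ipaddress.IPv4Address(parts[2])
    except ValueError as exc:
        return [f"invalid address: {exc}"]

    problems = []
    if client not in net:
        problems.append(f"client {client} is outside {net}")
    if topology == "subnet":
        # subnet topology: second argument is the tunnel netmask
        if not is_netmask(second):
            problems.append(f"subnet topology needs a netmask, got {second}")
        elif second != net.netmask:
            problems.append(f"netmask {second} differs from {net.netmask}")
    elif topology == "net30":
        # net30 topology: second argument is the peer endpoint address
        if is_netmask(second):
            problems.append(f"net30 needs a peer address, got netmask {second}")
        elif second not in net or second == client:
            problems.append(f"peer {second} must be another address in {net}")
    else:
        problems.append(f"unknown topology {topology!r}")
    return problems

if __name__ == "__main__":
    TUNNEL = "192.168.99.0/24"  # assumed from the addresses in the posts
    for topo in ("net30", "subnet"):
        for cso in ("ifconfig-push 192.168.99.15 192.168.99.14",
                    "ifconfig-push 192.168.99.15 255.255.255.0"):
            print(topo, "|", cso, "->", check_ifconfig_push(cso, topo, TUNNEL) or "ok")
```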
#15
20.1 Legacy Series / OpenVPN static IP address
May 11, 2020, 12:13:31 PM
Hi.
I'm trying to assign a static IP to an OpenVPN client. I added in Client Specific Overrides a new rule with the openvpn username as common name, and in Advanced:


ifconfig-push 192.168.99.15 255.255.255.0


but it will always get the same (but different) address. Is this still supported? thanks