Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - evildevil

Pages: [1]

24.1 Legacy Series / Re: Peer generator: WireGuard Instance not saved / QR-Code Config not working

« on: April 05, 2024, 09:13:56 am »

Hi,

Quote from: stanthewizzard on April 05, 2024, 08:27:08 am

I'm with 24.1.5_2
and when trying to scan the QR this is still unvalid

I had this issue once yesterday - it looked like the QR-Code was not scanned properly and rescanning the QR-Code fixed the problem (maybe you could try cleaning the Mobile Phone's Camera lens / Computer Monitor or using different angle/distance to scan the QR-Code).

You can also scan the QR-Code with your Phone's default Camera App and it should decode the QR-Code as Text, which should be the same Information that is displayed at the Peer Generator "Config" Textbox.

Hope this helps,
Patrick

24.1 Legacy Series / Re: Peer generator: WireGuard Instance not saved / QR-Code Config not working

« on: April 04, 2024, 11:32:09 pm »

Seems like Issue #1 was addressed already:
https://forum.opnsense.org/index.php?topic=39813.msg195181#msg195181
Yes - I updated to 24.1.5_2 and it is fixed.
Thank you - that was really fast ;-)

Best regards,
Patrick

24.1 Legacy Series / Peer generator: WireGuard Instance not saved / QR-Code Config not working

« on: April 04, 2024, 11:30:06 pm »

Hello all,

I'm not sure if this is a specific issue from my environment, but I updated to 24.1.5 today and wanted to try the Wireguard Peer generator.
I ran into two issues:
1. The "Instance" selected in the Peer generator is not saved after clicking on the "Store and generate next" Button.
If you switch back to the "Peers", the Instance of the newly created Peer is empty.
2. I scanned the QR-Code on my Android Phone using "Wireguard for Android 1.0.20231018". Importing the config is working, but I can not establish the connection. Error message on the Phone is "Fehler beim Starten des Tunnels: at least on address must be specified"
I have to edit the configuration on the Phone and enter an IP-Address at the "Interface -> Adressen" Field that is in the Instance's IP range to make it work.

Is anybody else having these issues?

Best regards,
Patrick

High availability / Re: Poor Mans HA with CARP on internal Interfaces only

« on: January 25, 2023, 05:16:57 pm »

Hi all,

after meddling around unsuccessfully with my Idea, I decided to throw it away and implement CARP, loosing 2 public IP Addresses and go ahead and implement a reverse Proxy (HAProxy) to handle most incoming Webserver/-service Requests to make up for the loss of the 2 public IP Addresses.

Learn from my Failure, review your Requirements and try to implement it using Tools that are already available ;-)

Best Regards,
Patrick

High availability / Poor Mans HA with CARP on internal Interfaces only

« on: January 24, 2023, 10:17:47 am »

Hello,

due to the Shortage of WAN IP-Addresses (I am already using all the available IP-Addresses in
my IPv4 /29 Public Network) I wanted to implement a stripped down HA Solution.
Currently I am using two Sophos UTM SG Appliances to accomplish that (they don't use CARP and can failover without the need of additional IP-Addresses).
My Idea was to only configure the internal Interfaces using CARP and do an Active-Passive Failover on the WAN Interface.
Both OPNsense Boxes are running 22.7.10_2
Active Unit: WAN is up and configured with the main static IPv4 Address and the additional IPv4 Addresses
Passive Unit: WAN is down and configured with the main static IPv4 Address and the additional IPv4 Addresses

So, if the internal Interfaces fail and CARP is triggered, the Passive Unit's WAN Interface should be brought up by Script. I looked at the Scripts in https://github.com/opnsense/core/tree/master/src/etc/rc.syshook.d/carp and https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573#file-10-wireguard-L1
but my PHP Skills are not that sophisticated. I tried to walk trough the Source-Codes and Include-Files, but I don't get how/where the WAN interface can be simply brought up.
And should I enable/disable the physical Interface (igc2) or the logical IPv4 Interfaces? My Gut suggest the physical interface.

Based on the Wireguard Script:

Code: [Select]

if ($type === "MASTER") {
    log_error("Enabling WAN due to CARP event '$type'");
    # Checking `isset` avoids a race condition during startup when the
    # WireGuard config stanza seems like it's not yet loaded. Without it, this
    # can create an extra, empty, invalid stanza that breaks WireGuard.
# is the isset necessary?
    if (isset($config['OPNsense']['igc2']['general']['enabled'])) {
      $config['OPNsense']['igc2']['general']['enabled'] = '1';
    }
#    configd_run('wireguard start');   # WAN is not a service, or is it?
    write_config("Enable WAN due to CARP event '$type'", false);
} else {
    log_error("Disabling WAN due to CARP event '$type'");
#    configd_run('wireguard stop');
    if (isset($config['OPNsense']['igc2']['general']['enabled'])) {
        $config['OPNsense']['igc2']['general']['enabled'] = '0';
    }
    write_config("Disable WAN due to CARP event '$type'", false);
}

Any Hints and Pointers in the right Direction are appreciated.

Best Regards,
Patrick

22.7 Legacy Series / Re: Update to 22.7.8 Problem

« on: November 18, 2022, 03:18:53 pm »

Hello again,

I was able to fix it by following the info provided at https://forum.opnsense.org/index.php?topic=31108.0
Steps:
1. Backup/Snapshot!
2. Console:

Code: [Select]

pkg remove freeradius3-3.0.25(this removes freeradius3-3.0.25 as well as the os-freeradius plugin)
3. Web-Ui: Install os-freeradius plugin which showed as "missing"
Freeradius now shows as Version 3.2.1 in the Web-UI and is not detected as an update anymore.

Best regards,
Patrick

22.7 Legacy Series / Re: Update to 22.7.8 Problem

« on: November 18, 2022, 03:07:25 pm »

Hi,

same issue here. Updated vom 22.7.7 to 22.7.8, checked for updates, freeradius3 update from 3.0.25 to 3.2.1 is available, but does not want to update. Same errors as already posted by seed.

radiusd -v shows Version 3.2.1 and Auth by Radius is still working.

Looks like some glitch in the package manager?

Best regards,
Patrick

German - Deutsch / Re: OPT als LAN Port nutzen

« on: February 14, 2019, 10:33:48 pm »

Hi,

das sollte gehen, indem du LAN + OPT als Bridge definierst nehme ich an.

Gruß,
Patrick

German - Deutsch / Re: Default Deny Rule blockiert ab und zu VPN Netz

« on: February 03, 2019, 01:23:00 am »

Hallo,

ja, der Thread ist schon älter, aber da evtl. mal jemand über ne Websuche hierher findet (so wie ich)....
In meiner Umgebung hatte ich ebenfalls ähnliche Probleme.
Kurz zur Umgebung:
Auf einer alten Sophos UTM 120 (Atom N450, 2GB RAM, 4x Intel NIC) ist OPNsense installiert.
em0 Management, quasi "LAN"
em1 unbenutzt
em2 WAN
em3 VLAN Trunk mit VLAN 3,4,5,6,7,8)

Dazu habe ich einen TPLink T2600G-28TS Switch im Einsatz. em0 ist dort an einem Port mit untagged VLAN 10 (Management-VLAN) angebunden.
Zusätzlich ist em3 an einem Port mit tagged VLAN 3,4,5,6,7,8 am Switch angeschlossen
(Ich habe es leider nicht hinbekommen, OPNsense über einen VLAN Trunk incl. VLAN 10 am Switch zu betreiben, da mein "LAN" dem VLAN 3 entspricht und das irgendwie bei der Einrichtung dann nicht sauber lief).
Am Switch hängen auch noch 2 Unifi UAP-AC Lite, jeweils an einem tagged VLAN 3,4,5,6,7,8 Port.
Die UAP-AC Lite haben mehrere WPA2 PSK SSIDs , die jeweils unterschiedlichen VLANs zugewiesen sind. Zusätzlich gibt es eine SSID, die EAP per Radius machen soll (was aber aktuell noch nicht funktioniert).
Ich hatte eine Regel angelegt, die einer IP-Adresse aus VLAN8 den Zugriff auf eine IP-Adresse /TCP Port im Mgmt Netz erlaubt hat(Unifi Controller HTTPS-Server). Das ging auch halbwegs, aber im Firewall-Livelog waren immer wieder "Default Deny Rule" Einträge mit der eigentlich erlaubten Source-IP + Destination IP/Port zu finden.
Auch der Zugriff von VLAN 3 nach VLAN 10 (der komplett "offen" konfiguriert ist), auf einen SSH-Server im VLAN 10 hatte das gleiche Problem, was dann immer zu Abbrüchen der SSH-Session geführt hat.
Die genaue Ursache, warum die Firewall anscheinend nicht alle Pakete sieht und deshalb manche Paket als nicht in der State Table enthalten sind und verworfen werden, kenne ich nicht.
Aber seitdem ich die Option in der "Erlauben"-Regel unter "Advanced Options" -> "State Type" auf "none" gesetzt habe, werden die Pakete nicht mehr verworfen.

Viele Grüße,
Patrick

Pages: [1]