
Messages - eptesicus

#1
I'm getting nowhere through search here or reddit. Does no one have a documented fix on this issue? Does no one else have this problem? Am I SOL and is this what forces me off of OPNsense?
#2
I'm using this one VLAN as an example, but since upgrading from 19.1.10 to 19.7.7, servers on this VLAN cannot access the internet, but can access the servers on other VLANs they have access to. If I change the gateway on the first and last rules to WAN_DHCP, internet connectivity works, but not connectivity to anything outside of the VLAN. I should note that 2 VLANs are routed through an HA VPN gateway, and the setup seems pretty complex. Either way, all the rules have stayed the same, but since the upgrade, connectivity has changed.
#3
Hey, all... I got some help on the subreddit, but I'm having a weird issue... I got VPN working for one of my VLANs only (VLAN10_DL in my case, which is what I want for right now), and web traffic on every other VLAN and the LAN is working fine. However, there are issues with ping.

On my VLAN10_DL network that's routing over VPN, traffic is fine with the exception of ping/ICMP. I cannot ping outside to anything on the WAN via IP or domain name (pinging 8.8.8.8 fails, and pinging google.com fails). Also, from the LAN I can ping 10.0.70.41 in my VLAN10_DL network, but I can't ping 10.0.70.101 that's in that same network. Pinging something on the LAN from 10.0.70.101 is successful, however.

On my LAN and other subnets that aren't routing over VPN (just over the WAN), pinging IP resolves, but not domain name (pinging 8.8.8.8 is successful, but pinging google.com fails).

See much of the config below...

What am I doing wrong? What could be cleaned up to make this simpler but still achieve what I'm wanting?
#4
General Discussion / Subnets and Messy Rules
January 28, 2019, 03:57:00 PM
I'm trying to go from a flat /20 network to subnets. I'm working on dividing my network up as below:

LAN - Currently contains most of the network at this time. Trying to move everything to VLANs/subnets
VLAN10_MGMT - Management network for DCs, DNS, ESXi hosts/vCenter, OoB management/console access, backups (may move to own subnet), monitoring servers/applications, etc. (Should be isolated, but also have access to everything?)
VLAN20_Storage - Network for NAS' with media and the SAN for VM storage. (Permit SAN for ESXi storage)
VLAN50_Users - My desktop, phone, laptop, etc. (Want access somehow to the management network, or everything... Not sure yet.)
VLAN70_DL - Download/torrent servers and DL automation services. (Want to view the web UIs from my Users and MGMT networks. Need to allow to read/write to the NAS on my storage network)
VLAN80_Web - Nginx reverse proxy servers, and any web-facing servers. (Only open ports to necessary services)
VLAN90_RA - Remote access - Squid proxy, VPN access to home network, RDP jumpboxes w/ Duo, ssh jumpboxes w/ Duo.
VLAN100_Guest - Guest wifi (Should be isolated completely with the exception of Plex and my other web services)
VLAN110_Wife - Wife's desktop, phone, tablet, etc. (Should be isolated completely with the exception of Plex and my other web services)
VLAN120_IOT - Internet of things... TV, Nvidia Shield... (Should be isolated completely with the exception of Plex and pi-hole DNS)

Right now, I have a PIA VPN on the firewall routing traffic to Toronto. When this was on, the Guest wifi, Wife and IoT VLANs wouldn't get access to the internet. I had to set their gateways to the WAN to fix that.

The problem right now is that when I enable the VPN, the LAN doesn't have access to the internet. Traffic should NOT be routing over that VPN, but something's happening where it's trying to, but is failing. I want it to go over the WAN, but for the time being, I don't want to set the WAN as a gateway, because then I can't access any of the other subnets.

Aside from starting my lab/home network from scratch, how do I make this all possible?
#5
So am I then setting these firewall rules up? Should all rules go out the WAN gateway? I set the Guest, Wife's, and IoT subnets to have the gateways for the first and last rules set to WAN. Does this need to be set this way for all VLANs? I had to do it this way because traffic was somehow finding its way to one of my VPN gateways, but wasn't making it out, so traffic halted.
#6
Bart - Thanks for the input. I got an Intel/Dell x540 dual-10GbE NIC, so I could LAG those two ports together and have 20GbE to and from the 10GbE core switch.

Maybe this year I'll replace the Unifi switches with the ES series to get layer 3.
#7
I have my OPNsense firewall on an ASUS RS200 with an i3 CPU, 4 GbE NICs, and 2x 10GbE NICs that will be installed this weekend.

My two switches are Ubiquiti Unifi US-16-XG and US-24-250. I have a SAN, two NAS', and 4 ESXi hosts. Each of these is connected to the 16-XG for 10GbE and then a 1GbE on the US-24 for failover.

I'm currently working on segregating my network so that it's no longer a flat 10.0.0.0/20, but has 10 different subnets (management, storage, desktops, backup, downloads, web/DMZ, remote access, guest wifi, wife's devices, and IoT). My problem is that now every subnet is having its traffic routed through the firewall's 1GbE LAN port. 10GbE will be installed this weekend, but do I have a way without buying all new Layer 3 switches to keep traffic from completely saturating the firewall? Someone had mentioned running some VMs on my hosts to act as the gateways, but I want to see if there's a better solution before I pursue that or just leave the traffic to route through the firewall once I install 10GbE.

Thanks!
#8
Is that from personal experience or are they not supported?
#9
I'm assuming that the X540-T2 cards work as well? If I can utilize the RJ45 10GbE NICs on my switch, maybe that's the way to go....
#10
Hardware and Performance / 10GbE NIC Recommendation?
January 18, 2019, 02:13:18 PM
I'm currently working on segregating my network into various VLANs/subnets. I have a 10GbE Ubiquiti switch and an Asus RS200-E9-PS2 server that I'm using for my firewall. In my quest for network segregation with 10GbE, I learned that because my gateways are on the firewall, with a 1GbE connection, I'll be limited to 1GbE between devices on VLANs that do communicate with each other.

With that said, I've had success with Mellanox ConnectX-2s and -3s for SFP+ NICs in ESXi and Debian/Ubuntu, but don't know if these will work with OPNsense/FreeBSD. Can anyone confirm or recommend an SFP+ or RJ45 10GbE alternative?

Thanks!
#11
18.1 Legacy Series / Re: Cannot start snmpd service
July 21, 2018, 05:15:28 PM
No. I reinstalled os-snmp, and the service starts up fine, but no matter what I do, I'm unable to get anything on my network to poll SNMP from the firewall.
#12
18.1 Legacy Series / Re: Cannot start snmpd service
July 20, 2018, 01:35:48 PM
I've tried starting the service via console, and get the same error. I had bsnmpd installed previously (not any longer), but I was never able to get that to work, even though I was able to get that service to start.
#13
18.1 Legacy Series / Re: Cannot start snmpd service
July 19, 2018, 08:08:23 PM
The service continues to fail to start with the LAN (10.0.0.1) IP set as the Listen IPs.
#14
18.1 Legacy Series / Re: Cannot start snmpd service
July 19, 2018, 07:40:49 PM
I've entered 10.0.0.30 which is the workstation that I'm trying to test snmpwalk at the moment, and I've also tried other IPs, as well as 10.0.0.0/20 to allow all local traffic. The service still fails to start.
#15
18.1 Legacy Series / Cannot start snmpd service
July 19, 2018, 06:28:43 PM
I installed the os-net-snmp plugin, but the service is unable to run. I've attempted to reinstall without resolution. I'm running 18.1.12 and have os-net-snmp 1.0_1 installed.

Jul 19 12:21:18    root: /usr/local/etc/rc.d/snmpd: WARNING: failed to start snmpd

Thoughts on getting snmp running?