Messages - liberomic

#1
Hi Franco,

After factory reset I have applied the lock on all interfaces, thanks for your suggestion.

Why is this option not set as default? Now I will install zerotier without issue? Is this feature needed on the zerotier interface?

Regards,
Liberomic
#2
Hi All,

I have installed the zerotier plugin in the last version of opnsense; after the reboot all VLANs are deleted.

Use of zerotier on opnsense with VLANs is very critical.

:'( :'( :'(

#3
Hi Franco,

We want to test this on a new device in production but the file is missing.

opnsense-update -kr 17.1.9-ipsec
Fetching kernel-17.1.9-ipsec-amd64.txz: ...opnsense-verify: Unable to open /var/cache/opnsense-update/69564/kernel-17.1.9-ipsec-amd64.txz: No such file or directory
failed

We have updated to 17.1.11; is this fix included?

Regards,
Liberomic
#4
Hi Franco,

IT WORKS!!!!  ;D ;D ;D

I have tested in my lab and it works fine!!!!

In my production environment I have the version 17.1.6; do you suggest doing any updates first to 17.1.10 and then changing the kernel?

Many thanks
Liberomic

#5
Hi Franco,

Thanks for your reply, do you have a technique to make my workaround permanent?

I have deleted these lines from /tmp/rules.debug:
block in  log inet from {any} to {any} label "Default deny rule"
block in  log inet6 from {any} to {any} label "Default deny rule"

I have added these lines at the end of the file (all interfaces without IPSEC "enc0"):

block in  log on $WAN inet from {any} to {any} label "Default deny rule"
block in  log on $WAN inet6 from {any} to {any} label "Default deny rule"
block in  log on $LAN inet from {any} to {any} label "Default deny rule"
block in  log on $LAN inet6 from {any} to {any} label "Default deny rule"

# pfctl -f /tmp/rules.debug

Regards,
Liberomic
#6
Hi all,

I have had the same problem for many days, but this big issue is not considered highest priority by support.

In this post you can find my workaround:
https://forum.opnsense.org/index.php?topic=4385.0

See you ;)
Liberomic
#8
Hi All,

This issue is very bad; with my workaround the incoming traffic works fine....
But this change in the file /tmp/rules.debug will be lost when you modify firewall rules or restart the appliance....

Regards,
Liberomic
#9
17.1 Legacy Series / Re: SIP please help
May 30, 2017, 09:07:08 AM
Hi All,

I have downgraded to 17.1.6 and VoIP is working fine.....

bye
liberomic

#10
Hi All,

Do you have any news on this PF issue?

Regards,
Liberomic
#11
17.1 Legacy Series / Re: SIP please help
May 29, 2017, 03:44:47 PM
Hi Julien,

With 17.1.6 the VoIP in my network was working fine (with a STUN server or redirecting the VoIP traffic with NAT); after the upgrade to 17.1.7 the VoIP traffic does not work.

Today I will try to downgrade the software:

# opnsense-revert -r 17.1.6 opnsense

You can check the VoIP traffic with this command:

tcpdump -n -e -ttt -i pflog0 'host IPOFYOURPBX'

Bye Bye
Liberomic


#12
17.1 Legacy Series / Re: SIP please help
May 25, 2017, 08:27:28 PM
Hi All,

I have the same issue after upgrading to 17.1.7 with 3CX PBX; in pflog all sessions are accepted.
The registration to the SIP provider works fine but the calls are blocked.

I have reinstalled my old firewall for the moment...... :'(

Regards,
Liberomic
#13
Hi Franco,

I have upgraded this configuration to 17.1.7 (zerotier now is removed) and it is working fine, but we want to use Zerotier on Opnsense.

Have you checked this issue on different configurations?

Regards
Liberomic
#14
Hi Franco,

On the IPSEC interface we have checked all combinations.

ANY--ANY--Accept
Source VPN subnet--Local subnet--Accept

But the issue persists......

I have replicated the issue on a different site and this issue is replicable.

To clarify the issue I am writing the network scheme: I have four sites connected by IPSEC to the central Office (HO).

- Office1 (opnsense) to Head Office: this site is working fine; the WAN interface of opnsense has a public IP
- Office2 (opnsense) to Head Office: I have the WAN interface NATed and the inbound traffic is blocked on the enc0 interface
- Office3 (opnsense) to Head Office: I have the WAN interface NATed and the inbound traffic is blocked on the enc0 interface

For Office2 and Office3 I have applied my workaround for inbound traffic coming from Head Office, because without my workaround only ICMP traffic works and TCP/UDP is blocked.

Note: on Office2 and Office3 I have enabled NAT Traversal and the router forwards all ports to the opnsense WAN interface. I have upgraded all opnsense to 17.1.7.

Thanks for your support
Liberomic





#15
Hi all,

I have checked in 17.1.7 and the issue persists.

Regards,
Liberomic