Messages

1

Development and Code Review / Routed IPSec

« on: October 10, 2018, 01:14:25 am »

PFSense announced Routed IPSec which uses OS routing table.
More on https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html

I truly need this, is this going to be implemented?

2

Hardware and Performance / Re: Dual WAN links wih CARP hardware failover

« on: September 28, 2018, 05:35:53 pm »

Just setup two OPNSense Servers, each one with a cable from each modem, setup High Availability to sync the configs and setup a CARP. Assign the Interfaces from the modem and lan and set the IP's.
Create a Gateway Group, add the two Interfaces and choose if you want only Failover or Load Balancing.
Create a Firewall Rule on the LAN Interface and set the Gateway option to your Gateway Group.
This is a brief explanation but if you are into OPNSense, PFSense you should be able to do it.

Note: Your LAN devices should have the CARP IP as Gateway.

3

18.7 Legacy Series / Re: OpenVPN: OpenVPNServer Interface - usefull?

« on: September 28, 2018, 05:15:48 pm »

OpenVPN Interface on the Firewall Section is usefull in some scenarios.
Imagine you don't want the remote VPN server accessing to your PFSense/OPNSense, this only applies if you have services listening on all interfaces.
By blocking incoming connections you deny the server to reach for example your 80, 443 or 22 port, or even ICMP.
Usually I use the OpenVPN interface to NAT the remote VPN network to the rest of my network, it can be used also if you are working with a Site-To-Site VPN
OpenVPNServer interface gets ip because when the VPN starts it is creates an interface usually called tunX (tun0, tun1...) and it will assign the first ip address from the ip range you specify in the vpn config.

I hope this helps

4

18.7 Legacy Series / Re: Bridge + CARP + High Availability

« on: September 28, 2018, 11:59:01 am »

I don't use a dedicated uplink for SYNC but I can create. For SYNC I am using the same interface (Bridge0).
It might be due to ovpns3 on the Backup Server is down because it is a Site-To-Site TAP VPN, I can't have both servers connected at the same time to the VPN Server.
I just don't understand why because if I assign manually the interface on the backup server it stays there.
I was checking and the same interface is not assigned on the Gateways section if it was updated through sync, manually works.

5

18.7 Legacy Series / Re: Bridge + CARP + High Availability

« on: September 28, 2018, 11:50:21 am »

I get this notice:
"09-26-18 22:22:32 [ Interface specified for the virtual IP address 192.168.XX.250 does not exist. Skipping this VIP. ]"
However if I disable Virtual IPs Synchronization and I assigned the interface manually on the Backup server (Virtual IP/Carp Settings) it works just fine.

bridge0 (Master Server)

bridge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 02:e5:3e:f9:7c:00
   inet 192.168.XX.254 netmask 0xffffff00 broadcast 192.168.XX.255
   inet 192.168.XX.250 netmask 0xffffff00 broadcast 192.168.XX.255 vhid 1
   nd6 options=1<PERFORMNUD>
   carp: MASTER vhid 1 advbase 1 advskew 0
   groups: bridge
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: ovpns3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 12 priority 128 path cost 2000000
   member: vtnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 2 priority 128 path cost 2000

bridge0 (Backup Server)

bridge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 02:a7:7b:d3:48:00
   inet 192.168.XX.251 netmask 0xffffff00 broadcast 192.168.XX.255
   inet 192.168.XX.250 netmask 0xffffff00 broadcast 192.168.XX.255 vhid 1
   nd6 options=1<PERFORMNUD>
   carp: BACKUP vhid 1 advbase 1 advskew 100
   groups: bridge
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: ovpns3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 10 priority 128 path cost 2000000
   member: vtnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 2 priority 128 path cost 2000

6

18.7 Legacy Series / Re: Bridge + CARP + High Availability

« on: September 28, 2018, 11:39:25 am »

Do I need to open an issue on Github? Is there any more information that I should provide?

7

18.7 Legacy Series / Bridge + CARP + High Availability

« on: September 26, 2018, 05:09:55 pm »

I have two OPNSense installations in High Availability.
I setup CARP on the Master Server in a Bridged interface. Both machines have the bridge interface which is br0.
When both machines synchronize the backup server loses the Interface on CARP. Is this a new problem?
I have a second CARP using regular interfaces and it synchronizes fine.

Server 1 (Master)


Server 2 (Backup)

8

18.1 Legacy Series / Syslog Logs

« on: June 20, 2018, 12:22:46 pm »

Hello,

I am sending OPNSense Logs to a Syslog Server, however I am receiving too much "noise" from IPSec, I can't seem to disable or omit IPSec logging, I could disable not to send VPN logs however I need OpenVPN logs, is there anything I can do?
Thanks!

9

17.7 Legacy Series / Re: IPSec LAN-to-LAN Source IP

« on: January 19, 2018, 03:04:47 pm »

I managed to solve my problem by removing the routes that were added:
route del 192.168.190.113
route del 192.168.190.116

Then I did:
route add 192.168.190.113/32 -iface vtnet3
route add 192.168.190.116/32 -iface vtnet3

Is there any way I can do this through the webpanel?

10

17.7 Legacy Series / IPSec LAN-to-LAN Source IP

« on: January 18, 2018, 06:51:45 pm »

# Interfaces
WAN - XX
LAN - 192.168.1.51/24
LAN 1 - 192.168.65.0/24
LAN 2 - 10.50.53.254/24

# IPSec Phase 2
Local Network: 10.50.53.254/24
Remote Network: 192.168.190.113/32

Hello,

I have an IPSec connection established, however if I try to ping or do curl from the terminal I cannot, only by specifying the IP Address.

I have to do:
curl --interface 10.50.53.254 http://192.168.190.113

If I do without specifying the source address the traffic isn't routed through the IPSec interface (enc0).

Some help is highly appreciated.

11

Development and Code Review / Re: Building from Source Issues

« on: May 24, 2017, 08:53:25 pm »

It worked! Thanks, you were very helpful!! 

12

Development and Code Review / Re: Building from Source Issues

« on: May 24, 2017, 08:12:24 pm »

Now I can build dvd, vm, vga however when I run one of those (trying to install), when the system is booting it does not launch the configuration tool.

Code: [Select]

Warning: require_once(config.inc): failed to open stream: No such file or directory in /usr/local/etc/rc.bootup on line 52
Fatal error: require_once(): Failed opening required 'config.inc' (include_path='.:/usr/local/share/pear') in /usr/local/etc/rc.bootup on line 52


13

Development and Code Review / [SOLVED] Building from Source Issues

« on: May 20, 2017, 12:33:50 pm »

Hello,

I am trying building from source like it is described in here: https://github.com/opnsense/tools
I've got a Virtual Machine (VMWare) with FreeBSD 11, UFS File System, 30 GB Hard Drive and 4 GB of RAM.

I follow these steps:

Code: [Select]

# pkg install git
# cd /usr
# rm -rf src ports
# git clone https://github.com/opnsense/plugins
# git clone https://github.com/opnsense/ports
# git clone https://github.com/opnsense/tools
# git clone https://github.com/opnsense/core
# git clone https://github.com/opnsense/src
# cd tools
But when I do:

Code: [Select]

make dvd
After a while I get this error:

fatal: ambiguous argument 'stable/17.1': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
*** Error code 128

Stop.
make: stopped in /usr/tools

Image Link: https://puu.sh/vVQcj/fd69d33c68.png

I was really needing some help as I got stuck always on the same step.

Thanks!