Messages - ralph

#1
I solved this (seemed like a leftover from a VPN client) by doing a backup, removing the entry from the config.xml and reimporting the interface section only.
#2
Hello,

I'm facing the very same issue since updating to 19.1 two days ago. Did you manage to solve or work around it?

Cheers,
Ralph
#3
Hello,

I did search Google and also this forum intensively, but unfortunately I couldn't figure out why I cannot forward multicast messages between VLANs.

My current setup consists of several VLANs used by different groups of devices. E.g. VLAN2 (192.168.2.0/24) is for smart home appliances (light bulbs, washing machine, ....), VLAN3 (192.168.3.0/24) is for multimedia appliances like Sonos or AndroidTV, and VLAN5 (192.168.5.0/24) is for "trusted" clients like family phones and PCs.

Now I managed to enable Sonos devices (VLAN2) being discoverable by trusted clients (VLAN5) by setting up the IGMP proxy service. I defined VLAN5 as upstream with netmask 192.168.5.0/24, VLAN3 as downstream with netmask 192.168.3.0/24. I also opened up UDP ports 1900-1905 and TCP 3500 (Android) and 3400 (PC) in VLAN3. VLAN5 has full inter-VLAN routing privileges (i.e. pass IP4* 192.168.0.0/16). With these settings in place, I can control my Sonos with all my devices although they are in different VLANs. All is good and Robbert is your father's brother.

But, since a few days, we have one of those Siemens HomeConnect washing machines at home, which I added to VLAN2 (192.168.2.32/32). I found out already that HomeConnect uses 224.0.0.51 to multicast its devices, and thus I need to proxy these multicasts to VLAN5. If I add VLAN2 with netmask 192.168.2.0/24 to the IGMP proxy service and enable connections for the washing machine (192.168.2.32/32) in both ways on all ports (although I know that it only uses port 80), my phone in VLAN5 fails to recognize it.

Now, can anyone provide me a tip or point me in the right direction to solve my problem?
What I want to basically achieve is that devices in VLAN2 and VLAN3 can only be discovered in VLAN5.

My hardware setup is like this:
MODEM -> OPNsense (spawning the VLANS) -> Netgear smart switch (24 ports) -> Netgear smart switch (8 ports) -> Unifi AP

I'll be happy to provide any additional information one might need to help me solve this issue.

Thanks for your time, your help is very much appreciated.

Cheers,
Ralph
#4
Hello everyone,

I did an extensive forum and Google search, but unfortunately I couldn't find anything similar to my issue.

I'm using OPNsense 17.1.8 as a VPN (Hidemyass) router. Everything works fine, as I can route specific VLANs through the VPN while others go the direct route. I also have a floating rule that blocks traffic of specific subnets if the connection is down (NO_WAN_EGRESS) as opposed to using the direct WAN interface (default behaviour).

Anyhow, my problem is that, if I reboot the OPNsense VM, I need to manually either restart the OpenVPN connection or reload the firewall filters to have internet access again. I think it has something to do with the timing during boot, that the rule assigning the VPN gateway is ignored till reloaded.

Have any of you experienced similar behaviour?
Any help is appreciated.

Cheers,
Ralph

NAT rules:

no nat proto carp all
nat on ovpnc1 inet from 127.0.0.0/8 to any port = isakmp -> 100.120.185.141 static-port
nat on ovpnc1 inet from 127.0.0.0/8 to any -> 100.120.185.141 port 1024:65535
nat on ovpnc1 inet from 192.168.0.0/16 to any port = isakmp -> 100.120.185.141 static-port
nat on ovpnc1 inet from 192.168.0.0/16 to any -> 100.120.185.141 port 1024:65535
nat on em1 inet from <tonatsubnets> to any port = isakmp -> 192.168.10.100 static-port
nat on em1 inet from <tonatsubnets> to any -> 192.168.10.100 port 1024:65535
no rdr proto carp all
no rdr on em0 proto tcp from any to (em0) port = https
no rdr on em0 proto tcp from any to (em0) port = http
no rdr on em0 proto tcp from any to (em0) port = ssh


Firewall rules:

root@walt:~ # pfctl -sr
scrub on em0_vlan6 all fragment reassemble
scrub on ovpnc1 all fragment reassemble
scrub on em0 all fragment reassemble
scrub on em0_vlan3 all fragment reassemble
scrub on em0_vlan4 all fragment reassemble
scrub on em0_vlan2 all fragment reassemble
scrub on em0_vlan5 all fragment reassemble
scrub on em1 all fragment reassemble
block drop in on ! em0_vlan6 inet from 192.168.6.0/24 to any
block drop in inet from <__automatic_da9133ac_0> to any
block drop in on ! ovpnc1 inet from 100.120.184.0/21 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in on ! em0_vlan3 inet from 192.168.3.0/24 to any
block drop in on ! em0_vlan4 inet from 192.168.4.0/24 to any
block drop in on ! em0_vlan2 inet from 192.168.2.0/24 to any
block drop in on ! em0_vlan5 inet from 192.168.5.0/24 to any
block drop in on ! em1 inet from 192.168.10.0/24 to any
block drop in on em0_vlan6 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan3 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan4 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan2 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan5 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on ovpnc1 inet6 from fe80::14b0:6c70:affa:3ca to any
block drop in on em1 inet6 from fe80::dc04:2dff:fe0b:e033 to any
block drop in inet all label "Default deny rule"
block drop in inet6 all label "Default deny rule"
pass in quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
block drop in quick inet proto tcp from any port = 0 to any
block drop in quick inet proto tcp from any to any port = 0
block drop in quick inet proto udp from any port = 0 to any
block drop in quick inet proto udp from any to any port = 0
block drop in quick inet6 proto tcp from any port = 0 to any
block drop in quick inet6 proto tcp from any to any port = 0
block drop in quick inet6 proto udp from any port = 0 to any
block drop in quick inet6 proto udp from any to any port = 0
pass in quick proto carp all keep state
block drop in quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in quick on em1 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in quick on em1 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 127.0.0.0/8 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 100.64.0.0/10 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 172.16.0.0/12 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from WAN"
block drop in quick on em1 inet6 from fc00::/7 to any label "Block private networks from WAN"
pass in quick on em0_vlan6 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan6 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan6 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass out quick on em0 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0_vlan3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan3 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan3 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0_vlan4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan4 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan4 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0_vlan2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan2 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan2 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0_vlan5 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan5 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan5 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow DHCP client on WAN"
pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow DHCP client on WAN"
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em0 proto tcp from any to (self) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (self) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (self) port = ssh flags S/SA keep state label "anti-lockout rule"
pass out route-to (ovpnc1 255.255.248.0) inet from (ovpnc1) to ! (ovpnc1:network) flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em1 192.168.10.1) inet from (em1) to ! (em1:network) flags S/SA keep state allow-opts label "let out anything from firewall host itself"
block return out quick on em1 reply-to (em1 192.168.10.1) inet all label "USER_RULE: Reject outbound traffic marked NO_WAN_EGRESS" tagged NO_WAN_EGRESS
pass in quick on em0 inet from (em0:network) to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em0 inet6 from (em0:network) to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on em0_vlan2 inet proto tcp from (em0_vlan2:network) to (em0_vlan2) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan2 inet proto udp from (em0_vlan2:network) to (em0_vlan2) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan2 inet proto udp from (em0_vlan2:network) to 224.0.0.0/4 keep state allow-opts label "USER_RULE: Multicast messages not through VPN"
block return in quick on em0_vlan2 inet from 192.168.2.0/25 to ! (em0_vlan2:network) label "USER_RULE: Block internet traffic of first half of subnet"
pass in quick on em0_vlan2 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan2:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan3 inet proto tcp from (em0_vlan3:network) to (em0_vlan3) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan3 inet proto udp from (em0_vlan3:network) to (em0_vlan3) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan3 inet from (em0_vlan3:network) to 192.168.4.32 flags S/SA keep state label "USER_RULE: Allow access to Plex media server"
pass in quick on em0_vlan3 inet proto udp from (em0_vlan3:network) to (em0_vlan5:network) port 1900:1905 keep state allow-opts label "USER_RULE: Sonos player status updates to controller"
pass in quick on em0_vlan3 inet proto tcp from (em0_vlan3:network) to (em0_vlan5:network) port = 3500 flags S/SA keep state allow-opts label "USER_RULE: Sonos controller commands to player (Android)"
pass in quick on em0_vlan3 inet proto tcp from (em0_vlan3:network) to (em0_vlan5:network) port = 3400 flags S/SA keep state allow-opts label "USER_RULE: Sonos controller commands to player (PC)"
block return in log quick on em0_vlan3 inet from (em0_vlan3:network) to 192.168.0.0/16 label "USER_RULE: Block local networks"
pass in quick on em0_vlan3 inet from (em0_vlan3:network) to any flags S/SA keep state allow-opts label "USER_RULE: Allow traffic to WAN without VPN"
pass in quick on em0_vlan4 inet proto tcp from (em0_vlan4:network) to (em0_vlan4) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan4 inet proto udp from (em0_vlan4:network) to (em0_vlan4) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan4 inet from (em0_vlan4:network) to (em0_vlan2:network) flags S/SA keep state label "USER_RULE: Allow traffic to smart home appliances (SHA)"
pass in quick on em0_vlan4 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan4:network) to any flags S/SA keep state label "USER_RULE: All traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan5 inet proto tcp from (em0_vlan5:network) to (em0_vlan5) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan5 inet proto udp from (em0_vlan5:network) to (em0_vlan5) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan5 inet from (em0_vlan5:network) to 255.255.255.255 flags S/SA keep state allow-opts label "USER_RULE: Multicast not through VPN"
pass in quick on em0_vlan5 inet from (em0_vlan5:network) to 224.0.0.0/4 flags S/SA keep state allow-opts label "USER_RULE: Multicast messages not through VPN"
pass in quick on em0_vlan5 inet from (em0_vlan5:network) to 192.168.0.0/16 flags S/SA keep state label "USER_RULE: Allow inter-VLAN traffic"
pass in quick on em0_vlan5 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan5:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan6 inet proto tcp from (em0_vlan6:network) to (em0_vlan6) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan6 inet proto udp from (em0_vlan6:network) to (em0_vlan6) port = domain keep state label "USER_RULE: Allow DNS"
block return in log quick on em0_vlan6 inet from (em0_vlan6:network) to 192.168.0.0/16 label "USER_RULE: Block Local Networks"
pass in quick on em0_vlan6 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan6:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
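An added diagnostic for the reboot symptom described in post #4; this is not code from the post or from OPNsense. It parses a handful of lines from the `pfctl -sr` output above (embedded as a constructed sample) and audits the VPN egress policy: every "to any" rule tagged NO_WAN_EGRESS must route into ovpnc1 via a usable host gateway, and the em1 kill-switch block for that tag must be loaded. The function and parameter names (`audit_vpn_egress`, `wan_if`, `vpn_if`) are my own; note that the quoted ruleset carries 255.255.248.0, the /21 netmask of the tunnel network, in the route-to gateway slot, which is exactly what to re-check on the live output right after a boot.

```python
import ipaddress
import re

# Constructed sample: five lines copied from the `pfctl -sr` output quoted in post #4.
SAMPLE_RULESET = """\
block return out quick on em1 reply-to (em1 192.168.10.1) inet all label "USER_RULE: Reject outbound traffic marked NO_WAN_EGRESS" tagged NO_WAN_EGRESS
pass in quick on em0 inet from (em0:network) to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em0_vlan2 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan2:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan3 inet from (em0_vlan3:network) to any flags S/SA keep state allow-opts label "USER_RULE: Allow traffic to WAN without VPN"
pass in quick on em0_vlan5 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan5:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
"""

HEAD_RE = re.compile(r"^(pass|block)(?: (?:return|drop))? (in|out)(?: quick)?(?: on (\S+))?")
ROUTE_TO_RE = re.compile(r"route-to \((\S+) (\S+)\)")
TAG_RE = re.compile(r" (tag|tagged) (\S+)$")

def parse_rule(line):
    """Pull the fields this audit needs out of one pfctl -sr line (None if not a filter rule)."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rt, tg = ROUTE_TO_RE.search(line), TAG_RE.search(line)
    return {"action": head.group(1), "dir": head.group(2), "iface": head.group(3),
            "route_if": rt.group(1) if rt else None, "route_gw": rt.group(2) if rt else None,
            "to_any": " to any " in line,
            # 'tag X' marks matching packets, 'tagged X' matches packets already carrying the mark
            "tag": tg.group(2) if tg and tg.group(1) == "tag" else None,
            "tagged": tg.group(2) if tg and tg.group(1) == "tagged" else None}

def usable_gateway(gw):
    """A route-to next hop must be a host address; a netmask such as 255.255.248.0 is not one."""
    try:
        addr = ipaddress.ip_address(gw)
    except ValueError:
        return False
    if addr.is_multicast or addr.is_unspecified or str(addr) == "255.255.255.255":
        return False
    if addr.version == 6:
        return True
    try:
        ipaddress.ip_network(f"0.0.0.0/{gw}")  # only a valid netmask or hostmask parses here
        return False
    except ValueError:
        return True

def audit_vpn_egress(ruleset, wan_if, vpn_if, tag):
    """Check that tagged LAN 'to any' rules route into the tunnel via a real gateway and that the
    WAN kill-switch block is loaded; also list interfaces whose 'to any' rule uses WAN directly."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    kill_switch = any(r["action"] == "block" and r["dir"] == "out" and r["iface"] == wan_if
                      and r["tagged"] == tag for r in rules)
    issues, direct_wan = [], []
    for r in rules:
        if r["action"] != "pass" or r["dir"] != "in" or not r["to_any"]:
            continue
        if r["tag"] != tag:
            direct_wan.append(r["iface"])
        elif r["route_if"] != vpn_if:
            issues.append(f"{r['iface']}: tagged {tag} but not routed into {vpn_if}")
        elif not usable_gateway(r["route_gw"]):
            issues.append(f"{r['iface']}: route-to gateway {r['route_gw']} is not a host address")
    if not kill_switch:
        issues.append(f"no outbound block on {wan_if} for packets tagged {tag}")
    return {"kill_switch": kill_switch, "issues": issues, "direct_wan": direct_wan}
```

Feed it the real `pfctl -sr` output (for example via `subprocess.run(["pfctl", "-sr"], capture_output=True, text=True).stdout`) once after boot and once after a filter reload, and compare the two result sets.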