Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - jarif

Pages: [1]

Hardware and Performance / Multiple WAN links using a managed switch on DMZ port of the modem

« on: November 25, 2017, 06:16:04 pm »

I'm trying to create 4 WAN ports to my OPNsense using a HP OfficeConnect switch and a VDSL2 modem (DMZ port).

The idea is that I could get 4 different bridged connections which I might be able to NAT 1-to-1 some some internal hosts. The modem has only 1 DMZ port, but my ISP offers 5 public IPs, which would be 1 for router and 4 for DMZ in this scheme.

I have 5 ethernet ports in my server, connected as this:

1. OPNsense connected to modem - routing mode VLAN 1
2. switch connected to - modem - VLANs 2-5 tagged
3. OPNsense connected to switch - VLAN 2
4. OPNsense connected to switch - VLAN 3
5. OPNsense connected to switch - VLAN 4
6. OPNsense connected to switch - VLAN 5

Without the separate VLAN's OPNsense crashes miserably when it tries to initialize 2nd WAN-port. Apparently does not like multiple WAN ports in same subnet.

I have configured the VLAN numbers to both the OPNsense and the switch.

Is this totally wrong approache? At least I can not get it up and running...

17.7 Legacy Series / Re: [SOLVED] Port forwarding, internal server to external port

« on: November 15, 2017, 07:32:17 pm »

At least I am not having any difficulties with DNS, works as charm. My problem is that while *some* packets pass the firewall and NAT, the connection still does not somehow establish.

17.7 Legacy Series / Re: [SOLVED] Port forwarding, internal server to external port

« on: November 14, 2017, 08:59:50 pm »

Ditto here. I followed to the letter, while I was thinking that this is now a duplicate rule to what I already have.

No connection. I have an another thread on my issue, but it is the same problem. Some packets transfer thru according to tcpdump, but but no TCP socket connection establishes. Timeout.

17.7 Legacy Series / I have a problem with port forwarding

« on: November 13, 2017, 11:22:54 pm »

This must have been working at some stage, as I have multiple rules for port forwarding and I have been happy. But it does not work.

I try to connect from external site to a LAN box via OPNsense, and there are rules for port forward and firewall to make it happen.

But when I try that, the connection is said to be timeout.

Setup

- external client: 138.201.119.25 (www)
- router (OPNsense) (wellington)
- internal LAN host: 192.168.1.122 (gauntlet)

Attempt

[jarif@www ~]$ curl -v http://86.115.205.131
* About to connect() to 86.115.205.131 port 80 (#0)
* Trying 86.115.205.131...
* Connection timed out
* Failed connect to 86.115.205.131:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 86.115.205.131:80; Connection timed out

But the fireall does not block!

Firewall log tells me that the connection attempts were passed! Is it the port forwarding then?

Doing tcpdump of the LAN host

jarif@gauntlet ~ $ sudo tcpdump -A dst port 80 or src port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:10:41.819431 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags , seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:41.819734 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:42.821411 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags , seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E .4..@.4.....w....z.M.P..........r.................
00:10:42.821618 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:43.826671 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:44.827337 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags , seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:44.827588 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:46.866648 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:48.835362 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags , seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:48.835588 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:11:19.429732 IP gauntlet.fredriksson.dy.fi.43405 > mail.bitwell.biz.http: Flags [.], ack 3695803675, win 1024, length 0
E..(\Q..7.cz...z..w....P.....I}.P.......
00:11:19.471313 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43405: Flags [R], seq 3695803675, win 0, length 0
E..(..@.4.....w....z.P...I}.....P.............
00:11:21.614267 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags , seq 2603470522, win 1024, options [mss 1460], length 0
E..,.7../......z..w....P.-......`....[......
00:11:21.664992 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43661: Flags [S.], seq 3444674754, ack 2603470523, win 29200, options [mss 1460], length 0
E..,..@.4.....w....z.P...Q...-..`.r..%........
00:11:21.665209 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [R], seq 2603470523, win 0, length 0
E..(.=@.@......z..w....P.-......P.......

That is the output while doing curl connection on www.

The line is not dead, blocked or anything, but no tcp socket will be opened!

Is the web server dead on Gauntlet?

I don't think so. To see that I log in to OPNsense

jarif@gauntlet ~ $ ssh wellington
X11 forwarding request failed on channel 0
Last login: Tue Nov 14 00:16:42 2017 from 192.168.1.122
----------------------------------------------
| Hello, this is OPNsense 17.7 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website:   https://opnsense.org/ | @@@\\\ ///@@@
| Handbook:   https://docs.opnsense.org/ | )))))))) ((((((((
| Forums:   https://forum.opnsense.org/ | @@@/// \\\@@@
| Lists:   https://lists.opnsense.org/ | @@@@ @@@@
| Code:      https://github.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
jarif@wellington:~ % curl -v http://192.168.1.122
* Rebuilt URL to: http://192.168.1.122/
* Trying 192.168.1.122...
* TCP_NODELAY set
* Connected to 192.168.1.122 (192.168.1.122) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.1.122
> User-Agent: curl/7.56.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Mon, 13 Nov 2017 22:17:23 GMT
< Server: Apache/2.4.25 (Raspbian)
< WWW-Authenticate: Basic realm="Bacula"
< Content-Length: 462
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.25 (Raspbian) Server at 192.168.1.122 Port 80</address>
</body></html>
* Connection #0 to host 192.168.1.122 left intact

I'm really puzzled with this! Any ideas?

The NAT-rule is:

17.1 Legacy Series / Re: Need help with getting .ovpn file out of this

« on: August 03, 2017, 06:19:39 pm »

I want to be able to connect to my own lan using my MacBook and/or Android.

17.1 Legacy Series / Re: Need help with getting .ovpn file out of this

« on: July 30, 2017, 01:31:13 pm »

There is not clients, usernames etc. Help says it is a misconception between certificates, but I have created certs for both the client and server using same CA.

17.1 Legacy Series / Need help with getting .ovpn file out of this

« on: July 29, 2017, 01:19:48 am »

I setup CA, server and client for this OpenVPN. But nowever was offered a download of an .ovpn file for the client?

How is it done?

Thanks in advance!

17.1 Legacy Series / Re: No IPv6 on WAN

« on: July 18, 2017, 06:05:47 pm »

How can I do such a network trace?

17.1 Legacy Series / Re: No IPv6 on WAN

« on: July 16, 2017, 05:18:01 pm »

Code: [Select]

root@wellington:~ # ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
	ether 00:15:60:a4:f9:a4
	inet 192.168.1.115 netmask 0xffffff00 broadcast 192.168.1.255 
	inet6 fe80::215:60ff:fea4:f9a4%bge0 prefixlen 64 scopeid 0x1 
	inet6 2001:2003:fbbe:1e40:215:60ff:fea4:f9a4 prefixlen 64 autoconf 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
xl0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
	options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
	ether 00:04:75:80:a8:d1
	inet6 fe80::1:1%xl0 prefixlen 64 scopeid 0x2 
	inet 86.115.203.6 netmask 0xfffff000 broadcast 86.115.207.255 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: enc 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo 
pflog0: flags=100<PROMISC> metric 0 mtu 33160
	groups: pflog 
pfsync0: flags=0<> metric 0 mtu 1500
	groups: pfsync 
	syncpeer: 0.0.0.0 maxupd: 128 defer: off
wan_stf: flags=4001<UP,LINK2> metric 0 mtu 1280
	inet6 2002:5673:cb06:: prefixlen 16 tentative 
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	groups: stf

17.1 Legacy Series / Re: No IPv6 on WAN

« on: July 16, 2017, 05:16:21 pm »

Code: [Select]

root@wellington:~ # sockstat -l | grep ':546'
root     dhcp6c     34498 8  udp6   *:546                 *:*
root     dhcp6c     29911 7  udp6   *:546                 *:*

17.1 Legacy Series / No IPv6 on WAN

« on: July 15, 2017, 01:39:12 pm »

I'm a consumer client for Telia in Finland. I have a VDSL2 modem/router from them, and it is in routing mode, and has both IPv4 and IPv6 addresses. One of the LAN ports of it is in DMZ mode, and my OPNsense firewall is connected to that.

And OPNsense does not get IPv6 no matter how I configure the DHCP6 setting. It is currently in DHCPv6 and no IPv6 address, If I set it to 6to4-tunnel it gets IPv6 address but still http://test-ipv6.com claims I do not have IPv6.

Any ideas?

General Discussion / Re: I need to install Bacula-client to my OPNsense box, but not available?

« on: July 01, 2017, 03:02:20 pm »

Ouch. I already asked this elsewhere and got proper answers. Sorry.

Case closed.

17.1 Legacy Series / Re: I need to install Bacula client

« on: July 01, 2017, 03:00:34 pm »

Thanks fellows. I leave my hammer down this time

General Discussion / [solved] I need to install Bacula-client to my OPNsense box, but not available?

« on: July 01, 2017, 02:57:09 pm »

I was in the impression that OPNsense (latest) is on top of vanilla FreeBSD, and all packages would be available.

However: pkg search bacula will not find anything.

I'm a newbie with FreeBSD so there must be something that I do not know yet. Any ideas?

17.1 Legacy Series / I need to install Bacula client

« on: June 24, 2017, 10:47:57 pm »

I think I was told that OPNsense distro is somewhat plain FreeBSD+OPENsense and removing OPNsense would render me a FreeBSD.

In FreeBSD the command # pkg search bacula would output:

bacula-bat-7.4.7 Network backup solution (GUI)
bacula-client-7.4.7 Network backup solution (client)
bacula-client-static-7.4.7 Network backup solution (static client)
bacula-docs-7.4.4 Bacula document set
bacula-server-7.4.7 Network backup solution (server)
bacula-web-7.2.0 Bacula-web provides a summarized output of Bacula jobs
bacula5-bat-5.2.12_6 Network backup solution (GUI)
bacula5-client-5.2.12_2 Network backup solution (client)
bacula5-client-static-5.2.12_2 Network backup solution (static client)
bacula5-docs-5.2.12 Bacula document set
bacula5-server-5.2.12_2 Network backup solution (server)
nagios-check_bacula-7.4.7_3 Nagios plugin for Bacula
nagios-check_bacula5-5.2.12_2 Nagios plugin for Bacula

In my fresh OPNsense fresh install it renders nothing.

I need bacula-client to have backups, and maybe this nagios-plugin too. How? I do not want to compile from source.

Pages: [1]