Messages - tuaris

1
23.7 Legacy Series / Re: Constant Kernel Panics
« on: June 08, 2024, 09:36:20 am »
Quote from: newsense on June 08, 2024, 03:32:13 am
Do you have IPv6 there at all ?

Quote from: cookiemonster on June 08, 2024, 12:55:12 am
These suggest a hardware problem. OPN versions would not normally make a difference.
Suggest you start with the usual mem test, etc. It could be bad memory, bad power or something else.

I don't have IPv6.  Going to try a memtest and see what comes back.  At least this thing is still in warranty (less than a year old).

2
Virtual private networks / Need help troubleshooting route based IPSec tunnel
« on: June 08, 2024, 09:05:29 am »
I just realized that I have been posting my question in the wrong forum, wondering why I'm not getting an answer.  :P.

What I have and currently works

I have a functional route based IPSec VPN tunnel using the instructions at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html.

Site A: LAN=192.168.1.0/24 WAN=1.2.3.4
Site B: LAN=192.168.8.0/24 WAN=4.3.2.1

Phase 2 Local address at Site A: 10.192.168.1
Phase 2 Local address at Site B: 10.192.168.8
Phase 2 Remote address at Site A: 10.192.168.8
Phase 2 Remote address at Site B: 10.192.168.1

Gateways added on each site, and static routes exist for making sure the 192.168.1.0/24 can talk to 192.168.8.0/24 and vice versa.

Good so far.

Context

For the purpose of simplification, there is a website http://showthisip.com that displays my public IP address.  That host name resolves to 63.247.147.167.

At Site A, when I visit that website from a client on the 192.168.1.0/24 subnet, I am shown the IP address 1.2.3.4, which is expected.  That's the public IP of the WAN interface of OPNsense at Site A.

At Site B, when I visit that website from a client on the 192.168.8.0/24 subnet, I am shown the IP address 4.3.2.1, which is expected.  That's the public IP of the WAN interface of OPNsense at Site B.

What I want to do

I want, when I visit that website using a client on the 192.168.1.0/24 subnet at Site A, to show the IP address: 4.3.2.1.  The public IP of the WAN interface at Site B.  In other words, I would like to route traffic leaving Site A for 63.247.147.167 through the VPN tunnel I set up previously so that http://showthisip.com thinks I am at Site B.

I add a firewall rule on the IPsec interfaces (both sites) to allow all traffic in.  Then I proceed to add a static route at Site A:

Network Address: 63.247.147.167
Gateway: 10.192.168.8

I open my browser at Site A, type in the website address... and it times out.

I run a traceroute and see:

Code:
traceroute -n 63.247.147.167
traceroute to 63.247.147.167 (63.247.147.167), 64 hops max, 40 byte packets
 1  192.168.1.1  0.347 ms  0.272 ms  0.158 ms
 2  10.192.168.8  151.799 ms  151.946 ms  151.913 ms
 3  * * *
 4  * * *
 5  * * *

Am I missing another firewall rule?
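As an added example (not part of the post and not OPNsense's own code), here is a small Python model of the addressing above. It uses longest-prefix-match route lookups to walk a packet from a Site A client to 63.247.147.167 and then asks whether the reply can find its way back. The route tables are reconstructed from the post; the assumption that Site B's outbound NAT covers only its own LAN (192.168.8.0/24, the automatic behaviour for locally attached networks) is mine and is marked in the code. Under that assumption the model reproduces the traceroute shape: the Site B VTI (10.192.168.8) answers as hop 2, and everything past Site B's WAN is silent because those replies would be addressed to an unroutable 192.168.1.x source. Extending Site B's NAT to the remote LAN (FIXED_NAT_SOURCES) is the other case the model walks through.

```python
from ipaddress import ip_address, ip_network

# Route tables reconstructed from the post (constructed for this example).
# Entry: (prefix, next hop, interface); "direct" marks a connected network.
SITE_A_WAN = "1.2.3.4"
SITE_B_WAN = "4.3.2.1"
SITE_A_ROUTES = [
    ("192.168.1.0/24", "direct", "lan"),
    ("192.168.8.0/24", "10.192.168.8", "ipsec"),     # static route to Site B LAN
    ("63.247.147.167/32", "10.192.168.8", "ipsec"),  # the /32 route added in the post
    ("0.0.0.0/0", "isp-a", "wan"),
]
SITE_B_ROUTES = [
    ("192.168.8.0/24", "direct", "lan"),
    ("192.168.1.0/24", "10.192.168.1", "ipsec"),     # static route back to Site A LAN
    ("0.0.0.0/0", "isp-b", "wan"),
]
# Assumption, not stated in the post: Site B's outbound NAT on WAN translates
# only its own LAN, which is what automatic outbound NAT does for locally
# attached networks. FIXED_NAT_SOURCES adds the remote LAN arriving via IPsec.
DEFAULT_NAT_SOURCES = ["192.168.8.0/24"]
FIXED_NAT_SOURCES = ["192.168.8.0/24", "192.168.1.0/24"]


def lookup(routes, dst):
    """Longest-prefix-match lookup; returns (next_hop, interface) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def nat_source(src, nat_sources, wan_ip):
    """Source address the packet carries after leaving a WAN interface."""
    if any(ip_address(src) in ip_network(n) for n in nat_sources):
        return wan_ip
    return src


def forward_path(src, dst, site_b_nat_sources):
    """Walk a packet from a Site A LAN client; return (hops, source seen by dst)."""
    hops = [f"{src} (client)", "192.168.1.1 (Site A LAN gateway)"]
    next_hop, iface = lookup(SITE_A_ROUTES, dst)
    if iface == "lan":
        hops.append(f"{dst} (Site A LAN)")
        return hops, src
    if iface == "wan":  # ordinary Internet traffic: Site A NATs its own LAN
        hops.append(f"{SITE_A_WAN} (Site A WAN)")
        return hops, nat_source(src, ["192.168.1.0/24"], SITE_A_WAN)
    # Tunnel case: this is hop 2 of the traceroute in the post.
    hops.append(f"{next_hop} (Site B VTI, through the tunnel)")
    next_hop, iface = lookup(SITE_B_ROUTES, dst)
    if iface == "wan":
        hops.append(f"{SITE_B_WAN} (Site B WAN)")
        return hops, nat_source(src, site_b_nat_sources, SITE_B_WAN)
    hops.append(f"{dst} (Site B LAN)")
    return hops, src


def reply_can_return(dst, source_seen):
    """A Site B LAN host replies via Site B's route to 192.168.1.0/24; a public
    host can only answer a globally routable source address."""
    if not ip_address(dst).is_global:
        return True
    return ip_address(source_seen).is_global


def diagnose(src, dst, site_b_nat_sources=DEFAULT_NAT_SOURCES):
    hops, seen = forward_path(src, dst, site_b_nat_sources)
    return {"hops": hops, "source_seen_by_destination": seen,
            "reply_can_return": reply_can_return(dst, seen)}


if __name__ == "__main__":
    for nat in (DEFAULT_NAT_SOURCES, FIXED_NAT_SOURCES):
        result = diagnose("192.168.1.50", "63.247.147.167", nat)
        print(" -> ".join(result["hops"]))
        print("  seen as", result["source_seen_by_destination"],
              "| reply returns:", result["reply_can_return"])
```

The model deliberately ignores firewall policy; it only shows that the /32 route wins over the default route at Site A by prefix length, and that whatever Site B does with the source address decides whether a public host can answer at all.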

3
24.1 Legacy Series / Re: IPSec/NAT: Have client on local LAN use remote OPNSense's IP Address
« on: June 08, 2024, 06:07:07 am »
Maybe it's not NAT related since it appears OPNsense is properly auto-generating those:



I added a firewall rule for the IPsec interface at Site B to allow anything through (for testing purposes).  That got me one step closer (it seems).



Code:
# traceroute -n 162.55.60.2
traceroute to 162.55.60.2 (162.55.60.2), 64 hops max, 40 byte packets
 1  192.168.1.1  0.347 ms  0.272 ms  0.158 ms
 2  10.192.168.8  151.799 ms  151.946 ms  151.913 ms
 3  * * *
 4  * * *
 5  * * *
 6  * *^C

4
24.1 Legacy Series / Re: IPSec/NAT: Have client on local LAN use remote OPNSense's IP Address
« on: June 08, 2024, 05:37:28 am »
I've run through the instructions and I can get hosts on each of the local networks to connect with each other.  I will admit, this is an interesting way of getting IPSec tunnels setup.

Problem is if I add a route to a public IP on Site A that points to the VTI on Site B, the packets seem to go nowhere.



Code:
traceroute -n 162.55.60.2
traceroute to 162.55.60.2 (162.55.60.2), 64 hops max, 40 byte packets
 1  192.168.1.1  0.234 ms  0.168 ms  0.196 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
...

Probably has something to do with NAT, but I'm not sure how to fix it.

5
23.7 Legacy Series / Re: Constant Kernel Panics
« on: June 07, 2024, 07:26:26 pm »
It seems to be getting worse.  There have been 3 kernel panics so far today and it's only 12PM.

6
23.7 Legacy Series / Constant Kernel Panics
« on: June 07, 2024, 05:09:01 pm »
I have been noticing my Internet dropping a lot.  At first I thought this was a problem with my ISP.  Turns out it's not them, it's me.  Specifically, OPNSense:

Code:
2024-06-07T14:31:39 Notice kernel KDB: enter: panic
2024-06-07T14:31:39 Notice kernel panic() at panic+0x43/frame 0xfffffe008565cac0
2024-06-07T14:31:39 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe008565ca60
2024-06-07T14:31:39 Notice kernel panic: page fault
2024-06-04T08:11:46 Notice kernel KDB: enter: panic
2024-06-04T08:11:46 Notice kernel panic() at panic+0x43/frame 0xfffffe00107aea50
2024-06-04T08:11:46 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe00107ae9f0
2024-06-04T08:11:46 Notice kernel panic: page fault
2024-04-22T15:28:49 Notice kernel KDB: enter: panic
2024-04-22T15:28:49 Notice kernel panic() at panic+0x43/frame 0xfffffe00107aea60
2024-04-22T15:28:49 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe00107aea00
2024-04-22T15:28:49 Notice kernel panic: page fault
2024-04-22T03:53:41 Notice kernel KDB: enter: panic
2024-04-22T03:53:41 Notice kernel panic() at panic+0x43/frame 0xfffffe00107aea60
2024-04-22T03:53:41 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe00107aea00
2024-04-22T03:53:41 Notice kernel panic: page fault
2024-03-01T12:53:33 Notice kernel KDB: enter: panic
2024-03-01T12:53:33 Notice kernel panic() at panic+0x43/frame 0xfffffe00107aea60
2024-03-01T12:53:33 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe00107aea00
2024-03-01T12:53:33 Notice kernel panic: page fault
2024-02-18T20:55:36 Notice kernel KDB: enter: panic
2024-02-18T20:55:36 Notice kernel panic() at panic+0x43/frame 0xfffffe008565cac0
2024-02-18T20:55:36 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe008565ca60
2024-02-18T20:55:36 Notice kernel panic: page fault
2024-02-18T04:22:37 Notice kernel KDB: enter: panic
2024-02-18T04:22:37 Notice kernel panic() at panic+0x43/frame 0xfffffe00107aebd0
2024-02-18T04:22:37 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe00107aeb70
2024-02-18T04:22:37 Notice kernel panic: page fault
2024-01-16T12:38:37 Notice kernel KDB: enter: panic
2024-01-16T12:38:37 Notice kernel panic() at panic+0x43/frame 0xfffffe00107aebd0
2024-01-16T12:38:37 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe00107aeb70
2024-01-16T12:38:37 Notice kernel panic: page fault

That's apparently been going on since I first installed the device (Protectli Vault).  Here's the full log of the most recent panic:

Code:
2024-06-07T14:31:39 Notice kernel FreeBSD clang version 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc12386ae247c)
2024-06-07T14:31:39 Notice kernel FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP amd64
2024-06-07T14:31:39 Notice kernel FreeBSD is a registered trademark of The FreeBSD Foundation.
2024-06-07T14:31:39 Notice kernel The Regents of the University of California. All rights reserved.
2024-06-07T14:31:39 Notice kernel Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
2024-06-07T14:31:39 Notice kernel Copyright (c) 1992-2021 The FreeBSD Project.
2024-06-07T14:31:39 Notice kernel ---<<BOOT>>---
2024-06-07T14:31:39 Notice kernel KDB: enter: panic
2024-06-07T14:31:39 Notice kernel --- trap 0x5424a868, rip = 0x89133a23244e489d, rsp = 0xd149a69345269a6c, rbp = 0xbb3576f2ede5dbc ---
2024-06-07T14:31:39 Notice kernel fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe008565cf30
2024-06-07T14:31:39 Notice kernel fork_exit() at fork_exit+0x7e/frame 0xfffffe008565cf30
2024-06-07T14:31:39 Notice kernel ithread_loop() at ithread_loop+0x25a/frame 0xfffffe008565cef0
2024-06-07T14:31:39 Notice kernel softclock() at softclock+0x79/frame 0xfffffe008565ce60
2024-06-07T14:31:39 Notice kernel softclock_call_cc() at softclock_call_cc+0x133/frame 0xfffffe008565ce40
2024-06-07T14:31:39 Notice kernel nd6_llinfo_timer() at nd6_llinfo_timer+0x478/frame 0xfffffe008565cd90
2024-06-07T14:31:39 Notice kernel __rw_wlock_hard() at __rw_wlock_hard+0x158/frame 0xfffffe008565ccf0
2024-06-07T14:31:39 Notice kernel --- trap 0xc, rip = 0xffffffff80c84288, rsp = 0xfffffe008565cc50, rbp = 0xfffffe008565ccf0 ---
2024-06-07T14:31:39 Notice kernel calltrap() at calltrap+0x8/frame 0xfffffe008565cb80
2024-06-07T14:31:39 Notice kernel trap_pfault() at trap_pfault+0x4f/frame 0xfffffe008565cb80
2024-06-07T14:31:39 Notice kernel trap_fatal() at trap_fatal+0x387/frame 0xfffffe008565cb20
2024-06-07T14:31:39 Notice kernel panic() at panic+0x43/frame 0xfffffe008565cac0
2024-06-07T14:31:39 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe008565ca60
2024-06-07T14:31:39 Notice kernel db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe008565ca10
2024-06-07T14:31:39 Notice kernel KDB: stack backtrace:
2024-06-07T14:31:39 Notice kernel time = 1717770612
2024-06-07T14:31:39 Notice kernel cpuid = 2
2024-06-07T14:31:39 Notice kernel panic: page fault
2024-06-07T14:31:39 Notice kernel trap number = 12
2024-06-07T14:31:39 Notice kernel current process = 12 (swi4: clock (0))
2024-06-07T14:31:39 Notice kernel processor eflags = interrupt enabled, resume, IOPL = 0
2024-06-07T14:31:39 Notice kernel = DPL 0, pres 1, long 1, def32 0, gran 1
2024-06-07T14:31:39 Notice kernel code segment = base 0x0, limit 0xfffff, type 0x1b
2024-06-07T14:31:39 Notice kernel frame pointer         = 0x28:0xfffffe008565ccf0
2024-06-07T14:31:39 Notice kernel stack pointer         = 0x28:0xfffffe008565cc50
2024-06-07T14:31:39 Notice kernel instruction pointer = 0x20:0xffffffff80c84288
2024-06-07T14:31:39 Notice kernel fault code = supervisor read data, page not present
2024-06-07T14:31:39 Notice kernel fault virtual address = 0x440
2024-06-07T14:31:39 Notice kernel cpuid = 2; apic id = 04
2024-06-07T14:31:39 Notice kernel Fatal trap 12: page fault while in kernel mode
2024-06-07T14:31:39 Notice syslog-ng syslog-ng starting up; version='4.4.0'

I'm not sure what to make of this, but it brings back bad memories from a few years ago when I was having the same exact problem with a different device.

I can try upgrading to 'the latest version', but will that actually help? (it didn't a few years ago).
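As an added example (editor's code, not from the post or from OPNsense), the following Python script parses the two log excerpts quoted above. The OPNsense log view lists the newest line first, so the backtrace reads bottom-up; the parser restores chronological order, extracts the panic string, trap number, faulting address and current process, and recovers the call chain between the fatal trap marker and the end of the stack. It also lists the recurrence from the summary excerpt. On this trace the faulting frame is `__rw_wlock_hard` (FreeBSD's rwlock write-acquire slow path) called from `nd6_llinfo_timer` (the IPv6 neighbour-discovery timer), and the fault address 0x440 is inside the first page, the usual signature of a NULL or near-NULL pointer dereference. Neither fact settles software bug versus bad memory on its own, but both are what one would want in hand before deciding between a memtest and an upgrade.

```python
import re

# Sample input, taken from the log excerpt quoted in the post above (newest
# entries first, as the OPNsense log view shows them).
PANIC_LOG = """\
2024-06-07T14:31:39 Notice kernel ---<<BOOT>>---
2024-06-07T14:31:39 Notice kernel KDB: enter: panic
2024-06-07T14:31:39 Notice kernel --- trap 0x5424a868, rip = 0x89133a23244e489d, rsp = 0xd149a69345269a6c, rbp = 0xbb3576f2ede5dbc ---
2024-06-07T14:31:39 Notice kernel fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe008565cf30
2024-06-07T14:31:39 Notice kernel fork_exit() at fork_exit+0x7e/frame 0xfffffe008565cf30
2024-06-07T14:31:39 Notice kernel ithread_loop() at ithread_loop+0x25a/frame 0xfffffe008565cef0
2024-06-07T14:31:39 Notice kernel softclock() at softclock+0x79/frame 0xfffffe008565ce60
2024-06-07T14:31:39 Notice kernel softclock_call_cc() at softclock_call_cc+0x133/frame 0xfffffe008565ce40
2024-06-07T14:31:39 Notice kernel nd6_llinfo_timer() at nd6_llinfo_timer+0x478/frame 0xfffffe008565cd90
2024-06-07T14:31:39 Notice kernel __rw_wlock_hard() at __rw_wlock_hard+0x158/frame 0xfffffe008565ccf0
2024-06-07T14:31:39 Notice kernel --- trap 0xc, rip = 0xffffffff80c84288, rsp = 0xfffffe008565cc50, rbp = 0xfffffe008565ccf0 ---
2024-06-07T14:31:39 Notice kernel calltrap() at calltrap+0x8/frame 0xfffffe008565cb80
2024-06-07T14:31:39 Notice kernel trap_pfault() at trap_pfault+0x4f/frame 0xfffffe008565cb80
2024-06-07T14:31:39 Notice kernel trap_fatal() at trap_fatal+0x387/frame 0xfffffe008565cb20
2024-06-07T14:31:39 Notice kernel panic() at panic+0x43/frame 0xfffffe008565cac0
2024-06-07T14:31:39 Notice kernel vpanic() at vpanic+0x151/frame 0xfffffe008565ca60
2024-06-07T14:31:39 Notice kernel db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe008565ca10
2024-06-07T14:31:39 Notice kernel KDB: stack backtrace:
2024-06-07T14:31:39 Notice kernel panic: page fault
2024-06-07T14:31:39 Notice kernel trap number = 12
2024-06-07T14:31:39 Notice kernel current process = 12 (swi4: clock (0))
2024-06-07T14:31:39 Notice kernel fault code = supervisor read data, page not present
2024-06-07T14:31:39 Notice kernel fault virtual address = 0x440
2024-06-07T14:31:39 Notice kernel Fatal trap 12: page fault while in kernel mode
"""

# Sample input, taken from the first excerpt in the post: the "panic:" line of
# each crash (the other three lines per crash are omitted here).
PANIC_SUMMARY = """\
2024-06-07T14:31:39 Notice kernel panic: page fault
2024-06-04T08:11:46 Notice kernel panic: page fault
2024-04-22T15:28:49 Notice kernel panic: page fault
2024-04-22T03:53:41 Notice kernel panic: page fault
2024-03-01T12:53:33 Notice kernel panic: page fault
2024-02-18T20:55:36 Notice kernel panic: page fault
2024-02-18T04:22:37 Notice kernel panic: page fault
2024-01-16T12:38:37 Notice kernel panic: page fault
"""

FRAME = re.compile(r"^(\w+)\(\) at \w+\+0x([0-9a-f]+)/frame (0x[0-9a-f]+)$")
TRAP = re.compile(r"^--- trap (0x[0-9a-f]+), rip = (0x[0-9a-f]+)")
FIELD = re.compile(r"^(panic): (.*)$|^(trap number|current process|fault code|fault virtual address) = (.*)$")


def split_entry(line):
    """Split '<timestamp> <level> kernel <message>' into (timestamp, message)."""
    parts = line.split(" ", 3)
    return (parts[0], parts[3]) if len(parts) == 4 else (None, line)


def faulting_chain(frames):
    """Functions between the fatal trap marker and the next marker (or stack end)."""
    chain, seen_trap = [], False
    for fr in frames:
        if "trap" in fr:
            if seen_trap:
                break
            seen_trap = True
        elif seen_trap:
            chain.append(fr["func"])
    return chain


def parse_panic(log_text):
    """Parse one panic (newest-first log text) into a dict, innermost frame first."""
    msgs = [split_entry(l)[1] for l in log_text.splitlines() if l.strip()]
    msgs.reverse()  # restore chronological order
    info = {"frames": []}
    in_backtrace = False
    for msg in msgs:
        m = FIELD.match(msg)
        if m:
            info[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else m.group(4)
            continue
        if msg == "KDB: stack backtrace:":
            in_backtrace = True
            continue
        if msg.startswith("---<<BOOT>>---"):
            break  # the reboot banner follows the crash; nothing more to read
        if not in_backtrace:
            continue
        t = TRAP.match(msg)
        if t:
            info["frames"].append({"trap": t.group(1), "rip": t.group(2)})
            continue
        f = FRAME.match(msg)
        if f:
            info["frames"].append({"func": f.group(1), "offset": int(f.group(2), 16)})
    info["call_chain"] = faulting_chain(info["frames"])
    info["fault_address"] = int(info.get("fault virtual address", "0x0"), 16)
    return info


def near_null(addr, limit=0x1000):
    """A fault address inside the first page points at a NULL or near-NULL dereference."""
    return 0 <= addr < limit


def panic_events(summary_text):
    """(timestamp, reason) for each 'panic:' line, oldest first, to show recurrence."""
    events = []
    for line in summary_text.splitlines():
        ts, msg = split_entry(line)
        if msg.startswith("panic: "):
            events.append((ts, msg[len("panic: "):]))
    return sorted(events)


if __name__ == "__main__":
    info = parse_panic(PANIC_LOG)
    print(info["panic"], "in", info["current process"], "| trap", info["trap number"])
    print("faulted in", info["call_chain"][0], "called from", info["call_chain"][1])
    print("fault address", hex(info["fault_address"]), "| near NULL:", near_null(info["fault_address"]))
    print(len(panic_events(PANIC_SUMMARY)), "panics, reasons:", {r for _, r in panic_events(PANIC_SUMMARY)})
```

The second trap marker at the bottom of the stack (`trap 0x5424a868` with a nonsensical rip) is the uninitialised end of the kernel stack, which is why the chain stops there rather than treating it as another fault.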

7
24.1 Legacy Series / IPSec/NAT: Have client on local LAN use remote OPNSense's IP Address
« on: June 06, 2024, 11:52:37 pm »
I know this is probably a question that has been asked and answered multiple times.  Problem is that my searches on this forum are not producing any results.  I think it's because I am probably not wording it correctly.

I have 2 OPNSense boxes:

- Site A: IP of WAN: 1.2.3.4
- Site B: IP of WAN: 9.8.7.6

There is a site-to-site tunnel created between the two.  LAN clients can communicate with each other.  Good so far.

I would like to have all LAN clients in Site A that connect to a specific public IP address (or host name if possible), appear as if they are in Site B.

In other words, a LAN client in Site A opens the page http://showthisip.com and sees 9.8.7.6, but only for that page.  If I go to http://seethisip.com (assume for the moment for the purpose of this example that the two sites resolve to different IPs), I will see 1.2.3.4.

Am I correct that if I follow the instructions on one of these pages, I will achieve the above?
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html

Which one should I follow?

8
General Discussion / Need help setting up static route on LAN
« on: March 23, 2024, 06:44:14 am »
Setup Overview

As seen in the diagram below I have two offices.  Office 1 has a single LAN (192.168.0.0/24) and Office 2 has a single LAN (192.168.8.0/24).  The two offices are connected to each other using a site-to-site IPSEC VPN tunnel using OPNSense A and C.



Office 1 has two ISPs.  OPNSense B is connected to the second ISP and there are some hosts in Office 1 that use OPNSense B as the default gateway.

Problem

I would like to make it so 192.168.0.50 can communicate with 192.168.8.2 and 192.168.8.2 can communicate with 192.168.0.50 without having to configure a static route on 192.168.0.50.

Attempts So Far

I created a static route entry on OPNSense B to send anything for 192.168.8.0/24 to 192.168.0.100



This does not work as expected.  The hosts can ping each other, but no network traffic other than that makes it through.  For example, HTTP does not work between them.

Firewall rules for LAN on all OPNSense devices:



For the IPSec interface on OPNSense A and C:




9
24.1 Legacy Series / Re: What is the best way to recover a broken system
« on: February 08, 2024, 08:06:59 pm »
Oh well.  Since this is a VM, I'll make a new virtual disk and do a fresh install and do the restore.  I wanted to see if I could save time,  but it's looking like that ship has sailed  ;D

10
24.1 Legacy Series / Re: What is the best way to recover a broken system
« on: February 08, 2024, 07:54:23 pm »
I have backups of the config.  I was hoping to avoid re-installing from scratch, perhaps some way to just overwrite the corrupted image file.

Is restoring from a config backup also going to restore my plugins and packages?

11
24.1 Legacy Series / What is the best way to recover a broken system
« on: February 08, 2024, 07:49:33 pm »
Had a little catastrophe/accident on the storage level.  The system boots, but shows signs of corruption, then kernel panics.  I can access single user mode and see that the image appears to be damaged; conf files look intact.  What is the best way to approach recovery?

12
23.7 Legacy Series / What is the correct way to route two LANs across two OPNsense devices
« on: December 28, 2023, 12:04:10 am »
This is a problem I have struggled with since the days of m0n0wall.  Here's a realistic (yet completely made up) scenario:

There are two OPNSense devices, each with their own public IP and private LANs. Each has the LAN port connected to its own isolated network switch, and each has the WAN port connected to the ISP modems/routers.  Let's call them WORK and PLAY.

- The LAN subnet for WORK is 172.16.22.0/24
- The LAN subnet for PLAY is 192.168.0.0/24
- There is a computer called OFFICE-PC connected to WORK LAN
- There is a computer called GAME-PC connected to PLAY LAN
- Both OPNSense devices have a (third) extra Ethernet port that is unused

What are my options and what steps must I take (assuming there are no firewalls) so that OFFICE-PC can talk to GAME-PC and vice versa?




13
23.7 Legacy Series / Re: ERR_CONNECTION_RESET problems when browsing web
« on: December 27, 2023, 11:42:25 pm »
I get tons of those while browsing the web.  I figure the Internet and modern web browsers are just broken and no one cares enough to fix the problem.  I never considered it to be related to OPNsense or its predecessor/forks.

14
23.7 Legacy Series / NAT/Firewall Config for PPTP Server
« on: November 08, 2023, 09:28:37 am »
Unfortunately it's still not possible to do without a PPTP server.  It's simply not feasible to use OpenVPN, Wireguard, Tinc, etc without having to install additional software on OS's, devices, etc.

So I have resorted to setting up a FreeBSD VM that's running mpd5.

What do I need to do on the OPNSense Firewall to allow traffic to the PPTP server?  I already did the usual NAT port forwarding for TCP port 1723 and the GRE protocol.  While I can "connect" it's failing on LCP parameter negotiation "LCP: parameter negotiation failed".  I suspect the auto-created firewall rule is wrong?

15
23.7 Legacy Series / Replicating PPTP VPN Functionality
« on: October 01, 2023, 09:02:06 am »
This isn't a post complaining about the removal of PPTP.

I had to replace t1n1wall with a new device that uses OPNsense.  The PPTP VPN which was available in t1n1wall allowed me to easily set up the VPN server to provide access to all the networks, including IPSec tunnels, and WAN/Internet that were configured on it.  This was very useful in that I could VPN into my home network and access the Internet as if I was home, and access all my remote offices without having to do any additional setup on my part.

I'm having trouble replicating this behavior with IPSec mobile VPN (https://docs.opnsense.org/manual/how-tos/ipsec-rw.html#vpn-compatibility).  I can barely access my home network, let alone any remote offices.  I haven't even begun to think about "remote" Internet access. I'd prefer not to use OpenVPN since it requires installing extra stuff on the client side.

Are there any instructions on how to do this?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved