Messages - bladman

#1
I have a Deciso appliance which I have upgraded to 18.7 from 18.1.
Now I can't log in to the web interface, SSH or console anymore.

I do enter the right credentials. It was very hard to find a few minutes to allow downtime so does anyone know a fix which doesn't involve downtime?

As far as I have found, I think something is messed up with the local database no longer being used for authentication.

I do have AD setup for OpenVPN, so if there is a way by adding an AD user or something to regain access to the web interface, SSH or the serial console that would be awesome. Can't really afford any downtime.

Any thoughts?
#2
18.1 Legacy Series / Re: Multi-WAN routing loop
May 03, 2018, 10:39:48 AM
Hi,

The load balancing is inbound, not outbound.
Behind the load balancer are, for example, two Exchange servers providing Client Access.

On the current "main" connection everything works just fine and relayd reports those VSs as up.
#3
18.1 Legacy Series / Re: Multi-WAN routing loop
April 26, 2018, 12:44:45 PM
Some more information: the load balancer virtual server statuses show "Unknown - relayd not running?" as well.
Seems to be related.
#4
18.1 Legacy Series / Re: Multi-WAN routing loop
April 26, 2018, 12:21:53 PM
Thanks for your reply, but unfortunately this has already been unset.
#5
18.1 Legacy Series / Multi-WAN routing loop
April 19, 2018, 12:54:29 PM
Hi,

We plan on taking a new fiber connection into production.
So far so good, but currently I am testing the new connection and I am experiencing some issues.

I have set the outbound NAT to Hybrid. I have set one machine to be routed over the new connection, using an IP Alias as its address, but it appears I am still being routed over the current primary WAN interface.

When I set a rule for this specific machine with the gateway towards the new fiber I experience a lot of issues with visiting websites where it seems that I have some sort of split routing (some pages load partially but most pages don't load at all).

A traceroute to the IP Alias I have set up on this machine shows the traffic going through all the proper hops, but after one of the hops the (current) main IP address of the WAN interface appears: the traffic is forwarded to the default gateway of the current WAN interface and then routed again. So a routing loop seems to appear.

Any ideas?
#6
17.1 Legacy Series / IPSEC Status empty
July 21, 2017, 09:51:11 AM
Since the upgrade of our 2 firewalls running OPNsense the IPSEC status overview is empty.
The IPSEC tunnels are up and functioning normally, but I do not have any statistics or uptime information anymore.

Also in the log files I have many of these errors:
charon: 06[KNL] unable to query SAD entry with SPI <ID> No such file or directory (2)

How to fix this?
#7
17.1 Legacy Series / Re: Port Forward Virtual IP
July 15, 2017, 02:23:52 AM
Quote from: jjonsson on June 17, 2017, 11:32:13 AM
Ok, this is very strange. Port forward to X.X.199.4 works as long as no similar portforward is setup to X.X.199.3

I have a port forward to SSH up and running. I get the correct server when using X.X.199.4 (no port forward is set up on port 22 to X.X.199.3 -> 192.168.12)
The same does not apply with X.X.199.4. Both port 80/443 forward to X.X.199.3 instead.

For X.X.199.3 I'm using "WAN address" in the port forward rule. For X.X.199.4, I'm using "X.X.199.4" in the port forward rule. I can't use X.X.199.3 instead of WAN address (seems like that would solve the issue).

Is this a bug or ?

I have had the same issue after upgrading from 16.x.

You have to create an Alias (Firewall -> View -> Aliases) and create an alias called WANIP with the primary IP address of your router (so the WAN Address).

After that change the rule that has WAN Address in it and set the Destination address to your newly created alias. After that everything starts working.

It seems that the bug is that instead of WAN Address being used, the WAN NET is being used in the port forward.
#8
Hi,

I upgraded from 16.7 yesterday, and after my clients reported LOTS of issues with my Virtual IP NATting I have found out that if you create a NAT entry on WAN Address, the whole WAN NET gets forwarded for that port.

You have to create an alias for the WAN Address and set the destination to the newly created alias in order to prevent the whole WAN NET from being forwarded. In my case this is pretty problematic with multiple Virtual IPs.

Is this a known issue?

I have several examples if required.

Regards,
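As an added illustration of the symptom reported in #7 and #8 (this is example code, not from the posts or from OPNsense): a small Python audit that parses rdr rules written in the style of `pfctl -sn` output and flags port forwards whose destination matches a whole network rather than a single host. The sample rules, addresses and the exact output format are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of pf rdr rules, in the style of `pfctl -sn` output on a
# FreeBSD/OPNsense box (assumption: real output may differ in detail).
# The /24 destination mirrors the symptom in the posts: a port forward that
# matches the whole WAN network instead of the single WAN address.
SAMPLE_RDR_RULES = """\
rdr pass on em0 inet proto tcp from any to 203.0.113.0/24 port = 443 -> 192.168.12.10
rdr pass on em0 inet proto tcp from any to 203.0.113.4 port = 22 -> 192.168.12.11
rdr pass on em0 inet proto tcp from any to 203.0.113.3 port = 80 -> 192.168.12.10
"""

# Pull out the destination (host or CIDR), the port and the redirect target.
# `\bto` does not match the "to" inside "proto", so the first hit is the real one.
RDR_RE = re.compile(
    r"^rdr\s+.*?\bto\s+(?P<dst>[0-9A-Fa-f:.]+(?:/\d+)?)\s+port\s*=\s*(?P<port>\d+)\s*->\s*(?P<target>\S+)"
)


def parse_rdr_rules(text):
    """Return (destination_network, port, target) for each rdr line that parses."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        dst = ipaddress.ip_network(m.group("dst"), strict=False)
        rules.append((dst, int(m.group("port")), m.group("target")))
    return rules


def find_overbroad_forwards(text):
    """Flag rdr rules whose destination is a network rather than a single host.

    A port forward meant for one WAN IP should match a /32 (or /128). Anything
    wider claims that port on every virtual IP in the same WAN network, which
    is the behaviour the posts describe.
    """
    findings = []
    for dst, port, target in parse_rdr_rules(text):
        if dst.num_addresses > 1:
            findings.append({"destination": str(dst), "port": port,
                             "target": target, "hosts_matched": dst.num_addresses})
    return findings


if __name__ == "__main__":
    for f in find_overbroad_forwards(SAMPLE_RDR_RULES):
        print(f"overbroad forward: port {f['port']} -> {f['target']} matches "
              f"{f['hosts_matched']} hosts via {f['destination']}")
```

On a live box the same check can be run over the real `pfctl -sn` output to confirm that every port forward resolves to one address after the alias workaround is applied.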