OPNsense
Messages - mic

Pages: [1] 2
1
Virtual private networks / Re: VXLAN between two OPNsense
« on: August 28, 2024, 05:26:08 pm »
bartjsmit you are right!  ;D

This is my configuration.

Firewall A

VXLAN
Quote
VNI: 100200
Source Address: a.a.a.a
Source port: 5248
Remote address: b.b.b.b
Remote port: 5248
Multicast group: none
Device: none

I assigned an interface (without an IP address) using VXLAN_100200 as the device, and enabled it.
I created a bridge with members VXLAN_200 and VLAN_200
On the WAN interface:
Quote
Protocol: IPv4 UDP
Source: b.b.b.b
Destination: a.a.a.a (WAN Address)
Destination port: 5248

Firewall B

VXLAN:
Quote
VNI: 100200
Source Address: b.b.b.b
Source port: 5248
Remote address: a.a.a.a
Remote port: 5248
Multicast group: none
Device: none

I assigned an interface (without an IP address) using VXLAN_100200 as the device, and enabled it.
On Firewall B I have no VLANs to associate with VXLAN 100200.

On the WAN interface:
Quote
Protocol: IPv4 UDP
Source: a.a.a.a
Destination: b.b.b.b (WAN Address)
Destination port: 5248

On both firewalls, in the rules for the VXLAN interface, I added only one rule: permit any to any.

First of all, I think there is some missing configuration on Firewall B...

Thank you

2
Virtual private networks / VXLAN between two OPNsense
« on: August 28, 2024, 11:50:47 am »
Hi,

I need to configure VXLAN between two OPNsense. This is my situation
OPNsense A, a physical firewall in the head office:
Quote
IP Public: a.a.a.a
LAN 1: 192.168.100.1/24
VLAN 200: 192.168.200.1/24
VLAN 210: 192.168.210.1/24
VLAN 220: 192.168.220.1/24

OPNsense B, a VM in a DC:
Quote
IP Public: b.b.b.b
LAN 1: 192.168.2.1/24

My goal is to transport VLANs 200, 210 and 220 of Firewall A to Firewall B in the DC, so that VLANs 200, 210 and 220 can reach the Internet through Firewall B using its public IP b.b.b.b.

For various reasons I cannot use any other VPN than VXLAN

I tried some configuration but without luck.

Could you help me, please?

Thank you
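An added example, not code from either post above and not OPNsense's own tooling: a small Python model of what the configuration in the two posts actually checks on an inbound VXLAN datagram. It packs and parses the RFC 7348 VXLAN header and an (optionally 802.1Q-tagged) inner Ethernet frame, applies the same three checks the WAN rule and the vxlan device apply (outer source address, UDP destination port, VNI), and computes the largest inner IP packet that still fits in the WAN MTU once the 50 bytes of encapsulation are added. The VNI and port are the ones in the posts; the peer addresses are constructed stand-ins for a.a.a.a and b.b.b.b from the RFC 5737 documentation ranges. What the model makes explicit is that none of these checks authenticates or encrypts anything: whoever can deliver UDP to port 5248 with a spoofed outer source address passes all three and injects Ethernet frames straight into the bridged VLAN, and the traffic between the sites crosses the Internet in clear text. VXLAN is a tunnel, not a VPN; if the transport is untrusted, carry it inside IPsec or WireGuard.

```python
import struct

# Values taken from the posts: VNI and UDP port (the IANA default port is 4789).
VNI = 100200
VXLAN_PORT = 5248
# Constructed stand-ins for a.a.a.a and b.b.b.b (RFC 5737 documentation ranges).
PEER_A = "203.0.113.10"
PEER_B = "198.51.100.20"
# Bytes wrapped around every inner frame: outer IPv4 (20) + UDP (8) + VXLAN (8)
OUTER_L3_OVERHEAD = 20 + 8 + 8
ETH_HDR = 14
DOT1Q_TAG = 4


def build_vxlan_header(vni: int) -> bytes:
    """RFC 7348 header: flags (I bit = 0x08), 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int,
                payload: bytes, vlan_id=None) -> bytes:
    """Inner Ethernet frame; with vlan_id an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    hdr = dst_mac + src_mac
    if vlan_id is not None:
        hdr += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vxlan(datagram: bytes) -> dict:
    """Split a VXLAN UDP payload into header fields and inner-frame addressing."""
    if len(datagram) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", datagram[:8])
    if not flags & 0x08:
        raise ValueError("VNI-valid flag not set")
    inner = datagram[8:]
    if len(inner) < ETH_HDR:
        raise ValueError("truncated inner Ethernet frame")
    ethertype = struct.unpack("!H", inner[12:14])[0]
    vlan_id = None
    if ethertype == 0x8100 and len(inner) >= ETH_HDR + DOT1Q_TAG:
        tci, ethertype = struct.unpack("!HH", inner[14:18])
        vlan_id = tci & 0x0FFF
    return {
        "vni": vni_field >> 8,
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "inner_dst": inner[0:6].hex(":"),
        "inner_src": inner[6:12].hex(":"),
    }


def accept_vxlan(outer_src_ip: str, outer_dst_port: int, datagram: bytes,
                 expected_peer: str, expected_vni: int):
    """The only filtering the posted setup performs: outer source IP and UDP port
    (the WAN rule) plus the VNI (the vxlan device). Nothing authenticates the sender,
    so a datagram with a spoofed outer source address passes every check."""
    if outer_src_ip != expected_peer or outer_dst_port != VXLAN_PORT:
        return None
    decoded = parse_vxlan(datagram)
    if decoded["vni"] != expected_vni:
        return None
    return decoded


def inner_ip_mtu_that_fits(wan_mtu: int, tagged: bool) -> int:
    """Largest inner IP packet whose encapsulated form does not exceed the WAN MTU.
    With a 1500-byte WAN MTU the bridged hosts need 1450 (untagged) or 1446 (tagged)."""
    return wan_mtu - OUTER_L3_OVERHEAD - ETH_HDR - (DOT1Q_TAG if tagged else 0)


if __name__ == "__main__":
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0806, b"\x00" * 28, vlan_id=200)
    datagram = build_vxlan_header(VNI) + frame
    print("from peer:   ", accept_vxlan(PEER_B, VXLAN_PORT, datagram, PEER_B, VNI))
    print("from stranger:", accept_vxlan("192.0.2.99", VXLAN_PORT, datagram, PEER_B, VNI))
    print("inner IP MTU for WAN MTU 1500:", inner_ip_mtu_that_fits(1500, tagged=False))
```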

3
24.7 Production Series / Re: mlx4en failing to load after upgrade to 24.7
« on: August 24, 2024, 12:07:38 pm »
Hi,

the solution proposed by doktornotor works!

Thank you

4
24.7 Production Series / Re: mlx4en failing to load after upgrade to 24.7
« on: August 23, 2024, 01:45:56 pm »
Hello,

after some attempts I found a workaround. The problem is that OPNsense does not load the mlx4en module at startup even though the line mlx4en_load="YES" is present in /boot/loader.conf.local. A workaround is to create in
Code:
/usr/local/etc/rc.syshook.d/early/
the file
Code:
16-mlx4en-load
with the following content:
Code:
#!/bin/sh
# Early-boot syshook: load the Mellanox ConnectX-3 Ethernet driver before the
# interfaces are configured. Skip the kldload if the module is already present.
kldstat -q -n mlx4en.ko || kldload mlx4en

Now you have to set execute permissions on the file:
Code:
chmod +x 16-mlx4en-load
The last step is to reboot the system.

I hope this workaround can help someone


5
24.7 Production Series / Re: mlx4en failing to load after upgrade to 24.7
« on: August 21, 2024, 01:24:22 pm »
Hello,

I have an AOC-MCX312C-XCCT (2 x 10 Gb SFP+) installed in a Supermicro AS-5019D-FTN4, and after the update to 24.7 the ports do not work anymore. I tried the following actions:

  • Remove from /boot/loader.conf.local the only row with mlx4en_load="YES"
  • Reboot
  • Load mlx4en with kldload mlx4en
  • Reload all interfaces with configctl interface reconfigure <interface_name>

My interfaces are lagg0 and 3 VLANs so to reload interfaces I run the following commands:
  • configctl interface reconfigure lagg0
  • configctl interface reconfigure lagg0_vlan20
  • configctl interface reconfigure lagg0_vlan3
  • configctl interface reconfigure lagg0_vlan9

After all these steps the interfaces do not work....

These are the messages at boot time (before I load the module):
Quote
mlx4_core0: <mlx4_core> mem 0xef800000-0xef8fffff,0x1fff8000000-0x1ffffffffff irq 54 at device 0.0 on pci4
mlx4_core: Mellanox ConnectX core driver v3.7.1 (November 2021)
mlx4_core: Initializing 0000:04:00.0
mlx4_core0: Unable to determine PCI device chain minimum BW
intsmb0: <AMD FCH SMBus Controller> at device 20.0 on pci0
smbus0: <System Management Bus> on intsmb0
ig4iic0: <Designware I2C Controller> iomem 0xfedc2000-0xfedc2fff irq 10 on acpi0
iicbus0: <Philips I2C bus (ACPI-hinted)> on ig4iic0
ig4iic1: <Designware I2C Controller> iomem 0xfedc3000-0xfedc3fff irq 11 on acpi0
iicbus1: <Philips I2C bus (ACPI-hinted)> on ig4iic1
ig4iic2: <Designware I2C Controller> iomem 0xfedc4000-0xfedc4fff irq 12 on acpi0
iicbus2: <Philips I2C bus (ACPI-hinted)> on ig4iic2
ig4iic3: <Designware I2C Controller> iomem 0xfedc5000-0xfedc5fff irq 13 on acpi0
iicbus3: <Philips I2C bus (ACPI-hinted)> on ig4iic3
ig4iic4: <Designware I2C Controller> iomem 0xfedc6000-0xfedc6fff irq 14 on acpi0
iicbus4: <Philips I2C bus (ACPI-hinted)> on ig4iic4
ig4iic5: <Designware I2C Controller> iomem 0xfedcb000-0xfedcbfff irq 15 on acpi0
iicbus5: <Philips I2C bus (ACPI-hinted)> on ig4iic5
driver bug: Unable to set devclass (class: ppc devname: (unknown))

Could you help me, please?

Thank you

6
Virtual private networks / Wireguard 2 WANs IP
« on: July 26, 2024, 05:22:02 pm »
Hello,

I have the following configuration:
  • A virtualized OPNsense in a DC with 1 static public IP: a.b.c.d
  • A hardware OPNsense in the customer headquarters with 2 WAN connections (different ISPs) and therefore 2 WAN IP addresses (say e.f.g.h and i.j.k.l)
Now in the customer HQ the first WAN connection is the primary and the second WAN is the backup. I configured a WireGuard tunnel between the DC OPNsense and the HQ OPNsense using e.f.g.h (the primary WAN IP of the HQ OPNsense) as the peer endpoint IP address (on the DC OPNsense). Now if the primary WAN connection of the HQ goes down, the WireGuard tunnel also goes down because, on the virtual OPNsense in the DC, the WireGuard peer endpoint address is set to e.f.g.h (the primary WAN IP address of the HQ connection).
Now the question is: how can I configure, on the virtual OPNsense in the DC, a second peer endpoint address (i.j.k.l) as a backup, so that if the HQ primary WAN ISP goes down the WireGuard tunnel switches to the secondary WAN using i.j.k.l as the peer endpoint IP address?

Thank you
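An added example, not from the post and not OPNsense's own tooling, of the DC-side failover check the question asks about. A WireGuard peer carries a single Endpoint, so switching to i.j.k.l has to be driven from outside the tunnel: a periodic script reads `wg show <if> dump`, measures how long ago the last handshake with the HQ peer completed, and once that exceeds a threshold rewrites the endpoint with `wg set <if> peer <key> endpoint <ip:port>`. The code below implements that decision over a constructed `wg show` dump and returns the `wg set` command it would run instead of running it; the peer key and both addresses (stand-ins for e.f.g.h and i.j.k.l, RFC 5737 ranges) are assumptions. One thing worth knowing before scripting anything: the DC side does not need to be told the HQ address at all if the HQ side is the one configured with the DC endpoint and a persistent keepalive, because WireGuard moves a peer's endpoint to the source address of the last authenticated packet received from it (endpoint roaming). In that arrangement failover happens as soon as the HQ firewall sends from the secondary WAN, and the script is only needed when both sides have to initiate.

```python
import shlex

# Constructed stand-ins for the two HQ WAN addresses (RFC 5737 ranges) and a hypothetical peer key.
PRIMARY_ENDPOINT = "198.51.100.7:51820"   # e.f.g.h
BACKUP_ENDPOINT = "203.0.113.9:51820"     # i.j.k.l
HQ_PEER_KEY = "HQpeerPublicKeyPlaceholder0000000000000000000="   # hypothetical
STALE_AFTER = 180   # seconds without a completed handshake before the path is treated as dead


def sample_dump(last_handshake: int, endpoint: str = PRIMARY_ENDPOINT) -> str:
    """Constructed `wg show wg0 dump` output as seen on the DC firewall (tab separated).
    Line 1: private_key public_key listen_port fwmark
    Peers:  public_key preshared_key endpoint allowed_ips latest_handshake rx_bytes tx_bytes keepalive"""
    return "\n".join([
        "(hidden)\tDCpublicKeyPlaceholder000000000000000000000000=\t51820\toff",
        f"{HQ_PEER_KEY}\t(none)\t{endpoint}\t10.10.0.2/32,192.168.100.0/24\t{last_handshake}\t1024\t2048\t25",
    ])


def parse_wg_dump(text: str) -> dict:
    """Parse `wg show <if> dump` into {peer_public_key: fields}."""
    peers = {}
    for line in text.strip().splitlines()[1:]:   # skip the interface line
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers[f[0]] = {
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),   # unix time, 0 = never
            "rx": int(f[5]),
            "tx": int(f[6]),
        }
    return peers


def handshake_age(peer: dict, now: int) -> float:
    """Seconds since the last completed handshake; infinite if there never was one."""
    return float("inf") if peer["latest_handshake"] == 0 else now - peer["latest_handshake"]


def choose_endpoint(current, primary: str, backup: str, age: float, stale_after: int) -> str:
    """Keep the current path while handshakes are fresh; otherwise flip to the other candidate.
    Falling back to `primary` once it recovers is deliberately not done here: that needs a
    health check of the primary path, which a stale-handshake counter cannot provide."""
    if current in (primary, backup) and age <= stale_after:
        return current
    return backup if current == primary else primary


def failover_command(iface: str, peer_key: str, dump_text: str, now: int,
                     primary=PRIMARY_ENDPOINT, backup=BACKUP_ENDPOINT, stale_after=STALE_AFTER):
    """Return the `wg set` command to run (as argv), or None if nothing should change."""
    peer = parse_wg_dump(dump_text)[peer_key]
    target = choose_endpoint(peer["endpoint"], primary, backup, handshake_age(peer, now), stale_after)
    if target == peer["endpoint"]:
        return None
    return ["wg", "set", iface, "peer", peer_key, "endpoint", target]


if __name__ == "__main__":
    now = 1_722_000_000
    for age in (30, 600):
        cmd = failover_command("wg0", HQ_PEER_KEY, sample_dump(now - age), now)
        print(f"handshake {age}s ago ->", "no change" if cmd is None else shlex.join(cmd))
```

Run it from cron every minute with the real `wg show wg0 dump` output and `subprocess.run(cmd)` in place of the print; keep the threshold well above the keepalive interval (25 s in the sample) so a single lost keepalive does not flap the endpoint.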

7
23.7 Legacy Series / Re: 23.7 upgrade from 23.1 results in DNS issues
« on: September 13, 2023, 01:54:59 pm »
Hi Franco,

I sent you the unbound section of config.xml via email.

Thank you

8
23.7 Legacy Series / Re: 23.7 upgrade from 23.1 results in DNS issues
« on: September 13, 2023, 10:29:07 am »
@Franco

Hi,

I have the same issue: after the upgrade to 23.7.3 Unbound was disabled, so I enabled it, but none of my overrides work.
I ran the following command:
Code:
/usr/local/opnsense/mvc/script/run_migrations.php

** OPNsense\Unbound\Unbound Migration failed, check log for details

and then
Code:
opnsense-log | grep run_migrations

<147>1 2023-09-13T08:23:04+02:00 localhost config 2076 - [meta sequenceId="29"] #1 /usr/local/opnsense/mvc/script/run_migrations.php(54): OPNsense\Base\BaseModel->runMigrations()
<147>1 2023-09-13T08:27:54+02:00 opnsense-casa.proximanet.net config 80369 - [meta sequenceId="8"] #1 /usr/local/opnsense/mvc/script/run_migrations.php(54): OPNsense\Base\BaseModel->runMigrations()
<147>1 2023-09-13T09:56:22+02:00 opnsense-casa.proximanet.net config 50858 - [meta sequenceId="6"] #1 /usr/local/opnsense/mvc/script/run_migrations.php(54): OPNsense\Base\BaseModel->runMigrations()

Then I tried also to enable the access list and insert my subnets, but it still doesn't work...

Can you help me, please?

Thank you

9
General Discussion / DHCP Server multiple subnets on same interface
« on: January 09, 2023, 10:25:06 am »
Hi to all,

I know this topic has been covered before, but I would like to know whether there is any forecast of this feature being implemented and, if so, when. The functionality I'm talking about is the DHCP server being able to release, and reserve, IPs even for remote subnets not directly connected to OPNsense. These requests all arrive over the same interface from remote routers, say Cisco, which use the dhcp-relay feature. OPNsense, based on the IP of the Cisco router that sends the request, responds to the latter by issuing a valid IP.

Thank you
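An added illustration of the mechanism the post describes, not code from the post or from OPNsense. What the Cisco routers do is standard DHCP relaying (RFC 2131, section 4.3.1): the relay writes the address of its client-facing interface into the giaddr field of the forwarded DISCOVER, the server chooses the pool whose subnet contains giaddr, and unicasts the OFFER back to giaddr on UDP/67 for the relay to deliver. The Python below builds a constructed relayed DISCOVER, parses the fixed BOOTP header, selects a pool by giaddr, and refuses relayed requests whose giaddr is not on an allow-list, because giaddr is an unauthenticated field: any host that can reach UDP/67 on the server can ask for a lease from any pool just by filling it in. The pools and relay addresses are made up for the example.

```python
import ipaddress
import struct

# Constructed pools for subnets that are NOT directly connected to the firewall.
POOLS = {
    "10.20.0.0/24": ("10.20.0.100", "10.20.0.199"),
    "10.30.0.0/24": ("10.30.0.50", "10.30.0.99"),
}
# Constructed relay agent addresses we are willing to serve. giaddr is whatever the sender
# wrote into the packet, so this allow-list is the only thing tying a request to a real router.
TRUSTED_RELAYS = {"10.20.0.1", "10.30.0.1"}

# Fixed BOOTP header (RFC 2131 figure 1), 44 bytes up to and including chaddr:
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(xid: int, mac: bytes, giaddr: str, hops: int = 1) -> bytes:
    """Constructed DHCPDISCOVER as a relay would forward it: BOOTREQUEST, broadcast flag set,
    giaddr filled with the relay's client-facing interface address."""
    fixed = BOOTP_HDR.pack(1, 1, 6, hops, xid, 0, 0x8000,
                           b"\0" * 4, b"\0" * 4, b"\0" * 4,
                           ipaddress.ip_address(giaddr).packed, mac.ljust(16, b"\0"))
    sname_file = b"\0" * (64 + 128)
    options = MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"   # option 53 = DISCOVER, then end
    return fixed + sname_file + options


def parse_bootp(packet: bytes) -> dict:
    """Pull the fixed fields the server needs for subnet selection out of a DHCP packet."""
    if len(packet) < BOOTP_HDR.size + 192 + len(MAGIC_COOKIE):
        raise ValueError("short DHCP packet")
    (op, _htype, hlen, hops, xid, _secs, flags,
     _ciaddr, _yiaddr, _siaddr, giaddr, chaddr) = BOOTP_HDR.unpack_from(packet)
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
            "giaddr": str(ipaddress.ip_address(giaddr)), "chaddr": chaddr[:hlen]}


def select_pool(giaddr: str):
    """RFC 2131 4.3.1: for a relayed request, the server picks the subnet containing giaddr."""
    if giaddr == "0.0.0.0":
        return None   # not relayed; a real server would use the receiving interface's subnet
    addr = ipaddress.ip_address(giaddr)
    for net, rng in POOLS.items():
        if addr in ipaddress.ip_network(net):
            return net, rng
    return None


def handle_discover(packet: bytes):
    """Return (pool, reply destination) for an accepted relayed DISCOVER, else None.
    The OFFER goes unicast to giaddr on UDP/67; the relay forwards it to the client."""
    msg = parse_bootp(packet)
    if msg["op"] != 1:
        return None
    if msg["giaddr"] != "0.0.0.0" and msg["giaddr"] not in TRUSTED_RELAYS:
        return None   # unknown relay: refuse rather than hand out an address from that pool
    sel = select_pool(msg["giaddr"])
    if sel is None:
        return None
    return sel[0], msg["giaddr"]


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")
    for relay in ("10.20.0.1", "10.30.0.1", "10.20.0.9"):
        print(relay, "->", handle_discover(build_discover(0x1234, mac, relay)))
```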

10
General Discussion / Re: VoIP QoS
« on: October 24, 2022, 01:46:44 pm »
Yes, I have read these two guides but, honestly, I have not understood how to adapt them to my needs. Also consider that the VoIP server is in the cloud and its public IP changes from time to time.

Thank you

11
General Discussion / VoIP QoS
« on: October 24, 2022, 11:25:43 am »
Hi to all,

we have the following 4 VLANs:
  • LAN - VLAN 10: 192.168.10.0/24
  • WIFI 1 - VLAN 20: 192.168.20.0/24
  • WIFI 2 - VLAN 30: 192.168.30.0/24
  • VoIP - VLAN 40: 192.168.40.0/24

We need the VoIP VLAN to have priority over the others. Our ISP connection is 100/100 Mb/s. Our goal is that if the connection becomes saturated, the VoIP VLAN takes precedence over the others and, if possible, at least 15/15 Mb/s is reserved for the VoIP VLAN in case of bandwidth saturation.

Thank you

12
22.1 Legacy Series / Re: IPsec site-to-site VPN loses connection after upgrade to 22.1.8
« on: May 31, 2022, 10:30:20 am »
Hi,

the configurations on both ends are exactly the same. If I restart the service on the local OPNsense (22.1.8_1) the IPsec tunnel comes up and everything works perfectly for a certain period of time. If I generate traffic in the tunnel (a continuous ping to a host in the remote network), the tunnel doesn't go down. It goes down after a period of time if there isn't traffic in the tunnel.
This issue started when I updated the local OPNsense to 22.1.8_1. The remote OPNsense version is 22.1.2_1.

I attach the Phase 1 and Phase 2 configuration of the local OPNsense. They are exactly the same on the remote OPNsense, except for "Remote Gateway" in Phase 1 and "Local Address" and "Remote Address" in Phase 2, which are inverted...

Thank you

13
22.1 Legacy Series / Re: IPsec site-to-site VPN loses connection after upgrade to 22.1.8
« on: May 30, 2022, 03:49:00 pm »
No, it doesn't come up

14
22.1 Legacy Series / Re: IPsec site-to-site VPN loses connection after upgrade to 22.1.8
« on: May 30, 2022, 11:35:12 am »
Hi,

I tried the solution suggested by bugzptr but it didn't work. After about 15-20 minutes of inactivity the IPsec tunnel goes down. Instead, if there is traffic in the tunnel (a continuous ping), the link doesn't go down...   :'(

Thank you

15
22.1 Legacy Series / Re: IPsec site-to-site VPN loses connection after upgrade to 22.1.8
« on: May 30, 2022, 10:08:29 am »
Hi,

I tried the solution suggested by bugzptr but with no luck. Now I am trying what pmhausen suggested and will keep you informed. Below you can see my logs

Code:
2022-05-30T09:55:06 Informational charon 10[ENC] <con1|2> parsed INFORMATIONAL response 856 [ D ]
2022-05-30T09:55:06 Informational charon 10[NET] <con1|2> received packet: from OPNSENSE_REMOTE_PUBLIC_IP[500] to OPNSENSE_LOCAL_PUBLIC_IP[500] (69 bytes)
2022-05-30T09:55:06 Informational charon 10[NET] <con1|2> sending packet: from OPNSENSE_LOCAL_PUBLIC_IP[500] to OPNSENSE_REMOTE_PUBLIC_IP[500] (69 bytes)
2022-05-30T09:55:06 Informational charon 10[ENC] <con1|2> generating INFORMATIONAL request 856 [ D ]
2022-05-30T09:55:06 Informational charon 10[IKE] <con1|2> sending DELETE for ESP CHILD_SA with SPI c439b93b
2022-05-30T09:55:06 Informational charon 10[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
2022-05-30T09:55:06 Informational charon 10[IKE] <con1|2> unable to install inbound and outbound IPsec SA (SAD) in kernel
2022-05-30T09:55:05 Informational charon 10[CFG] <con1|2> selected proposal: ESP:AES_GCM_16_256/MODP_8192/NO_EXT_SEQ
2022-05-30T09:55:05 Informational charon 10[IKE] <con1|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2022-05-30T09:55:05 Informational charon 10[ENC] <con1|2> parsed CREATE_CHILD_SA response 855 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2022-05-30T09:55:05 Informational charon 10[NET] <con1|2> received packet: from OPNSENSE_REMOTE_PUBLIC_IP[500] to OPNSENSE_LOCAL_PUBLIC_IP[500] (1225 bytes)
2022-05-30T09:55:05 Informational charon 10[NET] <con1|2> sending packet: from OPNSENSE_LOCAL_PUBLIC_IP[500] to OPNSENSE_REMOTE_PUBLIC_IP[500] (1225 bytes)
2022-05-30T09:55:05 Informational charon 10[ENC] <con1|2> generating CREATE_CHILD_SA request 855 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2022-05-30T09:55:04 Informational charon 10[IKE] <con1|2> establishing CHILD_SA con1{499} reqid 1
2022-05-30T09:55:04 Informational charon 10[KNL] creating acquire job for policy OPNSENSE_LOCAL_PUBLIC_IP/32 === OPNSENSE_REMOTE_PUBLIC_IP/32 with reqid {1}
2022-05-30T09:55:03 Informational charon 10[NET] <con1|2> sending packet: from OPNSENSE_LOCAL_PUBLIC_IP[500] to OPNSENSE_REMOTE_PUBLIC_IP[500] (65 bytes)
2022-05-30T09:55:03 Informational charon 10[ENC] <con1|2> generating CREATE_CHILD_SA response 304 [ N(NO_PROP) ]
2022-05-30T09:55:03 Informational charon 10[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
2022-05-30T09:55:03 Informational charon 10[IKE] <con1|2> unable to install inbound and outbound IPsec SA (SAD) in kernel

Thank you
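An added example, not from the post and not part of strongSwan or OPNsense. Read from the bottom up (the log view is newest first), the posted lines show a CHILD_SA rekey that charon negotiated successfully (CREATE_CHILD_SA request 855, proposal ESP:AES_GCM_16_256/MODP_8192/NO_EXT_SEQ) and then could not install, "unable to install inbound and outbound IPsec SA (SAD) in kernel", after which it sent a DELETE for SPI c439b93b; three seconds earlier the same kernel error preceded a CREATE_CHILD_SA response 304 carrying NO_PROP. When a tunnel only dies after idle time, this is the sequence to look for around the drop. The Python below parses lines in the OPNsense IPsec log format into timestamp, subsystem, IKE_SA and message, walks them per IKE_SA in time order, and reports each kernel SA install failure with the exchange id and proposal that led up to it and the SPI deleted afterwards. The log lines embedded in the code are copied from the post; nothing else is assumed.

```python
import re

# The 19 lines posted above, newest first as the OPNsense log view shows them.
SAMPLE = """\
2022-05-30T09:55:06 Informational charon 10[ENC] <con1|2> parsed INFORMATIONAL response 856 [ D ]
2022-05-30T09:55:06 Informational charon 10[NET] <con1|2> received packet: from OPNSENSE_REMOTE_PUBLIC_IP[500] to OPNSENSE_LOCAL_PUBLIC_IP[500] (69 bytes)
2022-05-30T09:55:06 Informational charon 10[NET] <con1|2> sending packet: from OPNSENSE_LOCAL_PUBLIC_IP[500] to OPNSENSE_REMOTE_PUBLIC_IP[500] (69 bytes)
2022-05-30T09:55:06 Informational charon 10[ENC] <con1|2> generating INFORMATIONAL request 856 [ D ]
2022-05-30T09:55:06 Informational charon 10[IKE] <con1|2> sending DELETE for ESP CHILD_SA with SPI c439b93b
2022-05-30T09:55:06 Informational charon 10[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
2022-05-30T09:55:06 Informational charon 10[IKE] <con1|2> unable to install inbound and outbound IPsec SA (SAD) in kernel
2022-05-30T09:55:05 Informational charon 10[CFG] <con1|2> selected proposal: ESP:AES_GCM_16_256/MODP_8192/NO_EXT_SEQ
2022-05-30T09:55:05 Informational charon 10[IKE] <con1|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2022-05-30T09:55:05 Informational charon 10[ENC] <con1|2> parsed CREATE_CHILD_SA response 855 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2022-05-30T09:55:05 Informational charon 10[NET] <con1|2> received packet: from OPNSENSE_REMOTE_PUBLIC_IP[500] to OPNSENSE_LOCAL_PUBLIC_IP[500] (1225 bytes)
2022-05-30T09:55:05 Informational charon 10[NET] <con1|2> sending packet: from OPNSENSE_LOCAL_PUBLIC_IP[500] to OPNSENSE_REMOTE_PUBLIC_IP[500] (1225 bytes)
2022-05-30T09:55:05 Informational charon 10[ENC] <con1|2> generating CREATE_CHILD_SA request 855 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2022-05-30T09:55:04 Informational charon 10[IKE] <con1|2> establishing CHILD_SA con1{499} reqid 1
2022-05-30T09:55:04 Informational charon 10[KNL] creating acquire job for policy OPNSENSE_LOCAL_PUBLIC_IP/32 === OPNSENSE_REMOTE_PUBLIC_IP/32 with reqid {1}
2022-05-30T09:55:03 Informational charon 10[NET] <con1|2> sending packet: from OPNSENSE_LOCAL_PUBLIC_IP[500] to OPNSENSE_REMOTE_PUBLIC_IP[500] (65 bytes)
2022-05-30T09:55:03 Informational charon 10[ENC] <con1|2> generating CREATE_CHILD_SA response 304 [ N(NO_PROP) ]
2022-05-30T09:55:03 Informational charon 10[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
2022-05-30T09:55:03 Informational charon 10[IKE] <con1|2> unable to install inbound and outbound IPsec SA (SAD) in kernel
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ charon (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?:<(?P<conn>[^>]+)> )?(?P<msg>.*)$")
PROPOSAL_RE = re.compile(r"selected proposal: (\S+)")
EXCHANGE_RE = re.compile(r"CREATE_CHILD_SA (?:request|response) (\d+)")
DELETE_RE = re.compile(r"sending DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)")
KERNEL_FAIL = "unable to install inbound and outbound IPsec SA (SAD) in kernel"


def parse_log(text: str) -> list:
    """One dict per line: ts, thread, sub(system), conn (None for lines without <...>), msg."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        events.append(m.groupdict())
    return events


def rekey_failures(text: str, newest_first: bool = True) -> list:
    """Walk the log in time order, per IKE_SA, and collect every CHILD_SA attempt that died
    because the kernel refused the SA, with the exchange id and proposal seen before the
    failure and the SPI charon deleted after it."""
    events = parse_log(text)
    if newest_first:
        events.reverse()
    state, failures = {}, []
    for ev in events:
        conn, msg = ev["conn"], ev["msg"]
        if conn is None:
            continue   # [KNL] acquire jobs carry no IKE_SA tag
        st = state.setdefault(conn, {"exchange": None, "proposal": None, "pending": None})
        if msg.startswith("establishing CHILD_SA"):
            st.update(exchange=None, proposal=None, pending=None)   # a new attempt starts
        elif (m := EXCHANGE_RE.search(msg)):
            st["exchange"] = m.group(1)
        elif (m := PROPOSAL_RE.search(msg)):
            st["proposal"] = m.group(1)
        elif msg == KERNEL_FAIL:
            st["pending"] = {"ts": ev["ts"], "conn": conn, "exchange": st["exchange"],
                             "proposal": st["proposal"], "deleted_spi": None}
            failures.append(st["pending"])
        elif (m := DELETE_RE.search(msg)) and st["pending"] is not None:
            st["pending"]["deleted_spi"] = m.group(1)
            st["pending"] = None
    return failures


if __name__ == "__main__":
    for f in rekey_failures(SAMPLE):
        print(f)
```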

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved