Messages - wickeren

#1
Well, I believe if Disable Preempt is NOT checked, net.inet.carp.preempt=1 is set under the hood?
Have never seen any documentation instructing to set this yourself.

From a sysctl -a | grep "net.inet.carp"
I can even see this:
net.inet.carp.preempt: 1

So that looks ok to me. But despite that, it's not working as expected as only the affected interface fails over.
#2
I have a simple 2-node LAN/WAN setup, but it looks like having the CARP VIP/being master on node1 or node2 is on the interface level and not global.
If I unplug the WAN cable from node1 I can see the CARP master role for WAN moving from node1 to node2. However, node1 is still master on the LAN, responding on the LAN CARP VIP.
To me this split situation seems weird and incorrect, causing the LAN<->WAN traffic to halt. Shouldn't all interfaces move at the same time from master to slave and vice versa? Can't see how this should work if that's not the case.

What am I missing here? Did I just misconfigure something? I followed guide at https://docs.opnsense.org/manual/how-tos/carp.html

Disable Preempt is NOT checked! That should be the setting controlling this, right? So preempt is enabled and this should group all VIPs and move all at the same time AFAIKS.
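An added shell check, not from the thread, for spotting the split state described above on a FreeBSD/OPNsense node: it parses the "carp:" lines that ifconfig prints and reports when VIPs on different interfaces disagree on MASTER/BACKUP. The interface names and addresses in the sample are constructed, not taken from the poster's system.

```shell
#!/bin/sh
# Constructed sample in the format FreeBSD ifconfig uses for CARP VIPs:
# LAN interface is MASTER while WAN interface is BACKUP (the split state).
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 2
    carp: BACKUP vhid 2 advbase 1 advskew 100'

# Print one "interface vhid state" line per CARP VIP found in ifconfig-style text.
# On a live node: carp_states "$(ifconfig)"
carp_states() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+:/ { iface = $1; sub(":", "", iface) }
        /^[[:space:]]*carp:/ { print iface, $4, $2 }
    '
}

# Succeed (exit 0) when every VIP on the node is in the same state,
# fail (exit 1) when the node is MASTER on one interface and BACKUP on another.
carp_consistent() {
    n=$(carp_states "$1" | awk '{ print $3 }' | sort -u | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

carp_states "$SAMPLE_IFCONFIG"
if carp_consistent "$SAMPLE_IFCONFIG"; then
    echo "CARP state consistent across interfaces"
else
    echo "WARNING: CARP split state, VIPs disagree on MASTER/BACKUP"
fi
```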
#3
High availability / no DHCPv4 logs on master
November 17, 2023, 05:11:10 PM
Have an HA setup, everything seems to work fine, except I'm unable to see ANY DHCPv4 logs on the master, no matter if using the real or the VIP IP. It always shows up empty in the GUI, although in /var/log/dhcpd/ there is a dhcp_<date>.log with actual data and latest.log linking to it.

On the backup node I can access the log from the GUI just fine, but only as long as it is backup. As it becomes master (by powering off the first node), the problem moves to the second node.

It seems you somehow can't access the DHCPv4 logs in the GUI on a node that is master...

Any ideas?
#4
Tnx! I think I can live with that for now.
What's the best way to make suggestions, so that things like this might get embedded in a next version?
#5
No idea how to return a more formally correct status 403 for a WAF violation?
Unlike in HAProxy, is there no such thing in NGINX to do custom options?
#6
Or even better: add a "Violation status code" setting in the GUI, setting the required status code.
#7
Ok I can see in the config:

location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
}

If I add return 403; it works as expected; the WAF is detected fine by different security scanners.

But it's overwritten/deleted every time I hit Apply in the GUI.
Any way to make a permanent custom config? Or any other way to add the return 403; ?
#8
Is there a way to let nginx give a status code of 403 in case of violation of the NAXSI rules?
Some security scanners now can't detect a WAF and flag that as a security issue. The cause seems to be the 200 response instead of a 403, even if the request is actually denied. Setting a custom error violation page doesn't work either, because "Only the page content itself is used. Status code rewriting and redirection is not supported".

Any ideas how to get a 403?
#9
Really nobody with a similar setup?
#10
My fiber provider in Holland (KPN) offered me a free upgrade from 100Mb to 200Mb, but told me I need to switch from PPPoE to IPoE.
Current situation: WAN is PPPoE, getting first IP automatically from my /29 subnet from provider, and configured the remaining IPs as an alias, working perfectly fine. LAN is on 192.168.1.0/24.
As I was unfamiliar with IPoE I started looking around and read everywhere I should just change the WAN type to DHCP and asked KPN for confirmation for that.

To my surprise they told me it was quite different and gave me an example config for Cisco that looked quite strange to me. This was the only example they could provide. The Cisco config they gave me seems to tell me to configure the WAN on a static IP in a different /30 subnet (calling it an "interlink subnet") with a gateway in that same subnet, and to configure my current /29 subnet on the LAN side...

!## Guide, IPoE setup with Cisco Router.
!## Port type may differ
!-------
!------- WAN port ----
!-------
interface GigabitEthernet0/0/0
 description Connection to WAN
 ip address 145.54.111.62 255.255.255.252
 speed 100
 duplex full
 mtu 1500
!
!-------
!------- LAN ------
!-------
interface GigabitEthernet0/0/1
 description to Customer LAN
 ip address 31.149.115.137 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 145.54.111.61
!

That looks ridiculous to me, as I don't want my public IPs on the LAN! And I also don't want to buy another router to put in front of OPNsense just so I could use my public IPs on my OPNsense WAN.
Any idea how to configure this right on the OPNsense WAN interface? Could I probably just use the /30 subnet as suggested as primary and configure the /29 as aliases on the WAN as well?
Anyone familiar with IPoE in general and/or KPN setup in particular?

Regards,

Julian
#11
19.1 Legacy Series / Re: IPoE
July 12, 2019, 12:12:22 PM
Did you ever make this work? KPN told me I could upgrade my fibre connection, but I need to switch to IPoE as well.
Is this simply setting the WAN to DHCP or Static IP instead of PPPoE, which is currently used?
#12
17.7 Legacy Series / Ipsec NAT/BINAT option missing
September 09, 2017, 03:28:47 PM
Reading the docs it seems there should be a NAT/BINAT option in the IPsec phase 2 settings to do translation before the traffic enters the tunnel. However, in my setup (17.7.1) it is missing. Has this changed and are the docs not updated, or am I missing something else?

Julian