1
20.7 Legacy Series / Re: zabbix proxy 4 on Opnsense 20.7
« on: September 14, 2020, 04:13:36 pm »
Awesome. Thank you very much!
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
20.7 Legacy Series / zabbix proxy 4 on Opnsense 20.7
« on: September 13, 2020, 04:29:09 am »
Hi,
I have not upgraded to 20.7 yet as I noticed that this version jumps to zabbix proxy 5.
Will I still be able to run zabbix proxy 4 after the upgrade? The rest of my infrastructure is still running on 4.
Regards,
Andrea
I have not upgraded to 20.7 yet as I noticed that this version jumps to zabbix proxy 5.
Will I still be able to run zabbix proxy 4 after the upgrade? The rest of my infrastructure is still running on 4.
Regards,
Andrea
3
General Discussion / Thanks for the great product!
« on: April 02, 2019, 11:40:01 am »
Hi,
Can I please just spend one minute telling you how great OPNsense is?
No point as if you are reading this, you already know!
You've been my introduction to BSD, and since then a lot of more Unix based systems came my way.
Anyway, the other day I was reading this article on the right software for setting up a homelab and could not help mentioning the amazing OPNsense in the comments: https://opensource.com/article/19/3/home-lab
I keep mentioning OPNsense at work too but it's hard to steer/convince CISCO/Windows engineers that Unix and open source can be a valid alternative. None the less, I keep talking about it! lol
Thanks to all the developers, and keep up the good work,
Andrea
Can I please just spend one minute telling you how great OPNsense is?
No point as if you are reading this, you already know!
You've been my introduction to BSD, and since then a lot of more Unix based systems came my way.
Anyway, the other day I was reading this article on the right software for setting up a homelab and could not help mentioning the amazing OPNsense in the comments: https://opensource.com/article/19/3/home-lab
I keep mentioning OPNsense at work too but it's hard to steer/convince CISCO/Windows engineers that Unix and open source can be a valid alternative. None the less, I keep talking about it! lol
Thanks to all the developers, and keep up the good work,
Andrea
4
General Discussion / OS timezone VS application/OPNsense/schedule timezone
« on: April 02, 2019, 11:20:12 am »
Hi,
I like my systems to be setup all in UTC, so that it's easier to debug issues across timezones.
Apparently I'm not the only one: http://yellerapp.com/posts/2015-01-12-the-worst-server-setup-you-can-make.html :-D
Anyway, the problem is that if I set OPNsense to UTC then the FW schedule (eg to limit the Internet for the kids VLAN) goes off by one hour.
In summary, is there a way to have the OS (HBSD) and the application (OPNsense) to use two different timezones?
Any other workaround/suggestion for the problem above mentioned is welcome too.
Regards,
Andrea
I like my systems to be setup all in UTC, so that it's easier to debug issues across timezones.
Apparently I'm not the only one: http://yellerapp.com/posts/2015-01-12-the-worst-server-setup-you-can-make.html :-D
Anyway, the problem is that if I set OPNsense to UTC then the FW schedule (eg to limit the Internet for the kids VLAN) goes off by one hour.
In summary, is there a way to have the OS (HBSD) and the application (OPNsense) to use two different timezones?
Any other workaround/suggestion for the problem above mentioned is welcome too.
Regards,
Andrea
5
General Discussion / "Random" package drop/FW "default deny rule" match
« on: December 14, 2018, 07:00:59 pm »
Hi,
I want my pc (10.55.56.77) to manage/access resources on a different subnet (10.55.55.0/24).
With tools like "mtr" I pinged a server (10.55.55.34), setting the interval to 0.1 seconds and not losing a single ping for however long...
Sometimes though, some packages are getting dropped (as shown in the Opnsense UI screenshots attached), and I get kicked out of SSH sessions and web UIs etc.
The SSH sessions I'd say last 20/30 seconds, while web UI look slow at times, and some other times I get logged out too...
I obviously try adding rules which should have allow my management network to access everything, but some packages always end up getting caught.
Can anyone advice on how I should be debugging an issue like that please?
Thanks in advance for any tip.
Regards,
Andrea
I want my pc (10.55.56.77) to manage/access resources on a different subnet (10.55.55.0/24).
With tools like "mtr" I pinged a server (10.55.55.34), setting the interval to 0.1 seconds and not losing a single ping for however long...
Sometimes though, some packages are getting dropped (as shown in the Opnsense UI screenshots attached), and I get kicked out of SSH sessions and web UIs etc.
The SSH sessions I'd say last 20/30 seconds, while web UI look slow at times, and some other times I get logged out too...
I obviously try adding rules which should have allow my management network to access everything, but some packages always end up getting caught.
Can anyone advice on how I should be debugging an issue like that please?
Thanks in advance for any tip.
Regards,
Andrea
6
18.7 Legacy Series / Opnsense local config files backup
« on: December 11, 2018, 04:52:43 am »
Hi,
Background story
I'm half way through setting up an OpenVPN multi site setup.
Site1 is running the OpenVPN server (on OPNsense), while site2 and site3 are running some linux/openVPN clients.
The key to make this setup to work, is to add the openVPN "iroute" config for each client (site2 & site3), so that the openVPN server knows the subnets those clients/sites are providing.
OpenVPN settings
This setting is added in a client specific config file (defined by client-config-dir) which, in a normal linux environment, is normally somewhere like "/etc/openvpn/ccd/".
It took me a little while to find where OPNsense stores this (maybe just because I'm not used to freeBSD), and I found it to be in "/var/etc/openvpn-csc/3/" for some reason.
The number "3" is because this is the third openVPN I setup.
The config files for site2 would be "/var/etc/openvpn-csc/3/site2":
iroute 192.168.100.0 255.255.255.0
and for site3 would be /var/etc/openvpn-csc/3/site3:
iroute 192.168.110.0 255.255.255.0
Issue
I noticed that these configs/files do not get backed up by the standard OPNsense backup utility.
I've also noticed that when I cloned the VPN (as I changed listening port for some reason), these client specific config files were left behind.
Can someone please suggest the best practice here for either:
- including these client specific settings in the OPNsense web UI, so that they get backed up automatically with everything else;
- suggest a way to make sure these files/directories are backed up with the rest of the configs in some other ways.
Any advice would be much appreciated.
Regards,
Andrea
PS: of course I understand I could rsync the configs/directory at the same time I take the OPNsense backup, but I'm looking for the best practice/OPNsense way
Background story
I'm half way through setting up an OpenVPN multi site setup.
Site1 is running the OpenVPN server (on OPNsense), while site2 and site3 are running some linux/openVPN clients.
The key to make this setup to work, is to add the openVPN "iroute" config for each client (site2 & site3), so that the openVPN server knows the subnets those clients/sites are providing.
OpenVPN settings
This setting is added in a client specific config file (defined by client-config-dir) which, in a normal linux environment, is normally somewhere like "/etc/openvpn/ccd/".
It took me a little while to find where OPNsense stores this (maybe just because I'm not used to freeBSD), and I found it to be in "/var/etc/openvpn-csc/3/" for some reason.
The number "3" is because this is the third openVPN I setup.
The config files for site2 would be "/var/etc/openvpn-csc/3/site2":
iroute 192.168.100.0 255.255.255.0
and for site3 would be /var/etc/openvpn-csc/3/site3:
iroute 192.168.110.0 255.255.255.0
Issue
I noticed that these configs/files do not get backed up by the standard OPNsense backup utility.
I've also noticed that when I cloned the VPN (as I changed listening port for some reason), these client specific config files were left behind.
Can someone please suggest the best practice here for either:
- including these client specific settings in the OPNsense web UI, so that they get backed up automatically with everything else;
- suggest a way to make sure these files/directories are backed up with the rest of the configs in some other ways.
Any advice would be much appreciated.
Regards,
Andrea
PS: of course I understand I could rsync the configs/directory at the same time I take the OPNsense backup, but I'm looking for the best practice/OPNsense way
7
18.7 Legacy Series / Re: Can MTR (or similar) be installed?
« on: December 08, 2018, 04:45:54 pm »
alright, that was easy 
Thanks for the prompt response!
Regards,
Andrea
Thanks for the prompt response!
Regards,
Andrea
8
18.7 Legacy Series / Can MTR (or similar) be installed?
« on: December 08, 2018, 12:00:20 pm »
Hi,
I'm debugging some routing issues between different sites, is there a way to install MTR (or similar)?
MTR is an improvement over ping/traceroute.
Feel free to suggest a different/better tool to achieve the same results.
Regards,
Andrea
I'm debugging some routing issues between different sites, is there a way to install MTR (or similar)?
MTR is an improvement over ping/traceroute.
Feel free to suggest a different/better tool to achieve the same results.
Regards,
Andrea
9
18.1 Legacy Series / Re: OpenDNS Autoupdate?
« on: November 06, 2018, 02:54:56 am »
Hi,
I confirm that I'm having the same issue.
In my case I don't actually want to check "Filter DNS requests using OpenDNS" as i want to have the flexibility to use OpenDNS on some specific networks only.
To work around the lack of automatically updating my dynamic IP in "/services_opendns.php", I've installed the "os-dyndns" plugin, which looks great but unfortunately I could not get it to work to update OpenDNS as my WAN interface does not have a public IP address.
What I ended doing (as suggested above) is writing a cron for the following command:
curl -s -u 'username@gmail.com:myPassword' https://updates.opendns.com/nic/update?hostname=myServiceUsername
In case it helps anyone else:
1) create the cron file as: /usr/local/opnsense/service/conf/actions.d/actions_update_opendns.conf,
with content similar to:
2) service configd restart
3) Find your newly added cron in the "/ui/cron" add menu, and set it up to run every 10 minutes or so.
Hope it helps.
Regards,
Andrea
I confirm that I'm having the same issue.
In my case I don't actually want to check "Filter DNS requests using OpenDNS" as i want to have the flexibility to use OpenDNS on some specific networks only.
To work around the lack of automatically updating my dynamic IP in "/services_opendns.php", I've installed the "os-dyndns" plugin, which looks great but unfortunately I could not get it to work to update OpenDNS as my WAN interface does not have a public IP address.
What I ended doing (as suggested above) is writing a cron for the following command:
curl -s -u 'username@gmail.com:myPassword' https://updates.opendns.com/nic/update?hostname=myServiceUsername
In case it helps anyone else:
1) create the cron file as: /usr/local/opnsense/service/conf/actions.d/actions_update_opendns.conf,
with content similar to:
Code: [Select]
[update]
command:/usr/local/bin/curl
parameter:-s -u 'username@gmail.com:myPassword' https://updates.opendns.com/nic/update?hostname=myServiceUsername
type:script
message:Updating Dynamic DNS for OpenDNS
description:Update Dynamic DNS for OpenDNS
2) service configd restart
3) Find your newly added cron in the "/ui/cron" add menu, and set it up to run every 10 minutes or so.
Hope it helps.
Regards,
Andrea
10
Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: May 29, 2018, 03:14:17 am »
Hi,
Maybe it's just me, but I can't get this to work!
I can connect to the openVPN server, that is never been a problem.
I created a subnet 10.55.59.0/24, whose hosts are the only ones which should go through the VPN.
When I connect to the VPN, the router itself goes through the VPN (which it should not).
You can see from traceroute below:
The dafault gateway is correct (10.55.50.1), but somehow it goes through the openVPN one.
Hosts in other subnets (other than the VPN one), cannot get on the Internet:
I've attached the NAT/outbound rules, as I'm pretty sure I'm doing something wrong there, as I don't really know what they should look like (10.55.59.0/24 is colour coded "black").
I found rules along those lines in some "random" tutorials, and a pfsense tutorial from 4 years ago! :-/
I tried both Hybrid and manual NAT rule generation (plus all sorts of combinations). No luck!
If anyone can give me some hints, it would be much appreciated.
Regards,
Andrea
Maybe it's just me, but I can't get this to work!
I can connect to the openVPN server, that is never been a problem.
I created a subnet 10.55.59.0/24, whose hosts are the only ones which should go through the VPN.
When I connect to the VPN, the router itself goes through the VPN (which it should not).
You can see from traceroute below:
Code: [Select]
root@routy:~ # traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 40 byte packets
1 c-46-246-84-1.ip4.frootvpn.com (46.246.84.1) 34.104 ms 33.843 ms 33.998 ms
2 178.73.195.97 (178.73.195.97) 35.006 ms 34.265 ms 34.585 ms
3 be-1.cr1.sto2.se.portlane.net (80.67.4.208) 35.372 ms 35.370 ms 35.383 ms
4 72.14.216.118 (72.14.216.118) 34.637 ms 34.987 ms 34.275 ms
5 108.170.253.161 (108.170.253.161) 35.504 ms
108.170.254.33 (108.170.254.33) 35.479 ms 35.283 ms
6 216.239.58.43 (216.239.58.43) 34.759 ms
72.14.236.85 (72.14.236.85) 34.908 ms
74.125.37.157 (74.125.37.157) 34.624 ms
7 google-public-dns-b.google.com (8.8.4.4) 34.819 ms 34.505 ms 35.023 ms
The dafault gateway is correct (10.55.50.1), but somehow it goes through the openVPN one.
Code: [Select]
root@routy:~ # netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
0.0.0.0/1 46.246.84.1 UGS ovpnc1
default 10.55.50.1 UGS igb0
[..]
Hosts in other subnets (other than the VPN one), cannot get on the Internet:
Code: [Select]
root@willy:~# traceroute google.com
traceroute to google.com (172.217.22.174), 30 hops max, 60 byte packets
1 routy.home (10.55.55.1) 0.200 ms 0.170 ms 0.179 ms
2 * * *
3 * * *
4 * * *
5 * * *
I've attached the NAT/outbound rules, as I'm pretty sure I'm doing something wrong there, as I don't really know what they should look like (10.55.59.0/24 is colour coded "black").
I found rules along those lines in some "random" tutorials, and a pfsense tutorial from 4 years ago! :-/
I tried both Hybrid and manual NAT rule generation (plus all sorts of combinations). No luck!
If anyone can give me some hints, it would be much appreciated.
Regards,
Andrea
11
Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: April 10, 2018, 08:04:29 pm »
have you guys tried the latest 18.1.6 yet? I haven't.
12
Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: March 31, 2018, 07:22:58 pm »
Hi Seamus,
Unfortunately I made no progress since my last post.
Regards,
Andrea
Unfortunately I made no progress since my last post.
Regards,
Andrea
13
Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: March 13, 2018, 06:19:08 pm »
I use local name resolving.
Anyway I don't think my problem is DNS related.
After having stopped pulling new routes from my VPN provider, every VLAN/subnet can go on the Internet freely.
The problem I have right now is that even the VLAN which should go on the Internet through the VPN only, does not go through the VPN tunnel.
So either I need to find a way to specify a different gateway for the "VPN VLAN", or I need to understand policy based routing.
So far I've been following this instructions by M4DM4NZ (BTW, thank you very much!!!), but if there is a better way (particularly now with 18.1.x) to achieve what I need, I'm all ears.
Regards,
Andrea
PS: is there a single place where to retrieve all FW rules? I have lots of subnets...
Anyway I don't think my problem is DNS related.
After having stopped pulling new routes from my VPN provider, every VLAN/subnet can go on the Internet freely.
The problem I have right now is that even the VLAN which should go on the Internet through the VPN only, does not go through the VPN tunnel.
So either I need to find a way to specify a different gateway for the "VPN VLAN", or I need to understand policy based routing.
So far I've been following this instructions by M4DM4NZ (BTW, thank you very much!!!), but if there is a better way (particularly now with 18.1.x) to achieve what I need, I'm all ears.
Regards,
Andrea
PS: is there a single place where to retrieve all FW rules? I have lots of subnets...
14
Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: March 13, 2018, 10:20:30 am »
I'm using Unbound default settings (I think).
Anyway "Enable DNS Resolver" is ticked, while "Enable Forwarding Mode" is unticked.
Anyway "Enable DNS Resolver" is ticked, while "Enable Forwarding Mode" is unticked.
15
Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: March 13, 2018, 01:57:22 am »
actually, possibly the biggest routing problem experienced (in my case) came from this rule:
0.0.0.0/1 46.246.85.1 UGS ovpnc1
I thought this was added by OpnSense (for some reason) but it isn't; this rule is added by the VPN provider I use, therefore ticking either "Don't pull routes" or "Don't add/remove routes" (not too sure about the difference at this stage) stops OpnSense from pulling extra routes and mess my routing table.
Now all VLANs can go on the Internet even when the VPN is enabled/working.
The only problem I'm left with now, is that the VLAN which should be tunneled through the VPN, isn't.
I'll have to investigate in that direction.
Regards,
Andrea
0.0.0.0/1 46.246.85.1 UGS ovpnc1
I thought this was added by OpnSense (for some reason) but it isn't; this rule is added by the VPN provider I use, therefore ticking either "Don't pull routes" or "Don't add/remove routes" (not too sure about the difference at this stage) stops OpnSense from pulling extra routes and mess my routing table.
Now all VLANs can go on the Internet even when the VPN is enabled/working.
The only problem I'm left with now, is that the VLAN which should be tunneled through the VPN, isn't.
I'll have to investigate in that direction.
Regards,
Andrea
Pages: [1] 2