Messages - incirrata

#1
19.7 Legacy Series / Re: strongswan.conf location
August 15, 2019, 08:48:10 PM
Thanks rainerle, that was exactly what I was looking for!
#2
19.7 Legacy Series / strongswan.conf location
August 14, 2019, 04:51:52 PM
Hello. I'd like to connect a remote Linux server to my firewall via IPsec using the existing strongswan.conf on my firewall as a basis for the configuration of the new tunnel. Where is strongswan.conf kept?
#3
I've made a mistake configuring a new firewall: I enabled DHCP on LAN and after connecting to the web interface I checked "Deny unknown clients" without immediately adding any hosts to the static mapping list. I didn't realize the problem at first, it only became apparent when my host tried to renew DHCP. I can still log in via the console, but I can't reach the web interface at all. Is there a config file I can edit to disable "Deny unknown clients" for the LAN interface?

I've tried setting "denyunknown" in /conf/config.xml to 0 and rebooting, but this didn't do the trick.

EDIT: Disaster averted! For anyone reading this thread in the future, just follow these steps to save yourself:

  • Log into the firewall console as root or some other admin user.
  • If you logged in as root, hit 8 to go to the shell.
  • Edit the file /conf/config.xml
  • Go to the section <dhcp> and find the subsection <lan>
  • Add the line <enable>1</enable> just underneath <lan>
  • Remove the entire line <denyunknown>1</denyunknown>, don't just set it to 0!
  • Save the file
  • Reload DHCP; if you are logged in as root just go back to the console and hit 11 to reload all services
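The same edit as the steps above, done with a script instead of by hand, as an added example that is not part of the original post. It is assumed here that OPNsense keeps the DHCPv4 server settings under <dhcpd><lan> in /conf/config.xml (the post refers to the section as <dhcp>, so the tag name is a parameter), that the script is run from the console shell as root, and that services are reloaded afterwards exactly as in the last step. The element is removed rather than set to 0, because the post reports that <denyunknown>0</denyunknown> did not restore service. ElementTree rewrites the whole file and drops XML comments, so a backup is taken first; the sample config embedded below is constructed for the example, not copied from a real firewall.

```python
"""Remove "Deny unknown clients" from the LAN DHCP section of an OPNsense
config.xml (added example; assumed <dhcpd>/<lan> layout)."""
import shutil
import sys
import xml.etree.ElementTree as ET

CONFIG_PATH = "/conf/config.xml"

# Constructed sample shaped like the relevant part of a config.xml.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <dhcpd>
    <lan>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <denyunknown>1</denyunknown>
    </lan>
    <opt1>
      <enable>1</enable>
      <range><from>10.0.0.100</from><to>10.0.0.199</to></range>
    </opt1>
  </dhcpd>
</opnsense>
"""


def allow_unknown_clients(root, iface="lan", dhcp_tag="dhcpd"):
    """Drop every <denyunknown> under <dhcp_tag>/<iface> and make sure the
    server is enabled. Returns True if the tree was changed."""
    section = root.find(f"{dhcp_tag}/{iface}")
    if section is None:
        raise KeyError(f"no <{dhcp_tag}>/<{iface}> section in config")
    changed = False
    for el in section.findall("denyunknown"):
        section.remove(el)          # remove, do not just set it to 0
        changed = True
    if section.find("enable") is None:
        enable = ET.Element("enable")
        enable.text = "1"
        section.insert(0, enable)   # first child, as in the post's steps
        changed = True
    return changed


def fix_config_text(xml_text, iface="lan", dhcp_tag="dhcpd"):
    """Same edit on the file contents; returns (new_xml_text, changed)."""
    root = ET.fromstring(xml_text)
    changed = allow_unknown_clients(root, iface, dhcp_tag)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0"?>\n' + body + "\n", changed


def deny_unknown_active(xml_text, iface="lan", dhcp_tag="dhcpd"):
    """Read-only check: is "Deny unknown clients" set on this interface?"""
    section = ET.fromstring(xml_text).find(f"{dhcp_tag}/{iface}")
    el = section.find("denyunknown") if section is not None else None
    return el is not None and (el.text or "").strip() not in ("", "0")


if __name__ == "__main__":
    # Usage on the firewall console:  python3 fix_denyunknown.py [lan]
    iface = sys.argv[1] if len(sys.argv) > 1 else "lan"
    shutil.copy2(CONFIG_PATH, CONFIG_PATH + ".bak")   # keep a way back
    with open(CONFIG_PATH, encoding="utf-8") as fh:
        new_text, changed = fix_config_text(fh.read(), iface)
    if changed:
        with open(CONFIG_PATH, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    print("changed, now reload services" if changed else "nothing to do")
```

After running it, reload services from the console menu as the post describes so the DHCP daemon picks up the new config.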
#4
Hi all, I'm setting up a guest Wi-Fi network in OPNsense. All Wi-Fi is handled via the PUBLIC interface, and I use firewall rules to prevent any traffic from reaching my LAN interface PRIVATE. However, I'm using Unbound DNS on both interfaces. PUBLIC users could still get the IP of PRIVATE hosts using nslookup, ping, etc. Is there any way to prevent that?

How it currently is:

  • PUBLIC host nslookups PRIVATE host
  • IP address of PRIVATE host is displayed

How I'd like it:

  • PUBLIC host nslookups PRIVATE host
  • ** server can't find [PRIVATE host]: NXDOMAIN
#5
I set up CARP using the OPNsense docs, and it mostly works; the firewalls sync and failover correctly. For the sake of example, let's say my setup has the same WAN IPs as the OPNsense docs:

Primary: 172.18.0.101/24
Secondary: 172.18.0.102/24
Virtual IP: 172.18.0.100/24

I've made a manual outbound NAT rule with the following settings:

Interface: WAN
Source: any
Source Port: *
Destination: *
Destination Port: *
NAT Address: 172.18.0.100
NAT Port: *
Static Port: NO

However there are two major problems:

  • When the primary firewall comes back up, the secondary firewall will not relinquish master status. The secondary-master must be brought down/rebooted for the primary to reclaim CARP master.
  • Regardless of which firewall is currently the backup, its WAN interfaces are perpetually down. This seems to be because it is trying to use the WAN virtual IP, but that IP is already used by the current master.

I tried everything I could think of to fix this, and eventually I found the following note in the pfSense CARP docs:

Quote: Never add outbound NAT rules that could match the WAN/Public IP addresses of the cluster. This includes both rules that have the public IP addresses listed explicitly and also rules that have any set as a source. These NAT rules will cause other problems/unintended behavior, and will break outbound connectivity from the secondary node when it is in a BACKUP state.

This exactly describes at least one of my problems. Assuming "the WAN/Public IP addresses of the cluster" would refer to 172.18.0.100, this seems to be at odds with the OPNsense CARP docs, which state the following:

Quote: Go to Firewall -> NAT and select outbound nat. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).

So, if you aren't supposed to use the WAN virtual IP, which NAT address should be used to set up outbound NAT correctly?
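An added example, not part of the post or of either project's documentation, that turns the pfSense warning quoted above into a check you can run against a config backup: it lists the manual outbound NAT rules on the WAN interface whose source is "any", or whose source network contains one of the cluster's own WAN addresses, which is exactly the catch-all rule described in the post. The config.xml layout is an assumption (outbound rules under <nat><outbound><rule> with <interface>, <source> holding <any/> or <network>, and <target> as the NAT address); verify it against your own /conf/config.xml before trusting the output. The sample config below is constructed for the example.

```python
"""Flag outbound NAT rules that match a CARP cluster's own WAN traffic
(added example; assumed <nat>/<outbound>/<rule> layout)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the catch-all rule from the post plus a LAN-scoped one.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <interface>wan</interface>
        <source><any/></source>
        <destination><any/></destination>
        <target>172.18.0.100</target>
        <descr>catch-all</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.1.0/24</network></source>
        <destination><any/></destination>
        <target>172.18.0.100</target>
        <descr>lan to carp vip</descr>
      </rule>
    </outbound>
  </nat>
</opnsense>
"""

# The three WAN addresses of the cluster as given in the post.
CLUSTER_WAN = ["172.18.0.101", "172.18.0.102", "172.18.0.100"]


def rule_source(rule):
    """Return 'any' or the source network string of an outbound rule."""
    src = rule.find("source")
    if src is None or src.find("any") is not None:
        return "any"
    net = src.findtext("network") or src.findtext("address")
    return net.strip() if net else "any"


def source_covers(source, addresses):
    """True if the rule source would match traffic from any of the addresses."""
    if source == "any":
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False     # alias or interface name: cannot be evaluated offline
    return any(ipaddress.ip_address(a) in net for a in addresses)


def audit_outbound_nat(xml_text, cluster_addrs, wan="wan"):
    """Return a list of (descr, reason) for WAN rules that break the rule of
    thumb quoted from the pfSense CARP docs."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iterfind("nat/outbound/rule"):
        if (rule.findtext("interface") or "").strip().lower() != wan:
            continue
        descr = (rule.findtext("descr") or "<no description>").strip()
        source = rule_source(rule)
        if source == "any":
            findings.append((descr, "source is any: also matches the cluster's own WAN traffic"))
        elif source_covers(source, cluster_addrs):
            findings.append((descr, f"source {source} contains a cluster WAN address"))
    return findings


if __name__ == "__main__":
    # Usage: point xml_text at a downloaded config backup instead of the sample.
    for descr, reason in audit_outbound_nat(SAMPLE_CONFIG, CLUSTER_WAN):
        print(f"WARNING rule '{descr}': {reason}")
```

Rules whose source is an alias or interface name are skipped rather than guessed at, so a clean report from this script is not proof that no rule matches the cluster addresses.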
#6
My firewall's system log (System -> Log Files -> General) is unusable because it is getting the same "no active session, user not found" message every second. Each message is prefaced by "api" and a random number in brackets. I'm not sure what is causing this or how to fix it. Any ideas?
#7
18.7 Legacy Series / Unbound DNS Override for Web GUI?
October 22, 2018, 10:36:38 PM
I have a fairly complex firewall setup with multiple physical LANs and WANs. I use DHCP static mappings to help control which hosts can connect to which LAN, and Unbound to provide DNS on each LAN and the oVPN server. The web GUI is running on a separate physical interface called CONTROL, which connects to one of the LANs, called TRUSTED.

I want to be able to access the web GUI by entering the firewall's hostname and domain in my browser, as normal, but this isn't possible right now because when I nslookup the firewall, it shows the network address of all LANs and the VPN; the interfaces marked as Network Interfaces in Unbound. I tried creating a DNS override in Unbound with just the CONTROL IP, but this just added it to the list of addresses found when using nslookup.

How can I use Unbound to provide DNS to my various LANs and VPN servers, but retain only one DNS entry that corresponds to the web GUI?
#8
18.7 Legacy Series / Managing DNS between branch offices?
September 05, 2018, 07:05:13 PM
I have OPNsense firewalls deployed to two different offices that communicate with each other via IPsec tunnels. The trouble is that I need to somehow keep the DNS records of 300+ hosts consistent between the two. It would be a hassle to change both firewalls every time there is a change in one location. Is there some way to sync DNS between two different firewalls in two different physical locations?
#9
Sure, here's an example of traceroute from behind the PFsense firewall (external IP would be X.X.X.74). I hope it will make sense to you. Traceroute from a different ISP network is more or less the same, it just takes 12 hops to get to "isp-upstream-gateway".

traceroute to OPNsense-firewall (X.X.X.75), 30 hops max, 60 byte packets
1  PFsense-firewall (192.168.76.254)  0.220 ms  0.217 ms  0.213 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  isp-upstream-gateway (X.X.X.73)  3.376 ms  3.261 ms  3.259 ms
7  isp-upstream-gateway (X.X.X.73) 3.861 ms  3.801 ms  3.851 ms
8  isp-upstream-gateway (X.X.X.73) 4.415 ms  4.398 ms  4.385 ms
9  isp-upstream-gateway (X.X.X.73) 4.926 ms  4.971 ms  4.961 ms
10  isp-upstream-gateway (X.X.X.73) 5.523 ms  5.559 ms  5.628 ms
11  isp-upstream-gateway (X.X.X.73) 6.155 ms  6.135 ms  6.108 ms
12  isp-upstream-gateway (X.X.X.73) 6.723 ms  6.719 ms  6.771 ms
13  isp-upstream-gateway (X.X.X.73) 7.355 ms  7.262 ms  7.298 ms
14  isp-upstream-gateway (X.X.X.73) 7.926 ms  7.795 ms  7.845 ms
15  isp-upstream-gateway (X.X.X.73) 8.461 ms  8.456 ms  8.511 ms
16  isp-upstream-gateway (X.X.X.73) 9.009 ms  9.167 ms  9.075 ms
17  isp-upstream-gateway (X.X.X.73) 9.690 ms  9.687 ms  9.681 ms
18  isp-upstream-gateway (X.X.X.73) 10.235 ms  10.233 ms  10.205 ms
19  isp-upstream-gateway (X.X.X.73) 10.838 ms  10.857 ms  10.856 ms
20  isp-upstream-gateway (X.X.X.73) 11.448 ms  11.441 ms  11.380 ms
21  isp-upstream-gateway (X.X.X.73) 11.894 ms  11.898 ms  11.895 ms
22  isp-upstream-gateway (X.X.X.73) 12.537 ms  12.518 ms  12.515 ms
23  isp-upstream-gateway (X.X.X.73) 13.125 ms  13.172 ms  13.049 ms
24  isp-upstream-gateway (X.X.X.73) 13.719 ms  13.671 ms  13.664 ms
25  isp-upstream-gateway (X.X.X.73) 14.246 ms  14.278 ms  14.271 ms
26  isp-upstream-gateway (X.X.X.73) 14.822 ms  14.849 ms  14.841 ms
27  isp-upstream-gateway (X.X.X.73) 15.406 ms  15.417 ms  15.415 ms
28  isp-upstream-gateway (X.X.X.73) 15.975 ms  15.880 ms  16.000 ms
29  isp-upstream-gateway (X.X.X.73) 16.536 ms  16.619 ms  16.567 ms
30  isp-upstream-gateway (X.X.X.73) 17.119 ms  17.032 ms  17.029 ms
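An added example, not part of the post, that parses Linux traceroute output like the trace above and picks out the signature of a routing loop: one hop address answering for every TTL from some point on, with the RTT growing by a roughly constant step per TTL because each probe makes one more round trip before being dropped. A healthy path never reports the same hop twice. The sample trace is constructed from the first twelve lines of the post's output; the X.X.X placeholders are kept and treated as opaque hop names.

```python
"""Detect a repeated-hop routing loop in traceroute output (added example)."""
import re

# Constructed from the posted trace; placeholders left as in the post.
SAMPLE_TRACE = """traceroute to OPNsense-firewall (X.X.X.75), 30 hops max, 60 byte packets
 1  PFsense-firewall (192.168.76.254)  0.220 ms  0.217 ms  0.213 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  isp-upstream-gateway (X.X.X.73)  3.376 ms  3.261 ms  3.259 ms
 7  isp-upstream-gateway (X.X.X.73) 3.861 ms  3.801 ms  3.851 ms
 8  isp-upstream-gateway (X.X.X.73) 4.415 ms  4.398 ms  4.385 ms
 9  isp-upstream-gateway (X.X.X.73) 4.926 ms  4.971 ms  4.961 ms
10  isp-upstream-gateway (X.X.X.73) 5.523 ms  5.559 ms  5.628 ms
11  isp-upstream-gateway (X.X.X.73) 6.155 ms  6.135 ms  6.108 ms
12  isp-upstream-gateway (X.X.X.73) 6.723 ms  6.719 ms  6.771 ms
"""

# "<ttl>  <name> (<addr>)  <rtt> ms ..." or "<ttl>  * * *"
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\(([^)]+)\)((?:\s+[\d.]+\s+ms)+)|\* \* \*)")
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def parse_hops(text):
    """Return a list of (ttl, address or None, [rtts]) in TTL order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # header line or unparsable line
        ttl = int(m.group(1))
        if m.group(3) is None:
            hops.append((ttl, None, []))   # no reply for this TTL
        else:
            rtts = [float(x) for x in RTT_RE.findall(m.group(4))]
            hops.append((ttl, m.group(3), rtts))
    return hops


def detect_loop(hops, min_repeats=3):
    """Return (address, first_ttl, count, mean_rtt_step_ms) for the longest
    run of consecutive TTLs answered by the same address, or None if no run
    reaches min_repeats. Silent hops (None) never count as a run."""
    best = None
    i = 0
    while i < len(hops):
        addr = hops[i][1]
        j = i
        while addr is not None and j < len(hops) and hops[j][1] == addr:
            j += 1
        run = hops[i:j]
        if addr is not None and len(run) >= min_repeats and (best is None or len(run) > best[2]):
            means = [sum(r) / len(r) for _, _, r in run if r]
            step = (means[-1] - means[0]) / (len(means) - 1) if len(means) > 1 else 0.0
            best = (addr, run[0][0], len(run), round(step, 3))
        i = j if j > i else i + 1
    return best


if __name__ == "__main__":
    # Usage: traceroute <host> | python3 trace_loop.py   (reads stdin if piped)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    loop = detect_loop(parse_hops(text))
    if loop:
        addr, ttl, count, step = loop
        print(f"loop: {addr} answered for {count} consecutive TTLs from {ttl}, "
              f"RTT grows ~{step} ms per TTL")
    else:
        print("no repeated hop found")
```

On the posted trace the script reports the ISP gateway answering for every TTL from 6 onward with the RTT growing by a little over half a millisecond per TTL; that per-hop step is the extra round trip each probe makes before it is discarded, which is what distinguishes a loop from a gateway that merely rate-limits ICMP.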
#10
My environment has two Netgate XG-2758 firewalls; one is running OPNsense 18.1 and the other is still on PFsense. We also have two ISPs coming in. While both ISP WAN connections work great on the PFsense firewall, they do not work properly on OPNsense despite identical upstream gateway, netmask and IPs confirmed in our block. The gateways and interfaces do not appear to go down, the daemons don't seem to crash, there is nothing unusual in the logs as far as I can tell, but the IPsec VPN tunnel has a weird flickering problem and when I try to traceroute to the firewall it just hits the upstream gateway again and again.

I have already tried all of the following:

  • A laptop using the same IP, netmask and gateway as the OPNsense firewall works as expected.
  • I have tried using different IPs in our WAN blocks; same results.
  • I have tried using different firewall interfaces as WAN; same results.
  • I have tried connecting to only one ISP at a time; same results.
  • I have tried setting up multi-WAN; same results.
  • I have tried disabling IPsec, but this problem was evident from traceroute before IPsec was configured.
  • Sticky connections is disabled.

At this point I am not sure what else to do. Does anyone have any idea how to fix this?
#11
Franco was right - it does "just work", if you have a basic understanding of GEOM (which I did not). The fix is included in an edit to the OP. What you want to do is wipe the drives, create the GEOM mirror, then install OPNsense to the GEOM mirror device. You're not supposed to install OPNsense on ada0 or ada1!
#12
I tried wiping the SSDs and installing OPNsense from scratch again, and this time it worked! The difference? I didn't set up GEOM this time. I am going to try to research GEOM because I do not really understand it, but the OPNsense installer GEOM configuration utility is very straightforward so I'm not sure how I could have messed it up...

EDIT: I was also able to install under MBR with no problems after wiping the drives. Unfortunately installing both drives under MBR then setting up GEOM from the installer still takes me to mountroot on boot, so there is still something left to solve.
#13
I was able to wipe the XG-2758's SSDs today and started the OPNsense installer from scratch. While the mirror/pfSenseMirror is now gone, I'm still getting the same mountroot prompt. Am I doing something wrong with selecting ada0 as the primary and ada1 as the secondary when setting up the GEOM mirror? Am I supposed to set the GEOM mirror before I install OPNsense on the SSDs?
#14
I've managed to get the serial installer working on my troublesome Netgate XG-2758, but I've encountered a lot of bsdlabel and mounting errors during and after install; I'm not very familiar with BSD or GEOM and am not sure what to do about this. I am using the 18.1 serial installer now, but have had the same problems with the 17.7 installer too. The only way I can complete the installation is to use the Guided install -> GPT/UEFI method; anything else results in bsdlabel errors. Choosing Guided install -> MBR produces this error:

/sbin/bsdlabel -B -r -w ada0s1 auto FAILED with a return code of 1.

Viewing the log returns the following:

BSD Installer started
DFUI connection on tcp:9999 successfully established
,- opened pty to '/sbin/sysctl -n hw.physmem'
< 17138442240
`- closed pty to '/sbin/sysctl -n hw.physmem'
`/sbin/sysctl -n hw.physmem` returned: 17138442240
,- opened pty to '/sbin/sysctl -n kern.disks'
< da0 ada1 ada0
`- closed pty to '/sbin/sysctl -n kern.disks'
`/sbin/sysctl -n kern.disks` returned: da0 ada1 ada0
/dev/mirror exists. Surveying.
,- opened pty to '/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"'
< mirror/OPNsenseMirror
`- closed pty to '/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"'
`/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"` returned: mirror/OPNsenseMirror
Testing mirror/OPNsenseMirror
Invoking survey for mirror/OPNsenseMirror
Surveying Disk: mirror/OPNsenseMirror ...
| Media sector size is 512
| Warning: BIOS sector numbering starts with sector 1
| Information from DOS bootblock is:
| The data for partition 1 is:
| sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
| start 63, size 234441585 (114473 Meg), flag 80 (active)
| beg: cyl 0/ head 1/ sector 1;
| end: cyl 132/ head 15/ sector 63
| The data for partition 2 is:
| <UNUSED>
| The data for partition 3 is:
| <UNUSED>
| The data for partition 4 is:
| <UNUSED>
`->>> Exit status: 0
,-<<< Executing `/sbin/bsdlabel -B -r -w ada0s1 auto'
| bsdlabel: unable to get correct path for ada0s1: No such file or directory
`->>> Exit status: 1

When this happens, it becomes impossible to leave the installer without rebooting as far as I know. <Retry> and <Cancel> will immediately display the same error again; <Skip> will cycle through a few more errors until it comes back to the original. The Manual install option also produces this error, but the <Cancel> option allows you to go back and choose other options. That being said, I was able to install GPT/UEFI on both ada0 and ada1 using the Guided install, and created an OPNsense GEOM mirror using ada0 as the primary and ada1 as the secondary. When booting the system, however, I get the following error:

mountroot: waiting for device /dev/gpt/rootfs...
Mounting from ufs:/dev/gpt/rootfs failed with error 19.

Typing "?" at the resulting mountroot prompt gives me four options: mirror/OPNsenseMirror, mirror/pfSenseMirror, ada1 and ada0. I am not sure how to remove the pfSenseMirror, but entering "ufs:/dev/mirror/OPNsenseMirror" produces this error:

Mounting from ufs:/dev/mirror/OPNsenseMirror failed with error 22.

The other devices listed present the same error. How can I mount one of these filesystems and get the system working normally?

EDIT: Figured it out. You're supposed to wipe the drives, create the GEOM mirror BEFORE installing OPNsense on either drive, then select mirror/OPNsenseMirror as the device to install to. DO NOT try to install OPNsense on ada0 and/or ada1 THEN create the mirror. Then it should just work!
#15
Hi all, trying to install OPNsense 18.1 on a Netgate XG-2758. While I've installed OPNsense using a VGA monitor and USB keyboard without problem, this model of firewall has no VGA port, only microUSB serial. I have the amd64 serial OPNsense image written to a USB drive, and can get to the BIOS over serial. However, when I choose to boot from the USB drive I get this message:

Quote
/boot/config: -S115200 -D

/oading /boot/defaults/loader.confsion 1.1port

After this, the serial connection does not seem to send/receive anymore. I have let it sit like this for an hour with no change. Any ideas what's up with it?

EDIT: Big thanks to pylox and bhsense for the following post: https://forum.opnsense.org/index.php?topic=6998.msg31097#msg31097

Pylox's instructions got the installer displaying correctly for me.