1
19.7 Legacy Series / Re: strongswan.conf location
« on: August 15, 2019, 08:48:10 pm »
Thanks rainerle, that was exactly what I was looking for!
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
19.7 Legacy Series / strongswan.conf location
« on: August 14, 2019, 04:51:52 pm »
Hello. I'd like to connect a remote Linux server to my firewall via IPsec using the existing strongswan.conf on my firewall as a basis for the configuration of the new tunnel. Where is strongswan.conf kept?
3
19.1 Legacy Series / Changing DHCP settings from console?
« on: March 29, 2019, 08:50:58 pm »
I've made a mistake configuring a new firewall: I enabled DHCP on LAN and after connecting to the web interface I checked "Deny unknown clients" without immediately adding any hosts to the static mapping list. I didn't realize the problem at first, it only became apparent when my host tried to renew DHCP. I can still log in via the console, but I can't reach the web interface at all. Is there a config file I can edit to disable "Deny unknown clients" for the LAN interface?
I've tried setting "denyunknown" in /conf/config.xml to 0 and rebooting, but this didn't do the trick.
EDIT: Disaster averted! For anyone reading this thread in the future, just follow these steps to save yourself:
I've tried setting "denyunknown" in /conf/config.xml to 0 and rebooting, but this didn't do the trick.
EDIT: Disaster averted! For anyone reading this thread in the future, just follow these steps to save yourself:
- Log into the firewall console as root or some other admin user.
- If you logged in as root, hit 8 to go to the shell.
- Edit the file /conf/config.xml
- Go to the section <dhcp> and find the subsection <lan>
- Add the line <enable>1</enable> just underneath <lan>
- Remove the entire line <denyunknown>1</denyunknown>, don't just set it to 0!
- Save the file
- Reload DHCP; if you are logged in as root just go back to the console and hit 11 to reload all services
4
19.1 Legacy Series / Limiting cross-interface DNS in Unbound
« on: March 27, 2019, 04:26:08 pm »
Hi all, I'm setting up a guest Wi-Fi network in OPNsense. All Wi-Fi is handled via the PUBLIC interface, and I use firewall rules to prevent any traffic from reaching my LAN interface PRIVATE. However, I'm using Unbound DNS on both interfaces. PUBLIC users could still get the IP of PRIVATE hosts using nslookup, ping, etc. Is there any way to prevent that?
How it currently is:
How I'd like it:
How it currently is:
- PUBLIC host nslookups PRIVATE host
- IP address of PRIVATE host is displayed
How I'd like it:
- PUBLIC host nslookups PRIVATE host
- ** server can't find [PRIVATE host]: NXDOMAIN
5
18.7 Legacy Series / Configuring CARP outbound NAT correctly?
« on: December 03, 2018, 06:31:48 pm »
I set up CARP using the OPNsense docs, and it mostly works; the firewalls sync and failover correctly. For the sake of example, let's say my setup has the same WAN IPs as the OPNsense docs:
I've made a manual outbound NAT rule with the following settings:
However there are two major problems:
I tried everything I could think of to fix this, and eventually I found the following note in the pfSense CARP docs:
This exactly describes at least one of my problems. Assuming "the WAN/Public IP addresses of the cluster" would refer to 172.18.0.100, this seems to be at odds with the OPNsense CARP docs, which state the following:
So, if you aren't supposed to use the WAN virtual IP, which NAT address should be used to set up outbound NAT correctly?
| Primary | 172.18.0.101/24 |
| Secondary | 172.18.0.102/24 |
| Virtual IP | 172.18.0.100/24 |
I've made a manual outbound NAT rule with the following settings:
| Interface | WAN |
| Source | any |
| Source Port | * |
| Destination | * |
| Destination Port | * |
| NAT Address | 172.18.0.100 |
| NAT Port | * |
| Static Port | NO |
However there are two major problems:
- When the primary firewall comes back up, the secondary firewall will not relinquish master status. The secondary-master must be brought down/rebooted for the primary to reclaim CARP master.
- Regardless of which firewall is currently the backup, its WAN interfaces are perpetually down. This seems to be because it is trying to use the WAN virtual IP, but that IP is already used by the current master.
I tried everything I could think of to fix this, and eventually I found the following note in the pfSense CARP docs:
Quote
Never add outbound NAT rules that could match the WAN/Public IP addresses of the cluster. This includes both rules that have the public IP addresses listed explicitly and also rules that have any set as a source. These NAT rules will cause other problems/unintended behavior, and will break outbound connectivity from the secondary node when it is in a BACKUP state.
This exactly describes at least one of my problems. Assuming "the WAN/Public IP addresses of the cluster" would refer to 172.18.0.100, this seems to be at odds with the OPNsense CARP docs, which state the following:
Quote
Go to Firewall -> NAT and select outbound nat. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).
So, if you aren't supposed to use the WAN virtual IP, which NAT address should be used to set up outbound NAT correctly?
6
18.7 Legacy Series / General log gets "no active session, user not found" every second
« on: November 13, 2018, 10:05:49 pm »
My firewall's system log (System -> Log Files -> General) is unusable because it is getting the same "no active session, user not found" message every second. Each message is prefaced by "api" and a random number in brackets. I'm not sure what is causing this or how to fix it. Any ideas?
7
18.7 Legacy Series / Unbound DNS Override for Web GUI?
« on: October 22, 2018, 10:36:38 pm »
I have a fairly complex firewall setup with multiple physical LANs and WANs. I use DHCP static mappings to help control which hosts can connect to which LAN, and Unbound to provide DNS on each LAN and the oVPN server. The web GUI is running on a separate physical interface called CONTROL, which connects to one of the LANs, called TRUSTED.
I want to be able to access the web GUI by entering the firewall's hostname and domain in my browser, as normal, but this isn't possible right now because when I nslookup the firewall, it shows the network address of all LANs and the VPN; the interfaces marked as Network Interfaces in Unbound. I tried creating a DNS override in Unbound with just the CONTROL IP, but this just added it to the list of addresses found when using nslookup.
How can I use Unbound to provide DNS to my various LANs and VPN servers, but retain only one DNS entry that corresponds to the web GUI?
I want to be able to access the web GUI by entering the firewall's hostname and domain in my browser, as normal, but this isn't possible right now because when I nslookup the firewall, it shows the network address of all LANs and the VPN; the interfaces marked as Network Interfaces in Unbound. I tried creating a DNS override in Unbound with just the CONTROL IP, but this just added it to the list of addresses found when using nslookup.
How can I use Unbound to provide DNS to my various LANs and VPN servers, but retain only one DNS entry that corresponds to the web GUI?
8
18.7 Legacy Series / Managing DNS between branch offices?
« on: September 05, 2018, 07:05:13 pm »
I have OPNsense firewalls deployed to two different offices that communicate with each other via IPsec tunnels. The trouble is that I need to somehow keep the DNS records of 300+ hosts consistent between the two. It would be a hassle to change both firewalls every time there is a change in one location. Is there some way to sync DNS between two different firewalls in two different physical locations?
9
18.1 Legacy Series / Re: Cannot Traceroute WAN Connection?
« on: May 07, 2018, 05:58:38 pm »
Sure, here's an example of traceroute from behind the PFsense firewall (external IP would be X.X.X.74). I hope it will make sense to you. Traceroute from a different ISP network is more or less the same, it just takes 12 hops to get to "isp-upstream-fateway".
Code: [Select]
traceroute to OPNsense-firewall (X.X.X.75), 30 hops max, 60 byte packets
1 PFsense-firewall (192.168.76.254) 0.220 ms 0.217 ms 0.213 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 isp-upstream-gateway (X.X.X.73) 3.376 ms 3.261 ms 3.259 ms
7 isp-upstream-gateway (X.X.X.73) 3.861 ms 3.801 ms 3.851 ms
8 isp-upstream-gateway (X.X.X.73) 4.415 ms 4.398 ms 4.385 ms
9 isp-upstream-gateway (X.X.X.73) 4.926 ms 4.971 ms 4.961 ms
10 isp-upstream-gateway (X.X.X.73) 5.523 ms 5.559 ms 5.628 ms
11 isp-upstream-gateway (X.X.X.73) 6.155 ms 6.135 ms 6.108 ms
12 isp-upstream-gateway (X.X.X.73) 6.723 ms 6.719 ms 6.771 ms
13 isp-upstream-gateway (X.X.X.73) 7.355 ms 7.262 ms 7.298 ms
14 isp-upstream-gateway (X.X.X.73) 7.926 ms 7.795 ms 7.845 ms
15 isp-upstream-gateway (X.X.X.73) 8.461 ms 8.456 ms 8.511 ms
16 isp-upstream-gateway (X.X.X.73) 9.009 ms 9.167 ms 9.075 ms
17 isp-upstream-gateway (X.X.X.73) 9.690 ms 9.687 ms 9.681 ms
18 isp-upstream-gateway (X.X.X.73) 10.235 ms 10.233 ms 10.205 ms
19 isp-upstream-gateway (X.X.X.73) 10.838 ms 10.857 ms 10.856 ms
20 isp-upstream-gateway (X.X.X.73) 11.448 ms 11.441 ms 11.380 ms
21 isp-upstream-gateway (X.X.X.73) 11.894 ms 11.898 ms 11.895 ms
22 isp-upstream-gateway (X.X.X.73) 12.537 ms 12.518 ms 12.515 ms
23 isp-upstream-gateway (X.X.X.73) 13.125 ms 13.172 ms 13.049 ms
24 isp-upstream-gateway (X.X.X.73) 13.719 ms 13.671 ms 13.664 ms
25 isp-upstream-gateway (X.X.X.73) 14.246 ms 14.278 ms 14.271 ms
26 isp-upstream-gateway (X.X.X.73) 14.822 ms 14.849 ms 14.841 ms
27 isp-upstream-gateway (X.X.X.73) 15.406 ms 15.417 ms 15.415 ms
28 isp-upstream-gateway (X.X.X.73) 15.975 ms 15.880 ms 16.000 ms
29 isp-upstream-gateway (X.X.X.73) 16.536 ms 16.619 ms 16.567 ms
30 isp-upstream-gateway (X.X.X.73) 17.119 ms 17.032 ms 17.029 ms
10
18.1 Legacy Series / Cannot Traceroute WAN Connection?
« on: May 03, 2018, 10:49:17 pm »
My environment has two Netgate XG-2758 firewalls; one is running OPNsense 18.1 and the other is still on PFsense. We also have two ISPs coming in. While both ISP WAN connections work great on the PFsense firewall, they do not work properly on OPNsense despite identical upstream gateway, netmask and IPs confirmed in our block. The gateways and interfaces do not appear to go down, the daemons don't seem to crash, there is nothing unusual in the logs as far as I can tell, but the IPsec VPN tunnel has a weird flickering problem and when I try to traceroute to the firewall it just hits the upstream gateway again and again.
I have already tried all of the following:
At this point I am not sure what else to do. Does anyone have any idea how to fix this?
I have already tried all of the following:
- A laptop using the same IP, netmask and gateway as the OPNsense firewall works as expected.
- I have tried using different IPs in our WAN blocks; same results.
- I have tried using different firewall interfaces as WAN; same results.
- I have tried connecting to only one ISP at a time; same results.
- I have tried setting up multi-WAN; same results.
- I have tried disabling IPsec, but this problem was evident from traceroute before IPsec was configured.
- Sticky connections is disabled.
At this point I am not sure what else to do. Does anyone have any idea how to fix this?
11
18.1 Legacy Series / Re: Mounting from ufs:/dev/gpt/rootfs failed with error 19.
« on: March 07, 2018, 11:36:01 pm »
Franco was right - it does "just work", if you have a basic understanding of GEOM (which I did not). The fix is included in an edit to the OP. What you want to do is wipe the drives, create the GEOM mirror, then install OPNsense to the GEOM mirror device. You're not supposed to install OPNsense on ada0 or ada1!
12
18.1 Legacy Series / Re: Mounting from ufs:/dev/gpt/rootfs failed with error 19.
« on: March 05, 2018, 06:04:27 pm »
I tried wiping the SSDs and installing OPNsense from scratch again, and this time it worked! The difference? I didn't set up GEOM this time. I am going to try to research GEOM because I do not really understand it, but the OPNsense installer GEOM configuration utility is very straightforward so I'm not sure how I could have messed it up...
EDIT: I was also able to install under MBR with no problems after wiping the drives. Unfortunately installing both drives under MBR then setting up GEOM from the installer still takes me to mountroot on boot, so there is still something left to solve.
EDIT: I was also able to install under MBR with no problems after wiping the drives. Unfortunately installing both drives under MBR then setting up GEOM from the installer still takes me to mountroot on boot, so there is still something left to solve.
13
18.1 Legacy Series / Re: Mounting from ufs:/dev/gpt/rootfs failed with error 19.
« on: March 02, 2018, 10:36:25 pm »
I was able to wipe the XG-2758's SSDs today and started the OPNsense installer from scratch. While the mirror/pfSenseMirror is now gone, I'm still getting the same mountroot prompt. Am I doing something wrong with selecting ada0 as the primary and ada1 as the secondary when setting up the GEOM mirror? Am I supposed to set the GEOM mirror before I install OPNsense on the SSDs?
14
18.1 Legacy Series / Mounting from ufs:/dev/gpt/rootfs failed with error 19.
« on: February 27, 2018, 08:31:46 pm »
I've managed to get the serial installer working on my troublesome Netgate XG-2758, but I've encountered a lot of bsdlabel and mounting errors during and after install; I'm not very familiar with BSD or GEOM and am not sure what to do about this. I am using the 18.1 serial installer now, but have had the same problems with the 17.7 installer too. The only way I can complete the installation is to use the Guided install -> GPT/UEFI method; anything else results in bsdlabel errors. Choosing Guided install -> MBR produces this error:
Viewing the log returns the following:
When this happens, it becomes impossible to leave the installer without rebooting as far as I know. <Retry> and <Cancel> will immediately display the same error again; <Skip> will cycle through a few more errors until it comes back to the original. The Manual install option also produces this error, but the <Cancel> option allows you to go back and choose other options. That being said, I was able to install GPT/UEFI on both ada0 and ada1 using the Guided install, and created an OPNsense GEOM mirror using ada0 as the primary and ada1 as the secondary. When booting the system, however, I get the following error:
Typing "?" at the resulting mountroot prompt gives me four options: mirror/OPNsenseMirror, mirror/pfSenseMirror, ada1 and ada0. I am not sure how to remove the pfSenseMirror, but entering "ufs:/dev/mirror/OPNsenseMirror" produces this error:
The other devices listed present the same error. How can I mount one of these filesystems and get the system working normally?
EDIT: Figured it out. You're supposed to wipe the drives, create the GEOM mirror BEFORE installing OPNsense on either drive, then select mirror/OPNSenseMirror as the device to install to. DO NOT try to install OPNsense on ada0 and/or ada1 THEN create the mirror. Then it should just work!
Code: [Select]
/sbin/bsdlabel -B -r -w ada0s1
auto FAILED with a return code of 1.
Viewing the log returns the following:
Code: [Select]
x BSD Installer started a
x DFUI connection on tcp:9999 successfully established a
x ,- opened pty to '/sbin/sysctl -n hw.physmem' a
x < 17138442240 a
x `- closed pty to '/sbin/sysctl -n hw.physmem' a
x `/sbin/sysctl -n hw.physmem` returned: 17138442240 a
x ,- opened pty to '/sbin/sysctl -n kern.disks' a
x < da0 ada1 ada0 a
x `- closed pty to '/sbin/sysctl -n kern.disks' a
x `/sbin/sysctl -n kern.disks` returned: da0 ada1 ada0 a
x /dev/mirror exists. Surveying. a
x ,- opened pty to '/usr/bin/find /dev/mirror/* | /usr/bin/sed a
x "s/\/dev\/mirror/mirror/"' a
x < mirror/OPNsenseMirror a
x `- closed pty to '/usr/bin/find /dev/mirror/* | /usr/bin/sed a
x "s/\/dev\/mirror/mirror/"' a
x `/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"` a
x returned: mirror/OPNsenseMirror a
x Testing mirror/OPNsenseMirror a
x Invoking survey for mirror/OPNsenseMirror a
x Surveying Disk: mirror/OPNsenseMirror ... a
x | Media sector size is 512 a
x | Warning: BIOS sector numbering starts with sector 1 a
x | Information from DOS bootblock is: a
x | The data for partition 1 is: a
x | sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD) a
x | start 63, size 234441585 (114473 Meg), flag 80 (active) a
x | beg: cyl 0/ head 1/ sector 1; a
x | end: cyl 132/ head 15/ sector 63 a
x | The data for partition 2 is: a
x | <UNUSED> a
x | The data for partition 3 is: a
x | <UNUSED> a
x | The data for partition 4 is: a
x | <UNUSED> a
x `->>> Exit status: 0 a
x ,-<<< Executing `/sbin/bsdlabel -B -r -w ada0s1 auto' a
x | bsdlabel: unable to get correct path for ada0s1: No such file or a
x directory a
x `->>> Exit status: 1 a
When this happens, it becomes impossible to leave the installer without rebooting as far as I know. <Retry> and <Cancel> will immediately display the same error again; <Skip> will cycle through a few more errors until it comes back to the original. The Manual install option also produces this error, but the <Cancel> option allows you to go back and choose other options. That being said, I was able to install GPT/UEFI on both ada0 and ada1 using the Guided install, and created an OPNsense GEOM mirror using ada0 as the primary and ada1 as the secondary. When booting the system, however, I get the following error:
Code: [Select]
mountroot: waiting for device /dev/gpt/rootfs...
Mounting from ufs:/dev/gpt/rootfs failed with error 19.
Typing "?" at the resulting mountroot prompt gives me four options: mirror/OPNsenseMirror, mirror/pfSenseMirror, ada1 and ada0. I am not sure how to remove the pfSenseMirror, but entering "ufs:/dev/mirror/OPNsenseMirror" produces this error:
Code: [Select]
Mounting from ufs:/dev/mirror/OPNsenseMirror failed with error 22.The other devices listed present the same error. How can I mount one of these filesystems and get the system working normally?
EDIT: Figured it out. You're supposed to wipe the drives, create the GEOM mirror BEFORE installing OPNsense on either drive, then select mirror/OPNSenseMirror as the device to install to. DO NOT try to install OPNsense on ada0 and/or ada1 THEN create the mirror. Then it should just work!
15
18.1 Legacy Series / Serial installer not displaying over serial connection?
« on: February 08, 2018, 04:13:14 pm »
Hi all, trying to install OPNsense 18.1 on a Netgate XG-2758. While I've installed OPNsense using a VGA monitor and USB keyboard without problem, this model of firewall has no VGA port, only microUSB serial. I have the amd64 serial OPNsense image written to a USB drive, and can get to the BIOS over serial. However, when I choose to boot from the USB drive I get this message:
After this, the serial connection does not seem to send/receive anymore. I have let it sit like this for an hour with no change. Any ideas what's up with it?
EDIT: Big thanks to pylox and bhsense for the following post: https://forum.opnsense.org/index.php?topic=6998.msg31097#msg31097
Pylox's instructions got the installer displaying correctly for me.
Quote
/boot/config: -S115200 -D
/oading /boot/defaults/loader.confsion 1.1port
After this, the serial connection does not seem to send/receive anymore. I have let it sit like this for an hour with no change. Any ideas what's up with it?
EDIT: Big thanks to pylox and bhsense for the following post: https://forum.opnsense.org/index.php?topic=6998.msg31097#msg31097
Pylox's instructions got the installer displaying correctly for me.
Pages: [1] 2