Messages - GaardenZwerch

#1
Hi,
I'm looking for a network accessible device that I can hook the USB consoles of different firewalls to.

  • rack mountable
  • at least 6 USB ports
  • RJ45

Any suggestions?
Thanks a lot
#2
Hi,
I have just tried if I could recreate route based IPSec tunnels with the new configuration interface.
Everything seems to work, but for the VTI, I have to enter an IP address in the 'Local address' field. How should I handle this when my local IP is dynamic?
In the 'General Settings' of the connection it is possible to leave this field empty.
Thanks and best regards,
Frank
#3
Hi All,
I have tried to set up a 'read-only' access to the web-gui, with the intention of allowing a given user to look at the config, but not mess with it.
I find that if I give a user access to the gui pages 'without edit' for rules and NAT, he can still reorder the rules.
He can't edit Aliases or rules, but he can still select a rule, and move it around with the <- icon.
Is this expected/known/wanted?
Thanks a lot in advance,
Frank
#4
Hi,
every time that I do a static mapping in dhcp, I find myself creating a host alias for that IP immediately afterwards, because I will create one or more firewall rule(s) using this IP.
It might be doable to add a 'create host alias'  checkbox that creates an associated host alias when adding a static mapping.
Just an idea...
Thanks,
Frank
#5
Hi again,
in case anyone is interested, I circumvented this by running the entire script as root
(edit: open for comments, though :-) )
#!/usr/local/bin/perl -w
#copyto:/usr/local/libexec/nagios/check_ipsec_certs
use strict;

#re-run as root if we are not root
#(test the effective uid; $ENV{USER} is not reliably set under nrpe)
if ($> != 0) {
    my @CMD = ('/usr/local/bin/sudo', '/usr/local/libexec/nagios/check_ipsec_certs');
    #list form of exec avoids the shell; exec only returns if it failed
    exec @CMD or die "re-exec via sudo failed: $!";
}
#do the actual checking...
#6
General Discussion / nrpe check ipsec certificates
June 20, 2022, 04:47:51 PM
Hi,
I would like to include an nrpe check to warn me before certificates in /usr/local/etc/ipsec.d/certs expire.
However those files are not readable to the nagios user and a sudoers entry to the liking of
CHMODIPSECCERTS = /bin/chmod a+r /usr/local/etc/ipsec.d/certs/*
is not working (and not desirable). Any other ideas how I could do this?
Thanks a lot
Frank
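The two posts above (the question in #6 and the run-everything-as-root workaround in #5) are served by one added example below. It is not Frank's script: it is an nrpe-style check for the certificates in /usr/local/etc/ipsec.d/certs (the directory named in the thread) that confines the privileged part to a single read-only `openssl x509 -checkend` call, so sudo grants one command rather than the whole plugin. The sudoers rule in the header comment, the nagios user, the thresholds, the openssl path and the hook variable CHECKEND are assumptions.

```shell
#!/bin/sh
# Added example (not the script from the thread): IPsec certificate expiry
# check whose only privileged step is one read-only openssl command.
#
# Assumed sudoers rule (hypothetical user and paths; adjust to your box):
#   nagios ALL=(root) NOPASSWD: /usr/bin/openssl x509 -noout -checkend [0-9]* -in /usr/local/etc/ipsec.d/certs/*
#
# `openssl x509 -checkend N` exits 0 if the certificate is still valid N
# seconds from now and 1 if it will have expired, so no date parsing is needed.

CERT_DIR="${CERT_DIR:-/usr/local/etc/ipsec.d/certs}"   # directory from the thread
WARN_DAYS="${WARN_DAYS:-30}"                              # assumed thresholds
CRIT_DAYS="${CRIT_DAYS:-7}"
SUDO="${SUDO:-/usr/local/bin/sudo}"                       # sudo path from the thread
OPENSSL="${OPENSSL:-/usr/bin/openssl}"                    # assumption: base-system openssl

# real_checkend SECONDS FILE: the single privileged step (-n: never prompt).
real_checkend() {
    "$SUDO" -n "$OPENSSL" x509 -noout -checkend "$1" -in "$2" >/dev/null 2>&1
}
# Indirection so the state logic can be exercised with a stub instead of sudo.
CHECKEND="${CHECKEND:-real_checkend}"

# cert_state FILE: prints OK|WARNING|CRITICAL and returns the nagios code.
# An unreadable file also fails -checkend and therefore shows as CRITICAL,
# which is the safe direction for a monitoring check.
cert_state() {
    f=$1
    if ! $CHECKEND $((CRIT_DAYS * 86400)) "$f"; then
        echo CRITICAL; return 2
    fi
    if ! $CHECKEND $((WARN_DAYS * 86400)) "$f"; then
        echo WARNING; return 1
    fi
    echo OK; return 0
}

# Nagios "worst of" ordering: CRITICAL(2) > WARNING(1) > UNKNOWN(3) > OK(0).
rank() { case $1 in 2) echo 3;; 1) echo 2;; 3) echo 1;; *) echo 0;; esac; }
worst_code() {
    if [ "$(rank "$1")" -ge "$(rank "$2")" ]; then echo "$1"; else echo "$2"; fi
}

# check_dir DIR: checks every file, prints one summary line, returns worst code.
check_dir() {
    dir=$1; worst=0; summary=""; n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue           # empty directory leaves the glob literal
        n=$((n + 1))
        if state=$(cert_state "$f"); then code=0; else code=$?; fi
        if [ "$code" -ne 0 ]; then summary="$summary $(basename "$f")=$state"; fi
        worst=$(worst_code "$worst" "$code")
    done
    if [ "$n" -eq 0 ]; then echo "UNKNOWN - no certificates in $dir"; return 3; fi
    case $worst in
        0) echo "OK - $n certificate(s) valid for more than $WARN_DAYS days";;
        1) echo "WARNING -$summary";;
        2) echo "CRITICAL -$summary";;
        *) echo "UNKNOWN -$summary";;
    esac
    return "$worst"
}

# Usage as an nrpe plugin: check_ipsec_certs /usr/local/etc/ipsec.d/certs
if [ "$#" -gt 0 ]; then
    check_dir "$1"
    exit $?
fi
```

Verify what the rule actually grants with `sudo -l -U nagios` before wiring it into nrpe. Two caveats on the sudoers pattern: `*` in a sudoers argument matches spaces and `/` as well, so `certs/*` also matches a path that climbs out of the directory; if that matters on your box, point the rule at a small wrapper that accepts only a file basename and rejects anything containing `/`.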
#7
Quote from: mimugmail on February 17, 2022, 02:48:25 PM
Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
Hi Michael,
does this make sense:

sysctl net.enc.out.ipsec_filter_mask=0
sysctl net.enc.in.ipsec_filter_mask=0
sysctl net.enc.out.ipsec_bpf_mask=0
sysctl net.enc.in.ipsec_bpf_mask=0
sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet.ipsec6.filtertunnel=1

(found here https://www.reddit.com/r/OPNsenseFirewall/comments/ts86eh/ipsec_gateway_as_upstream_gateway/ )
#8
Hi,
no this didn't work with earlier releases AFAIK.
I remember trying to do SNAT before route-based IPSec on a different site, but I ended up with a different solution as I couldn't get it to work.
#9
Hello,
yes I tried both with and without this option.
Any other ideas?
Thanks,
#10
Hi,
I have a weird behaviour somehow related to source NAT and route-based IPsec tunnels:

Networks A and B are behind an OPNsense Box (22.1) and should access resources through a Tunnel.

Network B should be NATted as Network A for this. The NAT itself works.

  • I can see the packets leaving through ipsec<X>
  • I can see that the source has been correctly replaced with an address from Network A
  • Packets really originating from Network A reach the other side
  • when I try to generate traffic on the firewall itself (*), I get sendto: Permission denied errors
  • when I temporarily pfctl -d packets reach the other side
  • when I remove the outgoing NAT rule, packets reach the other side, with the undesired source address

I can't see anything related in pflog, even if I enable logging in the 'permit' rule.

How do I figure out what causes the 'permission denied'? IDS/IPS is disabled.

Thanks a lot,
Frank

(*) either using ping -S Network-A-Address, or using nc -vz -s
#11
Got it,
thanks!
#12
22.1 Legacy Series / Re: What can replace clog?
January 31, 2022, 03:33:34 PM
Thanks Franco,
opnsense-log is great.
I have one instance where I use an nrpe script to see if ipsec generated TS_UNACCEPT 'recently', and issue 'ipsec restart' in that case. I have a star-shape of IPsec tunnels, and when I make changes in the ipsec config at the hub, satellites generate TS_UNACCEPT errors (no idea why).
But looking around, I have found that ipsec logs can now be found in /var/log/ipsec/latest.log so I can adapt.
For anyone else stumbling across this: a lot of logfiles are now available as sequential files under
/var/log/<servicename>/latest.log

Thanks and regards
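An added example of the kind of nrpe check described in the post above (not Frank's script): it counts TS_UNACCEPT lines in /var/log/ipsec/latest.log that are new since the previous run by remembering a line offset in a state file, so it needs no knowledge of the log's timestamp format and survives the file being rotated or truncated. The log path and the 'ipsec restart' idea come from the thread; the state file path, the RESTART_CMD variable and the OK/WARNING mapping are assumptions.

```shell
#!/bin/sh
# Added example (not the script from the thread): report log lines matching a
# pattern that appeared since the last run, using a line-offset state file.

LOGFILE="${LOGFILE:-/var/log/ipsec/latest.log}"        # path from the thread
PATTERN="${PATTERN:-TS_UNACCEPT}"                        # message from the thread
STATEFILE="${STATEFILE:-/var/tmp/check_ipsec_ts.offset}" # assumption
RESTART_CMD="${RESTART_CMD:-}"   # assumption, e.g. "/usr/local/bin/sudo ipsec restart"

# new_matches LOGFILE PATTERN STATEFILE: prints how many matching lines were
# added after the line count saved in STATEFILE, then saves the new count.
new_matches() {
    log=$1; pat=$2; state=$3
    total=$(wc -l < "$log")
    total=$((total + 0))                 # BSD wc pads the number with spaces
    last=0
    if [ -r "$state" ]; then
        read -r last < "$state" || last=0
    fi
    case $last in ''|*[!0-9]*) last=0;; esac   # corrupt state file: rescan
    if [ "$last" -gt "$total" ]; then last=0; fi   # file rotated or truncated
    # tail -n +K prints from line K onward; grep -c exits 1 when the count is 0.
    count=$(tail -n "+$((last + 1))" "$log" | grep -c -- "$pat") || true
    echo "$total" > "$state"
    echo "$count"
}

# check_ts_unaccept: nrpe plugin behaviour. OK when nothing new was logged,
# WARNING otherwise; optionally run RESTART_CMD as the post describes.
check_ts_unaccept() {
    n=$(new_matches "$LOGFILE" "$PATTERN" "$STATEFILE")
    if [ "$n" -eq 0 ]; then
        echo "OK - no new $PATTERN in $LOGFILE"; return 0
    fi
    if [ -n "$RESTART_CMD" ]; then
        if ! $RESTART_CMD >/dev/null 2>&1; then
            echo "CRITICAL - $n new $PATTERN and restart command failed"; return 2
        fi
        echo "WARNING - $n new $PATTERN, ran restart command"; return 1
    fi
    echo "WARNING - $n new $PATTERN"; return 1
}

# Usage: check_ipsec_ts [/var/log/ipsec/latest.log]
if [ "$#" -gt 0 ]; then
    LOGFILE=$1
    check_ts_unaccept
    exit $?
fi
```

The state file must be writable by the nrpe user, and because the offset is a line number rather than a timestamp the check is idempotent between runs: two consecutive runs with no new log lines report OK even though old TS_UNACCEPT lines remain in the file.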
#13
22.1 Legacy Series / [Solved] What can replace clog?
January 31, 2022, 02:31:05 PM
Hi all,
I wonder what I have at my disposal now that clog is gone? I rely on using clog when debugging things and I use it in nrpe monitoring scripts as well.
Thanks in advance,
Frank

#15
21.7 Legacy Series / Re: OpenVPN routes on 21.7.2_1
September 24, 2021, 08:31:37 AM
Quote from: chemlud on September 18, 2021, 04:07:39 PM
Have here for long time now

OPNsense 21.7.2_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
LibreSSL 3.3.4


and different openVPN tunnels (s2s), no problems with routes or routing in general...

Thanks, that's it.... It's unfortunate that this is not corrected in the upgrade process. My appliances are managed through a tunnel, so this could potentially lock me out. I will have to be very careful.
Thanks!