Messages

1

General Discussion / Suggestions for a usb console port concentrator for OOBM?

« on: August 14, 2023, 12:04:05 pm »

Hi,
I'm looking for a network accessible device that I can hook the USB consoles of different firewalls to.

• rack mountable
• at least 6 USB ports
• RJ45

Any suggestions?
Thanks a lot

2

Virtual private networks / IPSec: VTI dynamic WAN IP [new config]

« on: August 01, 2023, 12:53:41 pm »

Hi,
I have just tried if I could recreate route based IPSec tunnels with the new configuration interface.
Everything seems to work, but fot the VTI, I have to enter an IP address in the 'Local address' field. How should I handle this when my local IP is dynamic?
In the 'General Settings' of the connection it is possible to leave this field empty.
Thanks and best regards,
Frank

3

22.1 Legacy Series / 'read-onéy' access allows reordering rules

« on: August 12, 2022, 01:47:25 pm »

Hi All,
I have tried to setup a 'read-only' access to the web-gui, with the intention of allowing to allow a given user to look at the config, but not mess with it.
I find that if I give a user access to the gui pages 'without edit' for rules and NAT, he can still reorder the rules.
He can't edit Aliases or rules, but he can still select a rule, and move it around with the <- icon.
Is this expected/known/wanted?
Thanks a lot in advance,
Frank

4

General Discussion / DHCP Static Mapping creates Alias

« on: June 30, 2022, 12:44:38 pm »

Hi,
every time that I do a static mapping in dhcp, I find myself creating a host alias for that IP immediately afterwards, because I will create one or more firewall rule(s) using this IP.
It might be doable to add a 'create host alias'  checkbox that creates an associated host alias when adding a static mapping.
Just an idea...
Thanks,
Frank

5

General Discussion / [SOLVED] Re: nrpe check ipsec certificates

« on: June 21, 2022, 08:50:55 am »

Hi again,
in case anyone is interested, I circumvented this by running the entire script as root
(edit: open for comments, though :-) )

Code: [Select]

#!/usr/local/bin/perl -w
#copyto:/usr/local/libexec/nagios/check_ipsec_certs

#re-run as root if we are not root
if ($ENV{USER} ne 'root'){
    my $CMD='/usr/local/bin/sudo /usr/local/libexec/nagios/check_ipsec_certs';
    exec $CMD;     
}
#do the actual checking...


6

General Discussion / nrpe check ipsec certificates

« on: June 20, 2022, 04:47:51 pm »

Hi,
I would like to include an nrpe check to warn me before cerrtificates in /usr/local/etc/ipsec.d/certs expire.
However those files are not readable to the nagios user and a sudoers entry to the liking of

Code: [Select]

CHMODIPSECCERTS = /bin/chmod a+r /usr/local/etc/ipsec.d/certs/*is not working (and not desirable). Any other ideas how I could do this?
Thanks a lot
Frank

7

General Discussion / Re: Mysterious "sendto: Permission denied"

« on: March 31, 2022, 01:06:29 pm »

Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

Hi Michael,
does this make sense:

Code: [Select]

sysctl net.enc.out.ipsec_filter_mask=0
sysctl net.enc.in.ipsec_filter_mask=0
sysctl net.enc.out.ipsec_bpf_mask=0
sysctl net.enc.in.ipsec_bpf_mask=0
sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet.ipsec6.filtertunnel=1
(found here https://www.reddit.com/r/OPNsenseFirewall/comments/ts86eh/ipsec_gateway_as_upstream_gateway/ )

8

General Discussion / Re: Mysterious "sendto: Permission denied"

« on: February 22, 2022, 01:14:07 pm »

Hi,
no this didn't work with earlier releases AFAIK.
I remember trying to to SNAT before route-based IPSec before on a different site, but I ended up with a different solution as I couldn't get it to work.

9

General Discussion / Re: Mysterious "sendto: Permission denied"

« on: February 17, 2022, 02:22:51 pm »

Hello,
yes I tried both with and without this option.
Any other ideas?
Thanks,

10

General Discussion / Mysterious "sendto: Permission denied"

« on: February 16, 2022, 11:49:24 am »

Hi,
I have a weird behaviour somehow related to source NAT an route-based IPsec tunnels:

Networks A and B are behind an OPNsense Box (22.1) and should access to resources through a Tunnel.

Network B should be NATted as Network A for this. The NAT itself works.

• I can see the packets leaving through ipsec<X>
• I can see that the source has been correctly replaced with an address from Network A
• Packets really originating from Network A reach the other side
• when I try to generate traffic on the firewall itself (*), i get sendto: Permission denied
   errors
• when I temporarily pfctl -d packets reach the other side
• when I remove the outgoing NAT rule, packets reach the other side, with the undesired source addess

I can't see anything related in pflog, even if I enable logging in the 'permit' rule.

How do I figure out what causes the 'permission denied'? IDS/IPS is disabled.

Thanks a lot,
Frank

(*) either using ping -S Network-A-Addres, or using nc -vz -s

11

22.1 Legacy Series / Re: [Solved] What can replace clog?

« on: January 31, 2022, 04:49:44 pm »

Got it,
thanks!

12

22.1 Legacy Series / Re: What can replace clog?

« on: January 31, 2022, 03:33:34 pm »

Thanks Franco,
opnsense-log is great.
I have one instance where I use an nrpe script to see if ipsec generated TS_UNACCEPT 'recently', and issue 'ipsec restart' in that case. I have a star-shape of IPsec tunnels, and when I make changes in the ipsec config at the hub, satellites generate TS_UNACCEPT errors (no idea why).
But looking around, I have found that ipsec logs can now be found in /var/log/ipsec/latest.log so I can adapt.
For anyone else stumbling across this: a lot of logfiles are now available as sequential files under
/var/log/<servicename>/latest.log

Thanks and regards

13

22.1 Legacy Series / [Solved] What can replace clog?

« on: January 31, 2022, 02:31:05 pm »

Hi all,
I wonder what I have at my disposal now that clog is gone? I rely on using clog when debugging things and I use it in nrpe  monitoring scripts as well.
Thanks in advance,
Frank

14

21.7 Legacy Series / Re: 21.7.3 OpenVPN connects but doesn't set routes

« on: September 24, 2021, 08:32:39 am »

https://forum.opnsense.org/index.php?topic=24817.msg118994#msg118994

maybe?

Thanks!

15

21.7 Legacy Series / Re: OpenVPN routes on 21.7.2_1

« on: September 24, 2021, 08:31:37 am »

Have here for long time now

Code: [Select]

OPNsense 21.7.2_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
LibreSSL 3.3.4
and different openVPN tunnels (s2s), no problems with routes or routing in general...

Thanks, that's it.... It's unfortunate that this is not corrected in the upgrade process. My appliances are managed through a tunnel, so this could potentially lock me out. I will have to be very careful.
Thanks!