Messages - sirio81

1
18.7 Legacy Series / Upgrade from OPNsense 18.1.13_1-amd64
« on: September 23, 2018, 06:04:14 pm »
Hi all, is it possible to backup the configuration of opnsense 18.1.x and restore it to a new 18.7?
Is there another way to upgrade to latest stable?

Thank you.

2
18.1 Legacy Series / Help configuring HA-proxy
« on: September 23, 2018, 05:59:50 pm »
Hi all, I'm running OPNsense 18.1.13_1-amd64.
I'm trying to configure HA proxy to serve 2 webservers.
As of now, I only care about http working.
I'll take care of https later.

I already set up HA proxy and it's working, but the web pages are incomplete: only html is loaded, no images, no css.

Before I flood this post with many details, do you already know if that's a common configuration mistake?

The network schema is this:
Code:
router -> wan (192.168.179.2) | lan (192.168.178.3) -> webserver1 (192.168.178.15)
                                                    -> webserver2 (192.168.178.17)

The public ip is held by the router, which forwards all ports to opnsense.

Thank you!

3
18.1 Legacy Series / Re: Nat 1:1 and reflection from the same network
« on: May 15, 2018, 09:15:51 am »
Quote
I've been adding 2 rules on LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass

I think this is a symptom that nat reflection is not working.
It means the requests don't get masqueraded with the public ip.

I double checked the concept of nat reflection on wikipedia:
Quote
The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1

I forgot to mention my firewall is configured with multiwan.
I don't know if that may matter or not.

4
18.1 Legacy Series / Nat 1:1 and reflection from the same network
« on: May 11, 2018, 09:40:42 am »
Hi all, I already spoke about nat 1:1 and reflection in this topic, but I have another specific problem to solve.

Consider 3 lan networks:

192.168.2.0/24 (office pc)
192.168.3.0/24 (office pc)
192.168.6.0/24 (servers)

I have three servers on 192.168.6.0/24.
For each server I'm using nat 1:1:

1.2.3.4 -> 192.168.6.38 (webserver)
1.2.3.5 -> 192.168.6.10 (mailserver 1)
1.2.3.6 -> 192.168.6.11 (mailserver 2)

192.168.6.38 is a webserver.
I've been adding a firewall rule on WAN interface, so that ports 80 and 443 can be reached from outside.
I've been adding 2 rules on LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass
Doing so I'm able to reach my services from the office networks.

The only thing that doesn't work is, for example, to contact port 80 from network 192.168.6.0/24.

From the webserver itself:
Code:
nmap  -p 80 1.2.3.4 -Pn
PORT   STATE    SERVICE
80/tcp filtered http

From the webserver to a mailserver:
Code:
nmap -p 25 1.2.3.5 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-05-11 09:38 CEST
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39478 > 1.2.3.5:25 S ttl=59 id=47236 iplen=44  seq=707988922 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39479 > 1.2.3.5:25 S ttl=40 id=38922 iplen=44  seq=707923387 win=1024 <mss 1460>
Nmap scan report for server.domain.com (1.2.3.5)
Host is up.
PORT   STATE    SERVICE
25/tcp filtered smtp

Suggestions?

5
18.1 Legacy Series / Re: Problem with nat 1:1 reflection
« on: May 08, 2018, 12:46:26 pm »
Hi Animosity022, I do agree that dns override is a better solution, but consider two more webservers, hosting 100 domains.
All these domains and all their records would have to be overridden to be able to reach them from the internal network.
That's why I'm opting for nat reflection.
If it were a matter of a few dns records, I wouldn't use nat reflection.
I'm aware that this way the traffic goes through the firewall, but there won't be many requests in my case.

Anyway, I made it work!
I have two lan networks: 192.168.2.0/24 and 192.168.3.0/24.
My LAN interface has ip 192.168.2.254 and the virtual ip 192.168.3.250.
They are the gateways for the respective networks.
I added two rules on LAN interface:

from 192.168.2.0/24 to 192.168.6.0/24 pass
from 192.168.3.0/24 to 192.168.6.0/24 pass

traceroute www.domain.com
traceroute to www.domain.com (1.2.3.4), 30 hops max, 60 byte packets
 1  webserver-jessie.domain.com (1.2.3.4)  0.425 ms  0.457 ms  0.479 ms
 2  webserver-jessie.domain.com (1.2.3.4)  1.689 ms  1.682 ms  1.697 ms

Note: I was in doubt whether it was necessary to disable the option "Block private networks" on the WAN interface, but it isn't.

6
18.1 Legacy Series / Re: Problem with nat 1:1 reflection
« on: May 07, 2018, 10:00:53 am »
I forgot to mention I'm using multi wan, if that matters.
By the way, I'm not looking for a workaround but for the way to make nat reflection work.

7
18.1 Legacy Series / Re: Problem with nat 1:1 reflection
« on: May 05, 2018, 07:16:40 pm »
Unfortunately this is an option I can't take.

8
18.1 Legacy Series / Re: Filter rule association: "Rule Nat" repeated 4 times
« on: May 05, 2018, 03:18:30 pm »
Ok, now it's clear.
I'll add rules descriptions.
Thank you.

9
18.1 Legacy Series / Problem with nat 1:1 reflection
« on: May 05, 2018, 03:05:32 pm »
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)

I set nat reflection advanced options.

I set a firewall rule on wan interface.

The servers are reachable from the internet but not from my internal LAN networks.
Nat reflection is working with other forwarded ports.
I'm probably missing a firewall rule.

Any suggestion?

10
18.1 Legacy Series / Re: Filter rule association: "Rule Nat" repeated 4 times
« on: May 01, 2018, 08:08:07 pm »
This is what I see.

11
18.1 Legacy Series / [SOLVED] Filter rule association: "Rule Nat" repeated 4 times
« on: April 29, 2018, 03:32:32 pm »
This really looks like a bug to me:

- create a forward rule.
  (it doesn't matter what you choose in "Filter rule association").
- click on the pencil to edit the forward rule and try to change the "Filter rule association", you'll get this list:
  Pass
  Rule Nat
  Rule Nat
  Rule Nat
  Rule Nat

What do you think?

OPNsense 18.1.6-amd64

12
18.1 Legacy Series / Filter rule association: add unassociated filter rule
« on: April 29, 2018, 03:28:51 pm »
Hi, I created a port forward as test:
2222 -> 192.168.178.99:22
I chose "add unassociated filter rule".
I expected to find a rule in Firewall / Rules / Wan that I was able to edit but I see no related rule.
Is it a bug or am I misunderstanding the meaning?

Nonetheless, if I click on the pencil to edit the "Nat / Port forward rule", the Filter rule association is "None".

Thank you.

OPNsense 18.1.6-amd64

13
18.1 Legacy Series / Filter rule association: Associated filter rule VS Pass
« on: April 29, 2018, 03:13:31 pm »
Hi all, if I redirect a port (Firewall / Nat / port forwarding) I have 3 choices.
In this topic I consider only two of them:
  • Associated filter rule
  • Pass
The first is the default.
It adds a rule in Firewall / Rule / Wan.
This rule can't be edited.
If I choose "Pass", no firewall rule will be checked.

In both cases, any request on the forwarded port will be accepted.
So, when is it preferable to use "Associated filter rule" instead of "Pass"?

14
18.1 Legacy Series / Virtual IP / IP Alias netmask
« on: April 26, 2018, 05:50:07 pm »
This may be a trivial question:
Considering my LAN nic with ip 192.168.1.1/24, I create a new virtual ip of type (Mode 'IP Alias') 192.168.2.1.
Shall I set 24 or 32 as netmask?

15
18.1 Legacy Series / Re: WAN address explanation
« on: April 26, 2018, 02:10:35 pm »
Ok, now I know I'd better set the ip instead of 'WAN address' when I have aliases.
Thank you for your reply.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved