Messages

Thanks for pointing me to IPSec. I've now taken a look at the new IPSec connections (I was still using legacy before) and was able to implement my desired scenario very easily.

There, I can simply configure two remote IPs. When I simulate a failure by disconnecting one uplink, the connection switches to the alternative route without any loss. Very cool! With IPSec, I'm also achieving the same bandwidth as with WireGuard. WireGuard is usually my favorite because of its speed.

Case closed :-)

Hi!
I have a data center that is directly connected to my headquarters via dark fiber. This has historical reasons, as we gradually moved all servers from the HQ into the data center over time.

Now I want to convert my HQ into a regular site again and separate the networks. I also want to set up a WireGuard tunnel between the HQ and the data center. The tunnel should primarily run over the dark fiber (100 Gbit) and secondarily over the regular internet (10 Gbit) in case the dark fiber is damaged.

Is this scenario possible to implement using a WireGuard tunnel?

Thank You!

In the past, I had CARP active with approx. 20-25 VLANs. As I had stability problems, I implemented the second firewall as a cold standby at some point and deactivated CARP.
Now I'm wondering what I did wrong a few years ago and am asking myself the following question:
If one of the VLAN changes the master status to slave, shouldn't all the other VLANs automatically change to slave as well, because otherwise I have a 'split brain problem'. This has never happened to me. It happened that one or more VLANs had the status slave, while the rest were still master.
What do you think?
Thank You!

I am a bit confused. is there a general "Disable ISC" option? I have now disabled the server for all interfaces below ISC and enabled kea. I also get an IP address, but apparently not from KEA, the log file + the lease overview remains empty.

Hi Franco,
even if ISC is deactivated on the interface and only KEA is listening?
Well, then I have to change all interfaces at once.

Many thanks for the quick answer!

I have many VLANs where the classic ISC DHCP SErver does its job. Now I wanted to deactivate ISC and activate KEA in one VLAN as a test, but I can't get a DHCP lease. I don't see any errors in the log file and the KEA service starts. Do I have to disable ISC on all interfaces for it to work?

I have already configured the corresponding subnet in KEA and checked it three times. But after deactivating ISC and activating KEA on that specific VLAN, my client does not get a DHCP lease on the VLAN.

Thank you!

No, my test instanz wont work with Peer Certificate Revocation List. At the moment I dont have any idea how to manage/fix this. I'm thinking about to renew all client certs with a new CA.

They are note. Thats why I'm wondering what happened...
I will create a new instance (legacy) for testing with all the same settings as the other plus revokation list and try to figure out whats going on.

Hello,
A colleague installed the update from 24.7 to 24.7.1 during the night. It was this morning when I noticed that the OpenVPN connections can no longer be established. All certificates report "error=cerificate revoked".
We couldn't find any indication of why this was suddenly the case, so I set "Peer Certificate Revocation List = none" in the server instance. Since then the login has been working again.
We are still using the legacy OpenVPN server instances. Did I miss something critical in the changelog?

Code Select Expand

2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS handshake failed
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 OpenSSL: error:0A000086:SSL routines::certificate verify failed:

I was overthinking it. The simplest solution will indeed be to create a LAGG interface for failover or load balancing. Thank you!

Hi!

I have several free SFP+ ports on my hardware. My goal is to secure my public IPs over two lines to the ISP Switch. However, an IP alias can only be assigned to one interface. How could I achieve this goal without using two Firewalls with CARP?
Thank you :-)

I think I have now understood how OPNSense thought of it.
first i disabled the default log rules:

Log packets matched from the default block rules put in the ruleset
Log packets matched from the default pass rules put in the ruleset
Log packets processed by automatic outbound NAT rules

So there are much(!!) less entries in the live log. And if I now activate "enable logging" in a firewall rule, it also appears in the live log.

Are there any best practices which rules should be logged by default?

Please help me to understand the live log correctly. I am having extreme problems looking up anything there for debugging purposes.  I mostly switch back to TCPDUMP.

For example I have a mailserver. I go into the livelog, enter the filter "src IP mailserver" or "dst IP mailserver" and nothing is displayed.
Neither my ping tests, nor the mails coming in, nor anything else.

At the same time, several mails per second go through this server, but I can't see anything in the livelog.

Do I need to check "enable logging" everywhere in the ruleset?

The mail server is in a DMZ, which means that all connections have to go through the firewall and therefore have to be visible in the livelog.

Maybe I have too many connections, so it can't show up in the livelog? I do not know exactly where I see the active connections, but the firewall has 32k active states.

don't get me wrong, when i run the livelog without filter, i see dozens of entries that change very quickly.

Hallo,
ich bin gerade am grübeln, wie man bei folgendem Szenario richtig vorgeht.

Angenommen ich habe dutzende VLAN's und möchte nun eine zweite Firewall zwecks HA einbinden.
Muss ich denn jetzt auch für jedes VLAN eine separate CARP Adresse konfigurieren, oder genügt es, wenn ich auf einem Interface CARP konfiguriere, damit die Firewalls den Master/Slave aushandeln können, und für alle weiteren VLAN/Interfaces richte ich dann Virtuelle IP's ein?

In meinem Fall habe ich an die 50 VLAN's und kann mich ehrlich gesagt nicht damit anfreunden für jedes Interface eine extra CARP IP einzurichten.

Danke!

Hallo Leute,
seit einiger Zeit übertrage ich die Logfiles schon an einen Loki Server. Nun will ich gerade ein bestimmtes Problem debuggen, wo die Fehlermeldungen hier auflaufen:

    System: Log Files: General

Aber jene Meldungen kann ich nicht via Loki finden, sämtliche anderen jedoch schon.
Ich habe nochmal kontrolliert und bei Logging destination sind alle Applications angehakt, außer filter (filterlog). Hat da jemand eine Idee zu?

Danke!