OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of nspritz »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - nspritz

Pages: [1]
1
17.7 Legacy Series / Re: Suricata not catching packets on PPPoE WAN
« on: November 28, 2017, 02:15:32 pm »
Same behavior on a Qotom-Q355 appliance using Intel I211-AT (igb2 driver).
Would this be a hardware limitation or just the nature of PPPoE?

2
17.1 Legacy Series / Re: IPSEC fw rules don't trigger
« on: February 09, 2017, 04:19:45 pm »
Just updated to 17.1.1

IPSec (site-to-site) tunnel still connecting (phase 1 & 2) as before.
Tunneled traffic seems to be reaching destination WAN interface, but is being blocked by FW, even though IPSec fw rules are wide open on both sides (any:any).

Tried:
-Disabled 'Private Network Blocks' on WAN interface (both endpoints) as suggested.
-Started traceroute + ping from site-A --> site-B

Quick observations:
On site-B: fw logs now show ipsec traffic blocked on the WAN interface.
So I created a pass rule for the tunneled network (A) --> destination network (B) with protocol:any on the WAN int.

Now no more blocked logs but still no traffic reaching destination host. Hmm.

My 17.1.1 (testing env) OPN config has not changed from my 16.7.14 production env, which still works :)


Hope this helps, and please let me know if you need any more information.
When time allows again, I will try digging into this further.

Thanks.

3
17.1 Legacy Series / Re: IPSEC fw rules don't trigger
« on: February 06, 2017, 11:50:41 am »
I'm seeing the same behavior after upgrading to 17.1.

IPSec tunnel established but no TCP/UDP traffic flow. Logs show IPSec traffic being blocked despite allow rules on the IPSec Interace. ICMP (ping) seems to work regardless.

Only workaround for me was to *completely* open up the firewall rules on the IPSec interface at both tunnel endpoints.

Rules on both sides:
IPv4 (proto any) Src (any) --> Dest (any).
This is the only rule config which allows traffic to flow through the tunnel.

Hardware:
ESXi 6.0 VM <--ipsec--> Intel i3 box
Both endpoint running on Intel NICs (VM on passthrough to physical Intel 82574L 1Gb)

Hope this info helps.
Let me know if more hardware detail is needed.
Thanks :)

4
General Discussion / Re: IDS Alerts not Working (APU)
« on: October 15, 2016, 12:20:01 pm »
Thanks Franco.

Just want to add that this problem also exist on my LAN (Realtek RTL8111E) interface.
Either than this IDS issue, I have not experienced any other problems on this APU device.

5
General Discussion / IDS Alerts not Working (APU)
« on: October 14, 2016, 01:42:51 pm »
Are there any known problems with IDS reporting (Alerts) with 16.7.6 firmware on APU boards over PPPoE interface?
I had this working on earlier firmware versions, but with the last couple firmware updates, IDS alert logs are now completely null (no results found).

After some testing, it looks like 'User defined GeoIP blocking' IPS is also not working.

My other Opnsense installations on x86 hardware works just fine.
Would this be affecting APU hardware only? -or perhaps something to do with PPPoE interfaces?

------------------------------------------------
Hardware specs:
PC Engines - APU1D4 (AMD G-T40E)
Firmware: 16.7.6-amd64 (LibreSSL)
WAN Interface -> PPPoE (DHCP)

IPS mode: Enabled
Promiscuous mode: Disabled
------------------------------------------------

Thanks for your help!


6
General Discussion / Re: IPv6 multicasts flooding logs
« on: July 30, 2015, 04:26:33 pm »
Thanks Franco!

7
General Discussion / IPv6 multicasts flooding logs
« on: July 30, 2015, 02:40:56 pm »
I have IPv6 disabled in the General settings, however I see a lot of blocked IPv6 (ICMP) traffic originating from the LAN and lo0 interfaces being logged.
------------------------------------------------------------------------
IF           Source                         Destination        Proto
LAN       [fe80::20d:b9ff:....]     [ff02::1]         ICMPv6
lo0        [fe80::20d:b9ff:....]     [ff02::1]         ICMPv6
------------------------------------------------------------------------

I tried to create a non-logging block rule for this traffic, however it continues to log the traffic anyway.

Does anyone know how to suppress IPv6 logging?
Thanks!

8
15.1 Legacy Series / Re: [SOLVED] Open-VM-Tools
« on: March 27, 2015, 01:21:58 pm »
Just applied the 15.1.8.2 update, and it seems to have wiped our my manual vmtools startup entries in rc.
Will the rc be persistent in future builds?

9
15.1 Legacy Series / Re: Request: Open-VM-Tools
« on: March 10, 2015, 09:00:52 am »
Will do Franco, and yes; issue resolved for me.
Keep up the great work  ;)

10
15.1 Legacy Series / Re: Request: Open-VM-Tools
« on: March 09, 2015, 04:35:35 pm »
Thanks again for the speedy response! That did the trick  ;D
Vmtools now showing as "Running" in the ESXi console, and starting up on guest reboot.

Able to shutdown/restart guest, but suspend is greyed-out. I can live with that in my test environment ;)
Will investigate the suspend option from the ESX side and update post once I have answers.

--System Config--
ESXi 5.5-2068190
OPNsense VM Guest OS: FreeBSD (64bit)
--

11
15.1 Legacy Series / Re: Request: Open-VM-Tools
« on: March 09, 2015, 11:35:07 am »
I downloaded and installed open-vm-tools without any problems, however, the modules do not start on boot after enabling in /etc/rc.local (as per installer instructions):
----------------------------------------------------
vmware_guest_vmblock_enable="YES"
vmware_guest_vmhgfs_enable="YES"
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"
vmware_guestd_enable="YES"
----------------------------------------------------

kldstat does not list VM modules either:

Id Refs Address            Size     Name
 1    1 0xffffffff80200000 1f98850  kernel
...

Any suggestions?

12
15.1 Legacy Series / Re: Request: DynamicDNS Trigger on WAN IP Change
« on: March 09, 2015, 10:02:23 am »
Thanks Franco!

Updated to new 15.1.7.1-cabdbf8c2 (amd64) build and happy to report that DDNS is now updating on WAN IP change --with overridden by DHCP/PPP on WAN *disabled*--

** Tested on ESXi 5.5 virtual machine **


13
15.1 Legacy Series / [SOLVED] Open-VM-Tools
« on: March 05, 2015, 11:08:28 pm »
Vmxnet3 driver working well in ESXi-5.5 for me, but would like to see complete open-vmtools pkg included in next build.
Any plans for this?

14
15.1 Legacy Series / [SOLVED] DynamicDNS Trigger on WAN IP Change
« on: March 05, 2015, 11:00:52 pm »
It seems that DDNS update triggers on WAN DNS change.
Would like DDNS to auto update when WAN IP changes, leaving "Allow DNS server list to be overridden by DHCP/PPP on WAN " option disabled.
Is this possible?


Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2