Messages - nspritz

#1
Same behavior on a Qotom-Q355 appliance using Intel I211-AT (igb2 driver).
Would this be a hardware limitation or just the nature of PPPoE?
#2
17.1 Legacy Series / Re: IPSEC fw rules don't trigger
February 09, 2017, 04:19:45 PM
Just updated to 17.1.1

IPSec (site-to-site) tunnel still connecting (phase 1 & 2) as before.
Tunneled traffic seems to be reaching destination WAN interface, but is being blocked by FW, even though IPSec fw rules are wide open on both sides (any:any).

Tried:
-Disabled 'Private Network Blocks' on WAN interface (both endpoints) as suggested.
-Started traceroute + ping from site-A --> site-B

Quick observations:
On site-B: fw logs now show ipsec traffic blocked on the WAN interface.
So I created a pass rule for the tunneled network (A) --> destination network (B) with protocol:any on the WAN int.

Now no more blocked logs but still no traffic reaching destination host. Hmm.

My 17.1.1 (testing env) OPN config has not changed from my 16.7.14 production env, which still works :)
Hope this helps, and please let me know if you need any more information.
When time allows again, I will try digging into this further.

Thanks.
#3
17.1 Legacy Series / Re: IPSEC fw rules don't trigger
February 06, 2017, 11:50:41 AM
I'm seeing the same behavior after upgrading to 17.1.

IPSec tunnel established but no TCP/UDP traffic flow. Logs show IPSec traffic being blocked despite allow rules on the IPSec Interface. ICMP (ping) seems to work regardless.

Only workaround for me was to *completely* open up the firewall rules on the IPSec interface at both tunnel endpoints.
Rules on both sides:
IPv4 (proto any) Src (any) --> Dest (any).
This is the only rule config which allows traffic to flow through the tunnel.

Hardware:
ESXi 6.0 VM <--ipsec--> Intel i3 box
Both endpoints running on Intel NICs (VM on passthrough to physical Intel 82574L 1Gb)
Hope this info helps.
Let me know if more hardware detail is needed.
Thanks :)
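For readers following the two IPsec posts above, here is an added pf.conf illustration of where a FreeBSD/pf firewall sees site-to-site IPsec traffic. It is not OPNsense's generated ruleset and not the poster's configuration; the interface name, peer address and the two subnets are made up, and it assumes the default FreeBSD behaviour where decrypted IPsec packets are exposed to pf on the enc0 pseudo-interface (which is what the "IPsec" rules tab filters), while the encrypted packets are filtered on the WAN interface.

```pf
# Added illustration only (not OPNsense's rules, not the poster's config).
# Assumed names/addresses: em0, 198.51.100.2, 10.10.0.0/24, 10.20.0.0/24.
wan    = "em0"
peer   = "198.51.100.2"        # remote IPsec gateway (assumed)
site_a = "10.10.0.0/24"        # remote network behind the peer (assumed)
site_b = "10.20.0.0/24"        # local network behind this box (assumed)

# WAN side: only the IKE control channel (UDP 500, NAT-T on 4500) and the
# ESP payload need to be accepted here. The tunneled packets themselves
# are still encrypted at this point, so rules for 10.10.0.0/24 do not
# belong on the WAN interface.
pass in quick on $wan inet proto udp from $peer to ($wan) port { 500 4500 } keep state
pass in quick on $wan inet proto esp from $peer to ($wan)

# enc0 side: after decapsulation the inner packets show up on enc0, and
# this is where a scoped rule for the tunnel belongs.
pass in quick on enc0 inet proto { tcp udp icmp } from $site_a to $site_b keep state

# The any:any workaround from the posts above, kept here only for
# comparison: it passes anything that comes out of the tunnel.
# pass in quick on enc0 inet from any to any keep state
```

Reading the posts with this split in mind: a block logged on the WAN interface for plaintext inner-network traffic means the packets are being evaluated before or without the enc0 stage, which is a different condition from the IPsec-tab rules simply being too narrow.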
#4
General Discussion / Re: IDS Alerts not Working (APU)
October 15, 2016, 12:20:01 PM
Thanks Franco.

Just want to add that this problem also exist on my LAN (Realtek RTL8111E) interface.
Other than this IDS issue, I have not experienced any other problems on this APU device.
#5
General Discussion / IDS Alerts not Working (APU)
October 14, 2016, 01:42:51 PM
Are there any known problems with IDS reporting (Alerts) with 16.7.6 firmware on APU boards over PPPoE interface?
I had this working on earlier firmware versions, but with the last couple firmware updates, IDS alert logs are now completely null (no results found).

After some testing, it looks like 'User defined GeoIP blocking' IPS is also not working.

My other OPNsense installations on x86 hardware work just fine.
Would this be affecting APU hardware only? Or perhaps something to do with PPPoE interfaces?

------------------------------------------------
Hardware specs:
PC Engines - APU1D4 (AMD G-T40E)
Firmware: 16.7.6-amd64 (LibreSSL)
WAN Interface -> PPPoE (DHCP)

IPS mode: Enabled
Promiscuous mode: Disabled
------------------------------------------------

Thanks for your help!

#6
Thanks Franco!
#7
General Discussion / IPv6 multicasts flooding logs
July 30, 2015, 02:40:56 PM
I have IPv6 disabled in the General settings, however I see a lot of blocked IPv6 (ICMP) traffic originating from the LAN and lo0 interfaces being logged.
------------------------------------------------------------------------
IF    Source                   Destination   Proto
LAN   [fe80::20d:b9ff:....]    [ff02::1]     ICMPv6
lo0   [fe80::20d:b9ff:....]    [ff02::1]     ICMPv6
------------------------------------------------------------------------

I tried to create a non-logging block rule for this traffic, however it continues to log the traffic anyway.

Does anyone know how to suppress IPv6 logging?
Thanks!
#8
15.1 Legacy Series / Re: [SOLVED] Open-VM-Tools
March 27, 2015, 01:21:58 PM
Just applied the 15.1.8.2 update, and it seems to have wiped out my manual vmtools startup entries in rc.
Will the rc be persistent in future builds?
#9
15.1 Legacy Series / Re: Request: Open-VM-Tools
March 10, 2015, 09:00:52 AM
Will do Franco, and yes; issue resolved for me.
Keep up the great work  ;)
#10
15.1 Legacy Series / Re: Request: Open-VM-Tools
March 09, 2015, 04:35:35 PM
Thanks again for the speedy response! That did the trick  ;D
Vmtools now showing as "Running" in the ESXi console, and starting up on guest reboot.

Able to shutdown/restart guest, but suspend is greyed-out. I can live with that in my test environment ;)
Will investigate the suspend option from the ESX side and update post once I have answers.

--System Config--
ESXi 5.5-2068190
OPNsense VM Guest OS: FreeBSD (64bit)
--
#11
15.1 Legacy Series / Re: Request: Open-VM-Tools
March 09, 2015, 11:35:07 AM
I downloaded and installed open-vm-tools without any problems, however, the modules do not start on boot after enabling in /etc/rc.local (as per installer instructions):
----------------------------------------------------
vmware_guest_vmblock_enable="YES"
vmware_guest_vmhgfs_enable="YES"
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"
vmware_guestd_enable="YES"
----------------------------------------------------

kldstat does not list VM modules either:

Id Refs Address            Size     Name
1    1 0xffffffff80200000 1f98850  kernel
...

Any suggestions?
#12
Thanks Franco!

Updated to new 15.1.7.1-cabdbf8c2 (amd64) build and happy to report that DDNS is now updating on WAN IP change --with overridden by DHCP/PPP on WAN *disabled*--

** Tested on ESXi 5.5 virtual machine **

#13
15.1 Legacy Series / [SOLVED] Open-VM-Tools
March 05, 2015, 11:08:28 PM
Vmxnet3 driver working well in ESXi-5.5 for me, but would like to see complete open-vmtools pkg included in next build.
Any plans for this?
#14
It seems that DDNS update triggers on WAN DNS change.
Would like DDNS to auto update when WAN IP changes, leaving "Allow DNS server list to be overridden by DHCP/PPP on WAN " option disabled.
Is this possible?