OPNsense
Messages - renow

1
23.1 Legacy Series / Upgrade from 23.1.10_1 blocked (I think because of broken cicada theme)
« on: December 21, 2023, 12:09:38 am »
Hi,

I have a FW which doesn't want to upgrade (running 23.1.10_1 actually):

From console I obtain the following message: Installation out of date. The update to opnsense-23.1.11_2 is required.

From web interface (no update available) but plugin conflict.
(Plugin conflict is with theme cicada)

When I try to resolve conflicts:

 Currently running OPNsense 23.1.10_1 at Wed Dec 20 23:57:59 CET 2023
Installation out of date. The update to opnsense-23.1.11_2 is required.

Is there a way to remove a broken plugin from shell?

Thanks for your help.
Regards,
Renaud.


2
Hardware and Performance / Manage led on an Sophos XG 106 reinstalled with OPNsense
« on: March 10, 2023, 10:59:19 pm »
Hi,

I have installed OPNsense on an old Sophos XG 106 FW.
Everything is working well.
Network interface, power and HDD leds are working too.
Status led is always blinking and I'd like to fix it when os loaded and maybe blink on error.

So I'm looking for a solution to manage leds.
I've seen apuled package, but /dev/led doesn't exist...

Thanks for your help.
Regards,
Renaud.

3
High availability / [solved] Re: some VIP always Master on Backup node
« on: February 10, 2023, 09:56:44 am »
Hi,

I found the solution, the 3 VLAN tags were not correctly distributed across the network, oops...

Bye.

4
High availability / [solved] some VIP always Master on Backup node
« on: February 09, 2023, 09:31:39 pm »
Hello guys,

I have 7 VIP in my configuration (each on a vlan interface).
When I start Carp, 7 VIP are Master on primary node and 7 VIP are Backup on secondary node.
After about 20s, 3 last VIP switch to Master on secondary node and stay Master on primary node.

I've tried to remove a VIP and problem still persists with 3 last VIP,
I've tried to change base freq to 3 to these VIP but problem is still there,
I've tried to configure VIP by syncing configuration from primary node or to configure them manually and it doesn't make a difference...

Is there anyone with an idea to solve this issue?
How may I capture Carp packets to understand this issue?

Thanks for your help.
Best Regards,
Renaud.

5
High availability / Re: IPsec with HA and Carp failover issue
« on: February 09, 2023, 09:04:45 pm »
Hi,

You just have to attach IPSEC tunnel to VIP interface, so it won't be able to go up if it doesn't own the VIP.

Regards,
Renaud.

6
Virtual private networks / Re: Doing same action of Disconnect button in VPN IPSEC Status via script
« on: October 17, 2022, 12:41:31 pm »
Hi Franco,

Thanks for your answer.
It works fine with configctl scripts.

Cheers,
Renaud MEDICI.

7
Virtual private networks / Doing same action of Disconnect button in VPN IPSEC Status via script
« on: October 15, 2022, 07:33:13 pm »
Hi,

I think it's the first time in my life that a web button is better than a script command!

I have an IPSEC tunnel which often loses some of its phase 2,

- if I Disconnect from Status page, then reconnect.
-> All Phase 2 restart

If I script (for automation)
ipsec down con2
 and
ipsec up con2,

-> only phase2 previously up restart...

Does someone know what more the Disconnect button is doing?
Thanks for your help.
Regards,
Renaud MEDICI.

8
22.7 Legacy Series / IPSEC VPN Status not working for users with limited access.
« on: August 24, 2022, 10:54:14 am »
Since Upgrade to 22.7 release,

Users with limited access are not able to see IPSEC VPN status.

Rights defined as below:


   GUI   Status: IPsec
   GUI   Status: IPsec: Leasespage
   GUI   Status: IPsec: SAD
   GUI   Status: IPsec: SPD
   GUI   Status: System logs: IPsec VPN
   GUI   VPN: IPsec

It was working before upgrade.
Thanks for your help.
Regards,
Renaud.

9
21.7 Legacy Series / Re: OPENVPN API Export
« on: August 03, 2022, 05:26:16 pm »
Hi,

Really not so clear...
Have you found a solution to do that?

Regards,
Renow.

10
Virtual private networks / IPSEC route propagation via OSPF
« on: March 25, 2021, 12:05:04 pm »
Hi everybody,

I'm trying to configure a configuration with 2 OPNsense Firewalls in 2 different datacenters.
They are connected via a routed IPSEC link and are running OSPF v2 to share routes.

If I add a static route, I see it directly on second firewall via OSPF.
But if I connect an IPSEC tunnel (tunnel mode), the tunnel works well, I see the route in the route table, but I don't see it in OSPF route diagnostic on any of the firewalls...

Is there a limitation in FRR for this kind of route? The only difference I've seen is the flags of the route:

US for the IPSEC tunnel route
UGS for the static route

Any idea?
Thanks for your help.
Regards,
Renaud.

11
18.1 Legacy Series / Re: IPSEC Nat 1 to 1 behind Router NAT
« on: September 14, 2018, 01:55:17 am »
Finally, I'm able to have a functional IPSEC Natted with following configuration:

Phase 2:

Type               local Network       remote network
ESP IPv4 tunnel    192.168.111.0/24    192.168.0.0/24

1 to 1 NAT rules:

Interface    External IP         Internal IP         Destination IP
IPsec        192.168.111.0/24    192.168.0.0/24      192.168.101.0/24
IPsec        192.168.111.0/24    192.168.101.0/24    192.168.0.0/24

and need to add manually SPD even with "192.168.101.0/24" in manual SPD of GUI


Code:
setkey -f spd.conf

with spd.conf

Code:
spdadd 192.168.101.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/[Local Public IP]-[Remote Public IP]/unique:2;

Nat from router isn't the problem, manual SPD of GUI isn't working for me...

maybe:
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773

12
18.1 Legacy Series / IPSEC Nat 1 to 1 behind Router NAT
« on: September 13, 2018, 07:00:52 pm »
Hello,

I'm trying to configure an IPSEC tunnel and need to use 1 to 1 NAT because local IP network exists in remote networks.

Configuration is as follows:

HQ : Local Network : 192.168.100.1/24 : (LAN) OPN (WAN) : 192.168.1.254 ------ Router 192.168.1.1 ------- WWW
Remote : 192.168.0.0/24 --- Public IP (WWW)

Need to configure an IPSEC with translation to 192.168.111.0/24 (local) and connected to 192.168.0.0/24 (remote)

So I have configured:

- an IPSEC P2 for network 192.168.111.0/24 to 192.168.0.0/24
- a 1 to 1 NAT on IPSEC interface with external 192.168.111.0/24 for traffic from 192.168.0.0/24 to 192.168.0.0/24

Incoming ICMP traffic from remote 192.168.0.0/24 net reaches a client on 192.168.100.0/24 but reply isn't redirected in the IPSEC tunnel.

I think the problem is because of WAN NAT on 192.168.1.254 for outside.

I have tried too with an IP alias on LAN with 192.168.111.1/24 and NAT on this IP before the tunnel but it doesn't work.

Can anyone tell me which configuration may be used in my configuration?

Thanks for your help.
Regards,
Renaud.
