Messages - lewi3069

#1
Issue with latest firmware and DMZ+ (Fake Pass-through). Friend of mine just had this issue. Took us a while to come across this issue as we just did a new unifi AP deployment and thought it was related to that.

https://forums.att.com/t5/AT-T-Fiber-Equipment/PACE-11-1-0-531418-DMZ-Issue/m-p/5745153#M7940
#2
Is there other detail that I should provide?
#3
19.1 Legacy Series / 19.1 VPN speeds capped at 100Mbps?
February 08, 2019, 04:57:26 PM
It appears that recent upgrades have VPN speeds capped around 100Mbps. I have tried building OpenVPN and IPsec tunnels to test. I used to get over 100 on 18.7 versions.

I've tested with 3 sites:
Two are VMs and one is bare metal
All use Intel NICs
One is using vmxnet3, the other e1000
All support AES-NI. Core counts are 8@4GHz, 6@2.8GHz, and 4@3.2GHz
Deleted all traffic shaping that was applied to one FW
Rebooted everything
Main site that is involved in all testing is on 19.1.1
Secondary sites are 18.7.x and 19.1.1

Main has 400/20
two sites have 1G/1G

OpenVPN
Tried AES-128-CBC and GCM
SHA 256
DH 2048 and 4096
fast-io;
push "fast-io"; (also set on the other end as I'm not sure if push works)
sndbuf 524288;
rcvbuf 524288;
push "sndbuf 524288";
push "rcvbuf 524288";

IPSec
Tried AES-128-CBC and GCM
SHA1 and SHA256
Tried no encryption on Phase2
#4
This makes sense and should work for this solution. I think I'll just have to modify the script slightly to do an external dyndns check. Thanks!

Quote from: lewi3069 on January 08, 2019, 10:52:25 PM
I have AT&T gig fiber. Their "awesome" modem doesn't support direct passthrough. So you have to configure IP passthrough to get the public IP on the WAN interface. If we lose power the OPNsense box reboots quicker than the ONT and I don't get a public IP until I reboot OPNsense again. This is an issue for things like remote access VPN. Is there an easy way to force a renew or reboot with the API or over SSH so I can build a reboot or renew script?
Quote from: marjohn56 on January 09, 2019, 08:49:31 AM
forgot to add..

you can just take the interface down and back up using

ifconfig igb0 down
ifconfig igb0 up

Of course you need to make sure that the interface id is correct.. in my case it is igb0.
#5
18.7 Legacy Series / Renew WAN interface via CMD or API
January 08, 2019, 10:52:25 PM
I have AT&T gig fiber. Their "awesome" modem doesn't support direct passthrough. So you have to configure IP passthrough to get the public IP on the WAN interface. If we lose power the OPNsense box reboots quicker than the ONT and I don't get a public IP until I reboot OPNsense again. This is an issue for things like remote access VPN. Is there an easy way to force a renew or reboot with the API or over SSH so I can build a reboot or renew script?
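The renew script the two posts above are working towards, as an added example (not code from this thread or from OPNsense): it reads the WAN interface's current IPv4 address, decides whether it is a public address or one of the private, link-local or carrier-grade ranges a DHCP client ends up with when the gateway was not ready yet, and only then bounces the interface with the ifconfig down/up pair marjohn56 suggested. The interface name igb0 and the `run` argument are assumptions; adjust the name to your box.

```sh
#!/bin/sh
# Added example, not from the thread or from OPNsense.
# Checks whether the WAN interface holds a public IPv4 address and, if not,
# takes it down and up so the DHCP client asks the AT&T gateway again.
# WAN_IF is an assumption (igb0 is the name used in the thread).

WAN_IF="${WAN_IF:-igb0}"

# is_public_ipv4 ADDR
# Returns 0 when ADDR is a globally routable unicast IPv4 address, 1 otherwise.
# Rejects malformed input, RFC 1918 space, loopback, link-local 169.254/16
# (what a DHCP client falls back to without a lease), CGNAT 100.64/10,
# 0/8 and everything from 224/3 (multicast and reserved).
is_public_ipv4() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.; set -- $addr; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 0 ] && return 1
    [ "$a" -eq 10 ] && return 1
    [ "$a" -eq 127 ] && return 1
    [ "$a" -ge 224 ] && return 1
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1
    return 0
}

# wan_ipv4 IFACE: print the first inet address ifconfig reports (empty if none)
wan_ipv4() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# bounce_wan IFACE: the down/up pair from the thread, with a short pause between
bounce_wan() {
    ifconfig "$1" down
    sleep 2
    ifconfig "$1" up
}

main() {
    addr=$(wan_ipv4 "$WAN_IF")
    if is_public_ipv4 "$addr"; then
        echo "$WAN_IF has public address $addr, nothing to do"
        return 0
    fi
    echo "$WAN_IF has '${addr:-no address}', bouncing interface"
    bounce_wan "$WAN_IF"
}

# Only touch the interface when invoked as "wan-check.sh run", so the
# functions can be sourced and tested without side effects.
case "${1:-}" in
    run) main ;;
esac
```

Run it from cron every few minutes for the first while after boot; because it checks the address first, it is a no-op once the public lease has arrived, and it never bounces a WAN that is already fine.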
#6
18.7 Legacy Series / Re: Alias URL Table limits
January 05, 2019, 10:47:24 PM
Quote from: Mks on January 05, 2019, 10:09:02 PM
Hi,

Firewall -> Settings -> Advanced -> Firewall Maximum Table Entries

br

I think this worked, set it to 2M for now.
#7
18.7 Legacy Series / [SOLVED] Alias URL Table limits
January 05, 2019, 09:15:32 PM
It appears that an Alias using "URL Table (IPs)" has a limit of 13000 lines. Is there any way to increase this?

I am trying to import a custom block list of IPs that hit/scan my honey pot. My list has grown to roughly 70k IPs and when I looked at my list under Firewall>Diagnostics>pfTables it was empty. After some troubleshooting I found if I only had 13k IPs in the list it would work.
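A pre-publish check for a feed like the one described in this post and resolved in the reply quoted in the post above it, as an added example (not code from this thread or from OPNsense): it strips comments and whitespace from a honeypot-derived list, keeps only well-formed IPv4 addresses or /prefix entries, deduplicates them, and compares the resulting count with the value configured under Firewall -> Settings -> Advanced -> Firewall Maximum Table Entries, so an over-limit list is caught before pfTables shows the alias as empty. The sample list, the `/tmp`-free demo and the limit values are constructed.

```sh
#!/bin/sh
# Added example, not from the thread or from OPNsense.
# Normalizes a block list for a "URL Table (IPs)" alias and checks the
# entry count against the pf table limit. Sample data is constructed.

# Exactly one dotted-quad IPv4 address, optional /0-/32 prefix, nothing else.
IPV4_ENTRY_RE='^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'

# strip_noise: drop "#"/";" comments, surrounding whitespace and blank lines (stdin -> stdout)
strip_noise() {
    sed 's/[#;].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# normalize_list: the entries the alias will actually load, deduplicated (stdin -> stdout)
normalize_list() {
    strip_noise | grep -E "$IPV4_ENTRY_RE" | sort -u
}

# invalid_entries: lines that would never load, so you can see what the feed produces
invalid_entries() {
    strip_noise | grep -vE "$IPV4_ENTRY_RE"
}

# count_entries: number of non-empty lines on stdin
count_entries() {
    grep -c .
}

# fits_table_limit COUNT LIMIT: 0 when COUNT entries fit in a table of LIMIT entries
fits_table_limit() {
    [ "$1" -le "$2" ]
}

# Constructed sample: duplicates, a commented range, stray whitespace and junk.
SAMPLE_LIST='# constructed honeypot hit list (not real data)
203.0.113.7
203.0.113.7
198.51.100.0/24   ; scanner range
 192.0.2.250
300.1.2.3
198.51.100.0/33
not-an-ip'

# The value the thread settled on; the shipped default differs, so set it explicitly.
TABLE_LIMIT="${TABLE_LIMIT:-2000000}"

main() {
    clean=$(printf '%s\n' "$SAMPLE_LIST" | normalize_list)
    n=$(printf '%s\n' "$clean" | count_entries)
    echo "clean entries ($n):"
    printf '%s\n' "$clean"
    printf '%s\n' "$SAMPLE_LIST" | invalid_entries | sed 's/^/dropped: /'
    if fits_table_limit "$n" "$TABLE_LIMIT"; then
        echo "$n entries fit within the table limit of $TABLE_LIMIT"
    else
        echo "WARNING: $n entries exceed the table limit of $TABLE_LIMIT; raise Firewall Maximum Table Entries"
    fi
}

main
```

In practice you would feed the honeypot export through `normalize_list` and serve that output at the alias URL; running `invalid_entries` on the raw export is the quickest way to spot a parser change on the honeypot side before it silently shrinks the table.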
#8
18.7 Legacy Series / Re: Backup to Google Drive
December 18, 2018, 08:50:16 PM
Do you have a screenshot of the settings? Obfuscate as needed.
#9
18.7 Legacy Series / Re: Backup to Google Drive
December 18, 2018, 02:05:53 AM
Quote from: johanh on October 19, 2018, 08:39:27 PM
Could someone please update the doc on how to configure backup to Google Drive?

The steps/screens on the Google end seem to have changed...

Thanks

I just set this up a few days ago, what part are you having issues with?
#10
I would say "issue" is the wrong word, as things continue to work as expected. We thought it was an issue as the user couldn't connect, but it was resolved by reloading their config on their iPhone. Now I'm more interested in where the error is shown. I don't think this is ZFS. I don't remember the options selected, but it was all default from a fresh ISO.
#12
Documentation and Translation / Re: cron log
December 15, 2018, 09:16:26 PM
I'm interested in the location of this log as well.
#13
Quote from: lewi3069 on November 30, 2018, 05:39:25 PM
Has anyone seen this issue?

openvpn[79319]: iPhone/166.x.x.x:2349 MULTI: problem deleting temporary file: /tmp/openvpn_cc_78c8c78b55e511e75462b4354891a65d2e.tmp


OPNsense 18.7.8-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4

Is there other information that would assist? Nobody else seeing this in their OVPN logs?
#14
18.7 Legacy Series / Re: [18.7.8] GeoIP alias not working
December 03, 2018, 05:18:52 PM
Quote from: gex on December 01, 2018, 04:58:14 PM
under Firewall: Diagnostics: pfTables the table is also empty - looks like it does not get loaded

I also have this issue. I am using US IPv4 as my constraint and the table is empty in pfTables.
#15
18.7 Legacy Series / OpenVPN problem deleting temp file
November 30, 2018, 05:39:25 PM
Has anyone seen this issue?

openvpn[79319]: iPhone/166.x.x.x:2349 MULTI: problem deleting temporary file: /tmp/openvpn_cc_78c8c78b55e511e75462b4354891a65d2e.tmp


OPNsense 18.7.8-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4