Messages - park0kyung0won

#1
Hello

I want to deploy a transparent bridge firewall
by bridging the eth0 and eth1 interfaces together into br0.

Then I also want to run Suricata.
The question is, what's the difference between attaching Suricata to
eth0 and to br0?

Thanks
#2
Hello
My setup is:

Host machine: Arch Linux + KVM, with an Intel i350 NIC.

Created an SR-IOV virtual function (VF) on physical interface enp5s0,
then tagged it with VLAN ID 20.
```
echo 1 > /sys/class/net/enp5s0f0/device/sriov_numvfs
ip link set enp5s0f0 vf 0 mac blahblah
ip link set enp5s0f0 vf 0 vlan 20
```
Passed this VF to the OPNsense VM.

I also created a VLAN interface on the same port, which is enp5s0,
tagged with VLAN ID 20.
```
ip link add link enp5s0f0 name VIRT type vlan id 20
```
Created a bridge on top of this VLAN interface VIRT for the other VMs (let's call them clients).

I could capture packets at three places: the client VM, the OPNsense VM and the host physical interface (enp5s0f0).


When the OPNsense VM sends a packet to the guest VM (ping):

On the OPNsense VM: the ping packet is untagged
On the host enp5s0f0: the ping packet has VLAN ID 20 (which is expected, since the VF is tagged with VLAN ID 20)
On the client VM: the ping packet is untagged (which is expected, since the interface the libvirt network bridge sits on (VIRT) is a VLAN interface on enp5s0 with VLAN ID 20)

Here is the problem.

When the client VM sends a DHCP request to the OPNsense VM:
On the client VM: the DHCP Req packet is untagged
On the host enp5s0f0: the DHCP Req packet is tagged with VLAN ID 20 (expected)
On the OPNsense VM: the DHCP Req packet is tagged with VLAN ID 1024 (????????)

The DHCP Req packet had VLAN ID 20 at the moment it was passing through the Virtual Function, since it passed a VF with a VLAN filter of VID 20.

After passing the Virtual Function device it should have become an untagged packet,
but instead it got VLAN ID 1024.
I suspect there must be something wrong with the igbvf driver in OPNsense.
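To compare the three capture points objectively, it helps to decode the tag stack of each frame rather than rely on how a capture tool renders it. The following is an added example (not code from the post): a small Ethernet/802.1Q decoder plus a classic-pcap reader, so frames saved with `tcpdump -w` on the host, the client VM and the OPNsense VM can be run through the same function. The sample frames at the bottom are constructed by hand with placeholder MACs and a zero-filled payload; they are not captured data.

```python
"""Ethernet / 802.1Q frame decoder for comparing captures at the three points
above (client VM, host enp5s0f0, OPNsense VM). Added example, not from the post;
the frames at the bottom are constructed by hand, not real captures."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag (C-TAG)
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (S-TAG, QinQ outer tag)
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


def decode_frame(frame: bytes) -> dict:
    """Return MACs, the stacked VLAN tags (outer first) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    # Each tag is 4 bytes: TPID (2) + TCI (2); peel until a non-VLAN EtherType.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,          # priority code point
                     "dei": (tci >> 12) & 1,    # drop eligible indicator
                     "vid": tci & 0x0FFF})      # VLAN ID (0 = priority-tagged only)
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def vids(frame: bytes) -> list:
    """Just the VLAN IDs, outer first; [] means the frame is untagged."""
    return [t["vid"] for t in decode_frame(frame)["tags"]]


def read_pcap(path):
    """Yield Ethernet frames from a classic libpcap file (tcpdump -w output)."""
    with open(path, "rb") as fh:
        gh = fh.read(24)                      # global header: magic, version, tz, sigfigs, snaplen, linktype
        magic = gh[:4]
        if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
            endian = "<"
        elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng is not handled here)")
        if struct.unpack(endian + "I", gh[20:24])[0] != 1:
            raise ValueError("expected LINKTYPE_ETHERNET")
        while True:
            rh = fh.read(16)                  # per-record header: ts_sec, ts_usec, incl_len, orig_len
            if len(rh) < 16:
                return
            _, _, incl_len, _ = struct.unpack(endian + "IIII", rh)
            yield fh.read(incl_len)


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Build a test frame; tags is a list of (tpid, vid) pairs, outer first."""
    out = dst + src
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (placeholder MACs/payload, not captured data).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("525400aabbcc")
PAYLOAD = b"\x00" * 46   # minimum-size filler standing in for an IP/DHCP packet

UNTAGGED = build_frame(DST, SRC, [], ETH_P_IP, PAYLOAD)                    # what the client VM sees
TAGGED_20 = build_frame(DST, SRC, [(ETH_P_8021Q, 20)], ETH_P_IP, PAYLOAD)  # expected on enp5s0f0
QINQ = build_frame(DST, SRC, [(ETH_P_8021AD, 1024), (ETH_P_8021Q, 20)], ETH_P_IP, PAYLOAD)

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("vid20", TAGGED_20), ("qinq", QINQ)]:
        print(name, vids(f), hex(decode_frame(f)["ethertype"]))
```

One caveat when using this on real captures: with VLAN offload enabled, the NIC strips or inserts tags in hardware, so what a capture tool on the host shows is not necessarily what is on the wire; `ethtool -K <iface> rxvlan off txvlan off` on the host before capturing gives the wire view. Wireshark saves pcapng by default, which the reader above deliberately rejects; save with tcpdump (`-w`) or export as classic pcap.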



#3
19.7 Legacy Series / Re: OPNSense on KVM (Virtio) ?
July 27, 2019, 09:43:17 PM
I see lots of comrades here having a similar setup to mine.
If you have Intel i350 NICs you can use the SR-IOV function:
pass VFs to OPNsense instead.
SR-IOV + KVM works well with OPNsense,
but VLAN setup is somewhat tricky.
#4
19.7 Legacy Series / OPNSense on KVM (Virtio) ?
July 25, 2019, 10:27:25 PM
Hello
I've heard before that BSD has a problem with the Linux KVM virtio network driver implementation.
Is it still a problem today?
Would it be okay if I turned off the offload functionality in the OPNsense VM?
#5
Hello

My firewall has a WAN-side IP of 10.130.10.2/24, with gateway 10.130.10.1,
and a LAN-side IP of 172.17.10.1/24.

I want to map the 10.130.10.0/24 subnet to 172.17.10.0/24 by 1-to-1 BINAT,
except for 10.130.10.2, which is the firewall itself.

I'm not sure how I can do this.
Adding /32 mappings one by one will take too much time.
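A net-to-net 1:1 mapping is pure offset arithmetic: host N of the external /24 corresponds to host N of the internal /24. The following is an added example (not from the post, and not pf rule syntax) that computes that mapping in both directions, skips the firewall's own WAN address and its counterpart, and lists every pair a net-to-net rule would create so the exceptions can be reviewed before the rule goes in. The networks and the excluded address are the ones from the post.

```python
"""Net-to-net 1:1 BINAT arithmetic: map every host of 10.130.10.0/24 to the host
with the same offset in 172.17.10.0/24, skipping reserved addresses. Added
example, not from the post and not pf syntax; it only computes the mapping."""
import ipaddress

EXT_NET = "10.130.10.0/24"      # WAN-side network from the post
INT_NET = "172.17.10.0/24"      # LAN-side network from the post
FIREWALL_WAN = "10.130.10.2"    # the firewall itself; must not be mapped to a LAN host


def binat_translate(addr, ext_net=EXT_NET, int_net=INT_NET, exclude=(FIREWALL_WAN,)):
    """Translate addr in either direction by host offset.
    Returns None for addresses outside both networks, for excluded
    addresses, and for the counterpart of an excluded address."""
    ext = ipaddress.ip_network(ext_net)
    inn = ipaddress.ip_network(int_net)
    if ext.version != inn.version or ext.prefixlen != inn.prefixlen:
        raise ValueError("1:1 BINAT needs two networks of identical size")
    a = ipaddress.ip_address(str(addr))
    excluded = {ipaddress.ip_address(x) for x in exclude}
    if a in ext:
        src, dst = ext, inn
    elif a in inn:
        src, dst = inn, ext
    else:
        return None
    mapped = dst.network_address + (int(a) - int(src.network_address))
    if a in excluded or mapped in excluded:
        return None
    return mapped


def plan_binat(ext_net=EXT_NET, int_net=INT_NET, exclude=(FIREWALL_WAN,)):
    """(internal, external) host pairs a net-to-net rule would create, minus the
    excluded ones, so the exceptions can be checked before enabling the rule."""
    ext = ipaddress.ip_network(ext_net)
    pairs = []
    for e in ext.hosts():
        i = binat_translate(str(e), ext_net, int_net, exclude)
        if i is not None:
            pairs.append((i, e))
    return pairs


if __name__ == "__main__":
    for internal, external in plan_binat():
        print(internal, "<->", external)
```

Running `plan_binat()` with only the firewall excluded also makes one more collision visible: 172.17.10.1 (the firewall's LAN address) lines up with 10.130.10.1, the upstream gateway, so that address is a candidate for the exclusion list as well.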
#6
General Discussion / Re: NGINX: Connection gets dropped
February 28, 2019, 08:01:08 AM
Quote from: newsense on February 28, 2019, 07:13:58 AM
opnsense-patch e8a8ed0ad832da64a79abf49ef45118b07267c4a
:)

OPNsense says...
fetch: https://github.com/opnsense/core/commit/e8a8ed0ad832da64a79abf49ef45118b07267c4a.patch: Not Found
What should I do?...  :'(

------------------------------------------------------------------
I've figured it out! `opnsense-patch -c plugins` worked.
#7
General Discussion / Re: NGINX: Connection gets dropped
February 28, 2019, 07:45:28 AM
Quote from: fabian on February 27, 2019, 07:17:31 PM
For the timeouts, the patch can be installed using the following id: e8a8ed0ad832da64a79abf49ef45118b07267c4a

https://github.com/opnsense/plugins/pull/1211/files

Thanks!!
#8
General Discussion / Re: NGINX: Connection gets dropped
February 27, 2019, 01:52:28 AM
Quote from: fabian on February 26, 2019, 08:53:23 PM
I made a ticket: https://github.com/opnsense/plugins/issues/1210
Thank you.
Is there any way I can manually override nginx.conf temporarily before the update arrives?
#9
General Discussion / Re: NGINX: Connection gets dropped
February 26, 2019, 11:25:14 AM
Quote from: park0kyung0won on February 26, 2019, 11:11:51 AM
Quote from: fabian on February 25, 2019, 11:21:23 PM
Do you need a timeout option?

I suspect this the most:
https://github.com/abingham/runner_repl/issues/7

He says "proxy_read_timeout" and "proxy_send_timeout" should be configured differently from the default value, which is 60s.


#10
General Discussion / Re: NGINX: Connection gets dropped
February 26, 2019, 11:11:51 AM
Quote from: fabian on February 25, 2019, 11:21:23 PM
Do you need a timeout option?

I suspect this the most:
https://github.com/abingham/runner_repl/issues/7

He says "proxy_read_timeout" and "proxy_send_timeout" should be configured differently from the default 60s value.
#12
General Discussion / Re: NGINX: Connection gets dropped
February 26, 2019, 09:36:33 AM
I'm not sure that will fix it (I don't have enough knowledge).
I've made a multiplayer web game app which uses websockets,
but the connection gets dropped after a certain amount of time (like 2 mins?...).

I need to dig into it further, I guess.
For now I'm not 100% sure whether it's an NGINX problem or the firewall itself.
Could you give me some advice on how to inspect it? I'll start with Wireshark.

If it's the firewall, I suspect the "Schedule States" option (currently not checked) in the
"Firewall" -> "Settings" -> "Advanced" tab...
Can the firewall or NGINX somehow wipe an active connection (the game's websocket traffic)?
#13
General Discussion / NGINX: Connection gets dropped
February 25, 2019, 10:54:20 PM
Hello

I am using NGINX on the latest version of the OPNsense production distro.
The problem I've encountered is that the connection seems to be dropped
after a certain amount of time.

I was using openstack-dashboard behind the OPNsense NGINX,
which requires websockets for displaying VNC in the browser.

Should I explicitly set some options to keep the connection alive?
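The thread above ends up suspecting nginx's `proxy_read_timeout`/`proxy_send_timeout` (default 60s) versus a firewall state being wiped, and asks how to inspect it. A direct way to tell them apart is to open a websocket, stay silent, and record how and when the connection dies. The following is an added example, not code from the thread: a standard-library-only probe that performs the RFC 6455 handshake (verifying `Sec-WebSocket-Accept`), idles for a chosen period, then sends a ping to catch the case where packets are being dropped silently even though the socket still looks open. Host, port and path are arguments you supply; it speaks plain HTTP, so for an https listener wrap the socket with the `ssl` module first.

```python
"""Idle-timeout probe for a websocket endpoint: handshake, send nothing,
report how the peer ends the connection (FIN, RST, silence, or still alive).
Added example, not from the thread. Plain HTTP only; use ssl for https."""
import base64
import hashlib
import os
import select
import socket
import sys
import time

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID from RFC 6455


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept a server must return for client_key (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, client_key: str) -> bytes:
    """HTTP/1.1 upgrade request a websocket client sends first."""
    return ("GET {} HTTP/1.1\r\n"
            "Host: {}\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            "Sec-WebSocket-Key: {}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").format(path, host, client_key).encode("ascii")


def parse_handshake(response: bytes, client_key: str) -> bool:
    """True only for a 101 reply whose Sec-WebSocket-Accept matches client_key."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 101"):
        return False
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (headers.get("upgrade", "").lower() == "websocket"
            and headers.get("sec-websocket-accept") == accept_key(client_key))


def ping_frame(mask: bytes) -> bytes:
    """Zero-length masked ping: FIN|opcode 9, MASK bit set, length 0, 4-byte mask."""
    return b"\x89\x80" + mask


def idle_probe(host: str, port: int, path: str, idle_seconds: float, timeout: float = 5.0):
    """Returns (handshake_ok, outcome, seconds). outcome is one of:
    'fin'    peer closed cleanly (what a proxy timeout looks like),
    'rst'    peer reset the connection,
    'pong'   still alive after idling and answered a ping,
    'silent' socket looked open but the ping got no answer (packets dropped)."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_upgrade_request(host, path, key))
        resp = b""
        while b"\r\n\r\n" not in resp:
            chunk = s.recv(4096)
            if not chunk:
                return False, "fin", 0.0
            resp += chunk
        if not parse_handshake(resp, key):
            return False, "handshake", 0.0
        start = time.monotonic()
        s.setblocking(False)
        while time.monotonic() - start < idle_seconds:
            readable, _, _ = select.select([s], [], [], 1.0)
            if not readable:
                continue
            try:
                data = s.recv(4096)
            except ConnectionResetError:
                return True, "rst", time.monotonic() - start
            if not data:
                return True, "fin", time.monotonic() - start
            # Unsolicited server frames (e.g. pings) are ignored; we stay silent.
        s.setblocking(True)
        s.settimeout(timeout)
        try:
            s.sendall(ping_frame(os.urandom(4)))
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError, BrokenPipeError):
            return True, "silent", time.monotonic() - start
        if not data:
            return True, "fin", time.monotonic() - start
        outcome = "pong" if (data[0] & 0x0F) == 0x0A else "data"
        return True, outcome, time.monotonic() - start


if __name__ == "__main__":
    host, port, path, idle = sys.argv[1], int(sys.argv[2]), sys.argv[3], float(sys.argv[4])
    ok, outcome, seconds = idle_probe(host, port, path, idle)
    print("handshake ok:", ok, "outcome:", outcome, "after %.1fs" % seconds)
```

Run it three times with the same idle period (say 150s, longer than the 60s nginx default): straight at the backend, bypassing nginx; through the OPNsense nginx from the same segment; and from the client network across the firewall. A clean `fin` at roughly 60s only on the nginx path points at `proxy_read_timeout`/`proxy_send_timeout`; `silent` only when crossing the firewall points at a state being dropped, since pf does not send a FIN when it forgets a connection.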
#14
General Discussion / Outbound NAT does not work!
February 13, 2019, 09:48:31 AM
Hello

I've configured my OPNsense box, but
my servers in the LAN network can't ping 8.8.8.8.

When they do so, the OPNsense firewall log shows OPNsense passing the ICMP packet from 192.168.x.y to 8.8.8.8,
but the server itself doesn't get the reply back.

I'm not sure what the problem is.
#15
Hello
I am using ZeroTier on my OPNsense box and
it has two gateways.
I need my ZeroTier traffic to go through one particular gateway among them.
How can I enforce this through the OPNsense settings?