Messages

1

21.1 Legacy Series / Re: Loose internal network when PPPOE connexion is down.

« on: April 12, 2021, 08:05:07 pm »

I will try again to shutdown the PPPOE this night when my wife goes to sleep to do more test.

But for example I have this rules on my LAN vlan (192.168.1.0/24) :
https://trevelian.de/opnsense/gest1.png

gest is the alias of 192.168.7.20 on my BASTION vlan (192.168.7.0/24):
https://trevelian.de/opnsense/gest2.png

No problem when my internet connection is up, I see in the firewall "Live View" that SSH is accepted to "gest"
When PPPOE is down when I try to ssh to "gest" I see that its block by the default block rules in the "Live View"

2

21.1 Legacy Series / Re: Loose internal network when PPPOE connexion is down.

« on: April 12, 2021, 07:25:19 pm »

I have 11 VLAN and nothing in floating (except automatic generated rules)

https://trevelian.de/opnsense/floating.png

3

21.1 Legacy Series / Re: Loose internal network when PPPOE connexion is down.

« on: April 12, 2021, 10:46:37 am »

https://trevelian.de/opnsense/lan.png

If you need more, no problem.

It is possible that the problem is related to my usage of "alias" ?

4

21.1 Legacy Series / Re: Loose internal network when PPPOE connexion is down.

« on: April 12, 2021, 09:47:13 am »

I receive IPV4 and IPV6 from my ISP, but I only use IPV4, no IPV6 on the internal network.

I see on firewall logs that I hit the default block rules, Its like all my allow rules are ignored when the WAN connection is down.

5

21.1 Legacy Series / Re: Loose internal network when PPPOE connexion is down.

« on: April 12, 2021, 08:03:49 am »

I'm not alone -> https://forum.opnsense.org/index.php?topic=15299.0

6

21.1 Legacy Series / Loose internal network when PPPOE connexion is down.

« on: April 11, 2021, 10:49:06 pm »

Hello,

I have multiple VLAN on my homelab and the gateway of each VLAN is an Opnsense interface.
Opnsense is also used for the WAN access (PPPOE)

When there is a problem with my ISP and I loose my internet connexion, I also loose the connexion between my internal VLAN.

Maybe I need to activate this option on internal Interfaces-> "Dynamic gateway policy | This interface does not require an intermediate system to act as a gateway "

But I don't really understand it so I prefer ask before enable that.

Version : 21.1.4

Thanks for your help !
Trevelian.

7

Intrusion Detection and Prevention / Re: IPS PPPoE Interface

« on: December 21, 2018, 08:17:31 pm »

Hello,

Its a limitation of FreeBSD that can be fixed, or its just not possible ?

I use opnsense for Internet access but also for internal network segmentation, and the performance penalty with suricata IPS on LAN interface is too high. So having it on PPPoe seems more appropriate.

Thanks,
Trevelian.

8

Intrusion Detection and Prevention / IPS with VLAN, promiscuous mode ?

« on: November 20, 2018, 03:27:07 pm »

Hello world,

After failing using IPS mode with KVM VirtIO network cards (apparently not supported by the OS under opnsense) I'm starting to test the IPS using VLAN (trunk with vlan tagging) on a physical NIC

The first test was deadly, lost of connection, I found that if I disable the "VLAN Hardware Filtering" It solve my issue.
Reading the documentation I also see that if I monitor a physical NIC with VLAN I must use the promiscuous mode, but after testing with or without the "promiscuous mode" I was not able to see any difference, the IPS is correctly blocking website like http://www.eicar.org/download/eicar.com.txt

So should I enable or disable the "promiscuous mode" ?

opnsense version 18.7
network card Intel Corporation I350 Gigabit Network Connection (rev 01)

Thanks !
Trevelian.