Messages - daniel78

#1
Have you set up an outbound NAT rule?
Like: WAN interface, source: your server, NAT address: your virtual (2nd) IP
#2
Thanks a lot! This helps!
#3
Hi,

Is there something like https://docs.netgate.com/pfsense/en/latest/firewall/adding-rules-with-easyrule.html to easily modify some rules on the CLI in OPNsense?

Let's say directly after command-line installation I want to temporarily administer the box from WAN and therefore enable the web interface on WAN?

Thanks

#4
 :) Thanks for the help! After removing the "Redirect Gateway" option it now works. As expected. All internet traffic is going through the vpn to the OPNsense.

Just for understanding this: Yes, my VPN client has now received an IP from the OPNsense's LAN DHCP on the OpenVPN adapter and an IP from the LOCAL DHCP server (which also provides a default gateway). How does my Windows client "know" that it has to send everything through the OpenVPN tunnel?

#5
Hi!

I have an OpenVPN server in bridge mode with a tap interface on OPNsense which is working so far: I can successfully connect to the VPN, receive an internal IP (from OPNsense DHCP) and can reach internal resources in the remote OPNsense "LAN".

I have also checked "Redirect Gateway" in the server config because I want to have all my local traffic sent through OpenVPN and use the remote uplink (and its public IP) of the OPNsense server for "internet access" on the VPN client.
This does not work reliably. The client still routes all traffic to its local default gateway. There is a "NOTE" in the Windows 10 OpenVPN logfile:


Fri Jul 10 14:56:43 2020 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing

The routing table looks like this and I think the "Metrik" is the problem? 192.168.41.1 is the local client's default gateway and 192.168.100.0/24 is the remote OPNsense's LAN to which I am bridged, 192.168.100.7 being the local OpenVPN IP received from OPNsense DHCP:


IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.41.1    192.168.41.87     25
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.7     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
...


If I manually set route-gateway 192.168.100.1 (where 192.168.100.1 is the internal LAN adapter IP of the OPNsense) in my openvpn-client config it works as expected and all my traffic is sent through the tunnel. The routing table looks like:



IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.41.1    192.168.41.87     25
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.7     25
          0.0.0.0        128.0.0.0    192.168.100.1    192.168.100.7    281
....


Is this expected behaviour? Do I have to manually deploy the "route-gateway 192.168.100.1" to all my clients?

Thanks for any help with this.

Best regards
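As an added example (not from the original thread), the lookup behind the two routing tables quoted above: parse the Windows `route print` output and resolve a constructed destination by longest-prefix match with metric tie-break, which shows why two equal-metric 0.0.0.0/0 routes leave the next hop undetermined and why the 0.0.0.0/1 route that appears after adding route-gateway wins. The 128.0.0.0/1 companion route is assumed (OpenVPN's def1 mode installs both halves; the post's listing is truncated), and 203.0.113.10 is a constructed destination.

```python
import ipaddress

# Constructed from the two Windows routing tables quoted in the post
# (columns: Netzwerkziel, Netzwerkmaske, Gateway, Schnittstelle, Metrik).
BEFORE = """\
          0.0.0.0          0.0.0.0     192.168.41.1    192.168.41.87     25
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.7     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
"""
# After setting route-gateway: the 0.0.0.0/1 half is on the page; the
# 128.0.0.0/1 half is assumed (OpenVPN def1 installs both halves).
AFTER = BEFORE + """\
          0.0.0.0        128.0.0.0    192.168.100.1    192.168.100.7    281
        128.0.0.0        128.0.0.0    192.168.100.1    192.168.100.7    281
"""


def parse_routes(table):
    """Return (network, gateway, metric) tuples; 'Auf Verbindung' means on-link."""
    routes = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[2:4] == ["Auf", "Verbindung"]:
            parts = parts[:2] + ["on-link"] + parts[4:]
        if len(parts) != 5:
            continue  # header, separator and '...' lines
        dest, mask, gateway, _iface, metric = parts
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, int(metric)))
    return routes


def lookup(routes, dst):
    """Pick the next hop the way the stack does: longest prefix, then lowest metric.

    Returns (gateway, ambiguous); ambiguous is True when another route ties on
    both prefix length and metric, i.e. the table does not determine the outcome.
    """
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None, False

    def rank(r):
        return (-r[0].prefixlen, r[2])

    best = min(candidates, key=rank)
    ambiguous = sum(1 for r in candidates if rank(r) == rank(best)) > 1
    return best[1], ambiguous


if __name__ == "__main__":
    target = "203.0.113.10"  # constructed internet destination (TEST-NET-3)
    print("before:", lookup(parse_routes(BEFORE), target))  # equal-metric tie
    print("after: ", lookup(parse_routes(AFTER), target))   # /1 route wins
```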
#6
20.1 Legacy Series / LTE signal strength?
July 08, 2020, 03:38:52 PM
Hi, I have a configured LTE interface which shows a green up arrow and a (provider-assigned) IP address, that's why I suppose I am connected - but where do I find a signal quality/strength indication? Does it exist?

I dug through some code and found hints in the widget code that there should be an indication of connected time and signal strength in the widget. Are there any known problems or is there another place to find information about this interface? The PPP log is not quite rich in providing these types of info either.

Thanks for any help!
#7
Hi!

Sorry if my first question is a) a stupid one and b) has been asked quite some times (at least according to a quick Google search that's the fact), but I am asking it because I did not get the answer right... Thanks for your help!

I have an OPNsense device with lots of interfaces/zones/VLANs. And most of these "zones" are internet access only and there should be (mostly) no zone-to-zone transfer. Firewalling sounds easy at first.

Everything that isn't explicitly allowed is blocked. But how to allow "Internet" access for zones? There seems to be no alias/object for "internet" - so there needs to be an ANY ANY ALLOW rule for internet access, doesn't it? Other rules need to BLOCK access to the other zones manually to make this setup work. I have read about the RFC1918-alias workaround to, well, work around this, but is this still the recommended way of handling this?

Is there another option which I am missing? Is there a planned change? Is this changeable? Sorry, I have very little background in pf and BSD* - coming from a Linux firewall which just had an "Internet" object to use in the ruleset...

Again thanks for any help on this.

Best regards
daniel