Messages - bruch05

1
21.1 Legacy Series / Re: PROXY authentication with Voucher does not work
« on: March 14, 2021, 01:49:13 pm »
Hello,

Could you please let me know if the "voucher" method is supported or not for the Proxy Authentication method?
The "voucher" method is proposed but does not seem to work using a captive portal voucher.

Any help would be greatly appreciated.

Thanks in advance
Christophe

2
Web Proxy Filtering and Caching / PROXY authentication with Voucher does not work
« on: March 08, 2021, 08:54:28 pm »
Hello,

With the last version.

OPNsense 21.1.2-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1j 16 Feb 2021

I set the voucher as authentication mode for the proxy through Services => Web Proxy => Administration => Forward Proxy => Authentication Settings => Authentication method = "Radius NAS, Voucher"

I've generated vouchers with Services => Captive Portal => Vouchers.

When I use an unused voucher to authenticate, I get "Cache Access Denied".
With an Active Directory account retrieved with Radius, it's OK.

I'm not sure that using a voucher from the captive portal is the right way. I haven't found where to generate a voucher for the proxy.

Thanks in advance
Christophe
French charity association

3
21.1 Legacy Series / Re: Installation issue - Reboot Loop
« on: March 07, 2021, 08:21:34 pm »
Hello,

I've got the same issue due to UEFI boot instead of GPT.
After changing the boot mode in the BIOS, it's OK.

Christophe

4
21.1 Legacy Series / PROXY authentication with Voucher does not work
« on: March 07, 2021, 08:05:00 pm »
Hello,

With the last version.

OPNsense 21.1.2-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1j 16 Feb 2021

I set the voucher as authentication mode for the proxy through Services => Web Proxy => Administration => Forward Proxy => Authentication Settings => Authentication method = "Radius NAS, Voucher"

I've generated vouchers with Services => Captive Portal => Vouchers.

When I use an unused voucher to authenticate, I get "Cache Access Denied".
With an Active Directory account retrieved with Radius, it's OK.

I'm not sure that using a voucher from the captive portal is the right way. I haven't found where to generate a voucher for the proxy.

Thanks in advance
Christophe
French charity association

5
Intrusion Detection and Prevention / GeoIP - Subnet not correctly handled - Help :-)
« on: April 16, 2020, 02:33:50 pm »
Hello,

I have a lot of traffic coming from 45.142.195.xx and, despite GeoIP blocking all IPv4 traffic except FR, the traffic passes through OPNsense. The SMTP server is being attacked massively.

2020-04-16T13:58:35   filterlog: 69,,,0,re0,match,pass,out,4,0x0,,57,39637,0,DF,6,tcp,60,45.142.195.xx,192.168.1.254,53080,25,0,S,1841383170,,29200,,mss;sackOK;TS;nop;wscale

I've checked the IPv4 CSV file from the GeoIP zip file and I find 45.142.192.0/22.
So the subnets 45.142.192.0/24, 45.142.193.0/24, 45.142.193.0/24 and 45.142.193.0/24 are from Germany (Allemagne), not FR, so the address must be blocked.

network   geoname_id   locale_code
45.142.192.0/22   2921044   Allemagne
45.142.196.0/22   248816   Jordanie

The parameters below seem to be good, but surely something is wrong. Some help would be much appreciated.

I've defined the Alias for GeoIP

Just unselect France (FR)

and block all traffic on WAN If for GeoIPAlias

The DB seems to be correctly uploaded

Thanks in advance
Christophe
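
An added example (not part of the original post): a Python check that parses the filterlog line quoted above and looks its source up in the two GeoIP CSV rows from the post. The field order is assumed from the IPv4/TCP layout visible on that line, the function names are hypothetical, and a masked last octet ("xx") is treated as the whole /24.

```python
import ipaddress

# Field order assumed from the log line in the post (IPv4 + TCP layout).
FIELDS = ["rule", "subrule", "anchor", "label", "iface", "reason", "action",
          "dir", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "protonum", "proto", "length", "src", "dst", "sport", "dport"]

# The two GeoIP CSV rows quoted in the post.
GEOIP_ROWS = [("45.142.192.0/22", "Allemagne"), ("45.142.196.0/22", "Jordanie")]

# The filterlog line from the post, last source octet masked as posted.
LOG_LINE = ("69,,,0,re0,match,pass,out,4,0x0,,57,39637,0,DF,6,tcp,60,"
            "45.142.195.xx,192.168.1.254,53080,25,0,S,1841383170,,29200,,"
            "mss;sackOK;TS;nop;wscale")

def parse_filterlog(line):
    """Map the leading CSV fields of an IPv4/TCP filterlog entry to names."""
    parts = line.split(",")
    if len(parts) < len(FIELDS) or parts[8] != "4":
        raise ValueError("not an IPv4 filterlog entry in the assumed layout")
    return dict(zip(FIELDS, parts))

def to_network(addr):
    """Return addr as a network; a masked last octet ('xx') becomes its /24."""
    head, _, last = addr.rpartition(".")
    if last.isdigit():
        return ipaddress.ip_network(addr + "/32")
    return ipaddress.ip_network(head + ".0/24")

def geoip_lookup(addr, rows=GEOIP_ROWS):
    """Return (network, country) of the CSV row containing addr, or None."""
    target = to_network(addr)
    for cidr, country in rows:
        if target.subnet_of(ipaddress.ip_network(cidr)):
            return cidr, country
    return None

def slash24s(cidr):
    """List the /24 networks that make up a larger IPv4 block."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=24)]

def triage(line):
    """Summarise which rule passed the packet and where GeoIP places its source."""
    e = parse_filterlog(line)
    return {"rule": e["rule"], "iface": e["iface"], "action": e["action"],
            "dir": e["dir"], "dport": e["dport"], "geoip": geoip_lookup(e["src"])}

if __name__ == "__main__":
    print(triage(LOG_LINE))
    print(slash24s("45.142.192.0/22"))
```

The summary names the rule number, interface and direction recorded on the log line, which identifies the rule that matched the packet when comparing against the GeoIP block rule.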

6
20.1 Legacy Series / Re: Crash OPNsense 20.1.3-i386
« on: April 05, 2020, 05:27:07 pm »
Hello,

Thank you for your answer. :)

I will investigate in this way.

Best regards
Christophe

7
20.1 Legacy Series / Crash OPNsense 20.1.3-i386
« on: April 04, 2020, 09:21:15 am »
Hello,

My FW crashes without any explanation. I've submitted reports.

OPNsense 20.1.3-i386
FreeBSD 11.2-RELEASE-p17-HBSD
OpenSSL 1.1.1d 10 Sep 2019

Please find the dump analysis.

root@firewall:/var/crash # kgdb /boot/kernel/kernel /var/crash/vmcore.0
GNU gdb (GDB) 8.3.1 [GDB v8.3.1 for FreeBSD]
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "i386-portbld-freebsd11.2".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...
(No debugging symbols found in /boot/kernel/kernel)
0xc0cf5d69 in sched_switch ()

Thx for your help
Christophe

8
18.7 Legacy Series / Re: Lost WAN communication every 9 minutes
« on: February 08, 2019, 09:10:04 pm »
Hello,

This behavior is due to the ARP table not being refreshed often enough.

The solution is to set this tunable parameter "net.link.ether.inet.max_age" to 300 seconds to avoid the ARP problem.

regards
Tof

9
18.7 Legacy Series / Re: Lost WAN communication every 9 minutes
« on: January 25, 2019, 09:23:37 pm »
Hello,

Thx for your reply.

This is a Huawei PON, Fiber to Ethernet.
Connected to a laptop directly, the connection is reliable.
Connected to OPNsense, the connection is unstable...

I've posted a question to my internet provider. I'll let you know if I find a solution.

Regards
Christophe

10
18.7 Legacy Series / Re: VPN IPsec vs Windows 10 [SOLVED]
« on: January 20, 2019, 09:17:33 pm »
Hello,

With these two commands, the client is correctly setup and the routing is ok.

Add-VpnConnection -Name "VPN_TEST" -ServerAddress "laclairiereXXXXX.fr" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection

Add-VpnConnectionRoute -ConnectionName "VPN_TEST" -DestinationPrefix 192.168.1.0/24 -PassThru

where 192.168.1.0 is the LAN subnet.

Regards
Christophe

11
18.7 Legacy Series / Re: VPN IPsec vs Windows 10
« on: January 20, 2019, 04:23:34 pm »
Hello,

Thx for your reply, I've already defined this static route and I get the LAN.
My question is why the route 10.2.0.0 is defined instead of 0.0.0.0?

I use a Synology VPN Server and I don't have this behavior.

Thx

Tof

12
18.7 Legacy Series / VPN IPsec vs Windows 10 [SOLVED]
« on: January 20, 2019, 10:29:51 am »
Hello,

I've successfully configured an IPsec IKEv2 VPN. The Windows 10 VPN client connects without any trouble.
I have only one issue, regarding the IP routing table on the Windows 10 side.

The entry 0.0.0.0 to route traffic to the VPN gateway 10.2.0.1 is not set correctly.
Instead, I have 10.0.0.0 to VPN gateway 10.2.0.1

IPv4 Table de routage
====================================================================
Itinéraires actifs :
Destination réseau    Masque réseau            Adr. passerelle     Adr. interface       Métrique
          0.0.0.0          0.0.0.0                       192.168.0.254     192.168.0.117     45
         10.0.0.0         255.0.0.0                    On-link                10.2.0.1              26
         10.2.0.1         255.255.255.255         On-link                10.2.0.1              281
         
I add a static route and the remote LAN is reachable.

C:\Users\Christophe>route add 0.0.0.0 MASK 0.0.0.0 10.2.0.1 METRIC 2

IPv4 Table de routage
===========================================================
Itinéraires actifs :
Destination réseau    Masque réseau     Adr. passerelle    Adr. interface        Métrique
          0.0.0.0           0.0.0.0                192.168.0.254    192.168.0.117     55
          0.0.0.0           0.0.0.0                On-link               10.2.0.1              27
         10.0.0.0          255.0.0.0             On-link               10.2.0.1              26
         10.2.0.1          255.255.255.255  On-link               10.2.0.1              281

So what do I have to do to get the 0.0.0.0 target network instead of 10.0.0.0?
I'm sorry if it's a newbie question, but I help a charity association and networking is not my core competency.

Thanks in advance
Best regards
Christophe (Paris-France)

13
18.7 Legacy Series / Re: Lost WAN communication every 9 minutes
« on: January 17, 2019, 11:25:54 pm »
Hello,

Thank you for your reply.  :)
 
You speak about a potential issue with configuration 2, but this configuration works without trouble.
I have the issue with configuration 1, with /32 on the WAN If.

Any idea ?

Thx
Christophe

14
18.7 Legacy Series / Re: Lost WAN communication every 9 minutes
« on: January 16, 2019, 10:50:13 pm »
Hello,

No idea ?

Thx

15
18.7 Legacy Series / [SOLVED] - Lost WAN communication every 9 minutes
« on: January 14, 2019, 09:40:08 pm »
Hello,

I'm Christophe from Paris. We use OPNsense 18.7.10 for a charity association.
I need your help.

Configuration 1 :

Provider GW <- FO-> PON <-Eth-> WAN If - OpnSense - LAN IF  <-Eth-> SW Gb  <-Eth-> NAS, Laptop     
83.243.124.254         83.243.124.66/32 (DHCP)        192.168.1.1                               192.168.1.x/24        

The Far Gateway is activated on the WAN If due to the /32.

Every 9 min the Provider GW is unavailable. Just a SAVE and an APPLY on the WAN interface parameters panel (or a physical disconnect/reconnect) restores the data flow. No event in system.log relates to this failure.

To confirm that the issue is in OPNsense, I've tested directly with a laptop connected to the FO PON and I have no issue. (Down: 890Mb/s, Up: 950Mb/s)

All the parameters like LRO, TSO, EEE are correctly set. I've performed a test with another NIC, and I got the behavior.

Following some research:

- opnsense-revert -r 18.7.9 suricata and reboot. Despite this, the bad behavior still remains. The Intrusion Detection service is not enabled.
- opnsense-revert -r 18.7.7 unbound. The issue is still present.

Configuration 2 :

Provider GW <-FO-> PON <-Eth-> WAN If - BOX - LAN If  <-Eth-> ==>   
83.243.124.254         83.243.124.66/32            192.168.0.1                                                         
                                DHCP

==> WAN If - OpnSense - LAN IF  <-Eth-> Switch Gb  <-Eth-> NAS, Laptop
        192.168.0.254/24     192.168.1.1                               192.168.1.x/24
        BOX DMZ to this address

I have an issue with Configuration 1 and not with Configuration 2. From my point of view, the /32 on the OPNsense WAN interface could be the root cause!? Any idea how to debug the WAN If activity?

I would like to implement configuration 1 to avoid paying the Box rental.

Best regards and thank you in advance for your advice
Christophe




