Messages - bruch05

#1
Hello,

Could you please let me know if the "voucher" method is supported or not for the Proxy Authentication method.
The "voucher" method is proposed but does not seem to work using a captive portal voucher.

Any help would be greatly appreciated.

Thanks in advance
Christophe
#2
Hello,

With the last version.

OPNsense 21.1.2-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1j 16 Feb 2021

I set the voucher as authentication mode for the proxy through Services => Web Proxy => Administration => Forward Proxy ==> Authentication Settings => Authentication method = "Radius NAS, Voucher"

I've generated a voucher with Services => Captive Portal => Vouchers.

When I use an unused voucher to authenticate, I get "Cache Access Denied".
With an Active Directory account retrieved with Radius, it's ok.

I'm not sure that using a voucher from the captive portal is the right way. I haven't found where to generate vouchers for the Proxy.

Thanks in advance
Christophe
French charity association
#3
Hello,

I've got the same issue due to UEFI boot instead of GPT.
After changing the boot mode in the BIOS, it's OK.

Christophe
#5
Hello,

I've got a lot of traffic coming from 45.142.195.xx and, despite GeoIP blocking all IPv4 traffic except FR, the traffic passes through OPNsense. The SMTP server is being attacked massively.

2020-04-16T13:58:35   filterlog: 69,,,0,re0,match,pass,out,4,0x0,,57,39637,0,DF,6,tcp,60,45.142.195.xx,192.168.1.254,53080,25,0,S,1841383170,,29200,,mss;sackOK;TS;nop;wscale

I've checked the CSV IPv4 file from the GeoIP zip file and I found 45.142.192.0/22.
So the subnets 45.142.192.0/24, 45.142.193.0/24, 45.142.193.0/24 and 45.142.193.0/24 are from Germany (Allemagne), not FR, so the address must be blocked.

network           geoname_id   locale_code
45.142.192.0/22   2921044      Allemagne
45.142.196.0/22   248816       Jordanie

The parameters below seem to be correct, but surely something is wrong. Some help would be very much appreciated.

I've defined the Alias for GeoIP,

just unselected France (FR),

and blocked all traffic on the WAN interface for GeoIPAlias.

The DB seems to be correctly uploaded.

Thanks in advance
Christophe
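An added check for the post above (not code from the forum or from the OPNsense project): it parses the GeoIP CSV layout the post quotes and a filterlog line in the post's format, then reports a passed packet whose source does not geolocate to FR. The CSV rows, the ISO country codes in place of the French names, the FR row and the unmasked last octet of the source address are constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout of the GeoIP country CSV the post quotes
# (network, geoname_id, country). The first two rows are the ones the post shows,
# with ISO codes assumed in place of the French country names; the FR row is made up.
GEOIP_CSV = """network,geoname_id,country
45.142.192.0/22,2921044,DE
45.142.196.0/22,248816,JO
83.243.124.0/22,0,FR
"""

# Constructed filterlog line in the post's format; the post masks the last
# octet of the source address, so .1 is assumed here.
FILTERLOG_LINE = (
    "2020-04-16T13:58:35   filterlog: 69,,,0,re0,match,pass,out,4,0x0,,57,39637,0,"
    "DF,6,tcp,60,45.142.195.1,192.168.1.254,53080,25,0,S,1841383170,,29200,,"
    "mss;sackOK;TS;nop;wscale"
)


def load_blocks(csv_text):
    """Parse the CSV into (network, country) pairs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(ipaddress.ip_network(r["network"]), r["country"]) for r in reader]


def lookup_country(ip, blocks):
    """Longest-prefix match of ip against blocks; None when no block covers it."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, c) for net, c in blocks if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def parse_filterlog(line):
    """Pull the fields that matter out of an IPv4 filterlog entry (pf log CSV layout)."""
    f = line.split("filterlog: ", 1)[1].split(",")
    return {"iface": f[4], "action": f[6], "direction": f[7],
            "src": f[18], "dst": f[19], "dport": f[21]}


def audit_line(line, blocks, allowed=frozenset({"FR"})):
    """Flag a passed packet whose source geolocates outside the allowed countries."""
    rec = parse_filterlog(line)
    rec["country"] = lookup_country(rec["src"], blocks)
    rec["unexpected_pass"] = rec["action"] == "pass" and rec["country"] not in allowed
    return rec
```

Run `audit_line` over the real filterlog and the real CSV to confirm whether a source the alias should cover is still being passed, which separates an alias-content problem from a rule-order problem.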
#6
20.1 Legacy Series / Re: Crash OPNsense 20.1.3-i386
April 05, 2020, 05:27:07 PM
Hello,

Thank you for your answer. :)

I will investigate in this way.

Best regards
Christophe
#7
20.1 Legacy Series / Crash OPNsense 20.1.3-i386
April 04, 2020, 09:21:15 AM
Hello,

My FW crashes without any explanation. I've submitted reports.

OPNsense 20.1.3-i386
FreeBSD 11.2-RELEASE-p17-HBSD
OpenSSL 1.1.1d 10 Sep 2019

Please find the dump analysis below.

root@firewall:/var/crash # kgdb /boot/kernel/kernel /var/crash/vmcore.0
GNU gdb (GDB) 8.3.1 [GDB v8.3.1 for FreeBSD]
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "i386-portbld-freebsd11.2".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...
(No debugging symbols found in /boot/kernel/kernel)
0xc0cf5d69 in sched_switch ()

Thanks for your help
Christophe
#8
Hello,

This behavior is due to the ARP table not being refreshed often enough.

The solution is to set the tunable parameter "net.link.ether.inet.max_age" to 300 seconds to avoid the ARP problem.

Regards
Tof
#9
Hello,

Thanks for your reply.

This is a Huawei PON Fiber to Ethernet.
Connected directly to a laptop, the connection is reliable.
Connected to OPNsense, the connection is unstable...

I've posted a question to my internet provider. I'll let you know if I find a solution.

Regards
Christophe
#10
Hello,

With these two commands, the client is correctly set up and the routing is OK.

Add-VpnConnection -Name "VPN_TEST" -ServerAddress "laclairiereXXXXX.fr" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection

Add-VpnConnectionRoute -ConnectionName "VPN_TEST" -DestinationPrefix 192.168.1.0/24 -PassThru

where 192.168.1.0 is the LAN subnet.

Regards
Christophe
#11
18.7 Legacy Series / Re: VPN IPsec vs Windows 10
January 20, 2019, 04:23:34 PM
Hello,

Thanks for your reply, I've already defined this static route and I get the LAN.
My question is why the route 10.2.0.0 is defined instead of 0.0.0.0?

I use a Synology VPN server and I don't have this behavior.

Thanks

Tof
#12
18.7 Legacy Series / VPN IPsec vs Windows 10 [SOLVED]
January 20, 2019, 10:29:51 AM
Hello,

I've configured a VPN IPsec IKEv2 successfully. The Windows 10 VPN client connects without any trouble.
I've only one issue regarding the IP routing table on the Windows 10 side.

The entry 0.0.0.0 to route traffic to the VPN gateway 10.2.0.1 is not set correctly.
Instead, I have 10.0.0.0 to VPN Gateway 10.2.0.1

IPv4 Table de routage
====================================================================
Itinéraires actifs :
Destination réseau    Masque réseau            Adr. passerelle     Adr. interface       Métrique
          0.0.0.0          0.0.0.0                       192.168.0.254     192.168.0.117     45
         10.0.0.0         255.0.0.0                    On-link                10.2.0.1              26
         10.2.0.1         255.255.255.255         On-link                10.2.0.1              281

I added a static route and the remote LAN is reachable.

C:\Users\Christophe>route add 0.0.0.0 MASK 0.0.0.0 10.2.0.1 METRIC 2

IPv4 Table de routage
===========================================================
Itinéraires actifs :
Destination réseau    Masque réseau     Adr. passerelle    Adr. interface        Métrique
          0.0.0.0           0.0.0.0                192.168.0.254    192.168.0.117     55
          0.0.0.0           0.0.0.0                On-link               10.2.0.1              27
         10.0.0.0          255.0.0.0             On-link               10.2.0.1              26
         10.2.0.1          255.255.255.255  On-link               10.2.0.1              281

So what do I have to do to get the 0.0.0.0 target network instead of 10.0.0.0?
I'm sorry if it's a newbie question, but I help a charity association and networking is not my core competency.

Thanks in advance
Best regards
Christophe (Paris-France)
#13
Hello,

Thank you for your reply.  :)

You speak about a potential issue on configuration 2, but this configuration works without trouble.
I have the issue with configuration 1 with /32 on the WAN interface.

Any idea?

Thanks
Christophe
#14
Hello,

No idea?

Thanks
#15
Hello,

I'm Christophe from Paris. We use OPNsense 18.7.10 for a charity association.
I need your help.

Configuration 1 :

Provider GW <- FO-> PON <-Eth-> WAN If - OpnSense - LAN IF  <-Eth-> SW Gb  <-Eth-> NAS, Laptop     
83.243.124.254         83.243.124.66/32 (DHCP)        192.168.1.1                               192.168.1.x/24        

The Far Gateway is activated on the WAN interface due to the /32.

Every 9 minutes the Provider GW becomes unavailable. Just a SAVE and an APPLY on the WAN interface parameters panel (or a physical disconnect/reconnect) restores the data flow. No event in system.log relates to this failure.

To confirm that the issue is in OPNsense, I've tested directly with a laptop connected to the FO PON and I have no issue. (Down: 890Mb/s, Up: 950Mb/s)

All the parameters like LRO, TSO, EEE are correctly set. I've performed a test with another NIC, and I got the same behavior.

Following some research:

- opnsense-revert -r 18.7.9 suricata and reboot. Despite this, the bad behavior still remains. The Intrusion Detection service is not enabled.
- opnsense-revert -r 18.7.7 unbound. The issue is still present.

Configuration 2 :

Provider GW <-FO-> PON <-Eth-> WAN If - BOX - LAN If  <-Eth-> ==>   
83.243.124.254         83.243.124.66/32            192.168.0.1                                                         
                                DHCP

==> WAN If - OpnSense - LAN IF  <-Eth-> Switch Gb  <-Eth-> NAS, Laptop
        192.168.0.254/24     192.168.1.1                               192.168.1.x/24
        BOX DMZ to this address

I have an issue with Configuration 1 and not with Configuration 2. From my point of view, the /32 on the OPNsense WAN interface could be the root cause!? Any idea how to debug the WAN interface activity?

I would like to implement configuration 1 to avoid paying the Box rental.

Best regards and thank you in advance for your advice
Christophe