Messages - bruci3

#1
19.7 Legacy Series / Re: openssl-1.0.2t,1 is vulnerable
January 01, 2020, 12:42:39 AM
Thanks for the prompt reply.
#2
19.7 Legacy Series / openssl-1.0.2t,1 is vulnerable
December 31, 2019, 11:12:50 PM
Hi all,

I just updated my Opnsense to the latest version.

OPNsense 19.7.8-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019

I got this when running the security audit:

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
openssl-1.0.2t,1 is vulnerable:
OpenSSL -- Overflow vulnerability
CVE: CVE-2019-1551
WWW: https://vuxml.freebsd.org/freebsd/d778ddb0-2338-11ea-a1c7-b499baebfeaf.html

1 problem(s) in 1 installed package(s) found.
***DONE***

Should I be concerned? If so, is there anything I can do about it?
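An added example (not from the post, and not OPNsense or FreeBSD code): a small parser for the `pkg audit` report quoted above, plus a check of the installed version against the release that the upstream OpenSSL advisory for CVE-2019-1551 names as carrying the fix (1.0.2u for the 1.0.2 line, 1.1.1e for the 1.1.1 line). The sample input is the audit text from the post; the `FIXED_IN` table and the simplified version ordering in `version_key` are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the `pkg audit` output quoted in the post, verbatim.
AUDIT_OUTPUT = """\
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
openssl-1.0.2t,1 is vulnerable:
OpenSSL -- Overflow vulnerability
CVE: CVE-2019-1551
WWW: https://vuxml.freebsd.org/freebsd/d778ddb0-2338-11ea-a1c7-b499baebfeaf.html

1 problem(s) in 1 installed package(s) found.
***DONE***
"""

@dataclass
class Finding:
    pkg: str                 # port name, e.g. "openssl"
    version: str             # version without epoch, e.g. "1.0.2t"
    epoch: int               # the ",1" suffix is the PORTEPOCH, not a version digit
    title: str = ""
    cves: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)

# "<name>-<version>[,<epoch>] is vulnerable:"; the version starts with a digit.
_HEADER = re.compile(r"^(?P<name>\S+?)-(?P<ver>\d[^\s,]*)(?:,(?P<epoch>\d+))? is vulnerable:$")

def parse_pkg_audit(text: str) -> list[Finding]:
    """Turn pkg audit's text report into Finding records (one per package)."""
    findings: list[Finding] = []
    cur: Finding | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            cur = Finding(m["name"], m["ver"], int(m["epoch"] or 0))
            findings.append(cur)
        elif cur is None or not line:
            cur = None                      # a blank line closes an entry
        elif line.startswith("CVE:"):
            cur.cves.extend(line[4:].split())
        elif line.startswith("WWW:"):
            cur.urls.append(line[4:].strip())
        elif not cur.title:
            cur.title = line                # first free-text line is the title
    return findings

def version_key(ver: str):
    """Simplified ordering for strings like 1.0.2t or 1.0.2u_1 (assumption):
    numeric runs compare as integers, letter runs alphabetically, and a _N port
    revision ranks last. Enough for OpenSSL version strings; on a real host
    `pkg version -t` is the authoritative comparison."""
    base, _, rev = ver.partition("_")
    parts = tuple((0, int(p)) if p.isdigit() else (1, p)
                  for p in re.findall(r"\d+|[A-Za-z]+", base))
    return parts, int(rev or 0)

# Assumption: releases carrying the fix per the upstream OpenSSL advisory for
# CVE-2019-1551 (1.0.2u for the 1.0.2 line, 1.1.1e for the 1.1.1 line).
FIXED_IN = {"CVE-2019-1551": {"1.0.2": "1.0.2u", "1.1.1": "1.1.1e"}}

def fix_status(f: Finding, cve: str) -> bool | None:
    """True if the installed version is at or past the fixed release, False if
    it is older, None if no fixed release is recorded for this version line."""
    m = re.match(r"\d+\.\d+\.\d+", f.version)
    fixed = FIXED_IN.get(cve, {}).get(m.group(0)) if m else None
    if fixed is None:
        return None
    return version_key(f.version) >= version_key(fixed)

if __name__ == "__main__":
    for f in parse_pkg_audit(AUDIT_OUTPUT):
        for cve in f.cves:
            print(f"{f.pkg}-{f.version},{f.epoch} {cve}: fixed={fix_status(f, cve)}")
```

On the box itself, `pkg audit -F` refreshes the VuXML database before reporting, and `pkg version -t 1.0.2t 1.0.2u` prints `<` using pkg's real version rules, which is the comparison to trust when a version string is more exotic than the ones above.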
#4
19.1 Legacy Series / Re: IPSec site to site
May 24, 2019, 04:05:48 AM
I am convinced this is a bug of some sort.

I just set up a new site-to-site from Opnsense to an AWS site, and everything can ping each other from both sides, but once again the only thing not working is pinging from the Opnsense firewall to anything in the AWS site.

I cannot see any logical reason this fails.
#5
19.1 Legacy Series / Re: IPSec site to site
May 23, 2019, 08:33:14 AM
I found this guide here, which seems to be related to my exact issue:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

So I created the GW and route, which now seems to push the traffic from my firewall correctly over the IPSec tunnel.

However, it's still not working; it seems traffic from the firewall never leaves SiteA.

The only thing that I notice that might be causing this issue is below:

If I ping from a PC in SiteA to SiteB, tcpdump shows this:
16:26:44.926095 (authentic,confidential): SPI 0xc39181b2: IP 192.168.1.30 > 172.16.7.20: ICMP echo request, id 1, seq 5767, length 40
16:26:44.966963 (authentic,confidential): SPI 0xcbda3874: IP 172.16.7.20 > 192.168.1.30: ICMP echo reply, id 1, seq 5767, length 40

If I ping from the firewall in SiteA to SiteB, tcpdump shows this instead:
16:26:36.071993 (authentic,confidential): SPI 0xc39181b2: IP FirewallName.Domain > 172.16.7.20: ICMP echo request, id 64118, seq 1, length 64

So no echo reply. But it does not show the source as my firewall's IP, but rather the hostname of my firewall. Could this be causing the issue? If so, how do I change this to the IP address instead?
#6
19.1 Legacy Series / Re: IPSec site to site
May 23, 2019, 06:16:34 AM
Ok I almost got this all working now.

Everything from SiteA can reach SiteB except for the firewall (from SiteA).

Everything from SiteB can reach SiteA no issues, even the firewall can reach SiteA firewall.

So only last issue is, the firewall on SiteA cannot reach anything on SiteB.

I suspect it's some weird NAT issue or a firewall rule I am missing.

Please help?
#7
19.1 Legacy Series / Re: IPSec site to site
May 23, 2019, 03:04:40 AM
I am running tcpdump on my IPsec site-to-site interface.

If I ping from a computer in SiteA to SiteB it shows traffic for this successfully.

If I ping from my firewall in SiteA to SiteB, nothing shows up in tcpdump for the IPsec interface.

However, the firewall pings show up under the WAN interface instead, which I think is the issue.

I assume this means that my Firewall pings to SiteB are not going through the Site to Site IPsec tunnel but exiting directly via WAN interface?

So how do I make the traffic from the firewall in SiteA to SiteB go through the IPSec site to site interface?
#8
19.1 Legacy Series / IPSec site to site
May 23, 2019, 01:58:06 AM
Hi guys,

I have set up IPSec site to site and it is currently connected (established), but things are not reachable.

SITE A
LAN
Cisco 3750 switch
Proxmox with VM Opnsense firewall/router (IPsec site to site tunnel)


SITE B
Debian shorewall firewall (strongswan ipsec site to site)
Cisco 3750 switch
LAN

So far, I can ping from any computer from Site A to Site B, excluding the Opnsense firewall.

So if I ping from the Opnsense firewall to Site B, I get a generated firewall log:

Interface  Source           Destination         Proto
WAN        SiteA Public IP  SiteB Local LAN IP  ICMP

Any ideas?
#9
19.1 Legacy Series / Re: IPsec to AWS
April 22, 2019, 12:40:59 PM
OMG, you are a genius. Seriously, for 1 week I could not figure this out; all it took was that one tip from you. I enabled "Install Policy" and now traffic is flowing both ways and pings are working. Thanks, I feel so happy right now!!

Honestly, I felt down all weekend because I could not get this to work. Thanks again mimugmail!!!
#10
19.1 Legacy Series / Re: IPsec to AWS
April 22, 2019, 07:05:38 AM
Sorry not sure what Install Policy is. Can you please explain what this is?
#11
19.1 Legacy Series / IPsec to AWS
April 22, 2019, 01:24:09 AM
Hi guys,

I am trying to set up IPsec from my Opnsense box at home to my AWS.

Opnsense LAN 192.168.1.0/24
AWS VPC 172.31.0.0/16

I have got the IPSec tunnel to establish but pings etc are not working.

It seems the Opnsense side can receive traffic, but cannot send out traffic.

The reason I know this is that if I ping from my AWS to Opnsense I can see the "Bytes in" increase, which means traffic is flowing into Opnsense, but nothing seems to go out from Opnsense, because if I ping from the Opnsense side to AWS, the "Bytes out" does not change.

These are my current rules:
Firewall > Rules
WAN allow Port:TCP/UDP 500, 4500
IPsec allow Source: 172.31.0.0/16 to any
IPsec allow Source: 192.168.1.0/24 to any
LAN allow Proto: ICMP any any

This is what the status shows on Opnsense IPsec status

Time : 1375
Bytes in : 672
Bytes out : 0

Am I missing some firewall rule, or do I need to add any routes or NAT rules? Please help?
I have been stuck with this for over a week and it's driving me nuts.
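An added example, not from the posts and not OPNsense or strongSwan code, covering both the site-to-site thread (#4 to #8) and the AWS thread (#9 to #11). It models the two decisions behind the symptoms reported there: which source address a packet originated by the firewall itself gets (the address of the interface the longest-matching route leaves through), and whether an installed phase 2 policy's traffic selectors cover that (source, destination) pair. The topology is constructed: 192.168.1.1/24 for the LAN side as in the AWS post, 172.16.7.0/24 for SiteB as in the tcpdump lines, 172.31.0.0/16 for the VPC, and 203.0.113.10 as a placeholder WAN address.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not from the posts).
LAN_IP = "192.168.1.1"
WAN_IP = "203.0.113.10"

@dataclass
class Phase2:
    local_ts: str                 # local traffic selector (local subnet)
    remote_ts: str                # remote traffic selector (remote subnet)
    install_policy: bool = True   # the phase 2 "Install Policy" checkbox

def select_source(dst: str, routes: list[tuple[str, str]]) -> str:
    """Source address for a packet the firewall itself originates: the address
    of the interface the longest-matching route leaves through."""
    best_len, best_src = -1, None
    for prefix, iface_ip in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_src = net.prefixlen, iface_ip
    if best_src is None:
        raise ValueError(f"no route to {dst}")
    return best_src

def spd_lookup(src: str, dst: str, policies: list[Phase2]) -> str:
    """Kernel SPD decision: 'esp' if an installed policy's selectors cover
    (src, dst), else 'cleartext' (the packet just follows the route)."""
    for p in policies:
        if not p.install_policy:
            continue              # SA negotiated and counted as up, but no SPD entry
        if ip_address(src) in ip_network(p.local_ts) and ip_address(dst) in ip_network(p.remote_ts):
            return "esp"
    return "cleartext"

def trace(src: str | None, dst: str, routes: list[tuple[str, str]],
          policies: list[Phase2]) -> tuple[str, str]:
    """(source address used, disposition) for a packet to dst; src=None means
    the firewall itself is the sender."""
    if src is None:
        src = select_source(dst, routes)
    return src, spd_lookup(src, dst, policies)

# SiteA firewall routing table before any fix: connected LAN plus a default
# route out of WAN.
BASE_ROUTES = [("192.168.1.0/24", LAN_IP), ("0.0.0.0/0", WAN_IP)]
SITE_TO_SITE = [Phase2("192.168.1.0/24", "172.16.7.0/24")]

if __name__ == "__main__":
    # Post #8: a LAN host matches the policy, the firewall's own ping does not.
    print(trace("192.168.1.30", "172.16.7.20", BASE_ROUTES, SITE_TO_SITE))
    print(trace(None, "172.16.7.20", BASE_ROUTES, SITE_TO_SITE))
    # Post #5: a static route to the remote subnet via a LAN-side gateway
    # changes the chosen source address, and the same packet now matches.
    print(trace(None, "172.16.7.20", BASE_ROUTES + [("172.16.7.0/24", LAN_IP)], SITE_TO_SITE))
    # Post #11: tunnel established but "Install Policy" off, nothing matches.
    aws = [Phase2("192.168.1.0/24", "172.31.0.0/16", install_policy=False)]
    print(trace("192.168.1.30", "172.31.5.5", BASE_ROUTES, aws))
```

In the model the firewall's own ping to 172.16.7.20 leaves with the WAN address, because the only route covering that subnet is the default route, and that address lies outside the 192.168.1.0/24 local selector, so the SPD has nothing to match and the packet is logged on WAN in cleartext, which is the log line shown in post #8. A static route to the remote subnet via a LAN-side gateway makes the LAN address the chosen source and the same packet then matches. The quickest check on the box is to pin the source explicitly with `ping -S 192.168.1.1 172.16.7.20`. With "Install Policy" unchecked the SA can be established and show as up while no SPD entry exists, which is consistent with "Bytes out : 0" in post #11. The hostname in the tcpdump line in post #5 is only tcpdump resolving the address for display; `tcpdump -n` prints the numeric address and changes nothing on the wire.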
#12
General Discussion / Re: Internet failover
April 15, 2019, 07:40:00 AM
Doing some googling, and found this:
https://docs.netgate.com/pfsense/en/latest/book/highavailability/multi-wan-with-ha.html

This looks like the setup that I want. This should work in Opnsense?

It's pretty much a combined CARP + multi-WAN setup, yeah?
#13
General Discussion / Internet failover
April 15, 2019, 06:30:09 AM
Hi guys,

My company has 2 internet lines from separate ISPs. I am looking at setting up Opnsense failover, so if 1 internet fails, it will automatically fail over to the other internet.

Just trying to clarify, do I follow this guide then: https://docs.opnsense.org/manual/how-tos/multiwan.html

So this setup only requires 1 Opnsense box which connects to both internets?

I also found the CARP setup, which allows HA with 2 Opnsense boxes; not sure if this is what I need or not. https://wiki.opnsense.org/manual/how-tos/carp.html

So just to clarify,

1) Multi-WAN setup is for failover between 2 or more internet services: if 1 internet fails, fail over to the other internet?
2) CARP setup is used for only 1 internet service, and failover is only for the Opnsense boxes, not used for multiple internets?

Is it possible to also combine CARP + Multi-WAN setup, i.e. 2 internet services and 2 Opnsense boxes?

#14
Ah, I see; thanks for clarifying, and thanks so much for your help. That sounds like it should work.  ;D
#15
Ok I found something that should be the solution to my problem.

This link here says how to route when the firewall and proxy are on separate servers: http://tldp.org/HOWTO/TransparentProxy-6.html

Apparently I need these rules on the firewall, but I am not sure how to interpret these rules in Opnsense?

# 1) redirect LAN web traffic to the proxy, except traffic from the proxy itself
iptables -t nat -A PREROUTING -i eth0 ! -s squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
# 2) rewrite the source so the proxy's replies come back through the firewall
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
# 3) allow the LAN -> proxy traffic to be forwarded back out the same interface
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

That first rule I assume would be:
LAN  TCP   ! 10.0.0.2   *   *   80 (HTTP)   10.0.0.2   3128   

But I am completely lost on the 2nd and 3rd rules.
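An added example, not from the post or from the TLDP howto, that models the three iptables rules above against a constructed LAN to show what each one buys. 10.0.0.2 is squid-box as in the table row; 10.0.0.1 for iptables-box, 10.0.0.10 for a LAN client and 203.0.113.50 for a web server are assumptions of this example. It shows why the SNAT rule is needed when the proxy sits on the same segment as the clients, and why the `! squid-box` exclusion on the first rule matters.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addresses: 10.0.0.2 is squid-box as in the post's table row; the
# firewall (iptables-box), a LAN client and an Internet web server are assumed.
LOCAL_NET = "10.0.0.0/24"
FIREWALL, SQUID, CLIENT, WEB = "10.0.0.1", "10.0.0.2", "10.0.0.10", "203.0.113.50"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def in_net(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr)

@dataclass
class Firewall:
    """iptables-box carrying the three rules from the howto, each switchable."""
    snat: bool = True              # rule 2 (POSTROUTING SNAT) present?
    exclude_proxy: bool = True     # the "! squid-box" on rule 1 present?
    conntrack: dict[tuple, Pkt] = field(default_factory=dict)
    next_port: int = 1024

    def forward(self, orig: Pkt) -> tuple[str, Pkt]:
        """Process a packet entering on eth0; returns (verdict, packet as sent on)."""
        p = orig
        # Rule 1: DNAT port-80 traffic to the proxy, normally except the proxy's own.
        if p.dport == 80 and (p.src != SQUID or not self.exclude_proxy):
            p = Pkt(p.src, p.sport, SQUID, 3128)
        if p.dst != SQUID:
            return "wan", p                  # not proxy-bound: ordinary Internet path
        # Rule 3: FORWARD accept only local-network -> squid-box:3128 (eth0 -> eth0).
        if not (in_net(p.src, LOCAL_NET) and p.dport == 3128):
            return "drop", p
        # Rule 2: SNAT local-network -> squid-box to the firewall's own address.
        if self.snat and in_net(p.src, LOCAL_NET):
            p = Pkt(FIREWALL, self.next_port, p.dst, p.dport)
            self.next_port += 1
        # Conntrack keys the expected reply tuple to the original packet so both
        # translations are undone on the way back.
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = orig
        return "lan", p

    def reply_path(self, reply: Pkt) -> Pkt:
        """The proxy's reply. On a flat LAN it only reaches the firewall if it is
        addressed to the firewall; otherwise the switch delivers it directly."""
        if reply.dst != FIREWALL:
            return reply
        orig = self.conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def client_accepts(sent: Pkt, got: Pkt) -> bool:
    """A TCP stack matches replies on the exact 4-tuple; anything else draws a RST."""
    return (got.src, got.sport, got.dst, got.dport) == (sent.dst, sent.dport, sent.src, sent.sport)

def browse(fw: Firewall) -> bool:
    """Client fetches WEB:80 through the transparent proxy; True if the reply
    arrives looking like it came from WEB:80."""
    sent = Pkt(CLIENT, 40000, WEB, 80)
    verdict, at_proxy = fw.forward(sent)
    if verdict != "lan":
        return False
    reply = Pkt(at_proxy.dst, at_proxy.dport, at_proxy.src, at_proxy.sport)
    return client_accepts(sent, fw.reply_path(reply))

def proxy_fetch(fw: Firewall) -> str:
    """The proxy's own upstream fetch must leave for the Internet, not loop back."""
    verdict, _ = fw.forward(Pkt(SQUID, 50000, WEB, 80))
    return verdict

if __name__ == "__main__":
    print("all three rules:", browse(Firewall()))                               # True
    print("without SNAT:", browse(Firewall(snat=False)))                        # False
    print("proxy's own fetch:", proxy_fetch(Firewall()))                        # wan
    print("without the exclusion:", proxy_fetch(Firewall(exclude_proxy=False)))  # lan
```

Without rule 2 the proxy answers the client directly across the switch, so the reply arrives from 10.0.0.2:3128 instead of the web server's address and port and the client's TCP stack rejects it; the SNAT forces the reply back through the firewall, where conntrack undoes both the DNAT and the SNAT. Without the exclusion on rule 1 the proxy's own outbound port-80 requests get redirected back to the proxy. As a mapping onto OPNsense (my reading, not from the post): rule 1 is the LAN port forward already in the table row; rule 2 is an outbound NAT rule on the LAN interface (Firewall > NAT > Outbound in hybrid or manual mode) with source 10.0.0.0/24, destination 10.0.0.2 port 3128, translated to the interface address; rule 3 is the LAN pass rule a port forward can create for you.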