"
My firewall is configured to accept any packet on ipsec interface.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
Virtual private networks / IPSEC S2S Issues
March 21, 2025, 05:12:06 PM
Hello,
I've got issue with a IPSEC tunnel site to side between Opnsense and Fortigate.
Here is my setup:
NET A <-> FORTIGATE <-> WAN <-> OPNSENSE <-> NET B
I can access NET A from NET B but I can't access NET A to NET B.
On my Fortigate I see packet going through corresponding IPSEC but I see nothing on Opnsense side (with tcpdump).
What could possibly be wrong ?
Thanks a lot.
Regards,
Mathieu
I've got issue with a IPSEC tunnel site to side between Opnsense and Fortigate.
Here is my setup:
NET A <-> FORTIGATE <-> WAN <-> OPNSENSE <-> NET B
I can access NET A from NET B but I can't access NET A to NET B.
On my Fortigate I see packet going through corresponding IPSEC but I see nothing on Opnsense side (with tcpdump).
What could possibly be wrong ?
Thanks a lot.
Regards,
Mathieu
#3
20.1 Legacy Series / Re: PR_CONNECT_RESET_ERROR on apply modification
April 01, 2020, 02:32:24 PM
After investigation, PR_CONNECT_RESET_ERROR occurs on apply button of Aliases, Virtual IP, firewalls pages.
Problem seems to be bound to gateways. I've two wan interfaces so two gateways configure with monitoring enable, if a disable gateway monitoring no more "PR_CONNECT_RESET_ERROR"
Config to avoid error is as following:
Regards,
Math
Problem seems to be bound to gateways. I've two wan interfaces so two gateways configure with monitoring enable, if a disable gateway monitoring no more "PR_CONNECT_RESET_ERROR"
Config to avoid error is as following:
Code Select
<gateways>
<gateway_item>
<interface>opt5</interface>
<gateway>A.B.C.D</gateway>
<name>WAN_GTW_V6</name>
<priority>240</priority>
<weight>1</weight>
<ipprotocol>inet</ipprotocol>
<interval/>
<descr>WAN outgoing via public vlan 6</descr>
<monitor_disable>1</monitor_disable>
<defaultgw>1</defaultgw>
</gateway_item>
<gateway_item>
<interface>wan</interface>
<gateway>E.F.G.H</gateway>
<name>WAN_GTW_V7</name>
<priority>250</priority>
<weight>1</weight>
<ipprotocol>inet</ipprotocol>
<interval/>
<descr>WAN outgoing via public vlan 7</descr>
<monitor_disable>1</monitor_disable>
<force_down>1</force_down>
</gateway_item>
</gateways>Regards,
Math
#4
20.1 Legacy Series / PR_CONNECT_RESET_ERROR on apply modification
March 31, 2020, 04:13:58 PM
Hello,
After adding a rule or a virtual ip, after press "Apply", browser is loading during a few seconds and return me a PR_CONNECT_RESET_ERROR. I'm not sure when the issue happen first but I think it's when I editing a virtual IP.
If I have open a ssh session on the firewall to watch the logs i'm disconnected.
I'm not able to see anything in the logs, is there any way to have more verbose logs of the GUI ?
OPNsense 20.1.3-amd64
Regards,
Mathieu
After adding a rule or a virtual ip, after press "Apply", browser is loading during a few seconds and return me a PR_CONNECT_RESET_ERROR. I'm not sure when the issue happen first but I think it's when I editing a virtual IP.
If I have open a ssh session on the firewall to watch the logs i'm disconnected.
I'm not able to see anything in the logs, is there any way to have more verbose logs of the GUI ?
OPNsense 20.1.3-amd64
Regards,
Mathieu
#5
19.7 Legacy Series / Re: Static routing issues
August 09, 2019, 04:59:37 PM
I have to check, yes correct. I've edited my post.
#6
19.7 Legacy Series / Re: Static routing issues
August 08, 2019, 02:52:05 PM
With help of opnsense github support, i manage to resolve my issue:
After a tcpdump, i find my packet matching this rule:
@73 pass out log on vmx1 route-to (vmx1 172.18.4.21) inet from 172.18.4.25 to ! (vmx1:network:1) flags S/SA keep state allow-opts label "2ff18b6378c052f6d36a245571286063"
I find the rule in WEBUI and find the guilty config, i need touncheck " Disable automatic rules which force local services to use the assigned interface gateway. " under Firewalls > Settings > Advanced.
Sorry for the inconvenience and thanks you very much for you help mimugmail.
Regards,
Math
After a tcpdump, i find my packet matching this rule:
@73 pass out log on vmx1 route-to (vmx1 172.18.4.21) inet from 172.18.4.25 to ! (vmx1:network:1) flags S/SA keep state allow-opts label "2ff18b6378c052f6d36a245571286063"
I find the rule in WEBUI and find the guilty config, i need to
Sorry for the inconvenience and thanks you very much for you help mimugmail.
Regards,
Math
#7
19.7 Legacy Series / Re: Static routing issues
August 08, 2019, 10:21:26 AM
Hello,
Behaviour is still the same: Routing table is correct but wrong routing decision is taken when making a traceroute.
root@OPNsense:~ # netstat -r4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default A.B.C.D UGS vmx3
A.B.C.D/24 link#4 U vmx3
OPNsense link#4 UHS lo0
10.2.0.0/24 link#16 U vmx8_vla
OPNsense link#16 UHS lo0
100.64.0.0/24 172.18.4.21 UGS vmx1
100.64.2.0/23 172.18.4.21 UGS vmx1
100.64.4.0/23 172.18.4.21 UGS vmx1
100.64.6.0/23 172.18.4.21 UGS vmx1
100.65.0.32/29 link#7 U vmx6
OPNsense link#7 UHS lo0
localhost link#11 UH lo0
172.18.4.16/28 link#2 U vmx1
OPNsense link#2 UHS lo0
172.20.0.0/16 link#1 U vmx0
OPNsense link#1 UHS lo0
172.21.0.0/16 172.18.4.20 UGS vmx1
192.168.4.0/24 link#15 U vmx8_vla
OPNsense link#15 UHS lo0
192.168.10.0/24 192.168.4.250 UGS vmx8_vla
192.168.12.0/24 192.168.4.250 UGS vmx8_vla
192.168.14.0/24 192.168.4.250 UGS vmx8_vla
192.168.15.0/24 192.168.4.250 UGS vmx8_vla
192.168.18.0/24 192.168.4.250 UGS vmx8_vla
192.168.24.0/24 192.168.4.250 UGS vmx8_vla
192.168.30.0/24 192.168.4.250 UGS vmx8_vla
192.168.31.0/24 192.168.4.250 UGS vmx8_vla
192.168.32.0/24 192.168.4.250 UGS vmx8_vla
192.168.33.0/24 192.168.4.250 UGS vmx8_vla
192.168.42.0/24 192.168.4.250 UGS vmx8_vla
192.168.43.0/24 192.168.4.250 UGS vmx8_vla
192.168.44.0/24 192.168.4.250 UGS vmx8_vla
root@OPNsense:~ # traceroute 172.21.10.1
traceroute to 172.21.10.1 (172.21.10.1), 64 hops max, 40 byte packets
1 172.18.4.21 (172.18.4.21) 0.319 ms 0.234 ms 0.202 ms
2 *^C
- I already have a WAN gatewau mark as upstream.
- Outbound NAT is Manual
- Outbound NA entry are corrects
Behaviour is still the same: Routing table is correct but wrong routing decision is taken when making a traceroute.
root@OPNsense:~ # netstat -r4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default A.B.C.D UGS vmx3
A.B.C.D/24 link#4 U vmx3
OPNsense link#4 UHS lo0
10.2.0.0/24 link#16 U vmx8_vla
OPNsense link#16 UHS lo0
100.64.0.0/24 172.18.4.21 UGS vmx1
100.64.2.0/23 172.18.4.21 UGS vmx1
100.64.4.0/23 172.18.4.21 UGS vmx1
100.64.6.0/23 172.18.4.21 UGS vmx1
100.65.0.32/29 link#7 U vmx6
OPNsense link#7 UHS lo0
localhost link#11 UH lo0
172.18.4.16/28 link#2 U vmx1
OPNsense link#2 UHS lo0
172.20.0.0/16 link#1 U vmx0
OPNsense link#1 UHS lo0
172.21.0.0/16 172.18.4.20 UGS vmx1
192.168.4.0/24 link#15 U vmx8_vla
OPNsense link#15 UHS lo0
192.168.10.0/24 192.168.4.250 UGS vmx8_vla
192.168.12.0/24 192.168.4.250 UGS vmx8_vla
192.168.14.0/24 192.168.4.250 UGS vmx8_vla
192.168.15.0/24 192.168.4.250 UGS vmx8_vla
192.168.18.0/24 192.168.4.250 UGS vmx8_vla
192.168.24.0/24 192.168.4.250 UGS vmx8_vla
192.168.30.0/24 192.168.4.250 UGS vmx8_vla
192.168.31.0/24 192.168.4.250 UGS vmx8_vla
192.168.32.0/24 192.168.4.250 UGS vmx8_vla
192.168.33.0/24 192.168.4.250 UGS vmx8_vla
192.168.42.0/24 192.168.4.250 UGS vmx8_vla
192.168.43.0/24 192.168.4.250 UGS vmx8_vla
192.168.44.0/24 192.168.4.250 UGS vmx8_vla
root@OPNsense:~ # traceroute 172.21.10.1
traceroute to 172.21.10.1 (172.21.10.1), 64 hops max, 40 byte packets
1 172.18.4.21 (172.18.4.21) 0.319 ms 0.234 ms 0.202 ms
2 *^C
#8
19.7 Legacy Series / Re: Static routing issues
August 07, 2019, 05:03:06 PM
No, not on WAN interface, but if I change to autodetect, it's even worse
#9
19.7 Legacy Series / Re: Static routing issues
August 07, 2019, 11:33:01 AM
Hello,
Auto-detect is already set.
Regards,
Mathieu
Auto-detect is already set.
Regards,
Mathieu
#10
19.7 Legacy Series / Static routing issues
August 07, 2019, 08:54:06 AM
Hello,
I've got a strange static routing behavior with 19.7.2 firmware.
Here is my routing table:
root@OPNsense:~ # netstat -r4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default A.B.C.D UGS vmx3
100.64.0.0/24 172.18.4.21 UGS vmx1
172.21.0.0/16 172.18.4.20 UGS vmx1
I'm able to contact 100.64.0.0/24 but not able to contact 172.21.0.0/16, there is the traceroute:
root@OPNsense:~ # traceroute 172.21.169.103
traceroute to 172.21.169.103 (172.21.169.103), 64 hops max, 40 byte packets
1 172.18.4.21 (172.18.4.21) 0.523 ms 0.262 ms 0.200 ms
Wrong next hop is choosen. If I change Gateway priority of the two gateway (172.18.4.21 / 172.18.4.20), the behavior is reversed (172.21.0.0/16 is reachable but not 100.64.0.0/24)
On 17.1 problem is not present.
Regards,
Math
I've got a strange static routing behavior with 19.7.2 firmware.
Here is my routing table:
root@OPNsense:~ # netstat -r4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default A.B.C.D UGS vmx3
100.64.0.0/24 172.18.4.21 UGS vmx1
172.21.0.0/16 172.18.4.20 UGS vmx1
I'm able to contact 100.64.0.0/24 but not able to contact 172.21.0.0/16, there is the traceroute:
root@OPNsense:~ # traceroute 172.21.169.103
traceroute to 172.21.169.103 (172.21.169.103), 64 hops max, 40 byte packets
1 172.18.4.21 (172.18.4.21) 0.523 ms 0.262 ms 0.200 ms
Wrong next hop is choosen. If I change Gateway priority of the two gateway (172.18.4.21 / 172.18.4.20), the behavior is reversed (172.21.0.0/16 is reachable but not 100.64.0.0/24)
On 17.1 problem is not present.
Regards,
Math
#11
General Discussion / SUBNET NAT
March 06, 2019, 04:15:18 PM
Hello,
I've got the following network (simplified, i've got many more networks of right side)
172.18.3.0/24<----->.150 vmx0[OPNSENSE BOX]vmx8_vlan2595 .150<---->192.168.151.0/24
I'm trying to nat the whole 192.168.151.0/24 to another subnet (10.155.0.0/24) because i'm not able to readdress this network.
I need to setup
- a source nat to replace source IP vmx8_vlan2595 ip
- a destination nat to translate 10.155.0.0/24 destination ip to real 192.168.151.0/24 ip.
rules extract from pfctl
nat on vmx8_vlan2595 inet from any to 10.155.0.0/24 -> 192.168.151.150 port 1024:65535
rdr pass log on vmx0 inet from any to 10.155.0.0/24 -> 192.168.151.0/24
For now it's not working. Same configuration is working on Sophos firewall
Iptables extract from sophos
Chain fw6_nat_out (1 references)
pkts bytes target prot opt in out source destination optimization
0 0 RANGENAT all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match hostset --dstid 405 RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254
Chain fw6_nat_pre (1 references)
pkts bytes target prot opt in out source destination optimization
0 0 RANGENAT all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match ENTITY MATCH --fwruleid 6 hostset --dstid 405 RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254
Regards,
Mathieu
I've got the following network (simplified, i've got many more networks of right side)
172.18.3.0/24<----->.150 vmx0[OPNSENSE BOX]vmx8_vlan2595 .150<---->192.168.151.0/24
I'm trying to nat the whole 192.168.151.0/24 to another subnet (10.155.0.0/24) because i'm not able to readdress this network.
I need to setup
- a source nat to replace source IP vmx8_vlan2595 ip
- a destination nat to translate 10.155.0.0/24 destination ip to real 192.168.151.0/24 ip.
rules extract from pfctl
nat on vmx8_vlan2595 inet from any to 10.155.0.0/24 -> 192.168.151.150 port 1024:65535
rdr pass log on vmx0 inet from any to 10.155.0.0/24 -> 192.168.151.0/24
For now it's not working. Same configuration is working on Sophos firewall
Iptables extract from sophos
Chain fw6_nat_out (1 references)
pkts bytes target prot opt in out source destination optimization
0 0 RANGENAT all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match hostset --dstid 405 RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254
Chain fw6_nat_pre (1 references)
pkts bytes target prot opt in out source destination optimization
0 0 RANGENAT all -- * * 0.0.0.0/0 0.0.0.0/0 skip_ip_match ENTITY MATCH --fwruleid 6 hostset --dstid 405 RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254
Regards,
Mathieu
#12
19.1 Legacy Series / CARP & FRROUTING
February 13, 2019, 09:04:01 AM
Hello,
Is there any way to bind frrouting service to carp status to avoid manual start on backup when failover occur ?
I want to have:
CARP status is master --> frrouting service start
CARP status is backup --> frrouting service stop
On pfsense we can use /etc/rc.carpbackup / carpmaster to handle this setup but this files not exist on opnsense.
Regards,
Math
Is there any way to bind frrouting service to carp status to avoid manual start on backup when failover occur ?
I want to have:
CARP status is master --> frrouting service start
CARP status is backup --> frrouting service stop
On pfsense we can use /etc/rc.carpbackup / carpmaster to handle this setup but this files not exist on opnsense.
Regards,
Math
Pages1
