Messages

After investigation, PR_CONNECT_RESET_ERROR occurs on apply button of Aliases, Virtual IP, firewalls pages.

Problem seems to be bound to gateways. I've two wan interfaces so two gateways configure with monitoring enable, if a disable gateway monitoring no more "PR_CONNECT_RESET_ERROR"

Config to avoid error is as following:

Code Select Expand

  <gateways>
    <gateway_item>
      <interface>opt5</interface>
      <gateway>A.B.C.D</gateway>
      <name>WAN_GTW_V6</name>
      <priority>240</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval/>
      <descr>WAN outgoing via public vlan 6</descr>
      <monitor_disable>1</monitor_disable>
      <defaultgw>1</defaultgw>
    </gateway_item>
    <gateway_item>
      <interface>wan</interface>
      <gateway>E.F.G.H</gateway>
      <name>WAN_GTW_V7</name>
      <priority>250</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval/>
      <descr>WAN outgoing via public vlan 7</descr>
      <monitor_disable>1</monitor_disable>
      <force_down>1</force_down>
    </gateway_item>
  </gateways>

Regards,
Math

Hello,

After adding a rule or a virtual ip, after press "Apply", browser is loading during a few seconds and return me a PR_CONNECT_RESET_ERROR. I'm not sure when the issue happen first but I think it's when I editing a virtual IP.

If I have open a ssh session on the firewall to watch the logs i'm disconnected.

I'm not able to see anything in the logs, is there any way to have more verbose logs of the GUI ?

OPNsense 20.1.3-amd64

Regards,
Mathieu

I have to check, yes correct. I've edited my post.

With help of opnsense github support, i manage to resolve my issue:

After a tcpdump, i find my packet matching this rule:
@73 pass out log on vmx1 route-to (vmx1 172.18.4.21) inet from 172.18.4.25 to ! (vmx1:network:1) flags S/SA keep state allow-opts label "2ff18b6378c052f6d36a245571286063"

I find the rule in WEBUI and find the guilty config, i need to uncheck " Disable automatic rules which force local services to use the assigned interface gateway. " under Firewalls > Settings > Advanced.

Sorry for the inconvenience and thanks you very much for you help mimugmail.

Regards,
Math

Hello,

• I already have a WAN gatewau mark as upstream.
• Outbound NAT is Manual
• Outbound NA entry are corrects

Behaviour is still the same: Routing table is correct but wrong routing decision is taken when making a traceroute.

root@OPNsense:~ # netstat -r4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            A.B.C.D            UGS        vmx3
A.B.C.D/24          link#4             U          vmx3
OPNsense           link#4             UHS         lo0
10.2.0.0/24        link#16            U      vmx8_vla
OPNsense           link#16            UHS         lo0
100.64.0.0/24      172.18.4.21        UGS        vmx1
100.64.2.0/23      172.18.4.21        UGS        vmx1
100.64.4.0/23      172.18.4.21        UGS        vmx1
100.64.6.0/23      172.18.4.21        UGS        vmx1
100.65.0.32/29     link#7             U          vmx6
OPNsense           link#7             UHS         lo0
localhost          link#11            UH          lo0
172.18.4.16/28     link#2             U          vmx1
OPNsense           link#2             UHS         lo0
172.20.0.0/16      link#1             U          vmx0
OPNsense           link#1             UHS         lo0
172.21.0.0/16      172.18.4.20        UGS        vmx1
192.168.4.0/24     link#15            U      vmx8_vla
OPNsense           link#15            UHS         lo0
192.168.10.0/24    192.168.4.250      UGS    vmx8_vla
192.168.12.0/24    192.168.4.250      UGS    vmx8_vla
192.168.14.0/24    192.168.4.250      UGS    vmx8_vla
192.168.15.0/24    192.168.4.250      UGS    vmx8_vla
192.168.18.0/24    192.168.4.250      UGS    vmx8_vla
192.168.24.0/24    192.168.4.250      UGS    vmx8_vla
192.168.30.0/24    192.168.4.250      UGS    vmx8_vla
192.168.31.0/24    192.168.4.250      UGS    vmx8_vla
192.168.32.0/24    192.168.4.250      UGS    vmx8_vla
192.168.33.0/24    192.168.4.250      UGS    vmx8_vla
192.168.42.0/24    192.168.4.250      UGS    vmx8_vla
192.168.43.0/24    192.168.4.250      UGS    vmx8_vla
192.168.44.0/24    192.168.4.250      UGS    vmx8_vla
root@OPNsense:~ # traceroute 172.21.10.1
traceroute to 172.21.10.1 (172.21.10.1), 64 hops max, 40 byte packets
1  172.18.4.21 (172.18.4.21)  0.319 ms  0.234 ms  0.202 ms
2  *^C

No, not on WAN interface, but if I change to autodetect, it's even worse

Hello,

Auto-detect is already set.

Regards,
Mathieu

Hello,

I've got a strange static routing behavior with 19.7.2 firmware.

Here is my routing table:

root@OPNsense:~ # netstat -r4
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default                  A.B.C.D               UGS        vmx3
100.64.0.0/24      172.18.4.21        UGS        vmx1
172.21.0.0/16      172.18.4.20        UGS        vmx1


I'm able to contact 100.64.0.0/24 but not able to contact 172.21.0.0/16, there is the traceroute:
root@OPNsense:~ # traceroute 172.21.169.103
traceroute to 172.21.169.103 (172.21.169.103), 64 hops max, 40 byte packets
1  172.18.4.21 (172.18.4.21)  0.523 ms  0.262 ms  0.200 ms

Wrong next hop is choosen. If I change Gateway priority of the two gateway (172.18.4.21 / 172.18.4.20), the behavior is reversed (172.21.0.0/16 is reachable but not 100.64.0.0/24)

On 17.1 problem is not present.

Regards,
Math

Hello,

I've got the following network (simplified, i've got many more networks of right side)

172.18.3.0/24<----->.150 vmx0[OPNSENSE BOX]vmx8_vlan2595 .150<---->192.168.151.0/24

I'm trying to nat the whole 192.168.151.0/24 to another subnet (10.155.0.0/24) because i'm not able to readdress this network.

I need to setup
- a source nat to replace source IP vmx8_vlan2595 ip
- a destination nat to translate 10.155.0.0/24 destination ip to real 192.168.151.0/24 ip.

rules extract from pfctl
nat on vmx8_vlan2595 inet from any to 10.155.0.0/24 -> 192.168.151.150 port 1024:65535
rdr pass log on vmx0 inet from any to 10.155.0.0/24 -> 192.168.151.0/24

For now it's not working. Same configuration is working on Sophos firewall

Iptables extract from sophos
Chain fw6_nat_out (1 references)
pkts bytes target                prot opt in     out     source               destination          optimization
    0     0 RANGENAT              all  --  *      *       0.0.0.0/0            0.0.0.0/0           skip_ip_match       hostset --dstid 405  RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254

Chain fw6_nat_pre (1 references)
pkts bytes target                prot opt in     out     source               destination          optimization
    0     0 RANGENAT              all  --  *      *       0.0.0.0/0            0.0.0.0/0           skip_ip_match        ENTITY MATCH  --fwruleid 6 hostset --dstid 405  RANGENAT --from 10.155.0.1-10.155.0.254 --to 192.168.151.1-192.168.151.254


Regards,
Mathieu

Hello,

Is there any way to bind frrouting service to carp status to avoid manual start on backup when failover occur ?

I want to have:
CARP status is master --> frrouting service start
CARP status is backup --> frrouting service stop

On pfsense we can use /etc/rc.carpbackup / carpmaster to handle this setup but this files not exist on opnsense.

Regards,
Math