Messages

1

20.1 Legacy Series / Allow website and content

« on: September 12, 2020, 03:43:27 am »

Hello, it's me again.

This time I'm trying to block internet access from one machine except for one site.

Created an alias with all the host IPs of the machines I want to block, and it works. But now I need to allow them to access a website. This website has a lot of other files linked from several domains (javascripts, fonts, etc) and I need them to load without restriction.

Already created another alias with all the domains I know the website links to. But it doesn't work normally, there's something I'm missing, maybe a linked file is linked somwhere else but I can't see it in the browsers developer tools.

Is there any way I can create a rule/alias that allows something like "ALLOW all from domain.tld and his links"?

Thanks in advance.

2

20.1 Legacy Series / Weird blocking rule

« on: June 07, 2020, 10:05:07 pm »

A couple days ago I was searching through firewall logs and found some weird behaviour.

The thing is:

I have my LAN Network: 172.17.10.0/23
And my OVPN Network: 10.8.1.0/24 and the OVPN server is 172.17.10.2.
I can see the remote VPN Machines, and they can see my LAN.

The problem is that connection drops randomly, I can connect via SSH to the remote OVPN client router, but connection dies a couple seconds after. The same happens when I connect to remote cameras. I can see the video stream but the video stops after a couple seconds.

Looking at the FW logs, I found something that seems very strange to me.

Code: [Select]

   ALLOW      LAN      <-      Jun 7 15:49:41   172.17.10.12:50316   10.8.1.4:2000   tcp   FLOAT LAN TO OVPN   
   DENY      LAN      ->      Jun 7 15:49:41   172.17.10.12:50316   10.8.1.4:2000   tcp   FLOAT LAN TO OVPN   
   DENY      LAN      ->      Jun 7 15:49:36   172.17.10.12:50233   10.8.1.4:2000   tcp   Default deny rule   
   DENY      LAN      ->      Jun 7 15:49:33   172.17.10.12:50233   10.8.1.4:2000   tcp   Default deny rule

Some packets are allowed to reach destination, but the next ones are not. Same ports, same source and destination.
It happens every time I start a connection.

Can you please tell me where to start?

Thanks in advance.

3

20.1 Legacy Series / ZeroTier in MultiWAN environment.

« on: April 12, 2020, 04:17:27 am »

Hi guys, I've been using ZeroTier on my OPNSense box, and it works without any hassle.

The thing is, I have 3 WAN interfaces, the main interface is connected to a 500Mb/s link. The second an third are 10Mb/s. When I installed the plugin it got connected through the third one, so the speed is not the fastest.

I've been searching how to force ZeroTier use the first link, but I can't find anything.

Is it possible? How?

Besides, how can I make it switch automatically to the second or third link in case of any of these failing.

Thanks in advance!


Wash your hands and stay at home! 

4

19.1 Legacy Series / Re: 2 NIC with same GW

« on: September 07, 2019, 10:59:22 pm »

You can add the 2nd IP as an Alias IP to WAN2.
Then you can use outbound NAT to send the packets out the right IP.

Interesting! I'll try this!
Thank you!

This cant work as gateways are bound to interfaces.

Yeah, I was thinking the same, thank you!

I was in a hurry to make it work so finally I "cheated"... The solution I implemented was to use a router before the NIC.

Code: [Select]

ISP2 -> WAN2
ISP2 -> ROUTER -> WAN3
So, I assigned the needed IP to the router an then connected it to the WAN port in the firewall.

May not seem pretty, but it works.

Tanks to everyone!

5

19.1 Legacy Series / Re: 2 NIC with same GW

« on: September 06, 2019, 05:31:55 am »

L

when you say it is for remote access... is it really a WAN?

Yes, it is a WAN.

LAN
WAN1 - INTERNET PROVIDER 1 - AAA.BBB.CCC.DDD
WAN2 - INTERNET PROVIDER 2 - XXX.YYY.ZZZ.123
WAN3 - INTERNET PROVIDER 2 - XXX.YYY.ZZZ.124

Thanks in advance.

6

19.1 Legacy Series / 2 NIC with same GW

« on: September 05, 2019, 08:36:41 pm »

Hi there. I need some help from you, guys.

Currently I have a server with 4 NICs.

• LAN
• WAN DHCP
• WAN STATIC IP: AAA.BBB.CCC.DDD
• WAN STATIC IP: AAA.BBB.CCC.EEE

I need to assign the same GW to NIC 3 and 4. The IPs are different only on the last octet. The IP assigned to the 4th interface is enabled to access a remote server, but the 3rd is the interface of the incoming connections, none of these can be changed.

How can I achieve this?

Thanks in advance!

7

19.1 Legacy Series / Re: Can't connect to PPTP Server

« on: March 15, 2019, 09:12:13 pm »

Well, I've been tweaking some settings and testing some configs, and...

Got this log on the pptp server hosted on the same OPNSense.

Mar 15 17:07:28    pptps: [L-1] Link: Shutdown
Mar 15 17:07:28    pptps: [L-1] Link: SHUTDOWN event
Mar 15 17:07:28    pptps: [L-1] LCP: state change Closed --> Initial
Mar 15 17:07:28    pptps: [L-1] LCP: Down event
Mar 15 17:07:28    pptps: [L-1] LCP: state change Stopped --> Closed
Mar 15 17:07:28    pptps: [L-1] LCP: Close event
Mar 15 17:07:28    pptps: [L-1] Link: DOWN event
Mar 15 17:07:28    pptps: [L-1] PPTP call terminated
Mar 15 17:07:28    pptps: [L-1] LCP: LayerFinish
Mar 15 17:07:28    pptps: [L-1] LCP: state change Ack-Sent --> Stopped
Mar 15 17:07:28    pptps: [L-1] LCP: parameter negotiation failed
Mar 15 17:07:28    pptps: [L-1] LCP: not converging
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Reject #10 (Ack-Sent)
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] MAGICNUM 0x6cdae81a
Mar 15 17:07:28    pptps: [L-1] MRU 1500
Mar 15 17:07:28    pptps: [L-1] LCP: SendConfigReq #10
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Reject #9 (Ack-Sent)
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] MAGICNUM 0x6cdae81a
Mar 15 17:07:28    pptps: [L-1] MRU 1500
Mar 15 17:07:28    pptps: [L-1] LCP: SendConfigReq #9
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Reject #8 (Ack-Sent)
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] MAGICNUM 0x6cdae81a
Mar 15 17:07:28    pptps: [L-1] MRU 1500
Mar 15 17:07:28    pptps: [L-1] LCP: SendConfigReq #8
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MD5
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Nak #7 (Ack-Sent)
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] MAGICNUM 0x6cdae81a
Mar 15 17:07:28    pptps: [L-1] MRU 1500
Mar 15 17:07:28    pptps: [L-1] LCP: SendConfigReq #7
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MD5
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Nak #6 (Ack-Sent)
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] MAGICNUM 0x6cdae81a
Mar 15 17:07:28    pptps: [L-1] MRU 1500
Mar 15 17:07:28    pptps: [L-1] LCP: SendConfigReq #6
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MD5
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Nak #5 (Ack-Sent)
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MSOFTv2
Mar 15 17:07:28    pptps: [L-1] MAGICNUM 0x6cdae81a
Mar 15 17:07:28    pptps: [L-1] MRU 1500
Mar 15 17:07:28    pptps: [L-1] LCP: SendConfigReq #5
Mar 15 17:07:28    pptps: [L-1] AUTHPROTO CHAP MD5
Mar 15 17:07:28    pptps: [L-1] LCP: rec'd Configure Nak #4 (Ack-Sent)

Still trying to connect, though.

8

18.7 Legacy Series / Re: PPTP Setup (Need Help)

« on: March 14, 2019, 11:11:20 pm »

Hi everybody. I'm here trying to make it work too.

I tried just as @hutiucip said and I can't get it to work.

I tried before with a local pptp server. Port Forwarding works, the local server sees the incoming connection, but i can't figure out why it doesn't allow me to connect.

If i try to connect from inside the LAN it works flawlessly, but when I go outside and try to connect from my mobile phone through 3g, the server shows as if I was connected, it even shows my 3g IP address, but shortly after, the connection is lost.

Here you can see more details.

https://forum.opnsense.org/index.php?topic=12061.0

9

19.1 Legacy Series / Can't connect to PPTP Server

« on: March 14, 2019, 10:23:23 pm »

Hi guys, I'm here to ask for your help.

I need to connect two machines,

Machine_1 -> 3G broadband router -> Internet -> OPNSense -> Local PPTP Server (Machine_2)

So, I mounted a PPTP Server on my local Ubuntu Server.

My current network is as follows:

LAN: 172.17.10.1/23

172.17.10.1: OPNsense 19.1.4-amd64 / FreeBSD 11.2-RELEASE-p9-HBSD / OpenSSL 1.0.2r 26 Feb 2019
172.17.10.2: Ubuntu Server 16.04 / pptpd server v1.4.0

The rest of the network has some computers, servers and clients.

What I can't achieve, yet, is to connect a pptp client from outside the LAN. Inside the LAN it works flawlessly, I can connect from my mobile phone, and my laptop with Win7x64. So, I assume that the pptp server is correctly configured.

But when I try to connect from outside the LAN, the local pptp server detects the connection, and shortly after it throws an Error 619. I can see the incoming connection from the Webmin Panel. It even shows my 3g IP address. So, it does see me, but the connection can't be fully established.

My current settings are as follows. And I would love you to tell me if I'm making a mistake.

This is my NAT: Port Forwarding config

WAN     TCP/UDP     *   *   This Firewall   1723 (PPTP)     172.17.10.2     1723 (PPTP)
WAN     GRE         *   *   This Firewall   *               172.17.10.2     *

These are my WAN Rules

IPv4 TCP/UDP    *   *   172.17.10.2     1723 (PPTP)     *       NAT
IPv4 GRE        *   *   172.17.10.2     *               *       NAT

And these, my LAN Rules

IPv4 TCP/UDP    *   *   *   1723 (PPTP)     *           
IPv4 GRE        *   *   *   *               *         

Any help would be really appreciated, thanks in advance.