1
German - Deutsch / Re: Static routes seems to not forward traffic on GRE tunnel after reboot
« on: December 30, 2020, 05:00:20 pm »
I know, i was just wondering if you guys can help.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
German - Deutsch / Static routes seems to not forward traffic on GRE tunnel after reboot
« on: December 30, 2020, 04:29:56 pm »
Hi everyone,
i'm having a nasty issue here.
I have 2 sites with 2 opnsese fw as gateways.
Now the current conf may be heard as a useless mess, but trust me: there's a reason.
Let's say i have a site A with two lans, one wan, one gre
- igb0 172.115.28.90 (MPLS IP assigned by ISP)
- igb1 192.168.1.0/24
- igb2 172.16.10.0/24
- gre0 10.10.10.1/30 (Leaning on WAN igb0 GW 10.10.10.2)
Let's say i have a site B with one lan and one wan
- igb0 172.115.28.100 (MPLS IP assigned by ISP)
- igb1 172.16.10.0/24
- gre0 10.10.10.2/30 (Leaning on WAN igb0 GW 10.10.10.1)
Now, all stuff works fine without the GRE tunnel, i'm not natting anything cause MPLS net has the needed routes on it in order to route traffic trought my sites. Actually, all is working fine even with the GRE tunnel up and routes that makes traffic flows in it from one fw to the other.
Site A routes when GRE is up:
192.168.0.0/24 via 10.10.10.2
Site B routes when GRE is up:
192.168.1.0/24 via 10.10.10.1
172.16.10.0/24 via 10.10.10.1
Problem is: every morning i found traffic flowing trough MPLS and not in GRE tunnel, notice that GRE tunnel is up and reachable both directions. I'm actually just solving the problem disabling and enabling back the 3 routes writed above: after that i can see all the traffic flow over GRE tunnel as expected. i'm solving the issue, true, but i can't do it every day, and i want to understand where the problem is, or what i'm missing.
Notice that i have a scheduled Cron task that make firewalls to reboot every night, both at 20.00pm
Did you guys ever faced this issue? I'm actually stuck in here, cause i'm not getting where the logical issue can be located.
Thanks in advance for your help.
See ja.
Hele.
i'm having a nasty issue here.
I have 2 sites with 2 opnsese fw as gateways.
Now the current conf may be heard as a useless mess, but trust me: there's a reason.
Let's say i have a site A with two lans, one wan, one gre
- igb0 172.115.28.90 (MPLS IP assigned by ISP)
- igb1 192.168.1.0/24
- igb2 172.16.10.0/24
- gre0 10.10.10.1/30 (Leaning on WAN igb0 GW 10.10.10.2)
Let's say i have a site B with one lan and one wan
- igb0 172.115.28.100 (MPLS IP assigned by ISP)
- igb1 172.16.10.0/24
- gre0 10.10.10.2/30 (Leaning on WAN igb0 GW 10.10.10.1)
Now, all stuff works fine without the GRE tunnel, i'm not natting anything cause MPLS net has the needed routes on it in order to route traffic trought my sites. Actually, all is working fine even with the GRE tunnel up and routes that makes traffic flows in it from one fw to the other.
Site A routes when GRE is up:
192.168.0.0/24 via 10.10.10.2
Site B routes when GRE is up:
192.168.1.0/24 via 10.10.10.1
172.16.10.0/24 via 10.10.10.1
Problem is: every morning i found traffic flowing trough MPLS and not in GRE tunnel, notice that GRE tunnel is up and reachable both directions. I'm actually just solving the problem disabling and enabling back the 3 routes writed above: after that i can see all the traffic flow over GRE tunnel as expected. i'm solving the issue, true, but i can't do it every day, and i want to understand where the problem is, or what i'm missing.
Notice that i have a scheduled Cron task that make firewalls to reboot every night, both at 20.00pm
Did you guys ever faced this issue? I'm actually stuck in here, cause i'm not getting where the logical issue can be located.
Thanks in advance for your help.
See ja.
Hele.
3
Italian - Italiano / Re: Differenza tra LAN Net e Address
« on: December 30, 2020, 03:52:25 pm »
Lan net indica la network mentre Lan Address l'interfaccia sul fw.
Ipotizzando di avere una lan con classe 192.168.0.0/24 il firewall è comunque un host sulla rete e ha un ip, per esempio 192.168.0.1
Ora la prima regola accetta tutto il traffico sull'int Lan in ingresso da ogni sorgente per qualsiasi protocollo che punti all'ip Lan del fw, la seconda accetta tutto il traffico sull'int Lan che abbia come destinazione il Gw in questione.
se non avessi la prima regola, non potresti accedere al firewall dal suo ip lan (forse qui ti slava l'anti lockout in floating), non risponderebbe a icmp, ecc ecc.
Sono 2 regole con 2 aim diverse.
Ipotizzando di avere una lan con classe 192.168.0.0/24 il firewall è comunque un host sulla rete e ha un ip, per esempio 192.168.0.1
Ora la prima regola accetta tutto il traffico sull'int Lan in ingresso da ogni sorgente per qualsiasi protocollo che punti all'ip Lan del fw, la seconda accetta tutto il traffico sull'int Lan che abbia come destinazione il Gw in questione.
se non avessi la prima regola, non potresti accedere al firewall dal suo ip lan (forse qui ti slava l'anti lockout in floating), non risponderebbe a icmp, ecc ecc.
Sono 2 regole con 2 aim diverse.
4
Italian - Italiano / Re: Unable to fetch Firewall Rules via firewall-plugin API
« on: December 30, 2020, 03:45:48 pm »
Il plugin crea una nuova sezione sotto Firewall > Automation
Le regole di riferimento vanno inserite lì.
Le regole di riferimento vanno inserite lì.
5
Italian - Italiano / Unable to fetch Firewall Rules via firewall-plugin API
« on: July 03, 2020, 03:11:51 pm »
Ho posto la seguente domanda anche su github, la copio qui sotto, è in inglese, se crea problemi traduco.
--------------
I'm having some troubles trying to fetch fw rules. I read the dock and looked at the examples at the page https://docs.opnsense.org/development/api/plugins/firewall.html but i still have problems. I'm trying to use the searchRule API via python, and i can't get anything back with a simple call without any attributes, here's my code
import json, requests
KEY = "my_key"
SECRET = "my_secret"
url = "https://192.168.2.1/api/firewall/filter/searchRule"
r = requests.get(url, verify=False, auth=(KEY, SECRET))
print(r.text)
result is always
{"rows":[],"rowCount":0,"total":0,"current":1}
Well, i've tryed to add some attributes to the call, but nothing changes, notice that i setted "icmp_dummies_rule" as the rule description cause i thought taht searchPhrase matches that field (also there's no unique name filed available, as far as i can see) I tryed:
url = 'https://192.168.2.1/api/firewall/filter/searchRule?searchPhrase="icmp_dummies_rule"'
url = 'https://192.168.2.1/api/firewall/filter/searchRule?searchPhrase=icmp_dummies_rule'
url = 'https://192.168.2.1/api/firewall/filter/searchRule?current=1&searchPhrase="icmp_dummies_rule"'
url = 'https://192.168.2.1/api/firewall/filter/searchRule?current=1&searchPhrase=icmp_dummies_rule'
Also i can't pass any UUID cause i don't know the rule UUID (but i prefere to retrive all the rules for flexibility reason and cleaner code).
Any idea here?
Thanks.
--------------
--------------
I'm having some troubles trying to fetch fw rules. I read the dock and looked at the examples at the page https://docs.opnsense.org/development/api/plugins/firewall.html but i still have problems. I'm trying to use the searchRule API via python, and i can't get anything back with a simple call without any attributes, here's my code
import json, requests
KEY = "my_key"
SECRET = "my_secret"
url = "https://192.168.2.1/api/firewall/filter/searchRule"
r = requests.get(url, verify=False, auth=(KEY, SECRET))
print(r.text)
result is always
{"rows":[],"rowCount":0,"total":0,"current":1}
Well, i've tryed to add some attributes to the call, but nothing changes, notice that i setted "icmp_dummies_rule" as the rule description cause i thought taht searchPhrase matches that field (also there's no unique name filed available, as far as i can see) I tryed:
url = 'https://192.168.2.1/api/firewall/filter/searchRule?searchPhrase="icmp_dummies_rule"'
url = 'https://192.168.2.1/api/firewall/filter/searchRule?searchPhrase=icmp_dummies_rule'
url = 'https://192.168.2.1/api/firewall/filter/searchRule?current=1&searchPhrase="icmp_dummies_rule"'
url = 'https://192.168.2.1/api/firewall/filter/searchRule?current=1&searchPhrase=icmp_dummies_rule'
Also i can't pass any UUID cause i don't know the rule UUID (but i prefere to retrive all the rules for flexibility reason and cleaner code).
Any idea here?
Thanks.
--------------
6
Italian - Italiano / OPNSense auto NAT
« on: May 20, 2019, 12:09:50 pm »
Salve,
Prima volta che uso il forum quindi spero di non fare errori e non essere off-topic.
Ho configurato un sistema opnsense, quello che non mi è chiaro è perchè mi faccia NAT automatico da un interfaccia ad un'altra.
Le Int in questione sono:
[LAN] 192.168.100.0/23 (ip 192.168.101.1/23)
[ZRT] 19.168.103.0/24 (ip 192.168.103.176/24)
Ora l'int ZRT è una int logica creata da una VPN zerotier, il punto è che senza rotte statiche specificate pingando da un PC (es 192.168.103.238) della VPN un pc su rete lan (es 192.168.100.50/23 senza gw settato) icmp risponde.
Se faccio un dump vedo infatti che il ping mi arriva sulla macchina mascherato da Gw lan, infatti vedo un pacchetto ICMP src:192.168.101.1/23 dst:192.168.100.50/23
Io non ho specificato da nessuna parte di nattare in questo caso, tantomeno ci sono rotte statiche sull'apparato.
Gentilmente, sapete dirmi se la funzione è disabilitabile e perchè di default è così?
Grazie,
Hele.
Prima volta che uso il forum quindi spero di non fare errori e non essere off-topic.
Ho configurato un sistema opnsense, quello che non mi è chiaro è perchè mi faccia NAT automatico da un interfaccia ad un'altra.
Le Int in questione sono:
[LAN] 192.168.100.0/23 (ip 192.168.101.1/23)
[ZRT] 19.168.103.0/24 (ip 192.168.103.176/24)
Ora l'int ZRT è una int logica creata da una VPN zerotier, il punto è che senza rotte statiche specificate pingando da un PC (es 192.168.103.238) della VPN un pc su rete lan (es 192.168.100.50/23 senza gw settato) icmp risponde.
Se faccio un dump vedo infatti che il ping mi arriva sulla macchina mascherato da Gw lan, infatti vedo un pacchetto ICMP src:192.168.101.1/23 dst:192.168.100.50/23
Io non ho specificato da nessuna parte di nattare in questo caso, tantomeno ci sono rotte statiche sull'apparato.
Gentilmente, sapete dirmi se la funzione è disabilitabile e perchè di default è così?
Grazie,
Hele.
Pages: [1]