Messages

Hi Harps,
I am a heavy BGP user regarding OPNSense; however, all my installs are OPNSense business.

I know there is diff between OPNSense Business and the CE. Are you running the CE version or the OBE?

In case you're running the OBE, I am more than happy to assist.

Kind regards
Nils

Late response, but did you get this working? I've the same lame issue, where I can see my client is getting a ipv6 address but outside the subnet of the interface providing dhcpv6.
Cheers
NIels

Hi all,

I seem to encounter the same issues. I've 3 setups running IDS/IPS.

First setup is a VM guest with 3 interfaces (vmx0,1,2)
IDS/IPS is configured no VLANs or laggs, so promiscuous mode is not selected.
This is working like a rocket, the only issue is that real-time traffic graphs (REPORTING/TRAFFIC) are not working once you enable IDS/IPs. I think there is already a case open for that as well.

The second setup is a DEC2670 (cluster). With vlanned interfaces.
IDS is configured VLANs so promiscuous mode is selected.
As soon as I enable IPS, no more traffic possible from inside. The only way to recover is to restore a backup.

The third setup is a DEC4610 (single). With lagg interfaces
IDS is configured vlans+laggs so promiscuous mode is selected.
As soon as I enable IPS, no more traffic possible from inside. The only way to recover is to restore a backup.

I think there is an issue with VLANs and lagg. The documentation is also not clear. Do I only need to select the physical interface, lagg interface of vlanned interface, or all of them to work?

I am pretty confident that it works perfectly with normal interfaces, but as soon as LAGG's or VLAN's appear it is kinda unpredictable...
Niels

mimugmail,

That's what I expected as well. Probably have to report a bug.
Whatever I put into the "set"  field, it doesn't end up in the vtysh "sh run" .

I see the route maps, but no configuration is added under the header.

Any place where I can find logging where it is logs the parsing of the supplied config?

Niels

Hi guys,

I need some help fine-tuning my FRR BGP Setup.

In particular, setting up "set" parameters on the Route Map.

I need to set a weight or local-preference on the route map via the "set" option as shown on the "Edit route Maps" screen.

However, I've tried adding the following combinations there, but it just doesn't show up in the actual config when issuing sh run from vtysh.

I tried:
local-preference 300
"local-preference 300"
set local-preference 300
"set local-preference 300"

I tried the same for weight, with the same results, they just don't show up in the actual config.

I can add them using "vtshy" and conf term. But I would rather have it done by the gui ;)

Any recommendations on the correct syntax for the "Set" field is more than welcome.

Cheers
Niels

Nils,

Sorry for the late response. Yes, we run on Deciso hardware. It has been quite problematic to get a stable cluster inside VMWARE ESX. Sometimes it works, sometimes it fails, depending on which physical host the machines are running.

Niels

Nils,

Were you able to resolve the issue? I am having exactly the same problem at this moment.
Disabling the peer resolves the issue, but that is not really a solution for the long term.

Niels

I found the root cause, had nothing to do with aliases.
Problem was with RADIUS not responding as expected.

2020-10-04T12:22:39   opnsense[32536]   Radius unexpected response:
2020-10-04T11:56:18   opnsense[42422]   Radius unexpected response:
2020-10-04T11:55:53   opnsense[13094]   Radius unexpected response:
2020-10-04T11:55:43   opnsense[78258]   Radius unexpected response:
2020-10-04T11:55:26   opnsense[55908]   Radius unexpected response:
2020-10-04T11:54:12   opnsense[30413]   Radius unexpected response:


Will have a look to see why this magicly starts happening ;)
Cheers and have a great sunday.
Niels

It seems I am having the same issues as @karam
https://forum.opnsense.org/index.php?topic=15922.0

We are preparing to migrate from our old PFSense to our new OPNSense on DEC2690 (https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-dual-a10-qc-ssd-rack-gen2.html)

I recreated almost all of the aliases. (now totaling 143) however, when I login via SSH or WEBGUI it takes forever to login.

I do have a lot of nested aliases. For instance, I created a "PROTO_WEB" as an alias and created two aliases "PORT_HTTP" and "PORT_HTTPS". I've added PORT_HTTP and HTTPS to PROTO_WEB.

Is this normal behavior? Is this tuneable? At the moment this is a big show stopper.

Kind regards
Niels

I can confirm this. Found out the hardway that password-less configurations cannot be restored!
I agree this needs to be addressed.
NIels

Hi Chandan,

I understand you need some help here. First, let us try to get rid of any no-brainers, you may have done so, but I just want to be sure.

1. Update your 946gmx bios
2. Reset the bios to factory defaults
3. enable USB booting

Now that we have covered that let's go to the USB booting part. (Assuming Windows)
1. Get a decent USB stick, not a 50 cents aliexpress one.
2. download your image from opnsense.org/download
- get amd64 / vga
3. You should end up with "OPNsense-20.7-OpenSSL-vga-amd64.img.bz2"
4. Use 7-zip to extract the img file from the bz2 file
5. Now you should have  a 1,8Gb img file
6. Start Win32Disk imager
7. Select "OPNsense-20.7-OpenSSL-vga-amd64.img" as the Image file
8. Select your favorite USB stick as "Device"
9. select Write
You are now on you way in frying a OPNSense bootable USB stick.

Once finished, remove it from your PC and insert it in the designated firewall.
You should now see OPNSense booting.
Log in using "installer" to get in installed to your Firewall.

Good luck

mimugmail,

Will schedule update during the next maintenance window.

Hope it will be solved.

Niels

Franco,

Thanks for that ;) my bad.

Niels

BGP Table is fucked up

* >   10.4.0.0/16   0.0.0.0   0      32768   i
1 0 .   60.0.0/17 0.0   .0.0   0   32   768 i   
1 0 .   60.4.128/25 0.0   .0.0   0   32   768 i   
* >   10.60.132.0/22   0.0.0.0   0      32768   i
* >   10.60.136.0/24   0.0.0.0   0      32768   i
* >   10.60.251.0/24   0.0.0.0   0      32768   i

As you can see it is "shifted" a bit. (second and third line)...

Seems to be a parsing error of the configuration. the other side is not receiving any route updates as well (logical in this situation..)

Please advise.
NIels

VIP's seem to have disappeared from GUI. Just updated a cluster and VIP's are not to be found in the GUI below "firewall". Direct link does work.. (https://x.y.z.t/firewall_virtual_ip.php#Firewall_VIP).