Messages - irgendwr

#1
How can I configure OPNsense to send outbound traffic from a LAN addr (10.10.10.4/32) over a specific interface (WAN2)?
This sounds like a simple problem but I can't seem to solve it nor find any advice.

My goal: Adding a second public IP and "assigning" it to a VM w/ 1:1 NAT.
The second IP uses the same gateway as the one from the WAN interface but it requires a different MAC-address. That's why I created a second interface (WAN2).

What I tried:
I added a One-to-One Rule (BINAT): Interface=WAN2, External IP=..., Internal IP=10.10.10.4;
switched Outbound to "Hybrid outbound NAT rule generation" and added the outbound rule:
Interface=WAN2, Source=10.10.10.4/32, NAT Address=WAN2 address.
(screenshots: https://i.imgur.com/EHvOC0h.png, https://i.imgur.com/DwpSmlA.png)

My issue:
This did not work as expected because incoming requests over WAN2 were answered over WAN with the wrong IP address, and outgoing requests from 10.10.10.4 would also go via WAN instead of WAN2.

I tried setting it to LAN which also didn't work and then I tried WAN and that at least changed something but not how I wanted it to: now it's sending out the traffic over the WAN interface but with the WAN2 IP which doesn't work due to MAC-address validation.
#2
Quote: Are the valid dates and the subjects different?
Both files produce the exact same output with the same date and subject.

Quote: What are the differences between the certificates?
I checked the diff and found something interesting:
OPNsense appends the CAs from "System: Trust: Authorities" to the end of the file...
The Let's Encrypt client plugin (os-acme-client) seems to have added three CAs for Let's Encrypt and one seems to be invalid  ??? . Besides that I only added one for self-signing the web interface and OpenVPN certs.

I removed the invalid looking LE CA and now it works! Thank you!  :)
Weird that this only caused issues for me after upgrading.
#3
Hi,

This is my first post and it might be a bit long, but I tried to include all of the details and things I tried.
I would be very glad if someone is able to help  :)


After upgrading OPNsense from 19.1.6 to >= 19.1.7 the upgrade process got stuck at fetching a file and would not finish and just fill the log with dots. When clicking the "Check for updates" button again it would tell me:
Quote: Could not authenticate the selected mirror.

I then decided to roll back to a snapshot before the upgrade and export my config. I reinstalled the current version (19.7) and restored my config. After restoring I got the same behavior as described before: clicking "Check for updates" would tell me:
Quote: Could not authenticate the selected mirror.

I then tried to update via the terminal and it showed the following:

Fetching change log information, please wait... Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
4033068160632:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://pkg.opnsense.org/FreeBSD:11:amd64/19.7/sets/changelog.txz.sig: Authentication error


This seemed to indicate that something is wrong with the SSL certificates, which a quick test confirmed:

root@OPNsense:~ # fetch https://example.com
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
3276227729016:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://example.com: Authentication error

root@OPNsense:~ # curl https://example.com
curl: (77) error setting certificate verify locations:
  CAfile: /usr/local/etc/ssl/cert.pem
  CApath: none


I tried looking for similar issues in the forum but only found two threads:
1) https://forum.opnsense.org/index.php?topic=12824.msg59372#msg59372
=> not helpful, different issue
2) https://forum.opnsense.org/index.php?topic=12550.0 (german)
=> same issue! But...

It mentions that the cause might be "cert.pem" being empty so I checked it:

root@OPNsense:~ # ls -lah /usr/local/etc/ssl/
total 852
drwxr-xr-x   2 root  wheel   512B Aug  2 03:14 .
drwxr-xr-x  32 root  wheel   4.0K Aug  2 01:49 ..
-rw-r--r--   1 root  wheel   798K Aug  2 04:18 cert.pem
lrwxr-xr-x   1 root  wheel    38B Jul 24 00:51 cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt
-rw-r--r--   1 root  wheel   9.3K Jul 24 09:52 opnsense.cnf
root@OPNsense:~ # ls -lah /usr/local/share/certs/
total 840
drwxr-xr-x   2 root  wheel   512B Aug  2 03:14 .
drwxr-xr-x  29 root  wheel   512B Aug  2 01:49 ..
-rw-r--r--   1 root  wheel   793K Jul 24 00:51 ca-root-nss.crt

Not sure if the files are alright, but at least they are not empty.
The Administrator @franco mentioned that 19.1.7 would fix that but for me anything >= 19.1.7 seems to break SSL instead of fixing anything  ???

Nevertheless I tried his suggestion: cp /usr/local/etc/ssl/cert.pem.sample /usr/local/etc/ssl/cert.pem
and... it actually WORKED! \o/
So why am I posting this then?

After "reloading all services" or rebooting the "cert.pem" file is 798K again, instead of the 793K from /usr/local/share/certs/ca-root-nss.crt and everything is broken again  :'(

I'm stuck and don't know what else to do anymore. How can I fix this?  :(
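A diagnostic for the symptom in this post and the cause found in post #2 (a malformed CA from "System: Trust: Authorities" appended to cert.pem on every reload): an added example, not OPNsense code or the poster's own. The PEM bundles below are constructed stand-ins for /usr/local/share/certs/ca-root-nss.crt and the regenerated cert.pem, and every helper name is an assumption.

```python
import base64
import binascii
import re

# Hypothetical helper (not OPNsense code): split a PEM bundle into (label, body) blocks.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def split_pem(bundle):
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(bundle)]

def der_total_length(data):
    """Length claimed by the outer DER SEQUENCE (what a certificate must be), or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first, nbytes = data[1], data[1] & 0x7F
    if first < 0x80:
        return 2 + first
    if nbytes == 0 or len(data) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")

def check_bundle(bundle):
    """Return (index, label, problem) for every block an OpenSSL PEM reader would reject."""
    blocks, problems = split_pem(bundle), []
    if bundle.count("-----BEGIN ") != len(blocks):
        problems.append((-1, "", "BEGIN line without a matching END line"))
    for i, (label, body) in enumerate(blocks):
        if label != "CERTIFICATE":
            problems.append((i, label, "not a CERTIFICATE block"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            problems.append((i, label, "bad base64: %s" % exc))
            continue
        if der_total_length(der) != len(der):
            problems.append((i, label, "DER length does not match decoded body"))
    return problems

def appended_blocks(base, bundle):
    """Indexes of blocks in `bundle` missing from `base`: what the reload appended."""
    seen = {"".join(b.split()) for _, b in split_pem(base)}
    return [i for i, (_, b) in enumerate(split_pem(bundle)) if "".join(b.split()) not in seen]

# Constructed stand-ins: a tiny well-formed DER SEQUENCE, a truncated one, and junk.
GOOD = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
TRUNCATED = "-----BEGIN CERTIFICATE-----\nMBAC\n-----END CERTIFICATE-----\n"
GARBAGE = "-----BEGIN CERTIFICATE-----\n!!not base64!!\n-----END CERTIFICATE-----\n"
CA_ROOT_NSS = GOOD                      # stands in for /usr/local/share/certs/ca-root-nss.crt
CERT_PEM = GOOD + TRUNCATED + GARBAGE   # stands in for cert.pem after "reload all services"
```

Run `check_bundle` on the contents of cert.pem to find the block that breaks verification, and `appended_blocks(ca_root_nss_text, cert_pem_text)` to see which blocks came from the trust store rather than the base bundle.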