Messages

1

General Discussion / Re: OpenVPN traffic not routed over IPsec site2site tunnel

« on: May 24, 2024, 02:59:54 pm »

Thank you very much. That worked!

I still used the legacy GUI for the IPsec tunnel (shame on me), but I reconfigured it in the new interface with your settings and now it works.

Thank you!

2

General Discussion / Re: OpenVPN traffic not routed over IPsec site2site tunnel

« on: May 24, 2024, 01:28:40 pm »

Thank you very much for your input!

I have set up a test connection (location B to location C) with an IPsec site2site tunnel to see what is going on the other side (C). The SPD entry worked and the traffic was routed through the tunnel, although the traffic never reached the LAN interface on location C. So pinging the firewall C didn't work, although the firewall rules would allow it.

When I add a normal Phase 2 entry for the OpenVPN net it works though. Am I missing something with SPD entry?

3

General Discussion / Re: OpenVPN traffic not routed over IPsec site2site tunnel

« on: May 24, 2024, 11:42:14 am »

Thank you for your reply!

It isn't at the moment. My idea was to use outbound NAT for the OpenVPN net with the LAN IP to bypass this, because I have no access to the firewall on location A. Is this a bad idea or even possible?

4

General Discussion / [SOLVED] OpenVPN traffic not routed over IPsec site2site tunnel

« on: May 24, 2024, 11:07:39 am »

Hi all,

I have a problemwith a firewall setup and don't know exactly how to solve this.

There is a OPNsense firewall (B) doing client VPN via OpenVPN. The firewall (B) also has a IPsec site2site tunnel to a different location (A). The problem is, that the traffic coming from the OpenVPN net is not routed over the site2site tunnel if the target is in the remote location (A).

[Location A] <----- IPsec site2site -----> [Location B OPNsense] <----- OpenVPN clients

Location A:
- 192.168.50.0/24

Location B:
- 192.168.248.0/24

OpenVPN net:
- 10.200.13.0/24
- pushed routes 192.168.50.0/24,192.168.248.0/24

If I ping a host on location B from the OpenVPN client it works. If I ping a host on location A the packet is directly routed over the WAN interface of the OPNsense and never enters the IPsec tunnel.

Can someone help me identifying this problem?

5

Virtual private networks / Re: IPsec and max MSS questions

« on: January 10, 2024, 12:04:27 pm »

Thank you for the registry keys! We just started to investigate the problems, but this could be very helpful going forward.

6

Virtual private networks / Re: IPsec and max MSS questions

« on: January 09, 2024, 04:37:01 pm »

Thank you for your reply!

I forgot to mention that I used the standard Windows ping for my tests. So -f should be Don't fragment und -l should be size.

Is there any other method I can test if just setting the MSS on the IPsec interface is sufficient?

7

Virtual private networks / IPsec and max MSS questions

« on: January 09, 2024, 01:07:01 pm »

Hi all,

I have performance problems with RDP with some of our virtualized OPNsenses. These firewalls are hosted in a virtual environment and the clients are all connected via IPsec Site2Site tunnels.

[Client]----[Firewall]--------IPsec--------[OPNsense]----[RDP-Server]

The hoster suggested to set the MSS to 1300 for IPsec connections. Which I did in Firewall -> Settings -> Normalization -> Max mss 1300 for the IPsec interface. To test if this setting works, I tried to ping over the tunnel with a payload bigger than 1300 and the "Don't Fragment" flag.

Code: [Select]

ping -f -l 1472 4.3.2.1
I can ping with a size up to 1472 over the tunnel, which should not be possible right? Or do I have to set this on the LAN interface, too? I'm also puzzled how this is possible at all, if the hoster says that 1300 is their max.

8

23.7 Legacy Series / Re: Allow only Internet trafic

« on: November 08, 2023, 09:07:01 am »

We do it like this:

• Create an Alias that contains all private networks as defined in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
• Create a firewall rule that only allows traffic to that Alias and use the Source/Invert checkbox. This way you'll only allow traffic not directed to private networks
• Optional: Create firewall rules to allow traffic that is directed to the firewall (i.e. DNS) and place it before the RFC1918 rule. This way you can make exceptions for traffic that should reach some of your private network destinations

9

General Discussion / Re: Multiple WANs to one of two gateways

« on: October 16, 2023, 10:35:23 am »

No idea anybody?

10

General Discussion / Multiple WANs to one of two gateways

« on: October 12, 2023, 02:01:32 pm »

Hi all,

I have a problem understanding as how to set this scenario up properly and need some help.

We have an OPNsense Firewall in a hosted cloud environment. We ordered 8 IPv4 addresses for our WAN interfaces and the provider delivers these as individual interfaces. So every IP is bound to a specific interface. On top of that, these IPs are in two different subnets with individual gateways.

So it's something like this:

• WAN_1: 1.0.0.1/24
• WAN_2: 1.0.0.2/24
• WAN_3: 1.0.0.3/24
• WAN_4: 1.0.0.4/24
• WAN_5: 2.0.0.1/24
• WAN_6: 2.0.0.2/24
• WAN_7: 2.0.0.3/24
• WAN_7: 2.0.0.4/24

I have configured two gateways, 1.0.0.254 and 2.0.0.254, where the first is the active gateway.

So my question is: How can I select which WAN interface uses which gateway? In the interface settings I can choose the gateway for one interface, but for the rest I can just select "Auto-detect". If I try to create a gateway for each WAN interface, it tells me that a gateway with this IP already exists.

11

Virtual private networks / Re: Ferner Gateway - 0.0.0.0 - nicht mehrfach möglich / Remote gateway - 0.0.0.0 - n

« on: June 23, 2023, 05:25:05 pm »

Haben Sie auf das Problem je eine Antwort gefunden. Habe die gleiche Situation nach dem letzten Update

12

General Discussion / DSCP processing in OPNsense

« on: March 24, 2023, 09:04:34 am »

Hi all,

I have two questions regarding the processing of DSCP-tagged packets in OPNsense and I hope someone can give me a hint or two. My goal is to prioritize VoIP traffic in my network via DSCP with the EF-tag.

In my current setup the SIP-client on Windows workstations tags SIP and RTP packets with the value EF (confirmed with Wireshark). The packet passes the PBX (3CX) and reaches OPNsense, still with the EF value set. So I think everything is alright so far.

Now my two questions are ...

• Will OPNsense prioritize the EF tagged packets by default or do I have to add some configuration for this?
• For incoming VoIP packets from WAN exists a NAT rule pointing to the PBX. The according auto-generated firewall rule can not be edited to tag these packets with EF. Do I just delete these rules, recreate them manually and add the DSCP tagging or is there something else to do?

The documentation isn't very verbose about this and I would be glad if someone could give some insight.

13

General Discussion / OPNcentral viable for MSP?

« on: March 17, 2022, 03:42:14 pm »

I would like to know if someone has enough experience with OPNcentral to tell me if it is viable for a Managed Service Provider scenario.

We have a bunch of customers with OPNsense firewalls that we manage. Now that OPNcentral is out of beta, we are considering to manage the customer firewalls with it. It would be enough to just trigger updates and see the general status of the firewall and the most important services. Configuration would still be made on the firewall itself.

There are two things that come to my mind, that could make it difficult for us:

• We don't want to establish a "management vpn" to our customers if this is necessary.
• Some of the clients don't have static WAN IPs.

Are these two points necessary or are there some other restrictions that could make problems?

14

German - Deutsch / Re: Netzwerkkopplung

« on: June 18, 2021, 12:46:31 pm »

Als Schuss ins Blaue würde ich mir auf deinem WAN Interface ansehen ob die privaten Netze dort noch geblockt sind. Wenn du nur mit privaten Netzen arbeitest müssen die Haken da auf jeden Fall raus. Siehe Screenshot.

Unbound kann ich mir in der beschriebenen Konstellation erst mal nicht als Problem vorstellen. Hier geht es ja erst mal um reinen IP-Traffic ohne DNS.

15

German - Deutsch / Wie richte ich eine Virtual IP richtig ein?

« on: August 11, 2019, 10:27:36 am »

Hallo zusammen,

nachdem ich letzte Woche 400 km auf der Autobahn verbracht habe, nachdem ich eine Virtual IP erfolglos eingerichtet habe, frage ich vor meinem zweiten Versuch lieber einmal nach. 

Ich habe aktuell ein DMZ/LAN-Setup mit zwei Firewalls. Beheimatet ist momentan noch alles auf einem Proxmox.

Code: [Select]

WAN / Internet
            :
            :
            :
      .-----+-----.
      | OPNSense FW1
      '-----+-----'
            |
            +---------------+ Webserver 10.1.0.5/24
            |
        DMZ | 10.1.0.0/24
            |
      .-----+------.   
      | OPNSense FW2
      '-----+------' 
            |
        LAN | 10.0.0.0/24
         

Ich habe vom Provider ein /29-Netz von welchem ich bislang eine IP auf dem WAN-Interface von FW1 verwendet habe.

FW1

• WAN IP: 116.202.X.X/29
• DMZ IP: 10.1.0.1/24
• Portforward: WAN IP - Port 1194 auf FW2 1194 (OpenVPN)
  

FW 2

• DMZ IP: 10.1.0.2/24
• LAN IP: 10.0.0.1/24
• OpenVPN

Das ganze Setup klappt soweit auch sehr gut. Als ich letztens eine zweite IP auf dem WAN von FW1 binden wollte, ist allerdings alles in die Hose gegangen.

Das habe ich folgendermaßen gemacht:
Firewall -> Virtuelle IPs -> Einstellungen -> Hinzufügen

• Modus: IP Alias
• Schnittstelle: WAN
• Gateway: Gateway IP aus dem /29-Netz

Nach dem Anwenden der Änderungen war für mich dann nichts mehr erreichbar. Ich bin über OpenVPN (FW2) auf den Systemen, was dann nicht mehr funktioniert hat. Leider finde ich zu dieser Thematik keine genaue Anleitung und im Forum auch nur Fragen darüber und keine Antworten. Also falls mir jemand behilflich sein kann, wäre ich sehr dankbar dafür.

Das finale Ziel wäre es dann, einen Server in der DMZ mit der neuen externen IP über One-to-One NAT anzusprechen.

P.S.:
Was mich sehr überrascht hat, als ich im RZ ankam waren beide Firewalls nicht mehr über ihr LAN bzw. DMZ-Interface erreichbar. FW1 musste ich sogar komplett neu aufsetzen, weil das einspielen einer früheren Config auch nichts geholfen hat. Also muss ich hier irgendwo einen ganz massiven Fehler fabriziert haben.