Messages

OPNSense version 25.1.7_2-amd64

I created an IPSEC tunnel (legacy).

I didn't make the rules (I forgot about them) on the WAN (ESP / UDP port 500 / UDP port 4500).

The tunnel goes UP.
How is this possibile?

Reading the documentation, the rules need to be created: https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

Any suggestion will be appreciated.

In System: High Availability: Status
HaProxy Status show stopped

HaProxy is regularly running

I use the following parameters in legacy configuration. What is the equivalent in the new openVPN instances?

auth-gen-token 43200 3600
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

Any suggestion will pbe appreciated.

Does version 24.1 supports OpenVPN Data Channel Offload (DCO) ?

It seems that only OpenVPN 3 correctly implements split-dns.

Is there some plans to implement OpennVPN 3 in OPNSense?

If I use network alias 31.33.34.35/32 packet for host 31.33.34.35 are blocked.

If I use host alias 31.33.34.35 packet for host 31.33.34.35 pass.

It is correct?

Thank you

I'm using OPNsense 23.1.

Creating a new IPSEC tunnel default to Policy Based Routing ([Install Policy] is cheched by default].

So I don't find any route in the routing table.

It works, but what I can't understand is how local network reach remote network without routes.
Where I can monitor the routes from local to remote?

How can an IP packet that start from a local host reach the remote host if on the firewall there is no route?

It works, but I don't understand why  :)

Sorry for the confusion, any help will be appreciated.

Anyone has some news about setup OPNSense High Availability (CARP) setup and a PPPoE connection?

Any suggestion is welcome :-)

Found the solution: you need to add the rule under Public Server

Here same problem.
It seems that the plugin don't write conditions and rules inside haproxy cofiguration file (/usr/local/etc/haproxy.conf) :-(

Maybe a bug with the new opnsense 20 and plugin?

Any suggestion?

I need to block Teamviewer.
I read https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139

All teamviewer IP have PTR records that resolve to *.teamviewer.com.

I wish to create an alias that is tru for all IP with a PTR record that resolver to *.teamviewer.com

Can I do this?

Thank you very much

I setup the interface LAN for the network 192.168.250.0/24 and I give IP address 192.168.250.1 to the LAN interface.

Then I added a CARP IP address 10.10.0.1/24 to the LAN interface.

Does internal Alias "LAN Net" comprises both 192.168.250.0/24 and 10.10.0.0/24 subnets?

I configured the LAN interface with multiple CARP IP coming from different subnet (192.168.250.1/24 and 10.100.0.1/27).

Instead of adding two rules (one with source 192.168.250.0/24 and the other with source 10.100.0.0/27), adding only one rule with source "LAN net" works but I wish to know if there is an explanation of how "LAN net" is constructed.

Thank you

That's what I wanted to hear, thanks! :)

So this don't works for LAN interface.

The same configuration on WAN interface works. I image that the reason is that WAN interface has a gateway, right?

Thank you very much for the explanation, now I have a more clear idea of what means traffic noisy. :-)

I understand that If I use IP Alias for the 2nd IP I need to setup this IP Alias manually also on the failover router.
If I setup IP Alias on the same VHID Group of the CARP address my configuration is still in high availability?

Box1:
Carp IP=8.8.8.8 VHID Group=1
IP Alias=8.8.8.9 VHID Group=2

Box2:
Carp IP=8.8.8.8 VHID Group=1
IP Alias=8.8.8.9 VHID Group=2

If Box1 dies I can still reach both 8.8.8.8 and 8.8.8.9 just like using two CARP IP?

Thanks