Messages - adrianschneider

#1
Ok, I looked in the corresponding rules files (the problem applies also to other rules) and found "#@opnsense_download_hash:ec786a61cb5d93b6eb0907e29ca4c166" in the file.

So this seems to be the same problem as https://forum.opnsense.org/index.php?topic=12119.msg55567#msg55567 .

But I wonder -- in the open version there are DShield rules. So why should there be no rules in the Pro edition? And I see traffic that is NOT blocked, but listed on the DShield website.

ET Open rules:
http://rules.emergingthreats.net/blockrules/emerging-dshield.rules

The same problem applies (at least) to:
drop.rules
compromised.rules
botcc.rules
botcc.portgrouped.rules
ciarmy.rules
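A check for the situation described in this post, added here as an example and not taken from the thread or from OPNsense itself: it lists rule files that carry no active rule at all, only comment lines such as the download-hash marker quoted above. The rules directory and the sample files are constructed for the demo; point it at your own rules directory.

```shell
#!/bin/sh
# Added example: find Suricata rule files that contain only comments
# (e.g. just "#@opnsense_download_hash:...") and therefore load no rules.

# count_active_rules FILE -> number of lines that are neither blank nor comments
count_active_rules() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" 2>/dev/null || true
}

# download_hash FILE -> value of the download-hash marker, or "-" if absent
download_hash() {
    hash=$(sed -n 's/^#@opnsense_download_hash:\([0-9a-f]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${hash:--}"
}

# report_empty_rule_files DIR -> one line per *.rules file with zero active rules
report_empty_rule_files() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        n=$(count_active_rules "$f")
        if [ "$n" -eq 0 ]; then
            printf '%s active_rules=0 download_hash=%s\n' \
                "$(basename "$f")" "$(download_hash "$f")"
        fi
    done
}

# Demo on constructed sample files (the hash is the value quoted in the post;
# the rule line is a made-up placeholder, not a real ET signature).
demo() {
    dir=$(mktemp -d)
    printf '#@opnsense_download_hash:ec786a61cb5d93b6eb0907e29ca4c166\n' \
        > "$dir/emerging-dshield.rules"
    printf '# comment\nalert ip any any -> any any (msg:"constructed sample"; sid:1; rev:1;)\n' \
        > "$dir/emerging-drop.rules"
    report_empty_rule_files "$dir"   # prints only the dshield file
    rm -rf "$dir"
}

demo
```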

#2
Hi!

I activated the ET Pro Telemetry edition. Since then, the DShield Rules which I had in the ET Open version disappeared.
In the download section I have "ET telemetry/dshield" set to activated/drop. But when I search for "dshield" in the rules tab, there are no associated rules. How can I get them back?

Best wishes,
Adrian Schneider
#3
He just writes that these values shouldn't be the defaults. But can be changed when needed.

It solved my problem, so I'm fine with it.
#4
Hi,

I had the same problem and fixed it with the following tuneables:

net.inet.carp.preempt = 1
net.inet.carp.senderr_demotion_factor = 0
net.pfsync.carp_demotion_factor = 0

There is a pfsync thread to this topic.

Hope it works for you!
#6
19.7 Legacy Series / Re: OpenVPN RADIUS Accounting
September 02, 2019, 05:18:24 PM
How is auth for OpenVPN implemented?

I found this OpenVPN plugin:
https://github.com/brainly/openvpn-auth-radius

which would do both... But I guess it's not advised to install external stuff, right?

Could you advise me, how you would do it?
#7
19.7 Legacy Series / OpenVPN RADIUS Accounting
September 02, 2019, 03:52:06 PM
Hi,

does the OpenVPN server support accounting/can I make it do that?
I need regular updates (Acct-Interim-Interval) so I can manage my IP pool.

Best wishes
Adrian Schneider
#8
19.7 Legacy Series / Re: Multi-wan FailOver (FO) issue
August 29, 2019, 10:13:31 PM
Just patch it:

opnsense-patch 7bfadb2

as root.
#9
19.7 Legacy Series / Re: Multi-wan FailOver (FO) issue
August 29, 2019, 12:59:02 AM
For the traceroute point:
Could be related to a problem I had.
https://forum.opnsense.org/index.php?topic=13832.0
#10
19.7 Legacy Series / Re: Failover
August 28, 2019, 12:39:25 PM
For the incoming data: Set up port forwarding (NAT -> Port forward) and assign both interfaces for every rule. It's important that "Disable Reply-To" in the advanced settings is not checked.

This enables port forwarding, but does not do failover. I set up a dynamic IP from behind the firewall with ddclient so that a domain always points to the active WAN.
#11
Hi there!

I'm planning an OpenVPN Server (tun) with authentication/authorization from Radius. My approach is: Radius sets the Framed-IP-Address so that for example admins have an address in the range 10.0.0.0/24 and normal users 10.0.1.0/24. With the firewall I can then define access to the different resources.
My little test setup works perfectly, but now the crucial question:

Is there any chance that a user changes his IP address in tun mode?

Kind regards
Adrian Schneider
#12
No need to take care of all combinations, I think unit testing would be mostly sufficient. Is there a testing repo? I'm prepared to contribute.

It also sounds like a very interesting task to set up a full virtual lab ;)
#13
19.7 Legacy Series / Re: Force gateway broken?
August 17, 2019, 02:02:45 PM
I think I'll go with the patch.

But besides: Isn't there automatic testing for such stuff? I think this could have easily been prevented.

Nevertheless: Great work you're doing here! It's quite enjoyable to work with OPNSense!
#15
19.7 Legacy Series / Re: Force gateway broken?
August 17, 2019, 12:45:12 PM
I'm not sure this is related, @tong2x, this sounds different to me.

@mimugmail:

Tried it, does not change anything. BTW, I can use port forwarding on both WANs without 'disable force gateway' without any issue. Access from outside does work perfectly fine.
The only thing that does not work is to use a gateway other than the default gateway for traffic originating from the OPNSense machine itself. (It works perfectly fine for traffic from the LAN(s)).

Even when I use ping -S on the secondary interface: The packet leaves OPNSense on the interface with the default gateway and does not find its way to the secondary gateway.