Messages

1

20.1 Legacy Series / Re: CGNAT, 100.64/10 separate from "Block private networks" option

« on: March 22, 2020, 03:43:56 pm »

Johnsmi, thank you for your confirmatory response.

I created blocking rules for "real" private networks, so this is solved.

But I left "Block bogon networks" option turned on.

"bogus" option has any side effect which will drop traffic from 100.64/10 range?

2

20.1 Legacy Series / Re: CGNAT, 100.64/10 separate from "Block private networks" option

« on: March 22, 2020, 02:59:38 pm »

First of all, 100.64.0.0/10 is definitly not private. Maybe you have an C&P issue. I guess you ment 10.64.0.0/10.

Check the attached pictures I'am talking about them.

If you state that 100.64/10 is not "private" (which is basicly other type of "private" a.k.a. CGNAT) why is listed in under "Block private networks" list?

3

20.1 Legacy Series / CGNAT, 100.64/10 separate from "Block private networks" option

« on: March 22, 2020, 02:18:25 pm »

Hy all!

As the COVID-19 spread across our country our students ordered to stay home and continue through online learning.

We have a server within school network which stores large media files (learning materials), I published it as FTP server, (not so) few user had trouble to reach this server then I realized our ISP using heavily CGNAT and these users are from same ISP.

So if the user (who is at the same ISP) wants to connect our server (it has fixed public IP) ISP just routing the traffic  towards to our server through the ISP's CGNAT "private" network (100.64.0.0/10)

TL;DR:
- ISP change not an option currently
- We have fixed public IPv4 address for this FTP server.
- We use OPNsense 20.1.3 ( OPNsense 20.1.3-amd64 / FreeBSD 11.2-RELEASE-p17-HBSD / OpenSSL 1.1.1d 10 Sep 2019)
- Our ISP "advice" was not to block 100.64.0.0/10 (CGNAT) address range. This is blocked because I checked "WAN" interface / "Generic configuration" / "Block private networks" option.

How can I allow 100.64/10 perfectly on WAN interface?

Is there a plugin which allows to separate CGNAT from "private networks" block?

I think about an "allow" rule for 100.64.0.0/10 but I can't move this rule above the "Automatically generated rules"

If I disable "Block private networks" could I perfectly replace with custom "block" rule (10/8, 172.16/12, 192.168/16 + 127/8) ?

Is "Block bogon networks" option will affect on custom 100.64.0.0/10 "allow" rule?

Thanks in advance!

4

General Discussion / GEOM SW RAID sensitive to power outage

« on: September 23, 2019, 08:19:42 pm »

Hello,

I have a Dell 860 (II) server, with two commercial grade SATA disk, there is no HW RAID.

I've installed OPNsense 19.7 "Jazzy Jaguar", and i boundled the two disk with GEOM RAID 1.

Every time when power outage happens GEOM blocked the boot process with rebuilding one disk based on the other.

Short answare would be too simple: I should use UPS.

But!

before OPNsense I used Ubuntu server 16.04.xxs LTS on the same hardware (above) and within the same environment, and Ubuntu server never had RAID issue.

Is there any config param to hardening GEOM? Or should I skip avoid GEOM completly in this situation?

OPNsense without GEOM would be sensitive for power outage?

5

19.7 Legacy Series / Re: block all traffic between VLANs

« on: August 20, 2019, 11:24:55 am »

I've did aliases like "intranet_except_VLAN1, intranet_except_VLAN2" so on ... (every alias contains all vlan network address except the one in their names)

created a blocking rule on every VLAN interface put the related alias as destination with any source any port any protocoll

its working and only one rule per VLAN interface, but there should be a more clever way...

by the way why is opnsense allowed traffic between VLANs by default?

6

19.7 Legacy Series / block all traffic between VLANs

« on: August 18, 2019, 06:55:37 pm »

Hi!

I have a gateway/server with fresh OPNsense install (Jazzy Jaguar)

There are 3 NIC: 1 for WAN, 2 for LAN aggregated with LAGG(LACP).

On the LAGG there are 5 VLAN (eg 10.1.x.x/16, 10.2.x.x/16, ...)

So far so good, everything works perfectly.

I'd like to ask which is the simpliest way to block traffic between VLANs.

for example: from VLAN1 user could ping the GW and the public IPs ("The Internet") but not the other VLAN's IP.

I could block other VLAN "net" address one-by-one per interface but I think there should be a more clever solution

The next question is: block all traffic except for one specific IP in VLAN 5 which is an internal web server between VLANs (eg 10.1.0.1 -> http://10.5.0.1,  10.2.3.4 -> http://10.5.0.1)


Thanks in advance