Messages

1

19.7 Legacy Series / Re: IPSec VPN – Can access VPN network or Internet, not both!

« on: October 11, 2019, 10:42:39 am »

Seems I'm not alone

This thread https://forum.opnsense.org/index.php?topic=14141.0

Far better explains the issue and the other linked issues regarding the issues around IPSec

2

19.7 Legacy Series / IPSec VPN – Can access VPN network or Internet, not both!

« on: October 10, 2019, 05:03:40 pm »

I have successfully setup IPSec VPN Road Warrior profile for a Windows 10 client using PowerShell and connect OK.

However, I can ONLY access the remote VPN LAN if the split tunnel option (found from the IPv4 Networking, Advanced, IP Settings) "use default gateway on remote network" is ENABLED

When it is enabled I CANNOT access the public Internet.

With the "use default gateway on remote network" DISABLED, I can access the public Internet, but I CANNOT access machines or services within the VPN LAN.

What is required to allow me to access:

• my local LAN
• the Internet
• the remote VPN LAN

Ideally it would be best if I could resolve DNS names for the VPN LAN, but I'll accept being able to access remote resources via IP for now.

Thanks

3

General Discussion / Re: VoIP Issue - Firewall rules

« on: October 01, 2019, 08:47:31 am »

I like the idea of setting each handset to it's own port requirements then fixing those.  Long winded but clear when there is an issue with a single handset.

As it happens this turned out to be an issue with the routing at the providers side! When they updated their record things started working.
(although I have left  “Reflection for port forwards” and “Automatic outbound NAT for Reflection” ticked for now because it's simply working 

4

General Discussion / VoIP Issue - Firewall rules

« on: September 26, 2019, 08:59:19 pm »

I have been using OPNsense for about 6 months but have hit a problem, I cannot for the life of me configure the Firewall ports to allow VoIP traffic. 

I need to allow a range of ports open to allow 3 handsets on my local LAN to communicate with a hosted PBX on the Internet.

The handsets can register with the PBX (myPBX.voipCompany.com) fine as outgoing clients (I assume via the default out rule?) but I do not receive calls because I assume the default deny rule is blocking the incoming port?

I can also call out, but cannot hear the other person, again due to the default deny I'm guessing.  The provider says it’s a firewall issue and will not help further.

Before the details, I have some preliminary questions I cannot find the answer too.

Firewall -> Settings -> Advanced “Network Address Translation”

Do I need to enable “Reflection for port forwards” and “Automatic outbound NAT for Reflection”?

Other posts suggest enabling these, but without reason.

Also some things I have tried that seem to have not helped

• I have tried Firewall -> Settings -> Advanced -> Firewall Optimization = Conservative. No discernible effect.
• I have added and enabled the plugin “Siproxd” to no effect

Some details

Fixed IP: 213.47.33.171
PBX: myPBX.voipCompany.com
Ports: UDP 5060-5070 & 10000-20000 (RTP media)

Please can somebody explain what the magic combination is on the Floating Rules section?

Here is what I tried, creating two rules, one for each of the port ranges:
Interface: WAN
Direction: any
Protocol: UDP
Source: any (but really this should be restricted to myPBX.voipCompany.com)
Destination: LAN net (I assume “LAN net” is the entire local 192.168.0.0/24 range?)
Port Range (other) 5060-5070 & 10000-20000
Log: enabled
Category: VoIP

I have tried, for hours, various combinations but the ports remain closed to the world.

Live view logging does not seem to show anything helpful, should it?

How can I see blocked incoming connections from “myPBX.voipCompany.com”

Please help or I’m going to have admit defeat and buy something from ubiquiti