OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of jamesb2147 »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - jamesb2147

Pages: [1]
1
20.7 Legacy Series / Dual WAN Failover config - Firewall logs show traffic still using down interface
« on: January 07, 2021, 07:45:08 am »
WAN1 is primary, WAN2 is secondary. Primary is used for all traffic unless monitoring stats aren't met (loss or latency), in which case it fails to secondary. Primary has 8x the bandwidth of secondary, hence the preference.

When I pull the upstream on primary (so its local L2 link stays online, but it cannot reach its gateway or internet), it fails to the secondary. I can successfully load web pages. However, I almost immediately start having trouble loading web pages. Looking at the firewall logs in OPNsense, I can see lots of traffic still being "allowed" out using the primary/WAN1 public IP address. However, tonight I did a packet capture on the secondary/WAN2, and found that all the packets had the appropriate secondary/WAN2 public IP address.

I'm not sure what to make of this, but it seems like there's a significant amount of traffic that's likely still trying to route via the primary/WAN1. I'm at a loss as to why that might be. Is there a common failover misconfiguration that might lead to something like this?

If you've read this far, thank you for your time and have a great day! :)

Version: OPNsense 20.7.7_1-amd64

2
19.7 Legacy Series / Strict flow implementation? (port-forwarding not working as intended)
« on: October 03, 2019, 10:35:20 pm »
Hello,

I've posted about this on Reddit a couple of times:

https://www.reddit.com/r/OPNsenseFirewall/comments/dcbyo8/meraki_concentrator_partially_blocked_digging/
https://www.reddit.com/r/OPNsenseFirewall/comments/d98aii/port_forward_not_working/

Basically, I have a strong suspicion that pf or similar software underpinning OPNsense is allowing only one network "flow" through each port, either forwarded or outbound. I have observed:

  • Port forwards have appeared to work for Plex, but only for a single client at a time
  • Port forwards appeared to work briefly with one of my BitTorrent trackers, it now reports I am "unconnectable"
  • Meraki UDP hole punching used for AutoVPN appears to only be working for one of two sites now that it's behind OPNsense

That last observation is what really pointed me at this being a restriction on the number of allowed flows. It uses the same technology at every site, and OPNsense is actually the first firewall I've found that default blocks meshing (Meraki's source paper cited a 90%+ success rate for their technique, BTW).

The port forwarding I consider a serious issue because it doesn't behave as one would expect for a port-forward to behave. However, the behavior of normally restricting users to a single flow per outbound request, while stricter than most firewalls and likely to cause problems with marginal cases (I have a sneaking suspicion this is causing Skype problems for me), is an entirely reasonable choice.

With all that said, I don't really know how to troubleshoot this, much less change it. OpenBSD's packet filter documentation isn't awful, but it is tough to wade through for someone not versed in pf terminology.

Any help in figuring out how to move forward is much appreciated. Have a great day, all!

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2