Messages - rjdza

#1
Quote from: fabian on September 21, 2021, 08:59:26 AM
Maybe left over from a server crash or something like that. It is safe to delete that file.

It's a brand new server - 4 days old. Give or take a day, I guess.  No crashes.

In any case, it's a once-off, not overly concerned about it.

Back on topic, Nginx is working out quite nicely.  This is the first time I've used it for UDP or Streamed data.
#2
General Discussion / Re: Generic UDP Proxy - possible?
September 20, 2021, 08:30:31 PM
Quote from: fabian on September 20, 2021, 07:33:09 PM
nginx can do that in stream mode.
Appears to be working like a charm, thanks!

Had a strange problem where an existing /var/run/nginx_status.sock was preventing nginx from starting, once I deleted that, everything went great.
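The stream-mode UDP proxy that fabian points to, written out as an added example (this is not the poster's actual configuration and not taken from the nginx project). It assumes the stream module is compiled in, that the `stream` block sits at the top level of nginx.conf (not inside `http`), and that the listen address 192.0.2.10 and the backends 10.0.0.10/10.0.0.11 are placeholders for the firewall's outside address and the inside SIP and IAX servers. Because nginx terminates each UDP flow and re-originates it from its own address, the inside servers reply to nginx rather than to the original client, which is why this works even when the proxy host is not the servers' default gateway.

```nginx
# Added example: nginx stream-mode UDP proxy for SIP (UDP/5060) and IAX2 (UDP/4569).
# 192.0.2.10, 10.0.0.10 and 10.0.0.11 are placeholder addresses, not the poster's hosts.
stream {
    # Inside servers; nginx sources the forwarded datagrams from its own address,
    # so the backends see the proxy, not the Internet client, as the peer.
    upstream sip_backend {
        server 10.0.0.10:5060;
    }
    upstream iax_backend {
        server 10.0.0.11:4569;
    }

    # Bind only the outside address so the proxy is not reachable on other interfaces.
    server {
        listen 192.0.2.10:5060 udp;
        proxy_pass sip_backend;
        # Forget the client/backend session after this much idle time so
        # stale mappings do not accumulate on a busy SIP port.
        proxy_timeout 30s;
    }

    server {
        listen 192.0.2.10:4569 udp;
        proxy_pass iax_backend;
        proxy_timeout 30s;
    }
}
```

Reload with `nginx -t` first to catch syntax errors, then `nginx -s reload`. Anything that should stay private (registrations, internal extensions) still needs to be filtered by the firewall rules in front of these listeners; the proxy itself forwards every datagram it receives on those ports.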
#3
General Discussion / Re: Generic UDP Proxy - possible?
September 20, 2021, 07:48:44 PM
Quote from: fabian on September 20, 2021, 07:33:09 PM
nginx can do that in stream mode.

Thanks, looking into that right now.
#4
General Discussion / Re: Generic UDP Proxy - possible?
September 20, 2021, 06:40:07 PM
Quote from: bartjsmit on September 20, 2021, 05:32:19 PM
Check out SOCKS

Sorry, I should have specified that it is for traffic coming into the network, not leaving it.
#5
I have two firewalls that synchronise HA Proxy configs.

I need HA Proxy to listen on different IP addresses on each box. When I sync the settings, the master's IP overwrites the slave's IP setting.  This is, of course, expected, but not desired.

I could possibly use CARP to do this, but this is undesirable for a number of reasons.

Is there any way I can use an HA Proxy rule that uses a firewall-specific IP address?  In this case it should use the LAN IP address.
#6
I have some UDP traffic I need to proxy.  Since I'm not the default GW for the servers on the inside, NATing will not work.

I've used the tool pen for UDP proxying in the past, but am happy for anything that will allow me to proxy UDP traffic.

Right now the traffic I need to proxy will be SIP and IAX, but there may be other types of UDP in the future.

Any suggestions welcome.
#7
Quote from: muchacha_grande on September 17, 2021, 02:04:13 AM
Try disabling "Quick" option, so the action is not taken immediately. The firewall will continue evaluating for the other rules until it reaches a quick rule or the last matching one.

Can confirm what Greelan said - does not work, only the last rule takes effect.

Confirmation comes from testing...
#8
Quote from: Greelan on September 17, 2021, 03:01:15 AM
OP - just a thought. If you configure the IPv4 upstream gateway for the relevant interface under the interface settings, does that achieve the outcome for you?

It has been set all along.  I had reliability issues with multiwan and auto detect years ago, and haven't used it since.
#9
Quote from: Greelan on September 17, 2021, 01:26:47 AM
AFAIK you can't specify simply a "Match" action for a rule.

Can't you just set the reply-to field on all the other rules?

I can, but that creates layers of complexity because I cannot use floating rules or firewall IF groups.
#10
Quote from: pmhausen on September 16, 2021, 09:37:49 PM
What's the reply-to field in a networking context? I only know this in email.

It tells the firewall to add a field telling it which interface to send the replies out through.  This is used for multiwan where traffic should leave on the interface it came in on.

My setup has a peculiarity where for one type of link the default reply-to doesn't work.  It works for the rest of them, though, which is why I consider it a bug.
#11
Hi all

I need to set a firewall option on all traffic coming into an interface (I need to set the reply-to field. I know I shouldn't need to, but I do.  I think it's a bug).

How do I add a rule that will set the option, but will not pass or block traffic otherwise, and will not interfere with pass or block rules added later?

Thanks in advance.

EDIT: Here is why I need to set reply-to for the entire interface: https://forum.opnsense.org/index.php?topic=24776.0
#12
21.7 Legacy Series / Re: Multiwan reply path issues
September 16, 2021, 09:30:40 PM
I have found a workaround.  If I change related firewall rules to include setting the reply-to to the interface name, everything works as expected.

I think this is a bug, as reply-to should automatically be set unless disabled, and I have not disabled it on my setup.  (If this is a bug, it applies to pfSense too)

How do I go about determining if I need to log this as a bug?

tx
#13
Hi all.  I have three WAN links, Link A (LA), Link B (LB) , and Link C (LC).

LA gives me a public IP address range.
LB gives me a public address range.
LC has a single public IP on the provider's hardware, and an RFC1918 IP on the inside (we use 10.0.0.0/24)

I have LA set as my default gateway. I can connect to my LA firewall IP address with no problems. I can connect to my LB firewall IP address with no problems.  I cannot connect to the catchall LC IP address at all.

If I make LB my default gateway, then I can connect to my LA firewall IP address with no problems. I can connect to my LB firewall IP address with no problems.  I still cannot connect to the catchall LC IP address at all.

If I make LC my default gateway, then I can NOT connect to my LA firewall IP address. I can NOT connect to my LB firewall IP address.  I now CAN connect to the catchall LC IP address with no difficulty.

I have some ports forwarded to other hosts inside my DMZ, linux machines, and the linux boxes can accept connections to all IP addresses all the time.

(There are actually 4 firewalls in a failover configuration using CARP, but to figure this problem out I've reinstalled 2 of them and they have no other configuration at all. Only putting this here in case I reference things that seem to make no sense later on.)

EDIT: Forgot to mention that traffic dumps show traffic that should be going out LC gets routed out over the default gw, while LA and LB traffic always goes out the correct gateway. LA and LB are fibre links, while LC is a radio link.  Unsure about LA and LB, but LC definitely uses a Mikrotik as a gw device (I believe that LA and LB also use Mikrotiks, but am unsure).

Also forgot to mention that the firewalls connect to each WAN link using its own dedicated VLAN - providers do not share an interface.  The switch used to be a 3COM, but is now a Mikrotik Cloud Switch (although, IIRC, we had the same problem when we were using an old Netgear switch).
#14
Having the same problem with an HP MicroServer N40L.  https://n40l.fandom.com/wiki/Base_Hardware_N40L

AMD CPU, AMD GPU.

Machine has 4GB RAM.

Ubuntu and ClearOS install without problems, pfSense installs with no problems, and FreeBSD installs with no problems.

This appears to be a HardenedBSD issue.

Jason