Messages

1

24.7 Production Series / Re: 24.7.3 and adding new OpenVPN Site-2-Site Issue

« on: September 11, 2024, 11:38:26 pm »

I am bumping my own thread in hopes that someone else has seen this issue when setting up a net new site-2-site openvpn tunnel with 24.7.x. I have a total of 7 site-2-site tunnels where 5 of them were setup before 24.7 and are running flawlessly. The two newest ones setup exactly the same way I am only able to have traffic between the two firewalls.

2

24.7 Production Series / Re: 24.7.3 and adding new OpenVPN Site-2-Site Issue

« on: August 31, 2024, 09:29:15 pm »

I am finding it hard to believe that no one has seen this issue or has discovered this issue after my post that has over 150 views. I have 5 tunnels working that were setup and running before 24.7 and 2 tunnels that were built post 24.7 upgrade that have the p2p between the firewalls but no routes to the network behind them.

3

24.7 Production Series / 24.7.3 and adding new OpenVPN Site-2-Site Issue

« on: August 29, 2024, 03:03:07 pm »

I support multiple family and friends via an openvpn site-2-site connection to assist them with their computer issues (yes I am that guy). All existing openvpn (not legacy) connections that were setup before 24.7 are still functional and routes/access continue to work which allows me access. All new openvpn site-2-site connections created after 24.7 I am able to reach the firewall but no other network hanging off the firewall.

Where there are no ip network conflicts this is just a simple site-2-site (p2p) with routes from the local and remote network. Where there is a nip network conflict BINAT rules have been added to eliminate it. Like I mentioned these continue to work as there where setup before upgrading to 24.7.x.

All rules and tcpdump show the traffic entering the tunnel but the other end never sees it.

I serve as the server and all others are clients. Each client is configured with static keys and a certificate for authentication. Followed the docs on openvpn site-2-site instances for all connections

Has any one tried setting up a site-2-site since upgrading to 24.7.x?

If require more information please let em know and I will provide upon request.

- Ron

4

23.7 Legacy Series / Re: 23.7 Fetch stops for unknown reason - Update not working

« on: October 18, 2023, 05:35:05 pm »

@BruceOS You are not alone. I am also multi-wan and seeing the same issues as you are.

5

23.1 Legacy Series / Re: IPSEC swanctl: [IKE] received (29) error notify

« on: January 27, 2023, 04:11:16 pm »

Did it for me.

Thanks @mimugmail

6

22.1 Legacy Series / Re: Site 2 Site route based (VTI) Netmask Issues

« on: March 22, 2022, 02:18:12 pm »

Thanks Franco for showing me what I was doing wrong. 


Ron

7

22.1 Legacy Series / Re: Site 2 Site route based (VTI) Netmask Issues

« on: March 21, 2022, 02:32:21 pm »

@Franco. I see that but why did the first vpn set a /30 the second vpn set a /29 and when trying to add a third vpn it sets a /30 that conflicts with the second vpn. When doing a VPN like this why would you need something bigger than a /30?

TIA,
Ron

8

22.1 Legacy Series / Re: Site 2 Site route based (VTI) Netmask Issues

« on: March 21, 2022, 01:58:02 pm »

@Franco I am totally aware but I can not find a way or a place to set the netmask when doing a Site route based (VTI) VPN. I even double checked the docs to make sure I did not miss anything before writing this reply.

TIA,
Ron

9

22.1 Legacy Series / Site 2 Site route based (VTI) Netmask Issues

« on: March 20, 2022, 04:28:20 pm »

In setting up multiple site 2 site route based VTI connections following https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html I think I discovered a possible bug. Both sides are running OPNsense version 22.1.3.

I had two site 2 site VTI's configured and when adding a third I discovered that the net mask is not consistent.

My Side IP	Other Side IP	Netmask	Description
10.111.1.1	10.111.1.2	30	remote site 1
10.111.1.3	10.111.1.4	29	remote site 2
10.111.1.5	10.111.1.6	30	remote site 3

When I go to add 'remote site 3' it breaks site 2. To work around this I changed the second octet to 112 for site3 on both sides. This brings up the tunnel but the routing is only working to each of the firewalls. Neither side is able to get to the networks that they have routes.

Both sites have unique IP networks on each side and do not clash.

This appears to only reveal itself when doing more than two site 2 site route based IPsec VPN.

Any ideas?

TIA
-Ron

10

Zenarmor (Sensei) / Re: Sensei stopped swap use greater than 30%

« on: April 27, 2021, 04:28:48 pm »

Below is an output from top. Just had to restart opensense a few minutes ago:

Code: [Select]

last pid: 18745;  load averages:  0.24,  0.17,  0.16                                         up 6+00:49:28  08:26:24
86 processes:  2 running, 84 sleeping
CPU:  0.5% user,  0.0% nice,  0.7% system,  0.5% interrupt, 98.3% idle
Mem: 1617M Active, 5402M Inact, 4398M Laundry, 2589M Wired, 1430M Buf, 1943M Free
Swap: 8192M Total, 2893M Used, 5298M Free, 35% Inuse

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
 6606 mongodb      38  52    0  8120M  5214M uwait    0 103:38   0.26% mongod
70052 root         13  20    0  8218M  2449M nanslp   2 240:45   0.86% suricata
98128 clamav        3  20    0  1416M  1318M select   1  89:15   0.00% clamd
41124 root         11  20  -20  2461M   328M nanslp   1   0:01   0.29% eastpect
42907 root         11  20  -20  2459M   322M nanslp   2   0:01   0.38% eastpect
77240 root          1  20  -20  1269M   161M nanslp   0   0:00   0.00% eastpect
49873 root          1  52  -20  1269M   161M wait     0   0:00   0.00% eastpect
98455 squid         1  20    0  1491M   141M kqread   0  16:20   0.00% squid
64760 unbound       4  20    0   124M    95M kqread   2   8:46   0.00% unbound
52527 root         43  20  -20   125M    58M select   0   0:01   0.31% python3
87726 root          1  22    0    84M    43M accept   1   2:01   0.00% python3.7
 2686 root          1  52    0   190M    39M accept   2   0:01   0.00% php-cgi
18745 root          1  24    0    51M    39M CPU0     0   0:00   0.00% php
69463 root          1  22    0   188M    36M accept   2   0:03   0.00% php-cgi
87774 root          1  26    0   188M    36M accept   3   0:02   0.00% php-cgi
86102 root          1  20    0   186M    34M accept   2   0:00   0.00% php-cgi
 6591 root          1  20    0   188M    33M accept   3   0:02   0.00% php-cgi
22117 root          1  52    0   189M    33M accept   1   0:02   0.00% php-cgi



11

Zenarmor (Sensei) / Re: Sensei stopped swap use greater than 30%

« on: April 26, 2021, 05:34:43 pm »

I have a quad core i5 w with 16 gigs of ram and am running current version of opnsense and am seeing this as well. The only difference I chose to use mongodb instead of elasticsearch. When I click on the link to submit to vendor nothing happens and the box disappears using my primary browser (safari).

12

20.1 Legacy Series / Re: NUT with APC UPS 1500i SmartUPS

« on: March 02, 2020, 09:23:48 pm »

Do you have your UPS hooked directly to OPNsense box or is it attached to another host. Depending on your setup you might need to explore the drop downs in the second tab.  I have no issue with mine since my UPS is plugged into another system and the nut plugin is configured as a monitor.

Hope this helps

13

Web Proxy Filtering and Caching / Re: Nginx client_max_body_size

« on: February 20, 2020, 07:29:11 pm »

#1708 Opened as a feature request.

14

Web Proxy Filtering and Caching / Nginx client_max_body_size

« on: February 20, 2020, 05:26:42 pm »

Is there is place to change the value of "client_max_body_size". One of the services I have sitting behind my OPNsense firewall's Nginx reverse proxy is nextcloud. I have searched through every menu inside of the Nginx proxy and am unable to find where to change this value. My current hack/workaround is editing the file directly till I can find a resolution.

I am aware this is not recommended but am only hoping it is going to be short term.

TIA