Messages - ggriff

#1
Hi Patrick,

Thanks for your response, I got the same issue on a local FreeBSD v13.3 image so ended up using the OPNSense ISO as I was tired of struggling with the bootstrap method.
#2
@Patrick thanks for the fast response but I'm still getting the same behaviour with FreeBSD 13.3

sudo sh ./opnsense-bootstrap.sh.in -r 23.7
sudo sh ./opnsense-bootstrap.sh.in -r 24.1


both result in:
Proceed with this action? [y/N]: y
fetch: https://github.com/opnsense/core/archive/stable/24.1.tar.gz: size of remote file is not known
/tmp/opnsense-bootstrap/core.tar.gz                   7650 kB 9600 kBps    01s
pkg: 18 packages installed
azure-agent-2.8.0.11: already unlocked
$
#3
I have tried multiple times to bootstrap an Azure FreeBSD v13.2 VM with no success. I have done this with v23.7 so am not a NOOB but have no clue why this is failing.

sudo sh ./opnsense-bootstrap.sh.in -r 24.1
This utility will attempt to turn this installation into the latest
OPNsense 24.1 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y
fetch: https://github.com/opnsense/core/archive/stable/24.1.tar.gz: size of remote file is not known
/tmp/opnsense-bootstrap/core.tar.gz                   7650 kB 9543 kBps    01s
pkg: 17 packages installed
bash-5.2.15: already unlocked


previously it stopped at:
azure-agent-2.8.0.11: already unlocked
so I uninstalled the package but now it stops at the bash package so seems to just be going down the list.

Anyone have an idea why this is not working?

#4

Ok so using Topology subnet I can at least see ICMP traffic with tcpdump:

23:25:27.881576 IP 172.23.8.2 > 172.23.8.250: ICMP echo request, id 26390, seq 0, length 64
23:25:27.881609 IP OPNsense.localhost > 172.23.8.250: ICMP echo request, id 61533, seq 0, length 64


So traffic from 172.23.8.2 hits the firewall and it is sent to 172.23.8.250

My concern is that the source address is not in the same subnet, meaning the device at 172.23.8.250
does not send the reply back over the tunnel (I can't use Wireshark on the tunnel interface).
#5
Hope someone can help with this:

The goal is to restrict VPN client to client access with specific firewall rules

So when un-ticking the VPN server "Inter-client communication" I can no longer ping
other clients and can only ping the VPN interface IP which makes sense.

The problem:
I have enabled all traffic on the OpenVPN interface and all traffic on the TAP interface but can't
ping other clients anymore. I have read that IP forwarding needs to be enabled for this to work.

Via the console, IP forwarding seems to be enabled already?
root@OPNsense:/etc # sysctl -w net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1


Found this link https://serverfault.com/questions/736274/openvpn-client-to-client
that explains a solution but involves IPTABLES.
#6

@mimugmail Thank you very much! This works now!

Strange thing is when I was still running OPNSense v19.7 I tried TAP1 & LAN as interface and neither worked...
#7
What I'm trying to achieve:
Client connected to OpenVPN server can access other machines on the LAN

Status:
VPN Client can connect and the LAN network is pushed to the client.
Routing table is setup correctly on the client 192.168.16.0/24 -> 172.30.10.1


Problem:
When pinging a machine on the LAN network from the VPN Client the
ping reply can't be routed back because the traffic has a source IP of 172.30.10.X
I have enabled outbound NAT'ing on the TAP1 interface but it is not overwriting the source IP?

Main Router
Public IP: 1.2.3.4
Port Forward 1194 to 192.168.12.177

OPNSense Router: OPNsense 20.1.3-amd64
Server Mode: Remote Access (SSL/TLS)
Dev Mode: Tun
Topology: Subnet
WAN   192.168.12.177/24 (GW: 192.168.12.1)
LAN   192.168.16.25/24
TAP1   172.30.10.1/24

Outbound NAT Rule: // Hybrid Outbound NAT
Interface:   TAP1
Source:      172.30.10.0/24
Destination:   LAN net
NAT Address:   LAN Address

tcpdump -i ovpns1:
16:19:52.669289 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1447, length 40
16:19:57.526968 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1448, length 40

Can anybody shed some light on this please?
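The captures in posts #4 and #7 both show echo requests with no matching echo reply, which is the signature of asymmetric return routing (the LAN host has no route back to the tunnel subnet) or of an outbound NAT rule that never matched. The script below is an added example, not code from the forum posts: it pairs ICMP echo requests and replies in tcpdump text output by (id, seq) and reports requests that were never answered, plus requests heading into the LAN that still carry a tunnel-subnet source. The subnets and NAT address passed to it are assumptions taken from post #7 (TAP1 172.30.10.0/24, LAN 192.168.16.0/24, LAN address 192.168.16.25), and the sample capture is constructed in the style of the posted lines. Run tcpdump with -n so addresses are printed numerically, and capture on the LAN-side interface rather than the tunnel: outbound NAT is applied on the interface a packet leaves through, so a capture on ovpns1 shows the untranslated source even when the rule is working.

```python
"""Pair ICMP echo requests with replies in tcpdump output and flag the
symptoms seen in the thread: unanswered requests and LAN-bound requests
whose source was not rewritten by outbound NAT.

Added example, not from the forum posts. Subnet arguments are assumptions
taken from post #7."""
import ipaddress
import re

# Constructed sample modelled on the posted tcpdump lines: two requests with
# an untranslated tunnel source and no reply, plus one correctly translated
# request (source = LAN address) that is answered.
SAMPLE = """\
16:19:52.669289 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1447, length 40
16:19:57.526968 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1448, length 40
16:20:01.000000 IP 192.168.16.25 > 192.168.16.222: ICMP echo request, id 7, seq 1, length 40
16:20:01.000412 IP 192.168.16.222 > 192.168.16.25: ICMP echo reply, id 7, seq 1, length 40
"""

# Default one-line tcpdump format for ICMP echo, as printed with -n.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(text):
    """Yield one dict per ICMP echo line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            yield d


def analyse(text, tunnel_net, lan_net):
    """Return (unanswered, untranslated): lists of (id, seq) keys.

    unanswered   - echo requests with no echo reply carrying the same id/seq.
    untranslated - requests from tunnel_net to lan_net; on the LAN interface
                   these should already carry the LAN address as source if the
                   outbound NAT rule matched.
    """
    tunnel = ipaddress.ip_network(tunnel_net)
    lan = ipaddress.ip_network(lan_net)
    requests = {}
    replies = set()
    untranslated = []
    for pkt in parse(text):
        key = (pkt["id"], pkt["seq"])
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if pkt["kind"] == "request":
            requests[key] = pkt
            if src in tunnel and dst in lan:
                untranslated.append(key)
        else:
            replies.add(key)
    unanswered = [k for k in requests if k not in replies]
    return unanswered, untranslated


if __name__ == "__main__":
    # Subnets from post #7 (assumed for this example).
    missing, raw = analyse(SAMPLE, "172.30.10.0/24", "192.168.16.0/24")
    print("unanswered requests (id, seq):", missing)
    print("requests still carrying a tunnel source:", raw)
```

If a request appears in the untranslated list on the LAN-side capture, the outbound NAT rule did not match it; if it is translated but still unanswered, the problem is on the LAN host or a firewall rule on the reply path rather than NAT.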