Messages - KoS

#1
I have figured out why NAT reflection didn't work for me -> the interfaces in the NAT rule need to include the "internal" networks too and not just the WAN interface. Despite the misleading hint "in most cases, you'll want to use WAN here." ;-)

Maybe it is the same "problem" for you too?
#2
For NAT reflection to work, the interfaces in the NAT rule need to include the "internal" networks too and not just the WAN interface. Despite the misleading hint "in most cases, you'll want to use WAN here." ;-)
#3
22.7 Legacy Series / Pagekite on OPNsense
August 17, 2022, 12:20:35 PM
Is somebody using the pagekite client on OPNsense? I will soon be looking into running it on my OPNsense boxes and thought I'd ask if somebody already has some experience with it on OPNsense.
-> https://pagekite.net/
#4
@awnpbmdhmmfkbwlu
I would like to use PXE for deploying OPNsense and I was wondering which image you are using to boot OPNsense? What file is "/os/bsd/opnsense/boot/pxeboot"? Thanks for a hint :-)
#5
Hi

Summary of my setup and the problem that I am facing with NAT reflection:
igb2      : WAN
igb1      : multiple VLANs
igb1_vlan2: VLAN 2
igb1_vlan3: VLAN 3 -> used in bridge0
igb1_vlan4: VLAN 4
igb0      : no VLANs
bridge0   : igb0, igb1_vlan3


I have an HTTPS server sitting behind bridge0 and have a NAT port forward rule:
Interface: WAN
Destination port range: HTTPS
Redirect target IP: 192.168.232.100 (IP on igb1_vlan2)
NAT reflection: Use system default


Firewall: Settings: Advanced: Network Address Translation
Reflection for port forwards: enabled
Reflection for 1:1: enabled
Automatic outbound NAT for Reflection: enabled


The NAT rule works fine from WAN side. But NOT from the internal network on bridge0, it gets blocked:
action: block
dir: in
dst: 192.168.232.100
dstport: 443
interface: bridge0
label: default deny / state violation rule


If I manually add a firewall rule on the bridge0 interface to allow the traffic, it works:
action: pass
interface: bridge0
direction: in
destination: 192.168.232.100
destination port range: 443


I would expect that OPNsense would create that rule automatically based on the NAT reflection? Could it be a problem with the bridge+VLAN interface?

Thanks for any hint in the right direction
KoS
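To make the "include the internal interfaces" fix concrete, here is an added illustration in FreeBSD pf syntax (this is not OPNsense's generated ruleset, and the interface and address names are taken from the setup above purely as example values): a shell function that emits the rdr, nat and pass rules a reflected port forward needs. The plain WAN rdr only rewrites packets arriving on igb2; reflection repeats the rdr on each internal interface, adds source NAT so the server's reply returns through the firewall, and the translated packet then still has to pass a filter rule on the interface it arrived on, which is the rule that was missing in the report.

```shell
#!/bin/sh
# Added example (not OPNsense's own rule generator): print a pf.conf fragment
# for a TCP port forward with NAT reflection in FreeBSD pf syntax.
# Usage: reflect_rules WAN_IF TARGET_IP PORT TARGET_IF INTERNAL_IF...
reflect_rules() {
    wan="$1"; target="$2"; port="$3"; target_if="$4"; shift 4

    # 1. Plain port forward: only rewrites packets that arrive on the WAN interface.
    printf 'rdr on %s inet proto tcp from any to (%s) port %s -> %s port %s\n' \
        "$wan" "$wan" "$port" "$target" "$port"

    # 2. Reflection: repeat the redirect on every internal interface, so a client
    #    inside that connects to the public address is rewritten as well.
    for ifc in "$@"; do
        printf 'rdr on %s inet proto tcp from any to (%s) port %s -> %s port %s\n' \
            "$ifc" "$wan" "$port" "$target" "$port"
    done

    # 3. Outbound NAT for reflected sessions: masquerade internal sources when the
    #    rewritten packet leaves towards the server, so the reply comes back via the
    #    firewall instead of going directly to the client (hairpin case).
    for ifc in "$@"; do
        printf 'nat on %s inet proto tcp from (%s:network) to %s port %s -> (%s)\n' \
            "$target_if" "$ifc" "$target" "$port" "$target_if"
    done

    # 4. Filter: pf evaluates the translated packet on its inbound interface, so each
    #    internal interface needs a pass rule for the real destination.
    for ifc in "$@"; do
        printf 'pass in quick on %s inet proto tcp from any to %s port %s\n' \
            "$ifc" "$target" "$port"
    done
}

# Example values from the setup above: WAN igb2, server on igb1_vlan2,
# clients on bridge0 and igb1_vlan4.
reflect_rules igb2 192.168.232.100 443 igb1_vlan2 bridge0 igb1_vlan4
```

Redirect the output to a file and syntax-check it with `pfctl -nf /path/to/file` before loading anything; the point of the fragment is to show which interfaces the rdr and pass rules have to name, not to replace the rules OPNsense writes itself.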
#6
I just had the same "problem" -> you have to do a POST instead of a GET, then it works. See https://forum.opnsense.org/index.php?topic=23625.msg112396#msg112396
#7
@pmhausen
sure this is possible and is what I have to do for new installations where I want to use OPNsense.
This makes the setup less transparent, as not all trunk ports on the switch can be configured the same way. in the end it is ONLY the trunk port for OPNsense that needs to be configured differently, as the trunk ports for uplinks to other switches or APs can be configured all the same way.  -> and on existing installations i cannot just replace the existing router box (running voyage linux on the Alix APU boards) as I first need to re-configure the port on the switch.
#8
I found the root cause of my problem: There is a limitation in OPNsense/FreeBSD that you cannot use a physical network interface with VLAN interfaces AND an untagged interface in bridges.
As I had a similar setup previously running on Linux, I didn't expect this to be a problem/limitation.

see e.g. here: https://redmine.pfsense.org/issues/11139

FYI: I have all "management" traffic untagged on the switches and all "data" traffic in different VLANs. E.g. Ubiquiti UniFi access points always have the "management" traffic untagged and cannot be forced to use another VLAN. -> Even if it were possible to change the management traffic to a tagged VLAN, it won't be possible to just plug in a new access point out-of-the-box and have it configure itself automatically by connecting to the UniFi controller, as you would first need to configure it manually.

#9
The client-config-dir is not used (anymore?) as the client-specific overrides are provided via the client-connect script. See the issue here: https://github.com/opnsense/core/issues/4293

Note: That way the ccd-exclusive option can also not be used, as it is useless if no client-config-dir config files are being used.
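Since the overrides come from the client-connect hook rather than client-config-dir, here is an added example of what such a hook looks like; it is not the OPNsense plugin's script, and the CN-to-address table in it is made up for the illustration. OpenVPN runs a client-connect script with the connecting client's certificate CN in the `common_name` environment variable and the path of a fresh temporary file as the last argument; directives written to that file apply to the session, and a non-zero exit rejects the client. Refusing unknown CNs in the script is how the ccd-exclusive behaviour is recovered when there is no config dir.

```shell
#!/bin/sh
# Added example (not the OPNsense OpenVPN plugin's script): a client-connect hook
# that supplies per-client directives in place of client-config-dir files.
# OpenVPN invokes it as:  script <tmpfile>   with $common_name in the environment.

# Constructed lookup table for the example: CN -> directives for that client.
client_overrides() {
    case "$1" in
        laptop-alice)
            printf 'ifconfig-push 10.8.0.10 255.255.255.0\n' ;;
        site-b-router)
            printf 'ifconfig-push 10.8.0.20 255.255.255.0\n'
            printf 'iroute 192.168.50.0 255.255.255.0\n' ;;
        *)
            return 1 ;;   # unknown CN: refuse, mirroring ccd-exclusive
    esac
}

# Write the per-session config for CN $1 into file $2.
# Returns 0 when the client is known and the file was written, 1 otherwise.
write_client_config() {
    cn="$1"; out="$2"
    # The CN is text the CA signed, not text this host chose; only accept a
    # conservative character set before it is used in a file name or message.
    case "$cn" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    overrides=$(client_overrides "$cn") || return 1
    printf '# generated for %s\n%s\n' "$cn" "$overrides" > "$out"
}

# Entry point when called by OpenVPN: the temp file is the last argument.
if [ -n "$common_name" ]; then
    eval "tmpfile=\${$#}"
    if ! write_client_config "$common_name" "$tmpfile"; then
        printf 'client-connect: rejecting %s\n' "$common_name" >&2
        exit 1
    fi
fi
```

Wire it in with `client-connect /path/to/script` and `script-security 2` on the server; anything the script writes to the temp file is merged into the session exactly as a client-config-dir file would have been.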
#10
Hi

I have an Alix APU with 3 ports.

  • One port is for WAN
  • One port is connected to a Switch where I have multiple VLANs, but where I can also have untagged traffic on it.
  • One port should be bridged into one of the VLANs

To make the setup more flexible, I have bridged all VLANs and am assigning IP addresses only to the bridge interfaces.

So the current configuration looks like this:
igb0
igb1 -> LAN
igb1_untag
igb1_vlan2
igb1_vlan3
igb1_vlan4
igb1_vlan5
igb1_vlan6
igb2 -> WAN

bridge0 = OpenVPN_Server_1, igb0, igb1_vlan3
bridge1 = igb1_vlan4
bridge2 = igb1_vlan2
bridge3 = igb1_vlan5
bridge4 = igb1_vlan6
bridge5 = OpenVPN_Server_2, igb1_untag


I have a DHCP server on each of the bridge interfaces. If I connect a device at the switch on a port of e.g. VLAN2, I can successfully receive an IP address via DHCP. But I can neither ping the router, nor do I see any traffic coming in on that bridge interface (tcpdump). Neither can I get any traffic out from the router on that bridge. I have checked the firewall rules, but as I don't even see that the packets would get blocked, it seems the problem must be somewhere else. Is my setup with the bridges & VLANs wrong? Should I do it differently to get to my desired result? Any idea where I should start debugging?

If I connect a device on an "untagged" port of the switch, I end up successfully on bridge5 and can access the router & the internet.

FYI, the OpenVPN_Server_1 and 2 are in TAP mode, as I need to have the full traffic (including broadcast) via the VPN.
#11
Update: after installing the system from the 1st USB stick and booting into the new system with only the 2nd USB stick connected, I could run the importer from the command line and select that stick. So the problem seems not to be the stick, but OPNsense, which only shows the installer stick during installation and not both sticks?
#12
I have two USB sticks: one with the installer, and one with a configuration backup (GPT, FAT32, /conf/config.xml).

I can successfully boot up the installer from the 1st USB stick on an Alix apu2 board. Unfortunately the 2nd stick doesn't show up, neither in the opnsense-importer, nor if I check manually with geom disk list or camcontrol devlist.

When I connect the 2nd stick, the terminal shows me that a USB device got attached:
ugen0.3: <SanDisk Ultra USB 3.0> at usbus0
umass1 on uhub1
umass1: <SanDisk Ultra USB 3.0, class 0/0, rev 3.00/1.00, addr 2> on usbus0
umass1:  SCSI over Bulk-Only; quirks = 0xc100
umass1:3:1: Attached to scbus3


Any idea what I am doing wrong? I suppose at that "level" (geom disk list) it does NOT depend on whether it is MBR/GPT and what kind of filesystem.

(FYI, the installed SSD and the installer USB stick show up as devices ada0 and da0)
#13
@Nephiria
I was just about to ask whether you set up the agent afterwards with the icinga2 node wizard, because for me it leads to a strange "Permission denied" error. But I have just seen that this is a FreeBSD problem (https://github.com/Icinga/icinga2/issues/7854).
I'll leave this here as a reference in case somebody else wants to set up icinga2 with the node wizard.

I'll just configure the agent manually....
#14
20.7 Legacy Series / Re: OpenVPN - custom client-connect
November 17, 2020, 10:15:01 PM
Quote from: chw0 on November 17, 2020, 06:17:30 PM
I have the same problem. KoS, have you found a solution?
No. I thought maybe I will have to fork the plugin and customize it for my needs :-(
#15
As the GeoIP database from MaxMind needs registration, the IPFire team has built their own location database, called IPFire Location. Maybe that could be of use for OPNsense too as some kind of collaborative approach?
--> https://blog.ipfire.org/post/a-new-location-database-for-the-internet
Not sure about the internals of the IPFire location approach and if/how it could be integrated into OPNsense.