Messages - BatMen

#1
German - Deutsch / Re: NAT Slipstreaming
March 12, 2021, 02:26:01 PM
Hello, I asked myself the same question today after a Heise posting.

Before I found this post (thanks, by the way), I read the following two Reddit posts on the topic:

https://amp.reddit.com/r/OPNsenseFirewall/comments/jt4el1/nat_slipstream_is_opnsense_vulnerable/
i.e. ALGs do not appear to be running on OPNsense.

And then, as a supplement and in my opinion fitting the subject:

https://www.reddit.com/r/PFSENSE/comments/jng0dw/has_anyone_else_seen_the_new_nat_slipstream/gb1bm2f?utm_source=share&utm_medium=web2x&context=3

It refers to pfSense, but the note about NAT on layer 3 and that old routers are the ones affected makes sense to me.

Considering pfSense isn't an ALG NAT, minimal. pfSense is a L3 NAT (Pure NAT) and doesn't use helper apps to make connections. This is common to really old Linux routers, where the NAT is supplemented with ConnTrack and helper apps (for FTP, SIP etc).

P.S. for FritzBox users (like me at home): they also appear not to be affected

https://twitter.com/avm_de/status/1337096271702749189
#2
General Discussion / Re: NAT Slipstreaming 2.0 & ALG
March 12, 2021, 01:42:07 PM
Today I asked myself the same question - I found a reply here

https://forum.opnsense.org/index.php?topic=21998.msg104097#msg104097

There is no SIP ALG or other ALG.

I found this one too
https://www.reddit.com/r/PFSENSE/comments/jng0dw/has_anyone_else_seen_the_new_nat_slipstream/
and one other Reddit posting - saying more or less OPNsense does not use any ALG

Not sure if this information can help you.
I read that modern browsers (with new patches) try to reduce the risk related to H.323 and WebRTC for NAT Slipstreaming, too
#3
Hello to all in this community - I'm new here :)

I want to share my solution for "Timeout while connecting to the selected mirror opnsense" in 20.1.x.

A few weeks ago I updated from the last 19.x to 20.1.2. Worked like a charm. 2 days ago I wanted to upgrade to 20.1.3 from the WebGUI and I ran into Timeout ...; I could get the security and health check. From the web interface I did DNS Lookup, ping and traceroute, for example to ip4.google.com - it worked. Update from console from 20.1.2 to 20.1.3 worked.
At this point I first didn't realise that traceroute, ping and update from console took a little longer to start (DNS resolve was slow).

My mistake was (I don't know why) - DNS Lookup took too long (it worked, but with this output)

DNS Lookup from WebGUI:

Response
Type Address
CNAME ipv4.l.google.com.
A 172.217.23.174
Resolution time per server
Server Query time
127.0.0.1 No response
192.168.100.1 19 msec


Resolved: in System/Settings/General, check "Do not use the local DNS service as a nameserver for this system" - this removed the 127.0.0.1 from


root@XXXX:~ # more /etc/resolv.conf
domain XXXX.local
nameserver 127.0.0.1
nameserver 192.168.100.1


which showed in DNS Lookup as "No response" (took too long).

I hope this helps other people around :-)

Have a good time all :)

###################
Some nice tips - use the Diagnostics from the interface if you think you have the same problem, or use the shell

Ping from shell:

root@XXXX:~ # ping -s 1500 212.32.245.132
PING 212.32.245.132 (212.32.245.132): 1500 data bytes
1508 bytes from 212.32.245.132: icmp_seq=0 ttl=55 time=18.945 ms
1508 bytes from 212.32.245.132: icmp_seq=1 ttl=55 time=18.878 ms
1508 bytes from 212.32.245.132: icmp_seq=2 ttl=55 time=18.150 ms

Traceroute from shell:

root@wse-XXXX:~ # traceroute ipv4.google.com
traceroute to ipv4.l.google.com (172.217.23.174), 64 hops max, 40 byte packets
1  192.168.200.1 (192.168.200.1)  0.768 ms  0.848 ms  0.544 ms
2  62.27.93.143 (62.27.93.143)  10.266 ms  10.335 ms  9.869 ms
3  62.27.94.174 (62.27.94.174)  10.452 ms  10.847 ms  10.881 ms
4  62.27.94.173 (62.27.94.173)  10.289 ms  10.463 ms  10.280 ms
5  212.172.67.98 (212.172.67.98)  10.737 ms  10.404 ms  10.030 ms
6  108.170.252.1 (108.170.252.1)  11.613 ms
    108.170.251.129 (108.170.251.129)  10.961 ms  10.864 ms
7  216.239.47.247 (216.239.47.247)  10.279 ms
    216.239.47.245 (216.239.47.245)  10.827 ms  10.853 ms
8  fra15s22-in-f14.1e100.net (172.217.23.174)  10.340 ms  10.550 ms  10.299 ms
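The symptom in the post above (a `nameserver 127.0.0.1` line in `/etc/resolv.conf` that never answers, so every lookup waits out a timeout before the second server is tried) can be checked without the WebGUI. The following script is an added example, not code from the post or from OPNsense: it parses a resolv.conf-style text, parses the "Resolution time per server" table of the DNS Lookup report, and probes each listed nameserver with a minimal UDP A query to see whether it answers within a timeout. The resolv.conf contents, the report text, the `example.local` domain and the query name `opnsense.org` are constructed sample values.

```python
"""Find nameservers that do not answer: parse resolv.conf and the OPNsense
DNS Lookup report, and probe each server with a minimal DNS A query.
Added example; sample inputs below are constructed, not from the forum post."""
import random
import socket
import struct
import time


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_lookup_report(text):
    """Parse the 'Resolution time per server' table of the WebGUI DNS Lookup
    output into {server: query time in ms, or None for 'No response'}."""
    result = {}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Resolution time per server"):
            in_table = True
            continue
        if not in_table or not line or line.startswith("Server"):
            continue
        parts = line.split()
        if parts[1:] == ["No", "response"]:
            result[parts[0]] = None
        elif len(parts) >= 3 and parts[2] == "msec":
            result[parts[0]] = float(parts[1])
    return result


def unresponsive(report):
    """Servers the report marks as 'No response', sorted for stable output."""
    return sorted(s for s, t in report.items() if t is None)


def build_query(name, txid):
    """Build a minimal RFC 1035 A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe(server, name="opnsense.org", timeout=2.0):
    """Send one A query to `server` on UDP/53; return round-trip ms, or None
    when nothing (or a reply with the wrong id) comes back within `timeout`."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
        if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
            return None  # not a reply to our query
        return (time.monotonic() - start) * 1000.0
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()


def check_resolv_conf(text, prober=probe):
    """Probe every nameserver from a resolv.conf text; {server: ms or None}."""
    return {s: prober(s) for s in parse_resolv_conf(text)}


# Constructed sample input, shaped like the post's output but not copied from it.
SAMPLE_RESOLV_CONF = """domain example.local
nameserver 127.0.0.1
nameserver 192.168.100.1
"""
SAMPLE_REPORT = """Resolution time per server
Server Query time
127.0.0.1 No response
192.168.100.1 19 msec
"""

if __name__ == "__main__":
    report = parse_lookup_report(SAMPLE_REPORT)
    print("report says no response from:", unresponsive(report))
    # Live probe of the servers in the sample file (needs network / a local resolver).
    for server, ms in check_resolv_conf(SAMPLE_RESOLV_CONF).items():
        print(server, "no response" if ms is None else f"{ms:.1f} ms")
```

Run it on a real system by reading `/etc/resolv.conf` into `check_resolv_conf`; a `127.0.0.1` entry that returns `None` while the LAN gateway answers is exactly the situation the post describes, and the fix is the same: either run a local resolver that actually listens on 127.0.0.1 or untick "Do not use the local DNS service as a nameserver for this system" so the entry is not written.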