Messages

1

General Discussion / Suggestions for LTE/5G modem

« on: October 01, 2024, 08:58:37 pm »

I currently have a LB1120 LTE modem setup as a secondary WAN on my OPNsense box.  Sadly it's VERY slow for whatever reason, I think it's just getting a bit old.  I can only get 20-30 Mbps down on a really good day.  Compared to my cellphone on LTE I can get upwards of 150-170 Mbps down consistently.  Would really like to upgrade to something a bit more robust.  I'm really struggling to locate devices for this.  Lots of hotspots available but I really don't need/want any of the fluff, just need an LTE/5G modem and a ethernet port.

Anyone have any recomendations?  ATT Mobile network currently.   

2

24.7 Production Series / WAN failover seems completly broken

« on: September 28, 2024, 12:51:25 am »

I've had the same configuration for WAN fail-over for years now.  I've always had issues with the connections being a bit sticky after my primary WAN is back online after an outage/fail-over scenario. But otherwise has been flawless.  However, I'm currently failed over to my backup LTE modem due to storm damage taking down the copper lines.  My primary connection shows 100% packet loss and shows offline status under gateway.  However as long as that connection is enabled the firewall continues to route traffic to my primary connection obviously this doesn't work well for having internet connectivity.  I figured this out by watching firewall logs.

I've rebooted all modems and the firewall trying to correct it but OPNsense simply will not route traffic to my secondary fail-over connection until I disable my primary under gateways.  Did something change recently that I missed that might require new configuration or is this simply borked?   

3

24.1 Legacy Series / Re: Multi-WAN not failing gateways back after uplink returns

« on: June 08, 2024, 09:51:37 pm »

FWIW, with the last update, there was a blurb in there about gateway failover.  It didn’t sound completely related, but potentially related.  Since that update, I haven’t had an issue with failback from what I can tell.

Same here. Issue appears to be resolved after the last update.

4

24.1 Legacy Series / Re: Multi-WAN not failing gateways back after uplink returns

« on: May 30, 2024, 02:39:20 pm »

Firewall - Settings - Advanced - Skip rules when gateway is down

have you enabled that? If I remember correctly fail back didn't work well before enabling it.

I admit I don't fully understand what this option does.  But my ruleset defines a gateway group not a specific gateway.  And to be clear failover has worked mostly well for years now, it has only been within the last few updates this started happening. 

Now there was an ongoing issue where some connections are overly sticky and existing connections wouldn't fail back.  However this new issue is different, even new connections choose the lower valued gateway still even after the primary is up.  The only fix is to reboot  the secondary gateway or the firewall itself. 

5

24.1 Legacy Series / Re: Periodic Speedtest

« on: May 29, 2024, 08:25:11 pm »

Wow good job finding that, I'd completely given up on solving it.  Looks like this is your first post too, so very thankful you took the time to make an account to help me out.  Posted a screenshot of the duplicate header.

6

24.1 Legacy Series / Re: Multi-WAN not failing gateways back after uplink returns

« on: May 29, 2024, 02:32:25 pm »

Don't have a fix for you but I'm having the exact same issue, been using multi-wan for years without too much pain, but now it simply doesn't fail back.  Not sure what changed, but it's been within the last few releases.  This is a biggish issue for me as my backup LTE internet is metered.  I didn't notice it hadn't failed back last week until I'd already used about 10Gigs of data.  If you find a fix please post it, I might try creating a bug report shortly.

7

Zenarmor (Sensei) / Re: Tutorial: How to Change a Self-Signed Certificate with a CA-Signed Certificate o

« on: April 17, 2024, 09:52:20 pm »

Hi,

You can import the created certificate but can not create yet. The only option is self-signed certificate for creating.

Import the cert ACME created from Let's Encrypt?  Is this automated or does this need to be manually done every 90 days.  I'm still unclear on this for some reason. 

8

Zenarmor (Sensei) / Re: Tutorial: How to Change a Self-Signed Certificate with a CA-Signed Certificate o

« on: April 16, 2024, 02:54:29 pm »

Not sure that really answers my question.  Currently I use ACME (the way your tutorial instructs) to have a Let's Encrypt cert on my opnsense instance.  What I'm asking is how can I use that same cert and/or process to automatically generate and use an Let's Encrypt cert using ACME on Zenarmor? 

9

Zenarmor (Sensei) / Re: why is eastpect locked to a single core

« on: April 15, 2024, 05:12:08 pm »

Hi All,

We needed to make a bit of differences in our roadmap due to SSE and SASE features. It is kept in roadmap but it seems at the end of this year or at the first quarter of next year.

  disapointing news...  gigabit plus wan and 10 gig lan backbone would have liked to see multicore support.

10

Zenarmor (Sensei) / Re: Tutorial: How to Change a Self-Signed Certificate with a CA-Signed Certificate o

« on: April 15, 2024, 05:09:08 pm »

Thank you for the detailed tutorial.  But is there any way to use the ACME issued cert in Zenarmor for TLS decryption or for the TLS block page? 

11

24.1 Legacy Series / Periodic Speedtest

« on: March 13, 2024, 02:53:41 pm »

I'm not sure when it stopped working but my periodic speedtest cron job doesn't seem to be working.  At least I don't see any tests logged and the widget doesn't show any data.  The cron job seems pretty straight forward but doesn't seem to work.  I know you need to set a parameter for the server id, I'm just using the id digits, does it also need brackets or parenthesis?  Not fully sure how to troubleshoot it. 

12

24.1 Legacy Series / Re: Found a repeatable issue where three Menu entries fail on a new 24.1 install

« on: March 12, 2024, 03:04:52 am »

I don't have any answer to your issue directly.  However, you can fill out a bug/issue report here https://github.com/opnsense/core/issues/new?assignees=&labels=&template=feature_request.md&title=

13

24.1 Legacy Series / Re: Connections are disappearing in firewall

« on: February 02, 2024, 08:29:39 pm »

I added screenshots of the rules on the interface I am currently on and the group interface of the VMs. The interface of the trouble VM has no rules set at all. From my machine, I can ping the firewall, google, other VMs, everything except the vm causing problems. From the VM, I cant ping anything except the firewall. From the other VMs, I can ping everything just as well as from the machine I am using right now.

When trying to trace route, it fails at the IP address of the firewall on the interface my machine is on. I think this matches with my former observations in the live view?

I'm confused, if the interface the VM is on has no rules it shouldn't be able to ping anything.  Are you sure your vlan tags are being applied correctly?  Thinking there is a configuration issue with your vlan not putting the VM on the correct network.  Would explain why your rules seem ineffective. 

If you have group rules you should still be able to see them on each applied interface by expanding the hidden rules at the top.

14

24.1 Legacy Series / Re: Connections are disappearing in firewall

« on: February 02, 2024, 05:40:26 pm »

Thank you for the suggestion. But unfortunately that is what I already did: I deleted all the floating rules; and there was a rule which allowed me to ping the VMs (yes, also the trouble VM) enabled all the time. The problem is that the ping gets into the firewall (I can see that in live view), but it does not get out. It isnt denied or anything, the "out" part of the ICMP request (is it called a request?) just does not appear in the live view. I know that this could mean that logging for the rule blocking the "out" part just is not enabled, but I checked everywhere and there is no rule that rejects anything.

EDIT: in the meantime, I also deleted the VM and set it up again. It now runs with a live image. I also deleted the interface (on the opnsense as well as on the hypervisor), tried with different VLAN tags and with a different set of IP addresses to be used on the interface. None of this helped in any way, the result was always the same..

Don't get too caught up in the out rules, for now at least don't create any "out" rules.  You should have one default rule "let out anything from firewall host itself " that's floating that will cover packets traversing the firewall to other networks. The default rule should have logging enabled as well, if not enable it.

Think of it this way [source vm] ----> (inbound ping rule) ----> [firewall] ----> [destination vm].  Will be all that's needed to allow this traffic. 

15

24.1 Legacy Series / Re: Connections are disappearing in firewall

« on: February 02, 2024, 05:19:09 pm »

It has to be blocked somewhere, slow down and only check one thing at a time. Making multiple changes at once will only increase your frustration and confusion 

You can also create an ICMP rule with source and destination to ANY on the source interface/vlan.  Make sure to enable logging as suggested above.  Send your ping, if you still aren't seeing it in the logs, you may have a configuration issue somewhere else. 

Edit: with the above any any ping rule in place, do some other checking and trace route tests.  Can you ping the firewall itself?  Can you ping www.google.com?  Can you ping 1.1.1.1?  Where does a trace route fail to the VM you are trying to ping?