22.7 Legacy Series / OpenVpn CRL problem
« on: October 12, 2022, 09:19:03 am »
After upgrading to 22.7, the OpenVPN client doesn't connect if I specify an internal CRL in the OpenVPN server.
This is the error:
TLS Error: TLS handshake failed
TLS Error: TLS object -> incoming plaintext read error
TLS_ERROR: BIO read tls_read_plaintext error
OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
VERIFY ERROR: CRL not loaded
I have tried deleting and recreating the CRL and rebooting OPNsense, with no success... any idea?
Thanks
General Discussion / Re: DHCPv6 and vendor-specific
« on: July 26, 2022, 11:25:58 am »
No, it doesn't work...
I need the vendor-specific suboption.
General Discussion / DHCPv6 and vendor-specific
« on: July 18, 2022, 08:23:32 pm »
I need to configure these options in DHCPv6 (Cisco syntax).
Is it possible?
vendor-specific 9
suboption 1 address x:x:x:x:x:x:x:x
I can't find vendor-specific options in the GUI.
Virtual private networks / Filter over ipsec
« on: March 04, 2022, 09:10:19 am »
Hi,
we have made a point-to-point IPsec tunnel. In my firewall rules under IPsec I have an autogenerated rule "IPsec internal host to host" with all IPv4/IPv6 permitted for outbound packets.
I put in a rule with deny IP, direction in.
The remote site cannot ping my site. OK, good.
Now if I ping an IP on the other site, OPNsense makes a row in the state table, and now the remote site can ping me from this IP.
Why?
Thanks
20.7 Legacy Series / Re: 20.7.4 vMotion breaks network connectivity
« on: March 05, 2021, 05:19:56 pm »
After spending some time, I have resolved my vMotion problem.
In my Huawei L3 switch, I have to put
mac-address update arp
undo arp anti-attack entry-check enable
20.7 Legacy Series / Re: 20.7.4 vMotion breaks network connectivity
« on: March 04, 2021, 12:22:28 pm »
I have the same problem.
Version
OPNsense 21.1.2-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
On vSphere 7
After vMotion I lose the network;
to make the network work I need to
reboot OPNsense, or
run ifconfig vmxX down / ifconfig vmxX up on all interfaces, or
make another vMotion back to the original server (note: vSwitch and vSphere networking are OK, other VMs vMotion correctly).
I tried replacing vmxnet3 with e1000e, same problem.
No log or error in console and dmesg.
General Discussion / Re: Intra Fw connection drop after 30 sec
« on: September 28, 2020, 03:34:12 pm »
It's a problem in my router;
I need to remove same-interface routing.
General Discussion / Intra Fw connection drop after 30 sec
« on: September 27, 2020, 10:03:30 pm »
Hi,
I have 2 OPNsense:
Lan1->opnsense1->
wan router
Lan2->opnsense2->
opnsense1 has a static route for lan2, destination opnsense2
opnsense2 has a static route for lan1, destination opnsense1
Hybrid outbound NAT rule generation
In opnsense1 I have a no-NAT to lan2
In opnsense2 I have a no-NAT to lan1
Firewall rule in opnsense2: permit IP from lan1
Gateway monitoring is disabled.
Block private networks on WAN: disabled
Now, communication from lan1 to lan2 and from lan2 to lan1 works correctly, but after 30 seconds it stops.
It is not asymmetric, but I have tried "Bypass Firewall Rules for Traffic on Same Interface" with no success.
I think it is a state problem, but how to resolve it?
When I connect from Lan1 to Lan2 (ssh from 172.30.0.164 to 172.30.2.10),
in opnsense1 I have
all tcp 172.30.0.164:59216 -> 172.30.2.10:22 SYN_SENT:CLOSED
all tcp 172.30.2.10:22 <- 172.30.0.164:59216 CLOSED:SYN_SENT
In opnsense2 I have
all tcp 172.30.0.164:59216 -> 172.30.2.10:22 ESTABLISHED:ESTABLISHED
all tcp 172.30.2.10:22 <- 172.30.0.164:59216 ESTABLISHED:ESTABLISHED
I have tried to use policy routing instead of static routing, with the same problem.
My opnsense2 intercepts the SYN sent, but the SYN reply is not intercepted (but it is present and routed correctly).
Any ideas?
Thanks
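The two state tables in the post above, used as an added example that is not part of the original post: a small Python triage script that parses pf state lines of that shape, normalises both directions of a flow to initiator-first order, and flags flows that are half-open (SYN_SENT:CLOSED) on one firewall while established on the other, which is the signature of reply packets not passing back through the first box. The sample lines are constructed to mirror the post.

```python
"""Triage pf state-table lines for flows whose return path bypasses a firewall.
Constructed example, not from the forum post. A TCP flow stuck in SYN_SENT:CLOSED
on one firewall while the peer shows ESTABLISHED:ESTABLISHED means the SYN-ACK
never crossed the first box; pf expires the half-open state and the flow stops.
"""
import re

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+(?P<a>\S+)\s+(?P<dir>->|<-)\s+"
    r"(?P<b>\S+)\s+(?P<sa>[A-Z_]+):(?P<sb>[A-Z_]+)$"
)

def parse_state(line):
    """Return (proto, initiator, responder, init_state, resp_state) or None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    a, b, sa, sb = m["a"], m["b"], m["sa"], m["sb"]
    # The "<-" form lists the responder and its state first; normalise it.
    if m["dir"] == "<-":
        a, b, sa, sb = b, a, sb, sa
    return (m["proto"], a, b, sa, sb)

def half_open_flows(lines):
    """Flows where a SYN was seen but no SYN-ACK ever came back through here."""
    return {
        (st[1], st[2])
        for st in map(parse_state, lines)
        if st and st[0] == "tcp" and st[3] == "SYN_SENT" and st[4] == "CLOSED"
    }

def asymmetric_flows(near_lines, far_lines):
    """Flows half-open on the near firewall but fully established on the far one."""
    established = {
        (st[1], st[2])
        for st in map(parse_state, far_lines)
        if st and st[3] == "ESTABLISHED" and st[4] == "ESTABLISHED"
    }
    return half_open_flows(near_lines) & established

# Constructed sample output shaped like the two state tables in the post.
OPNSENSE1 = [
    "all tcp 172.30.0.164:59216 -> 172.30.2.10:22       SYN_SENT:CLOSED",
    "all tcp 172.30.2.10:22 <- 172.30.0.164:59216       CLOSED:SYN_SENT",
]
OPNSENSE2 = [
    "all tcp 172.30.0.164:59216 -> 172.30.2.10:22       ESTABLISHED:ESTABLISHED",
    "all tcp 172.30.2.10:22 <- 172.30.0.164:59216       ESTABLISHED:ESTABLISHED",
]
```

Run `asymmetric_flows(OPNSENSE1, OPNSENSE2)` to get the set of flows whose return traffic never reached opnsense1; feeding it real `pfctl -ss` output from both boxes works the same way.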
General Discussion / Re: IPSEC with two remote ip (primary/backup)
« on: September 13, 2020, 06:39:21 pm »
@mimugmail @banym
Maybe I haven't explained myself.
My OPNsense is connected to two lines in BGP; I have no problems with HA.
I need to connect to an external company that uses Cisco ASA,
wants to create an IPsec VPN and has 2 internet lines in Active/Standby.
Obviously, being an external company, I cannot impose an OpenVPN configuration (Cisco ASA does not support it),
and firewalls normally support dual peer active/standby.
@rainerle
In this way I believe that OPNsense tries to activate both IKEs, while they should be active/standby, right?
General Discussion / Re: IPSEC with two remote ip (primary/backup)
« on: September 12, 2020, 09:12:11 pm »
@mimugmail thanks
This is another big limit in a real enterprise deployment...
General Discussion / IPSEC with two remote ip (primary/backup)
« on: September 12, 2020, 06:57:26 pm »
I need to set up my OPNsense to make an IPsec VPN.
The remote firewall has two IPs, primary and backup.
In the GUI I can set only one IP; how can I make this setup?
Thanks
General Discussion / How to block TOR
« on: August 20, 2020, 10:52:14 pm »
Hi,
I need to block the TOR network;
is there an equivalent of pfBlockerNG in OPNsense?
Thanks
General Discussion / How to log vpn access
« on: August 14, 2020, 12:33:01 pm »
Hi,
I have set up an OpenVPN with 2FA and local auth.
1) I need to have a log of login/logout and login failures; how to?
2) Is it possible to launch a command on login/logout?
It is useful to launch zabbix-send for remote logging and access monitoring.
3) Is it possible to send an SNMP trap on login/logout/login failure?
Thanks