Messages

1

23.1 Legacy Series / Re: IPv6 /56 wan without upstream static routing

« on: April 13, 2023, 10:17:33 am »

Hi Zan,

thank you so much for your reply.
I modified my setup as per your suggestion. IP assignation via SLAAC works fine.
Unfortunately, the behaviour doesn't change. From a client in LAN i can ping both the OPNsense LAN IP and WAN IP but not the upstream gateway nor anything else in the WAN.

Thank you,
Marco

2

23.1 Legacy Series / IPv6 /56 wan without upstream static routing

« on: April 12, 2023, 11:55:48 am »

Hi,

my (cloud) provider delivers me a /56 subnet. Their gateway is the first IP of the subnet. The /56 is not statically routed through the MAC of my NIC, I need NDP. Also, DHCPv6 is not provided on their end.Setting up a WANv6 IP for OPNsense works fine. I'm able to allocate a ::2/56 IP, set ::1 as gw and the firewall can ping / reach the internet on v6. What I can't get to work is traffic from the LAN / other interfaces.

I have tried many different configurations but none of these announced via NDP the IPs I had on other interfaces and on the clients. Also Router Advertisements wasn't helpful, even when manually putting a /64 under Advertise Routes. This way I see from tcpdump the packages leaving on the WAN, then the solicitations arriving from the upstream router but no answer from OPNsense.

What's the right way to do this?

3

23.1 Legacy Series / CARP implementation in weird setup

« on: March 31, 2023, 02:31:55 pm »

Hi,
I'm trying to setup OPNsense to route public IPs to a specific interface but still keeping them subject to the firewall rules.

What's working

Setting up a static ARP on the wan switch or manually telling the upstream to route through the OPNsense WAN IP. In this situation the WAN IP address of OPNsense is a CGNAT address /32 and he correctly receives packages for the public IPs. I then

Code: [Select]

route add -host PUB.LI.C.IP -interface vtent2 and set a rule to allow ICMP on WAN with destination PUB.LI.C.IP. From the outside I am then able to correctly ping the machine behind OPNsense. In this context, on vtent2 OPNsense also has a CGNAT IP /32 and the VM has PUB.LI.C.IP/32 as IP and the OPNsense as far gateway.
The setup works just fine and accomplishes the goal of terminating the public IP on the VM without natting.

What's NOT working

The same setup but using CARP. I was trying to understand if it's possible to make this setup HA so I started configuring a master node. I see, once I create a CARP IP from the Web GUI, a route for the public IP on lo0 gets created. I then have to drop this route in order to re-create it on vtent2. This - apparently - somehow breaks the routing. At this point OPNsense can ping the VM on the LAN CGNAT IP and vice-versa but pinging an external address from the VM results in no answer. From tcpdump I see ICMP replies hit the WAN interface but are never routed on vtnet2.

I might be wrong but I feel like it's just a small configuration issue, just can't figure out what's messed up.

Any help would be appreciated.

4

22.1 Legacy Series / Memory getting saturated

« on: February 10, 2022, 12:20:01 pm »

Hi,

upgraded almost 2 weeks ago from 21 and now having a problem with the RAM. Its usage gets higher and higher up to when important processes like unbond get killed and the network stops working.
Had nothing like this before the upgrade. Any clue?

Thanks in advance,

5

Virtual private networks / Re: Cannot reach client LAN in OpenVPN site to site

« on: August 26, 2021, 10:22:12 am »

Any idea?

6

Virtual private networks / Cannot reach client LAN in OpenVPN site to site

« on: August 04, 2021, 07:59:58 pm »

Hi all,

I've setup a OpenVPN tunnel between two OPNSense firewalls. This the diagram:

LAN <-> Firewall A (OpenVPN client) <-> WAN <-> Firewall B (OpenVPN server) <-> other LAN/hosts

The status quo is that the clients in the LAN of A are able to ping/reach all hosts through the tunnel. Not the same from B, nor from the firewall itself or from the hosts behind it.
From packet capture on B I see packets with destination A's LAN exiting on the OpenVPN tunnel but on A they do not enter from the tunnel. Where are those packages left?
Tried both with peer to peer and remote access but nothing. I can add, I already ran into this problem in other setups.

Hope someone can help!
Best,
Marco

7

Virtual private networks / VPN site to site but with wrong static routes IPs

« on: January 14, 2021, 10:29:27 pm »

Dear all,

I just configured a site to site OpenVPN between two OPNSense. The two can connect and ping each other BUT the static routes are not generated correctly.
In fact, host 1 has ip 192.168.168.1 and host 2 has ip 192.168.168.2. The tunnel has network 192.168.168.0/29.
The static routes generated and visibile from the web gui though are wrong: it reports the remote network respectivley with gateway 192.168.168.6 (on host 1) and 192.168.168.5) on host 2. Why is this happening? Is a my own misconfiguration?

Thanks in advance

8

High availability / Re: Sync interfaces changes in OPNSense HA

« on: October 07, 2020, 02:41:46 pm »

Okay thanks but this would be anyway a cool feature though. Maybe just for the "virtual" interfaces? Some proprietary firewall has this feature.

9

High availability / Re: Sync interfaces changes in OPNSense HA

« on: September 28, 2020, 06:22:01 pm »

May we convert this into a feature request?

10

High availability / Sync interfaces changes in OPNSense HA

« on: September 24, 2020, 05:46:37 pm »

Hi,

we were trying to setup HA in OPNSense but encountered the following issue: when we add a new interface to the master (e.g. a VLAN), which occurs often, the same interface isn't created in the slave. Therefore,
1. the slave can't handle the new interface if necessary;
2. if you create a new interface in the slave in an ordred that is not congruent with the master (opt3 -> opt2) you'll get many troubles.

Any way this can be fixed? Top would be that when we create a new VLAN in the master this is created in the slave too.

Thanks,
Marco