Messages - allan

1
24.7 Production Series / Re: Aliases broken
« on: August 29, 2024, 03:06:26 pm »
Is there a common alias type whose data is missing? Are manually entered Host(s) and Port(s) aliases empty as well?

Logs for URL Table alias fetches are in Firewall > Log Files > General.

2
24.7 Production Series / Re: IPsec issues with 24.7.2
« on: August 29, 2024, 01:49:43 am »
Quote from: guyp2k on August 28, 2024, 06:27:42 pm
Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPsec tunnels dropping. I am terminating between a Sonicwall 2650 and OPNsense; prior to 24.7.2 there were no issues, now I am having issues with P2 dropping. Below is the issue, I think, and I have validated that proposals match:

2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]

The Sonicwall does not have PFS enabled. This is confirmed by the missing MODP_2048 in received proposals. You should pick "default" for your ESP.
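
As an added example, not part of this post or of OPNsense's or strongSwan's own code: a small Python script that reads the charon lines quoted above and reports why the CREATE_CHILD_SA exchange failed. The log lines are the ones quoted in the post; the function names, the dataclass and the verdict strings are this example's own, and the proposal comparison is a simplified exact-match check rather than strongSwan's real selection logic.

```python
"""Diagnose a charon 'no acceptable proposal found' by comparing the
configured and received ESP proposals and checking for a PFS (DH group)
mismatch. Example code; not from the forum post or from strongSwan."""
import re
from dataclasses import dataclass, field

# Constructed input: the four charon lines quoted in the post above.
CHARON_LOG = """\
2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]
"""

# strongSwan names its DH groups MODP_*, ECP_* and CURVE_*; any of these in an
# ESP proposal means PFS is in use for that child SA.
DH_GROUP = re.compile(r"^(MODP_|ECP_|CURVE_)")
PROPOSAL_LINE = re.compile(r"\b(configured|received) proposals: (.*)$")

VERDICT_OK = "ok: the peer's offer matches a configured proposal"
VERDICT_PEER_NO_PFS = ("peer sent no DH group: PFS is disabled on the remote side "
                       "while every local ESP proposal requires one")
VERDICT_LOCAL_NO_PFS = "peer requires a DH group but no local ESP proposal carries one"
VERDICT_GROUP_MISMATCH = "both sides use PFS but their DH groups do not overlap"
VERDICT_OTHER = "cipher, integrity or ESN mismatch (DH groups agree)"


@dataclass
class Diagnosis:
    local_pfs_groups: set = field(default_factory=set)
    peer_pfs_groups: set = field(default_factory=set)
    matching: list = field(default_factory=list)
    verdict: str = ""


def parse_proposal_line(line):
    """Return ('configured'|'received', [(proto, [transforms...]), ...]) or None."""
    m = PROPOSAL_LINE.search(line)
    if not m:
        return None
    kind, body = m.group(1), m.group(2).strip()
    proposals = []
    for prop in body.split(","):
        proto, _, transforms = prop.strip().partition(":")
        proposals.append((proto, transforms.split("/")))
    return kind, proposals


def dh_groups(transforms):
    return {t for t in transforms if DH_GROUP.match(t)}


def diagnose(log_text):
    """Compare configured vs received proposals found in a charon log excerpt."""
    configured = received = None
    for line in log_text.splitlines():
        parsed = parse_proposal_line(line)
        if parsed is None:
            continue
        kind, proposals = parsed
        if kind == "configured":
            configured = proposals
        else:
            received = proposals
    if configured is None or received is None:
        raise ValueError("log excerpt lacks configured/received proposal lines")

    local_groups = set().union(*(dh_groups(t) for _, t in configured))
    peer_groups = set().union(*(dh_groups(t) for _, t in received))
    # Simplified check: a configured proposal "matches" when the peer offered
    # exactly the same protocol and transform set.
    matching = [
        f"{proto}:{'/'.join(t)}" for proto, t in configured
        if any(proto == rp and set(t) == set(rt) for rp, rt in received)
    ]

    if matching:
        verdict = VERDICT_OK
    elif local_groups and not peer_groups:
        verdict = VERDICT_PEER_NO_PFS
    elif peer_groups and not local_groups:
        verdict = VERDICT_LOCAL_NO_PFS
    elif local_groups.isdisjoint(peer_groups):
        verdict = VERDICT_GROUP_MISMATCH
    else:
        verdict = VERDICT_OTHER
    return Diagnosis(local_groups, peer_groups, matching, verdict)


if __name__ == "__main__":
    d = diagnose(CHARON_LOG)
    print("local DH groups:", sorted(d.local_pfs_groups) or "none")
    print("peer DH groups: ", sorted(d.peer_pfs_groups) or "none")
    print("verdict:", d.verdict)
```

Run against the quoted excerpt it reports that the peer offered no DH group at all, which is exactly the "Sonicwall has no PFS" conclusion drawn above. The same function handles the opposite case (local side without PFS, peer with it) and the case where both sides use PFS but different groups, which are the other two common causes of this charon message.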

3
24.7 Production Series / Re: Traceroute / ICMP issue after 24.7.1 update
« on: August 25, 2024, 11:14:35 pm »
Quote from: franco on August 23, 2024, 11:32:50 am
It actually doesn't matter if we test on FreeBSD or OPNsense kernel because we talk about the same code change.

I'm late to the party, but I got the impression that upstream thinks we did this to ourselves by choosing to diverge from their kernel. Would validating it on a vanilla FreeBSD kernel as @Uwe suggested remove that argument? It is a slippery slope.


Quote from: doktornotor on August 24, 2024, 12:49:34 pm
I'm seriously discouraged from spending time experimenting with all that stuff to find out what else got broken on the way to report it only to be told "that's downstream problem".

Can a quick A-B test with their kernel help here as well? Now, this assumes our kernels are not bifurcated to the extent we lose functionality or significantly affect production. I also do not know how feasible this is, or how much work is involved to do this. It was just a thought after reading @Uwe's comment.

4
24.7 Production Series / Re: Port Forward to 127.0.0.1 works, but not to ::1 [+ workaround]
« on: August 25, 2024, 07:36:03 pm »
Using the ULA for loopback is a great solution. When I was setting this up, I ended up creating a Dynamic IPv6 Host alias of my WAN SLAAC, and using that as my redirect target. I might switch to using your method instead.

5
24.7 Production Series / Re: unable to install at all -- dell server with raid card
« on: August 04, 2024, 08:55:28 pm »
I am not running this hardware, but have you checked out this thread? OP mentioned turning off X2APIC so it might apply here as well.

https://www.reddit.com/r/freebsd/comments/136o9xi/freebsd_on_dell_r730xd_woes/

6
24.1 Legacy Series / Re: Cannot get out on the internet with Comcast Business service
« on: May 25, 2024, 02:06:15 am »
I can confirm that Bridge Mode must be set to "Disable" if you have static IP addresses assigned. But /32 is not the correct subnet mask. Check the Static IP Information page for your account. Write down the usable IP range, subnet mask and gateway IP listed there. Then take that gateway IP and confirm it is set up on your modem. It is listed as "WAN Static IP Address (IPv4)" under the Gateway > Connection > Comcast Network page. If you do not see that entry, or if the IP address is different, contact Comcast Business Support. They need to provision that static IP on your modem. Those tend to get lost whenever Support reinitializes the modem. They sometimes think that is a quick fix when you call them for support.

7
24.1 Legacy Series / Re: IPv6 Goes away after hours of perfect functionality without explanation
« on: May 23, 2024, 09:55:16 pm »
Quote from: Alec246 on May 23, 2024, 12:03:19 pm
Tried everything, IPv6 still goes off :/

If you have not done it already, I suggest turning on Debug logging under Interfaces > Settings > IPv6 DHCP header.

8
24.1 Legacy Series / Re: States and iMessenger
« on: April 21, 2024, 05:12:37 pm »
If you are using a time schedule on that rule, those states are automatically cleared when the time comes. Info is at https://docs.opnsense.org/manual/firewall_settings.html#schedule-states

9
Virtual private networks / Re: DHCP Relay through VPN (ISC DHCPv4)
« on: March 21, 2024, 02:36:50 pm »
Quote from: franco on March 20, 2024, 11:41:18 pm
According to a customer this works even better than the ISC relay. And the nicest thing is you can now (as in "development release") run DHCP server and relay in tandem. ;)

Gentlemen you had my curiosity ... but now you have my attention.

Thanks franco and team!

10
24.1 Legacy Series / Re: No console menu
« on: February 25, 2024, 05:48:14 pm »
Try this as root to put the shell back:

Code:
chsh -s /usr/local/sbin/opnsense-shell root

11
24.1 Legacy Series / Re: After update OPNsense 24.1.2 and Suricata 7 VoIP is dead
« on: February 25, 2024, 05:28:15 pm »
I got this to work only after copying the entire app-layer: section from suricata.yaml and inserting error-policy: ignore at the first indent level (the same level as protocols:).

The Suricata 7 documentation states that adding app-layer: in custom.yaml overwrites the one in suricata.yaml. I recommend that anyone still having issues try this if disabling IPS is not an option.

Quote
If the same section, say outputs is later redefined after the include statement it will overwrite the included file. Therefore any include statement at the end of the document will overwrite the already configured sections.

12
24.1 Legacy Series / Re: OPNsense : openssl-3.0.12_2,1 is vulnerable- AGAIN?!?!?!
« on: February 01, 2024, 03:27:33 pm »
Quote
I was really hoping I won't see this after the update. In fact someone was beating their chest swearing that the new upgrade will fix this?

Upon reading this, I thought 24.1 did not update OpenSSL. But the vuln.xml link in the OP listed its discovery date as January 30th, so these are new vulnerabilities. The ones from the original discussion were addressed by the update, since they are no longer listed.

13
23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection
« on: December 01, 2023, 05:02:28 pm »
That's great! For Phase 2, I have the settings you quoted (GCMAES256-GCMAES256-None) set on Azure, and "default" for ESP Proposals in OPNsense. Everything else on that dropdown specifies a PFS Group. If you are not using PFS, "default" is your only option.

14
23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection
« on: November 28, 2023, 07:23:23 pm »
It shows my SKU to be GW1. It is definitely not Basic so that might be the difference.

Code:
SkuText  : {
        "Capacity": 2,
        "Name": "VpnGw1",
        "Tier": "VpnGw1"
        }

15
23.7 Legacy Series / Re: Azure IPsec Basic VNG with Non-Legacy Connection
« on: November 26, 2023, 06:28:23 pm »
Your comment made me remember that I tweaked the Azure Connection resource. You're correct; it was not part of the standard Azure proposals. I updated my post with that information. It has been some time since I set all this up.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved