Messages

1

24.7 Production Series / Re: Adguard not starting after Update

« on: August 13, 2024, 11:21:39 pm »

Thanks for the input. In the end, I just deleted the .yaml file with the config; it was the fastest solution.

Now AdGuard is up and running again.

2

24.7 Production Series / Adguard not starting after Update

« on: August 10, 2024, 03:28:40 pm »

That's essentially it: After the 24.7.1 update, the Adguard plugin is visible, but refuses to start.

Any ideas?

Best e.

3

23.7 Legacy Series / Re: valid OPNsense admin Password not accepted anymore

« on: October 30, 2023, 11:27:01 am »

keymap issue? Depending on which device you use to type the password for Login and for the tester... In 99.9% of cases incorrect passwords are just that.

Unlikely. I type the password from the same device I use in the tester, same browser as well. Works in the tester, does not work in the login. Also, it‘s a password where the EN end DE keymaps are the same.

4

23.7 Legacy Series / Re: valid OPNsense admin Password not accepted anymore

« on: October 30, 2023, 10:38:27 am »

Did you maybe run into this issue? https://forum.opnsense.org/index.php?topic=36528.0

The fix for that is included in 23.7.7, but it hinges on having integrated auth disabled in the first place to produce this issue.


Cheers,
Franco

Hi and thanks for your reply,

it does not look to me that that‘s the exact issue:

I have my observer user authenticate against „internal database and TOTP“.
My admin user authenticates against „internal database“, and the password is being accepted in the tester.

Any other ideas?

Thanks!

-e-

5

23.7 Legacy Series / Re: valid OPNsense admin Password not accepted anymore

« on: October 30, 2023, 10:35:58 am »

Can you ssh in with the observer account ? Try to su - from there and change the root password

Regrettably, the observer user does not have ssh enabled.

-e-

6

23.7 Legacy Series / valid OPNsense admin Password not accepted anymore

« on: October 29, 2023, 10:42:49 pm »

Hi everybody,

on my OPNsense installation, the login of the administrator is not accepted anymore.

That's true for the web interface and for ssh.

Now for the funny part: I can log into my "observer"-account (limited permissions, essentially only sees logs and stats) via TOTP.

Then, I go to System -> Access -> Tester and test my admin password against the local database. It's giving me: "authenticated successfully".

OPNsense 23.7.6, ZFS, network time matches

Any clue what's going on? And even more important: What's the simplest way to gain access again?

If possible, I'd like to avoid the serial console, as it's a hassle to get to the machine and get it running.

Thanks!

-e-

7

General Discussion / WAN /29 network; port fwd for intl. server coming in at specific IP address?

« on: June 25, 2022, 04:24:14 pm »

Hi,

my OPNsense 22.1.8 connects to the internet per WAN interface via a /29 network, fixed addresses.

Let‘s call the network 56.142.3.73/29, where 56.142.3.73 is the uplink gateway and 56.142.3.74 is the main external address for the gateway.

VPN connections enter via that address, (via DNS resolution of vpn.customer.com into 56.142.3.74)
Now I want to access a local server in that network externally. That server needs internal and external access.

Port forwarding for https seems to be the most obvious way to do it. I figured that out, but I can only connect via 56.142.3.74 (vpn.customer.com), but not via 56.142.3.75 (web.customer.com)

How can I set that up?

Am I missing something about a DMZ? (It seemed impractical to me, as the machine needs internal access for https, smb and ssh anyhow?)

The server runs Debian and has 2 physical interfaces (10G Ethernet)
The gateway has more than enough physical interfaces, but the COLT fiber connection obviously only one.

TIA

-e-

8

Virtual private networks / 2 IPsec VPNs on one OPENsense with different access to local machines

« on: February 24, 2022, 05:09:01 pm »

Hi,

I‘m running an OPENsense 22.1 gateway that provides 2 VPN endpoints:

#1. IKEv2, EAP-MSCHAP, FreeRadius for my road warriors
#2. IKEv1, PSK, Site-to-Site for access to a Windows Remote Desktop Machine and it‘s ability to scan and print back into my local network.

ATM, my firewall rule is simple: Everything in my local Network is accessible from anybody who is allowed to access the VPNs. That was a good solution, as long as I only had VPN #1.

For VPN #2, I‘d like to restrict the access to an IP range of 10.10.0.18 - 10.10.0.35 -> this is my local fixed range for my printers and scanners.

The OPENsense has a fixed external IP address that also resolves into a FQDN.
The remote endpoint gateway for VPN #2 has a fixed IP that also resolves into a FQDN.

Would it be sufficient to build a firewall rule and place it first into the parse order that declares the following:

„All traffic coming from the Interface IPsec with origins from [fixed IP of VPN #2 remote endpoint] can access local network from 10.10.0.18 - 10.10.0.35“?

Is that possible/clever/simple?
Options?

In if advised: How exactly would that look like?

Thanks!

-cg-

9

21.7 Legacy Series / IPsec IKEv2 rekey issue?

« on: September 18, 2021, 07:45:10 pm »

Hi,

I'm running 20 clients into a Scope7 under OPENsense 21.7.2, establishing individual IPsec IKEv2 Tunnels from individual sites via EAP/MSCHAPv2.

The Clients are configured via profiles, running under MacOS or iOS.

Everything is working well, but one problem remains: Every hour, the clients get disconnected.

As the default for rekeying is 3600 seconds, that's my natural first idea to look into.

The log seems to confirm my suspicions:

2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> sending DELETE for ESP CHILD_SA with SPI c5bac60c
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> failed to establish CHILD_SA, keeping IKE_SA
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> no acceptable proposal found
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> parsed CREATE_CHILD_SA response 864 [ SA No TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> received packet: from 93.195.52.31[4500] to 192.168.1.48[4500] (192 bytes)
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> sending packet: from 192.168.1.48[4500] to 93.195.52.31[4500] (768 bytes)
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> generating CREATE_CHILD_SA request 864 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> establishing CHILD_SA con1{147} reqid 1
2021-09-17T17:15:00   charon[65375]   11[KNL] creating rekey job for CHILD_SA ESP/0xc3269189/192.168.1.48[/size]

The lines: "failed to establish CHILD_SA, keeping IKE_SA; no acceptable proposal found" stand out.

Any ideas where to look? Can I enable PSK in the process?

THX!

atoll

10

20.7 Legacy Series / Re: IPSEC traffic stalling after 20.7.1 upgrade

« on: February 15, 2021, 10:27:37 pm »

If anyone is still affected by IPsec instability, please test the following:

Change the following setting...
System: Settings: Miscellaneous -> Hardware acceleration
...from "AES-NI CPU-based" to "none" and save the change. Be sure to reboot the firewall afterwards.

Please report back.


Thanks
- Frank

Hi Frank,

disabling AES-NI worked for me, too.

IPsecv2 EAP-MS-Chapv2, Scope7 1510 Fiber, OPNsense 21.1

Just one little problem remains: With hardware acceleration, the VPN gives me about 500 Mbit/s. (for about 3,5 seconds, the the packets stop flowing, measured locally via iperf3)

Without, its about 60Mbit/s.

In a production environment, that's a serious problem.