Messages - NevadaTech

#1
This is a broad question. I'm trying to figure out where to migrate my connections.

My IPSEC site-to-site are now labeled as legacy. There is a new connection methodology for that tech. There is also WireGuard as a methodology. But if you add the WireGuard plugin there are notes against it.

My use cases are mainly single site-to-site VPNs. Half of the time one side has a static IP. Half the time DuckDNS for both. Also a fair amount of road warriors doing an OpenVPN connection.

One pro of WireGuard is that it works fine with one side static and one side dynamic for site-to-site. From what I've read, the dynamic site is the side that always kicks off the connection. It could also be dual used for road warrior connections.

For road warriors I've had to use only the OpenVPN client bundled in the OPNsense package. New OpenVPN clients don't seem to work with the generated package/key. For me, that'd be another plus for WireGuard. But, the whole

<code>
=====
Message from wireguard-kmod-0.0.20220615_1:

--
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.
--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Only useful for FreeBSD 12 which is EoL soon.

It is scheduled to be removed on or after 2023-12-31.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
</code>

has me confused. This is from a plug-in install.

Thanks for guidance and opinions!
#2
Hello,

There is probably no firm 'real' answer to this question. If there is please let me know. In general, is your router more secure if you do not have an external domain associated with its public IP? For example is router.walmart.com less secure than only using its static IP of 12.34.56.78?

In this scenario, it is an OPNsense router with out-of-the-box security enabled. There are IPSEC VPN connections to the box - both tunnel links and OpenVPN temporary connections. No other WAN ports open. I like the idea of setting a DNS name to it. I don't see how it would be less secure.

#3
General Discussion / Re: manage multiple sites routers
September 10, 2021, 11:01:39 PM
... I meant for the plugin only.
#4
General Discussion / Re: manage multiple sites routers
September 10, 2021, 11:00:32 PM
Blah! I looked all about except for the obvious. Thanks.

#5
General Discussion / manage multiple sites routers
September 09, 2021, 07:53:40 PM
Hello,

I've been looking but not finding, any help?

We have a couple dozen pfSense routers we support. Some of the sites have IPSEC VPNs, some use OpenVPN for remote access. Most sites are basic single segment networks - DHCP, DNS, NTP. The plan is to migrate them to OPNsense. Is there a tool/service that we can manage all of the routers from a single dashboard?

It can be a limited overview/manager. Something that takes care of 80% of the jobs. For all of the features of OPNsense we only use 10% of them. Items we're looking for are
* sends the remote router's firmware/version
* allows remote kickoff of updates (yes, I know this can be dangerous)
* check status and restart of IPSEC VPNs
* alerts on gateway failures and packet loss alerts (pull sided vs remote pushing?)
* pull config backups from remote routers so we have a backup locally for future jobs/recovery
* since this is a wish list, a feature that we could semi prep the router (WAN static or DHCP), a public/private SSH key exchange (?), when the user plugs it in, we could then attach and do a little deeper config
* this tool would send out email/sms notifications

I imagine you could do a lot of the reporting with Zabbix. Is the plugin current? There is Monit on the boxes but I haven't looked into its features yet.

And, yes, we'd happily pay for a quality product, anything that saves us work.

Thanks for ideas and input!
#6
General Discussion / Re: same old router+VoIP issues
March 23, 2021, 07:24:20 PM
Here's my working setup...

* I'm running Incredible PBX on a Raspberry Pi4
* I use SIPstation as my SIP provider
* I have an OPNsense router
* I have a static WAN (public) IP
* these are the settings for OPNsense and Incredible PBX

In OPNsense
NAT> Port Forward
* this auto-creates the Firewall> Rules entries
* IncredPBX is an OPNsense Alias pointing to my PBX which uses a static LAN IP

<code>
Interface  Proto  Src Address  Src Ports  Dst Address  Dst Ports      NAT IP     NAT Ports      Description
LAN        TCP    *            *          LAN address  80, 443        *          *              Anti-Lockout Rule
WAN        UDP    *            *          WAN address  5060 - 5061    IncredPBX  5060 - 5061    IncredPBX 1.1
WAN        UDP    *            *          WAN address  10000 - 20000  IncredPBX  10000 - 20000  IncredPBX 1.2
</code>


NAT> Outbound
* set to Hybrid then add the following rule
* the rule could probably be tightened up a bit

<code>
Interface  Source   Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        LAN net  *            *            *                 WAN address  *         YES          IncredPBX 1.4
</code>



In Incredible PBX
Settings> Asterisk SIP Settings> Nat Settings
* make sure your External Address is accurate
* make sure your Local Networks is accurate

Connectivity> SIPstation
* obviously only if you are using SIPstation
* make sure your Primary SIPstation Server is talking, at times you may need to refresh
* make sure your Secondary SIPstation Server
* test External Connectivity
** the Firewall Status will Fail; lots of reasons for this - you are not using FreePBX's firewall/you're using OPNsense/your PBX is not directly on the Internet>>> don't worry about it
** External IP should be accurate



The fix was one of those FM (fricking magic) fixes. It just started working. The real fix was one or more of these...
* I was making changes one at a time but not resetting my States
* my Outbound Static Port = Yes was one of my last changes
* Asterisk SIP Settings> NAT was not accurate there although the SIPstation said things were good
#7
General Discussion / Re: same old router+VoIP issues
March 23, 2021, 07:07:59 PM
Thanks, but no other router. My OPNsense connects to my cable modem.
#8
General Discussion / Re: same old router+VoIP issues
March 19, 2021, 06:13:21 AM
And I've set

Firewall> Settings> Advanced> Firewall Optimization to Conservative
#9
General Discussion / Re: same old router+VoIP issues
March 19, 2021, 06:06:49 AM
I also found these instructions in pfSense docs


Manual Outbound NAT

For Manual Outbound NAT, navigate to Firewall > NAT, Outbound tab, switch from Automatic Outbound NAT to Manual Outbound NAT and press Save. Then at the top of the list, create a rule that looks like so:

*    Interface: WAN
*    Protocol: UDP
*    Source: Network, PBX
*    Source Port: [blank]
*    Destination: Network, SIP_Trunks – Or Any for the type if the SIP trunk IP addresses are not known
*    Destination Port: PBX_Ports (or leave blank)
*    Translation: Interface address if using the WAN IP address, or the external VIP for the PBX
*    Port: [blank]
*    Static Port: CHECKED

Which I interpreted this way

<code>
Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        10.10.20.20/24  udp/ *       *            udp/ *            11.22.33.44  *         YES          IncredPBX 1.4
</code>
#10
General Discussion / Re: same old router+VoIP issues
March 19, 2021, 05:49:12 AM
I've tried a number of variations - FreePBX vs Incredible PBX and pfSense vs OPNsense. Since the end result is always the same (calls ring+pick but no audio), I figure it has to be me.
#11
Hello all,

I'm having a devil of a time trying to get my PBX to talk through the router. My belief is that the root cause is my lack of understanding NAT. Any help would be appreciated.

* PBX (10.10.20.20/24) is on the LAN network
* phone (10.10.20.30/24) is on the LAN network
* external/Internet SIP service provider (SIPstation) appears to see/talk to the PBX
* calls ring from my cell (outside network) to PBX phone (inside network)
* calls ring from PBX phone (inside network) to cell (outside network)
* no audio either way
* I've added NAT port forward; in this 11.22.33.44 is my WAN address
<code>
Interface  Proto  Src Address  Src Ports  Dst Address  Dst Ports      NAT IP       NAT Ports      Description
LAN        TCP    *            *          LAN address  80, 443        *            *              Anti-Lockout Rule
WAN        UDP    *            *          11.22.33.44  5060 - 5061    10.10.20.20  5060 - 5061    IncredPBX
WAN        UDP    *            *          11.22.33.44  10000 - 20000  10.10.20.20  10000 - 20000  IncredPBX
</code>


* doing that auto-added the Firewall Rules
<code>
Protocol  Source  Port  Destination   Port           Gateway  Schedule  Description
IPv4 UDP  *       *     10.10.20.20   5060 - 5061    *        *         IncredPBX 1.1
IPv4 UDP  *       *     10.10.20.200  10000 - 20000  *        *         IncredPBX 1.2
</code>


* I've read some that suggest set NAT Outbound to Hybrid then build a manual rule; I built this but I'm not sure it's valid
- Destination = SIPstation which is an alias to trunk.freepbx.com + trunk1.freepbx.com + trunk2.freepbx.com
- Destination Port = SIPports which is an alias to UDP 5060:5061 + UDP 10000:20000
<code>
Interface  Source   Source Port  Destination  Destination Port  NAT Address        NAT Port  Static Port  Description
WAN        LAN net  udp/ *       SIPstation   udp/ SIPports     Interface address  *         NO           IncredPBX
</code>
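As an added illustration (my own, not taken from the thread or from the OPNsense project), here is what the port-forward and outbound NAT rules from posts #6 and #11 correspond to in FreeBSD pf.conf syntax, the rule language OPNsense ultimately loads into the kernel. The WAN interface name em0 is an assumption; the PBX address 10.10.20.20 and the port ranges are the ones given in the posts. The post #11 outbound rule (Static Port = NO) is shown commented out beside the post #6 form (Static Port = YES), which is the setting the pfSense documentation quoted in post #9 calls for.

```pf
# Added example, not from the thread or OPNsense itself: FreeBSD pf.conf
# equivalent of the OPNsense NAT rules in posts #6 and #11.
# Interface name em0 is an assumption; addresses and ports come from the posts.
ext_if    = "em0"
pbx       = "10.10.20.20"    # the "IncredPBX" alias used in the posts
sip_ports = "5060:5061"      # SIP signalling
rtp_ports = "10000:20000"    # RTP media range the PBX announces in SDP

# NAT > Port Forward (inbound): signalling and media to the PBX.
# "rdr pass" also creates the matching pass rule, which is what the
# auto-added Firewall > Rules entries in the posts do.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $sip_ports -> $pbx
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $rtp_ports -> $pbx

# NAT > Outbound, post #11 form (Static Port = NO). Without static-port pf may
# rewrite the PBX's UDP source port, so the provider sees signalling and RTP
# from ports that differ from what the PBX announced in SDP; that mismatch is
# the usual "calls ring but no audio" symptom with SIP behind NAT.
# nat on $ext_if inet proto udp from $pbx to any -> ($ext_if)

# NAT > Outbound, post #6 form (Static Port = YES), narrowed to the PBX and UDP
# as post #6 suggests ("could probably be tightened up"). pf uses the first
# matching nat rule, so this must precede the general LAN rule below.
nat on $ext_if inet proto udp from $pbx to any -> ($ext_if) static-port

# Ordinary outbound NAT for the rest of the LAN (port rewriting allowed).
nat on $ext_if inet from 10.10.20.0/24 to any -> ($ext_if)
```

When checking the result on a live box, `pfctl -sn` lists the loaded translation rules and `pfctl -ss | grep udp` shows whether the PBX's outbound UDP states keep their original source port; a state whose translated port differs from the PBX's port means the static-port rule is not matching.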