Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - @Vorona

Pages: [1]

Development and Code Review / Save configuration from code

« on: December 17, 2023, 05:22:12 pm »

Hello!
I need help! I write script, which generate user certificate by local CA, using internal functions. I have problem with saving this certificate in config.
Fragment:

Code: [Select]

@require_once("config.inc");
@require_once("certs.inc");
@require_once('util.inc');

$certs = &config_read_array('cert');

const CAREFID='..........';
const CERT_DAYS=7;
$email='......';
$login='....';

cert_create($user_cert, CAREFID, 2048, CERT_DAYS, Array('emailAddress' => $email, 'ST'=>'State', 'O'=>'Org','L'=>'Location','CN'=>$login,'C'=>'CN'), 'SHA256');

$user_cert['descr'] = 'certificate-'.$login;
$user_cert['refid'] = uniqid();
$certs[]=$user_cert;
var_dump(write_config('Generate webmail cert for '.$login));

var_dump returns correct configuration array with my new certificate. But I don't see it in web interface or in /conf/config.xml. In general log file I see:

Code: [Select]

2023-12-17T18:57:16	Notice	configctl	event @ 1702828636.28 exec: system event config_changed	
2023-12-17T18:57:16	Notice	configctl	event @ 1702828636.28 msg: Dec 17 18:57:16 hostname.localdomain config[30917]: config-event: new_config /conf/backup/config-1702828636.2734.xml

But config not applying, also backup config file not exists.

What I'm doing wrong? Please, help!

Virtual private networks / Re: OSPF via GRE/IPSec

« on: August 30, 2023, 09:06:56 am »

Hello!
I found working solution!
In last version mikrotik firmware added network type "unnumbered p-t-p". With this type all works fine.

General Discussion / Re: rdr action on GRE interface

« on: April 13, 2022, 10:22:30 am »

Hello!
I found one thing. If GRE terminated on IPSec tunnel ends traffic doesn't go to filter engine. But there is kernel options net.inet.ipsec.filtertunnel
Default is 0. That means, that pf not filters inbound traffic from tunnel interfaces, assigned with IPSec.
If I set this option to 1, all rules works. But I heve One more IPSec tunnel without GRE. This tunnel with this option drops outbond packets.

In internet I foud more kernel options, which can affect to this traffic:
net.enc.out.ipsec_bpf_mask
net.enc.out.ipsec_filter_mask
net.enc.in.ipsec_bpf_mask
net.enc.in.ipsec_filter_mask

What I need to set up for correct traffic flow: pure IPSec filtering in enc0, but gre over IPSec filtering in greN?

General Discussion / Re: rdr action on GRE interface

« on: April 11, 2022, 07:42:55 pm »

I have new information:
This bug I can see if I set up gre tunnel over IPSec (site-to-site, tunnel mode). When I try to set up test pure GRE allrules works.
How fix it?

General Discussion / Re: rdr action on GRE interface

« on: April 10, 2022, 11:01:21 pm »

I found one more interesting thing:
None of all PF rules is not works on gre interfaces. All traffic just pass to any directions.
In statistic page I see, that all rdr rules on gre interfaces has 0 bytes/pkts (rules page). Also, I see very strange, that on gre interfaces has only outgoing traffic (in bytes/pkts is 0).
But in tcpdump I see traffif incoming and outgoing.

General Discussion / rdr action on GRE interface

« on: April 10, 2022, 06:28:27 pm »

Hello!
I try to set up transparent proxy on my OS. I have a problem. My rdr rule is not works.

My situation:
There is 2 physical interfaces (LAN, WAN)
Several GRE interfaces.

Gre intefaces is "LAN segment". I try to add porf-forward rule to my firewall.
I got this rule in /tmp/rules.debug:
rdr pass on gre9 inet proto tcp from {any} to {87.250.250.242} port {80} -> 127.0.0.1 port 3128 #rule not works

This rule isn't works, and traffic goes directly from network, behind gre9 interface.
But, if I add same rule for LAN, from network, behind LAN interface all works:
rdr pass on gre9 inet proto tcp from {any} to {87.250.250.242} port {80} -> 127.0.0.1 port 3128 #rule works

I see, that rule not work on GRE interfaces. What I doing wrong?

Virtual private networks / Re: OSPF via GRE/IPSec

« on: November 11, 2021, 02:21:52 pm »

Hi!
I see, that this problem can be resolved by changing FRR to bird

I tried to upgrade FRR to 7.5.1 from FreeBSD repositories, but interface gre still be unnumbered. I think for that reason I see "empty" routes in ospf at mikrotik side.

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 21, 2021, 04:47:49 pm »

Good!
What hardware do you use with opnsense? What version?

In my gre I see OSPF traffic in both ways too, but route wrong.

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 16, 2021, 05:25:33 pm »

Quote from: pmhausen on April 13, 2021, 01:54:11 pm

But could you try to disable IPsec just for debugging purposes and try if OSPF works over GRE alone?

I cannot do that. Only one point has real IP address. Otrer point behind NAT. For this reason IPSec works in tunnel mode. Why do you think, that IPSec can break OSPF, wich works in GRE? Tunnel works, firewall on tunnel at both sides are open.

Quote from: mimugmail on April 14, 2021, 09:23:02 am

I currently set up a lab cause of wireguard reports with OSPF, I'll try to test this too

You mean RB IPSec or OSPF relations between Opnsense and MikroTik?

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 13, 2021, 10:43:45 am »

Sadly...

Maybe this is something bug in frr ospfd? I found similar problem, but it was with bgp protocol on old version opnsense.

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 13, 2021, 10:04:19 am »

And there is!

One directly attached to opnsense network is in BB area. Directly attached network to Mikrotik and network between opnsense and Mikrotik in other area. I know, how works ospf and I am supporting big network on cisco an juniper hardware too, but this problem is new for me.

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 12, 2021, 11:48:57 am »

/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=172.16.117.0 name=area1

area1 - is just local name (description) of area in config. Area, configured at MikroTik is 172.16.117.0, аt opnsense backbone (0.0.0.0). In BB area network 172.26.0.0/28. In area 172.16.117.0 network 172.16.117.0/24 and 100.100.100.40/30 (Gre tunnel's network)

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 09, 2021, 06:20:46 pm »

Show neigbors:
At MikroTik:
> /routing ospf neighbor print
0 instance=default router-id=172.26.0.1 address=100.100.100.41
interface=vorona-gate priority=1 dr-address=0.0.0.0
backup-dr-address=0.0.0.0 state="Full" state-changes=19 ls-retransmits=0
ls-requests=0 db-summaries=0 adjacency=8h28m11s
At opnsense:
# show ip ospf neighbor detail
Neighbor 172.16.117.1, interface address 100.100.100.42
In the area 172.16.117.0 via interface gre1
Neighbor priority is 1, State is Full, 5 state changes
Most recent state change statistics:
Progressive change 8h29m40s ago
DR is 0.0.0.0, BDR is 0.0.0.0
Options 2 *|-|-|-|-|-|E|-
Dead timer due in 34.152s
Database Summary List 0
Link State Request List 0
Link State Retransmission List 0
Thread Inactivity Timer on
Thread Database Description Retransmision off
Thread Link State Request Retransmission on
Thread Link State Update Retransmission on

Show links:
MikroTik:
> /routing ospf lsa print detail
instance=default area=area1 type=router id=172.16.117.1
originator=172.16.117.1 sequence-number=0x80000100 age=66 checksum=0x8785
options="E" body=
flags=
links (type, id, data, metric)
Point-To-Point 172.26.0.1 100.100.100.42 10
Stub 100.100.100.40 255.255.255.252 10
Stub 172.16.117.0 255.255.255.0 10

instance=default area=area1 type=router id=172.26.0.1 originator=172.26.0.1
sequence-number=0x80000014 age=1481 checksum=0x224A options="E"
body=
flags=BORDER
links (type, id, data, metric)
Point-To-Point 172.16.117.1 0.0.0.8 10

instance=default area=area1 type=summary-network id=172.26.0.0
originator=172.26.0.1 sequence-number=0x80000012 age=1411 checksum=0x6C56
options="E" body=
netmask=255.255.255.240
metric=10

Opnsense:
# show ip ospf database router

OSPF Router with ID (172.26.0.1)

Router Link States (Area 0.0.0.0)

LS age: 1715
Options: 0x2 : *|-|-|-|-|-|E|-
LS Flags: 0x3
Flags: 0x1 : ABR
LS Type: router-LSA
Link State ID: 172.26.0.1
Advertising Router: 172.26.0.1
LS Seq Number: 80000014
Checksum: 0x22cb
Length: 36

Number of Links: 1

Link connected to: Stub Network
(Link ID) Net: 172.26.0.0
(Link Data) Network Mask: 255.255.255.240
Number of TOS metrics: 0
TOS 0 Metric: 10

Router Link States (Area 172.16.117.0)

LS age: 211
Options: 0x2 : *|-|-|-|-|-|E|-
LS Flags: 0x6
Flags: 0x0
LS Type: router-LSA
Link State ID: 172.16.117.1
Advertising Router: 172.16.117.1
LS Seq Number: 80000100
Checksum: 0x8785
Length: 60

Number of Links: 3

Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 172.26.0.1
(Link Data) Router Interface address: 100.100.100.42
Number of TOS metrics: 0
TOS 0 Metric: 10

Link connected to: Stub Network
(Link ID) Net: 100.100.100.40
(Link Data) Network Mask: 255.255.255.252
Number of TOS metrics: 0
TOS 0 Metric: 10

Link connected to: Stub Network
(Link ID) Net: 172.16.117.0
(Link Data) Network Mask: 255.255.255.0
Number of TOS metrics: 0
TOS 0 Metric: 10

LS age: 1625
Options: 0x2 : *|-|-|-|-|-|E|-
LS Flags: 0x3
Flags: 0x1 : ABR
LS Type: router-LSA
Link State ID: 172.26.0.1
Advertising Router: 172.26.0.1
LS Seq Number: 80000014
Checksum: 0x224a
Length: 36

Number of Links: 1

Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 172.16.117.1
(Link Data) Router Interface address: 0.0.0.8
Number of TOS metrics: 0
TOS 0 Metric: 10

Virtual private networks / Re: OSPF via GRE/IPSec

« on: April 09, 2021, 12:30:39 pm »

Yes, here: TAP

Virtual private networks / OSPF via GRE/IPSec

« on: April 09, 2021, 12:32:18 am »

Hello!
I try to configure dynamic routing with MikroTik.
Now I have working GRE tunnel between opnsense and routerboard.
After start ospf instanses I have corrects routes on opensense. But on MikroTik I have routes without gateway address and interface.

/routing ospf> neighbor print
0 instance=default router-id=172.26.0.1 address=100.100.100.41
interface=vorona-gate priority=1 dr-address=0.0.0.0
backup-dr-address=0.0.0.0 state="Full" state-changes=50 ls-retransmits=0
ls-requests=0 db-summaries=0 adjacency=23m31s

Here we can see, that address 100.100.100.41 (opensense)
But in recieved routes I have:

Why I haven't gateway address here?

Also, I haven't this route in routing table for this reason.

configs:
Tik:
/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=172.16.117.0 name=area1
/routing ospf instance
set [ find default=yes ] router-id=172.16.117.1
/routing ospf interface
add passive=yes
add interface=vorona-gate network-type=point-to-point
/routing ospf network
add area=area1 network=100.100.100.40/30
add area=area1 network=172.16.117.0/24

Opensense:
frr version 7.4
frr defaults datacenter
hostname gate.vorona.su
log syslog
!
interface gre1
ip ospf area 172.16.117.0
!
interface vtnet1
ip ospf area 0.0.0.0
!
router ospf
ospf router-id 172.26.0.1
passive-interface vtnet1
!
ip prefix-list test seq 10 permit 172.26.0.0/28
!
line vty
!
end

Gre interfaces has addresses from 100.100.100.40/30 network

What I'm doing wrong?

Pages: [1]