Messages

1

General Discussion / Re: Who uses opnsense in companies

« on: November 04, 2024, 02:23:30 am »

Thank you for all the comments, I agree with many of them.

Sometimes opensource is a battle that cannot be won, even though they already use it.

Security auditors are another problem with the same stuff. I remember being told you should get a brand name like Dell, not a white box solution. (To me Dell is a white box)

The biggest problem I see is they don't want to train their people to think, and they do not really care about security because if it just works or they don't need all that training, chances of an insecure configuration or improper logic the chances of an errors goes way up.

2

24.7 Production Series / Re: Central Management - Please upgrade the node to the latest Business Edition....

« on: November 04, 2024, 02:13:42 am »

Not as far as I can tell, please clarify what I could be looking for. ?browser console?

It seems to work some days and then it stops working. ( I have not found the pattern yet)

3

24.7 Production Series / Central Management - Please upgrade the node to the latest Business Edition....

« on: October 28, 2024, 07:45:35 pm »

HJi,

I keep getting

using the links in the central management.

Please upgrade the node to the latest Business Edition and make sure your browser can connect to it

The problem is some cases they seem completely up to date.

Is there a way to override this? So it can be a couple of versions/ updates out.

4

General Discussion / Re: Who uses opnsense in companies

« on: October 28, 2024, 07:37:57 pm »

Thanks for all the input does not help as Cisco uses the big-name approach and look at all our big customers.

As a note, we have more than 20 firewalls running, supporting more than 1,000 users, so this is not small.

The CIO just wants a brand name and easy to use so "any" body can do it.

I find in North America that if you have money, then people feel that if it is a big box company it will be better.

We also seem to have problems with the idea of open source. Some "uneducated" IT people ban open source because it is open source (which large companies like Microsoft, Cisco, Apple, etc. still promote), even though all the large companies use the same open source software in their products.

5

General Discussion / Re: Who uses opnsense in companies

« on: October 22, 2024, 11:16:59 pm »

I agree with that,

I was asked if I could develop a list of "real" companies that use opnsense?

The manager knows nothing about routing and is willing to have it just work (i.e., wide open), which is a disaster in itself.

This is partly driven by one tech who when his company was bought joined the network and his rules in meraki when they exist are any to any rules.

There are a whole bunch of any to any tunnels that "just work" as well.

But the manager does not seem to know enough to recognize this as a problem. etc...

Which is beside the point but I am looking for examples of larger companies that use opnsense. to counter the argument that opnsense is not used for business.

6

General Discussion / Who uses opnsense in companies

« on: October 22, 2024, 10:40:27 pm »

Hi,

Is there a list of companies that use opnsense in larger environments?

I have someone trying to change the networks from opnsense to meraki

Quote
"because it just works and large companies use meraki, and nobody uses opnsense"

7

General Discussion / Re: 24.4.3- ping: sendto: Invalid argument

« on: October 07, 2024, 05:45:24 am »

Figured it out.

When you have a virtual IP of 172.16.0.5/24 (on LAN) and add a static route to point at 172.16.0.1 for the whole range (which is invalid), it causes the IP not to show up on the interface. But you can make it appear by assigning the virtual IP to a different interface and setting it back. (ie to WAN and then back to LAN)

Then when you disable the routes and enable the routes everything appears to work.

So the mistake was adding a local network as a route. (which probably happened months before and then the reboot killed it)

(The interface does not prevent you from adding a route when it exists as a virtual IP)

8

General Discussion / 24.4.3- ping: sendto: Invalid argument

« on: October 04, 2024, 05:38:06 pm »

We upgraded to 24.4.3 and now the internal routing does not work on one of our machines

we have a virtual IP letsay 172.1.1.10/24  and it can not longer ping 172.1.1.1

get a ping: sendto: Invalid argument

when I change and assign the virtual IP to the wan interface and then back to the lan interface it starts working until the next reboot

I also have routes let's say 192.168.4.0/24 that are pointing at 172.1.1.1 and I also get a sendto error, then I disable the route and re enable it then starts working

then I have a address of lets say 10.30.0.1/23 on the lan interface the same interface with the virtual IP and I try and ping the 192.168.4.0/24 range with the source being the 10.30.0.1 IP and I cannot get it to work. This ll worked fine before the upgrade

What could cause this to happen and any suggestions on fixing it.

9

24.1 Legacy Series / Re: Route Add via Webgui - Opnsense 24.4.1

« on: July 12, 2024, 11:31:13 am »

I would still consider this a bug as there is no indication that the gateways are there. It took a long time, and then I searched here to find the scrolling the frame trick.

so I think in edit config --> gateways it should have a better indicator for the gateways otherwise it looks broken.

10

24.1 Legacy Series / Re: Systems Upgraded to 24.1 and shipped - Can change to business

« on: February 29, 2024, 02:57:03 am »

We don't use the hardware as it needs to be ULC certified (Canadian), so we install the download from the website and purchase the business version, then enter the license key and upgrade it to business.

As a note, we did look at purchasing the hardware. (We would sell it if it was easy to do so)

This is how we have always done it, and it was only when we went to 24.1 that it became an issue.

24.4 business is not available till April. It would now require an airplane flight to fix or pay a local tech. (2000KM) away. (and not always in a place with a lot of technical expertise ie remote locations)

11

24.1 Legacy Series / Systems Upgraded to 24.1 and shipped - Can change to business

« on: February 27, 2024, 12:28:07 pm »

I had 8 opnsense boxes go out to remote sites (a plane ride) and found out they had been upgraded to 24.1 and now we need to manage them centrally. So I put in the business license and as I understand it 24.4 is not available until April

In the meantime, I need to add them to central management. How can I do this? I cannot format them! These are far away and I need to get them into production. (actually, 2 of them are in production as of today.)

12

General Discussion / Starlink and Bufferbloat and Speed

« on: January 19, 2024, 08:59:13 am »

This has to do with Starlink Connections

I wondered if there is a way to implement the equivalent of sqm or codel on starlink when the speed is inconsistent.

Running the latest versions of OPNSense with Both Free and Commercial Versions
Hardware is generally an Intel i5, 9th gen, or later with at least 16 gigs of RAM. (there is one 4th gen as well) or better. (NVME on the newer ones)

On some of my clients I get an A rating (Startlink Business Modems only)

On others I get a C with up to 130 to 270ms on the download
Using the following testing site: https://www.waveform.com/tools/bufferbloat

The problem is the bandwidth where I fluctuates a lot. So sometimes it is 50 sometimes 150 etc....

So I cannot just specify a speed. Infact starlink does not even provide an accurate bandwidth number

Of do I need to put some other device inbetween

# Example results below (Checkmark vs warning etc)
BUFFERBLOAT GRADE C
Your latency increased considerably under load.

YOUR CONNECTION
Under Ideal Conditions   Currently, Due To Bufferbloat
Web Browsing   impact_checkmark.svg   impact_checkmark.svg
Audio Calls   impact_checkmark.svg   impact_checkmark.svg
4K Video Streaming   impact_checkmark.svg   impact_checkmark.svg
Video Conferencing   impact_checkmark.svg   impact_checkmark.svg
Low Latency Gaming   impact_warning.svg   impact_warning.svg
Read More
LATENCY
Unloaded
43 ms

Download Active
+124 ms

Upload Active
+26 ms

SPEED
↓ Download
166.4 Mbps

↑ Upload
13.7 Mbps

13

Zenarmor (Sensei) / Re: Senarmor/ Suricata / DMZ interface stops (working now)

« on: August 08, 2023, 04:00:42 am »

Sorry missed the replies, it is working with the same config (No longer in bypass mode) with 23.7

14

23.7 Legacy Series / Phantom IP's/ Route after interface changes

« on: August 07, 2023, 07:26:14 am »

Old firewall IP address "route" shows up on the WAN link but only in the routing table even though the IP is no longer configured.

System --> Route --> Status
ipv4   192.168.100.1   link#5   UHS   NaN   1500   em0   WAN

The route/ link#5 keeps coming back.

I had an issue where I was repurposing a firewall from one building to another for a client and the old client firewall was unreachable on the old internal address. (I need that IP for an in-building link)

In the process of re-purposing it, I just changed the configuration instead of reinstalling it (Which may have been a mistake.

So I had
LAN --> igb3 (Old IP 192.168.100.1/24)
after the move, I was no longer using igb3 for LAN
Not configured --> igb3
It showed up in the arp table for igb3 (Which would imply it is on a different machine which it is not)
Statically setting a different IP on igb3 got rid of the ARP address

Statically setting the IP gets rid of it for a while. But I need the WAN interface to be set to DHCP.

I have searched/ Grep'd the hard drive and looked at the config.xml but cannot find 192.168.100.1 and looked at every webpage (or tried to) and did not find it.

Any suggestions?

15

23.1 Legacy Series / NAT Missing when failing back from a backup wan to the main wan (Solved)

« on: July 21, 2023, 08:32:57 am »

this is for information only, as I "seem" to have fixed it. But it was enough work that I would like to pass back what I did to fix it.

I have a dual internet connection with one the "main" connection having a static IP and the secondary having DHCP

MAIN WAN
Static

Secondary WAN
DHCP

When I failed over the connection (by unplugging the wan) it failed to the secondary wan properly as well as 2 VPN connections to other sites. (Worked Well)

When failing back it would not switch to the "MAIN" connection properly, my first mistake was not setting up a proper failover group

Added a SYSTEM-GATEWAYS-GROUP
In the group I set
MAIN WAN - Tier 1
SECONDARY WAN - Tier 2
Trigger - Packet loss
(I also did some tunning of the packet loss in the gateway settings)

It still would not fail back properly
Now some where along the way my SYSTEM-GATEWAY-LOGS was generating an error message about a duplicate MAIN/Wan gateway. My way of fixing that is to erase the gateway and then check the settings on the one that appears after you delete it. (Which explains my disappearing settings on my gateway)

Then I retested the failover and again I got it to fail but when failing it back to the main connection it did not work.

This time I found that the FIREWALL-NAT-OUTBOUND was missing all of the NAT rules for the "MAIN" wan connection. I noticed that the Secondary WAN had the MAIN interface as part of its NAT rules. So I looked at the interface and found that the INTERFACES-MAINWAN had the  IPv4 Upstream Gateway set to auto. I switched it to the correct gateway.

Then I went back to FIREWALL-NAT-OUTBOUND and it had now generated the outbound nat rules for the main interface. (Nothing I had done to this point would auto-create the NAT rules.)

I hope this helps someone else.