1
24.1 Legacy Series / Re: Traffic forwarded to the default gateway when the configured ones are down
« on: April 03, 2024, 04:57:49 pm »
Hi, this option is exactly what I was looking for, thank you for your help !
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.1 Legacy Series / Traffic forwarded to the default gateway when the configured ones are down
« on: March 31, 2024, 05:18:39 am »
Hi,
I've encountered a very disturbing OPNSense behaviour and I was wondering if it was an expected one.
On my Opnsense 24.1.3 firewall, I've configured multiples interface gateways. Some of this gateways are grouped together, from the page under System > Gateways > Group. I've one of this group destined to my DNS traffic, and containes 2 gateways but not the default one. I'm not sure that changes anything, but the gateways from this group are from OpenVPN connections. For the lisibility, let's name this group GW-DNS.
On the outbound NAT part, my DNS servers have NATs configurations for the gateways through GW-DNS, and the LAN they are from has a NAT conf through the default gateway. Also, I don't know if it's relevant, I've selected the "Manual outbound NAT rule generation" option.
On the firewall rules, I've one which allows traffic from my DNS servers to the ports 53 and 853 through the GW-DNS. This rule is a quick one, and is named "DNS VPN".
I've no other rule which allows traffic to this dest ports, and neither which allows traffic from this servers (or the whole LAN) to internet, outside of debian mirrors.
Usually with my Opnsense firewall, nat and gateways configuration, my DNS traffic reaches external DNS servers through the GW-DNS and the "DNS VPN" rule.
However, I've discovered that if all of the GW-DNS are down (they have a red color in System > Gateways > Group), the DNS traffic from my DNS servers will still be forwarded to their destinations with the "DNS VPN" rule, but through the default gateway.
This behaviour feels like a buggy one, but I'm probably missing something. Can anyone help me understand it ?
I've encountered a very disturbing OPNSense behaviour and I was wondering if it was an expected one.
On my Opnsense 24.1.3 firewall, I've configured multiples interface gateways. Some of this gateways are grouped together, from the page under System > Gateways > Group. I've one of this group destined to my DNS traffic, and containes 2 gateways but not the default one. I'm not sure that changes anything, but the gateways from this group are from OpenVPN connections. For the lisibility, let's name this group GW-DNS.
On the outbound NAT part, my DNS servers have NATs configurations for the gateways through GW-DNS, and the LAN they are from has a NAT conf through the default gateway. Also, I don't know if it's relevant, I've selected the "Manual outbound NAT rule generation" option.
On the firewall rules, I've one which allows traffic from my DNS servers to the ports 53 and 853 through the GW-DNS. This rule is a quick one, and is named "DNS VPN".
I've no other rule which allows traffic to this dest ports, and neither which allows traffic from this servers (or the whole LAN) to internet, outside of debian mirrors.
Usually with my Opnsense firewall, nat and gateways configuration, my DNS traffic reaches external DNS servers through the GW-DNS and the "DNS VPN" rule.
However, I've discovered that if all of the GW-DNS are down (they have a red color in System > Gateways > Group), the DNS traffic from my DNS servers will still be forwarded to their destinations with the "DNS VPN" rule, but through the default gateway.
This behaviour feels like a buggy one, but I'm probably missing something. Can anyone help me understand it ?
3
High availability / Looking for information about the clustering and data replications
« on: May 07, 2022, 07:21:19 pm »
Hi !
After pushing my little PCEngine to the max use of its poor CPU, I've decided to build an other box from a PC. But, because currently I don't need to put an other firewall anywhere in my LAN and don't like to have hardware rusting in a closet, I though I could instead start to play with the OPNSense HA. However, there are some points I fail to understand :
1. What is the purpose of the PF sync ? Is it only for not breaking the user sessions when the failover starts ?
2. About the interfaces, as far as I understand this, I'll have to create them by hand on each boxes, right ?
3. If yes to the previous question, how does it work with VPN interfaces ? Would I have to also make the assignment by hand ?
4. About the replication, as I understand it, it's only from the main box to the slave box. Does it mean I can have specific rules and configurations on the slave box, and if they are, for example on dedicated interfaces (which don't exist on the main box), they will not be overwritten by the replication ?
5. How does work the setting replications with plugins ? For example, I have a telegraf supervision, FRR configurations, reverse proxy, few VPN (OpenVPN, Wireguard and Ikev2), etc.
The main thing with my new box is that it doesn't have at all the same hardware than the APU : it has less network interfaces, no wifi, and much more power, for running a suricata, zenarmor and other resource hungry services at the full speed of my internet connection.
After pushing my little PCEngine to the max use of its poor CPU, I've decided to build an other box from a PC. But, because currently I don't need to put an other firewall anywhere in my LAN and don't like to have hardware rusting in a closet, I though I could instead start to play with the OPNSense HA. However, there are some points I fail to understand :
1. What is the purpose of the PF sync ? Is it only for not breaking the user sessions when the failover starts ?
2. About the interfaces, as far as I understand this, I'll have to create them by hand on each boxes, right ?
3. If yes to the previous question, how does it work with VPN interfaces ? Would I have to also make the assignment by hand ?
4. About the replication, as I understand it, it's only from the main box to the slave box. Does it mean I can have specific rules and configurations on the slave box, and if they are, for example on dedicated interfaces (which don't exist on the main box), they will not be overwritten by the replication ?
5. How does work the setting replications with plugins ? For example, I have a telegraf supervision, FRR configurations, reverse proxy, few VPN (OpenVPN, Wireguard and Ikev2), etc.
The main thing with my new box is that it doesn't have at all the same hardware than the APU : it has less network interfaces, no wifi, and much more power, for running a suricata, zenarmor and other resource hungry services at the full speed of my internet connection.
4
22.1 Legacy Series / Re: Can't install on a PCEngine APU4
« on: February 01, 2022, 12:18:21 am »
Hi, thank you for your answer
I'm aware of the PCEngine issues with the USB sticks. With the one I use, I have been able to setup older OPNSenses, until the 21.1, with no problems. I don't have anymore any USB 2 stick.
I would like to install it to an internal mSSD device, which is healthy. However, I'm stuck during the boot process, right after the network interfaces are turned on, I don't have access to the setup.
About the missing GPT backup table, I had this errors as well with other OPNSense installs, but this didn't prevent me to make them.
I have thought of doing the setup on the internal drive on an other endpoint, but instead I would have rather prefered to solve this issue. But since it seems I'm the only one with this problem, I'll do it anyway, when I'll have some freetime, with the hope than someone has an other idea to test in the meantime
I'm aware of the PCEngine issues with the USB sticks. With the one I use, I have been able to setup older OPNSenses, until the 21.1, with no problems. I don't have anymore any USB 2 stick.
I would like to install it to an internal mSSD device, which is healthy. However, I'm stuck during the boot process, right after the network interfaces are turned on, I don't have access to the setup.
About the missing GPT backup table, I had this errors as well with other OPNSense installs, but this didn't prevent me to make them.
I have thought of doing the setup on the internal drive on an other endpoint, but instead I would have rather prefered to solve this issue. But since it seems I'm the only one with this problem, I'll do it anyway, when I'll have some freetime, with the hope than someone has an other idea to test in the meantime
5
22.1 Legacy Series / Re: Can't install on a PCEngine APU4
« on: January 30, 2022, 09:49:40 pm »
After a firmware upgrade to the 4.15.0.2, I still have the same problem 
6
22.1 Legacy Series / Re: Can't install on a PCEngine APU4
« on: January 30, 2022, 04:24:47 pm »
Thank you for the suggestion. I have the v4.0.33, maybe it's time for an upgrade 
Which version would you recommend for the OPNSense compatibility and stability ?
Which version would you recommend for the OPNSense compatibility and stability ?
7
22.1 Legacy Series / Can't install on a PCEngine APU4
« on: January 30, 2022, 03:07:47 pm »
Hi,
Since the 21.7 I'm unable to upgrade or install a new version of OPNSense on my APU 4. I thougth it was because of some changes on the HardenedBSD core, so I waited the version 22.1 for reinstalling my fw.
But with this version, I'm still unable to install it from a USB key with a serial image. After booting from the USB key, I have the usual log outputs until the network interfaces are turned on, then some errors about a missing GPT table at the end of the media and then nothing else happens.
However if I try to do the same with the version 21.1, it works fine. I still have the missing GPT header error, but the boot process continue and I can setup my fw.
Am I the only one with this problem ?
Since the 21.7 I'm unable to upgrade or install a new version of OPNSense on my APU 4. I thougth it was because of some changes on the HardenedBSD core, so I waited the version 22.1 for reinstalling my fw.
But with this version, I'm still unable to install it from a USB key with a serial image. After booting from the USB key, I have the usual log outputs until the network interfaces are turned on, then some errors about a missing GPT table at the end of the media and then nothing else happens.
However if I try to do the same with the version 21.1, it works fine. I still have the missing GPT header error, but the boot process continue and I can setup my fw.
Am I the only one with this problem ?
Pages: [1]