Messages

1

24.1 Legacy Series / 24.1.9 Services on two different ISPs without load balancing

« on: June 20, 2024, 06:29:41 am »

Hi all,

I am trying to replace some old closed-source Firewalls with a pair of OPNsense boxes.

We have two ISPs - Telus and TeraGo

We are running two SFTP sites for reasons beyond my control. On the old firewalls, each one is served via one of the ISPs, so they both can use SSH port

Telus uses DHCP to provide address

TeraGo provides a static /30 with the other IP being their Gateway

I have configured Gateways, with Telus Gateway being the default

I have setup NAT rules on each ISP interface as needed, with the exception that I edited the Firewall rule matching the NAT entry on the TeraGo interface to force it to use the TeraGo gateway to reply

I see traffic coming into the Firewall, and Firewall Liveview shows the packets were accepted and response was allowed, but tcpdump shows no packets actually exit the firewall.

Is this something that simply cannot be done with packet filter?

Thank you,
Lukasz

2

Virtual private networks / Re: Updating IPSec parameters in place breaks tunnel

« on: June 20, 2024, 06:19:26 am »

I found the issue here. The SP database was not updated correctly. I ended up using setkey to remove stale entries from the old configuration, then removing and re-adding the required Phase 2 and Phase 1 entries via the UI, that seems to have resolved it.

3

Virtual private networks / Unable to log into OPNsense WebUI via Wireguard client - wrong credentials?

« on: November 09, 2023, 12:31:04 pm »

Hi team,

I haven't found anything about this specific case on Google. First time setting up WG remote access.

OPNsense is 23.7.7_3

Trying to log into OPNsense WebUI on the Wireguard peer IP (x.x.250.1) results in invalid credentials error.

Tried two different client peers - the WebUI login page loads, but credentials are refused as wrong.

Connecting via OpenVPN, using OPNsense LAN IP works fine with the same credentials.

Curiously, login attempts are not logged in Audit log.

Has anyone run into this and can explain?

4

Virtual private networks / Updating IPSec parameters in place breaks tunnel

« on: March 03, 2023, 09:20:09 am »

Hi OPNsense users,

I am trying to upgrade out of 21.7 since its quite severely out of date. In a VM, I confirmed that I can still do the upgrade by going through 21.7 > 22.1 > 22.7 > 23.1.

To go to 22.1, I need to migrate two tunnels away from 3DES/MD5 to AES256/SHA256. At the same time I am also migrating using an old legacy ISP connection to a new redundant one - both are configured in OPNsense, and we're using both for various things before the migration is complete. The VPN tunnels are some of the last items on the list.

There are two firewalls in HA pair. CARP, PFSYNC etc. appears to work correctly. These are HP 1U servers with 8c 16GB ram and quad port Broadcom network card. We do use VLANs.

I tried updating one of the tunnels but ran into a strange issue:

* I made the local changes, while the person in charge of remote endpoint made theirs to match
* Tunnel came up immediately and P1 and P2 were established
* Traffic from remote site arrived at local destination hosts correctly - confirmed with packet capture
* Local traffic was not sent into tunnel - statistics in Status Overview show 0 bytes sent but loads received and I did not see the traffic arrive at Firewall in live view
* States table was scrambled: flows which should match rule A, were being matched to rule B instead; this was resolved once I cleared the states table, but local traffic was not being sent into tunnel all the same
* Once we rolled back IPSEC and my endpoint IP address, the traffic resumed immediately without any other issues

While writing this, I thought that maybe we should try the following:
* Duplicate the existing tunnel config, with new parameters, but leave the entry as disabled
* Once ready, disable the current tunnel entry, and enable the new tunnel entry

Has anyone seen an issue like this? I tried searching the forum but could not find anything. Not quite sure how to describe it.

Thank you