Messages

1

General Discussion / Re: Cannot reach a specific domain, firewall shows "pass"

« on: November 02, 2022, 11:22:09 am »

I just found out that other urls like zoom.us are also affected and just had a call with my internet provider, it seems they have strange issues currently so I think it is not related to OPNsense.

2

General Discussion / Re: Cannot reach a specific domain, firewall shows "pass"

« on: November 02, 2022, 11:09:35 am »

Actually pretty nothing:

Code: [Select]

tracert insight.synology.com

Routenverfolgung zu insight.synology.com [159.100.4.210]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *        *        *     Zeitüberschreitung der Anforderung.
...

3

General Discussion / Re: Cannot reach a specific domain, firewall shows "pass"

« on: November 02, 2022, 11:00:19 am »

Any DNS filterlists applied?

In Unbound DNS? No, I haven't changed anything there, it is all default. Blocklist is not enabled.

4

General Discussion / Cannot reach a specific domain, firewall shows "pass"

« on: November 02, 2022, 10:46:09 am »

Hello all
Since a few hours, I cannot access insight.synology.com anymore from my network. It does work from mobile or from other locations. I haven't changed anything in OPNsense and when I check the firewall log files, I see a lot of entries like:

Code: [Select]

wan 2022-11-02T10:44:05 *.*.*.*:63385 159.100.4.210:443 tcp let out anything from firewall host itself (force gw)
and when using curl, I get:

Code: [Select]

curl -v insight.synology.com
*   Trying 159.100.4.210:80...
* connect to 159.100.4.210 port 80 failed: Timed out
* Failed to connect to insight.synology.com port 80 after 21052 ms: Timed out
* Closing connection 0
curl: (28) Failed to connect to insight.synology.com port 80 after 21052 ms: Timed out
How can I further debug the situation? Many thanks for your help!

5

General Discussion / Re: Site-2-Site VPN and additional clients

« on: November 25, 2021, 09:21:11 pm »

So i tried for hours and it seems that whatever I try, I need the "Client Specific Overrides" for the user to be activated. Otherwise I will always get the problem deleting temporary file when my remote router connects and then it does not work correctly.

6

General Discussion / Re: Site-2-Site VPN and additional clients

« on: November 23, 2021, 04:07:24 pm »

I played around a bit more with the settings and now, even with the settings that worked, it does not work anymore. The problem now is that the Routing Table in the Connection Status only shows one entry with the Target Network 10.10.0.6.

In the OpenVPN Log from OPNsense, I always get the following line when the remote router connected:
user/<externalip>:56882 MULTI: problem deleting temporary file: /tmp/openvpn_cc_12132333c3ab04323692ca9ddea0bc9f.tmp

Could this now be the issue? How can I solve this? I don't remember seeing this warning before.

7

General Discussion / Re: Site-2-Site VPN and additional clients

« on: November 23, 2021, 03:28:28 pm »

I think I got it working! It seems that my only problem was that the "Client Specific Overrides" do not work when the Server Mode ist set to "Peer To Peer (SSL/TLS)" is that correct? Also should I use Peer to Peer with SSL/TLS or with a Shared Key?

8

General Discussion / Re: Site-2-Site VPN and additional clients

« on: November 23, 2021, 02:51:08 pm »

Ok here are some more details.

Here's the network, forget about the Road Warriors for now. I just want a Site-To-Site VPN between the Main and the Remote Network so that each can access the others servers.


Here are the VPN Server Settings and Client overrides. On the Client side, i just imported the exported ovpn file.



Here are the WAN and Firewall Rules:



And here is the connection status of the OpenVPN Server:


As mentioned before, I am able to ping and access "Server A" from "Server B" but not the other way round.
The problem should not be on the Asus router as I have already used it in the exact same szenario with another Asus router as VPN Server. I now just replaced the Asus VPN Server with an OPNsense box.

9

General Discussion / Re: Site-2-Site VPN and additional clients

« on: November 23, 2021, 11:07:19 am »

Thanks for the answer. Yes I saw that there are two server modes: Peer to Peer and Remote Access.
I probably need one server of type Remote Access for the mobile users which directly connect and one server of type Peer to Peer where my remote network is connected to.
Anyway for now I only need the Peer to Peer VPN so I adjusted my server but I still have the same problem:
The client network can access the main network but from the main network, I cannot connect to anything from the client network.
What am I still missing here?

10

General Discussion / Re: Site-2-Site VPN and additional clients

« on: November 22, 2021, 11:03:04 pm »

Ok I guess the first question can be answered by myself.
I think one VPN server is totally fine as there are "Client Specific Overrides" where I can define a remote network for my specific site-2-site client user which I use in the ASUS router. But I still have the issue that I cannot access services on the client network from my main network.
I've attached my client override for my site-2-site client.

11

General Discussion / Site-2-Site VPN and additional clients

« on: November 22, 2021, 10:17:29 pm »

Hello all

I am trying to setup VPN where I want to have a site-2-site connection between two networks (between an OPNsense box (192.168.x.0/24) and an Asus Router (192.168.y.0/24) where the OPNSense box is the server and the Asus router the client) and also to support additional vpn clients like mobile phones or laptops when externally.

So a few questionas arrive:
1. Should I create separate VPN servers? One for the external clients and one for the site-2-site or can this be just one VPN server?
2. How do I configure the VPN server for the site-2-site? I have a pretty default config and the Asus router can connect and can access the resources on the VPN servers network via ip (for example a 192.168.x.50). But how do I get it the other way around so that I can also access resources on the client's network (for example 192.168.y.60)? I tried with setting the "IPv4 Remote Network" to the address range of the clients network (192.168.y.0/24) but that didn't help.

If you need more info I will gladly provide them.

Many thanks for your hints.
Roman

Edit: Added Server Settings

12

General Discussion / Re: Local DHCPv4 custom DNS is not used

« on: October 27, 2021, 09:06:36 am »

I am still suffering from this issue. I disabled Unbound DNS for now which also seems to fix the issue but I am unsure if that is the right way to do it. ANy help would still be very appreciated.

13

General Discussion / Re: Local DHCPv4 custom DNS is not used

« on: October 15, 2021, 12:09:49 am »

I just found out that when I do an nslookup, I see my opnsense as Server and its ipv6 as address. Could my issue be that it uses ipv6 now for some reason (whereas it used v4 earlier on)?

Edit1: Ok, I disabled ipv6 on my PC and now everything works again! So what is the best I should do? Disable all ipv6 in opnsense? Or somehow disable DNS via ipv6? Or somehow give the ipv6 of my DNS server to DHCPv6?

14

General Discussion / Local DHCPv4 custom DNS is not used

« on: October 14, 2021, 11:59:56 pm »

Hello

I have a fairly standard OPNSense box. I use quite some services which are available from the internet like "myservice.mydomain.com" which goes to an nginx-container which forwards to the right service. From external this works perfectly. Now to use the same while in the LAN, I use a custom DNS Server which translates "myservice.mydomain.com" into the LAN IP of the nginx-container.
For this, I added my LAN-DNS-IP into Services -> DHCPv4 -> [LAN] -> DNS servers
This actually worked now for almost a week somehow (but seemed strange as some custom entries from my DNS didn't work) but now it stopped working at all. When I now use "myservice.mydomain.com" from the LAN, I get "A potential DNS Rebind attack has been detected." Also if I ping "myservice.mydomain.com" from LAN, I get my WAN address. It seems as if my custom DNS is entirely skipped.

What could be the issue? What am I missing? I read about "Reflection for port forwards" and "Reflection for 1:1" which in the end would lead my connection to WAN and back so I don't want that, I want to directly go to the correct LAN address instead of doing a round trip to WAN.

Many thanks for your help.

15

General Discussion / New home networking setup with VLANs

« on: August 10, 2021, 11:06:15 pm »

Hello all

First time poster and first time opnsense user.

I am planning to redo my whole home network setup. I am currently just using a customer grade router as main router and I want to switch to opnsense in order to be able to use VLANS.

I have actually prepared a small image on how I imagine the network looks like (physically) and added it to the attachments.

Hardware summary:
- Cable modem, well as fiber modem
- IPU445 with opensense (has 4 ports)
- Various switches, all capable of VLAN tagging I hope
- Two Asus routers as Switches / Access points. They will use FreshTomato or ddr-wrtto use VLANs.

Connection summary:
- Cable modem is connected to one port on the pfsense box which is declared as WAN
- One? port from the opnsense box to the next switch
- One trunk per switch so all have a trunk.
- Devices are normally connected to the switches or via wifi.

My main question/insecurity is that my opnsense box has 4 ports, 1 is used for WAN so I have 3 free. Should I have only one of them as trunk port to the next switch (so multiple vlans and data go thru that port) or should I have multiple ports, maybe even with port aggregation? Or should I use multiple and maybe assign each of them a few vlans?

Also is something bad practice in this setup and should be changed?

Many thanks for you input! I will probably come back later with more questions but those are the most important ones so I can start.

Cheers,
Roman