Messages - astranova

#1
I just got stuck in the same spot. I was previously using an external Elasticsearch DB but that external machine was unreliable so I reset to defaults and went back through to select a local db. Have you made it past that point yet?
#2
Looked further into this and error 554 5.7.1 apparently means it's rejected on the recipient server - sorry, I'm slightly ignorant on SMTP. So apparently Gmail is rejecting it, but why are my other services using the same postfix server going through to the same gmail address correctly?

Also read that a From=<> might be correct to prevent a loop of bounce messages. So I'm not 100% sure what ZenArmor is doing or where it's failing.
#3
I don't mind changing the setting, this is just the defaults for the postfix docker container I used. I still think there may be a bug since it's not including it, though.
#4
I have a Postfix docker container running that I use to send email from all services on my network. It works fine for everything so far except for Zenarmor, using the same settings.

When I test the connection, it's giving me an "access denied" error, and looking at the postfix log, it looks like Zenarmor is not including the "from" parameter when it's connecting.

Here's an example of the (scrubbed) logs from Monit on the same device when it sent an email successfully:
2022-07-25T21:22:03.586198+00:00 INFO    postfix/smtpd[27765]: connect from OPNsense.mydomain[10.10.0.1]
2022-07-25T21:22:03.641992+00:00 INFO    postfix/smtpd[27765]: 9B5BA460496: client=OPNsense.mydomain[10.10.0.1]
2022-07-25T21:22:03.685299+00:00 INFO    postfix/cleanup[28526]: 9B5BA460496: message-id=<1658784123.d72d7861dc0a9c1f@OPNsense.mydomain>
2022-07-25T21:22:03.689927+00:00 INFO    postfix/smtpd[27765]: disconnect from OPNsense.mydomain[10.10.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2022-07-25T21:22:03.690487+00:00 INFO    postfix/qmgr[227]: 9B5BA460496: from=<root@opnsense.mydomain>, size=813, nrcpt=1 (queue active)
2022-07-25T21:22:04.890003+00:00 INFO    postfix/smtp[28527]: 9B5BA460496: to=<myemail@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.115.26]:25, delay=1.3, delays=0.1/0.01/0.71/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK  1658784124 i14-20020a056870344e00b0010c38471ee7si9722681oah.78 - gsmtp)
2022-07-25T21:22:04.890585+00:00 INFO    postfix/qmgr[227]: 9B5BA460496: removed

But here is what happens when Zenarmor tries and fails:
2022-07-26T01:00:18.698596+00:00 INFO    postfix/smtpd[32282]: connect from OPNsense.mydomain[10.10.0.1]
2022-07-26T01:00:18.737756+00:00 INFO    postfix/smtpd[32282]: NOQUEUE: reject: RCPT from OPNsense.mydomain[10.10.0.1]: 554 5.7.1 <myemail@gmail.com>: Recipient address rejected: Access denied; from=<> to=<myemail@gmail.com> proto=ESMTP helo=<OPNsense.mydomain>
2022-07-26T01:00:18.779415+00:00 INFO    postfix/smtpd[32282]: lost connection after RSET from OPNsense.mydomain[10.10.0.1]
2022-07-26T01:00:18.779572+00:00 INFO    postfix/smtpd[32282]: disconnect from OPNsense.mydomain[10.10.0.1] ehlo=2 mail=1 rcpt=0/1 rset=1 commands=4/5

It doesn't seem to matter what I put in the From field in the ZenArmor config; it doesn't show up in the postfix logs, which seems to indicate that it's not being sent in the connection.
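An added example, not code from the thread, from OPNsense, Zenarmor or the Postfix project: a small Python parser for the two smtpd log excerpts quoted in this post. It picks out the observable difference between the working Monit session and the failing Zenarmor one, namely the empty envelope sender (from=<>) on the NOQUEUE reject line and the rcpt=0/1 count on the disconnect line, so the same check can be run over a whole maillog when triaging "Recipient address rejected" errors from an internal relay. The sample input is the scrubbed log text from the post; Python 3.8+ is assumed.

```python
from __future__ import annotations

import re
from typing import Optional

# Sample input: the scrubbed Postfix log lines quoted in the post above
# (successful Monit session first, then the failing Zenarmor session).
SAMPLE_LOG = """\
2022-07-25T21:22:03.586198+00:00 INFO    postfix/smtpd[27765]: connect from OPNsense.mydomain[10.10.0.1]
2022-07-25T21:22:03.641992+00:00 INFO    postfix/smtpd[27765]: 9B5BA460496: client=OPNsense.mydomain[10.10.0.1]
2022-07-25T21:22:03.689927+00:00 INFO    postfix/smtpd[27765]: disconnect from OPNsense.mydomain[10.10.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2022-07-25T21:22:03.690487+00:00 INFO    postfix/qmgr[227]: 9B5BA460496: from=<root@opnsense.mydomain>, size=813, nrcpt=1 (queue active)
2022-07-26T01:00:18.698596+00:00 INFO    postfix/smtpd[32282]: connect from OPNsense.mydomain[10.10.0.1]
2022-07-26T01:00:18.737756+00:00 INFO    postfix/smtpd[32282]: NOQUEUE: reject: RCPT from OPNsense.mydomain[10.10.0.1]: 554 5.7.1 <myemail@gmail.com>: Recipient address rejected: Access denied; from=<> to=<myemail@gmail.com> proto=ESMTP helo=<OPNsense.mydomain>
2022-07-26T01:00:18.779415+00:00 INFO    postfix/smtpd[32282]: lost connection after RSET from OPNsense.mydomain[10.10.0.1]
2022-07-26T01:00:18.779572+00:00 INFO    postfix/smtpd[32282]: disconnect from OPNsense.mydomain[10.10.0.1] ehlo=2 mail=1 rcpt=0/1 rset=1 commands=4/5
"""

# smtpd "NOQUEUE: reject" line: stage (RCPT), client, SMTP code, enhanced status
# code, the rejected address, the reason, and the envelope from/to/helo values.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <(?P<subject>[^>]*)>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)
# smtpd "disconnect" line: per-command counters, written as "n" or "ok/attempted".
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from (?P<client>\S+) (?P<counts>.*)$"
)


def parse_counts(counts: str) -> dict[str, tuple[int, int]]:
    """Turn 'ehlo=2 rcpt=0/1 commands=4/5' into {'ehlo': (2, 2), 'rcpt': (0, 1), ...}."""
    parsed = {}
    for token in counts.split():
        key, _, value = token.partition("=")
        ok, slash, attempted = value.partition("/")
        # A bare number means every attempt of that command was accepted.
        parsed[key] = (int(ok), int(attempted) if slash else int(ok))
    return parsed


def parse_reject(line: str) -> Optional[dict]:
    """Return the fields of a NOQUEUE reject line, flagging an empty envelope sender."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["null_sender"] = rec["sender"] == ""  # from=<> is the null (bounce) sender
    return rec


def parse_disconnect(line: str) -> Optional[dict]:
    """Return pid, client and parsed command counters of a disconnect line."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    return {"pid": m["pid"], "client": m["client"], "counts": parse_counts(m["counts"])}


def analyze(log_text: str) -> list[dict]:
    """Collect rejects and sessions whose counters show refused commands."""
    findings = []
    for line in log_text.splitlines():
        rej = parse_reject(line)
        if rej:
            findings.append({"kind": "reject", **rej})
            continue
        dis = parse_disconnect(line)
        if dis:
            failed = {k: v for k, v in dis["counts"].items() if v[0] < v[1]}
            if failed:
                findings.append({"kind": "partial_session", "pid": dis["pid"],
                                 "client": dis["client"], "failed": failed})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        if f["kind"] == "reject":
            print(f"{f['client']}: {f['code']} {f['dsn']} for <{f['rcpt']}> "
                  f"({f['reason']}); null sender: {f['null_sender']}")
        else:
            print(f"{f['client']} pid {f['pid']}: refused commands {f['failed']}")
```

Running this over the sample prints one reject with `null sender: True` and one partial session with `rcpt: (0, 1)`, while the Monit session produces no finding at all; a relay that treats the null sender differently from a normal address (for example through a sender-based access restriction) will show up as exactly this pattern.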
#5
General Discussion / Re: LAGG + Bridge + VLANs
May 04, 2022, 04:30:22 PM
OK - so for example,

  • first I would create the LAGG
  • then under INTERFACES: OTHER TYPES: VLAN add the VLANS with the LAGG as the parent interface - the vtnet1 VLANs are already there.
  • next it looks like I would need to do assignments, since if I try to create a bridge right now, it only shows interfaces from the assignments screen, so create new interfaces for the VLANs that are coming from the LAGG. At this point each VLAN has 2 interfaces, one with the LAGG as parent and one with vtnet1 as parent
  • then create a bridge and add the pair of interfaces that are the same VLAN
  • but then where does the IP for that VLAN subnet get set - in each interface or the bridge? Maybe I've confused a step above
Without actually creating a bridge I'm not sure how it will end up. And then would I have to redo all the firewall settings since they're specified for the current interface assignments?
Thanks for the help
#6
General Discussion / LAGG + Bridge + VLANs
May 04, 2022, 02:46:48 PM
How do I do a LAGG + Bridge + VLANs? I am running on Proxmox and want to pass through my 4 port NIC (assuming I can get IOMMU to cooperate and put it in its own group) but I am not sure how to transition from my current setup to handling the above things inside OPNsense.

Currently, I have the LAGG setup as bond0 in Proxmox to an external switch that trunks about 5 VLANs including the WAN. The bond0 in the Proxmox setup is part of vmbr1 which is an OVS Bridge that is also used by several other VMs, they have their virtual NIC as an access port to a specific VLAN on vmbr1. Finally, my OPNsense VM has 2 NICs on vmbr1 - one is on an access port to the WAN VLAN, and the other trunks all the LAN ones - so from the OPNsense point of view, it just sees 2 NICs, one WAN, and one LAN and I separate out the VLANs in there.

If I pass through the whole NIC, I want to use one port as WAN directly not going through the switch, and 2 ports as LAGG to the switch, like it currently is trunking the LAN VLANs, but also set up a bridge with a virtual NIC on vmbr1 to communicate with the other VMs. My thought is this will improve performance a little since devices on the switch won't have to also go through the vmbr1.

I'm not sure how to set it up - once I pass through the 4 port NIC, I'll be able to remove the WAN virtual NIC from OPNsense and I'll have 5 total NICs showing up. I would first set up the LAGG on 2 of them that connect to the switch, and assign one to WAN. Then how do I do the VLAN assignment with the bridge - do I create the bridge and add the LAGG and the virtual NIC to it, and then split out the VLANs on the bridge device?

I'm concerned about doing something in the wrong order and losing access to the GUI. I have the built-in eth port on Proxmox that I can connect to and use another VM to access it through vmbr1 or I can use the serial terminal on the Proxmox host to configure it via CLI if I have to, but it would be nice to know the best way to accomplish this.
#7
I've been setting up my OPNsense router gradually, while it's been behind my main router.
Original configuration was:

Modem --- OpenWRT router with 192.168.0.1/20 network --- OPNSense router with 10.10.0.1/16 subnet and others on VLANs.

The OpenWRT router has an external HDD shared on the network that I was still able to access from the OPNSense subnets. Today, I finally moved everything behind the OPNSense router and swapped the modem over to connect directly to WAN on the OPNSense router, but I'm trying to figure out how I can temporarily still access the share on the OpenWRT router until I get a chance to migrate that HDD to the OpenMediaVault server on the new subnet?

I currently have a LAN port on the WRT router still plugged in - it's tagged for a VLAN from the WRT router - and I've created an interface on the OPN router for that VLAN. I was trying to set up a 2nd gateway - and the OPNSense router gets an IP on the 192 network but I can't get it to access it from a subnet - I can ping it and ssh to it when I'm ssh'd into the OPNSense router though, and there is a route for it.

Or do I need to connect the WAN on the WRT instead - basically completely reversing the original config - but would I run into an issue where I can't access any of the 192 subnet from the 10 subnet due to the NAT?