Messages - DL-KK

#1
Hi,
I have an 802.1x setup, and to get 802.1x (WiFi) working through an OPNsense FW, I have done the following steps:

normalization:
disable scrub/normalization for interfaces touching the traffic

Rules:
create a rule allowing port UDP/1812 to the NPS server
create a rule allowing port UDP/1813 to the NPS server
create a rule allowing any UDP to the NPS server (it is this rule I would like to tighten up)

The reason for the last rule is that if I don't have it, I can't get the fragmented UDP packets through the FW, and then the RADIUS validation fails.

Background info:
we are using certificates for 802.1x, so that is the reason why the packets are so large and need to be fragmented.

Is there a way to allow the fragmented UDP packets without allowing all UDP traffic to the server?
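The reason the two port rules alone do not carry the EAP-TLS exchange, shown as an added example (not from the original post): only the first IPv4 fragment of a large RADIUS datagram contains the UDP header, so a rule evaluated fragment by fragment sees port 1812 once and nothing for the rest, while a datagram reassembled before filtering (the reassembly that normalization performs) matches as a whole. Addresses, the IP identifier and the payload are constructed; checksums are left at zero to keep the code short.

```python
import struct

IPV4_HDR, UDP_HDR, PROTO_UDP = 20, 8, 17
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst

def ipv4_packet(src, dst, ident, frag_offset, more_frags, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload; offset in bytes."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    return struct.pack(IPV4_FMT, 0x45, 0, IPV4_HDR + len(payload), ident, flags_frag,
                       64, proto, 0, src, dst) + payload

def udp_datagram(sport, dport, payload):
    """UDP header + payload; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload

def fragment(src, dst, ident, l4, mtu=1500):
    """Split one transport datagram into IPv4 fragments the way a router does at the given MTU."""
    chunk = (mtu - IPV4_HDR) // 8 * 8          # non-final fragment payloads must be 8-byte aligned
    pieces = [l4[i:i + chunk] for i in range(0, len(l4), chunk)]
    return [ipv4_packet(src, dst, ident, i * chunk, i < len(pieces) - 1, PROTO_UDP, p)
            for i, p in enumerate(pieces)]

def parse(pkt):
    """Return (ident, offset_bytes, more_frags, proto, payload) of one IPv4 packet."""
    _, _, _, ident, ff, _, proto, _, _, _ = struct.unpack(IPV4_FMT, pkt[:IPV4_HDR])
    return ident, (ff & 0x1FFF) * 8, bool(ff & 0x2000), proto, pkt[IPV4_HDR:]

def port_rule_matches(pkt, dport):
    """A 'pass udp to port dport' rule evaluated against a single packet or fragment."""
    _, offset, _, proto, payload = parse(pkt)
    if proto != PROTO_UDP or offset != 0:
        return False                            # trailing fragments carry no UDP header at all
    return struct.unpack("!H", payload[2:4])[0] == dport

def reassemble(frags):
    """Rebuild the original datagram from its fragments (what normalization does before filtering)."""
    return b"".join(parse(f)[4] for f in sorted(frags, key=lambda f: parse(f)[1]))

def demo(payload_len=3000, mtu=1500):
    """Return (rule verdict per fragment, rule verdict on the reassembled datagram)."""
    radius = b"\x01" + b"\x00" * (payload_len - 1)   # constructed stand-in for an EAP-TLS Access-Request
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])   # constructed NAS and NPS addresses
    frags = fragment(src, dst, 0x1234, udp_datagram(50000, 1812, radius), mtu)
    per_fragment = [port_rule_matches(f, 1812) for f in frags]
    whole = ipv4_packet(src, dst, 0x1234, 0, False, PROTO_UDP, reassemble(frags))
    return per_fragment, port_rule_matches(whole, 1812)

if __name__ == "__main__":
    print(demo())   # ([True, False, False], True)
```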
#2
Hi guys,

We have a test setup of 2 x OPNsense 22.1.9 firewalls.
The first one is a publicly available unit, and the other is behind a NAT firewall (but I don't think the problem is related to this).
The problem is that we can set up a WireGuard VPN and we have a fine, stable connection, but when we reboot the firewall, the plugin says that it starts the handshake and adds it as a peer interface, but we don't see any traffic going through the tunnel.

The tunnel runs great until we reboot the unit. After the reboot the tunnel can't get online, but if we run
/usr/local/etc/rc.d/wireguard stop
then wait some seconds and then run
/usr/local/etc/rc.d/wireguard start
it seems to bring up the tunnel (in 1 out of 20 times; just keep rerunning the same commands).

The output below is from after a reboot of the unit, but before it is working.

Does anyone have an idea what is happening here, and any ideas for a solution?

system info (both ends):
OPNsense 22.1.9-amd64 (it was same problem with 22.1.8)
plugin: os-wireguard 1.11 (also tried with 1.10)
packages: wireguard-kmod 0.0.20220615 (tried with and without this package)

behind NAT unit conf:
interface: wg0
  public key: 1oFHvZGtjWyaz+u/0CjxcCFLZvsDPdrxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51113

peer: yD1Dq6WCu8w1lAvpE365pBq9h4Axxxxxxxxxxxxx
  endpoint: x.x.x.x:51113
  allowed ips: 10.4.113.0/24, 172.20.113.0/24
  latest handshake: 10 seconds ago
  transfer: 252 B received, 340 B sent
  persistent keepalive: every 2 seconds

public unit conf:
interface: wg0
  public key: yD1Dq6WCu8w1lAvpE365pBqxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51113

peer: 1oFHvZGtjWyaz+u/0Cjxcxxxxxxxxxxxxx
  endpoint: y.y.y.y:51113
  allowed ips: 172.20.113.0/24, 10.20.113.0/24
  latest handshake: 1 second ago
  transfer: 13.72 KiB received, 31.25 KiB sent
  persistent keepalive: every 2 seconds