Messages - amd.64

#1
Quote from: newsense on March 20, 2025, 10:23:58 PM: Did you install the plugin? GUI or SSH would work just fine.

pkg install os-realtek-re

Thank you, that resolved the issue. All five NICs are now visible and usable by OPNsense.
#2
Quote from: newsense on March 20, 2025, 10:23:58 PM: Did you install the plugin? GUI or SSH would work just fine.

pkg install os-realtek-re

No, I did not. I didn't have to with the i5s. However, I will try it.
#3
I just recently purchased five (5) Lenovo M920Qs with i3 processors. I also just recently purchased five (5) H!Fiber quad-port 2.5G network cards with the Realtek RTL8125 chip, one NIC card for each of the M920Qs. All five M920Qs came with Windows 10.

Within Windows all five NICs (four on the card and the one onboard/integrated) connect at 1G to a 1G switch. However, when doing automatic port assignment only the onboard NIC is recognized as having an active connection. All four ports on the quad NIC, and the matching ports on the switch, get link lights but no activity or connection-speed light.

I also have two M920Qs with i5 processors and they work fine. I do not know if it matters, but these were running version 24.7 and I upgraded them to 25.1. The i3s are a fresh install of 25.1.

I am going to try to install 24.7 for giggles (if I can find the image).

Anybody have any suggestions?

Thank you
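The fix newsense gave in reply #1 (install the os-realtek-re plugin) can be made part of a scripted build. The script below is an added example, not code from this thread or from the OPNsense project: it scans `pciconf -lv` output for an RTL8125 and tells you whether the plugin is needed. It assumes that PCI vendor 0x10ec / device 0x8125 identifies the RTL8125 and that the plugin name is the one quoted above; the pciconf text it parses is a constructed sample, not output from the poster's machines.

```shell
#!/bin/sh
# Added example (not from the thread): find Realtek RTL8125 ports in
# `pciconf -lv` output so a scripted OPNsense install can pull in
# os-realtek-re before interface assignment.
# Assumption: vendor=0x10ec device=0x8125 is the RTL8125.

# Reads pciconf -lv text on stdin and prints the selector of every RTL8125
# (e.g. none0@pci0:1:0:0). Exit 0 if at least one matched, else 1.
find_rtl8125() {
    awk '
        # Device header lines look like (selector, then key=value pairs):
        #   none0@pci0:1:0:0:  class=0x020000 rev=0x05 hdr=0x00 vendor=0x10ec device=0x8125 ...
        # "none" means no driver claimed the device; "re0" means one did.
        $1 ~ /^[a-z0-9]+@pci[0-9:]+:$/ && /vendor=0x10ec/ && /device=0x8125/ {
            sel = $1
            sub(/:$/, "", sel)
            print sel
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of pciconf -lv output (not captured from a real box):
# one unclaimed RTL8125 port plus an onboard Intel NIC already driven by em(4).
sample_pciconf() {
    cat <<'EOF'
none0@pci0:1:0:0:    class=0x020000 rev=0x05 hdr=0x00 vendor=0x10ec device=0x8125 subvendor=0x10ec subdevice=0x0123
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8125 2.5GbE Controller'
    class      = network
    subclass   = ethernet
em0@pci0:0:31:6:    class=0x020000 rev=0x10 hdr=0x00 vendor=0x8086 device=0x15bb subvendor=0x17aa subdevice=0x3118
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection (7) I219-LM'
    class      = network
    subclass   = ethernet
EOF
}

# On a live OPNsense box (not run here):
#   pciconf -lv | find_rtl8125 >/dev/null && pkg install -y os-realtek-re
if [ "${1:-}" = "--demo" ]; then
    sample_pciconf | find_rtl8125
fi
```

After installing the plugin, re-run `pciconf -lv`: the selector in front of the RTL8125 entry should change from `none…` to a real interface name, which is the sign the card will show up for assignment.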
#4
Quote from: Patrick M. Hausen on February 24, 2025, 11:26:27 PM: Does this UPS have a network interface? If yes there should be a web UI for tasks like this. If it doesn't you probably need APC's proprietary software on Windows or Linux and a USB or serial connection.

For my Cyberpower UPS with RMCARD205 I can do it in the web UI.

It does, but it is only for surge protection (in and out). It does not receive an IP address.
#5
Thank you. I am trying to get SSH to work so I can try. Using the console would be difficult in my situation.
#6
25.1, 25.4 Production Series / UPS Settings and options
February 23, 2025, 10:46:59 PM
I am running 25.1.1

I have just connected an APC Back-UPS XS 1500 LCD and I have a few questions.

  • Both in the Apcupsd widget on the dashboard and in the status under the Apcupsd service it says the battery date is Dec 7, 2006. I just replaced the battery February 15. How can I update this?
  • The APC Windows app has a button to test the UPS; is it possible to perform this test in OPNsense?
  • In the APC Windows app the minimum and maximum voltages can be changed for it to go on battery. Is it possible to change these in OPNsense?
#7
24.7, 24.10 Legacy Series / Re: Configure static route
January 27, 2025, 06:04:58 AM
The way I got it working may not be ideal, but I didn't have to beat my head against a brick wall to get it to work.

I first posted on the OpenWRT forums and was told I needed to create a route on OPNsense.
I then posted here and was told it would be better to create the route on the Debian (spam) server.
I posted on the Debian forums and was told I should redo part of my network.

It appeared that it was going to be neither fun nor easy to get OPNsense, OpenWRT and Debian to all play nice. So I modified what I already had. I already had a cable connected to the 10.78.239.0 network and one connected to the 192.168.107.0 network, although 192.168.107.0 was DHCP -- not ideal, but it was meant to be temporary. I changed it to a static IP with no assigned gateway. I then created firewall rules on the Debian server to allow SMTP traffic and then block everything else.
#8
24.7, 24.10 Legacy Series / Re: Configure static route
January 26, 2025, 04:23:04 PM
Yes, basically I'd have what you described. 10.78.239.106 is my spam server, which will forward any "clean" / "legit" email to the Exchange server. I do have a web server and an RMM server also in the DMZ, but the spam server will be the only one to send unsolicited or unrequested traffic to the 192.168.107.0 network.

Thank you for the advice; I have never had to set up a static route on any firewall or OS.
#9
24.7, 24.10 Legacy Series / Configure static route
January 26, 2025, 01:44:06 PM
I am looking for some assistance adding a route.

From the image below I need to create a route preferably only from 10.78.239.106 to 192.168.107.10. If I understand correctly I need to create another gateway. If so, do I use 10.78.239.1 or 10.78.239.2?

I'd appreciate if somebody could add some clarity or provide a good link that does a good job of describing the process.

Thank you
#10
I got it working; however, being completely honest, I have no idea how.

I decided that I did not like the network scheme. It half matched the scheme that I use on my private network. I decided I wanted my DMZ to closely match the public scheme. I changed the 2nd, 3rd and 4th octets of the private IPs to match the 2nd, 3rd and 4th octets of my public IPs. Now, for whatever reason, all port forwards work as I want.

I am having issues with DNS. It works locally, but will not work for public sites / addresses. But I don't see how that would have affected port forwarding.
#11
Quote from: really_lost on January 25, 2025, 02:37:49 AM: I agree with dseven. Run a packet capture on the WAN. Assuming you see them, then alter your one to one NAT rule to log. Also create a rule on the LAN side to permit logging of packets to the Debian 12 box.

I have run a packet capture on the WAN, and only got a "Who is" with no response. I did run it with one-to-one enabled. I will also run it with it disabled.

Quote from: really_lost on January 25, 2025, 02:37:49 AM: You do mention that even with the one to one in place, you are getting the wrong IP for outbound packets, so it's possible the packets are making it all the way to the Debian box, but the replies to the TCP handshake come from the .105 ip instead of .106. A packet capture on the Debian 12 box could be informative too.

This is why I posted to the forums as well as here; I have been trying to figure this out for quite a few days and I think I might be getting tunnel vision.

But then again, 443 is open on .105 as well, which goes to the Exchange Server. So wouldn't it still report as being open?

Quote from: really_lost on January 25, 2025, 02:37:49 AM: I will say you should do more to narrow down at what point in the process things are breaking. With that info, others that have worked with 1 to 1 NATs may have some insight.

Again, this is why I asked for help; many times I have been sitting here looking at my screen telling myself I don't know what else to do. I did not think of this.

Quote from: really_lost on January 25, 2025, 02:37:49 AM: Is it possible something on the Debian firewall is permitting LAN but not non-LAN?

Possible? I suppose, in theory anyway. But I doubt it. I did try to access it and used the port checker with the host firewall disabled. Both attempts failed.
#12
I have done everything I can think of.


  • I can take the IP in question and put it in my notebook and ping in and out.
  • I have tried two different versions of OPNSense 24.7.3_1 and 24.7.12
  • I have tried two different PCs, one with an Intel quad port NIC and one with two RealTek NICS
  • I have restored to defaults and manually reconfigured all settings on both PCs and both versions tried
  • Of the three virtual IPs I have set up and enabled, with one-to-one enabled I am unable to ping any of them; with the virtual IP disabled I can ping all of them. (Yes, I know that is backward.)
  • Running nmap on the IP in question with the one-to-one enabled, nmap tells me the system appears to be down; with the one-to-one disabled I get more "positive" results, i.e. traceroute, port scan etc.
  • I have tried a packet capture on the IP in question and the only thing I got was a "Who is" broadcast, with no response.
  • My ISP (Comcast) swears (I spoke with multiple people) there is no issue with the IP, i.e. it has not been assigned to another customer (which makes sense), no router issues, ports not blocked etc. Although I am expecting a phone call by Saturday from tier 2 support.
  • Host firewall is in use but disabled for testing purposes.
  • The other virtual IPs, although they experience the same behavior with pinging (they only get a response with one-to-one disabled), all work just fine, i.e. ports forwarded on those IPs work just as intended. It is just the one IP that is having issues.

I would ask my ISP for a new block of IPs if I thought that would work, but I don't want to go through all that work, update DNS etc if it isn't going to work. But then on the other hand if I don't try how will I know?

I am at a loss of what to do from here!

Anyone else have any ideas?
#13
Doing further investigation: if the one-to-one is disabled, I can perform a tracert on a remote system with a different ISP (i.e. Verizon; I have Comcast). However, if I have the one-to-one enabled I get to the hop just before it hits my IP and then it times out, i.e. it times out when it should hit my IP.
#14
I have verified that both the public and private IP addresses are the correct ones.
#15
I think I have figured out what the issue is, just don't know what to do about it.

It appears that the issue is related to or caused by the one-to-one NAT. If I run the command curl ifconfig.me I get .105, which is the statically assigned IP address of the WAN. Instead it should give .106, which is the virtual IP / one-to-one address. I have deleted and recreated the one-to-one NAT, which did not resolve the issue. I have restarted the firewall and even restored defaults.

I also have two other publicly accessible servers; running curl ifconfig.me on them presents me with the proper IP address of the one-to-one NAT / virtual IP for that server.

If it matters (I don't see how it could but ...) the OS of the server in question is Debian 12 the other two servers are Ubuntu 24.
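The `curl ifconfig.me` check in #15 shows the symptom from the host's side; the same question can be asked of pf on the firewall itself, which removes the Debian box and the ISP from the picture. The script below is an added example, not code from this thread or from OPNsense: it reads `pfctl -ss` output and reports any outbound state from the internal host whose translated source address is not the 1:1 / virtual IP. It assumes that `pfctl -ss` prints outbound NAT'd states as `IFACE PROTO TRANSLATED_SRC (ORIGINAL_SRC) -> DST STATE`, and the state lines it parses are a constructed sample using 203.0.113.0/24 in place of the poster's public block, not a capture from his firewall.

```shell
#!/bin/sh
# Added example (not from the thread): check from the OPNsense shell whether
# outbound states for an internal host really leave with the expected 1:1 /
# virtual IP address.
# Assumption: `pfctl -ss` prints outbound NAT'd states as
#   IFACE PROTO TRANSLATED_SRC (ORIGINAL_SRC) -> DST  STATE
# so field 3 is the source seen on the internet and field 4 the real one.

# Arguments: internal address, expected public address. Reads `pfctl -ss`
# output on stdin and prints one line per mismatched outbound state.
# Exit 0 = every state translated as expected, 1 = mismatch seen,
# 2 = no outbound states for that host at all.
check_binat_states() {
    awk -v int_ip="$1" -v want_ip="$2" '
        # Only outbound states carry "(internal:port)" in field 4; inbound
        # (rdr/binat) states put the public address there instead.
        index($4, "(" int_ip ":") == 1 {
            seen++
            split($3, src, ":")
            if (src[1] != want_ip) {
                printf "mismatch: %s left as %s, expected %s (%s %s -> %s)\n",
                       int_ip, src[1], want_ip, $1, $2, $6
                bad++
            }
        }
        END {
            if (!seen) { print "no outbound states for " int_ip; exit 2 }
            exit bad ? 1 : 0
        }
    '
}

# Constructed sample (not captured from the poster's firewall): the spam
# server 10.78.239.106 should map to 203.0.113.106, but one of its states
# left as 203.0.113.105 (the WAN address). 10.78.239.50 is an unrelated
# internal host and the last line is an inbound state, both ignored.
sample_states() {
    cat <<'EOF'
igc0 tcp 203.0.113.105:51234 (10.78.239.106:51234) -> 34.160.111.145:443       ESTABLISHED:ESTABLISHED
igc0 udp 203.0.113.106:40000 (10.78.239.106:40000) -> 9.9.9.9:53       MULTIPLE:SINGLE
igc0 tcp 203.0.113.105:51300 (10.78.239.50:51300) -> 34.160.111.145:443       ESTABLISHED:ESTABLISHED
igc0 tcp 10.78.239.106:25 (203.0.113.106:25) <- 198.51.100.7:40211       ESTABLISHED:ESTABLISHED
EOF
}

# On the firewall itself (not run here):
#   pfctl -ss | check_binat_states 10.78.239.106 203.0.113.106
if [ "${1:-}" = "--demo" ]; then
    sample_states | check_binat_states 10.78.239.106 203.0.113.106
fi
```

If the firewall shows the state leaving as .105 while the 1:1 rule is enabled, the problem is in the NAT rule ordering on the firewall rather than on the Debian host or at the ISP; `pfctl -sn` will show whether an outbound NAT rule for the same source is listed ahead of the binat entry.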