Messages

1

23.7 Legacy Series / Re: FreeRADIUS Logs

« on: December 30, 2023, 10:05:51 pm »

Thanks Fright, clearing the logs solved the problem.

Had nothing to do with sorting the date as I could see the entire log file but I completely missed the giant "clear log" button at the bottom of the screen (thus why I tried deleting the radius.log file via CLI  )

2

23.7 Legacy Series / [SOLVED] FreeRADIUS Logs

« on: December 30, 2023, 03:42:19 pm »

Hello,
Hoping someone can help.  I have FreeRADIUS running on my box and have run into an issue with the logging in the GUI.

In short, the GUI is no longer displaying updated log info. (see attached)

I have logging enabled for all authentications but when I go to the logging tab I don't see any recent authentications that were made.  Latest info was from yesterday (Dec 29) for a single client.

When I go into CLI and look at /var/logs/radius.log for that same client, I can see multiple authentications since yesterday.  It almost seems like the GUI is reading a different file for the log information and it's not getting updated.

The behavior started when I changed the setting "Log to file or syslog" to syslog for testing, and then changed it back to file.

I tried uninstalling/reinstalling the FreeRADIUS plugin, deleting the radius.log file to let it build a new one, and toggling logging settings on/off with service restarts in-between.  Nothing has worked.

Appreciate any help anyone can give.

3

23.1 Legacy Series / Re: Restore Nightly Google Drive Backup To Cold Storage Machine

« on: February 10, 2023, 01:08:44 am »

Glad you got it working.  Much better than the backup workarounds you were looking to do. 

4

23.1 Legacy Series / Re: Restore Nightly Google Drive Backup To Cold Storage Machine

« on: February 03, 2023, 10:17:23 pm »

hi dkanzlemar
When you say a clone of each other does that mean it's virtual and you literally cloned it?  If so, that's why your interfaces are all messed up.  I would suggest spinning up a clean opnsense box so the interfaces match and you can restore the config directly.

You do have a couple alternatives though.
1. Assuming this is a virtual setup, use something like Veeam to backup the whole VM.  Restoring from Veeam is a lot easier IMO.

2. Run backups from a remote computer using a shell script and an SSH key instead of the stuff built into opnsense.  For example:

opnsense ip address: 10.1.1.1
network share ip address: 10.2.2.1
file with user ssh key: ssh_private_key.ppk
(Make sure to paste your ssh key into the "authorized keys" field of the user inside opnsense as well)

Shell script contents:
ssh -o StrictHostKeyChecking=no -i ssh_private_key.ppk USERNAME@10.1.1.1 cat /conf/config.xml > //10.2.2.1/MYSHARE/BACKUPFILENAME.xml

Run the script manually or set it as a cron job/scheduled task.

3. Get HA working.  Not clear why your APs would have issues unless its actually CARP having issues.  CARP can be challenging in virtual setups and you could use routing as an alternative.

5

General Discussion / Re: VLAN routing

« on: February 02, 2023, 03:15:20 am »

Hi orso,
Its difficult to picture what your problem is, sounds like traffic is flowing the way it should.  If you can provide screenshots would be helpful.

I'm envisioning a setup similar to the attached image on the left.  If you are just trying to have your LAN devices access the VPS on TCP/25 (or whatever) all you need is a firewall rule on the LAN and you are done so long as the VPS has opnsense setup as its default gateway.

If you are trying to allow internet access to VPS on TCP/25 its a little more complex but easy enough.  Create a NAT/port forward rule for any traffic hitting your WAN interface on TCP/25 and redirect it to 10.2.2.2. (Attached on right.)  You also need to create a WAN firewall rule allowing Any to 10.2.2.2 on TCP/25. 

If you are just trying to get VPS internet access (or general network connectivity) you need to make sure the VPS has its default gateway set to the opnsense IP for your dmz zone, proper rules are created on the dmz zone, and your outbound NAT statement includes the VPS subnet in the source (attached on bottom right)

6

General Discussion / Re: Traversing 2 OPNsense to access the Internet is not working

« on: February 02, 2023, 02:52:29 am »

Hi Baliste,
You need to configure some routing between your boxes.  You can do this easily enough with static routes.

Look at the routing table in opnsense1.  Willing to bet it doesn't have 10.0.200.0/24 in it.
Opnsense2 only needs a default route/gateway pointing to the LAN ip address of opnsense1 (I assume 192.168.64.1).

Let's say opnsense2's WAN address is 192.168.64.100.  In opnsense1 create a static route for 10.0.200.0/24 pointing to 192.168.64.100 and you should be good.

Make 192.168.64.100 a gateway
System --> Gateways --> Single

Create a route for 10.0.200.0/24 pointing to opnsense2
System --> Routes --> Configuration --> add new
Network address: 10.0.200.0/24
Gateway: 192.168.64.100

Only other thing to call out, make sure NAT is disabled on opnsense2.

May the schwartz be with you.

7

General Discussion / Re: Strange VLAN Behaviour

« on: February 02, 2023, 02:43:23 am »

Hi Spiky,

You are really broaching two topics on your question.  One is VLANs one is subnetting.

If I'm reading the behavior you are seeing correctly it all sounds correct. (see left side of attachment)

In other words, the VLAN 4 ip addres on the switch will only know about/listen for traffic coming from devices in 10.4.4.1-254.  Anything connected to VLAN 4 that does NOT have an IP address in the same subnet will not respond.  This is how subnetting works, period.

On the VLAN side, they are just tags to assign different subnets to.  The layer 3 switch will allow the VLANs to communicate with one another unless ACLs are applied.

To further explain the example (see right side of attachment) the two PCs can communicate but the switch won't be able to talk to them.  And in case you are wondering, the answer is NO, I did not fat-finger PC2's IP address.  Since VLAN 1 knows nothing about these two PCs (because they are connected to VLAN 4 and VLAN 4 is in a different subnet) it doesn't matter what address they have.

I would suggest you youtube a couple subnetting videos.

8

General Discussion / Re: "No route to host": need to reload WAN every ~24 hour

« on: February 02, 2023, 02:22:50 am »

I had the same issue on one of two boxes running in HA except I'm only ipv4.  I ended up reverting back to 22 to resolve the issue.

Two pieces of info to hopefully help the devs:
1. I run BGP between my opnsense boxes and the LAN instead of using CARP.  The box that would fail passing traffic to the WAN continued to advertise the default route via BGP and still had 0.0.0.0/0 as a zebra (K) route installed in the RIB.  Like teapot, pinging an internet address from the opnsense box results in "no route to host" even though the default is in the RIB.  Rebooting fixed the issue for a short period of time...24 hours sounds close enough but I didn't track it that close.

2.  I upgraded the day 23.1 came out and I applied the additional updates immediately when they were available.  I plan on waiting a couple weeks before upgrading again wondering if there was an issue with the original 23.1.0 upgrade path.

9

High availability / Re: BGW320 ATT Modem PFSync question.

« on: February 01, 2023, 07:08:33 pm »

You only have 1x internet circuit and 1x modem, right?  Both of those are single points of failure, so I assume you want to use CARP simply to have redundancy below the modem.  If that's the case I would suggest taking the ATT modem out of bridge mode and just doing a static NAT for all the traffic to opnsense.  (see attached for reference).

Assume your modem WAN IP is 2.2.2.2.  Configure the modem so that all traffic destined for 2.2.2.2 is NATd (port-forwarded) to the 10.1.1.2 CARP VIP of your opnsense boxes.  Make sure to disable any firewall that may exist on the modem and verify you can't access the modem's web interface over the internet so it doesn't get hacked.

Not sure if this satisfies what exactly you are trying to accomplish but it would work.

10

High availability / Re: MultiWan setup route traffic to backup wan loses OPNSense access

« on: January 29, 2023, 07:08:40 pm »

Your description is difficult to visualize.  You make it sounds like the admin PC is accessing opnsense across the WAN but it has a 10.x.x.x RFC1918 address.  Can you provide a diagram?

11

High availability / Re: BGW320 ATT Modem PFSync question.

« on: January 29, 2023, 07:05:04 pm »

TheGreatBellend,

Do you need the modem?  Sounds like its normally a router that NATs and you are just bypassing its normal functionality by putting it into bridge mode.  Can you connect the ATT circuit directly to your own gear?  Or is the modem doing some conversion like coax to ethernet?

If you can remove the modem, and the circuit is larger than a /30 (255.255.255.252), you can just hook the circuit up to a switch (or even a vSwitch on the R740XD if both opnsense boxes are running inside it) and place the WAN interface of each opnsense box in the same vlan...and you are done.

If you can't, the only other thing I can think of (and I've never seen this functionality before...) is if the modem can assume two public IP addresses and bridge each IP address to a different opnsense MAC address.

12

High availability / Re: Is this HA config possible ?

« on: January 29, 2023, 06:49:10 pm »

Hi Eloïse,

I think you are really asking two questions here.
1. How do you make the LTE circuit a failover circuit.
2. How can you apply this failover logic to a set of opnsense boxes running in HA.

For question 1, I think what you are looking for is a gateway group.  You essentially create a group that contains your different gateways (ONT and LTE) and give each gateway a priority so one is preferred over another until it fails or has performance issues like packet loss and latency.
https://docs.opnsense.org/manual/multiwan.html

For question 2, in order for multiple boxes to share a WAN connection the circuits must be larger than a /30 (255.255.255.252) since you need to use 3x IP address (1x for service provider, 1x for opnsense1, 1x for opnsense2).  Assuming this is not a problem, you would simply create the same gateway group on each box where ONT is preferred until it fails which activates LTE.  Would look something like the attached.

13

General Discussion / Re: Casting to and controlling Google devices on different VLANs

« on: December 28, 2022, 02:53:03 am »

Hi Banister,
First, I recommend you do some reading on multicast, IGMP, and PIM to understand how google devices (and others) magically work when everything is on one VLAN.

At a very high level, these DLNA/mDNS devices use multicast instead of unicast to communicate.  If all your vlans are on the same device, IGMP is needed to support multicast communication between them as it can track the IGMP snooping groups.  If there are other devices/routers/switches between the vlans, PIM or some other mechanism is needed on all the devices to route multicast subnets at layer 3 between them and using an established rendezvous point.

pfsense added a PIMD package a couple years back and it worked perfectly.  opnsense is still without a PIM package, however, the post below shows how you can install/configure it manually.
https://forum.opnsense.org/index.php?topic=15385.0

For firewall rules, if you want to leave multicast communication wide open but lock down everything you can do it with three permit rules:
any any PIM
any any IGMP
UDP any to 224.0.0.0/4

14

High availability / Re: HA and Load Balancing with two ISPs using two Opnsense appliances

« on: December 28, 2022, 02:13:04 am »

Hi David,
My understanding of multi-WAN load-balancing/failover feature is that it only works with a single firewall since it leverages the concept of gateway groups...meaning all the circuits you want to balance/failover between need to be physically connected to the same box.

Without seeing a diagram I think the only way you can accomplish your goal this is to implement routing between your opnsense box and your LAN where each firewall advertises the default route equal cost.  Routing will then handle your failover and balancing automatically.

15

High availability / Re: HA not working on hyper-v lab

« on: December 28, 2022, 01:54:31 am »

Hi Olthana,
A few questions and comments on your setup as mine is very similar but on ESXi.

First, when you use the term "private switch" I read that to mean the vswitches you created don't have any physical uplinks?  Assuming that's true, how do you expect a VM on two different physical boxes to communicate if they have no physical interface to send traffic out? 

Second, is there a reason you want to use different vswitches instead of one and just use different vlans for segmentation?  If you go this path just remember to create the layer 2 vlan on all the switches connecting the two physical servers together or they still won't be able to communicate.

Third, as the GUI implies HA uses a multicast address to communicate between the two boxes.  If you have trouble with multicast working you can change this to unicast (box 1 sets peer to 172.16.0.2...box 2 sets peer to 172.16.0.1).  That will fix you for HA but you will probably have the same issue with CARP since it uses multicast as well.  Again, not a hyper-v guy so I can't provide much guidance but in the ESXi world you can enable promiscuous mode, mac address changes, and forget transmits to help support non-unicast communication.

Hope this helps.

Last