Messages

1

24.7 Production Series / Re: Routing table does not load route received by OSPF

« on: September 23, 2024, 12:29:07 pm »

I think that system routing table may reflect (import) what the OSPF daemon calculates as routes. Is not this right?
What may I find as possible explanation of my problem?

2

24.7 Production Series / Routing table does not load route received by OSPF

« on: September 23, 2024, 09:56:21 am »

Hi,
I have a strange behavior. This Opnsense has OSPF enabled, that seems working well. It connects to remote OSPF routers, received data and create routing table. In routing -> diagnostic -> OSPF I can see the route I look for, and it reflect connections changes well.
For example, I have a remote network 10.0.0.0/24 that is connected via different paths, and I find the right entry in the table based on paths availability and priorities.

The problem is that the OPSENSE's routing table does not apply this. In system -> route -> status I do not find this entry. And every topology change is not reflected so I have routing problems.

This is really strange for me, but I cannot find a solution. Any idea?

thanks

3

Intrusion Detection and Prevention / Re: Error Msg on OPNsense Console??

« on: May 08, 2024, 10:55:25 pm »

I have this problem, and traffic flow is also broken (still GUI is accessible) 

disabling Suricata has solved the problem and restored flows (without to reboot)

I'm running last OPNSense on vmware, with Suricata checking WAN side (there is a lot of incoming NATs)

4

Virtual private networks / Re: OpenVPN: Session invalidated: KEEPALIVE_TIMEOUT

« on: May 06, 2024, 06:23:53 pm »

sorry, I don't remember the exact settings. I suspect in openvpn server main settings

5

24.1 Legacy Series / upgrade to 24.1 -> default route broken

« on: March 27, 2024, 09:11:34 am »

I've just updated from the last 23.7 to 24.1. After the upgrade, I was able to access the firewall from Internet, but the firewall itself was not able to send packet to any host. The default route was not loaded in routing table, or better it was loaded but assigned to a wrong interface (an ipsec).
The upstream gateway setting was preserved in WAN interface.

I manually added a static route 0.0.0.0/0 to the default upstream gateway and this solved: the right default route is loaded, and the wrong is not reported.

I upgraded many firewalls to 24.1 without this problem, but I'm worried because this is the most important. Is this a known issue? Is this something I can check?

wan is an IPv4 only interface with static public IP. OpnSense runs on a VM

thanks

6

24.1 Legacy Series / Re: Started ignoring rules

« on: March 21, 2024, 05:42:25 pm »

Maybe it's something similar, but I cannot explain nor fix
The first and the second server are in two subnets connected to this OPNSense. Direct and quick connection, no alternate route available.
Also tried to put the firewall in conservative

Also checking "Disable all packet filtering. " seems not solving problems

take a look to attached firewall log

7

24.1 Legacy Series / Re: Started ignoring rules

« on: March 13, 2024, 05:41:04 pm »

sometimes
tcpflags   RA
sometime only A

8

24.1 Legacy Series / Re: Started ignoring rules

« on: March 13, 2024, 05:31:48 pm »

for example:

F03LAN      2024-03-13T17:27:39   10.77.67.3:54052   52.20.40.101:443   tcp   Default deny / state violation rule
F03LAN      2024-03-13T17:27:15   10.77.67.3:56432   34.149.211.227:443   tcp   Default deny / state violation rule

and attached rules for F03LAN. The first is a bypass I added to avoid the problem (that is not working) and the last the rule I aspect that will allow the flow of above blocked logs.

The F03LAN address is 10.77.67.1/26

9

24.1 Legacy Series / Started ignoring rules

« on: March 13, 2024, 05:19:51 pm »

I've a firewall that was working until today (when I updated from  24.1.2 to  24.1.3, but maybe the problem has started before the upgrade), that now is not applying rules as expected.

I can see in the log that packets are dropped because "Default deny / state violation rule", but rules that allow that kind of packet are loaded (and they are working until yesterday).
I've this problem both on rules with SNAT (for example to connect to HTTPS), and without any NAT (for example simple "routing" from client in a network to AD servers in an other).

Tried to restart firewall service, and also all appliance but nothing

This is an hell: something can help me?
thanks

10

24.1 Legacy Series / Re: Rule being ignored occasionally?

« on: March 13, 2024, 03:55:43 pm »

I have a rule that ALLOWS traffic to 443, that has started to be blocked! Logs report that packet has been dropped cause "Default deny / state violation rule"

Is there some big problem?

11

General Discussion / Re: ACME Challenge HTTP-01 stopped working

« on: February 19, 2024, 05:06:11 pm »

try to manually assign the external IP address in challenge's options

12

Virtual private networks / Re: OpenVPN: Session invalidated: KEEPALIVE_TIMEOUT

« on: January 23, 2024, 11:39:02 am »

nothing useful

I solved enabling keepalive frequency and timeout on opnsense side, that were emtpy.

13

Virtual private networks / Re: OpenVPN: Session invalidated: KEEPALIVE_TIMEOUT

« on: January 17, 2024, 04:00:30 pm »

Ok, I see, but still I cannot find an idea about the problem. The VPN is working well, so traffic is ok. What kind of keepalive is the problem? The client can ping OPNSense on the IP address assigned on the tunnel (the first of the subnet). The firewall also does not log any dropped packed.
Is there some setting in my opnsense I miss? I' have many other OpnSense working well with OpenVPN DU and this is the first time I see this problem.

14

Virtual private networks / OpenVPN: Session invalidated: KEEPALIVE_TIMEOUT

« on: January 17, 2024, 11:17:17 am »

Hi,
I have a road warrior OpenVPN tunnel. Authentication is based on local users + user certificates.

Connections are ok and work, but every 45 seconds the connection goes down and OpenVPN Client reconnect it. Its log says "Session invalidated: KEEPALIVE_TIMEOUT"

I cannot find how it tries to perform a keepalive and where the problem can be, any idea?
thanks

15

Tutorials and FAQs / Re: Automatic config backups using os-api-backup

« on: January 16, 2024, 06:40:05 pm »

is there any simple way to package this as a docker container, with a config file to process multiple firewalls (eg a row with parameters related to every remote system)? it will be great