OPNsense
Messages - Spiky_Gladiator

Pages: [1] 2
1
24.7 Production Series / Re: How can I block access to all VLANs with 1 or 2 firewall rules?
« on: August 25, 2024, 09:42:33 am »
Quote from: doktornotor on August 24, 2024, 11:34:22 am
Put a quick allow rule above the generic block one?

I was thinking about this approach, but wouldn't that mess up the Firewall \ Traffic? Usually the block rules go first, then the allow rules last.

Quote from: Patrick M. Hausen on August 24, 2024, 11:44:16 am
You already opened this exact thread a couple of days ago, right?

https://forum.opnsense.org/index.php?topic=42278.msg208676#msg208676

I could have sworn I answered your last question but my post seems nowhere to be found. DHCP is taken care of by automatic rules. It cannot be blocked by anything you configure in the UI.

See:
Code:
root@opnsense:~ # pfctl -s all | grep bootp
pass in quick on vlan07 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "e21ba82e2787507de82efd16e930703c"
pass in quick on vlan07 proto udp from any port = bootpc to (self) port = bootps keep state label "55d713eb0d0abdc53fd028019175cd04"
pass out quick on vlan07 proto udp from (self) port = bootps to any port = bootpc keep state label "398a032de2b9975e894f335916afb87e"
pass in quick on vlan01 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "1df7b65b293bf138df10f236a7889eee"
pass in quick on vlan01 proto udp from any port = bootpc to (self) port = bootps keep state label "385edc3329288e020aa9bbe9f9914de5"
pass out quick on vlan01 proto udp from (self) port = bootps to any port = bootpc keep state label "58ca7742b2c97951641023f18e2dd59d"
pass in quick on vlan05 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "cdbcc11b796adf41fbef4eeaf8f2c60e"
pass in quick on vlan05 proto udp from any port = bootpc to (self) port = bootps keep state label "8816b0e3add9c6e0d76c49d2151bc95f"
pass out quick on vlan05 proto udp from (self) port = bootps to any port = bootpc keep state label "a026e0c2fe364a6cad34204149483f6d"
pass in quick on vlan02 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "0c17538b1b995ab50d22bba9de47b66f"
pass in quick on vlan02 proto udp from any port = bootpc to (self) port = bootps keep state label "b142ef4302cd5c25827ce9ec481441e1"
pass out quick on vlan02 proto udp from (self) port = bootps to any port = bootpc keep state label "6d6efb231238eb62b54fb2ed977cb43f"
pass in quick on vlan03 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "4db3295e7047cf30b38a8bd19b6afce9"
pass in quick on vlan03 proto udp from any port = bootpc to (self) port = bootps keep state label "a0895b11d5fdf07c530f097ce0e489c5"
pass out quick on vlan03 proto udp from (self) port = bootps to any port = bootpc keep state label "a5d9128a5eac4049942d7c8e415a9d48"

The rest I explained in the linked thread.

HTH,
Patrick

Yeah, I had the same thread open, but since there was no reply I opened this one. So, if DHCP can't be blocked by anything, how come when I did the Network Group Alias with all the VLANs on the list with the Block rule, I couldn't get an IP assigned on my client device? This seems a little bit confusing to me.
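An added illustration (not from this thread, and not OPNsense code) of why the automatic DHCP rules cannot be blocked from the UI: pf evaluates rules top to bottom, and a matching rule carrying `quick` ends evaluation immediately, so the automatic `pass in quick ... bootps` rules decide before any user block rule is consulted. The simulator below replays two of the pfctl lines above against a constructed alias-based block of all VLAN networks (the setup the thread starter describes) with the suggested quick allow rule placed above it; the addresses, the alias name `VLAN_NETS` and the `(self)` interface addresses are assumptions.

```python
import ipaddress, re

# Constructed stand-ins (not from the thread): an alias with every VLAN net, and the firewall's own addresses, which pf writes as (self).
TABLES = {"VLAN_NETS": ["10.0.1.0/24", "10.0.5.0/24", "10.0.7.0/24"]}
SELF = {"10.0.1.1", "10.0.5.1", "10.0.7.1"}
PORTS = {"bootps": 67, "bootpc": 68}

RULE_RE = re.compile(r"(pass|block) (in|out)( quick)? on (\S+)(?: inet)?(?: proto (\S+))?"
                     r" from (\S+)(?: port = (\S+))? to (\S+)(?: port = (\S+))?")

def parse_rule(line):
    """Parse the subset of 'pfctl -s rules' syntax used in the output above."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported rule: {line}")
    action, direction, quick, iface, proto, src, sport, dst, dport = m.groups()
    return dict(action=action, dir=direction, quick=bool(quick), iface=iface,
                proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "(self)":
        return addr in SELF
    nets = TABLES[spec.strip("<>")] if spec.startswith("<") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def port_matches(spec, port):
    return spec is None or (PORTS[spec] if spec in PORTS else int(spec)) == port

def decide(rules, p):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick',
    which ends evaluation on the spot. Returns (action, index of the deciding rule)."""
    result = ("pass", None)  # pf's own default; OPNsense appends its default-deny rules
    for i, r in enumerate(rules):
        if (r["dir"], r["iface"]) != (p["dir"], p["iface"]) or (r["proto"] and r["proto"] != p["proto"]):
            continue
        if not (addr_matches(r["src"], p["src"]) and addr_matches(r["dst"], p["dst"])):
            continue
        if not (port_matches(r["sport"], p["sport"]) and port_matches(r["dport"], p["dport"])):
            continue
        result = (r["action"], i)
        if r["quick"]:
            break
    return result

RULES = [parse_rule(l) for l in [
    # Two of the automatic DHCP rules for vlan07 as pfctl printed them above (labels dropped).
    "pass in quick on vlan07 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state",
    "pass in quick on vlan07 proto udp from any port = bootpc to (self) port = bootps keep state",
    # Constructed user rules: the suggested quick allow for the rule's own VLAN net,
    # placed above the alias-based block of every VLAN net.
    "pass in quick on vlan07 inet from any to 10.0.7.0/24",
    "block in on vlan07 inet from any to <VLAN_NETS>",
]]

def packet(proto, src, sport, dst, dport, iface="vlan07"):
    return dict(dir="in", iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
```

A DHCP discover to 255.255.255.255:67 on vlan07 yields ('pass', 0) and a connection to a host in another VLAN yields ('block', 3); leaving out the quick allow (RULES[2]) makes the alias block also catch traffic to the rule's own VLAN gateway, which is the self-blocking effect described in the question.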

2
General Discussion / Re: How can I block access to all VLANs with 1 or 2 firewall rules?
« on: August 24, 2024, 11:31:46 am »
Anyone?

3
24.7 Production Series / How can I block access to all VLANs with 1 or 2 firewall rules?
« on: August 24, 2024, 11:31:23 am »
Hi,

I have quite a lot of VLANs in my setup and I'm starting to have difficulty managing firewall rules to block each VLAN individually, one by one, using the block option. To make things easier to manage, I created a Network Group Alias, selected all of my VLANs in it, then used the said alias in the block rule to block access to all the VLANs. That seems to work great, with the exception that I can't exclude the current VLAN that the rule runs on, so what ended up happening was that I couldn't get an IP from DHCP as the rule was blocking the currently used VLAN. I tried using inverted rules, but they don't exclude any VLANs from the alias list as far as I know.

Is there any way to block access to all of the VLANs I created, with the exclusion of the current one that the rule resides in, using 1 or a maximum of 2 firewall rules?

Thanks

4
General Discussion / Re: How can I block access to all VLANs with 1 or 2 firewall rules?
« on: August 18, 2024, 12:35:23 pm »
Quote from: Patrick M. Hausen on August 17, 2024, 09:47:11 pm
I have a network group named "Restricted" for all VLANs that are, well, restricted, in the sense that they are allowed to access the Internet but not each other.

I attached a screen shot of the "Restricted" rule set. Net4_Local and Net6_Local contain all the locally attached VLANs probably very similar to your setup.

I am a bit lazy in the sense that while I pride myself on running dual stack @home and @work, I only provide DNS, NTP, SMTP over IPv4. Hence the structure of the rules you see in the attachment.

HTH,
Patrick

Since that setup contains all the VLANs in your setup, wouldn't Net4_Local and Net6_Local block the VLAN that the rule is being run on, therefore blocking itself from receiving an IP from the DHCP server? That's the issue that I came across when I used Aliases.

5
General Discussion / How can I block access to all VLANs with 1 or 2 firewall rules?
« on: August 17, 2024, 08:27:42 pm »
Hi,

I have quite a lot of VLANs in my setup and I'm starting to have difficulty managing firewall rules to block each VLAN individually, one by one, using the block option. To make things easier to manage, I created a Network Group Alias, selected all of my VLANs in it, then used the said alias in the block rule to block access to all the VLANs. That seems to work great, with the exception that I can't exclude the current VLAN that the rule runs on, so what ended up happening was that I couldn't get an IP from DHCP as the rule was blocking the currently used VLAN. I tried using inverted rules, but they don't exclude any VLANs from the alias list as far as I know.

Is there any way to block access to all of the VLANs I created, with the exclusion of the current one that the rule resides in, using 1 or a maximum of 2 firewall rules?

Thanks

6
22.7 Legacy Series / Re: Errors when booting up
« on: March 01, 2023, 08:14:17 pm »
Quote from: franco on February 16, 2023, 10:34:09 am
We've seen this too and thought to have deployed multiple fixes. The only theory we have is that the socket in question appears and then disappears again for a few seconds for whatever reason. It only happens on slower hardware as far as we can tell, but the operational impact is minimal as the socket eventually comes up fine.


Cheers,
Franco

Is there any way I can check if the sockets are working fine, just to be sure? Perhaps checking if the socket's service is currently running would do the trick?

Which error are you talking about in your reply, the Carp and Configd ones or the Python error for Configd.py? Should I be concerned about any of the listed errors? As of right now, I'm stuck in limbo with the said errors as I'm not quite sure what they mean and if I should be concerned about them.

7
22.7 Legacy Series / Errors when booting up
« on: February 15, 2023, 09:41:25 pm »
Hi,

I have noticed a couple of errors when my OPNsense is booting up and I'm not sure if it's something that I should worry about or just ignore. They are:

Quote
PFLog0: Permanently Promiscuous Mode Enabled
I did some research on this error and it looks like it's some kind of software switch to deactivate/activate the internet connection or something like that, as the only posts I came across were talking about the above going in a loop from Enabled to Disabled every couple of seconds, causing network disruptions.

Quote
Error in early script "Carp"
Quote
Generating Configuration: Carp socket missing
Looking online for the Carp protocol brings up failovers and redundancy; is this feature used by default in OPNsense? In which cases would I need to use the CARP protocol, and finally, can I just ignore this error?

Quote
Generating Configuration: Configd socket missing
In combination with the above error, I found the one below somewhere in the Web GUI:
Quote
Error Configd.py [Some Type of ID] returned exit status 1
I have checked and it looks like Configd.py is some type of backend for OPNsense which passes actions from the frontend (Web GUI) to the backend\firewall itself. The above error indicates that Configd.py has errored out and terminated, to what I think is its backend? Worrisome for sure.

I have successfully set up my network how I want and everything seems to be in order, but the above errors worry me that something with the Firewall itself might be broken, e.g. WAN rules allowing someone to connect to my OPNsense where otherwise it would be secure to reject any connection attempts to OPNsense, and so on.

Will someone please give me a hand with this, as I have searched and searched online but can't find any solution to the above errors.

Thanks

8
General Discussion / Re: Strange VLAN Behaviour
« on: February 05, 2023, 10:55:25 pm »
Quote from: Demusman on February 03, 2023, 11:40:14 am
I think you said that backwards. Manual is a static IP. The pc will accept any address you give it.
What does "wrong IP" mean? If you plug into vlan4, it should get an IP in the vlan4 subnet. Did it not?


Yeah, I got the correct IP automatically assigned as soon as I plugged into VLAN4.

Quote
Why wouldn't it accept it?? It doesn't know what network you're connecting to. You set a static IP, it can't tell you "hey, you're giving me the wrong IP for that network.", YOU need to be smart enough to know that.

"Connected" doesn't mean connected to opnsense, the pc wouldn't know what type of router you're using. It means it has an active network connection. I have never seen a pc disconnect when it has the wrong IP assigned. Again, how would it know?? You gave it the IP.

I got it now.

Quote
Sounds like the switch isn't configured correctly.

Can you tell me how you came to this conclusion? I think there might be some misunderstanding and I want to double check.

9
General Discussion / Re: Managed Switch - Port Behaviour
« on: February 05, 2023, 10:41:15 pm »
Quote from: pmhausen on February 03, 2023, 09:45:13 am
The switch does not change its behaviour. If you remove the router, no devices will be able to talk across VLANs. Devices in the same VLAN will be able to talk to each other just like they do with the router present.

Quote from: eponymous on February 03, 2023, 03:31:48 pm
Also make sure you don’t have inter VLAN routing set up on your switch as in that case, router or not, the devices may be able to talk to each other from different VLANs. This is a layer 3 switch feature - something to check.

Isn't inter-VLAN routing handled by the OPNsense firewall? So, if I haven't set up any inter-VLAN routing on the switch and OPNsense is down or off for whatever reason, I should be fine then?

10
General Discussion / Managed Switch - Port Behaviour
« on: February 03, 2023, 09:38:30 am »
Hi,

I just want to check: what is the behaviour of a managed switch when it's not connected to OPNsense, especially with VLANs set up, or when OPNsense is just turned off?

I know you configure each port to a specific VLAN on a switch, but once OPNsense is not present (turned off or disconnected), how does the switch manage the currently connected devices on it? Does the switch just turn into a standard hub where all the devices can talk with each other, or can the connected devices still not see each other with no DHCP configuration and just sit there and wait for activity from OPNsense to provide the networking capabilities?

I'm asking because of security: I don't want my devices to talk with each other at all, and that's why I have set up VLANs in the first place.

Thanks

11
22.7 Legacy Series / Configuration File Compatibility
« on: February 03, 2023, 09:26:40 am »
Hi,

I just want to check: if you take a backup of your older version of OPNsense, is it compatible with the newer version or will there be some incompatibilities? Would, for example, Firewall rules, DHCP configuration or basic settings be retained but more advanced configuration for other parts of OPNsense not be properly imported?

Does anyone know the answer to this ?

12
22.7 Legacy Series / Proper turn offs and Loss of configuration
« on: February 03, 2023, 09:22:10 am »
Hi,

I just want to check what the correct way of turning off a device that has OPNsense installed is. I have heard on the internet that if you just unplug the device with OPNsense on it from a power source, it can damage the configuration and everything would need to be set up from scratch again.

My questions are: is the above correct or just a myth, and how can you tell this has happened? Does OPNsense give you some type of message upon boot-up of the device so that you are aware that the configuration is corrupted?

Thanks

13
General Discussion / Re: Strange VLAN Behaviour
« on: February 03, 2023, 09:14:07 am »
Quote from: Demusman on February 02, 2023, 03:27:59 am
You are not "getting assigned" an IP, you set the IP. DNS won't be "picked up" unless you use DHCP. Since you set a static IP, you would also need to set the DNS statically.

I did both; the manual one picked a wrong IP address and the automatic one didn't pick up the DNS IP at all.

Quote
Yes, that should happen since you're on the vlan4 network, but you set an IP in the vlan1 network.
It's the same as you going to your neighbors house, with a static IP from your house, and plugging into their network. You won't get anywhere.

I understand now. However, I'm still puzzled why my PC still accepts the manual configuration I have entered and the status changes to connected when in fact it didn't connect to OPNsense at all. Usually when you are connected to a normal router and assign a wrong IP, your connection will disconnect, but not in this case for some reason.

Is this behaviour normal, and is this how managed switches work, where they will accept any IP address that I inserted in my PC settings even if it's wrong?

Quote
Vlan hopping? No, you're on one network with an IP that isn't routable on it.

I did another test pinging a device that doesn't exist on the same VLAN and it still shows "Destination Host Unreachable". I may add that I can ping the Gateway fine, so I presume when a device is connected to the same VLAN I will be able to ping it just fine.

In my example above, shouldn't the ping command fail to find the device and just hang on the resolved IP since there is no active device? Shouldn't the ping command not send any packets at all since there's no device, rather than displaying the "Destination Host Unreachable" message?


Quote
Switch seems to be configured correctly.

I know it's a lot of questions, but it's my first time setting up VLANs and I'm completely new to OPNsense. I want to correctly configure everything so that VLANs are secured properly. My main question is, how can I test if VLANs work in accordance with my Firewall rules?

One way I know you can test this is by plugging into each VLAN port, then pinging each VLAN Gateway from the currently connected VLAN and seeing if there's a response. Are there any other tests that people perform to check if VLANs work correctly? If so, what would you recommend?


I know this is a bit of a stretch and out of scope of this topic, but would you be kind enough to give me another hand in a different thread? If so, here's the link: https://forum.opnsense.org/index.php?topic=32255.0

Just want to mention that I appreciate your and WaffleIron's help on this.

14
22.7 Legacy Series / Handling errors in OPNSense
« on: February 01, 2023, 09:40:19 pm »
Hi,

When booting up my OPNsense, I have noticed that there are quite a few errors popping up at every boot of my device. The errors are:

Quote
Error in early script "Carp"
Quote
Generating Configuration: Configd socket missing
Quote
Generating Configuration: Carp socket missing
Quote
PFLog0: Permanently Promiscuous Mode Enabled

This error I found somewhere in the Web GUI:
Quote
Error Configd.py [Some Type of ID] returned exit status 1

My questions here are:

  • What types of errors should I worry about and be looking out for to make sure everything is fine with OPNsense?
  • Does anyone know anything about the above errors and if they are normal? I tried searching for the Carp error but didn't find much about it besides being served fish pictures and links on Google.
  • Is there any way I can view the whole boot-up log to look up all the errors? There are probably some that I haven't managed to note as the boot-up process is too quick. Is this action even necessary to perform? How do you handle errors in OPNsense or know something is wrong?

Thanks

15
General Discussion / Strange VLAN Behaviour
« on: February 01, 2023, 09:16:52 pm »
Hi,

I have two budget switches, each set up the same way, but for some reason I always get the same results. Let me give you an example below.

Let's say VLAN 1 is management and VLAN 4 is a random VLAN.

I insert my RJ45 cable into the VLAN 4 port on the switch and when I try to ping VLAN 1, there is no response, which is the desired result of using VLANs. However, things change when I make some manual changes to the network card on the PC.

So:

1) While still being connected to the VLAN 4 port on the switch, I manually assign the IP Address, netmask and gateway to those of VLAN 1. To my surprise, I successfully get assigned the available IP Address from VLAN 1 that I selected, but DNS for some reason is not picked up.

2) When I try to ping anything on VLAN 1, I get a response saying "ICMP_Seq=1 Destination Host Unreachable" no matter if there is a device with that IP or not. I also can't access the logon page that's allowed on VLAN 1, which I guess is a good thing.

My questions to this scenario would be:

  • Is this how VLANs work behind the scenes?
  • Is this what you can call VLAN hopping?
  • Is this a result of a misconfiguration on a switch?
  • Is this behaviour normal?

I just can't wrap my head around it, as from my testing this seems to happen on many budget switches, irrespective of the price you paid for the switch.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved