OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of zhladik »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - zhladik

Pages: [1]
1
General Discussion / Re: OpnSense breaking UDP hole punching
« on: May 06, 2023, 08:48:00 pm »
Hi,

late answer but I hope it helps someone. I just got the same problem as PassionLynx. I found that as default firewall randomizes the source port on passing packets out. On UDP it can break some apps. Typicaly some streaming or VOIP apps. The reason for this is security by obfuscating info about source port app allocation. But bidirectional UDP traffic needs this to keep the "punch hole" automatically open for bidirectional traffic.

I discovered how to solve this problem. You have two options:

1. If you want to keep NAT more secure, you can create a special Outbound NAT rule only for your app, usually it is enough to specify the destination port or server address and 'STATIC' parameter enabled.

2. You can replace the default NAT rule with a manually configured one with the same parameters as the default one with the difference in 'STATIC' parameter.

Before you are able to make this change you must switch to Manual or Hybrid outbound NAT rule generation

If you can not predict the destination or source address or port, you must use option 2. I think that security risk at this case increase is usually minimal.

2
23.1 Legacy Series / IPSEC "Connections"damaged my tunnel,fresh install does not generate tunnel conf
« on: March 23, 2023, 01:00:49 am »
Hello,

After upgrading from 22.7 to 23.1.3 my IPSEC tunnel link stopped working.
Because VPN link was not critical and I decided to clean up my config so
I installed fresh 23.1 from scratch. and immediately updated to 23.1.4_1.

As the first thing I tried to config IPSEC tunnel by new "Connections (swantcl.conf)"
 way. But I missed any doc, (it supposes experienced StrongSwan experts only?),
so I returned to the "legacy - Tunnel settings" way.

But it seems that any setting of legacy tunnel phase1 does not generate config files for
tunnels. /usr/local/etc/ipsec.conf nor stongswanc.conf. does not reflect any GUI config.

In partialy updated OPNsense IPSEC doc there is an announced "feature freeze on tunnels" in future.
But it seems that legacy tunnel related code is removed too soon.

Any tips on what to check? Maybe I missed some critical step on IPSEC building/activation, but log files
have no glue for me..

I have not much experience with IPSEC, but i am fluent in linux/bsd CLI, so I looked at scripts
and logs, tried to start things from cli, etc. But maybe not enough deep to find where is problem.



Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2