Messages

1

24.1 Legacy Series / Re: Routing loop between LANs via L3 switch

« on: July 21, 2024, 07:40:23 pm »

What still does not work is accessing anything in the 192.168.10.0 net from a VLAN50 host (apart from the GUI at 192.168.10.1). Looking at the FW logs, it tells me that TCP traffic coming from 192.168.10.0 hosts to VLAN50 is being blocked by the generic Default deny / state violation rule, even though I have specific rules on that interface to allow 10<->50 traffic of any kind. ICMP works both ways, though, as does -evidently- UDP, since I can send DNS requests to my Piholes on the 10 net.

I finally got this to work by checking Static route filtering in Firewall > Settings > Advanced.

2

24.1 Legacy Series / Re: Routing loop between LANs via L3 switch

« on: July 20, 2024, 03:27:57 pm »

Okay, I've at least figured out why there was no internet connectivity for VLAN50. Had to add an outbound NAT rule for that subnet. Which makes sense in hindsight, since the automatically created NAT rules only apply to the subnets directly connected to the OPNsense machine.

The routing loop kind of... vanished after I played around with the firewall rules. Can't really say why, but good enough.

What still does not work is accessing anything in the 192.168.10.0 net from a VLAN50 host (apart from the GUI at 192.168.10.1). Looking at the FW logs, it tells me that TCP traffic coming from 192.168.10.0 hosts to VLAN50 is being blocked by the generic Default deny / state violation rule, even though I have specific rules on that interface to allow 10<->50 traffic of any kind. ICMP works both ways, though, as does -evidently- UDP, since I can send DNS requests to my Piholes on the 10 net.

3

24.1 Legacy Series / Routing loop between LANs via L3 switch

« on: July 18, 2024, 07:29:43 pm »

I recently got a layer-3 switch to play around with and I ran into a confounding issue while setting up inter-VLAN routing on it.


The relevant network topology is this:

Main router (OPNsense 24.1.10_3-amd64; LAN interface 192.168.10.1/24)

connected to

Main (layer-2 smart) switch (connected to many other hosts on the 192.168.10.0/24 network)

connected via 2-port LAG to

Layer-3 switch (a Cisco SG300-28P; SVI 192.168.10.113/24, the uplink LAG has been set up as a trunk/tagged for all VLANs known to the L3 switch)

On the L3 switch I then configured VLAN50 with SVI 192.168.50.1/24 and enabled DHCP for that subnet that hands out IPs as well as 192.168.50.1 as the default gateway.

Static routes
On main router (manually created):

Code: [Select]

192.168.50.0/24 192.168.10.113/24(created a gateway entry for 192.168.10.113/24)

On L3 switch (obv. all automatically created):

Code: [Select]

0.0.0.0 192.168.10.1         VLAN1
192.168.10.0 Directly Connected VLAN1
192.168.50.0 Directly Connected VLAN50
I configured a single port on the L3 switch as access/untagged for VLAN50 and connected a laptop to it in order to test things. The laptop receives an IP/gateway just fine and is even able to ping hosts on the 192.168.10.0/24 net. However, when I try to ping the router at 192.168.10.1, I run into a loop. Traceroute tells me the traffic is being bounced back and forth between 192.168.50.1 and 192.168.10.1 and never terminating. Is this some sort of asymmetric routing issue? The ping works fine from 192.168.10.1 to the VLAN50 host.

Furthermore, not counting the loop, only ICMP traffic seems to be working to the 192.168.10.0 net (although the culprit here appears to be an issue with my OPNSense firewall rules on the LAN interface; Default deny / state violation rule is being triggered for traffic that should be explicitly allowed).

EDIT: One more caveat: I can access the OPNsense webGUI at 192.168.10.1 from the VLAN50 host, but there is no internet connectivity as all WAN IP routing is stuck in the aforementioned loop and/or because of the overzealous firewall.

4

24.1 Legacy Series / Re: Unbound: umount: /var/unbound/lib: not a file system root directory

« on: April 08, 2024, 04:46:11 pm »

I'm on OPNsense 24.1.5_3-amd64 and seeing similar errors in the log upon reboot:

Code: [Select]

2024-04-08T16:39:41
[Error]
opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: /var/unbound/lib: not a file system root directory'
2024-04-08T16:39:41
[Error]
opnsense /usr/local/sbin/pluginctl: The command '/bin/kill -'TERM' '56369''(pid:/var/run/unbound.pid) returned exit code '1', the output was 'kill: 56369: No such process'
2024-04-08T16:39:41
[Error]
opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: /var/unbound/lib: not a file system root directory'
2024-04-08T16:39:41
[Error]
opnsense /usr/local/sbin/pluginctl: The command '/bin/kill -'TERM' '56369''(pid:/var/run/unbound.pid) returned exit code '1', the output was 'kill: 56369: No such process'
2024-04-08T16:35:38
[Error]
opnsense /usr/local/etc/rc.linkup: The command '/sbin/mount -r -t nullfs '/lib' '/var/unbound/lib'' returned exit code '1', the output was 'mount_nullfs: /var/unbound/lib: Resource deadlock avoided'
2024-04-08T16:35:38
[Error]
opnsense /usr/local/etc/rc.linkup: The command '/sbin/mount -r -t nullfs '/usr/local/lib/python3.9' '/var/unbound/usr/local/lib/python3.9'' returned exit code '1', the output was 'mount_nullfs: /var/unbound/usr/local/lib/python3.9: Resource deadlock avoided'
2024-04-08T16:35:37
[Error]
opnsense /usr/local/etc/rc.linkup: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: unmount of /var/unbound/lib failed: Device busy'
2024-04-08T16:35:36
[Error]
configctl error in configd communication Traceback (most recent call last): File "/usr/local/sbin/configctl", line 65, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
Everything seems to be working, though.

5

Virtual private networks / Re: IP packet with unknown IP version=15 seen

« on: April 03, 2024, 07:47:12 am »

Update: I had to reinstall OPNSense due to a faulty SSD and now the warnings are gone (configuration exactly the same after importing a backup config). *shrug*

6

Virtual private networks / IP packet with unknown IP version=15 seen

« on: April 01, 2024, 06:28:26 pm »

I've been seeing the warning from the thread title A LOT in my OpenVPN logs. Like 2,000 entries all at the same time and this dump seems to repeat every 15 minutes. I've googled a bit and tried playing around with the compression settings, since this error can apparently be caused by a server/client mismatch there. But the interesting thing is that the warnings keep coming even if no clients are connected to the server at all, like clockwork.

My server is configured via Servers [legacy].

Server config:
Server Mode: Remote Access (SSL/TLS + User Auth)
Authentication backend: Local db
Protocol: UDP
Device Mode: tun
Topology: net30
Compression: No Preference

Client export config:

Code: [Select]

dev tun
persist-tun
persist-key
data-ciphers-fallback AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote **** udp
lport 0
verify-x509-name **** subject
remote-cert-tls server
auth-user-pass
auth-nocache
I have one CSO defined (to enforce a static tunnel IP), but as I said, the warnings keep coming in even if nothing is connected.

It's worth noting that my VPN works perfectly and clients can connect without issue. It's just these weird log entries that have me scratching my head and frankly make the logs a bitch to use. Running OPNsense 24.1.4-amd64, everything up to date.

7

General Discussion / Re: OPNsense Discord

« on: April 01, 2024, 05:43:24 pm »

+1

An official Discord server would be awesome.

8

24.1 Legacy Series / Re: 24.1 - DHCP server moves to KEA - implications?

« on: February 06, 2024, 05:43:20 pm »

In ISC DHCP it was possible to activate "Deny unknow Clients"

I'd imported all my subnets, settings and reservations, was about to make the switch when I noticed that this option was missing. Are there any plans to add it in the near future?

9

Virtual private networks / OpenVPN + Technicolor CGA4233-EU

« on: August 15, 2023, 10:39:25 am »

Up until recently my network configuration was my ISP's modem/router in bridge mode and an old office PC with an additional network card running OPNSense on it. Worked mostly fine, but yesterday all of a sudden the WAN interface refused to acquire an IP from the upstream DHCP server. After a few hours of tinkering, I was at a total loss as to why (ISP said the connection was fine up until the modem, and indeed you could see the DHCP sending an IP, gateway, etc. in the OPNSense logs...) and since I've had strange connection drops every few weeks ever since switching to bridge mode, I decided to just revert to router mode, setting the OPNSense machine as a DMZ.

This fixed the problem, but now my VPN setup doesn't work anymore. I got OpenVPN running and it was working perfectly with the old config, but now the Technicolor being back to router mode seems to block the connection no matter what I do. As I said, I've basically switched off the inbuilt FW features of the Technicolor and set the OPNSense machine as a DMZ, so everything should get forwarded to it. Tried setting up specific port forwarding regardless, but it didn't make any difference. According to the client log, there's just no response. The public IP is correct, credentials are correct, I've even issued a new client certificate after the change, etc.

FW rule:       IPv4+6 UDP   *   *   WAN address   1194 (OpenVPN)   *   *      OpenVPN OpenVPN_Server wizard allow client access

Any ideas? Is this just something that the modem blocks by default? If you need any more details about my setup, please ask.

Thanks in advance.