Messages

1

23.7 Legacy Series / Advanced NUT configuration: is it possible ?

« on: October 09, 2023, 02:33:54 pm »

Hi,
I currently have nut server running on a separate device with what I would call an "advanced configuration" (multiple users, certificates, custom notifications script, etc.) In order to save power, I was thinking about using my opnsense box instead of a dedicate device, however the plugins' UI only provides limited configuration means. I found that nut configuration files are located in "/usr/local/etc/nut/" but some state that "Please don't modify this file as your changes might be overwritten..." which makes me think that my configuration may be lost quite easily.

My questions are:

• is there a way to have an advanced configuration with os-nut plugin which remains persistent after reboots / upgrades ?
• If yes how should I proceed ?

Thank you in advance !

2

Virtual private networks / Re: Recommendation VPN

« on: October 06, 2023, 03:08:10 pm »

The way I have it working now is a different OpenVPN server and access server per security group but I don't want to make new OpenVPN and access servers if I need to create a new AD group...

Is it even possible to do with OPNsense in a better more scalable way?

None I am aware of. However did you have a look at https://openvpn.net/access-server/ (https://openvpn.net/product-comparison/ for feature details) ? it seems that you can map AD groups to access groups (https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/ or https://openvpn.net/vpn-server-resources/integrating-active-directory-with-access-server-using-radius-and-post_auth/).

3

23.7 Legacy Series / Re: Bug ? "CARP defaults" rules are generated even if there is no virtual IP

« on: September 26, 2023, 04:25:36 pm »

I think you could follow the same argument about other auto generated rules too. For example, why are there all those "IPv6 RFC4890 requirements (ICMP)" if somebody doesn't even use IPv6?

I think it's a design choice to prevent common mistakes generating lots of support.

I'm not choosing a side here though, just contributing my opinion.

(My opinion is I like those rules because they save me time and prevent human error while not impacting security)

Indeed, this might also apply to the case you just listed.

I'm not against generating rules whenever it allows to avoid common mistakes: that's a great helper feature which needs to be kept. I'm against generating them when they are not needed as it has a performance impact and configuration readability impact.

Regards,

4

23.7 Legacy Series / Re: Bug ? "CARP defaults" rules are generated even if there is no virtual IP

« on: September 26, 2023, 03:33:33 pm »

Well, I see the two "CARP defaults " rules on all my interfaces: WAN, LAN, DMZ, all vlans, OpenVPN, and even Loopback. If they are only generated once as floating then inherited, fine.

The question was about the rationale for having these two rules (+ the NAT ones @Monviech spotted).

• Generating them when having at least one virtual IP with CARP mode declared in "/ui/interfaces/vip" is understandable and required.
• But if no virtual IP in CARP mode are declared I don't understand the rationale, and thus I suggest to have it would be great if someone could have a look at the ticket #6556 (see first post).
  

But again, maybe I'm missing something.

5

23.7 Legacy Series / Re: Bug ? "CARP defaults" rules are generated even if there is no virtual IP

« on: September 26, 2023, 02:08:05 pm »

@Franco: I read the ticket you're providing, let me quote some messages AdShellevis sent to rudiservo the author of the ticket I was writing about:

the ticket is for a different issue

Please keep discussions on the forum.

don't mind if you open a new ticket for it to put it up for debate

In the end rudiservo did it and it resulted in the ticket I linked in my question. He never got an answer since May. He forgot to link back his ticket to the ticket you're mentioning. I just added the link to make things clear.

In other words:

• The ticket you're referring to is for a different issue
• I have not created a new ticket, I linked to the ticket which has been open in May about the issue I'm talking about
• this is an open topic
• i reopen the discussion here on the forum as requested on github

That being said:

• why is there a "page not found" when clicking on the looking glass ?
• If it is due to the fact that no virtual IP are configured: why having the CARP rules being generated if CARP is not configured ?
• If it is mandatory for some reason I cannot yet understand: why having a looking glass next as it leads to a page not found?

To me it looks like there is a bug somewhere:

• There should not be a "page not found" OR
• There should not be CARP generated rules if CARP is not used OR
• There should not be a looking glass next to the rule

Or maybe I'm missing something. If that's the case, please explain.

6

Hardware and Performance / Re: LAN throughput limited to 100mbps

« on: September 26, 2023, 01:18:16 pm »

Hi,

When you say that you have tested wan link, I guess that it was without the opnsense box, i.e. conecting a computer directly into your ISP router. If that's the case:

• Check the negociated speed of your WAN interface. You can check negociated speeds on opnsense dashboard in "interfaces" widget
• If the speed is negociated to 100Mbps, check that the cable is plugged correctly on both ends / replace wan cable to a cable which is at least CAT5e, if it doesn't work try forcing to 1Gbps full duplex on both ends (isp router/opnsense)
• Check if there is no traffic shaping: type "pipe" without quotes in the opnsense search box and check if any pipe is limiting to 100Mbps. If there is one check in the rules tab to which interface it applies
• Last but not least, sorry to ask, but are you sure that it's 100 Mbps and not 100 MBps ? (easy to confuse, and 100MBps is 800Mbps, and depending on your hardware / configuration the difference might be related to the firewall's overhead)

Good luck

7

23.7 Legacy Series / Bug ? "CARP defaults" rules are generated even if there is no virtual IP

« on: September 26, 2023, 11:38:47 am »

Hello,

After having read the "hot" topic about automatically generated rule, I had a look at the generated rules on my opnsense instance. I was surprised to see that two "CARP default" rules are generated for each interface.

As I'm not using CARP, nor virtual IPs, this looked strange, so I clicked on the looking glasses icon next to the two rules, which lead me to a "page not found" (firewall_virtual_ip.php).

If there was no "looking glass" and no "page not found" I would have said nothing, but this looks like a UI bug to me. Or am I missing something ?

Note: Since I started writing this post, I checked the github repository and someone suggested to only add these rules only if Virtual IP interfaces are configured. However he got no answer since last may. https://github.com/opnsense/core/issues/6556

Thanks in advance and kind regards,

M.

8

23.7 Legacy Series / Re: is there a way to make aliases set with /sbin/pfctl command persistent ?

« on: September 21, 2023, 05:10:36 pm »

1. If you have a cron job which updates the tables, why don't you use an @reboot entry in crontab to call that update script on reboot as well?

2. If the file is from a URL, you could as well use one or more "URL Table (IPs)"-type alias(es).

Hi,
1. This is what I'm doing, but it's a workaround
2. No it isn't, it is built from multiple sources that are processed/filtered

9

Hardware and Performance / Re: Looking for guidelines to help choose the optimal hardware or opnsense ?

« on: September 21, 2023, 05:03:01 pm »

I am curious why there isn't more discussion of what I would label middle-ground options that lie somewhere between Decisio and Supermicro on the one hand and stuff you can buy on AliExpress on the other hand. They would seem to offer a better balance of price/performance/quality. Less pricey than the former but much better manufacturing quality control than the stuff being sold on AliExpress and, presumably, also better support. I am thinking of gear from Taiwanese companies like AAEON, Jetway, Up Systems (all affiliated in some way with Asus), GigaIPC (Gigabyte) and Lanner.

Well the initial question was to help me "select the right hardware based on requirements", but yes as a next step, I agree with you. I already had a look at the brands you listed as well as at lanner and other brands too. The problem is their availability, factory lead times (for instance there is a 27 week factory lead time on one product I'm interested in) shipping costs and "how to make sure that it will work as expected" as nobody seems to have tried before to run opnsense on it (and who wants to be a "guinea pig" ?)

10

23.7 Legacy Series / Re: is there a way to make aliases set with /sbin/pfctl command persistent ?

« on: September 21, 2023, 04:51:04 pm »

There is an API which you can use for handling aliases: https://docs.opnsense.org/development/api/core/firewall.html

Cheers
Maurice

Once again, thanks a lot Maurice.

11

23.7 Legacy Series / is there a way to make aliases set with /sbin/pfctl command persistent ?

« on: September 21, 2023, 01:58:34 pm »

Hello,

I have a script which updates an alias twice a day (it replaces its content with a list of IPs taken from various sources). The script and cron job both (seem to) work fine. I only have one issue: if the opnsense box is rebooted, the alias is empty, it does not keep the last values which have been set by the script.

Here is the last part of the script which updates the alias:

Code: [Select]

# Update table from temp file
RESULT=`/sbin/pfctl -t ${ALIAS_NAME} -T replace -f ${TMP_FILE} 2>&1`

Is there a way to make this persistent in order to not have an empty list after reboot ? Is there another problem (such as alias flush at reboot) ?

Thank you in advance!

12

23.7 Legacy Series / Re: No internet if I turn off SNAT on router connected to opnsense LAN port

« on: September 21, 2023, 01:51:06 pm »

Translation target for the outbound NAT rule is "Interface address", static port shouldn't be required. Other than that, sounds good. 👍

Ok it works thank you, I only have strange issues when adding routes/subnets I have to enable/disable the route to make it work.

Have a nice day!

13

23.7 Legacy Series / Re: No internet if I turn off SNAT on router connected to opnsense LAN port

« on: September 21, 2023, 01:34:39 am »

@Maurice : thank you.

I understand that I have to do the following, is it correct ?

• create a "single" gateway for the "Lan interface" with IP address 10.100.100.2
• For each subnet behind router, create a route to the subnet through the created gateway
• Switch outbound NAT from automatic to hybrid
• add all subnets behind router to an alias "myalias"
• add an outbound NAT rule on interface WAN, with "myalias" as source, "Interface address" as "NAT address" and "static port"

Edit: it works, but is it the most optimal way to do it ?
Edit 2: it does not work...  :'(
Edit: looks lke it works... erratically... will check tomorrow.

14

23.7 Legacy Series / No internet if I turn off SNAT on router connected to opnsense LAN port

« on: September 20, 2023, 10:58:42 pm »

Hi,

I have the following topology (simplified view):

Code: [Select]

Internet --- ISP router ---(WAN interface)--- opnSense Firewall ---(LAN interface)--- Router --- ...
                                                      |
                                                     DMZ

The "Router" is in charge of inter-vlan routing and filtering while the opnsense firewall is among other things, in charge of IDS/IPS.

On opnsense side: the IP of "LAN interface" is configured statically to 10.100.100.1/29. A rule (let's name it "rule_pass") is configured on "LAN interface" to "pass" all traffic having WAN as destination. And NAT is configured to "Automatic outbound NAT rule generation".

On the router's side: IP is configured to 10.100.100.2/29 and traffic allowed to reach the WAN (or DMZ) reaches "LAN interface"

Until now, the "Router" was configured to do SNAT. Everything was working fine except that in opnsense logs the src of all traffic coming from from "LAN interface" is logged with the IP 10.100.100.2, which is not readable nor useful when trying to find culprits. Therefore I wanted to remove SNAT on router side.

The problem is that when I disable SNAT on the router, I cannot access the firewall, nor the internet anymore. Opnsense webui is unreachable, ssh server is unreachable, I cannot ping the firewall anymore, everything seems to be blocked. There is no message in opnsense logs, nor in the logs of "router".

However if I turn on logging on "rule_pass", I see that the traffic coming from the router reaches correctly the firewall as I see now the IPs of all devices which trigger the "rule_pass" rule, including icmp pings, and not "10.100.100.2" anymore.

What am I missing / doing wrong ? Is it a NAT issue ? How can I debug this situation ?

Thank you in advance!

15

Hardware and Performance / Re: Looking for guidelines to help choose the optimal hardware or opnsense ?

« on: September 20, 2023, 11:43:01 am »

As of today, the price tag of the DEC 695 is around 750 CHF after VAT and import taxes to Switzerland. Compared to the N5105 device with i226v NICs that I own and which I paid less than 150 CHF (all included)

That's what I would call "dirt cheap"  Care to share a link, please?

For the DEC695: https://shop.opnsense.com/product/dec695-opnsense-desktop-security-appliance/
Product price: 649€ == 623 CHF
Shipping: free
Custom fees: 3% of "product price + 15CHF" + 15 CHF == 34 CHF
VAT: 7.7% of "product price + custom fees" == 51 CHF
So I made a mistake, it's 708 CHF, not 750 CHF.

For the N5105: https://vi.aliexpress.com/item/1005004880536701.html
I paid for it 140.47 CHF including shipping and custom fees during a promo in March. As I had a spare m.2 ssd and memory from a dead laptop, I could order the device with no RAM and no SSD.