
Messages - funfuck1337

#1
OK, I finally figured it out after a while.

Rule first match and last match really work like the name.

First match would just work like a normal rule. First-come-first-served according to the rule order.

But with last match everything is inverted. It would match the non-quick rules after all first-match rules.
And it would match the non-quick rules from the bottom to the top accordingly, instead of from top to bottom like quick match.

A lesson for me.
#2
I am setting up an S2S IPsec transport tunnel. Spec as below:

A end: dynamic IP, FQDN provided
B end: static IP, Debian with strongSwan installed.

The setup went all good and straightforward.

The problem is the OPNsense phase 1 connection config has an address field only. There is no way to configure the peer ID for both ends...

And that causes the A end with dynamic IP to never initiate the IPsec connection, with the lines below logged...
Informational charon 12[CFG] <|3> no IDi configured, fall back on IP address
Informational charon 12[IKE] <|3> authentication of '[WAN_IP4]' (myself) with pre-shared key
Informational charon 12[IKE] <|3> no shared key found for '[WAN_IP4]' - '%any'

The workaround is to configure the B end to always be the initiator. But it is not healthy.
Because next I had to set up another S2S tunnel where both ends have dynamic IPs...

I would like to know if there is a way to get rid of this, or could I add the peer ID manually in the file?
#3
I just set up dual WAN in my environment and tried to add gateway-specified rules without quick match.

PBR rules will never match if you have quick match unchecked.
Attached my rule setup:
(attached image not available)

Everything works great if quick match is checked.

I have tried the same rule on every type of rule set (floating, interface group, interface).

I am wondering if it is my issue. Could anyone try or explain this symptom?
Or is this a limitation, that quick match cannot be disabled when a gateway is specified in the rule?
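As an added example (not the poster's code and not OPNsense's own), the following Python model of pf's rule evaluation, which OPNsense rules compile to, shows the behaviour behind posts #1 and #3: pf walks rules top to bottom, the last matching rule wins, and a matching rule marked quick ends evaluation at once. The rule set, addresses and the gateway name WAN2_GW are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"
    quick: bool = False              # pf 'quick': stop evaluating on match
    gateway: Optional[str] = None    # pf 'route-to' target, i.e. a PBR rule

def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, src: str, dst: str) -> bool:
    return _in(rule.src, src) and _in(rule.dst, dst)

def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """pf semantics: a matching rule becomes the current winner but evaluation
    continues, so a LATER matching rule overrides it ('last match wins');
    a matching rule marked quick ends evaluation immediately."""
    winner = None
    for rule in rules:
        if matches(rule, src, dst):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("block", None, None)   # implicit default deny
    return (winner.action, winner.gateway, winner.name)

# Constructed dual-WAN rule set modelled on the posts above.
LAN = "192.168.1.0/24"

def pbr_ruleset(pbr_quick: bool) -> List[Rule]:
    return [
        Rule("floating PBR via WAN2", "pass", LAN, "any", quick=pbr_quick, gateway="WAN2_GW"),
        Rule("allow LAN to any", "pass", LAN, "any", quick=True),   # later rule, quick
    ]

def pbr_gateway(pbr_quick: bool) -> Optional[str]:
    return evaluate(pbr_ruleset(pbr_quick), "192.168.1.10", "8.8.8.8")[1]

# Two non-quick rules: the later block overrides the earlier pass (last match wins).
LAST_MATCH_RULES = [
    Rule("pass LAN out", "pass", LAN, "any"),
    Rule("block LAN to 10.0.0.5", "block", LAN, "10.0.0.5/32"),
]

if __name__ == "__main__":
    print(pbr_gateway(False))   # None: the later quick rule won, PBR gateway ignored
    print(pbr_gateway(True))    # WAN2_GW: quick PBR rule stops evaluation
    print(evaluate(LAST_MATCH_RULES, "192.168.1.10", "10.0.0.5"))
```

The model covers ordering and quick only; real pf rules also match on interface, direction, protocol and ports, and OPNsense evaluates floating rules before interface group and interface rules.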
#4
@xupetas, I have encountered the same problem as you after creating an OVPN server. Port reflection is not working when a user is connected to OVPN. However, the workaround is working like a charm. Thanks for the information.

The 'do not add/remove route' option in the new instances setup method is under the 'Miscellaneous' section > 'Option' > 'route-noexec'.