Messages

1

Virtual private networks / Re: How switching OpenVPN client on failover [RESOLVED]

« on: September 24, 2024, 01:47:45 am »

There is no need for scripting with devd etc.
Setting up a CARP-Alias for the WAN-interface, adjusting outgoing NAT and finally using this CARP-Address as  OpenVPN interface address is enough to get it running.
Perfectly 

OPNsense is such a wonderful product !

2

Virtual private networks / How switching OpenVPN client on failover

« on: September 21, 2024, 07:02:26 pm »

In a HA-cluster, the OpenVPN client on the backup/master must be disabled/enabled.
Should I do this with a script (devd + ifconfig) or is there an OPNsense internal way ?
The tunel provides IPv6 connectivity to the internet (default route) for some nets with static addresses.

Any tips welcome.

3

General Discussion / Re: <interface>:network contains only 1 net on dual stack interface [resolved]

« on: September 18, 2024, 10:33:13 pm »

I see:
the GUI "<interface> net" rule is split by pf into 2 rules, one for IP4 and one for IP6:
  pass in quick on vlan010 inet from (vlan010:network:1) to (vlan011:network:1) flags
  pass in quick on vlan010 inet6 from (vlan010:network:1) to (vlan011:network:1) flags
Each of them relates to only 1 net.

Thanks, Franco.
Ajr

4

General Discussion / <interface>:network contains only 1 net on dual stack interface

« on: September 18, 2024, 05:37:22 pm »

Some nets have both an IP4 and an IP6 address.
Looking at the rule set with pfctl shows only 1 net.

E.g.
  pass in quick on vlan010 inet from (vlan010:network:1) to (vlan011:network:1)

What could be the reason?
Both addresses are static.

IP6 addresses come from a openvpn tunnel, which may be not yet established wenn pf starts.
Other addresses come via DHCP6.

Should I use aliases instead of <if>:network ?

5

High availability / Re: XMLRPC syncing to none standard port on 24.7.4 [RESOLVED]

« on: September 18, 2024, 05:05:59 pm »

Using the URL fixed the problem.
Thanks Franco.

6

High availability / XMLRPC syncing to none standard port on 24.7.4

« on: September 16, 2024, 11:40:15 pm »

On a new HA setup, I try to get XMLRPC sync working.
I can reach the webGUI of the backup via pfsync interface from CLI at master with curl.
In HA setting/Synchronize Config, I have <ip4>:<port> .
Should that work ?
Where are sync errors logged ?

7

High availability / Re: migrating from single FW/router to HA setup

« on: September 09, 2024, 11:58:22 am »

. . .
All work was done in two evenings, in the maintenance time window,  first day the backup switch trunk and VLAN definitions, IP address planing, testing, basic functionality and main interfaces, the second all the remaining.  In the meantime, the Backup node was disabled. All the time, on every step I made backups of configurations of both firewalls, to step back if needed.

I am working now on two last functions: OpenVPN client access (using internal CA :-( ), and FRR.
. . .

Did you find a solution for the OpenVPN client access failover ?

I'm in the planning state of a new HA setup (adding 2nd node to existing master)  and found your description very helpfull.

8

General Discussion / NAT state expires too quickly

« on: November 13, 2023, 04:59:15 pm »

Hi,

I'm new to the forum and I started with OPNsense a week ago, but had experience with PF on OpenBSD.
By the way the PF GUI of OPNsense is very nice and seems to cover everything, I can do per CLI.

My problem: I'm seeing :

15:18:49.578790 00:0d:b9:48:5c:1d > cc:ce:1e:b3:75:7f, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 63, id 10937, offset 0, flags [none], proto UDP (17), length 79)
    192.168.178.11.12183 > 216.239.36.102.53: 28605+ [1au] A? python.org. (51)
15:18:49.616477 cc:ce:1e:b3:75:7f > 00:0d:b9:48:5c:1d, ethertype IPv4 (0x0800), length 114: (tos 0x0, ttl 60, id 41050, offset 0, flags [none], proto UDP (17), length 100)
    216.239.36.102.53 > 192.168.178.11.12183: 28605 Refused- 0/0/1 (72)

The dns query comes in from a vlan with a private net and is being NATed on the WAN interface.
However the answer gets "refused".
So why is the state gone?
Shouldn't all packets in the NATed flow allow to pass w/o any rule?
This is the WAN interface (igb1 on my pcengines APU)

I did not change settings and automatic rules.

ping to the remote host flows as expected. However, I have a floating rule to allow ICMP queries from any to any.

Please advice.