Messages - cliffwilliams44

#1
General Discussion / Re: Setting up OpenConnect
December 08, 2023, 05:33:03 PM
OK, apparently this plugin is not widely used or supported.
Opened an issue on GitHub about this.

Something kills OpenConnect in the boot process. I suspect it is somehow intentional because if you select 11) Restart all services from the console menu the system will hang after OpenConnect starts.

Would be nice if it could just be set to manual startup.

At this time it works but rather in an annoying way.

Power on OPNsense, OpenConnect starts, get Duo push notification for 2FA, system comes up but OpenConnect is stopped.
Go into System->Diagnostics->Services and start OpenConnect, get Duo push notification AGAIN and all is working.

I can live with it!
#2
General Discussion / Re: Cloud OPNsense FW
December 08, 2023, 05:23:26 PM
What cloud provider?
Most of them support IPsec VPNs. You really don't need a virtual device in the cloud unless you need something like Meraki that is a proprietary connection.
#3
What IP address is your OPNsense device getting from your ISP?

You say "public", but that's not always the case with modern ISPs.

If it is a 10.x.x.x, or 172.16.x.x or 192.168.x.x then this is a private IP address.

If so, under Interfaces -> [WAN] -> Generic configuration uncheck "Block private networks".

This is not a setting in pfSense, so if you are a previous pfSense user like me, this setting is a gotcha you are not expecting.
#4
General Discussion / Re: Multiple LAN's using same DHCP?
December 08, 2023, 03:45:16 AM
Are these physical NICs or virtual NICs?
Either way, if they are on the same subnet they can talk.

If you want all 3 of those subnets to talk to each other then you need a /22 subnet.

Again, unsure what the point is though.

VLANs can talk to each other; in OPNsense you have to configure firewall rules to allow traffic to flow between VLANs.

I'm just speaking from reading the documentation, I've never set this up and I'm new to OPNsense (I've used pfSense before).

VLANs might be overkill.

You probably want to configure your LAN side of OPNsense with 172.16.0.0/22
That gives you a network that supports 172.16.0.0 - 172.16.3.255
Your inside address for the OPNsense device can still be 172.16.1.1
Then 172.16.2.1 and 172.16.3.1 can talk to each other and to OPNsense.
Make sure you set up your DHCP on the LAN interface with subnet 172.16.0.0/22 and make sure your range starts above 172.16.1.1. You could completely exclude 172.16.0.0-172.16.1.255 and just use 172.16.2.1 - 172.16.3.255

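A worked check for the /22 plan above, added here as an example and not code from the thread or from OPNsense. It uses only Python's standard ipaddress module: the first function finds the smallest network that puts a set of hosts on one broadcast domain (the general case of "you need a /22"), the second validates a proposed DHCP pool against the gateway, the network address and the broadcast address. The addresses are the ones from the post; the 172.16.1.1/172.16.1.200 pair is a constructed input showing the /24 case.

```python
import ipaddress

# Constructed inputs taken from the thread: three hosts that the poster wants on
# one broadcast domain, plus the gateway and DHCP pool proposed for them.
HOSTS = ["172.16.1.1", "172.16.2.1", "172.16.3.1"]


def smallest_common_subnet(addrs):
    """Return the smallest IPv4 network containing every address in addrs.

    Starts from the first host as a /32 and widens the prefix one bit at a time
    until all the others fall inside it.
    """
    nets = [ipaddress.ip_network(a + "/32") for a in addrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def dhcp_pool_is_sane(network, gateway, pool_start, pool_end):
    """Return a list of problems with a DHCP pool; an empty list means it is fine.

    Checks that the pool lies inside `network`, does not hand out the gateway,
    the network address or the broadcast address, and that start <= end.
    """
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if gw not in net:
        problems.append("gateway outside network")
    if start not in net or end not in net:
        problems.append("pool outside network")
    if start > end:
        problems.append("pool start after end")
    if start <= gw <= end:
        problems.append("pool overlaps gateway")
    if start == net.network_address:
        problems.append("pool starts at network address")
    if end == net.broadcast_address:
        problems.append("pool ends at broadcast address")
    return problems


if __name__ == "__main__":
    net = smallest_common_subnet(HOSTS)
    print("smallest covering subnet:", net)
    print("last usable host:", net.broadcast_address - 1)
    print("pool .2.1-.3.254:", dhcp_pool_is_sane(net, "172.16.1.1", "172.16.2.1", "172.16.3.254"))
    print("pool .2.1-.3.255:", dhcp_pool_is_sane(net, "172.16.1.1", "172.16.2.1", "172.16.3.255"))
```

Running it reports 172.16.0.0/22 as the covering network and flags a pool that ends at 172.16.3.255, because in a /22 that address is the broadcast address; 172.16.3.254 is the last usable host.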
#5
General Discussion / Re: Multiple LAN's using same DHCP?
December 07, 2023, 07:45:25 PM
I'm not 100% sure what you are asking, but in a networking infrastructure if you want multiple subnets to be served by a single DHCP server you need to do DHCP relay.

This is usually done by setting up VLANs on a managed switch and setting the VLAN to forward DHCP packets to the address of the DHCP server in another subnet.

DHCP packets do not route, so without something like this it won't work.

In OPNsense, like other "modern" networking devices/software, you can set up VLANs assigned to interfaces.

Once your VLANs are set up and assigned to an interface you can configure DHCP for these VLANs.

Your interface will have an IP address, e.g. 192.168.100.1. Your DHCP will have the subnet 192.168.100.0/24. Then you can assign a scope to hand out addresses.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense#5-dhcp-configuration-for-automatic-ip-address-assignment

If Proxmox allows you to assign a VLAN ID to your virtual networks then this will work. I am not sure how you would do that if it doesn't.
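The relay mechanism described in the post, shown on the wire as an added example (not code from the thread or from OPNsense). A client's DHCPDISCOVER is a link-local broadcast with giaddr set to 0.0.0.0, which is why it never crosses a router; a relay agent on the client's VLAN rewrites giaddr to its own address on that VLAN, increments the hop count and forwards the packet as a unicast to the server, and the server then picks the scope by giaddr instead of by the interface the packet arrived on. The 192.168.100.0/24 scope is from the post; the 192.168.200.0/24 scope, the relay address and the MAC are constructed.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 951 / RFC 2131), 236 bytes, followed by the magic cookie
# and DHCP options: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR_INDEX, HOPS_INDEX = 10, 3

# Constructed server configuration: the scope from the post plus an assumed second VLAN.
SCOPES = {
    ipaddress.ip_network("192.168.100.0/24"): ("192.168.100.100", "192.168.100.200"),
    ipaddress.ip_network("192.168.200.0/24"): ("192.168.200.100", "192.168.200.200"),
}


def build_discover(xid, mac):
    """Constructed DHCPDISCOVER as a client sends it: BOOTREQUEST, broadcast flag
    set, every address field 0.0.0.0 (the client has no address yet)."""
    zero = b"\0" * 4
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         zero, zero, zero, zero,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # option 53 (DHCP message type) = 1 (DISCOVER), then 255 (end)
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay(packet, relay_ip):
    """What a relay agent (switch 'ip helper', SVI or the OPNsense VLAN interface)
    does before forwarding the request unicast to the server."""
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if fields[GIADDR_INDEX] == b"\0\0\0\0":
        # Only the first relay stamps giaddr; later hops must leave it alone so the
        # server still sees the client's subnet.
        fields[GIADDR_INDEX] = ipaddress.IPv4Address(relay_ip).packed
    fields[HOPS_INDEX] += 1
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def select_scope(packet, receiving_if_ip, scopes=SCOPES):
    """Server side: relayed requests are matched on giaddr, directly received
    broadcasts on the address of the interface they arrived on. Returns the
    matching network or None if no scope serves that subnet."""
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    giaddr = ipaddress.IPv4Address(fields[GIADDR_INDEX])
    key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(receiving_if_ip)
    for net in scopes:
        if key in net:
            return net
    return None


if __name__ == "__main__":
    discover = build_discover(0x3903F326, b"\x00\x11\x22\x33\x44\x55")
    print("direct on 192.168.100.1 ->", select_scope(discover, "192.168.100.1"))
    relayed = relay(discover, "192.168.200.1")
    print("relayed via 192.168.200.1 ->", select_scope(relayed, "192.168.100.1"))
```

Note that the relayed packet is served from the 192.168.200.0/24 scope even though it reaches the server on its 192.168.100.1 interface: that is the whole point of giaddr, and it is also why the firewall rule on the server-side interface has to allow unicast UDP/67 from the relay's address, not just broadcast traffic.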
#6
General Discussion / Re: Setting up OpenConnect
December 07, 2023, 07:21:54 PM
OK, I can get this working now. The handshake error doesn't prevent traffic from working.
I have an outbound NAT from {my LAN subnet}/24 to {my corp subnet}/8 and it works. I can ping hosts inside my corporate network from a host inside my LAN subnet.

Now the problem: if I reboot OPNsense, openconnect starts, I get a push notification for 2FA, it seems to connect and then I see this in the logs:

2023-12-07T13:06:45 Notice kernel <6>ocvpn0: link state changed to DOWN

Log onto the console and issue this command:

root@OPNsense:~ # /usr/local/etc/rc.d/opnsense-openconnect status
openconnect is not running.

If I start it manually:

root@OPNsense:~ # /usr/local/etc/rc.d/opnsense-openconnect start
starting openconnect
DTLS handshake failed: 2
ifconfig: interface tun30000 does not exist
ocvpn0

Now it works:

cwilliams-local@mgmntwkst:~$ ping -c3 10.46.128.254
PING 10.46.128.254 (10.46.128.254) 56(84) bytes of data.
64 bytes from 10.46.128.254: icmp_seq=1 ttl=61 time=84.0 ms
64 bytes from 10.46.128.254: icmp_seq=2 ttl=61 time=82.3 ms
64 bytes from 10.46.128.254: icmp_seq=3 ttl=61 time=86.6 ms

--- 10.46.128.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 82.280/84.282/86.590/1.772 ms


Why is this not starting properly on startup? I don't see anything in the logs that would point out what the problem is.
#7
General Discussion / Re: Monitoring Zabbix
December 06, 2023, 08:42:23 PM
Quote from: spetrillo on December 06, 2023, 07:45:29 PM
I believe that is considered an active check, which is where I was going to look at. I am also considering writing an OPNsense template, that would show the application components running on an OPNsense firewall.

Yes, you can do that. Anything you can script you can use as an active check, just send the results of the script to stdout.

A word of warning: you have to be careful with scripted active checks. The old saying in quantum physics "To monitor a quantum phenomenon is to change it" also holds true with monitoring a computer system. You can seriously impact performance if your active check is called too often.

A few versions back in Zabbix the SQL template used active checks and if you just accepted the default 1 minute item interval it would bring your SQL server to its knees! That was a hard lesson learned!
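An example of the kind of scripted check the post describes, added here and not taken from the thread, from Zabbix or from OPNsense. It reports whether an OPNsense service is running by calling its rc.d script's `status` action (the path and the "openconnect is not running." output quoted earlier in the thread), prints a single integer for Zabbix, and caches the answer for a configurable interval so that a short item interval cannot hammer the box. The script name, the cache file location and the 60-second TTL are assumptions; the UserParameter line in the comment uses Zabbix's documented `key[*]` / `$1` syntax.

```python
#!/usr/bin/env python3
"""Report an OPNsense service as 1 (running) or 0 (stopped) for Zabbix.

Assumed zabbix_agentd.conf line (script path is an assumption):
    UserParameter=opnsense.service[*],/usr/local/bin/opnsense_svc_status.py $1
Item key on the server side: opnsense.service[opnsense-openconnect]
"""
import json
import os
import subprocess
import sys
import time

RC_DIR = "/usr/local/etc/rc.d"                 # where the opnsense-* rc scripts live
CACHE_FILE = "/tmp/opnsense_svc_status.json"   # assumed location
CACHE_TTL = 60                                 # seconds; never poll the service more often


def parse_status_output(text):
    """Map rc.d 'status' output to an integer Zabbix can graph and trigger on.

    FreeBSD rc scripts print "<name> is running as pid N." or
    "<name> is not running."; anything else is treated as down.
    """
    t = text.strip().lower()
    if " is not running" in t:
        return 0
    if " is running" in t:
        return 1
    return 0


def query_service(name, runner=subprocess.run):
    """Run the rc.d status script for `name`. `runner` is injectable so the
    decision logic can be exercised without a real OPNsense box."""
    if "/" in name or name.startswith("."):
        raise ValueError("service name must be a bare rc.d script name")
    proc = runner([os.path.join(RC_DIR, name), "status"],
                  capture_output=True, text=True, check=False)
    return parse_status_output(proc.stdout)


def cached(name, now, cache, ttl=CACHE_TTL, query=query_service):
    """Return (value, refreshed). Re-query only when the cached entry is older
    than `ttl`; this is what keeps an aggressive item interval harmless."""
    entry = cache.get(name)
    if entry is not None and now - entry["ts"] < ttl:
        return entry["value"], False
    value = query(name)
    cache[name] = {"ts": now, "value": value}
    return value, True


def load_cache(path=CACHE_FILE):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_cache(cache, path=CACHE_FILE):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(cache, fh)
    os.replace(tmp, path)   # atomic so a concurrent agent poll never reads a torn file


if __name__ == "__main__":
    service = sys.argv[1] if len(sys.argv) > 1 else "opnsense-openconnect"
    state = load_cache()
    value, _ = cached(service, time.time(), state)
    save_cache(state)
    print(value)
```

The service name is validated before it is joined onto RC_DIR because the argument arrives from the Zabbix server's item key; without that check an item key such as `opnsense.service[../../bin/sh]` would execute an arbitrary script as the agent user.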
#8
General Discussion / Re: Monitoring Zabbix
December 06, 2023, 03:44:17 PM
Quote from: Patrick M. Hausen on December 06, 2023, 09:23:11 AM
Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
OPNsense is FreeBSD, there is a Zabbix client for FreeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

Thanks, I was looking under the packages.
#9
General Discussion / Re: Monitoring Zabbix
December 06, 2023, 03:42:53 PM
Quote from: spetrillo on December 06, 2023, 02:50:01 AM
Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
Quote from: spetrillo on November 25, 2023, 02:50:13 AM
Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a Zabbix client for FreeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for FreeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but it's not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

There is a template for OPNsense.

https://www.zabbix.com/integrations/opnsense
#10
General Discussion / Setting up OpenConnect
December 06, 2023, 02:23:00 AM
I read several articles on this but I must be missing something, I can't get this to work.

Destination is a Cisco AnyConnect VPN.

I configure the VPN with my username and password, it connects and I get my 2FA push prompt.

I do see "DTLS handshake failed: 2" in the logs.
#11
General Discussion / Re: Monitoring Zabbix
December 06, 2023, 01:54:32 AM
Quote from: spetrillo on November 25, 2023, 02:50:13 AM
Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a Zabbix client for FreeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for FreeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

#12
Quote from: Patrick M. Hausen on December 04, 2023, 08:44:53 AM
Interfaces > WAN > Block private networks.

Uncheck that feature.

Yeah, I struggled with this for a whole day.

It would be nice if, when you configure the WAN interface, it would detect it has a private IP and warn you to uncheck this option or prompt you to turn it off.

It would save newbies like me some headaches.