Messages - forum111

#1
Hardware and Performance / OPNsense Fatal Bug 10G
December 14, 2024, 11:42:37 PM
OPNsense after version 20.1 has a fatal architecture and kernel-type bug related to 10G SFP+ and ESXi vmxnet3 devices.

pfSense is shit!!! Big fucking license shit. The developers of pfSense wait for the OPNsense community to fix the bug. Do you know why pfSense is not updated with the latest FreeBSD kernel?

If OPNsense cannot fix the bug, then why the fuck should we use the new version? 10Gbps decreases to 2Gbps. These are the latest OPNsense versions after 20.1. This is a fiasco.

Will you fix the problem, or are we going to move back to 20.1? Those **** from pfSense are very clever. And no! I am not going to migrate to pfSense.

Please update the new OPNsense with the old FreeBSD kernel!!! Fix the problem in the developer release, not in stable. A stable release cannot allow changes which decrease speed by 8Gbps. Who is the developer responsible for the fiasco? Oh, I know why!!! The pfSense one.

Windows virtual machine <-> OPNsense virtual machine
interface vmxnet3 10G SFP+
C:\>iperf3.exe -c 192.168.2.1  -p 10570
Connecting to host 192.168.2.1, port 10570
[  5] local 192.168.2.4 port 49827 connected to 192.168.2.1 port 10570
[ ID] Interval          Transfer    Bitrate
[  5]  0.00-1.00  sec  103 MBytes  866 Mbits/sec
[  5]  1.00-2.00  sec  101 MBytes  848 Mbits/sec
[  5]  2.00-3.00  sec  90.0 MBytes  755 Mbits/sec
[  5]  3.00-4.00  sec  69.4 MBytes  582 Mbits/sec
[  5]  4.00-5.00  sec  97.9 MBytes  821 Mbits/sec
[  5]  5.00-6.00  sec  101 MBytes  848 Mbits/sec
[  5]  6.00-7.00  sec  86.0 MBytes  723 Mbits/sec
[  5]  7.00-8.00  sec  67.4 MBytes  564 Mbits/sec
[  5]  8.00-9.00  sec  93.2 MBytes  784 Mbits/sec
[  5]  9.00-10.00  sec  101 MBytes  847 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval          Transfer    Bitrate
[  5]  0.00-10.00  sec  911 MBytes  764 Mbits/sec                  sender
[  5]  0.00-10.00  sec  911 MBytes  764 Mbits/sec                  receiver

iperf Done.



#2
Why? I want to block just two IPs of attackers. All others are allowed.
Rule 1: block list
Rule 2: allow all requests
#3
Agreed, most of the IPs are cloud machines used for spam, attacks, etc.

The external network is outside my local network.

For WAN, I want to add a rule:
- block requests from the external network (web) that attempt, for example, to send a ping to my router. Which is source and which is destination? For example: source is blocked_ip, destination is any.
#4
I do not want to block VPN clients who are trying to connect to my VPN server. I want to block all requests from the external web to the internal network. I do not understand the direction: (source: BLOCK_IP_LIST, destination: any) or the reverse?

Block_ip_list is a firewall alias with an IP list of attackers (hackers list).

Quote from: chemlud on August 23, 2024, 03:27:17 PM
What is not ALLOWed on your VPN interface is blocked by default. No need for a specific block rule. Simply only allow clients/ports you want to happen and it should work.
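To make the source/destination question concrete, here is an added example (not from the thread and not OPNsense code) that simulates first-match evaluation of the inbound WAN rules the posts above describe. The alias contents, the client address and the Packet/Rule helpers are constructed; the WAN address 192.168.100.65 and the "1 block list, 2 allow" order come from the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the BLOCK_IP_LIST alias (documentation ranges, not real attackers).
BLOCK_IP_LIST = [ipaddress.ip_network(n) for n in ("198.51.100.7/32", "203.0.113.0/24")]
WAN_ADDRESS = ipaddress.ip_address("192.168.100.65")  # router WAN IP mentioned in the posts

@dataclass
class Packet:
    src: str    # where the packet comes from
    dst: str    # where it is going
    proto: str  # "udp" or "tcp"
    dport: int  # destination port

@dataclass
class Rule:
    action: str                            # "block" or "pass"
    src: Optional[List]                    # networks the source must be in, or None for "any"
    dst: Optional[ipaddress.IPv4Address]   # exact destination address, or None for "any"
    proto: Optional[str]                   # protocol, or None for "any"
    dport: Optional[int]                   # destination port, or None for "any"
    label: str

    def matches(self, p: Packet) -> bool:
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return ((self.src is None or any(s in n for n in self.src))
                and (self.dst is None or d == self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins (OPNsense 'quick', the GUI default); nothing matched = default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.label
    return "block", "default deny"

# Inbound on WAN: the attacker is the SOURCE, the firewall's WAN address is the DESTINATION.
BLOCK_RULE = Rule("block", BLOCK_IP_LIST, None, None, None, "block BLOCK_IP_LIST -> any")
VPN_RULE = Rule("pass", None, WAN_ADDRESS, "udp", 1194, "allow OpenVPN to WAN address")
WAN_RULES = [BLOCK_RULE, VPN_RULE]     # order from the posts: 1 block list, 2 allow
WRONG_ORDER = [VPN_RULE, BLOCK_RULE]   # allow first: the block rule never sees VPN traffic

if __name__ == "__main__":
    attacker = Packet("203.0.113.9", str(WAN_ADDRESS), "udp", 1194)
    client = Packet("192.0.2.10", str(WAN_ADDRESS), "udp", 1194)
    for name, rules in (("correct order", WAN_RULES), ("wrong order", WRONG_ORDER)):
        print(name, "attacker:", evaluate(rules, attacker), "client:", evaluate(rules, client))
```

Listed attackers are blocked even on the OpenVPN port, unlisted VPN clients still pass, and anything not explicitly allowed (port 80 from outside, for instance) falls through to the default deny; with the allow rule first, the block list is never consulted for port 1194.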
#5
General Discussion / Firewall Source or destination
August 23, 2024, 03:17:29 PM
I do not know how to block a list of IPs. I want to block attackers from outside.
I have an OpenVPN interface for external VPN clients. Please take a look at what I have made. Is this the correct way?

I just want to block external requests to VPN clients (from external clients to internal VPN clients).

On the router the OpenVPN server is running and the OpenVPN interface is part of the entire network workflow.

#6
Revert back to the old MAC,
then restart.

Then call from the CLI:
ifconfig em0
dhclient em0

I still cannot get the interface to be shown in the OPNsense top interfaces list. Then I added a new redundancy virtual interface as a second WAN. After rebooting I can get into the router and switch back to the original interface, from em1 to em0.

At the end, remove em1.

It was really hard... Something is totally wrong with these MAC updates.
#7
How is this related to a hardware problem such as an entire interface (WAN) missing?
Now WAN is assigned to a different interface, different hardware. My emu0 is missing entirely.
Also, how do I clear this ARP with a command?

Quote from: Patrick M. Hausen on March 18, 2024, 04:55:54 PM
Delete the ARP cache on the systems you are using to access the firewall.
#8
192.168.1.1 took too long to respond
Try:

Running network diagnostics with Get Help
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_TIMED_OUT

What? I just changed the virtual MAC address on all interfaces and everything is completely gone. I cannot even access the web GUI on port 80. How to fix this from a CLI command?

It seems the emu0 interface is gone? What? The entire interface cannot work at all. How to fix this with a CLI command?


#9
I try to attach images but it gives me the error: "Your file is too large. The maximum attachment size allowed is 256 KB."

We cannot upload a simple image. Make the max file size 10MB.

256KB is too small for the modern world.
#10
Quote from: forum111 on February 28, 2024, 10:34:04 PM
OpenVPN with DDNS returns an error when a client is trying to connect:

It turns out I have many problems. Some of those problems are now fixed. The first problem was that the DDNS configuration was not working.
I found a solution and now it is OK. I am now seeing my ISP external IP in the DDNS config table.

The IP is 78.83.81.*. This is my external IP from the ISP.
I do not have access to the ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router has WAN IP: 192.168.100.*
My router is behind the ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.com
I set up one port forwarding rule:

source port: * destination address: WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN IP)
NAT PORT REDIRECT: 1194
My router LAN IP is 192.168.2.1; it is a virtual machine on ESXi.
My router WAN IP is 192.168.100.65. I try to check whether port 1194 on 78.83.81.168 is open.
I use a tool from an external network to check. The IP 78.83.81.168 is the external IP of the ISP router.
I do not have access to the ISP router. Now the question is: will the port forwarding work?
All is made in my router.

I located those comments. Still, what is the correct way to resolve the problem?

You can change it permanently in the OpenSSL configuration. Just modify the file /etc/ssl/openssl.cnf

Find the [default_sect] section and change it to:

[default_sect]
activate = 1
[legacy_sect]
activate = 1
Then find the [provider_sect] and use:

[provider_sect]
default = default_sect
legacy = legacy_sect
Save the file.
#11
It turns out I have many problems. Some of those problems are now fixed. The first problem was that the DDNS configuration was not working.
I found a solution and now it is OK. It shows me that my external IP from the ISP is OK.

The IP is 78.83.81.101. This is my external IP from the ISP.
I do not have access to the ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router has WAN IP: 192.168.100.*
My router is behind the ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.com
I set up one port forwarding rule:

source port: * destination address: WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN IP)
NAT PORT REDIRECT: 1194
My router LAN IP is 192.168.2.1; it is a virtual machine on ESXi.
My router WAN IP is 192.168.100.65. I try to check whether port 1194 on 78.83.81.168 is open.
I use a tool from an external network to check. The IP 78.83.81.168 is the external IP of the ISP router.
I do not have access to the ISP router. Now the question is: will the port forwarding work?
All is made in my router.



Quote from: mimugmail on February 29, 2024, 07:45:27 AM
Best is to:

- Update OPNsense to latest version
- Set the config of OpenVPN server to best practice (opnsense docs)
- Recreate certificates for the users (no p12)
- Export new profiles
- Install latest OpenVPN on the clients https://openvpn.net/community-downloads/
- Import profile and enjoy
#12
I did that and now I have a new error which I am not sure is related to any problem with OPNsense.

Today's error is "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"

https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

OpenVPN says the error may be related to: "A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine."

I did make the firewall rule and the port forwarding too, and the error was not fixed. One reason for that may be that the ISP blocks all ports.
I sent a request to my ISP and hope to find out the reason for the problem soon.



#13
Great help. How do I check if it works?


Quote from: doktornotor on November 14, 2023, 08:13:42 AM
Took a while to get it working. You get the data from https://freedns.afraid.org/dynamic/v2/?style=2 (v1 is not usable with ddclient). Also, the "native" backend is crucial, otherwise it will not work.

General settings:
Backend: Native

Service: custom
Protocol: DynDNS 2
Server: sync.afraid.org
Username/Password: Your FreeDNS username/password
Hostname(s): Your FreeDNS FQDN there
Check IP Method: FreeDNS
Interface to monitor: WAN
Force SSL: ticked
#14
OpenVPN with DDNS returns an error when a client is trying to connect:

It turns out I have many problems. Some of those problems are now fixed. The first problem was that the DDNS configuration was not working.
I found a solution and now it is OK. It shows me that my external IP from the ISP is OK.

The IP is 78.83.81.101. This is my external IP from the ISP.
I do not have access to the ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router has WAN IP: 192.168.100.*
My router is behind the ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.com
I set up one port forwarding rule:

source port: * destination address: WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN IP)
NAT PORT REDIRECT: 1194
My router LAN IP is 192.168.2.1; it is a virtual machine on ESXi.
My router WAN IP is 192.168.100.65. I try to check whether port 1194 on 78.83.81.168 is open.
I use a tool from an external network to check. The IP 78.83.81.168 is the external IP of the ISP router.
I do not have access to the ISP router. Now the question is: will the port forwarding work?
All is made in my router.

I located those comments. Still, what is the correct way to resolve the problem?

You can change it permanently in the OpenSSL configuration. Just modify the file /etc/ssl/openssl.cnf

Find the [default_sect] section and change it to:

[default_sect]
activate = 1
[legacy_sect]
activate = 1
Then find the [provider_sect] and use:

[provider_sect]
default = default_sect
legacy = legacy_sect
Save the file.

#15
General Discussion / Virtual Machine FIN_WAIT State
February 11, 2024, 09:04:53 PM

Only one machine cannot access the web GUI of the router.
In the firewall, for that machine the last log is:
state: FIN_WAIT_2:FIN_WAIT_2 Arule: anti-lock rule

The machine can ping the router.
When trying to access port 80 to open the web GUI of the OPNsense router, the browser on the client machine just keeps loading and never gets any response from the router. It stays like that, just loading. From another machine I do not have the problem and I can access the web GUI. This is how I see the logs.