Messages - athisesanr

#1
Hi Folks,

I am just trying to understand the master and slave election using the CARP advertised skew (to determine which physical or virtual machine has a higher priority, the advertised skew is used; a lower skew means a higher score).

Now the question is: if I have 10 connections, meaning I have 10 virtual IPs, and by default I did not configure any advertised skew, and did not even disable preempt, on the 2nd firewall, then how will the CARP master be selected?

I can see on my two machines, FW01 and FW02, that FW01 is always master; even if I reboot it, it may go to slave and then back to master once FW01 is up again.

So, what is the calculation behind the master selection if everything is at the default value on both machines?


Thanks,
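
As an added illustration for the election question above (not part of the post, and not OPNsense or FreeBSD code), the following Python models the advertisement comparison that OPNsense inherits from FreeBSD's CARP implementation. The three rules are my own simplification of sys/netinet/ip_carp.c; the node names, skew values and scenarios are constructed. It shows that with identical advbase/advskew on both nodes the node that came up first keeps MASTER and a rebooted node does not win it back, so a node that always regains MASTER must be advertising a lower skew than its peer, which `ifconfig <interface>` reports on each node in its `carp:` line.

```python
"""Toy model of the CARP advertisement rules OPNsense inherits from FreeBSD.

Constructed for this thread; it is not OPNsense or FreeBSD code. The three rules
below are my simplification of sys/netinet/ip_carp.c (carp_input_c and the
master-down timer): timers are replaced by explicit calls, and the demotion
counter and IP-address tie-break are left out.
"""
from dataclasses import dataclass

MASTER, BACKUP = "MASTER", "BACKUP"


@dataclass
class CarpNode:
    name: str
    advbase: int = 1        # seconds between advertisements (default 1)
    advskew: int = 0        # 0..254, adds advskew/256 s to the interval (default 0)
    preempt: bool = True    # net.inet.carp.preempt; the "Disable preempt" setting turns it off
    state: str = BACKUP     # a fresh node starts in BACKUP and waits for adverts

    def adv(self):
        """What the node advertises; compared like a timeval, lower is better."""
        return (self.advbase, self.advskew)

    def dead_time(self):
        """Silence a BACKUP tolerates before it declares the master gone: 3 intervals."""
        return 3 * (self.advbase + self.advskew / 256)

    def master_down(self):
        """Dead timer fired: no advertisement heard for dead_time() seconds."""
        self.state = MASTER

    def on_advert(self, adv):
        """Advertisement received from a node that believes it is MASTER."""
        if self.state == MASTER:
            # Rule 1: a MASTER hearing an equal-or-better advert steps down.
            if self.adv() >= adv:
                self.state = BACKUP
        elif self.preempt and self.adv() < adv:
            # Rule 2: a BACKUP with preempt takes over only if strictly better.
            self.state = MASTER
        # Rule 3: otherwise the BACKUP resets its dead timer and stays BACKUP.


def exchange(a, b):
    """One advertisement round: adverts cross in flight, then both nodes react."""
    a_adv = a.adv() if a.state == MASTER else None
    b_adv = b.adv() if b.state == MASTER else None
    if a_adv is not None:
        b.on_advert(a_adv)
    if b_adv is not None:
        a.on_advert(b_adv)
    return a.state, b.state


def equal_defaults():
    """Both nodes at advbase 1 / advskew 0: FW01 boots first, FW02 joins, FW01 reboots."""
    fw01, fw02 = CarpNode("FW01"), CarpNode("FW02")
    fw01.master_down()                   # alone, FW01 times out and becomes MASTER
    before = exchange(fw01, fw02)        # FW02 joins and hears an equal advert
    fw01.state = BACKUP                  # FW01 reboots and comes back as BACKUP
    fw02.master_down()                   # FW02 stops hearing FW01 and takes over
    after = exchange(fw01, fw02)         # FW01 hears FW02's equal advert
    return before, after


def skewed_backup(skew=100, preempt=True):
    """FW02 (advskew=skew) holds MASTER while FW01 (advskew 0) was down; FW01 returns."""
    fw01 = CarpNode("FW01", advskew=0, preempt=preempt)
    fw02 = CarpNode("FW02", advskew=skew, state=MASTER)
    exchange(fw01, fw02)                 # FW01 hears the worse advert
    return exchange(fw01, fw02)          # FW02 hears FW01 if it took over


def split_brain(skew01=0, skew02=0):
    """Both nodes MASTER (adverts were not delivered); then adverts start flowing."""
    fw01 = CarpNode("FW01", advskew=skew01, state=MASTER)
    fw02 = CarpNode("FW02", advskew=skew02, state=MASTER)
    return exchange(fw01, fw02)


if __name__ == "__main__":
    print("equal defaults, before/after FW01 reboot:", equal_defaults())
    print("FW02 skew 100, FW01 returns:", skewed_backup())
    print("FW02 skew 100, FW01 returns without preempt:", skewed_backup(preempt=False))
    print("split brain, equal skew:", split_brain())
    print("split brain, FW02 skew 100:", split_brain(skew02=100))
```

With equal values the model returns ("MASTER", "BACKUP") before the reboot and ("BACKUP", "MASTER") after it; only a lower skew on FW01 (with preempt on) brings it back to MASTER. The split-brain case with equal skew ends with both nodes in BACKUP for one round, which is the "both Backup" symptom a two-master cluster shows the moment its advertisements start being delivered.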

#2
Hi All,

This issue got resolved after adding a manual SPD entry in IPsec for the source IP of the reply from site B.

For example, I added 10.10.10.15/32 as a manual SPD entry.


Thanks all.


#3
Hi Folks,

I have a question regarding IPsec with DNAT and SNAT, as per the steps below that I'm trying on an OPNsense FW.

These steps are configured and I am checking the connections:

- IPsec between Site A (OPNsense) and Site B (FortiGate)     (policy-based tunnel, up)
- Site A has a local network of 100.100.100.0/27
- Site B has a local network of 100.200.100.0/27
- Site A has some VLAN connectivity to its internal VLAN network (such as 10.10.10.15)
- Site B wants to connect to 10.10.10.15 through the NAT IP 100.100.100.10 - this IP was chosen as a free IP from the Site B local subnet.
- Ensured that the Site A local subnet 100.100.100.0/27 has connectivity to 10.10.10.15
- Able to reach, from Site B, the Site A local subnet IPs configured on OPNsense, such as the interface IP and CARP IP.
- Unable to reach, from Site B, the Site A IP 100.100.100.10, which is NATed to 10.10.10.15
- Having a port forward NAT (DNAT) on the IPsec interface like below:
          (src 100.200.100.10, dst 10.10.10.15, translated 100.100.100.10)
- Having an outbound NAT (SNAT) on the internal VLAN interface like below:
          (src 100.200.100.10, dst 100.100.100.10, translated 10.10.10.15)


So, checking the traffic, I am able to get the reply from the VLAN network, but I couldn't ping from site B to the OPNsense internal VLAN network via NAT.

16:27:31.135755 IP 100.100.100.10 > 10.10.10.15: ICMP echo request, id 14098, seq 1628, length 64
16:27:31.136089 IP 10.10.10.15 > 100.100.100.10: ICMP echo reply, id 14098, seq 1628, length 64

Hence, I think I am missing something in NAT; can anyone guide me here?

Please note all the interface rules are any-any.

Thanks,

#4
Hi Patrick,

I understand, and I meant "team" as the number of users :). I am also just trying to find out whether someone has experienced the same issue in their previous deployments.

And I found a similar case here: https://forum.opnsense.org/index.php?topic=37435.0

The 37435.0 conversation above says that LDAP users need to be imported manually, which I did and it is working fine; but if I try a group, let's say group xyz, which has multiple individual users, that is where I am having the issue.

Thanks,
Athisesan R
#5
Team, has anyone had a look at this request? Is there any past experience that could solve it, or any workarounds available?

Thanks,
Athisesan
#6
24.1, 24.4 Legacy Series / OpnSense remote Backup
May 16, 2024, 11:10:59 AM
Hi Team,

I'm checking the backup possibilities of OPNsense; only local and cloud backup are available from the UI.

Is there any way to send a backup from OPNsense to a target backup server within the LAN, or any API query to run the config backup from the backup device against the OPNsense VM directly?

Thanks,
Athisesan R
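
As an added example of the "pull from the backup device" direction asked about above (not from the post, and not OPNsense's own tooling), the following Python pulls the running configuration from a firewall over its HTTPS API and stores it with a checksum on a LAN backup host. Two things are assumptions to verify against the API reference of the installed version: that `GET /api/core/backup/download/this` returns the current config.xml, and that an API key/secret pair is accepted as HTTP basic-auth credentials. The host, key, environment variable names and the sample config.xml at the bottom are constructed; the sample lets the verify/store part run without a firewall.

```python
"""Pull a config backup from an OPNsense firewall to a LAN backup host.

Added example for this thread, not OPNsense code. Assumptions to verify against
the API reference of the installed version: the firewall answers
GET /api/core/backup/download/this with the current config.xml, and accepts an
API key/secret pair as HTTP basic-auth credentials. The sample XML at the bottom
is constructed so the verify/store part can be exercised without a firewall.
"""
import base64
import datetime
import hashlib
import os
import pathlib
import ssl
import tempfile
import urllib.request
import xml.etree.ElementTree as ET

BACKUP_PATH = "/api/core/backup/download/this"   # assumed endpoint, see docstring


def auth_header(key, secret):
    """API credentials travel as HTTP basic auth: key as user, secret as password."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def fetch_config(host, key, secret, cafile=None, timeout=30):
    """GET the running config over HTTPS. cafile pins the firewall's CA; verification is never disabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}{BACKUP_PATH}", headers=auth_header(key, secret))
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def verify_config(data):
    """Refuse to store anything that is not a parseable OPNsense config; return its metadata."""
    root = ET.fromstring(data)
    if root.tag != "opnsense":
        raise ValueError(f"not an OPNsense config, root element is {root.tag!r}")
    hostname = root.findtext("system/hostname")
    if not hostname:
        raise ValueError("config has no system/hostname")
    return {
        "hostname": hostname,
        "revision_time": root.findtext("revision/time", ""),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def store_config(data, directory, now=None):
    """Write config-<host>-<utc timestamp>.xml plus a .sha256 sidecar; never overwrite."""
    meta = verify_config(data)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    name = f"config-{meta['hostname']}-{now:%Y%m%dT%H%M%SZ}.xml"
    path = pathlib.Path(directory) / name
    # 'x' mode fails if the file exists, so a re-run cannot clobber an earlier backup
    with open(path, "xb") as fh:
        fh.write(data)
    path.with_suffix(".sha256").write_text(f"{meta['sha256']}  {name}\n")
    os.chmod(path, 0o600)   # config.xml carries secrets (API keys, VPN PSKs, password hashes)
    return path


# Constructed sample, not a real firewall's configuration.
SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
    <domain>example.internal</domain>
  </system>
  <revision>
    <time>1715850000.0000</time>
    <description>constructed sample, not a real firewall</description>
  </revision>
</opnsense>
"""


def demo():
    """Run the offline part against the constructed sample; returns (path, metadata)."""
    fixed = datetime.datetime(2024, 5, 16, 11, 10, 59, tzinfo=datetime.timezone.utc)
    path = store_config(SAMPLE_CONFIG, tempfile.mkdtemp(), now=fixed)
    return path, verify_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    # OPN_HOST / OPN_KEY / OPN_SECRET / OPN_CA are names chosen for this example.
    host, key, secret = (os.environ.get(v) for v in ("OPN_HOST", "OPN_KEY", "OPN_SECRET"))
    if host and key and secret:
        saved = store_config(fetch_config(host, key, secret, cafile=os.environ.get("OPN_CA")), ".")
        print("saved", saved)
    else:
        print("no OPN_HOST/OPN_KEY/OPN_SECRET set; offline demo:", demo())
```

Run it from cron on the backup host with a dedicated API user that holds only the backup privilege, and hand it the firewall's CA certificate so the connection is pinned rather than trusting whatever the LAN presents; the `.sha256` sidecar is what a later restore should be checked against.
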
#7
24.1, 24.4 Legacy Series / OpnSense Upgrade Query
May 16, 2024, 11:08:22 AM
Hi Team,

I'm looking into the possibility of a direct upgrade without using a mirror, e.g. downloading the latest patch and transferring it to a specific folder in the OPNsense shell to run the upgrade check and upgrade commands.

Currently I'm using version 24.1, which can be upgraded from the mirror once the firewall has an internet connection.

Thanks,
Athisesan Ramar
#8
Hi Team,

I am trying to configure an RBAC policy using Microsoft LDAP.

The LDAP configuration is done and I am able to test it; logins with LDAP IDs are successful.

While importing the required LDAP IDs into users and enabling groups for them, the users get automatically removed from the groups on login.

Has anyone faced this issue previously, and can anyone help to sort it out?

Thanks,
Athisesan R

#9
Thanks, I did install it and am getting some error at the vCenter layer; let me solve that and update this case to the solved category.
#10
Hi Team,

I'm looking for docs on VMware Tools installation for an OPNsense VM running on the VMware platform.

Can anyone assist with how to install VMware Tools on an OPNsense VM on the VMware platform?

Thanks,
Athisesan R
#11
Hi Team,

Finally, I fixed the CARP issue at the VMware ESXi DVS level by using the VMware MAC learning option.

Follow these steps:
- Form the VIP between the OPNsense FWs
- Edit the DVS port group security from vCenter
- Change the settings like this:

       Promiscuous mode - Reject
       MAC address changes - Reject
       Forged transmits - Reject

       MAC Learning
         Status - Enabled
         Allow unicast flooding - Enabled
         MAC limit - 4096
         MAC limit policy - Allow

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-networking/GUID-E0246B3D-9FB1-4976-8217-5C085863EA9A.html

Thanks,
Athisesan R
#12
Hi

I enabled promiscuous mode on the connected DVS port group and am now observing the status as "Backup" on both firewalls.

I couldn't work out where the pfSense or VMware VRRP docs apply here.

https://communities.vmware.com/t5/vSphere-vNetwork-Discussions/Can-t-ping-virtual-router-IP-in-VRRP/td-p/854331
https://www.reddit.com/r/vmware/comments/hh63yd/dvswitch_not_passing_multicast/

Thanks,
Athisesan
#13
Hi Monviech,

I'm using a DVS with a port group, so is it required to enable forged transmits in the DVS port-group security?

Thanks,
Athisesan R

#14
Hi,

Many thanks Franco and Patrick for the brief view of the API part, and for the suggestion to consider editing the XML for particular portions only, such as nat/rules and legacy IPsec, until the full-function API is available in the OPNsense system.

Thanks,
Athisesan R
#15
Hi Team,

I recently installed OPNsense on the VMware ESXi platform; the deployment completed and I tried to get CARP formed between the two machines, but unfortunately I'm getting master on both machines.

I did troubleshooting on the rules, which are placed correctly, and HA sync is working as expected; I can also see the CARP protocol running (224.0.0.1 and 224.0.0.18) on the interfaces.

I tried a restart, CARP disable and persistent mode; those are not helping, and I thoroughly checked that the virtual IP configuration is in place as it is.

I am receiving the IANA ARP entries from the connected top-layer physical firewall:
      100.100.102.250   7          00:00:5e:00:01:0a >>>> VIP
      100.100.102.252   0          00:50:56:90:01:6a >>>> FW1
      100.100.102.253   1          00:50:56:90:a5:82 >>>> FW2

I upgraded the system and the issue still remains the same.

The CARP issue is faced on OPNsense versions 24.1 and 24.1.5_3-amd64.

General log entries that we are receiving on both machines:

2024-04-17T23:46:57   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Resyncing OpenVPN instances for interface (100.100.102.250).   
2024-04-17T23:46:57   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (100.100.102.250) (10@vmx0)" has resumed the state "MASTER" for vhid 10   
2024-04-17T23:46:53   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Resyncing OpenVPN instances for interface (100.100.102.250).   
2024-04-17T23:46:53   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (100.100.102.250) (10@vmx0)" has resumed the state "BACKUP" for vhid 10   
2024-04-17T17:47:42   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Resyncing OpenVPN instances for interface (100.100.102.250).   
2024-04-17T17:47:42   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (100.100.102.250) (10@vmx0)" has resumed the state "MASTER" for vhid 10   
2024-04-17T17:47:38   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Resyncing OpenVPN instances for interface (100.100.102.250).   
2024-04-17T17:47:38   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (100.100.102.250) (10@vmx0)" has resumed the state "BACKUP" for vhid 10

So, can anyone help me out with how to resolve this issue?

Thanks,
Athisesan R
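
As an added example of how to read the log lines quoted above from both nodes together (not part of the post, and not OPNsense code), the following Python parses the `Carp cluster member ... has resumed the state "..." for vhid N` lines the CARP syshook writes and reports two things: periods during which more than one host held MASTER for the same vhid (the dual-master condition described in the post), and hosts whose state keeps changing within a short window. The FW01 lines are the ones quoted in the post; the FW02 lines, the host names and the thresholds are constructed for the illustration.

```python
"""Detect dual-master (split-brain) and flapping from OPNsense CARP log lines.

Added example for this thread, not OPNsense code. It parses the
'Carp cluster member ... has resumed the state "..." for vhid N' lines that the
carp syshook writes (the FW01 lines below are the ones quoted in the post; the
FW02 lines are constructed to illustrate a dual master and a flap).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

CARP_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s.*Carp cluster member '
    r'"[^"]*" has resumed the state "(?P<state>[A-Z]+)" for vhid (?P<vhid>\d+)'
)


@dataclass(frozen=True)
class Transition:
    ts: datetime
    host: str
    vhid: int
    state: str


def parse_carp_log(lines, host):
    """Keep only state-transition lines; 'Resyncing OpenVPN' and other noise is dropped."""
    out = []
    for line in lines:
        m = CARP_LINE.match(line.strip())
        if m:
            out.append(Transition(datetime.fromisoformat(m["ts"]), host, int(m["vhid"]), m["state"]))
    return out


def dual_master_intervals(transitions, tolerance_s=3.0):
    """Periods where two or more hosts held MASTER for the same vhid.

    Overlaps shorter than tolerance_s are ignored: a preempting node is MASTER for
    about one advertisement interval before the old master hears it and steps down.
    Returns (vhid, start, end, hosts); end is None when the overlap is still open
    at the last event seen.
    """
    by_vhid = defaultdict(list)
    for t in sorted(transitions, key=lambda t: t.ts):
        by_vhid[t.vhid].append(t)
    findings = []
    for vhid, events in by_vhid.items():
        state, start, hosts = {}, None, []
        for t in events:
            state[t.host] = t.state
            masters = sorted(h for h, s in state.items() if s == "MASTER")
            if len(masters) >= 2 and start is None:
                start, hosts = t.ts, masters
            elif len(masters) < 2 and start is not None:
                if (t.ts - start).total_seconds() > tolerance_s:
                    findings.append((vhid, start, t.ts, hosts))
                start = None
        if start is not None:
            findings.append((vhid, start, None, hosts))
    return findings


def flapping(transitions, window_s=60, min_transitions=4):
    """(host, vhid) pairs with at least min_transitions state changes inside window_s."""
    times = defaultdict(list)
    for t in sorted(transitions, key=lambda t: t.ts):
        times[(t.host, t.vhid)].append(t.ts)
    flappers = []
    for key, stamps in times.items():
        lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_transitions:
                flappers.append(key)
                break
    return flappers


PREFIX = "Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: "
MEMBER = 'Carp cluster member " (100.100.102.250) (10@vmx0)" has resumed the state "%s" for vhid 10'

# FW01: the four transitions quoted in the post, plus one of its "Resyncing" lines.
FW01_LOG = [
    "2024-04-17T23:46:57   " + PREFIX + "Resyncing OpenVPN instances for interface (100.100.102.250).",
    "2024-04-17T23:46:57   " + PREFIX + MEMBER % "MASTER",
    "2024-04-17T23:46:53   " + PREFIX + MEMBER % "BACKUP",
    "2024-04-17T17:47:42   " + PREFIX + MEMBER % "MASTER",
    "2024-04-17T17:47:38   " + PREFIX + MEMBER % "BACKUP",
]
# FW02: constructed. It claims MASTER shortly after FW01 each time, then flaps.
FW02_LOG = [
    "2024-04-17T17:47:39   " + PREFIX + MEMBER % "BACKUP",
    "2024-04-17T17:47:43   " + PREFIX + MEMBER % "MASTER",
    "2024-04-17T23:46:54   " + PREFIX + MEMBER % "BACKUP",
    "2024-04-17T23:46:59   " + PREFIX + MEMBER % "MASTER",
    "2024-04-17T23:47:01   " + PREFIX + MEMBER % "BACKUP",
    "2024-04-17T23:47:06   " + PREFIX + MEMBER % "MASTER",
]


def sample_transitions():
    return parse_carp_log(FW01_LOG, "FW01") + parse_carp_log(FW02_LOG, "FW02")


if __name__ == "__main__":
    events = sample_transitions()
    for vhid, start, end, hosts in dual_master_intervals(events):
        print(f"vhid {vhid}: {hosts} all MASTER from {start} until {end or 'end of log'}")
    print("flapping:", flapping(events))
```

Feed it the General log of each node (the log the quoted lines come from), one list per host, and the first finding is the interval in which both firewalls claimed the VIP; an interval that never closes means the two nodes are not hearing each other's advertisements at all, which on a vSwitch points at the port-group security settings rather than at the OPNsense configuration.
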