Messages - skacem

#1
Hello

Instead of having to configure BGP neighbor by neighbor, it is more interesting to configure a BGP neighbor range.
FRRouting already has this functionality:

https://docs.frrouting.org/en/stable-10.0/bgp.html#clicmd-bgp-listen-range-A.B.C.D-M-X-X-X-X-M-peer-group-PGNAME

The syntax is
bgp listen range <A.B.C.D/M|X:X::X:X/M> peer-group PGNAME

But it seems the FRR plugin for OPNsense doesn't include it yet;
there is nowhere to enter the (listen range) in the Routing -- BGP menu.

Thanks

#2
24.7, 24.10 Series / RIP not working on 24.7.1
August 13, 2024, 08:40:17 PM
Hello

RIP is not working on version 24.7.1

zebra [VXKFG-8SJRV][EC 4043309121] Client 'rip' encountered an error and is shutting down.
ripd [N4CEB-XCAK5] Terminating on signal

Thanks
#3
Hello

I am thinking that rules in the OPNsense Firewall Shaper aren't (quick), so even if there is a match there is no exit and all other rules are also processed; true or false?

I need to know the (default weight); in other words, which weight does traffic that isn't specified in the shaper rules get?

Best Regards

#4
Virtual private networks / Re: BGP neighbor range
July 24, 2024, 03:24:31 PM
I've asked the question on GitHub.
FRRouting already has this functionality:

https://docs.frrouting.org/en/stable-10.0/bgp.html#clicmd-bgp-listen-range-A.B.C.D-M-X-X-X-X-M-peer-group-PGNAME

The syntax is
bgp listen range <A.B.C.D/M|X:X::X:X/M> peer-group PGNAME

But it seems the FRR plugin for OPNsense doesn't include it yet;
there is nowhere to enter the (listen range) in the Routing -- BGP menu.

#5
Virtual private networks / BGP neighbor range
July 22, 2024, 03:49:35 PM
Hi

I want to ask if there is a possibility with the FRR plugin to configure a network range in BGP neighbors.

All the OPNsense instances will share the same network, so it's very heavy and tedious to enter and configure neighbor by neighbor on each OPNsense.

Thanks a lot
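
What the three neighbor-range posts above are asking for, written in FRR's own frr.conf syntax (the same syntax the linked FRR documentation describes). This is an added example, not text from the posts and not something the os-frr plugin generates; the AS number 65010, the router ID, the 10.200.0.0/24 tunnel prefix and the peer-group name SPOKES are constructed values.

```text
! Added example (constructed values), not from the posts or the os-frr plugin.
router bgp 65010
 bgp router-id 10.200.0.1
 ! One peer-group carries every setting the dynamic neighbors inherit.
 neighbor SPOKES peer-group
 neighbor SPOKES remote-as 65010
 ! Accept a session from any address inside the shared tunnel network,
 ! instead of one "neighbor A.B.C.D remote-as ..." line per spoke.
 bgp listen range 10.200.0.0/24 peer-group SPOKES
 ! Cap how many dynamic sessions the listener will accept, since any host
 ! that can reach this router from inside the range may open one.
 bgp listen limit 50
 !
 address-family ipv4 unicast
  neighbor SPOKES activate
  redistribute connected
 exit-address-family
!
```

A listener configured with a listen range is passive: it never initiates a session, so each spoke still needs an ordinary explicit neighbor entry pointing at the central router (here 10.200.0.1, AS 65010). Keeping the range no wider than the tunnel network and setting a listen limit are the two knobs that bound what a dynamic-neighbor configuration will accept.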
#6
Yes, BGP is OK; all routes are well distributed across all the sites.

What is weird is that when I log in to the OPNsense of remote site1, for example, from that OPNsense I can access endpoints on the networks of the central site,

but from an endpoint on the network of remote site1, I cannot access endpoints on the networks of the central site.

I tried Live View on OPNsense, and absolutely no traffic is displayed when I try a communication from the endpoint on remote site1 to endpoints of the central site.

Of course the endpoint on remote site1 has as its gateway the LAN IP of the OPNsense of remote site1, and I am absolutely sure there is a pass-any rule everywhere.

At the same time, when I access the OPNsense of the central site, I CANNOT access endpoints on the networks of the remote sites, even though the whole routing table is OK and this OPNsense can access the tunnel interfaces of the remote sites.

It is like IPsec: transport mode is the classical one, but to use dynamic routing we must choose VTI, the routed mode.

Now, for OpenVPN the classical mode works, and dynamic routing itself is working, but there is no traffic.
So I wonder if there are some parameters to modify on OpenVPN when using dynamic routing.
#7
Hello

I am trying the OpenVPN site-to-site architecture.
With the classic configuration everything works fine: there are two sites (clients), each of which has two OpenVPN tunnels to a central site that has two OpenVPN servers configured.

When I say classic configuration, I mean that on the central site, the configuration of the two OpenVPN servers has (Local Networks) and (Remote Networks) configured, and the networks of each remote site are configured in (Client specific overrides).
At this stage, I've tested two-way end-to-end communication and it works perfectly.

But as the central site has twenty networks and the remote sites each have five, I decided to configure dynamic routing.
So I removed (Local Networks) and (Remote Networks) from the two OpenVPN servers, installed the FRR plugin and enabled BGP.

But at this stage, even though the four tunnels are up, BGP isn't working and I've got (failedpeers) for BGP on the central site and the two remote sites.

After research, it turned out that the OpenVPN interfaces had to be assigned on all three sites, as BGP needs tunnel interfaces and not the default interface group called OpenVPN.

Once this was done, BGP worked perfectly and routes were distributed to all three sites.

Now, the problem is that the tunnels are up, BGP is OK, on the firewall rules I've set pass any everywhere, but the traffic doesn't pass end to end in either direction.

On further research, I realized that you need to configure gateways on the sites.

On the remote sites, each of them has two interfaces, ovpnc1 and ovpnc2, so I configured the gateway OVPNC1_VPNV4 with the IP of OVPNS1 and the gateway OVPNC2_VPNV4 with the IP of OVPNS2.

On the remote site side, as the ovpns1 and ovpns2 interfaces connect several tunnels, there are gateways OVPNS1_GW and OVPNS2_GW but no IP address configured.

But still no traffic.

What am I missing?

Thank you

#8
24.1, 24.4 Legacy Series / Re: FRR plugin
July 20, 2024, 08:08:24 PM
It's OK now.

I had to configure the value (16777216) for the tunables entry (kern.ipc.maxsockbuf).
After reboot, there is a new menu between Firewall and VPN called Routing, where everything related to the FRR plugin is configured.

#9
24.1, 24.4 Legacy Series / FRR plugin
July 16, 2024, 12:49:09 PM
Hello
I've installed 2 plugins, (os-frr) and (os-rfc2136), on OPNsense.
After reboot, (RFC 2136) is added and displayed under (Services), but there is no trace of the FRR plugin under (Services), even though it is still installed under (System -- Firmware -- Plugins).
How can I configure the FRR plugin through the WebGUI?
The OPNsense version is the latest one: 24.1.10_3
Thanks
#10
24.1, 24.4 Legacy Series / Re: failed update
July 10, 2024, 11:22:18 AM
Thanks a lot for your replies.
It is OK; I tried with 20GB and it is working fine.
Just a habit, trying to migrate from my other pfSense(s) where I've always used just a 10GB disk
(not for firewalling or VPN, but mainly for load balancing and reverse proxy with very few loads).

@Patrick M. Hausen
Thanks for your explanation.
When I deleted the swap partition, I was able to move the partition toward the front with GParted so I could later extend it toward the back, but the problem is that I couldn't recreate the swap partition with a smaller size, as GParted lacks its filesystem type.
I understand the differences between ZFS and UFS; I've had some crashes with UFS in the past, which is why I opted for ZFS, but you're right, the ability to do snapshots and fast restores while working in virtual mode gives more insurance.
#11
24.1, 24.4 Legacy Series / Re: failed update
July 09, 2024, 07:38:22 PM
It is about disk space being unavailable during the update.
I'm still trying to understand.

I gave the VM 10GB of disk space.
After the failure of the update I booted into GParted, and I found that OPNsense had partitioned the 10GB disk space creating an 8GB swap partition! and giving the ZFS root just 1.54GB!

I don't understand this auto-partitioning; normally the swap partition must be 1GB or 2GB of disk space at most.
I've also tried to use a thick disk instead of a thin one (fixed disk in Hyper-V), but it is always the same issue: OPNsense creates the biggest partition for the swap.

Is there a way to adjust the swap partition size?
I tried to delete it via GParted, but once I tried to create a new, smaller one, GParted doesn't have the FreeBSD swap type.


#12
24.1, 24.4 Legacy Series / failed update
July 09, 2024, 01:21:36 PM
Hi
I've installed the OPNsense 24.1 version through the ISO image on Hyper-V, then VMware.
Once I launch the update, it fails and I cannot access it anymore; I must redo the install from the beginning.
Please find attached the errors displayed.
Thanks
#13
Hello

**********
We tried to configure the IPsec Hub-to-Spoke topology, with a FortiGate as Hub and OPNsense as Spokes.
**********
The Hub contains a single Tunnel, so point-to-multipoint.
We've configured the Tunnel interface IP as 10.1.1.1 and the peer IP as 10.1.1.254/24.
Fortinet calls the IP network of the Tunnel interfaces the Overlay, and recommends using the last network address not assigned to a Spoke as the Hub peer, but with the correct Overlay network mask.
**********
On the OPNsense Spokes side, we used route-based IPsec (VTI):
Spoke1
Local Tunnel IP: 10.1.1.2
Remote Tunnel IP: 10.1.1.1
Spoke2
Local Tunnel IP: 10.1.1.3
Remote Tunnel IP: 10.1.1.1
**********
Then, the 2 Tunnels connected normally:
Spoke1 <--> Hub is Up, Phase1 and Phase2
Spoke2 <--> Hub is Up, Phase1 and Phase2
Routing and rules are well configured.
**********
Problem:
Spokes traffic (Spoke1 & Spoke2) --> Hub is OK
Hub traffic --> Spokes (Spoke1 & Spoke2) is NOT OK
**********
After a thorough diagnosis: the traffic (Spokes --> Hub) works because the Spokes know the IP address of the other end of the Tunnel; Spoke1 and Spoke2 know that IP 10.1.1.1 is their next hop.
But for the Hub, after the Tunnels have been set up, it can't find out that the next hop of the Tunnel with Spoke1 is 10.1.1.2 and that the next hop of the Tunnel with Spoke2 is 10.1.1.3.
**********
Fortinet requires the following command to be added to Phase1 on both sides of the Tunnel, for the Hub and the Spokes:
"set exchange-interface-ip enable"
Fortinet's definition of this command is:
"The exchange-interface-ip option is enabled to allow the exchange of IPsec interface IP addresses. This allows a point to multipoint connection to the hub FortiGate."
**********
So, as the Spokes don't send their IPsec Tunnel IP addresses, the Hub can't associate a next hop with each Tunnel, and so the traffic (Hub --> Spokes) doesn't work.
**********
Is there an equivalent to the command "set exchange-interface-ip enable" on OPNsense, so that the OPNsense Spoke sends its Tunnel IP address to the FortiGate Hub when the IPsec Tunnel is established?
**********

Thanks