Messages - tyrell

#1
24.7, 24.10 Legacy Series / Re: MAC Address Control
February 17, 2025, 02:14:38 PM
Quote from: EricPerl on February 03, 2025, 10:58:50 PM
I didn't really find anything stating this explicitly, but the sequence matches my experience.
The DHCP server seems to start with the first pool, check if it can assign from there and only moves on the next pool if it can't, and so on.
It would be rather straightforward from an implementation perspective...

Flip your pool definitions and if it works, we'll have more confidence that my hypothesis is correct.

Awesome, it worked. So the first pool has to be the pool with the MAC identifier so that these devices get IP addresses from that pool.
Thanks a lot!
#2
24.7, 24.10 Legacy Series / Re: MAC Address Control
February 03, 2025, 09:34:08 PM
A sequence. Oh, so the order is important? Mine right now is:

192.168.15.1 - 192.168.15.254
In-use DHCP Pool Ranges:
192.168.15.100-192.168.15.199
192.168.15.70-192.168.15.90

The last one is the one that only MACs starting with 64-62-66 should get. But they don't.
They always get an IP from the "main pool" 15.100 to 15.199.
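For readers following this thread: the configuration below is a constructed ISC dhcpd.conf fragment, added here as an illustration and not OPNsense's generated configuration (the class name and the prefix syntax are assumptions made for the example). It shows the arrangement posts #2 and #1 arrive at, with the pool restricted to the 64:62:66 prefix listed first, and additionally denies that class on the general pool so that those devices cannot fall back into 15.100-15.199 whatever the pool order is.

```conf
# Constructed example, not OPNsense's generated dhcpd.conf.
# Clients whose hardware address starts with 64:62:66 are grouped into a class.
# 'hardware' is the hardware-type byte followed by the MAC, so the MAC's first
# three bytes are bytes 1..3 of that value.
class "oui-64-62-66" {
    match if substring (hardware, 1, 3) = 64:62:66;
}

subnet 192.168.15.0 netmask 255.255.255.0 {
    option routers 192.168.15.1;

    # Scoped pool first: only members of the class may take an address here.
    pool {
        allow members of "oui-64-62-66";
        range 192.168.15.70 192.168.15.90;
    }

    # General pool for everything else. The explicit deny keeps class members
    # out of this range even if the pool order were reversed.
    pool {
        deny members of "oui-64-62-66";
        range 192.168.15.100 192.168.15.199;
    }
}
```

The thread's observation is that the server walks the pools in order and takes the first pool the client is permitted in; the `deny members of` on the general pool makes the outcome independent of that order, which is the safer arrangement when the pool list is later edited.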
#3
24.7, 24.10 Legacy Series / Re: MAC Address Control
January 30, 2025, 08:44:52 AM
Maybe I just don't get it:
"(clients in the address range are known)"
In the main pool any MAC address should be allowed.
That's important for new devices.
But if I have a "deny unknown clients" they won't get an IP, right?
#4
24.7, 24.10 Legacy Series / Re: MAC Address Control
January 29, 2025, 01:24:29 PM
Thanks for testing.
But I don't want to deny all unknown devices.
I just want a fixed pool of IPs for a certain MAC address range.
#5
24.7, 24.10 Legacy Series / Re: MAC Address Control
January 28, 2025, 02:59:42 PM
Damn, you are right.
That was the problem.
But it still doesn't work.
The devices still get an IP from the regular pool, not from the additional pool.
Even after a DHCP server restart, deleting the DHCP lease and restarting the device.
Also tried to deny the partial MAC from the regular pool and have it allowed in the additional pool.
But nope.
Any ideas?
#6
24.7, 24.10 Legacy Series / MAC Address Control
January 28, 2025, 10:58:21 AM
Cheers,

I'm trying to set up MAC Address Control for a specific IP pool.
But it always gives me the following error when trying to save:

"If you specify a mac allow list, it must contain only valid partial MAC addresses."

This is my partial MAC address: "64-62-66". Every device starting with this should get an IP from
that pool.
Am I doing something wrong or is this a bug?

#7
Awesome. Thanks.
On the FW side or on the client side or both?
#8
Cheers everyone,

We switched our company's firewall a few weeks ago to OPNsense (from pfSense).
Everything works great now. Except some users, who can connect (they get an IP) and can't ping resources on the LAN but can't access them via browser (80, 443).
All have in common that they have the same German ISP (Vodafone) with DS-Lite.
If they switch to a mobile hotspot, the VPN works fine.
Subnets of the private LAN, VPN and corporate LAN are different.

Before, with the pfSense, it was working too. But I can't find the difference.
I read it's a common problem but it seems no one has a solution. Could it be MTU?
If anyone has experience with this, let me know : )

#9
Cheers,

Yesterday we installed a site-to-site WireGuard VPN on our OPNsense.
A new interface was created, "wg1". When I clicked apply on the interface changes there was no working internet anymore.
The logs on all the VLANs had the default deny / state violation rule on, blocking all packets. So somehow the first-match rule "allow all" that we have on all interfaces was not matching anymore.

I still don't get why.
We reverted back with a backup. We still have some packets being blocked by the default deny rule where I also have no clue why.

Any help is appreciated.

Screenshots attached. Somehow embedding didn't work.
#10
That helped! Thanks a lot.

But I'm still struggling with the cert export.
As I am authenticating with LDAP, which cert do I export? Does every client use the same cert?
Under my instance I put 10.0.10.0/24 in "Server IPv4",
but it seems every client is trying to get the same IP (10.0.10.2).
#11
Hey everyone,
I configured OpenVPN, and with 2 of 3 Windows clients with the OpenVPN Connect software it's working (connecting, IP address, routing).
The other Windows client, the macOS client and one Linux client all get this error on the client side:

VERIFY ERROR: could not extract CN from X509 subject string
2024-08-30 16:21:38 VERIFY ERROR: could not extract CN from X509 subject string ('C=DE, ST=xxxxx, L=xxxxxx, O=xxxxxx, OU=IT') -- note that the username length is limited to 64 characters

In the OpenVPN logs I get a TLS handshake failure.

I know there is no CN in that string.
Auth is obviously with LDAP. I really don't get where the difference is.
How do I add the CN to the subject string?
#12
Awesome! Worked like a charm.
Thank you!
#13
Hey everyone,

Trying to understand the whole OpenVPN with LDAP configuration.
My LDAP is configured and tested via the tester and working.
I configured my OpenVPN server to use authentication with my LDAP.
From the docs it's unclear to me if I need to import users now if I only want them for VPN use
or not, and how to sync so that when a new user is created in LDAP it is automatically created on the OPNsense too.
AFAIK import is only needed for GUI access, which I do not want.

Also, how do I get the client certs created, and how do I import them if I don't have to import the users?
#14
Oh, of course... sorry.
OpenVPN
#15
Hi everyone,

Maybe someone has an idea about my problem.
We currently have a pfSense running with the following subnets: 1.0, 15.0, 80.0, 85.0, 90.0 and 10.x.x.x for VPN.
We have set up a test environment with OPNsense and want to go live with it in about 1 month.
Currently the WAN interface sits in the 15 subnet for internet access. But of course that way I can't test VPN from outside.

We have now ordered an LTE router with an O2 30-day free SIM. But of course this doesn't work, because the WAN interface gets a 10.0.0.1 from the LTE router in bridge mode. Probably not a real bridge mode.
It surely wouldn't work anyway because of the mobile network's NAT etc.

There is no additional regular connection via fibre or DSL. Those are needed on the pfSense.
Switching back and forth between the two firewalls isn't possible either.

If I configure the new 1 network as a 2 network for now, the static IP mappings won't be right either.

In case anyone has an idea... maybe has been in the same dilemma themselves...