Messages - Martinezio

#1
Today I've set up a new connection as a client in the OpenVPN section - and everything stopped routing packets entirely, although the connection has been established and all routes are pulled properly (visible in the routing table).
This "Connections" approach doesn't work for me at all.

Any idea what happens and how to search for the issue/root cause, or any clue?

So far I've gone back to using those "outdated" setups - this is working absolutely fine and I don't see the reason why You are removing this :/ If the same behaviour is in v26+, then a lot of VPN "maniacs" will stop upgrading OPNsense :(
#2
Hello :)

Recently I've upgraded my router to version 25.1.7_4 and noticed that with the next release (26) support for legacy tunnel VPNs will be removed.

I currently have one IPsec tunnel set up between OPNsense and a Mikrotik router, and using the legacy IPsec tunnel it is working totally fine.
I made an attempt to convert this tunnel to the new connection. The tunnel started up and both routers show it as up and running, SAs were installed as expected, but no traffic was going through. I could not ping any device on the other end (either from the router or from any local network device) (the firewall is set to allow all traffic over the IPsec device, of course).

What could be wrong, and has anyone of You had a similar issue and been able to resolve it to make the connections IPsec work correctly?

I also have an OpenVPN tunnel on this device, which is also set up with the legacy controls, and I am a bit afraid of moving to the new connections controls ;)

Thanks in advance for any hint/advice :)
#3
Hi.

How can I manage the filter logs from IDS (those written to the /var/log/filter directory)?
Is there any possibility to add some gzip or bzip2 function to the log rotation? On my installation, every daily file is around 5GB in size and this quickly fills up the entire disk. I've now limited it to keep only 3 files, but it's not comfortable. Compressing those files would save a lot of space, as they are simple txt files...

Thanks a lot in advance for any hint :) I couldn't find any configuration for this :/
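The compress-then-prune rotation asked about in this post, as an added example (not OPNsense's own code and not the poster's): it gzips every already-rotated sibling of the live log, preserves each file's mtime so age ordering survives compression, and then deletes everything but the newest N archives. The file naming (filter.log plus a dated suffix for rotated files), the default directory and the keep count are assumptions, not taken from the post.

```python
"""Added example (not OPNsense code): compress rotated filter/IDS logs and
keep only the newest N archives.

Assumptions (not from the post): rotated files sit next to the live log as
filter.log.<suffix>; the live file filter.log itself is never touched; the
newest `keep` compressed files are retained and older archives are deleted.
"""
import gzip
import os
import shutil
import sys
import time

LIVE_NAME = "filter.log"  # assumed name of the file still being written


def rotated_files(log_dir):
    """Rotated siblings of the live log (compressed or not), newest first by mtime."""
    names = [n for n in os.listdir(log_dir) if n.startswith(LIVE_NAME + ".")]
    paths = [os.path.join(log_dir, n) for n in names]
    return sorted(paths, key=os.path.getmtime, reverse=True)


def compress_file(path):
    """gzip one plain-text log, copy its mtime onto the archive, remove the original."""
    out = path + ".gz"
    st = os.stat(path)
    with open(path, "rb") as src, gzip.open(out, "wb", compresslevel=9) as dst:
        shutil.copyfileobj(src, dst)
    os.utime(out, (st.st_atime, st.st_mtime))  # keep age ordering intact
    os.remove(path)
    return out


def compress_and_prune(log_dir, keep=3, min_age=0):
    """Compress every uncompressed rotated log older than `min_age` seconds,
    then delete all but the newest `keep` archives.
    Returns (compressed, removed) as lists of paths."""
    now = time.time()
    compressed = []
    for p in rotated_files(log_dir):
        if p.endswith(".gz"):
            continue
        if now - os.path.getmtime(p) < min_age:
            continue  # possibly still being written to; leave it for the next run
        compressed.append(compress_file(p))
    archives = [p for p in rotated_files(log_dir) if p.endswith(".gz")]
    removed = []
    for p in archives[keep:]:
        os.remove(p)
        removed.append(p)
    return compressed, removed


if __name__ == "__main__":
    # usage: python3 compress_logs.py /var/log/filter 3
    log_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/filter"
    keep = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    done, gone = compress_and_prune(log_dir, keep, min_age=3600)
    print(f"compressed {len(done)} file(s), removed {len(gone)} old archive(s)")
```

Run it from cron after the daily rotation. `min_age` is the safety margin: a file modified within the last hour is skipped rather than compressed mid-write, and pruning counts only finished archives, so the live log never enters the keep/delete arithmetic.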
#4
Ok, never mind - resolved by myself.

It was something with the Let's Encrypt CA certificates.
I have removed all their CAs from the trust settings, then inserted the ISRG Root X1 CA cert (cross-signed by DST Root CA X3), then added Let's Encrypt's R3 root CA (cross-signed by ISRG X1) and re-issued the webgui cert.

Now pkg update works fine :)

Cheers!
#5
Hi.

I'm trying to check for updates on my setup running version 22.1.6, but it fails:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.6 (amd64/OpenSSL) at Wed Jun  1 12:05:57 CEST 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Can anyone assist to help resolve the issue?
Many thanks in advance :)

Martin.
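A triage helper for the failure quoted in this post and the trust-store fix described in the post before it, as an added example (not OPNsense's own code and not the poster's): it pulls out of the update log which CA subject TLS verification failed on and which repository URLs were refused, then checks whether a CA with that subject is actually present in the local default trust store (Python's `ssl` module view of it). The log text below is constructed from the lines quoted in the post; the idea that a missing or replaced root in the trust settings is the first thing to check follows the poster's own resolution, and nothing here fetches from the network.

```python
"""Added example (not OPNsense code): triage a failed `pkg update` log.

1. triage()            - which CA subject did verification fail on, which URLs were refused
2. trust_store_has()   - is a CA with that subject loaded in the local trust store

The log sample is constructed from the output quoted in the post.
"""
import re
import ssl

CONSTRUCTED_LOG = """\
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
"""

FAIL_RE = re.compile(r"Certificate verification failed for (/.+)$")
URL_RE = re.compile(r"(https?://\S+): Authentication error")

# OpenSSL one-line RDN keys -> attribute names used by ssl.SSLContext.get_ca_certs()
RDN_NAMES = {
    "CN": "commonName",
    "O": "organizationName",
    "OU": "organizationalUnitName",
    "C": "countryName",
}


def parse_dn(slash_dn):
    """'/OU=x/O=y/CN=z' -> {'OU': 'x', 'O': 'y', 'CN': 'z'} (OpenSSL one-line format)."""
    parts = [p for p in slash_dn.split("/") if p]
    return dict(p.split("=", 1) for p in parts)


def triage(log_text):
    """Distinct CA subjects that verification failed on, and refused URLs, in first-seen order."""
    subjects, urls = [], []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            dn = parse_dn(m.group(1).strip())
            if dn not in subjects:
                subjects.append(dn)
        m = URL_RE.search(line)
        if m and m.group(1) not in urls:
            urls.append(m.group(1))
    return subjects, urls


def trust_store_has(subject, cafile=None):
    """True if a loaded CA cert's subject matches every RDN in `subject`.
    Uses the platform default store, or only `cafile` when one is given."""
    ctx = ssl.create_default_context(cafile=cafile)  # loads defaults when cafile is None
    for cert in ctx.get_ca_certs():
        rdns = {k: v for rdn in cert["subject"] for k, v in rdn}
        if all(rdns.get(RDN_NAMES.get(k, k)) == v for k, v in subject.items()):
            return True
    return False


if __name__ == "__main__":
    found_subjects, refused = triage(CONSTRUCTED_LOG)
    for s in found_subjects:
        print("verification failed on CA subject:", s)
        print("  present in default trust store:", trust_store_has(s))
    for u in refused:
        print("refused:", u)
```

If the reported subject is absent from the store, the fix is on the client side (restore or re-import the root, as the earlier post did); if it is present, the next suspect is the chain the server actually sends, which is a different problem and is not diagnosable from this log alone.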
#6
I have these settings:

Properties
    Network label    vpnHubTrunk
    VLAN ID    All (4095)

Security
    Promiscuous mode    Accept
    MAC address changes    Accept
    Forged transmits    Accept

Traffic shaping
    Average bandwidth    --
    Peak bandwidth    --
    Burst size    --

Teaming and failover
    Load balancing    Route based on IP hash


The vSwitch has 3 bonded interfaces to a Cisco switch (C2690) as an EtherChannel.
#7
20.7 Legacy Series / Re: IPSec keepalive
November 03, 2020, 11:59:55 AM
Well... not helping at all :/

The problem is only with the phase 2 channels - phase 1 and one of the phase 2s (the one where OPNsense is a part of the local network) are working nicely.
#8
What are Your vSwitch settings for this interface? Do You pass all VLANs to this VM?

I can create VLANs as well, but they do not pass any traffic over that VLAN. Only the first created one is working. None of the later created ones are passing traffic: I can't ping this interface from other hosts using the same VLAN. Even after a reboot.

I have ESXi 6.7 for this hypervisor, if that matters... But I have another setup with the same hypervisor version, where the OPNsense machine has an E1000E interface and VLANs are working fine...
#9
20.7 Legacy Series / Re: IPSec keepalive
November 03, 2020, 09:20:25 AM
Will try that, thanks... I'll let You know :)
#10
20.7 Legacy Series / VMWare vmxnet3 drivers and VLANs...
November 02, 2020, 09:54:23 AM
Hi :)

I noticed recently that there is some issue with VLANs using the VMXNET3 network interface.
Only the first created VLAN is working. The next VLANs aren't detected at all, even after reboots.
Hardware offload is disabled.

For now, I've worked around this by creating physical interfaces instead, but this is not the way I want it, because I can't add new network interfaces online to OPNsense and adding them offline can destroy all previous network assignments.
I know that I can use the E1000E adapter type, but this limits the traffic to 1Gbps.

What is the current status of the vmxnet3 drivers for OPNsense? Is there any work in progress on them?
Thanks in advance for any reply :)
#11
20.7 Legacy Series / IPSec keepalive
November 02, 2020, 09:46:24 AM
Hi :)

Is it possible to keep IPsec tunnels alive for networks that OPNsense is not a member of (meaning: has no network interface in them)?
Or something that forces a restart of the IPsec tunnel when the SP has expired due to no traffic.
I have one site-to-site tunnel with 3 different "local" networks being routed over to 1 common remote.
2 of those "locals" are in fact remote for this OPNsense router and I can't assign a new interface so that OPNsense is a part of those networks. On the other side is a FortiGate router, which requires each phase 2 tunnel to be isolated, and we had a lot of problems configuring those tunnels. Now they are working, but only as long as the phase 2 lifetime lasts (3600 sec). After that time the SP expires and is removed from the list, so the network is not routable anymore...

Is there any way to keep those tunnels alive?
#12
Hello :)

Long time no words from me... But now I'm facing a problem - how big, that is the question ;)

Little background:
My company provides internet access to some clients. Clients are changing, so agreements are starting and ending.

Problem:
Sometimes the end date is some weird date which collides with my holiday plans, for example ;)

Question is:
- is there any way to schedule the activation of an inactive rule in the firewall? This would allow me to create in advance, for example, a rule to drop packets from that client and start my holidays without being disturbed ;)

Thanks for any hint or clue in this matter ;)

Cheers,

Martin.
#13
17.1 Legacy Series / Re: Using acme.sh
February 14, 2017, 11:29:53 AM
Working like a charm :D Thanks a lot!
#14
17.1 Legacy Series / flowd.log location.
February 09, 2017, 11:53:29 AM
Hello :)

Is it possible to parametrize the flowd.log location in the upcoming versions of OPNsense? ;)

This would allow the user to move it to their own location (i.e. to a bigger disk), as it is growing constantly and can fill up all the available space on the disk...

Thanks in advance :)

Best regards,

Martin.
#15
17.1 Legacy Series / Re: Using acme.sh
February 09, 2017, 10:52:46 AM
I'm using Firefox 51.0

Here You have a statement from Mozilla Authority:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Here is info from Apple Authority:
https://support.apple.com/en-us/HT204132

Google also supports this decision in Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Regards :)