Messages - blacknote

#2
Hi,

Same issue here with 2 IPsec tunnels through STARLINK CGNAT dynamic IP.
Not with landline standard dynamic IP.

Any SPD is mapped with the last and the new tunnel endpoint, then no data flows.

By the way, I used tunnel isolation, MOBIKE disabled, Unique=replace
and Dynamic gateway mode enabled.

Looking to develop a script to reload the TUNNEL correctly and clear all SPD entries.
So far, only disable - clear tunnel - enable does the job - manually.

Maybe it's related to this case:
https://github.com/opnsense/core/issues/6061

Thanks for help
#3
High availability / Re: CARP UNICAST - ISSUE MAC AGEOUT
December 10, 2024, 05:12:54 PM
Yes, exactly.

I noticed that with this CARP UNICAST, packets were flooded to other branches on the network.

I was just now checking on a slave firewall and saw that it was receiving traffic.
It's the same in fact: receiving packets from clients.
And I can't see any gateway MAC address on the switch (Aruba).

It's clear that any device has to perform an ARP request to send packets... anyway, a switch which doesn't see such a request doesn't learn the gateway MAC address... so far, the packets are flooded to any port.
I'm gonna check on other devices to see if they receive this "flood".

Again, I would suggest providing a gratuitous ARP option... not only as an option but as mandatory.
This kind of mechanism is usually available on other professional solutions (STORMSHIELD or FORTINET).

I might be wrong on all of this or just a victim of the switching infrastructure, but that is how it looks so far anyway. How could those packets, from the CARP itself or now from clients, reach the slave in other cases? I've made traces on both firewalls, analysed MAC addresses on them and on the core switch.

Thanks for help

Regards


#4
Issue on my interface after modifying the VHID group / it kept two groups and I had to reboot.

executing /usr/local/etc/rc.filter_synchronize pre_check_master
pre_check_master: backup mode, exit

helped me to understand.

Regards,
BN
#5
Hi all,

This is a question to those who use CARP in UNICAST since the 24.10 version:

The HA SYNC configuration through cron isn't working anymore. Not even an error message.
I got this first when all CARP interfaces were not configured or active.

Has anyone this kind of issue?

Thanks for help
Regards,
#6
High availability / CARP UNICAST - ISSUE MAC AGEOUT
November 14, 2024, 05:20:22 PM
Hi all,

Regarding the usage of CARP (VRRP2) UNICAST, it appears that the interface MAC of the slave, when the latter isn't solicited by any other service, protocol or monitoring, is aged out on the network.

Meaning that any unicast CARP packets sent from the master are flooded onto the network.

My immediate solution is to declare the MAC of the slave statically for those interfaces.
I hesitated to use monit to ping the slave or something like this.

My request would be to get a specific menu to send gratuitous ARP from the interface GUI.

What do you think about it?

Regards,

#7
Hi,

To me, it means that your CARP hasn't synchronized in unicast.
Did you add the ACL to permit the traffic?

I did something like this / maybe there is something easier:

create alias with all IPs from master / create alias with all IPs from SLAVE
floating ACL
any interface concerned
ACL from master alias to slave alias
ACL from slave alias to master alias

#8
Hi all,

Have you any idea regarding the split failover in ISC DHCP - while the param is synchronised and maybe should not be?
Could it be possible to exclude it from sync?

Regards,
James.

Could it be possible, and not overridden by any code, if modifying

like: if (isset($dhcpifconf['failover_peerip']) && $dhcpifconf['failover_peerip'] != '') {
if (isset($dhcpifconf['failover_split']) && $dhcpifconf['failover_split'] != '') {

> don't know the exact variable / just an example / but it would probably be overridden.

/usr/local/etc/rc.filter_synchronize

    // dhcpd, unchanged from legacy code (may need some inspection later)
    if (is_array($transport_data['dhcpd'])) {
        foreach ($transport_data['dhcpd'] as $dhcpif => $dhcpifconf) {
            if (isset($dhcpifconf['failover_peerip']) && $dhcpifconf['failover_peerip'] != '') {
                $int = guess_interface_from_ip($dhcpifconf['failover_peerip']);
                $transport_data['dhcpd'][$dhcpif]['failover_peerip'] = get_interface_ip($int);
            }
        }
    }


#9
IPSEC CLIENT FAILOVER MANAGEMENT

This script has been built from different intel sources with some adjustments added.
It isn't perfect and might be unfinished for some use cases.

Context:
- IPSEC in client mode
- working upon a CARP IF, isn't capable to switch over when firewalls are in master/backup mode
- if no traffic is coming from it.
- When the MASTER fails, the tunnel on the BACKUP stays down while it has previously given up after staying without any response.
These configuration components can make it work:
- if you have no traffic source from the client
- if you don't want to create special rules coming from the client
If you want to improve it, welcome.
If I'm mistaken, welcome to share.
I've been testing it tonight and it works in the usual case for the specified WAN interface and its VHID status.

I'm now looking for the way to send parameters from the cron job to the action module and then pass them to the script (which is not described here).
Variables are:
CONN="con#" > connection ID
VHID="vhid ###" > VHID ID

- IPSEC TUNNEL MODE CLIENT + IF CARP VIP
- SCRIPT + ACTION + CRON

SCRIPT

root@fw-slave:/usr/local/opnsense/service/conf/actions.d # cat /home/admin/script-monit/script-monit-carp-wan-ipsec.sh
#!/bin/sh
# Test a CARP VHID and act on IPsec according to its state

CONN="con#"
VHID="vhid ###"

# Detect the CARP state of the VHID; DISABLED when the VHID is present but in none of the states below
ifconfig -a | grep 'carp:' | grep -e "$VHID" > /dev/null
if [ $? = 0 ]; then carp_state="DISABLED" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep BACKUP > /dev/null
if [ $? = 0 ]; then carp_state="BACKUP" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep MASTER > /dev/null
if [ $? = 0 ]; then carp_state="MASTER" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep INIT > /dev/null
if [ $? = 0 ]; then carp_state="INIT" ; fi

echo "$carp_state"

#exit

IPV4_REGEX="(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])"

# Quoted comparisons with a single '=': POSIX sh test(1) syntax, and safe when carp_state is unset
if [ "$carp_state" = "BACKUP" ]; then ipsec down "$CONN" ; fi
if [ "$carp_state" = "INIT" ]; then ipsec down "$CONN" ; fi

if [ "$carp_state" = "MASTER" ]; then
        #check if tunnel exists
        ipsec statusall 2>&1 | grep -e "$CONN" > /dev/null 2>&1
        #Save the returned status code
        tmp=$?
        #If tunnel exists
        if [ $tmp -eq 0 ]; then
                ipsec statusall | grep -e "$CONN" | grep -i "rekeying" > /dev/null 2>&1
                if [ $? -eq 0 ]; then
                        ipsec statusall | grep -e "$CONN" | grep -v "rekeying" | grep -E "$IPV4_REGEX" > /dev/null 2>&1

                        #If tunnel is up and matches IP REGEX
                        if [ $? -eq 0 ]; then
                                echo "Tunnel $CONN looks ok"
                                tunnel=0
                        fi
                else
                        echo "Tunnel $CONN not ESTABLISHED"
                        tunnel=1
                        # Use the configured connection name (was hard-coded con1) and sleep, not wait, between down and up
                        ipsec down "$CONN"
                        sleep 5
                        ipsec up "$CONN"
                fi
        else
                echo "Tunnel $CONN does not EXIST"
                tunnel=2
                /usr/local/sbin/configctl ipsec start

        fi
echo "$tunnel"

fi



ACTION

root@fw-slave:/usr/local/opnsense/service/conf/actions.d # cat actions_ipsecfailover.conf

[check]
command:/home/admin/script-monit/script-monit-carp-wan-ipsec.sh
parameters:
type:script_output
message:Ipsec check and reload status and CARP
description: mon_failover_ipsec_carp


service configd restart
configctl ipsecfailover check


CRON

Just select the action.
I made it work every */5 minutes.
It does the trick during failover.

Looking now for something similar for the OpenVPN client tunnel which could fail for some reason after a few tries. Then the process is stopped and the machine is lost.

Regards all,

James.
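An added example, not the poster's script, showing the state detection of the post with exact matching: the substring greps above accept "vhid 10" when VHID is "vhid 1", and "con10" when CONN is "con1", so a second VHID or connection with a longer name can flip the decision. The functions below parse the CARP line and the IKE_SA line by field instead, and reduce the post's down/up/start logic to a pure decision function that can be checked without touching a tunnel. The `ifconfig -a` and `ipsec statusall` texts are constructed samples in the FreeBSD and strongSwan format (interface names, addresses and connection names are made up); when no text is supplied the functions read the live commands, which on OPNsense need root.

```shell
#!/bin/sh
# Added example (not from the original post): exact-match CARP VHID and IPsec
# connection lookup plus the failover decision table as a function.

# Constructed sample of `ifconfig -a` output with three CARP VHIDs.
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        carp: MASTER vhid 1 advbase 1 advskew 0
        carp: BACKUP vhid 10 advbase 1 advskew 100
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: INIT vhid 2 advbase 1 advskew 0'

# Constructed sample of `ipsec statusall` output: con1 is up, con10 is still connecting.
SAMPLE_STATUSALL='Security Associations (2 up, 0 connecting):
        con1[3]: ESTABLISHED 12 minutes ago, 192.0.2.2[192.0.2.2]...203.0.113.5[203.0.113.5]
        con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
        con1{5}:   10.0.1.0/24 === 10.0.2.0/24
       con10[4]: CONNECTING, 192.0.2.2[%any]...198.51.100.9[%any]'

# carp_state VHID [ifconfig-text]
# Prints MASTER, BACKUP or INIT for exactly that VHID number, DISABLED when no
# carp line carries it. Compares the vhid field, so "1" never matches "10".
carp_state() {
    printf '%s\n' "${2:-$(ifconfig -a)}" | awk -v want="$1" '
        $1 == "carp:" && $3 == "vhid" && $4 == want { print $2; found = 1; exit }
        END { if (!found) print "DISABLED" }'
}

# substring_vhid_hits VHID [ifconfig-text]
# Counts the carp lines the post's `grep -e "vhid N"` would accept, to show the
# over-match on two-digit VHIDs (2 for VHID 1 in the sample: vhid 1 and vhid 10).
substring_vhid_hits() {
    printf '%s\n' "${2:-$(ifconfig -a)}" | grep 'carp:' | grep -c -e "vhid $1"
}

# ipsec_conn_state CONN [statusall-text]
# Prints the IKE_SA state (ESTABLISHED, CONNECTING, ...) of exactly CONN, or
# ABSENT when no "CONN[n]:" line exists. Child SA lines ("CONN{n}:") are skipped.
ipsec_conn_state() {
    printf '%s\n' "${2:-$(ipsec statusall 2>/dev/null)}" | awk -v conn="$1" '
        BEGIN { pat = "^" conn "\\[[0-9]+\\]:$" }
        $1 ~ pat { sub(/,$/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "ABSENT" }'
}

# failover_action CARP_STATE CONN_STATE
# The post's decision table as a pure function: tunnel down on a BACKUP or INIT
# node, IPsec restarted when the MASTER has no IKE_SA for CONN, reconnected when
# the IKE_SA exists but is not established, left alone otherwise. Prints the
# action it would take instead of running it.
failover_action() {
    case "$1" in
        BACKUP|INIT) echo "ipsec down" ;;
        MASTER)
            case "$2" in
                ESTABLISHED) echo "none" ;;
                ABSENT)      echo "configctl ipsec start" ;;
                *)           echo "ipsec down; sleep 5; ipsec up" ;;
            esac ;;
        *) echo "none" ;;
    esac
}

# Stand-alone run over the constructed samples: ./this.sh [VHID] [CONN]
main() {
    vhid="${1:-1}"; conn="${2:-con1}"
    cs=$(carp_state "$vhid" "$SAMPLE_IFCONFIG")
    ts=$(ipsec_conn_state "$conn" "$SAMPLE_STATUSALL")
    echo "vhid $vhid: $cs (substring grep would hit $(substring_vhid_hits "$vhid" "$SAMPLE_IFCONFIG") lines)"
    echo "$conn: $ts -> $(failover_action "$cs" "$ts")"
}
main "$@"
```

To use this against a live box, call the functions without the second argument from a cron-driven configd action like the one in the post, and run the printed command instead of echoing it; keeping the decision separate from the commands is what makes the `*/5` job safe to dry-run on a BACKUP node first.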