1
24.7 Production Series / Re: Cannot import root CA
« on: October 31, 2024, 10:15:03 am »
Latest update to 24.7.7 fixed this!
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.7 Production Series / Re: Can't install new certificate
« on: October 30, 2024, 07:55:49 pm »
When I edit the certificate all the options other than "manual" are greyed out... Any idea?
3
24.7 Production Series / Cannot import root CA
« on: October 30, 2024, 07:52:31 pm »
Hi,
in order to get ACME working with an internal ACME instance I need to import the root CA used into OPNSense. If I import the crt contents to my pfsense installation all is fine. But on OPNsense I get
Unexpected error, check log for details
and in the log
The crt data appears perfect. Checked the attributes etc. I am at a loss at the moment. Any idea? Trying to import it as a certificate works however then the ACME service is not able to communicate with my local ACME service (Wireshark shows OPNsense to terminate the TLS 1.3 handshake with "Unknown CA").
in order to get ACME working with an internal ACME instance I need to import the root CA used into OPNSense. If I import the crt contents to my pfsense installation all is fine. But on OPNsense I get
Unexpected error, check log for details
and in the log
Code: [Select]
<147>1 2024-10-30T19:45:36+01:00 OPNsense1.localdomain config 64536 - [meta sequenceId="2"] [OPNsense\Trust\Cert:cert.4811211f-f7fd-44bc-9005-340f2f3a74b6.caref] Please select a valid certificate from the list{67227ed0e74ce}
<147>1 2024-10-30T19:50:15+01:00 OPNsense1.localdomain config 54947 - [meta sequenceId="1"] [OPNsense\Trust\Cert:cert.374837b5-c3e5-46d6-9779-840e74649a2c.caref] Please select a valid certificate from the list{67227fe78b7e8}
<147>1 2024-10-30T19:50:15+01:00 OPNsense1.localdomain config 54947 - [meta sequenceId="2"] [OPNsense\Trust\Cert:cert.4811211f-f7fd-44bc-9005-340f2f3a74b6.caref] Please select a valid certificate from the list{67227fe78b7e8}
The crt data appears perfect. Checked the attributes etc. I am at a loss at the moment. Any idea? Trying to import it as a certificate works however then the ACME service is not able to communicate with my local ACME service (Wireshark shows OPNsense to terminate the TLS 1.3 handshake with "Unknown CA").
4
High availability / Re: Help with HA cluster and IPSEC tunnel
« on: September 27, 2024, 06:58:31 pm »
Have you ever found a solution to this? I am stuck in the same problem. The detection that an IPSEC tunnel is actually down (despite DPD etc.) takes forever.
5
High availability / CARP on WAN with 1-3 public IPs
« on: September 24, 2024, 09:56:30 am »
Hi,
with the hosting service I am using I can easily get two virtual servers running OPNSense and create as many virtual networks and virtual network cards as I want. BUT: When it comes to external public IP addresses I am (currently) not able to get a /29 or similar network assigned to the WAN network. I can book one or three individual IP addresses but these would not come from the same network/broadcast domain.
Question: Can this be made to work with CARP on OPNSense. I have read in other forums with pf/CARP that you could assign a private network to the WAN interfaces and give each firewall one unique private IP of this network and configure CARP on that. Then create a virtual CARP IP (public IP not part of the pseudo WAN network) on the WAN interface. Is this common consensus that this should actually work?
The two firewalls will have to communicate with the CARP protocol on the WAN network via their private unique IP addresses correct? This is not only done via the internal CARP networks (LAN interface, pfsync etc.).
Even if it works and is supported (which I hope) I assume it would be nice to still have fixed public IP addresses attached to the individual firewalls. Would I be able to do that?
- WAN Interface 192.168.100.0/24 / WAN FW 1 192.168.100.1, WAN FW 2 192.168.100.2
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
- public IP non floating on Firewall 1, virtual IP WAN interface IP Alias 4.5.6.7
- public IP non floating on Firewall 2, virtual IP WAN interface IP Alias 5.6.7.8
Would this work? Reading the documentation I assume I will not be able to use IPSec, OpenVPN, HA-Proxy etc with the IP Aliases on the WAN interfaces but those should go to the virtual CARP address anyway.
Or can the fixed WAN IPs (that are also being used for CARP) also come from different networks like this?
- WAN FW 1 4.5.6.7, WAN FW 2 5.6.7.8
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
Regards
JP
with the hosting service I am using I can easily get two virtual servers running OPNSense and create as many virtual networks and virtual network cards as I want. BUT: When it comes to external public IP addresses I am (currently) not able to get a /29 or similar network assigned to the WAN network. I can book one or three individual IP addresses but these would not come from the same network/broadcast domain.
Question: Can this be made to work with CARP on OPNSense. I have read in other forums with pf/CARP that you could assign a private network to the WAN interfaces and give each firewall one unique private IP of this network and configure CARP on that. Then create a virtual CARP IP (public IP not part of the pseudo WAN network) on the WAN interface. Is this common consensus that this should actually work?
The two firewalls will have to communicate with the CARP protocol on the WAN network via their private unique IP addresses correct? This is not only done via the internal CARP networks (LAN interface, pfsync etc.).
Even if it works and is supported (which I hope) I assume it would be nice to still have fixed public IP addresses attached to the individual firewalls. Would I be able to do that?
- WAN Interface 192.168.100.0/24 / WAN FW 1 192.168.100.1, WAN FW 2 192.168.100.2
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
- public IP non floating on Firewall 1, virtual IP WAN interface IP Alias 4.5.6.7
- public IP non floating on Firewall 2, virtual IP WAN interface IP Alias 5.6.7.8
Would this work? Reading the documentation I assume I will not be able to use IPSec, OpenVPN, HA-Proxy etc with the IP Aliases on the WAN interfaces but those should go to the virtual CARP address anyway.
Or can the fixed WAN IPs (that are also being used for CARP) also come from different networks like this?
- WAN FW 1 4.5.6.7, WAN FW 2 5.6.7.8
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
Regards
JP
Pages: [1]