Messages - UserSN

#1
Thanks for the input & feedback!
#2
If I'm understanding correctly, adding any FW rules to my [WAN] interface would be useless.

Currently, ISP -> FW [WAN] Port
FW [LAN] Port -> My Switch

[BRIDGE] just connects the [WAN] -> [BRIDGE] (all my fw rules here) -> [LAN] -> switch.

From your reply I gather my current config is correct and that moving my block rules from [BRIDGE] to [WAN] won't work or bring any benefits?

#3
ISP -> Firewall -> Switch -> Servers

Because servers have static IP configs on NICs and I'm not NATing, OPN blocks all traffic except i.e. 80, 443, 25, etc. to www.

I currently connect via RDP/SSH to X (servers) from a few specific locations with static IPs, so that's easy enough: just add a FW rule in OPN to allow RDP/SSH traffic ONLY from those specific IPs.

To accomplish the same as above from "random" locations becomes more tricky, hence the use of a VPN; once connected I can RDP/SSH to any svr on the network.

That's what I'm trying to do.
#4
I also considered doing IPSEC but from my research I think that's more suitable for network-to-network tunneling, i.e. Microsoft Offices NY to Microsoft Offices LA, etc.

My use case is that only a select few users should be able to connect to my NOC and access my servers, and the simplest way to do this securely seemed to be OpenVPN, but I've also noticed some ISPs (i.e. Orange.fr, a big ISP in France) do some kind of packet filtering on certain ports that may be contributing to my strange connect/disconnect issues.

Then again, one of my team members in the US running on their ISP Spectrum didn't have this issue when connecting to the out-of-the-box OpenVPN installation:
https://openvpn.net/as-docs/installation.html

But I did from France. I know this because Orange.fr also blocks i.e. port 25 for email.

I also tried switching from UDP to TCP 443 to avoid strange ISP issues but I'm getting the same behavior.
#5
Hi Eric,

Thanks for the reply and sorry for the delay in coming back to you, I swore I replied but I must have never posted it.

1) I need VPN for employees and sometimes for when I'm traveling, to access the network remotely in a secure way, and I cannot always be adding i.e. my hotel's IP address to enable me to RDP or SSH to my machines.

2) Yes, I've installed the OpenVPN installation, which is basically a stand-alone installation from OpenVPN, as a VM in my NOC that I can OpenVPN into and then have access to the network. Something in its out-of-the-box setup makes it work compared to me trying to replicate this on OPNsense, and I had also tried on a different firewall software that gave me the same connecting/disconnecting behavior.

I'm connecting from 1 city to my NOC in a different city, sometimes from different countries.
#6
Hello Everyone,

I'm using a DEC2687 OPNsense box in front of my servers at a NOC. I've set it up to run in transparent/bridge mode as all my machines behind it have a static IP configuration that's a web-accessible IP. In OPNsense I've created a simple ALLOW ALL rule on my WAN interface and then I configure all my block/pass rules on the BRIDGE adapter, but since I've added Emerging Threats and other IP block lists, in the dashboard I see a large percentage of the pie graph made up of TOR Exit Nodes (another block rule I added) and Emerging Threats under currently active processes.

My question:
Should I add global block rules (i.e. Emerging Threats, TOR Exit Nodes and all other global drop/block lists/rules) at the WAN level vs. the BRIDGE level? Would that improve performance in any way if I block it directly at WAN?

Thank you!
#7
I'm having difficulties getting OpenVPN set up on my OPNsense firewall. I'm able to get to a point where my clients can connect, and I see the client is assigned the correct IP as configured in OPNsense, but the clients constantly disconnect and I cannot ping any machine in the assigned networks, nor can I access the internet. I'm not sure if it has to do with my routing or where my problem is.

My Infrastructure:
Firewall -> Switch -> Various Machines
(All machines are assigned a static IP; I'm not using NAT, which is why I've set up the firewall in transparent mode or bridge mode)

Firewall Config:
- WAN has an allow everything rule setup on it, zero filters or blocks and just this 1 rule to allow everything.
- BRIDGE is where I configure all my fw rules.
- Gateway is setup to my publicly facing networks gateway address from my ISP's switch from the IP allotment they've provided me.
- All my machines on this network are assigned a static publicly facing IP, no NAT.

I've set up in OPNsense the Certificate Authority and the certificates themselves for the CA & users.
I've configured under VPN > OpenVPN > Instances: the Static Key & OpenVPN Server Instance running on the default port UDP 1194 (also tested with a different random UDP port & port 443 TCP).
Set up the OpenVPN Server Addresses to 10.2.4.0/24 for VPN clients, under subnet topology.
Static Key, Auth & Certs have all been properly configured.
Under the "Routing" Local Network I've input the correct static IP network I want my VPN clients to have access to.
Misc Options: client-to-client

Interfaces & F/W Rules:
- Assigned my newly created OpenVPNServer interface & enabled it!
- My WAN interface has from the get-go an allow-all rule for traffic of any type (*) to go through, so that's taken care of.
- In my BRIDGE interface I added a rule to allow all variations of the ports listed above (1194, 443, random port, etc.) to my BRIDGE address (not sure if this could be problematic, but BRIDGE is where I'm managing everything as it's transparent mode)
- Create the FW rule to allow everything in on the OpenVPNServer FW/rules area

THEN, POST Config tests:
1) I initially set up the DNS servers to the static IPs of the DNS servers I'm using at my network.
2) I then tested by switching to Google & 1, i.e. 8.8.8.8 & 1.1.1.1
3) I tested "Push Options" initially with (Push block-outside-dns & push-register-dns) and then tested with both those options off (No Push Options, essentially)

None of these tests changed anything in the client connection dropping behavior.

I've tested on my phone & local PC connecting by exporting the config from opnsense, etc.. and loading it onto my openvpn client software.
- I do initially connect, but after a few seconds it disconnects, then reconnects and this over and over again.
- Same symptoms both on local PC & phone. The phone was disconnected from Wi-Fi and running on the cell network, so it's nothing related to my local router/ISP, etc., as I'm running directly from the cell network connection.

The only thing I can think of is my ISP doing some filtering of UDP connections, but I tested via 443 and I'm experiencing the same behavior, so I don't think that's it, and also the cell tower connection is a completely different ISP.

There must be a config I'm doing wrong somewhere?

Once connected to the VPN for those couple of seconds, I run an ipconfig and can see I am assigned the correct IP within the range I've allotted in the config of the OpenVPN server. I can ping the OPNsense firewall's public IP but not any IPs of the network they should have access to (the same network the firewall itself is set up on in terms of gateway, etc.). Cannot do any DNS lookups; checking nslookup I do see it sets the name server I've configured (I tested my own DNS, 8.8.8.8 & 1.1.1.1 respectively with different test attempts), but all DNS lookups fail.

Hoping for any shred of advice that could point me in the right direction; happy to do a Zoom call and pay for anyone's time if you could help me troubleshoot this.
Granted, my setup is a bit different than the tutorials out there on the web, as all my machines have static IP configs and I'm not using NAT; that must also be something in the equation.

Weird thing is, I have an OpenVPN virtual machine server running INSIDE this same network and I'm able to connect to it fine, but I'm trying to get rid of it since OPNsense does this already, so I can get rid of that redundant VM.

OpenVPN config tutorial I've basically followed, with minor changes due to my network's layout:
https://sysadmin102.com/2024/03/opnsense-openvpn-instance-remote-access-ssl-tls-user-auth/
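For readers following the steps in the post above, here is a hand-written OpenVPN server configuration that approximates the instance described (UDP 1194, subnet topology, 10.2.4.0/24 client pool, static key, pushed local network route, client-to-client, and the push options that were toggled). This is an added illustration, not the poster's configuration and not what OPNsense generates from its GUI; the certificate and key file names and the 203.0.113.0/24 "local network" prefix are assumptions, since the post does not give them.

```conf
# Added example: hand-written OpenVPN server config approximating the setup
# described in the post. NOT generated by OPNsense; OPNsense builds its own
# config from the GUI instance. Values marked ASSUMED are placeholders.

port 1194
proto udp
dev tun

# Subnet topology: each client gets one address from the pool (post: 10.2.4.0/24)
topology subnet
server 10.2.4.0 255.255.255.0

# Certificates issued by the CA created in OPNsense (file names ASSUMED)
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Static key protecting the TLS control channel (file name ASSUMED);
# the server side uses direction 0, clients use direction 1
tls-auth ta.key 0

# "Routing: Local Network" in the GUI becomes a pushed route. The post's real
# public prefix is not given; 203.0.113.0/24 is a documentation-range placeholder.
push "route 203.0.113.0 255.255.255.0"

# Misc option from the post
client-to-client

# DNS handed to clients; the post tried the site DNS, 8.8.8.8 and 1.1.1.1
push "dhcp-option DNS 1.1.1.1"

# Push options the post toggled on and off (both only act on Windows clients)
push "block-outside-dns"
push "register-dns"

# Keepalive: ping the peer every 10 s, restart the tunnel after 60 s without
# a reply. A tunnel that comes up and drops every few seconds can be compared
# against these values in the client log ("Inactivity timeout (--ping-restart)").
keepalive 10 60

persist-key
persist-tun
verb 4
```

Two checks that follow from this layout rather than from the config itself: first, the client log at `verb 4` shows whether each drop is a ping-restart (no data-channel replies reaching the client) or a TLS/auth failure, which separates a path problem from a key or certificate problem. Second, because the firewall is a transparent bridge and the post says the servers use the ISP's gateway as their default route, a server replying to a 10.2.4.x client will send that reply to the ISP gateway, not to the firewall, unless the server has a route for 10.2.4.0/24 pointing at the firewall's address or the firewall source-translates VPN traffic; that asymmetric return path is a general routing consequence of this topology (an assumption about the poster's site, not a diagnosis the post confirms) and is consistent with being able to ping the firewall itself but nothing behind it.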
#8
Thanks for the confirmation Patrick. Do you know if it will automatically pull the business version or switch to the community version if I'm currently on the business version?
#9
I'm planning an upgrade from 24.4 to 24.10 via the web GUI upgrade button. If the upgrade is done, will it reset my config/rules so that I have to restore from a backup, or will it just upgrade and retain all config/rules? I am using the business edition currently; will it upgrade to the corresponding business version of 24.10 or is that a manual process?

As this unit is in production, I can schedule the upgrade during off-peak hours, but if it requires redoing my config/rules I'll have to hold off, so I wanted to check here first.

Thanks,
UserSN