
Messages - fredbloggs

1
16.7 Legacy Series / VPN when behind 3rd party router
« on: November 18, 2016, 11:00:57 am »
Hi,

I have attached a picture which outlines what I'm trying to do and am wondering whether this is possible either with an L2TP/IPsec tunnel. IP addresses are not mine.

Basically, I'm unable to assign a public IP address to the WAN interface of the OPNsense firewall due to internal politics. I am, however, able to get a public IP address routed to the WAN interface of the OPNsense firewall and for the firewall to act on this information. This works fine and I'm able to access internal systems via NAT and all appears good in the world.

However, when trying to configure L2TP the clients won't connect since the server doesn't know its publicly accessible IP and responds telling the client to connect to the IP address on its WAN interface. Is it possible to get it to respond with a specified IP address?

I'd prefer to use L2TP/IPSec as this allows more 3rd party systems to gain access but if it requires me to use OpenVPN I may consider that as an option.

Thanks

2
16.7 Legacy Series / Compatibility with 3rd party FW's (for VPNs)
« on: August 16, 2016, 11:22:52 am »
Hi,

I'm trying to find out (since I'm failing) if the OPNsense firewall has been tested with 3rd party firewalls to create VPNs.

Specifically thinking about Sonicwalls but also have a requirement to support Fortinet / Meraki / Mikrotik.

i.e. not OpenVPN, purely IPsec and preferably without having to manually edit ipsec.conf files and just done via wizards.

I want to confirm this is possible before I look to engage support to set this up.

Thanks

Mark

3
16.1 Legacy Series / Re: can a windows >= ver 7 client do a roadwarrior IPSec with opnsense ?
« on: August 12, 2016, 11:48:39 am »
Hi Franco,

Are there any plans to create some documentation detailing how to set this up with OPNsense?

I'm unable to get a Windows 7 client to connect to the OPNsense and terminate a VPN connection (in future I will want to do Sonicwall > OPNsense, Meraki > OPNsense, but they also support IKEv2 so hopefully they will be more straightforward).

Thanks

4
16.1 Legacy Series / NAT / PAT & Firewall rules
« on: May 31, 2016, 07:01:16 am »
Bit of a newbie question, but this operates differently to what I'm used to.

It would appear that when passing traffic through the firewall it goes through the following path:
  • NAT: where it translates the connection to the internal IP address & port
  • Firewall: where you have to allow connections to the internal IP & port

Is this as expected? I'm used to it being the firewall allows connection to the external IP and then gets passed to NAT to redirect.

I have also struggled with PAT. When using PAT, what do I enable on the firewall as the destination IP & port? Is it the IP/port pre-NAT or post-NAT?

I'm sure this is noted somewhere but I just can't find it written as a simple flow of how the traffic is processed and am struggling to get a working system in this way.

Thanks for any guidance.

Mark

5
16.1 Legacy Series / Re: Is it possible to restrict what a user can do on the interface?
« on: March 29, 2016, 05:04:39 am »
I must be missing something. As soon as I give someone those rights they have rights to everything.

Should I be able to give an account limited access without those?

6
16.1 Legacy Series / Re: Is it possible to restrict what a user can do on the interface?
« on: March 26, 2016, 03:47:39 am »
Thanks, I looked there but didn't notice the add roles, thought it was just for VPNs etc.

Just need to work out which are required (at present the user has some assigned) as I'm getting a web page can't be found error, http://10.3.3.201/.widget.php unless I grant access to WebCfg - All pages, which then grants access to all pages and not just those desired.

Any ideas?

7
16.1 Legacy Series / Is it possible to restrict what a user can do on the interface?
« on: March 25, 2016, 10:53:04 pm »
Hi,

Am a newbie, but looking for a firewall that allows us to perform a few restrictions.

For example, whilst I obviously want a super-user god-like account to manage everything, I'd also like to be able to restrict what certain people can do in the web interface.

i.e. so that they can't change any details under Interfaces or add virtual IPs under Firewall. Even if I'm required to change a setting to make them temporarily available/hidden in the UI.

Going forwards, I guess a FR would be required to allow delegated administration to each component to grant the most flexibility.

Thanks
Mark
