Messages - sidney_v

1
General Discussion / Re: Traffic not passing through from distant subnet to WAN
« on: February 13, 2019, 11:26:27 pm »
Hi,

Just to let you know that it was an Outbound NAT issue and I just created a hybrid one; everything works well.

Bye


2
General Discussion / Traffic not passing through from distant subnet to WAN
« on: February 11, 2019, 11:28:06 am »
Hello,

On my OPNsense (18.1.9-amd64 and upgraded to 18.7), I tried to connect a subnet to my LAN but something went wrong: LAN resources are available but there is no internet connection. I need some outside help to point out any errors I might have missed.

My config :
Code:
  Remote PC              Router                    Router                 OPNsense
10.143.20.200/22---lan---10.143.20.254/22---mpls---192.168.0.2/30---lan---192.168.0.1/30    (MPLSFOLINKT ETH)
                                                                          10.143.7.254/22   (LAN ETH)
                                                                          77.158.229.106/30 (WANFOSFR ETH, member of a group)

What I've done :
  • System: Gateways: Single >> Add "GWMPLS" 192.168.0.2 (Default and Far Gateway unchecked, appears "online")
  • System: Routes: Configuration >> Network : 10.143.20.0/22 - Gateway : GWMPLS - 192.168.0.2
  • Interfaces: [MPLSFOLINKT] >> Create new interface,  Block private and bogon networks unchecked, IPv4 Upstream Gateway : None
  • Firewall: Aliases: View >> Create a network "ReseauxDistants" including 10.143.20.0/22 & 192.168.0.0/30
  • Firewall: Rules: MPLSFOLINKT >>
Code:
Proto   Source           Port  Destination      Port  Gateway  Schedule  Description
IPv4 *  ReseauxDistants  *     *                *     *                  Allow traffic from VPN MPLS sites distants
IPv4 *  *                *     ReseauxDistants  *     *                  Allow traffic to VPN MPLS sites distants
  • Firewall: Settings: Advanced >> Checked Static route filtering : Bypass firewall rules for traffic on the same interface

With this configuration :
Pinging and accessing internet from the 192.168.0.2 router is successful to LAN and internet
From the Remote machine (10.143.20.200) I can ping and access LAN resources but no ping or access to internet


Verification :
  • System: Routes: Status
Code:
Proto  Destination     Gateway      Flags  Use  MTU   Netif  Netif (name)
ipv4   10.143.20.0/22  192.168.0.2  UGS    238  1500  em5    MPLSFOLINKT
  • Firewall: Log Files: Live View : everything seems to pass

I've triple checked my config and any help would be appreciated,

Thanks in advance :-)

3
17.1 Legacy Series / Re: Certificate Expiration Date Issue
« on: September 14, 2017, 08:10:55 am »
Wow,

I've generated a new "Server Certificate" and now it works perfectly.
Thank you, you saved my life !

Have a nice day :)




4
17.1 Legacy Series / [SOLVED] Certificate Expiration Date Issue
« on: September 12, 2017, 06:42:02 pm »
Hello,

I have 9 OPNsense in production: 1 of them is an OpenVPN server and the 8 others are clients.
(it's a Peer to Peer SSL/TLS server mode)

Today, all clients stopped working because of a server Certificate Expiration Date Issue  :'(
Each client has a valid certificate generated by the server and the server itself has a certificate (<- this one is expired)

It's slowly getting serious because I don't know how to extend the certificate expiration date (best way) or how to generate another one properly for this kind of configuration.

Any help will be appreciated.

EDIT: Marked as solved

5
17.1 Legacy Series / Re: Latency between OPNsense and its gateway
« on: July 31, 2017, 05:00:49 pm »
Well,

It seems that our router (LookAccess LA-110) has an incompatibility with other network cards (speed and duplex not the same on each side).

Unfortunately, our Deciso appliance seems to be concerned.

I'm trying to change the router; at the same time, implementing traffic shaping in order to limit a 4Mbps bandwidth to 3Mbps saves our life (300ms).

Regards

6
17.1 Legacy Series / Latency between OPNsense and its gateway
« on: July 27, 2017, 11:34:59 am »
Hello,

I have 9 OPNsense in production and one of them has an issue with its gateway.

This firewall was working well behind another Zyxel firewall (not conventional), so I connected it directly to the router with a public IP (I removed the Zyxel and plugged its cable into the OPNsense).

When downloading a large file, there is latency / RTT of 600ms.

Some tests have been done :
- Update the latest packets for 17.1.9
- Change Speed and duplex from Default to other option matching with router parameters
- Same download directly from console : same problem of latency (so LAN interface is not guilty)
- Same download from another OPNsense : latency is only 100ms

So I think the problem is between router and firewall which have been both rebooted.

I noticed that in the "Interface > [LAN] or [WAN] > Overview" menu there are collisions and interrupts for both cards.

LAN
Code:
Collisions 2880
Interrupts
irq device         total rate
irq256 igb0:que 0 8
irq257 igb0:que 1 5
irq258 igb0:que 2 4
irq259 igb0:que 3 5
irq260 igb0:link 4 0

WAN
Code:
Collisions 2313
Interrupts
irq device        total rate
irq261 igb1:que 0 13
irq262 igb1:que 1 6
irq263 igb1:que 2 3
irq264 igb1:que 3 4
irq265 igb1:link 4 0

And another command :
Code:
root@opnsense:~ # netstat -i
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
igb0   1500 <Link#1>      00:0d:b9:42:53:dc  1086340     0     0  1399872     0  2878
igb0      - fe80::%igb0/6 fe80::20d:b9ff:fe        0     -     -        2     -     -
igb0      - 10.143.32.0/2 opnsense              3142     -     -    24090     -     -
igb0      - 10.143.35.254 10.143.35.254            0     -     -        0     -     -
igb1   1500 <Link#2>      00:0d:b9:42:53:dd  1935039     0     0  1555826     0  2313
igb1      - fe80::%igb1/6 fe80::20d:b9ff:fe        0     -     -        0     -     -
igb1      - 95.170.8.128/ 130-8-170-95.reve   209464     -     -     8998     -     -
igb2*  1500 <Link#3>      00:0d:b9:42:53:de        0     0     0        0     0     0
enc0*  1536 <Link#4>      enc0                     0     0     0        0     0     0
lo0   16384 <Link#5>      lo0                  39739     0     0    39739     0     0
lo0       - localhost     localhost            31401     -     -    31401     -     -
lo0       - fe80::%lo0/64 fe80::1%lo0              0     -     -        0     -     -
lo0       - your-net      localhost           219127     -     -     8338     -     -
pflog 33160 <Link#6>      pflog0                   0     0     0   308625     0     0
pfsyn  1500 <Link#7>      pfsync0                  0     0     0        0     0     0
ovpnc  1500 <Link#8>      00:bd:c2:29:f7:02   318539     0     0   309332     0     0
ovpnc     - fe80::%ovpnc2 fe80::2bd:c2ff:fe        0     -     -        1     -     -
ovpnc     - 10.143.252.0/ 10.143.252.32         4672     -     -     4523     -     -

Do you have any ideas or suggestions ?

Thanks in advance  :)

7
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 09, 2016, 12:04:07 pm »
Noticed, I won't use it because the last patch works.
Thank you xofer ;)

8
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 09, 2016, 08:20:21 am »
I've patched and it works great  ;)
Many thanks Franco !


9
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 08, 2016, 07:16:23 pm »
"Glad" to see that I'm not alone...

Another GUI solution that works for me: switch from DNS Forwarder to DNS Resolver, which also allows host & domain overrides.

xofer: you just copy /var/etc/dnsmasq-hosts to /etc/hosts? Do you have an example of /var/etc/dnsmasq-hosts?

Thanks for your help

10
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 08, 2016, 02:50:23 pm »
That's definitely strange,
the patch doesn't work in my configuration...

What I've done so far:
* On a 16.7.10, I reinstalled the dnsmasq plugin; it doesn't work
* I reset to factory defaults (same 16.7.10/2.76,1 version, fresh config): after reconfiguring, it still doesn't work
* I reinstalled a fresh 16.7 version, upgraded to 16.7.10 and reconfigured dnsmasq: it doesn't work and chmod is ok
* I forced a "chmod 644 /var/etc/dnsmasq-hosts" and "Restart Service" but same result.

I'm going crazy  :o Am I missing something ?

Any help will be appreciated :)

11
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 07, 2016, 08:42:35 am »
Hello,

On a new OPNsense firewall running OPNsense 16.7.9-amd64 firmware,
dnsmasq works perfectly.

I won't upgrade to 16.7.10-amd64 and will wait for a patch... looking at the changelog.

I've noticed something strange: both firmwares are running dnsmasq 2.76,1
(see it in System > Firmware > Updates)

To be continued

12
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 06, 2016, 10:12:14 pm »
I've just tried to check/uncheck System > Settings > General "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" but the result is still the same.

Computer on LAN has OPNsense LAN IP address as first DNS.
OPNsense has to resolve a host support.XXX.fr with a host override entry in dnsmasq but it doesn't work: I get a public IP instead of a private IP.

Tomorrow I'm going to configure another firewall and make some tests with a previous firmware...

But there is still a bug :/

13
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 06, 2016, 08:20:41 pm »
Bad news,

# pkill dnsmasq and saving the configuration didn't solve the problem.
I've also rebooted the firewall, it didn't work better.

Everything seems to be well configured :
Code:
root@opnsense:~ # ls -lah /var/etc/dnsmasq-hosts
-rw-r--r--  1 root  wheel    46B Dec  6 19:48 /var/etc/dnsmasq-hosts
root@opnsense:~ # cat /var/etc/dnsmasq-hosts
10.143.7.245    support.XXX.fr support

But when I try to resolve support.XXX.fr from LAN, OPNsense still returns a public address (not 10.143.7.245)

At the same time, Domain Overrides work perfectly.

I don't know what to do now, any suggestion ?

14
16.7 Legacy Series / Re: [SOLVED] 16.7.10: DNS Forwarder host overrides have stopped working
« on: December 06, 2016, 03:04:40 pm »
Hello,

After upgrading OPNsense to 16.7.10-amd64, Host Overrides in DNS Forwarder (version 2.76,1) don't work.

Quote
A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname.

I've checked :
Code:
root@opnsense:~ # ls -lah /var/etc/dnsmasq-hosts
-rw-r-----  1 root  wheel    46B Dec  6 14:30 /var/etc/dnsmasq-hosts

So I've made a chmod and restarted dnsmasq service from web and console (service dnsmasq stop, service dnsmasq onestart) but it still doesn't work.

Code:
root@opnsense:chmod 644 /var/etc/dnsmasq-hosts
root@opnsense:/var/log # ls -lah /var/etc/dnsmasq-hosts
-rw-r--r--  1 root  wheel    46B Dec  6 14:50 /var/etc/dnsmasq-hosts
root@opnsense:/var/log # service dnsmasq stop
Stopping dnsmasq.
Waiting for PIDS: 62881.
root@opnsense:/var/log # service dnsmasq onestart
Starting dnsmasq.


Am I missing something ?


15
General Discussion / Re: Squid - Replace message by a single pixel
« on: August 30, 2016, 04:35:46 pm »
Well, just in case someone is wondering how to do it,
you just have to restart Squid to get your new png file displayed.

(CTRL+F5 to reload web page without cache isn't enough)
