Messages

1

19.1 Legacy Series / Re: IPSEC Tunnel not working anymore

« on: March 14, 2019, 08:49:42 am »

Salü Franco

For sure we only use opnSense :-)

Without the patch in the main office, we had different versions in place; between 19.1.2 and 19.1.4 and we can't connect to any side.

Maybe this is interesting: We patch only the FW on the main office (19.1.4 + patch) and it runs fine with the unpatched 19.1.4 boxes and 19.1.2 to .3 from the branch offices.

gruss ivo

2

German - Deutsch / Re: Extreme Leistungs-Drosselung durch die Firewall

« on: March 14, 2019, 08:08:35 am »

Hallo zusammen

Die verwendete Hardware wäre doch noch interessant und hat mal jemand die MTU kontrolliert?

Wir betreiben eine opnSense auf einem Intel Server mit XEON in einem Datacenter mit 10GB Fiber und haben keine schlechteren Ergebnisse als mit unserer grossen Cisco ASA im gleichen Datacenter und gleicher Leitung.

gruss ivo

3

19.1 Legacy Series / Re: Packets from LAN to OpenVPN road warrior client get routed to WAN

« on: March 13, 2019, 08:49:26 pm »

Salü gs

Why you trace to 10.10.12.3 and not to 10.10.12.2?
What about 10.10.12.1, where you define it?

gruss ivo

4

19.1 Legacy Series / Re: IPSEC Tunnel not working anymore

« on: March 13, 2019, 07:54:06 pm »

Salü Franco

It looks fine after applying the patch:

- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot

Besten Dank und schönen Abend.

gruss ivo

5

19.1 Legacy Series / Re: IPSEC Tunnel not working anymore

« on: March 13, 2019, 05:02:59 pm »

In the console:

opnsense-revert -r 19.1.2 opnsense

6

19.1 Legacy Series / Re: IPSEC Tunnel not working anymore

« on: March 13, 2019, 04:13:25 pm »

Yes, same on our side, we go back to 19.1.2 and have to request a maintenance window to try the patch.

ivo

7

18.7 Legacy Series / Re: Preshared Key no longer accepted?

« on: October 05, 2018, 06:30:03 am »

Thank you for sharing your code. We use it vise-versa (our server pull it from opnsense), because the external FW boxes can't reach the backup server.

I think from the security perspective, it was safer in the 18.1 version to have a ssh key and a dedicated user without any permissions, just pull the configuration. Now, we have to give the backup admin and bash rights.

gruss ivo

8

18.7 Legacy Series / Preshared Key no longer accepted?

« on: August 29, 2018, 08:47:58 pm »

Hi all

We just updated some OPNsense boxes from 18.1 -> 18.7 and got a problem with the nightly backup process.

The centralized server got all configurations from all boxes with a preshared key and a special backup user, who have no password access to the OPNsense etc.

After the update to 18.7 it doesn't work again, but I found these in the logs:

Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.

I check with the web gui the "Effective Privileges" from this user and I can't find the point "User - System: Shell account access" anymore.

On the 18.1 configuration, because the security, this user is not a member of the admin group, "/sbin/nologin" is the Login Shell and only the "Effective Privileges" "User - System: Shell account access" was set. With the preshared key we get the configuration with scp. It work's fine.

How can I setup it up with the 18.7 release?

gruss ivo

9

Hardware and Performance / LTE on APU2?

« on: March 07, 2018, 09:54:05 pm »

Hi all

Is anyone out there with experiences with an LTE modem on the APU2 (or APU3) board?

A list with compatible modem can I find here:
http://pcengines.ch/howto.htm#3G

Is there a OPNsense supported modem as well?

Are there any restrictions? How is the modem configured (PIN, APN etc.)?

gruss ivo

10

17.7 Legacy Series / Re: [SOLVED] slow IPsec performance

« on: February 13, 2018, 08:46:57 pm »

Hi all

We have also some DSL <-> Fiber VPN's (both side connected by pppoe via a bridge/converter to the provider) and we need to reduce the MSS to 1380 on the LAN side. Without, RDP is useless.

gruss ivo

11

18.1 Legacy Series / Re: 18.1.r1 failed to fetch

« on: January 11, 2018, 07:42:05 pm »

Hi all

18.1.r1 is a release candidate?

If I press "Check for updates" on all of our production firewalls, this version is also listet as an update. Was this expected?

gruss ivo

12

17.7 Legacy Series / Re: I'm not able to boot with usb in inspiron 1300

« on: January 06, 2018, 11:46:07 pm »

Did you try to boot with CD?

13

17.7 Legacy Series / Re: [SOLVED] slow IPsec performance

« on: January 06, 2018, 11:41:09 pm »

Salü mimugmail

Yes, it was also my first intend and I tried some modifications, but I never touched the MSS field. Thank you to give me the kick to go through the thread again. It's solved now, here is how:

I try with ping, what is the biggest size where I got a reply:
[root@linux01 ~]# ping -s 1395 -M do 198.18.8.48
PING 198.18.8.48 (198.18.8.48) 1395(1423) bytes of data.
^C
--- 198.18.8.48 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms

[root@linux01 ~]#
[root@linux01 ~]# ping -s 1394 -M do 198.18.8.48
PING 198.18.8.48 (198.18.8.48) 1394(1422) bytes of data.
1402 bytes from 198.18.8.48: icmp_seq=1 ttl=62 time=15.2 ms
1402 bytes from 198.18.8.48: icmp_seq=2 ttl=62 time=15.0 ms
1402 bytes from 198.18.8.48: icmp_seq=3 ttl=62 time=14.3 ms
^C
--- 198.18.8.48 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 14.316/14.856/15.203/0.386 ms
[root@linux01 ~]#
I set the MSS value "1422" from the "good" ping on the LAN interface on the opnsense and the performance was fine. I try to set it only on location A and it works, but this location is connected via DSL.

I also had a look on the Cisco ASA, there was no settings for MSS, so the default value should be active:
"By default the ASA sets the TCP MSS option in the SYN packets to 1380." (from Cisco).

gruss ivo

14

17.7 Legacy Series / Re: Virtual PPPoE IP Alias

« on: January 05, 2018, 11:27:56 pm »

Hmmm, that's interesting, this is the 1st time where I see this scenario...

But, maybe one of these idea's can bring you forward:

- Configure the PPPoE with the VIP on the WAN Interface of your router and the Subnet Range on the LAN side, the connect the opnsense on the LAN port of the router.

- Or try to configure opnsense with the PPPoE VIP on the WAN interface and the IP range to a "dummy" VLAN on the opnsense and set the GW to the WAN interface.

I never try this...

gruss ivo

15

17.7 Legacy Series / Re: slow IPsec performance

« on: January 02, 2018, 11:51:54 pm »

Hi all

In the last days, we want to exchange our Cisco ASA's with opnsense boxes, but we run in this issue. Our old configuration is a ASA5520 <-> ASA5540 with IPSec tunnel, the new are two opnsense boxes with these CPU's "AMD GX-412TC SOC (4 cores)" <-> "Intel(R) Xeon(R) CPU E3-1280 V2 @ 3.60GHz (8 cores)", but i don't think this is the problem, also with an IPSec tunnel.

On the location A is a VM who get a nightly backup from a VM in the location "B". Both are RHEL 7 VM's and we just switch the gateway from the ASAs to the opnSense Boxes. Routers (Cisco and Draytek), Lines, Switches on both locations are untouched.

The VM in the location B have also a public IP on the opnsense FW. So if we try to download a file from the web server or to a scp via the IPSec tunnel, we just get s hand full of KB/s (scp says "--stalled--"), via the public IP full speed. At the beginning the transfer is fast for a short moment, then it comes down very fast. But not all the time sometimes, it goes a bit longer fast before "stalled".

The tunnel on the ASA side was IPSecV1, on opnsense IPSecV2, both ESP etc.

gruss ivo