Messages - nicovell3

#1
And how can I disable state tracking for those two specific rules? I tried setting those rules with the field "State Type" set to "none", but the State table size keeps getting full.
#2
Hello fabian, thanks for your reply,

When you say "disable state tracking", are you talking about the entire firewall? How can that be done and which implications would that have?

Thanks for your help.
#3
Hello,

I'm trying to set up a new rule on my firewall so it'll allow a specific host to scan all ports from another net.

The only problem I have is that, when the rule is already set and I launch an nmap like this:

nmap -Pn -sS -p- -T5 192.168.20.0/24

And then, the OPNsense state table collapses: I've set a max size of 815000, but if I launch three concurrent scans, it gets full. So what I want is to make a rule which allows the traffic to pass and prevents the firewall from storing every connection in the state table. I think I don't need those connections to be stored in the state table, as I don't need the firewall to perform NAT; the scans will only occur on internal networks.

I've tried different settings when creating a floating quick rule which applies to my "monitoring" interface:

  • State Type as none
  • State Type / NO pfsync activated
  • TCP flags with "Any flags." checked

No matter what I set, the state table keeps getting full with the scans. How can I allow network scans without disabling my firewall?
#4
Hi Greg,

Yes, I have set up static routes for those private networks. I also set up other routes with policy-based routing, but I prefer the firewall to route these networks with global routes to avoid specifying the gateway multiple times in my rules, as I'd like to do with the multi-WAN thing.

Anyway, I'd have to get those gateways declared to use policy routing, so changing that wouldn't solve my problem...

Regards,
Nico.
#5
Hi Franco,

Thanks for your quick reply. But I see two problems there:

- I have more gateways to let my firewall connect to other networks (like laboratory routers), so I cannot simply rely on the firewall to decide which gateway to use. It can try to route my connections to a gateway which can't reach the internet.

- That option you talk about has the following description: "If the link where the default gateway resides fails switch the default gateway to another available one. This feature has been deprecated.". So I thought that setting this can't be the correct way.

What do you think?

Thanks for your help.
#6
Tutorials and FAQs / Set gateway group as default gateway
February 02, 2018, 09:23:03 AM
Hello,

In a setup with two WAN routers and one OPNsense firewall I've configured the two gateways with a gateway group to use the secondary gateway while the first one is down. The problem is that I don't want to configure just one firewall rule with that gateway group; I want the gateway group to be the default gateway for all rules, but there is no such option.

I tried configuring a route for all !RFC1918, but the gateway group does not appear in the gateway list. What is the most correct and elegant way to set this up?

Thanks in advance ;)

Edit: Wow, I just realized I posted in the wrong section and I don't know how to move the post. Sorry.
#7
Hi all,

Yesterday afternoon I updated the firewall, applied the patch with opnsense-patch f0ad55d and rebooted the firewall. Today, the users reported to me that the two wireless interfaces (both were protected, one with WPA2-PSK and the other with WPA2-Enterprise) were open without any authentication.

I had to undo the changes today to restore the WPA2 protection.

I don't know which logs I can provide to help in the investigation.

Regards,
Nico.
#8
17.7 Legacy Series / Re: Some bugs found?
September 20, 2017, 03:45:53 PM
Hi franco,

The problem is now solved. I don't know why, but now the gateway used to route the firewall B traffic through the tunnel can't have the IP configured. If I set up that gateway without an IP, then it gets renamed to dynamic and every packet is routed correctly. Services which were running before the gateway change needed to be restarted, but it works again. Thanks for your attention!

Regards,
Nico.

PS: I need to click the restart pf button after each rule change to get them applied, but that's not a big problem.
#9
17.7 Legacy Series / Re: IPSEC Site to Site VPN
September 19, 2017, 06:19:34 PM
Hi,

Maybe you aren't allowing some part of the traffic? You could run a tcpdump on each enc0 interface (this is the IPsec interface) and see if every packet is being routed through the tunnel.

Good luck!
#10
17.7 Legacy Series / Re: Some bugs found?
September 19, 2017, 03:43:46 PM
Hi Franco,

Thanks very much for your response! I've found the Packet Filter restart button, but it doesn't show me the progress as the Filter reload section did... Thanks anyway, that'll let me change rules without connecting over SSH.

Also, I don't remember which version I had before the update. I think it was 17.1.8, because the last time I had updated the firewall was in June.

Regards,
Nico.
#11
17.7 Legacy Series / Some bugs found?
September 19, 2017, 12:49:06 PM
Hi,

Since the last OPNsense update (yesterday), some things stopped working on my firewall.

First of all, I have an IPsec tunnel established with my other firewall (always updated at the same time, so they always have the same software versions). Every connection from each of the clients can be routed through the IPsec tunnel, but not the firewall's own connections. Let me give an example:

Firewall A          <->    Firewall B
10.0.0.0/24                10.1.0.0/24

My firewall B IP is 10.1.0.1 and the DNS server is at 10.0.0.2. When I try to send things from 10.1.0.1 to 10.0.0.2, the packets are not reaching the destination. I've listened on enc0 on both firewalls and this is the problem: at firewall B I see the packets going out, but at firewall A I can't see those incoming packets (but I do see the firewall B clients' traffic). I've verified that I've got rules to allow all that traffic and I've set the necessary gateway and route at firewall B (if that wasn't done, I wouldn't see the outgoing packets on enc0). And this is the only IPsec tunnel enabled at each firewall (firewall A has another IPsec tunnel, but it's not enabled). This worked before the 17.7.2 update...

And also, I've got a lot of rules on my firewall. When I click apply rules (after modifying some firewall rule), a popup is displayed with the text "The settings have been applied and the rules are now reloading in the background.". But my rules are not reloaded in the background. Before this update, I had a feature in the menu called "Filter reload", which I activated to force the application of the new rules, but now it doesn't appear in the menu. I have to log in through SSH and run "/usr/local/etc/rc.filter_configure". And then the rules are applied.

Does someone know how to fix these two things?

Regards.
#12
17.7 Legacy Series / Re: IPSEC Site to Site VPN
September 19, 2017, 12:19:47 PM
Hi,

At my company we have two phase 2s. You can have as many phase 2s for each phase 1 as you want.

Regards.