OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of Remington »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - Remington

Pages: [1]
1
General Discussion / [Solved] Answer Packet is not passing PF but session counter increases
« on: January 29, 2020, 05:43:24 pm »
Sorry, I have missed a few parts to explain.


The packet from 81.169.177.200 is coming in via a Wireguard tunnel.
192.168.70.1 is the local ip of the wg0 interface.

I haven't used the routing from the WireGuard plugin, but created an dedicated gateway for this wg0 interfacee with 192.168.70.1 as gateway IP.
This was working well for traffic to the opposite direction. I was able to reach 81.169.177.200 from 192.168.2.21, but not the other way round as described above.

The wireguard interface on the far end has 192.168.70.2 as IP. This was only reachable, if I have configured a route for this IP to the local wg0 interface using the gateway 192.168.70.1

The solution was to change the destination IP for the wg0 interface from the local ip 192.168.70.1 to the IP of the fart end 192.168.70.2.

Now the traffic is passing regardless of the side it was initiated.
The only address I can't make reachable is 192.168.70.2, which doesn't hurt in my case.

Bye
  Thomas

2
General Discussion / Answer Packet is not passing PF but session counter increases
« on: January 27, 2020, 12:16:47 am »
I try to ping host 192.168.2.21 from 81.169.177.200

I see the echo-request (234) with tcpdump on the inboud interface. I see the request and response on the outbound interface.
The session table shows the same.  The inbound session shows 234 packets in and out, but the out session shows twice as packets for the out counter.

Code: [Select]
all icmp 192.168.2.21:3290 <- 81.169.177.200:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:468 pkts, 19656:39312 bytes, rule 507
   id: 030000005e2df8c8 creatorid: 8368a371
all icmp 81.169.177.200:3290 -> 192.168.2.21:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:234 pkts, 19656:19656 bytes, rule 127
   id: 030000005e2df8c9 creatorid: 8368a371
How can I find out why the echo-response is dropped?

Code: [Select]
@127 pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
  [ Evaluations: 2132      Packets: 4173      Bytes: 1021132     States: 80    ]
  [ Inserted: uid 0 pid 82969 State Creations: 776   ]
@507 pass in log quick on wg0 reply-to (wg0 192.168.70.1) inet proto icmp from <schmu_srv03:4> to <wupp_schapp:3> keep state label "501718afceb1c0ed891df29dd33b09bf"
  [ Evaluations: 67        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 82969 State Creations: 0     ]


3
General Discussion / MDNS Repeater IPv6
« on: June 17, 2019, 10:50:10 pm »
Hi,

mdns repeater is pretty old and doesn't support IPv6.
Found that at least iPhones won't find their printer, if they are connected via dual stack.
Had to disable IPv6 on my printer to get it working again.

Is IGMP Proxy an option to forward mdns over IPv6?

Bye
  Thomas

4
18.1 Legacy Series / Re: Unbound DNS - Domain Override stops working
« on: January 29, 2019, 07:34:20 pm »
Hi,

I have the same issue here but running 18.7.10 with unbound 1.8.3.

Did you made any other change while  troubleshooting?

Thanks
  Thomas.

5
Web Proxy Filtering and Caching / add custom subnet to localnet
« on: August 14, 2018, 12:22:20 am »
Hi,

I didn't found a way to add custom networks to the acl localnet in the squid.conf.
Looks like that only networks of directly attached interfaces get added if they are added to "Proxy interfaces".
But adding e.g. an openvpn interface don't add the network to localnet.

Is there a way to add networks to localnet manually.

Thanks
  Thomas

6
General Discussion / ICMP type logging
« on: March 26, 2018, 10:27:10 pm »
Hi,

is it only me or is it in Version 18.1 that there is not ICMP type logging any more?

my log looks like this:
Code: [Select]
filterlog: 34,,,0,vmx0,match,pass,in,6,0x00,0x00000,255,ICMPv6,58,112,fe80::1:1,ff02::1,
filterlog: 92,,,0,vmx1,match,pass,in,4,0x0,,32,12590,0,none,1,icmp,60,172.20.XX.42,192.168.XX.231,datalength=40
I expect something like request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply at the end.
Not sure if it was there in the past or I have seen it in a pfsense install. Had to look into ICMP details recently and missed this information.

Can someone confirm that this is the standard behavior or was it different in former versions or is it configurable?

Thanks
 Thomas

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2020 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2