Messages

1

21.1 Legacy Series / Re: IPsec Stealing Traffic.

« on: June 24, 2021, 09:11:05 am »

Well that was easy when you know how 

Spent about a week looking at this and wondering why I could not ping the firewall lan interfaces, then yesterday found out it was the ipsec vpn.

now it is all working as required.

Thankyou for the pointer.

2

21.1 Legacy Series / [SOLVED] IPsec Stealing Traffic.

« on: June 23, 2021, 11:09:15 pm »

version 21.1.7

Lan lost of connections to networks all behind 10.0.0.0/8
Head office (Draytek 2962)
Wan
Internet
|
IPSEC vpn Lan to Lan 10.0.0.0/8 - 10.14.182.0/24
|
Internet
WAN
opnsense (21.1.7 in the cloud on esxi)
Lan1 10.14.182.1/28 (Firewall ipv4 any to any)
Lan2 10.14.182.128/28 (Firewall ipv4 any to any)
Lan3 10.14.182.144/28 (Firewall ipv4 any to any)
IPSEC (Firewall ipv4 any to any)

As soon as the vpn comes up I lose connectivity between between the lan interfaces on the opnsense 
(Testing from a pc on lan 1 , lose ping to lan2 and lan 3 interfaces)

My expectation is the routing table takes priority, routing out local interfaces first before sending out the wan  where it is vpned back to head office.
10.0.0.0/8 should be lower priority than a local 10.141.182.1/28 Interface

Is the vpn capturing the traffic before it hits the routing table ?
I have tried with individual phase 2 for each Lan interface which did not help.

Have I done something incorrect.
Hopefully I don't need to create individual phase 2 for all the network hiding behind the head office 10.0.0.0/8

Any guidance welcomed.

Thanks

3

18.1 Legacy Series / Re: TFTP Proxy

« on: June 08, 2018, 04:28:24 pm »

Nat port Forward
LAN   UDP   *   *   *   69 (TFTP)   127.0.0.1   69 (TFTP)   TFTP-Proxy out system default gateway.

Using carp ip I think will be a non starter might work if tftp-proxy was a newer version. more options

Just need to find out how to get inetd to start automatically on a restart?

4

18.1 Legacy Series / TFTP Proxy

« on: June 07, 2018, 05:59:39 pm »

Hi All

Is anyone able to provide guidance on getting the TFTP-proxy to work.

If tried to follow https://github.com/opnsense/core/issues/1810

I have created /usr/local/etc/inc/plugins.inc.d/tftpproxy.inc
I have added "tftp   dgram   udp   wait   root   /usr/libexec/tftp-proxy   tftp-proxy -v" to /etc/inetd.conf

Stuck on "the rest is done by generic Portforward rules"
I think Iv tried passing it to 127.0.0.1:69

This is the only thing stopping me from switching over from the other firewall.

TFTP is a show stopper if this is not available. Unfortunately some of the kit we lookafter is all managed by tftp transfers.
The TFTP servers will be on the internet we are all behind the hopefully new opnsense  firewall.

In an ideal world we would be using a carp address, to source tftp requests from however I would settle for any address that works.

Any help would be great.

thanks
dkeith