Topics - mszeliga

#1
20.7 Legacy Series / VPN blocked by default deny rule
January 13, 2021, 12:04:58 PM
Hi

The OPNsense default deny rule in "floating" intercepts traffic from the IPsec VPN to a network connected directly to OPNsense. There are at least 2 rules which should ensure the traffic passes.

I've got a rule for that specific traffic in IPsec (dns and http/s) and added another one allowing all traffic from IPsec to everything in floating.

...any ideas?

Btw. I do have my own Deny ALL rules on every interface, but these are never hit by the IPsec traffic - it goes straight to the floating default deny all rule.


After some more investigation:

IPsec traffic is blocked only if I select the predefined "IPsec net" as source. If I however create an alias with the IPsec network address and use that as the source, the traffic goes through - however, responses are then being blocked (as I see it, responses are not seen as responses by the firewall but as new connections).

The firewall has several interfaces and all traffic is going as it should - only IPsec has problems.

...and something more:
responses to IPsec traffic are logged several seconds after the request leaves the firewall on the correct interface.

I have tried to change the IP address of the VPN just to verify that I don't have a routing issue. I have no problems with traffic between any other interfaces, and the firewall is the default gw. on all connected interfaces.

#2
16.1 Legacy Series / Potential firewall problem
March 08, 2016, 09:48:09 PM
Hi

I have now several times experienced a situation where the firewall crashes and becomes a simple router.

I have experienced this behaviour on running virtualized and on real hardware and both in 15.7 and 16.1.
I do not know what happens (yet) but when the firewall crashes the result should be no traffic passing instead of all traffic passing.

After this happens the firewall keeps acting as a simple router even after a reboot; only restoring an earlier configuration may fix the problem.

I am running with 10 interfaces (on the hardware) and 8 VLAN interfaces on virtual.

I will try to dig the logfiles out of the crashed virtualized one tomorrow (9. March).

Regards
Maciej

#3
Hi

I'm trying to get OPNsense to work as an "internal" firewall between our test environments and production, so it ends up with no WAN interface.

My primary problem is that I can't fetch updates. I've tried with proxy and without proxy, but the result is the same: "Connection Error". Then I added a WAN port (still behind the corporate firewall), but the update still fails.
I can see (on the external firewall) it is connecting successfully to mail.opnsense.org on port 80.

Regards
Maciej

#4
Hi

I've recently replaced a m0n0wall with opnsense and I can't get IPsec passthru working; the same configuration worked with the m0n0wall.

Problem:

A Cisco PIX behind opnsense connects to a Cisco ASA. The tunnel is up and networks behind the ASA are able to reach networks behind the PIX, but it is impossible for networks behind the PIX to reach networks behind the ASA.

Configurations on both the PIX and ASA are unchanged, IP addresses on opnsense are the same as they were on the m0n0wall, and rules and NAT are copied from the m0n0wall. There is nothing in the logs, only the tunnel coming up.
The internal port of the PIX is connected to my switch (a Cisco CC3560x), which is used as the router on the LAN; this switch has static routes to the networks behind the ASA pointing to the PIX. The external port of the PIX is connected to the LAN7 interface on the opnsense.
I've got rules for ISAKMP from EXT to the PIX on LAN7, NAT for the same, and also the other way.

Btw. the hardware is an old Checkpoint UTM-1 with 10 1-Gigabit ports; I've named the ports in opnsense as they are named on the box (INT, EXT, DMZ, LAN1..LAN7).

Regards
Maciej