OPNsense
Topics - dragon2611

1
21.7 Legacy Series / NPTv6 PD?
« on: December 22, 2021, 11:39:00 am »
Is there any way to use NPTv6 alongside PD? I had hoped to be able to use it in order to fail over to a secondary ISP, but it looks like it expects you to manually set the prefixes to be translated.

Sadly I have no way of knowing what my v6 prefix will be for that WAN, as it's assigned by DHCPv6-PD and it tends not to be sticky either.

2
Zenarmor (Sensei) / Should router on a stick work?
« on: December 21, 2021, 10:07:27 am »
i3-6100T USFF machine, 8 GB RAM, ~300 Mbit connection.

WAN is a VLAN on em0
LAN is native
Various other VLANs.

OPNsense 21.7.7

Having Zenarmor installed, even running in passive mode, seemed to cause some weirdness like connections hanging or being slow to establish.

Not sure if it's underpowered hardware or it gets upset at seeing the WAN VLANs as well.

Only way to split the WAN and LAN interfaces would be to add a USB3 NIC.

3
18.7 Legacy Series / Zerotier plugin needs an option to ignore managed routes
« on: February 01, 2019, 11:52:01 pm »
Otherwise, if you have a ZT network with 0.0.0.0/0 to make other devices route via OPNsense, it tries to add the route on OPNsense itself, which usually leads to the OPNsense appliance being somewhat unreachable.

4
18.7 Legacy Series / 18.7.10_3 Loses interface
« on: January 19, 2019, 01:35:47 am »
Upgraded a pair with one physical OPNsense and one virtual from 18.7.6, I think it was, to 18.7.10_3, and now one of my VLANs can't ping out via the physical unit.

It's bce0_vlan101, so a Broadcom NIC.

Oddly, when I put the physical machine into CARP maintenance mode and rebooted it, I was able to ping its IP address from one of the VMs on that VLAN; as soon as I took it out of maintenance mode and it took over the VIP, I lost the ability for the VM to ping both the firewall's real IP and the virtual IP.

At the moment I've left it in maintenance mode with the virtual secondary handling the traffic. One difference is the VM doesn't have VLANs, whereas the physical does; for the VM the VLAN tagging is done by the hypervisor, so opt1, opt2, etc. is just seen by OPNsense as an additional NIC.

5
19.1 Legacy Series / Feature Request: Tie FRR to CARP.
« on: December 15, 2018, 04:02:32 pm »
pfSense has a rather nice feature where you can tie FRR to the status of a CARP IP so it doesn't run unless the firewall is the master.

Allows you to do some nice things like only having the primary firewall participating in BGP, and avoids stuff occasionally being accidentally routed via the secondary.

Any chance of getting this in OPNsense?
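One way to get the behaviour described in the post today, as an added example that is not part of the original post or of the OPNsense FRR plugin: a small watcher that reads the CARP state for a chosen vhid from `ifconfig` output (FreeBSD prints one `carp: <STATE> vhid <N> ...` line per CARP address) and starts or stops FRR accordingly. The sample `ifconfig` output is constructed; the `service frr onestatus/onestart/onestop` commands assume FRR is managed by an rc.d script named `frr`, which is an assumption, not something the post confirms.

```python
import re
import subprocess
import sys

# Constructed sample of FreeBSD `ifconfig` output: vhid 1 is MASTER on vtnet0,
# vhid 2 is BACKUP on vtnet1. Addresses are documentation ranges.
SAMPLE_IFCONFIG = """\
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
\tinet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 2
\tcarp: BACKUP vhid 2 advbase 1 advskew 100
"""

# FreeBSD prints one "carp: <STATE> vhid <N> ..." line per CARP address.
CARP_RE = re.compile(r"^\s*carp:\s+(MASTER|BACKUP|INIT)\s+vhid\s+(\d+)", re.M)


def carp_states(ifconfig_text):
    """Return {vhid: state} for every CARP address in the ifconfig output."""
    return {int(vhid): state for state, vhid in CARP_RE.findall(ifconfig_text)}


def frr_should_run(ifconfig_text, vhid):
    """FRR may run only while this node is MASTER for the chosen vhid.
    An unknown vhid (typo, or CARP not configured) counts as 'not master',
    so a misconfiguration fails towards 'FRR stays down' on both units."""
    return carp_states(ifconfig_text).get(vhid) == "MASTER"


def frr_action(ifconfig_text, vhid, frr_running):
    """Decide what to do with FRR given CARP state and whether FRR is up now."""
    want = frr_should_run(ifconfig_text, vhid)
    if want and not frr_running:
        return "start"
    if not want and frr_running:
        return "stop"
    return "none"


def main(argv):
    if len(argv) != 2:
        print("usage: carp_frr.py <vhid>", file=sys.stderr)
        return 2
    vhid = int(argv[1])
    ifcfg = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
    # Assumption: FRR is managed by an rc.d script called "frr"; adjust for your box.
    running = subprocess.run(["service", "frr", "onestatus"], capture_output=True).returncode == 0
    action = frr_action(ifcfg, vhid, running)
    if action != "none":
        subprocess.run(["service", "frr", "one" + action], check=True)
    print("vhid %d: %s -> %s" % (vhid, carp_states(ifcfg).get(vhid, "absent"), action))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The decision is idempotent, so the script can run from cron every minute or from a devd CARP-transition hook. Pick the vhid on the interface your BGP neighbours actually reach; tying FRR to a VIP on a different segment would still let the backup unit advertise routes it cannot forward.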

6
18.7 Legacy Series / 18.7.1 default mirror
« on: September 24, 2018, 10:14:28 pm »
Both of my 18.7.1 firewalls were reporting "Could not find the repository on the selected mirror." until I changed the mirror from (default) to explicitly setting one.

7
18.1 Legacy Series / HAproxy Ipv6
« on: February 25, 2018, 02:25:38 pm »
What's the format to make HAProxy listen on port 80/443 on an IPv6 address?

It looks like the form only manages to accept either a host name or an IPv4 address :(

8
18.1 Legacy Series / em0 watchdog timeout (Unraid)
« on: February 02, 2018, 11:25:47 pm »
I have a virtual OPNsense running in Unraid 6.4 with the network type set to e1000 (for some weird reason that interface goes AWOL when set to virtio). Anyway, since upgrading to 18.1 it's stuck going "em0 watchdog timeout -- resetting".

It was working on 17.7

9
17.7 Legacy Series / Haproxy acl - Source IP matches IP or Alias
« on: November 04, 2017, 04:56:03 pm »
How do you get it to work with alias?

I've tried tabbing the field but that doesn't seem to work (Firefox), and if I don't put an actual IP then it seems HAProxy gets upset.

I wanted to use a negative match on a list of IPs (i.e. the rule says deny access to /wp-admin/ on the backend server, but if it's one of the IPs on the trusted list the rule shouldn't fire).
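What the post is asking for, written as raw haproxy.cfg rather than through the plugin's form, as an added example that is not from the original post or from the OPNsense HAProxy plugin: the trusted list lives in a file (HAProxy's own equivalent of an alias) and the deny rule fires only when the path matches and the source is not in that list. The file path, addresses, frontend and backend names are assumed for illustration.

```haproxy
# /usr/local/etc/haproxy/trusted.lst (assumed path): one IP or CIDR per line, e.g.
#   192.0.2.0/24
#   198.51.100.7

frontend wordpress_in
    bind 203.0.113.10:80
    bind 203.0.113.10:443 ssl crt /usr/local/etc/haproxy/site.pem
    # Source-address ACL loaded from a file; edit the file, then reload HAProxy
    acl trusted_src src -f /usr/local/etc/haproxy/trusted.lst
    # Inline alternative when the list is short:
    # acl trusted_src src 192.0.2.0/24 198.51.100.7
    acl wp_admin path_beg -i /wp-admin/
    # Fires only when the path matches AND the client is NOT on the trusted list
    http-request deny deny_status 403 if wp_admin !trusted_src
    default_backend wordpress_servers

backend wordpress_servers
    server wp1 10.0.0.11:80 check
```

`src` is the address of the TCP peer. If another proxy or CDN sits in front of HAProxy, that peer is the upstream proxy, not the client, and the allow-list would match everyone behind it; in that setup the client address has to come from the PROXY protocol or from a header you can trust, not from a plain `src` match.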

10
17.7 Legacy Series / redirect target port any does not work on TCP/UDP NAT rule
« on: October 30, 2017, 10:02:14 pm »
If you try to create a NAT rule that is destination port any, redirect target port any, you get the following error:

The following input errors were detected:

    A valid redirect target port must be specified. It must be a port alias or integer between 1 and 65535.

I would take "any" to be 1-65535 in the case of proto tcp and/or udp.

11
17.7 Legacy Series / WAF/IDS haproxy?
« on: October 30, 2017, 02:34:06 pm »
Given Suricata tends not to play nice with virtio NICs and tends to be CPU heavy, is there a way to use the HTTP/HTTPS threat rules with HAProxy instead?

Would be nice if possible, as it's already acting as the front-end load balancer/proxy and decoding any incoming HTTPS ;)

12
17.7 Legacy Series / HA Sync and mismatched interfaces
« on: October 21, 2017, 01:08:43 pm »
If you have an HA pair of firewalls but the interfaces don't match, the wrong rules will sync.

For instance, firewall1 terminates a GRE tunnel that isn't HA (and I can't be bothered to fix that as it's not critical), so the GRE interface is opt1 and the CARP interface is opt2.

Firewall2 doesn't have this interface, so the CARP interface is opt1, which means it gets the firewall policy for the GRE tunnel rather than the one for the CARP interface.

Would be good if there were some way to manually pair them, or parse the name/description rather than assuming both firewalls are identical.
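A pre-sync check for the mismatch the post describes, as an added example that is not part of the original post or of OPNsense: compare the interface slot assignments (`wan`, `lan`, `optN`) of two config.xml files by description and report slots that would receive rules meant for a different interface. The two config excerpts are constructed to mirror the post's scenario (GRE in opt1 on the physical unit, CARP sync in opt1 on the VM); the `<interfaces>/<optN>/<descr>` layout is the config.xml structure as I understand it, which is an assumption to verify against a real backup.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpts (only the <interfaces> subtree matters here).
# Firewall 1 (physical): opt1 is a GRE tunnel, opt2 is the CARP/pfsync link.
CONFIG_FW1 = """<opnsense><interfaces>
<wan><if>bce0</if><descr>WAN</descr></wan>
<lan><if>bce1</if><descr>LAN</descr></lan>
<opt1><if>gre0</if><descr>GRE</descr></opt1>
<opt2><if>bce2</if><descr>CARPSYNC</descr></opt2>
</interfaces></opnsense>"""

# Firewall 2 (the VM): no GRE, so its CARP/pfsync link landed in opt1.
CONFIG_FW2 = """<opnsense><interfaces>
<wan><if>vtnet0</if><descr>WAN</descr></wan>
<lan><if>vtnet1</if><descr>LAN</descr></lan>
<opt1><if>vtnet2</if><descr>CARPSYNC</descr></opt1>
</interfaces></opnsense>"""


def interface_slots(config_xml):
    """Map slot name (wan, lan, optN) -> description from a config.xml string.
    A slot without <descr> falls back to its own name, as the GUI does."""
    root = ET.fromstring(config_xml)
    slots = {}
    for iface in root.find("interfaces"):
        descr = iface.findtext("descr")
        slots[iface.tag] = descr if descr is not None else iface.tag
    return slots


def slot_mismatches(config_primary, config_secondary):
    """Slots whose description differs between the two units.
    Rules are keyed by slot name when synced, so every entry returned here is a
    slot on which the secondary would end up enforcing the primary's policy for
    a different interface (or a slot missing on one side)."""
    a = interface_slots(config_primary)
    b = interface_slots(config_secondary)
    out = []
    for slot in sorted(set(a) | set(b)):
        if a.get(slot) != b.get(slot):
            out.append({"slot": slot, "primary": a.get(slot), "secondary": b.get(slot)})
    return out


def sync_is_safe(config_primary, config_secondary):
    """True only when every slot carries the same description on both units."""
    return not slot_mismatches(config_primary, config_secondary)


if __name__ == "__main__":
    for m in slot_mismatches(CONFIG_FW1, CONFIG_FW2):
        print("%(slot)s: primary=%(primary)s secondary=%(secondary)s" % m)
    print("sync safe:", sync_is_safe(CONFIG_FW1, CONFIG_FW2))
```

Run it against a config backup from each unit before enabling rule sync; matching on the description rather than the slot name is exactly the pairing the post asks for, and a non-empty result is the signal to reorder the assignments on one unit first.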

13
17.7 Legacy Series / Secondary Firewall
« on: October 19, 2017, 10:41:36 pm »
Does it cause any issues if the primary firewall in an HA pair is physical and the secondary is a VM?

Nothing of much importance behind them, just doing NAT for my lab/playground/personal servers environment.

14
17.7 Legacy Series / [SOLVED] Ha Proxy Frontend IPv6?
« on: September 17, 2017, 06:48:18 pm »
Is it possible to make HAProxy bind to an IPv6 address?

It looks like HAProxy itself can support it, but the validation for the listen address in the frontend config doesn't understand IPv6 addresses. :o

Edit:

NVM, I'm being a prat and forgot to hit tab after typing the IP ;) :-[

15
17.7 Legacy Series / IPSEC and Carp?
« on: August 13, 2017, 03:07:40 pm »
Have 3 OPNsense firewalls connecting to a RouterOS device.

2 of them are a pair, the other is standalone (different network).

On the pair in HA/CARP the connection will drop and not re-establish (no phase 2) unless I bounce the primary of the pair.

Peer is 0.0.0.0 with an identifier set, due to the remote end being a dynamic IP.

This worked when it was just a single firewall, so I suspect the issue is around CARP/the VIP.

NAT rules are set so 500/4500 gets NATed to the VIP going out, and the VIP is set as the IP to use in the IPsec settings; tried changing the identifier on the OPNsense end from "Interface Address" to manually set and then put in the VIP address.

Tried flushing the SAs on the RouterOS side and restarting strongSwan on OPNsense, but it doesn't seem to help.

Aug 13 13:05:41 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:41 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:05:41 charon: 11[IKE] sending cert request for "C=GB, ST=here, L=ssd, O=ssd, E=here@here.local, CN=internal-ca"
Aug 13 13:05:41 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:41 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:41 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:41 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:30 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:30 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:30 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:30 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:25 charon: 11[JOB] deleting half open IKE_SA with 81.108.xxx.xxx after timeout
Aug 13 13:05:25 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:25 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:25 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:25 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:20 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:20 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:20 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:20 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:18 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:18 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:05:18 charon: 11[IKE] sending cert request for "C=GB, ST=here, L=ssd, O=ssd, E=here@here.local, CN=internal-ca"
Aug 13 13:05:18 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:18 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:18 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:18 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:10 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:10 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:10 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:10 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:05 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:05 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:05 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:05 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:03 charon: 13[JOB] deleting half open IKE_SA with 81.108.xxx.xxx after timeout
Aug 13 13:05:00 charon: 13[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:00 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:00 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:00 charon: 13[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:04:55 charon: 13[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:04:55 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:04:55 charon: 13[IKE] sending cert request for "C=GB, ST=here, L=ssd, O=ssd, E=here@here.local, CN=internal-ca"
Aug 13 13:04:55 charon: 13[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:04:55 charon: 13[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:04:45 charon: 13[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:04:45 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:04:45 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]

Edit:

Tried disabling NAT-T, no difference.
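A triage script for the charon log pattern shown above, as an added example that is not part of the original post or of strongSwan: it groups the responder-side IKE_SA_INIT handling into one episode per peer, counts how many responses this side sent against how many times the peer retransmitted the same request, records which local address the responses left from, and prints a verdict. In the post's log the peer retransmits request 0 repeatedly after a response has already been sent each time, until the half-open SA is deleted; that shape means the replies are not making it back to the peer (or are arriving from an address it does not expect), which is the CARP/VIP return-path question the post raises. The sample log lines are constructed to follow the post's sequence with documentation addresses in place of the redacted ones; the `expected_src` check is an added test that the responses actually leave from the VIP.

```python
import re
import sys
from datetime import datetime

# Constructed excerpt modelled on the post's log (newest-first, as pasted from the GUI).
SAMPLE_LOG = """\
Aug 13 13:05:25 charon: 11[JOB] deleting half open IKE_SA with 203.0.113.5 after timeout
Aug 13 13:05:10 charon: 11[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.5[4500] (721 bytes)
Aug 13 13:05:10 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:05 charon: 11[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.5[4500] (721 bytes)
Aug 13 13:05:05 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:00 charon: 13[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.5[4500] (721 bytes)
Aug 13 13:05:00 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:00 charon: 13[NET] received packet: from 203.0.113.5[4500] to 198.51.100.9[4500] (680 bytes)
Aug 13 13:04:55 charon: 13[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.5[4500] (721 bytes)
Aug 13 13:04:55 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:04:55 charon: 13[IKE] 203.0.113.5 is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[IKE] 203.0.113.5 is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:04:55 charon: 13[NET] received packet: from 203.0.113.5[4500] to 198.51.100.9[4500] (680 bytes)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thr>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$")
INIT_RE = re.compile(r"^(?P<peer>[\d.]+) is initiating an IKE_SA$")
SEND_RE = re.compile(r"^sending packet: from (?P<src>[\d.]+)\[\d+\] to (?P<dst>[\d.]+)\[\d+\]")
RETRANS_RE = re.compile(r"^received retransmit of request with ID \d+, retransmitting response$")
TIMEOUT_RE = re.compile(r"^deleting half open IKE_SA with (?P<peer>[\d.]+) after timeout$")


def parse(lines):
    """Keep only lines that look like charon log entries, split into fields."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]


def chronological(events):
    """Logs pasted from the GUI are newest-first; flip them when that is the case."""
    if len(events) > 1:
        first = datetime.strptime(events[0]["ts"], "%b %d %H:%M:%S")
        last = datetime.strptime(events[-1]["ts"], "%b %d %H:%M:%S")
        if first > last:
            events = list(reversed(events))
    return events


def verdict(ep, expected_src):
    if expected_src and ep["sent_from"] and ep["sent_from"] != {expected_src}:
        return "responses sent from %s, not the VIP %s" % (", ".join(sorted(ep["sent_from"])), expected_src)
    if ep["outcome"] == "half-open timeout" and ep["retransmits"] >= 2 and ep["responses_sent"] > ep["retransmits"]:
        return ("peer kept retransmitting IKE_SA_INIT after %d responses were sent: our replies are not reaching it "
                "(check the return path and NAT for UDP 500/4500 from the VIP)" % ep["responses_sent"])
    if ep["outcome"] == "half-open timeout":
        return "half-open IKE_SA timed out"
    return "in progress"


def ike_init_episodes(lines, expected_src=None):
    """One episode per peer: from 'is initiating' until the half-open SA is deleted."""
    episodes, open_by_peer = [], {}
    for ev in chronological(parse(lines)):
        msg = ev["msg"]
        m = INIT_RE.match(msg)
        if m:  # charon logs this line twice per request; open the episode once
            open_by_peer.setdefault(m.group("peer"), {"peer": m.group("peer"), "first_seen": ev["ts"],
                                                     "responses_sent": 0, "retransmits": 0,
                                                     "sent_from": set(), "outcome": "open"})
            continue
        m = SEND_RE.match(msg)
        if m and m.group("dst") in open_by_peer:
            open_by_peer[m.group("dst")]["responses_sent"] += 1
            open_by_peer[m.group("dst")]["sent_from"].add(m.group("src"))
            continue
        if RETRANS_RE.match(msg):  # this line names no peer; attribute it only when unambiguous
            if len(open_by_peer) == 1:
                next(iter(open_by_peer.values()))["retransmits"] += 1
            continue
        m = TIMEOUT_RE.match(msg)
        if m and m.group("peer") in open_by_peer:
            ep = open_by_peer.pop(m.group("peer"))
            ep["outcome"], ep["last_seen"] = "half-open timeout", ev["ts"]
            episodes.append(ep)
    episodes.extend(open_by_peer.values())
    for ep in episodes:
        ep["verdict"] = verdict(ep, expected_src)
    return episodes


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ep in ike_init_episodes(list(src), expected_src="198.51.100.9"):
        print("%(peer)s %(first_seen)s: sent=%(responses_sent)d retransmits=%(retransmits)d -> %(verdict)s" % ep)
```

Feed it the IPsec log with the VIP as `expected_src`: a "not the VIP" verdict means the outbound NAT for 500/4500 is not being applied to strongSwan's own traffic, while "our replies are not reaching it" with the VIP as source points at the return path, which is worth confirming with a packet capture on the WAN of both units while the peer retransmits.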
