Topics - sidney_v

1
General Discussion / Traffic not passing through from distant subnet to WAN
« on: February 11, 2019, 11:28:06 am »
Hello,

On my OPNsense (18.1.9-amd64 and upgraded to 18.7), I tried to connect a subnet to my LAN but something went wrong: LAN resources are available but there is no internet connection. I need some outside help to point out any errors I might have missed.

My config:
Code:
  Remote PC              Router                    Router                 OPNsense
10.143.20.200/22---lan---10.143.20.254/22---mpls---192.168.0.2/30---lan---192.168.0.1/30    (MPLSFOLINKT ETH)
                                                                          10.143.7.254/22   (LAN ETH)
                                                                          77.158.229.106/30 (WANFOSFR ETH, member of a group)

What I've done:
  • System: Gateways: Single >> Add "GWMPLS" 192.168.0.2 (Default and Far Gateway unchecked, appears "online")
  • System: Routes: Configuration >> Network : 10.143.20.0/22 - Gateway : GWMPLS - 192.168.0.2
  • Interfaces: [MPLSFOLINKT] >> Create new interface,  Block private and bogon networks unchecked, IPv4 Upstream Gateway : None
  • Firewall: Aliases: View >> Create a network "ReseauxDistants" including 10.143.20.0/22 & 192.168.0.0/30
  • Firewall: Rules: MPLSFOLINKT >>
Code:
Proto   Source           Port  Destination      Port  Gateway  Schedule  Description
IPv4 *  ReseauxDistants  *     *                *     *                  Allow traffic from VPN MPLS sites distants
IPv4 *  *                *     ReseauxDistants  *     *                  Allow traffic to VPN MPLS sites distants
  • Firewall: Settings: Advanced >> Checked Static route filtering : Bypass firewall rules for traffic on the same interface

With this configuration:
Pinging and accessing the LAN and the internet from the 192.168.0.2 router is successful.
From the remote machine (10.143.20.200) I can ping and access LAN resources, but there is no ping or access to the internet.


Verification:
  • System: Routes: Status
Code:
Proto Destination Gateway Flags Use MTU Netif Netif (name)
ipv4 10.143.20.0/22 192.168.0.2 UGS 238 1500 em5 MPLSFOLINKT
  • Firewall: Log Files: Live View: everything seems to pass

I've triple checked my config and any help would be appreciated,

Thanks in advance :-)

2
17.1 Legacy Series / [SOLVED] Certificate Expiration Date Issue
« on: September 12, 2017, 06:42:02 pm »
Hello,

I have 9 OPNsense in production; 1 of them is an OpenVPN server and the 8 others are clients.
(It's a Peer to Peer SSL/TLS server mode.)

Today, all clients stopped working because of a server certificate expiration date issue :'(
Each client has a valid certificate generated by the server and the server itself has a certificate (<- this one is expired).

It's slowly getting serious because I don't know how to extend the certificate expiration date (best way) or how to generate another one properly for this kind of configuration.

Any help will be appreciated

EDIT: Marked as solved

3
17.1 Legacy Series / Latency between OPNsense and its gateway
« on: July 27, 2017, 11:34:59 am »
Hello,

I have 9 OPNsense in production and one of them has an issue with its gateway.

This firewall was working well behind another Zyxel firewall (not conventional), so I connected it directly to the router with a public IP (I removed the Zyxel and plugged its cable into the OPNsense).

When downloading a large file, there is latency / RTT of 600ms.

Some tests have been done:
- Update the latest packets for 17.1.9
- Change Speed and duplex from Default to other option matching with router parameters
- Same download directly from console: same problem of latency (so LAN interface is not guilty)
- Same download from another OPNsense: latency is only 100ms

So I think the problem is between the router and the firewall, which have both been rebooted.

I noticed that in the "Interface > [LAN] or [WAN] > Overview" menu there are collisions and interrupts for both cards.

LAN
Code:
Collisions 2880
Interrupts
irq device         total rate
irq256 igb0:que 0 8
irq257 igb0:que 1 5
irq258 igb0:que 2 4
irq259 igb0:que 3 5
irq260 igb0:link 4 0

WAN
Code:
Collisions 2313
Interrupts
irq device        total rate
irq261 igb1:que 0 13
irq262 igb1:que 1 6
irq263 igb1:que 2 3
irq264 igb1:que 3 4
irq265 igb1:link 4 0

And another command:
Code:
root@opnsense:~ # netstat -i
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
igb0   1500 <Link#1>      00:0d:b9:42:53:dc  1086340     0     0  1399872     0  2878
igb0      - fe80::%igb0/6 fe80::20d:b9ff:fe        0     -     -        2     -     -
igb0      - 10.143.32.0/2 opnsense              3142     -     -    24090     -     -
igb0      - 10.143.35.254 10.143.35.254            0     -     -        0     -     -
igb1   1500 <Link#2>      00:0d:b9:42:53:dd  1935039     0     0  1555826     0  2313
igb1      - fe80::%igb1/6 fe80::20d:b9ff:fe        0     -     -        0     -     -
igb1      - 95.170.8.128/ 130-8-170-95.reve   209464     -     -     8998     -     -
igb2*  1500 <Link#3>      00:0d:b9:42:53:de        0     0     0        0     0     0
enc0*  1536 <Link#4>      enc0                     0     0     0        0     0     0
lo0   16384 <Link#5>      lo0                  39739     0     0    39739     0     0
lo0       - localhost     localhost            31401     -     -    31401     -     -
lo0       - fe80::%lo0/64 fe80::1%lo0              0     -     -        0     -     -
lo0       - your-net      localhost           219127     -     -     8338     -     -
pflog 33160 <Link#6>      pflog0                   0     0     0   308625     0     0
pfsyn  1500 <Link#7>      pfsync0                  0     0     0        0     0     0
ovpnc  1500 <Link#8>      00:bd:c2:29:f7:02   318539     0     0   309332     0     0
ovpnc     - fe80::%ovpnc2 fe80::2bd:c2ff:fe        0     -     -        1     -     -
ovpnc     - 10.143.252.0/ 10.143.252.32         4672     -     -     4523     -     -

Do you have any ideas or suggestions?

Thanks in advance  :)
