Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Topics - ivoruetsche

Pages1
#1
Virtual private networks / NATing LAN2, but not IPSec tunnel with the same subnet range
March 25, 2026, 12:03:34 PM
Hi

I have the problem, that we have two subnet with destination 192.168.2.0/24, one is direct connected to OPNsense (26.01), the other via IPSec:

LAN1: 10.16.5.254/24
LAN2: 192.168.2.3/24
IPSec destination: 192.168.2.0/24

The hosts in the LAN2 subnets should see the hosts from LAN1 with the GW IP 192.168.2.3, reachable from 10.16.5.0 subnet with 192.168.22.0 and no communication back to 10.16.5.0, so only one-way.

The hosts on remote subnet via IPSec must be reachable from LAN1, but not from LAN2 with 192.168.2.0 addresses, also from the remote 192.168.2.0 subnet, the 10.16.5.0 hosts must be reachable.

I try 1:1 NAT, Outgoing NAT, Destination NAT and some combinations of then, Filter roles with and without gateways, no luck. At the most of the configurations, the traffic goes via IPSec, but not to LAN2 or was not NATed.

Any hints are welcome.

Thanks a lot
Ivo
#2
18.7 Legacy Series / Preshared Key no longer accepted?
August 29, 2018, 08:47:58 PM

Hi all

We just updated some OPNsense boxes from 18.1 -> 18.7 and got a problem with the nightly backup process.

The centralized server got all configurations from all boxes with a preshared key and a special backup user, who have no password access to the OPNsense etc.

After the update to 18.7 it doesn't work again, but I found these in the logs:

Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.

I check with the web gui the "Effective Privileges" from this user and I can't find the point "User - System: Shell account access" anymore.

On the 18.1 configuration, because the security, this user is not a member of the admin group, "/sbin/nologin" is the Login Shell and only the "Effective Privileges" "User - System: Shell account access" was set. With the preshared key we get the configuration with scp. It work's fine.

How can I setup it up with the 18.7 release?

gruss ivo
#3
Hardware and Performance / LTE on APU2?
March 07, 2018, 09:54:05 PM
Hi all

Is anyone out there with experiences with an LTE modem on the APU2 (or APU3) board?

A list with compatible modem can I find here:
http://pcengines.ch/howto.htm#3G

Is there a OPNsense supported modem as well?

Are there any restrictions? How is the modem configured (PIN, APN etc.)?

gruss ivo
#4
17.1 Legacy Series / NAT no longer work after Let's Encrypt update
July 02, 2017, 10:50:31 AM
Hi

Since today, our opnSense FW doesn't route the traffic to the inside servers. The only thing that happens last night was an update:

    7/2/17 00:03:21 11.2 95 KB (system): /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php made changes
    7/2/17 00:03:21 11.2 95 KB (system): /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php made changes
    7/2/17 00:03:21 11.2 95 KB (root): Updated Let's Encrypt SSL certificate: vpn2-zg.4synergy.com
    6/25/17 21:02:49 11.2 95 KB root@192.168.2.65: /firewall_rules.php made changes

I try to revert to the last config from 25.6., but without luck.

For example, we have an internal server with smtp and http from outside to inside (1.2.3.4 > 192.168.1.5), yesterday, the webmail respond on 1.2.3.4, today, the GUI from opnSense. No reaction from SMTP from outside. The same effect on all servers (about 8 oder 9 servers with different external and internal IP's)

On all external IP's from these servers all the ports from openSense respond (https, ssh etc.).

Any idea, it's a big problem at the moment...

gruss ivo
#5
General Discussion / NAT before IPSec question
September 21, 2016, 11:30:40 AM
Hi Forum Members

I try to setup a "NAT before IPSec" connection between two new OPNsense boxes (just install OPNsense, setup the basics, nothing else) in our test environment. I found some comments about, but not an exact statement about does it work or not in the latest version, or a documentation about.

Anyway, I spend some hours to bring it to run, but without luck, here is our test setup:

Site A.80 VLAN: 80 on the em1 interface ("SiteA.80")
Site A.80 IP: 198.18.7.2/25
Site A.80 Test host: 198.18.7.99
Site A outside IP: 2.3.4.5

Site B.110 VLAN: 110 on the em1 interface ("SiteB.110")
Site B.110 IP: 198.18.8.2/25
Site B.110 Test host: 198.18.8.11
Site B outside IP: 3.4.5.6

Site B.110 should be reachable with 198.18.48.0/25 and vise versa, so if I do a ping 198.18.48.11 on the host with the IP 198.18.7.99, the host 198.18.8.11 should be answered.

As I have no luck with the setup, I take other two new boxes and I install pfSense, with the same parameters on phase2 and FW rules on OPNsense and it works. What I doing wrong on the OPNsense site?


VPN/IPSec/Tunnel Settings/Phase1 and Phase 2 proposal is like described at https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

Site A:
VPN/IPSec/Tunnel Settings/Phase2:

  • General information/Mode: Tunnel IPv4
  • Local Network/Type: Network
  • Local Network/Address: 198.18.7.0/25
  • NAT/BINAT/NAT Type: Auto
  • NAT/BINAT/Type: Network
  • NAT/BINAT/Address: 198.18.48.0/25
  • Remote Network/Type: Network
  • Remote Network/Address: 198.18.48.0/25

Firewall/Rules:
  • Allow all traffic on the interface "SiteB.110" from source 198.18.8.0/25 to destination 198.18.48.0/25
  • Allow all traffic on the interface "IPSec" from source 198.18.48.0/25 to destination 198.18.7.0/25

Site B:
VPN/IPSec/Tunnel Settings/Phase2:
  • General information/Mode: Tunnel IPv4
  • Local Network/Type: Network
  • Local Network/Address: 198.18.8.0/25
  • NAT/BINAT/NAT Type: Auto
  • NAT/BINAT/Type: Network
  • NAT/BINAT/Address: 198.18.48.0/25
  • Remote Network/Type: Network
  • Remote Network/Address: 198.18.48.0/25

Firewall/Rules:
  • Allow all traffic on the interface "SiteB.110" from source 198.18.8.0/25 to destination 198.18.48.0/25
  • Allow all traffic on the interface "IPSec" from source 198.18.48.0/25 to destination 198.18.8.0/25


Would be nice, to get a hint :)

gruss ivo
#6
General Discussion / Site2Site VPN with multiple Subnets on both sides
September 17, 2016, 11:43:17 AM

Hi members

Because we are no longer happy with the license politic from Cisco, we want to exchange all the ASA's with an alternative solution. At the moment, we evaluate also OPNsense. It very different than ASA, but it's nice, the frontend is fast and intuitive :)

But at the moment i stuck on this problem:
An side A we have around 25 subnets and VLAN's, on the side B around 5. No all of the subnets have to go through the tunnel, but the most of them.

I go through the steps on https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html, but i don't have any chance to setup more than one LAN-IP on the local and destination side.

Maybe it works with a group of interfaces for the local side, but not so for the destination. If i have to setup all as a combination with each other, i have to setup a lot of them.

What is the correct way to put this all in one phase 2 rule? There is an option "Mode":"Transport", but i can't find any documentation about, maybe this is the solutions?

gruss ivo
Pages1