Topics

1

18.1 Legacy Series / [FEATURE REQUEST] IPSEC Fail-over

« on: January 13, 2018, 04:46:43 pm »

Would it be possible to include a Secondary Gateway option for IPsec VPN failover?

You wouldn't need to re-configure any firewall policies, static routes or encryption. Just have a Primary IPSec Gateway and Secondary IPsec Gateway option as a backup in the IPsec tunnel connection properties. Sonicwall UTM's seem to have this feature and it looks pretty slick.

2

17.1 Legacy Series / [SOLVED] Multiple Management Interfaces

« on: May 01, 2017, 08:29:32 pm »

Hi,

I have a setup where there are two isolated networks. VLANID:1 (192.168.1.x)  & VLANID:2 (192.168.100.x)  I would like the management interface for OPNSense to be available remotely on both internal management interfaces. For instance:
If VLANID:1 Ethernet Port 1 is 192.168.1.1 Then from a public computer I would like to be able to navigate to http://my_public_ip:4443 to access the OPNSense web interface.
If VLANID:2 Ethernet Port 2 is 192.168.100.1 Then from a public computer I would like to be able to navigate to
https://my_public_ip

The reason for this, is regardless of what interface is connected there will always be an accessible remote management interface. I do not plan on using both interfaces at the same time but i'd like the option available depending on what interface is plugged in to be automatically setup and functional for remote configuration.

Presently, I can remote administer the OPNsense router by going to https://my_public_ip

However, when I create a NAT rule on the WAN port for 4443 to map to 192.168.1.1:443 it fails to connect me to the OPNSense Web Interface,  the connection times out.

I can access both https://192.168.1.1 & https://192.168.100.1 from each internal network to manage the router.

Nevermind, I accidentally typo'd the remote WAN hostname compliments of autofill.

3

17.1 Legacy Series / Concerns & VLANS

« on: April 22, 2017, 08:06:19 pm »

To whom it may concern,

When I change the WAN adapter settings Enable/Disable
-  Block private networks   
- Block bogon networks
Save the settings the router doesn't recover and prevents traffic from routing out the gateway. The only way to restore routing functionality is to reboot the router.
There are also a few other areas pertaining to NAT that prevent the Router from routing after applying settings and the router only resumes after a reboot. Disabling the WAN interface and re-enabling the interface doesn't correct the problem.

4

17.1 Legacy Series / Cannot Create Floating Rules

« on: April 22, 2017, 12:14:27 am »

My "deny" floating rules do not appear to be applying to outbound LAN traffic destined to the WAN interface.

5

17.1 Legacy Series / [RESOLVED] Problem with DHCP Server

« on: April 21, 2017, 10:32:46 pm »

I'm not sure what I might be doing wrong.
I have enabled the DHCP server and it works.
However, if I select Deny Unknown Clients checkbox and input my network card MAC address under MAC Address control ->Enter a list of partial MAC addresses to allow it. Then save my changes the DHCP server refuses to issue an IP to my computer. Any suggestions?

Here is the version information I am running:
OPNsense 17.1.4-i386
FreeBSD 11.0-RELEASE-p8
OpenSSL 1.0.2k 26 Jan 2017

Thanks in advance,
Paul

6

17.1 Legacy Series / Block Internal IP Range from Accessing Internet

« on: April 21, 2017, 10:12:27 pm »

Hi,

Is it possible to take a range of IP's on a class C subnet such as 192.168.1.229-192.168.1.254 and allow only allow that range to access the WAN port?

While having a second rule that deny's access to those devices in the IP range of 192.168.1.2-192.168.1.228 from not being able to access the internet?

For instance, only allow the router and the assigned DHCP pool access to the internet, while all other devices that might be statically assigned are refused internet connection.

I've attempted to create these firewall rules by specifying the IP ranges in either the Host(s) or Network(s) alias type and I've placed those Alias's within a the appropriate Firewall Rule policy under LAN to enable and disable each range of specified IP's listed in the Firewall Alias.

I've also moved the Deny Policy above all allow policies and it still doesn't seem to stop the traffic. I'm baffled.

7

17.1 Legacy Series / VMTOOLS Package Addon - [Solved]

« on: March 06, 2017, 08:57:56 pm »

Hi there,

I was wondering if it would be possible to install VMWare Tools into OPNSense to ensure a graceful shutdown of an ESXI server? Or if there is a package that can be added to enable this feature down the road?

Kind Regards,
Paul

8

17.1 Legacy Series / [SOLVED] Firewall Block Policy

« on: February 21, 2017, 08:29:59 pm »

I am trying to create an outbound Firewall Block policy from the LAN interface to the WAN. I would like to prevent attempts from the LAN to access public SMB servers. My firewall policy is as follows:

Proto: IPv4 * Source: 192.168.1.0/24 Port: * Destination: WAN Address Port: File & Printer Sharing Port Group Gateway: *

This policy doesn't work even when i change the destination: WAN Address to Wan Net. However, if I make the Destination: "Any" it works but then it blocks access to my remote IPSec Networks as well. Any help would be much appreciated. I still want the LAN users to be able to access File Sharing services on different IPSec subnets.

Regards,

9

16.7 Legacy Series / [SOLVED] IPSec Firewall Policy Security

« on: February 02, 2017, 04:45:53 pm »

Hi there,

On a previous hardware firewall I was able to control the type of service groups (ports) that pass through my IPsec tunnels. I noticed with OPNsense that am unable to customize the firewall service groups (ports) allowed through the IPsec VPN tunnels. I am aware that I can use custom subnetting to allow access to a certain block of computers through the VPN but I would also like to define the service ports via a firewall group to apply to certain IPsec traffic. Does anyone know if this feature will be available at some point?

10

16.7 Legacy Series / [SOLVED] OPEN VPN SSL - Problems accessing Internal Subnet from VPN Subnet

« on: January 31, 2017, 03:32:15 am »

Hi,
I'm new to the forums and to OPNSense. I just recently deployed this great appliance last week and followed the tutorial: ( https://docs.opnsense.org/manual/how-tos/sslvpn_client.html ) to setup a Road Warrior SSL VPN for remote roaming users.  The version of OPNsense I am running is:
OPNsense 16.7-i386
FreeBSD 10.3-RELEASE-p5
OpenSSL 1.0.2h 3 May 2016

I managed to get a remote client PC to connect to the SSL VPN using the Google Authenticator + Password but it doesn't provide access to the local subnet of the OPNsense network (192.168.25.X). My remote client PC virtual adapter gets assigned an internal IP address of:192.168.1.6 and a gateway: 192.168.1.5. The assigned 192.168.1.6 address is pingable on the client however the gateway address (192.168.1.5) is not. After connecting the tunnel successfully I checked my routing table on the remote client PC. The static routes appear correct, however I am not able to ping the gateway or the internal 192.168.25.x network of the OPNSense. I have created the necessary firewall rule mentioned in the tutorial above as shown in my attached screenshot. I am unsure of what needs to be done at this point and I have my suspicion I may need to include some type of local interface on the OPNSense for 192.168.1.X before the client will correctly identify the internal VPN traffic. Any help is much appreciated, please see my attached log file indicating the status of my VPN connection and the screenshot of my LAN firewall rule for 192.168.1.X Network. The type of VPN  I had created was set to a TUN device mode as per the tutorial documentation.

Regards,
Paul