Topics

1

23.1 Production Series / NAT issue

« on: January 27, 2023, 11:54:01 pm »

I had posted this in the 22 forum earlier.  https://forum.opnsense.org/index.php?topic=31961.msg154477#msg154477

The issue with outbound NAT seems to still persist in the 23 version also.  The issue is that if there is a gateway group with dual WAN interfaces in it and for operational reason a specific outbound traffic is redirected to a gateway with a lower priority (other than the gateway group) sometimes the outbound traffic seems to land up on the wrong gateway.  Rebooting the appliance does not seem to solve the issue, but manually clearing the state table again puts the traffic onto the correct gateway. 

This used to work fine in all earlier versions so seems to be some kind of bug introduced recently.

Skip rules when gateway is down is checked to prevent gateway rewrite on failure.

2

22.7 Legacy Series / Something seems broken in NAT

« on: January 19, 2023, 06:21:17 am »

I was managing an OpnSense system which was running flawlessly over the past few years.  But in the last month I started noticing an issue which seems to have been introduced recently as the same configuration had been working find for more than 2 years.  In the setup there is a server in a DMZ interface which needs UDP port 36605 to be forwarded to it.  The server will also contact other servers in the internet on the same UDP port (36605).  This setup is behind a firewall with 2 WAN interfaces.
This particular traffic to port 36605 needs to go via the WAN2 interface (WAN1 is default).  There is rule in the interface which will direct traffic to WAN 2
The inbound NAT seems to work fine, but outbound traffic (even though there is no NAT on the WAN1 interface for the DMZ server network ) seems to end up in WAN1 instead of expected WAN2.  A rough illustration is attached.

Does someone have suggestions or is this a bug.

Thanks

3

22.7 Legacy Series / Feeling Stupid! Where do I do this [SOLVED]

« on: January 15, 2023, 07:33:46 am »

How do I disable the automatically generated VPN rules in Opnsense

I know I had done this earlier.  But right now I am unable to find where I can do it 

thanks

4

22.7 Legacy Series / Restore Backup on Non similar Hardware Issues

« on: October 17, 2022, 08:37:53 pm »

I was in the process of upgrading my Firewall from an old hardware with 4 network cards with another hardware with 6 network cards.  From what I have seen is that the backup when restored does not restore the interface configuration and it has to be manually added.  Even when the interfaces are manually added with the same name it was seen that the Firewall rules are now applied to a wrong interface.  It appears that the firewall rules are tagged to the internal WAN / LAN / Opt_x interface names rather than the physical names.  This makes the backup practically useless for a quick restore.  The rules seem to work only when the new interfaces are added sequentially to mimic the old internal interface names.  Is this a bug that can be fixed where the firewall rules can be tied to the given interface names rather than the internal names?

5

21.7 Legacy Series / Does DHCP relay have a bug??

« on: January 08, 2022, 08:01:53 am »

I have configured one of the interfaces in OPNSense as DHCP relay.  Even thought the IP address is leased successfully the ISC-DHCP-Server complains that the request is not coming from correct network.  I did a Packet capture and it seems that the same request is being sent by OPNsene with some packets having the relay info and some other without the relay server info.  Is this a bug .  I am attaching the wireshark captures which shows the issue

6

20.7 Legacy Series / GUI Crashed and cannot login anymore

« on: December 06, 2020, 11:06:15 pm »

I have this problem where the GUI seems to have crashed.  After successful login it says a problem was detected and does not go any further and only brings up the crash reporter.   The firewall seems to work though only the GUI seems to have crashed. 

Attaching the error report generated.  It seems it is complaining about something 
Parse error: syntax error, unexpected ''/ui/js/tokenize2.' (T_ENCAPSED_AND_WHITESPACE) in /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_layouts_default.volt.php on line 176

7

20.7 Legacy Series / Question on IPSec Interfaces

« on: November 16, 2020, 10:11:42 am »

When we configure a routed VPN there are two interfaces created IPSec 1000 and IPSec.  What are the differences between these interfaces?

Thanks

GG

8

20.7 Legacy Series / Gateway issue

« on: August 31, 2020, 10:12:27 pm »

Hi
Recently I have been noticing a strange behavior on Opnsense.  I have a configuration which has two internet links and the configuration is done to have the first link to have a higher priority than the secondary link.  The traffic will fail-over to the secondary link if there is an issue with the primary link.   But what i have noticed recently is that once OpnSense switches to the secondary link it never falls back to the primary link even though the primary link has been restored and shown online in the GUI.  What is more intriguing is that the route table lists the primary link as active and still all traffic takes the other link.  Any changes to the gateway configs or rebooting OpnSense then switches to the correct gateway.  This is a new behavior noted recently

9

19.7 Legacy Series / Multi WAN Timeouts

« on: November 08, 2019, 06:35:24 pm »

Is there a way to enable a timeout for a Multi-WAN setup.   The issue that I am trying to resolve is I have a site where the primary WAN link is not very stable during some times of the day.  Due to excessive packet losses Opnsense fails over to the secondary link, but then the packet losses disappear for a few cycles and the link switches back to the primary link.  What I need to configure is a time frame (say 15 minutes) where the packets are inspected if there is a fail-over to the secondary link and only if the circuit is OK during that time period should it switch back to the primary link

10

19.7 Legacy Series / [Solved] Is Azure S2S VPN Broken??

« on: August 19, 2019, 04:34:57 am »

I have been trying to setup a routed VPN to Azure with no success whatsoever.  I followed the steps given in https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html.  The tunnel is shown as UP from both Azure side and Opnsense side.  But not traffic is flowing in the tunnel.  I am not able to RDP into any servers in Azure. 

If I change the VPN type from Routed to Policy based VPN then there is no issue and everything works as expected. 

When I check the traffic in the tunnel interface it shows as zero. 

Has anyone been able to get Azure working in t he latest firmware?

11

19.1 Legacy Series / Reset WebGUI password

« on: March 09, 2019, 02:24:34 pm »

Hi
I know this should have been answered in the forums, but couldn't find anything with steps outlining the procedure for the new versions of OPNsense.  I need to reset the WebGUI password of a bunch of OPNsense boxes due to them getting locked out.   I am unable to use the live CD mode as the system does not have any active USB ports (that is a problem to be fixed later).  I am able to boot into the single user mode.  From there what is the process to change the password? 

12

19.1 Legacy Series / FQDN Based Firewall Rules

« on: February 01, 2019, 09:26:24 pm »

Hi

Is there a way to use FQDN as the destination for firewall rules?  With many services moving to the cloud and some online services like Azure Service Bus and AWS Application Loadbalancers does only guarantee namespace and not the IP Address in case of a failure of system restart.  This results in outbound firewall rules needing to be updated manually.   

If the feature is not available is there a roadmap for this?

GG

13

18.7 Legacy Series / Log Format

« on: December 28, 2018, 04:47:18 am »

Is there a documentation on standardized log format for OPNSense?  I am trying to setup and ELK stack for OPNSense and would like to create rules based on the Log Format

14

18.1 Legacy Series / Certificate based Authentication for GUI

« on: April 12, 2018, 06:19:49 am »

Are there any plans to implement Certificate based authentication for the GUI?  As OPNsense already has a USP for having 2FA natively in the system a Certificate based auth would be a worthwhile addition to the security framework and would be useful in a few unique security frameworks which I had come across where currently the solution is to deploy a VPN for GUI access from outside, but a VPN has its own drawbacks due to the unreliability of the transport. 

15

18.1 Legacy Series / Bug in DNS resolution?

« on: April 05, 2018, 03:07:28 am »

Based on the post https://forum.opnsense.org/index.php?topic=7773.0 I was trying to test the DNS resolution using unbound.  It seems there is a bug which does not take into account the setting "Do Not Use DNS Forwarder for the firewall" if there are any DNS servers configured under DNS servers.  I am attaching a couple of screenshots which shows the query being responded by the configured servers.  If all the servers are removed from the configuration then it behaves as expected