Topics

1

20.7 Production Series / Question on IPSec Interfaces

« on: November 16, 2020, 10:11:42 am »

When we configure a routed VPN there are two interfaces created IPSec 1000 and IPSec.  What are the differences between these interfaces?

Thanks

GG

2

20.7 Production Series / Gateway issue

« on: August 31, 2020, 10:12:27 pm »

Hi
Recently I have been noticing a strange behavior on Opnsense.  I have a configuration which has two internet links and the configuration is done to have the first link to have a higher priority than the secondary link.  The traffic will fail-over to the secondary link if there is an issue with the primary link.   But what i have noticed recently is that once OpnSense switches to the secondary link it never falls back to the primary link even though the primary link has been restored and shown online in the GUI.  What is more intriguing is that the route table lists the primary link as active and still all traffic takes the other link.  Any changes to the gateway configs or rebooting OpnSense then switches to the correct gateway.  This is a new behavior noted recently

3

19.7 Legacy Series / Multi WAN Timeouts

« on: November 08, 2019, 06:35:24 pm »

Is there a way to enable a timeout for a Multi-WAN setup.   The issue that I am trying to resolve is I have a site where the primary WAN link is not very stable during some times of the day.  Due to excessive packet losses Opnsense fails over to the secondary link, but then the packet losses disappear for a few cycles and the link switches back to the primary link.  What I need to configure is a time frame (say 15 minutes) where the packets are inspected if there is a fail-over to the secondary link and only if the circuit is OK during that time period should it switch back to the primary link

4

19.7 Legacy Series / [Solved] Is Azure S2S VPN Broken??

« on: August 19, 2019, 04:34:57 am »

I have been trying to setup a routed VPN to Azure with no success whatsoever.  I followed the steps given in https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html.  The tunnel is shown as UP from both Azure side and Opnsense side.  But not traffic is flowing in the tunnel.  I am not able to RDP into any servers in Azure. 

If I change the VPN type from Routed to Policy based VPN then there is no issue and everything works as expected. 

When I check the traffic in the tunnel interface it shows as zero. 

Has anyone been able to get Azure working in t he latest firmware?

5

19.1 Legacy Series / Reset WebGUI password

« on: March 09, 2019, 02:24:34 pm »

Hi
I know this should have been answered in the forums, but couldn't find anything with steps outlining the procedure for the new versions of OPNsense.  I need to reset the WebGUI password of a bunch of OPNsense boxes due to them getting locked out.   I am unable to use the live CD mode as the system does not have any active USB ports (that is a problem to be fixed later).  I am able to boot into the single user mode.  From there what is the process to change the password? 

6

19.1 Legacy Series / FQDN Based Firewall Rules

« on: February 01, 2019, 09:26:24 pm »

Hi

Is there a way to use FQDN as the destination for firewall rules?  With many services moving to the cloud and some online services like Azure Service Bus and AWS Application Loadbalancers does only guarantee namespace and not the IP Address in case of a failure of system restart.  This results in outbound firewall rules needing to be updated manually.   

If the feature is not available is there a roadmap for this?

GG

7

18.7 Legacy Series / Log Format

« on: December 28, 2018, 04:47:18 am »

Is there a documentation on standardized log format for OPNSense?  I am trying to setup and ELK stack for OPNSense and would like to create rules based on the Log Format

8

18.1 Legacy Series / Certificate based Authentication for GUI

« on: April 12, 2018, 06:19:49 am »

Are there any plans to implement Certificate based authentication for the GUI?  As OPNsense already has a USP for having 2FA natively in the system a Certificate based auth would be a worthwhile addition to the security framework and would be useful in a few unique security frameworks which I had come across where currently the solution is to deploy a VPN for GUI access from outside, but a VPN has its own drawbacks due to the unreliability of the transport. 

9

18.1 Legacy Series / Bug in DNS resolution?

« on: April 05, 2018, 03:07:28 am »

Based on the post https://forum.opnsense.org/index.php?topic=7773.0 I was trying to test the DNS resolution using unbound.  It seems there is a bug which does not take into account the setting "Do Not Use DNS Forwarder for the firewall" if there are any DNS servers configured under DNS servers.  I am attaching a couple of screenshots which shows the query being responded by the configured servers.  If all the servers are removed from the configuration then it behaves as expected

10

18.1 Legacy Series / Excessive initial Load times for GUI

« on: April 03, 2018, 06:18:39 am »

Hi

I have started noticing that the initial load time for the OPNsense login page has become excessive especially after the recent updates.  The page takes approx 43 seconds to load completely.  Once the initial load is complete then there seems to be no issue.  I have tried multiple browsers and the issue seems to exist in all.  Does anyone else also have noticed this.  I am attaching a screenshot of the page load time captured from Firefox with this. 

Thanks

11

18.1 Legacy Series / Firmware Update Fails

« on: March 15, 2018, 06:16:03 pm »

This is in continuation to the earlier post in 17.x version which is here (https://forum.opnsense.org/index.php?topic=6969.0).  The issue still persists in the 18.x version too

I have noticed this behavior forever.  Whenever the update tab is pressed it always fails with the message "Firmware status check was aborted internally. Please try again." But the page lists any new firmware available in the list below.  If I click update again it successfully updates.   I considered this a nuisance, but it would be good if this can be resolved.
Another suggestion that I have is regarding disabling the list of every single update from the day OPNsense was launched (15.1) Since all branches other than 18 is not supported or even revertible to having this in the update tab serves no purpose as the information is available on the OPNsense webpage anyway.  It would be much cleaner to have only the last few updates listed (maybe 4)

12

18.1 Legacy Series / Where is the IPSec Interface

« on: March 14, 2018, 07:16:06 pm »

I have been trying to configure IPsec VPN on a OPNSense box.  The earlier versions had an IPsec interface in the interface list where I can configure the firewall rules for the IPsec connection.  But this seems to be missing in the the 18 series.  Could someone help on where I can find it. 

13

18.1 Legacy Series / Please bring back logging

« on: March 12, 2018, 03:46:48 pm »

The logging changes in 18.1 is really frustrating.  Recently had to spend more than 2 days troubleshooting a block issue.  The earlier answer to my question on logging was answered by Franco as all the information is available in live view.  But that is simply not true.  My issue was as follows.  One of the clients was complaining of connection issues to a VMWare service which was used infrequently by some  critical users.  Whenever the team troubleshoots the issue using live view as the client was not connected there is no information on what was being blocked.  The overview tab also is not of any help as there is no display where it links the client IP address to what is being blocked, only a total count of what was blocked with no drill down.  In addition the information is limited to 5000 entries which is very small and gets filled up fairly quickly.  Finally had to manually download the plain view, export it to Excel and figure of what was happening.  With limited information on the type of log generated this was another long process. 

Do not understand why OPNsense had to tweak a working logging and introduce something with less features 

14

18.1 Legacy Series / Backward step in Logging

« on: February 22, 2018, 04:01:09 pm »

Does someone think that in 18.1 the logging has taken one step forward and two backwards??  In the earlier version the non live logging was in a readable format.  But with 18.1 what we have is a raw feed, and a overview screen which is good information, but does not have any drill down capability.  So I know that I have a bunch of requests being blocked by the firewall, but no way to find out what they are unless i analyze the arcane raw log.  Or am in missing something here   

 

15

17.7 Legacy Series / IPSec VPN ECC Support Missing

« on: November 20, 2017, 06:55:16 am »

Hi

  In the IPSec Configuration it seems that all the DH Groups for Ellliptic Curve is missing (Group 19,20,21) even though StrongSWAN supports all these three groups.  This along with Group 24 (Supported) are part of the Next Generation Encryption.  Has these been omitted for any specific reason and is there a road map for this?

Thanks