Topics - bigops

#1
24.1, 24.4 Legacy Series / Dual WAN DPinger Error
April 13, 2024, 11:35:14 PM
I recently started noticing that one of the WAN circuits in my dual WAN setup regularly goes down with a dpinger error. I have started noticing this after upgrading to OPNsense 24.1 and enabling IPv6 on the interface that is failing. Looking at the logs for Gateways I see these constantly:

2024-04-13T13:26:48-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:47-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:46-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:45-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:44-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:43-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22   
2024-04-13T13:26:42-05:00   Notice   dpinger   Reloaded gateway watcher configuration on SIGHUP   
2024-04-13T13:26:42-05:00   Notice   dpinger   Reloaded gateway watcher configuration on SIGHUP

This error comes immediately after the gateway watcher is reloaded. Not sure why a SIGHUP is being generated when there is no change in the firewall or reboots. This happens only on one of the gateways (the primary).
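As an added illustration (not part of the original post, and not OPNsense code): the gateway log lines quoted above can be checked mechanically for the pattern described, a burst of sendto failures that begins right after a "Reloaded gateway watcher configuration on SIGHUP" notice. errno 22 is EINVAL on FreeBSD, which Python's errno module decodes. The 10-second correlation window and the three-error threshold are assumptions chosen for the example; the log text itself is copied from the post.

```python
"""Correlate dpinger 'sendto error' bursts with gateway-watcher reloads.

Added example; not part of the original post or of OPNsense. The log
lines below are copied from the post. The correlation window and the
burst threshold are assumptions.
"""
import errno
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the post (newest first, as the GUI shows them).
GATEWAY_LOG = """\
2024-04-13T13:26:48-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22
2024-04-13T13:26:47-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22
2024-04-13T13:26:46-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22
2024-04-13T13:26:45-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22
2024-04-13T13:26:44-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22
2024-04-13T13:26:43-05:00   Warning   dpinger   WAN_DHCP 142.254.155.185: sendto error: 22
2024-04-13T13:26:42-05:00   Notice   dpinger   Reloaded gateway watcher configuration on SIGHUP
2024-04-13T13:26:42-05:00   Notice   dpinger   Reloaded gateway watcher configuration on SIGHUP
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+dpinger\s+(?P<msg>.*)$")
ERR_RE = re.compile(r"^(?P<gw>\S+)\s+(?P<target>\S+):\s+sendto error:\s+(?P<errno>\d+)$")
RELOAD_MSG = "Reloaded gateway watcher configuration on SIGHUP"


def parse(log_text):
    """Return (timestamp, level, message) tuples in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["level"], m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def errno_name(code):
    """Symbolic name for the numeric errno dpinger prints (22 -> EINVAL)."""
    return errno.errorcode.get(code, f"errno {code}")


def find_reload_bursts(log_text, window=timedelta(seconds=10), min_errors=3):
    """One finding per gateway whose sendto errors cluster inside `window` after a SIGHUP reload."""
    events = parse(log_text)
    reloads = [ts for ts, _, msg in events if msg == RELOAD_MSG]
    per_gw = defaultdict(list)  # gateway name -> [(timestamp, errno)]
    for ts, _, msg in events:
        m = ERR_RE.match(msg)
        if m:
            per_gw[m["gw"]].append((ts, int(m["errno"])))

    findings = []
    for gw, errs in per_gw.items():
        after_reload = [
            (ts, code) for ts, code in errs
            if any(timedelta(0) <= ts - r <= window for r in reloads)
        ]
        if len(after_reload) >= min_errors:
            codes = sorted({code for _, code in after_reload})
            findings.append({
                "gateway": gw,
                "errors_after_reload": len(after_reload),
                "errno": [f"{c} ({errno_name(c)})" for c in codes],
                "first": after_reload[0][0].isoformat(),
                "last": after_reload[-1][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reload_bursts(GATEWAY_LOG):
        print(finding)
```

Run against the quoted lines it reports a single finding for WAN_DHCP: six errors, all errno 22 (EINVAL), within ten seconds of the reload. Feeding it a longer export of the Gateways log shows whether every burst is preceded by a reload, which is the question the post raises.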

#2
24.1, 24.4 Legacy Series / Searching and filtering rule
February 22, 2024, 05:44:23 PM
Is there any way to search or filter rules in OPNsense? For example, if I want to search for a rule which contains an IP address and destination port. I have been trying to do this but have not been able to find any easy way.

Thanks
#3
23.1 Legacy Series / NAT issue
January 27, 2023, 11:54:01 PM
I had posted this in the 22 forum earlier: https://forum.opnsense.org/index.php?topic=31961.msg154477#msg154477

The issue with outbound NAT seems to still persist in the 23 version also. The issue is that if there is a gateway group with dual WAN interfaces in it and, for operational reasons, a specific outbound traffic is redirected to a gateway with a lower priority (other than the gateway group), sometimes the outbound traffic seems to land up on the wrong gateway. Rebooting the appliance does not seem to solve the issue, but manually clearing the state table again puts the traffic onto the correct gateway.

This used to work fine in all earlier versions, so it seems to be some kind of bug introduced recently.

"Skip rules when gateway is down" is checked to prevent gateway rewrite on failure.

#4
22.7 Legacy Series / Something seems broken in NAT
January 19, 2023, 06:21:17 AM
I was managing an OPNsense system which was running flawlessly over the past few years. But in the last month I started noticing an issue which seems to have been introduced recently, as the same configuration had been working fine for more than 2 years. In the setup there is a server in a DMZ interface which needs UDP port 36605 to be forwarded to it. The server will also contact other servers on the internet on the same UDP port (36605). This setup is behind a firewall with 2 WAN interfaces.
This particular traffic to port 36605 needs to go via the WAN2 interface (WAN1 is default). There is a rule on the interface which will direct traffic to WAN2.
The inbound NAT seems to work fine, but outbound traffic (even though there is no NAT on the WAN1 interface for the DMZ server network) seems to end up on WAN1 instead of the expected WAN2. A rough illustration is attached.

Does someone have suggestions, or is this a bug?

Thanks
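Both this post and the newer follow-up above (#3) describe the same symptom: states for the UDP 36605 traffic sit on the default WAN until the state table is cleared. An added example (not from the original posts and not OPNsense code) of how to check for that before flushing everything: parse the `pfctl -ss` state listing, pick out the outbound states whose pre-NAT source is the DMZ server on the forwarded port, and flag the ones bound to an interface other than the WAN the policy rule expects. The sample lines are constructed in the shape of `pfctl -ss` output (interface, protocol, source with the pre-NAT address in parentheses, arrow, destination, state) and the addresses, interface names and expected-interface mapping are assumptions; only the port comes from the posts.

```python
"""Find pf states for a forwarded UDP port that landed on the wrong WAN.

Added example; not code from the original posts or from OPNsense. The
state lines are constructed to look like `pfctl -ss` output; addresses,
interface names and the expected interface are assumptions. Only the
UDP port (36605) is taken from the posts.
"""
import re

# Constructed sample in the shape of `pfctl -ss`; not captured from a real box.
# em0 plays WAN1 (default), em1 plays WAN2, 10.10.10.5 is the DMZ server.
SAMPLE_STATES = """\
em1 udp 203.0.113.7:36605 (10.10.10.5:36605) -> 198.51.100.20:36605       MULTIPLE:MULTIPLE
em0 udp 192.0.2.7:36605 (10.10.10.5:36605) -> 198.51.100.21:36605       MULTIPLE:MULTIPLE
em0 udp 10.10.10.5:36605 (203.0.113.7:36605) <- 198.51.100.30:36605       MULTIPLE:MULTIPLE
em0 tcp 192.0.2.7:51822 (10.10.10.9:51822) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

# interface, proto, left host[:port], optional (pre-NAT host:port), direction, right host, state
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir>->|<-)\s+(?P<right>\S+)\s+"
    r"(?P<state>\S+)$"
)


def parse_states(text):
    """Parse each state line into a dict; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def split_hostport(hp):
    """'10.10.10.5:36605' -> ('10.10.10.5', 36605); rpartition keeps IPv6 hosts intact."""
    host, _, port = hp.rpartition(":")
    return host, int(port)


def misrouted_states(text, internal_host, port, expected_if, proto="udp"):
    """Outbound states from internal_host:port that are bound to an interface other than expected_if."""
    bad = []
    for st in parse_states(text):
        if st["proto"] != proto or st["dir"] != "->":
            continue  # only outbound states matter for the policy-routing question
        inner = st["orig"] or st["left"]  # pre-NAT source when outbound NAT applied
        host, sport = split_hostport(inner)
        if host == internal_host and sport == port and st["ifname"] != expected_if:
            bad.append(st)
    return bad


def kill_commands(states):
    """Targeted alternative to flushing the whole table: `pfctl -k src -k dst`
    kills the states from the first host to the second (standard pfctl syntax)."""
    cmds = []
    for st in states:
        src_host, _ = split_hostport(st["orig"] or st["left"])
        dst_host, _ = split_hostport(st["right"])
        cmds.append(f"pfctl -k {src_host} -k {dst_host}")
    return cmds


if __name__ == "__main__":
    wrong = misrouted_states(SAMPLE_STATES, "10.10.10.5", 36605, expected_if="em1")
    for st in wrong:
        print(f"{st['ifname']}: {st['orig'] or st['left']} -> {st['right']}")
    for cmd in kill_commands(wrong):
        print(cmd)
```

On a live box the input would be the output of `pfctl -ss` (the field layout above is what the example assumes; check it against your own listing first). The generated `pfctl -k` lines remove only the offending states, so the next packet from the server builds a fresh state through the policy rule without disturbing unrelated connections.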
#5
How do I disable the automatically generated VPN rules in OPNsense?

I know I had done this earlier, but right now I am unable to find where I can do it.

thanks
#6
I was in the process of upgrading my firewall from old hardware with 4 network cards to other hardware with 6 network cards. From what I have seen, the backup, when restored, does not restore the interface configuration and it has to be manually added. Even when the interfaces are manually added with the same name, it was seen that the firewall rules are now applied to a wrong interface. It appears that the firewall rules are tagged to the internal WAN / LAN / Opt_x interface names rather than the physical names. This makes the backup practically useless for a quick restore. The rules seem to work only when the new interfaces are added sequentially to mimic the old internal interface names. Is this a bug that can be fixed, so that the firewall rules can be tied to the given interface names rather than the internal names?
#7
21.7 Legacy Series / Does DHCP relay have a bug??
January 08, 2022, 08:01:53 AM
I have configured one of the interfaces in OPNsense as a DHCP relay. Even though the IP address is leased successfully, the ISC DHCP server complains that the request is not coming from the correct network. I did a packet capture and it seems that the same request is being sent by OPNsense with some packets having the relay info and some others without the relay server info. Is this a bug? I am attaching the Wireshark captures which show the issue.
#8
20.7 Legacy Series / GUI Crashed and cannot login anymore
December 06, 2020, 11:06:15 PM
I have this problem where the GUI seems to have crashed. After a successful login it says a problem was detected and does not go any further, and only brings up the crash reporter. The firewall seems to work, though; only the GUI seems to have crashed.

Attaching the error report generated. It seems it is complaining about something:
Parse error: syntax error, unexpected ''/ui/js/tokenize2.' (T_ENCAPSED_AND_WHITESPACE) in /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_layouts_default.volt.php on line 176
#9
20.7 Legacy Series / Question on IPSec Interfaces
November 16, 2020, 10:11:42 AM
When we configure a routed VPN there are two interfaces created IPSec 1000 and IPSec.  What are the differences between these interfaces?

Thanks

GG
#10
20.7 Legacy Series / Gateway issue
August 31, 2020, 10:12:27 PM
Hi
Recently I have been noticing a strange behavior on OPNsense. I have a configuration which has two internet links, and it is configured so that the first link has a higher priority than the secondary link. The traffic will fail over to the secondary link if there is an issue with the primary link. But what I have noticed recently is that once OPNsense switches to the secondary link it never falls back to the primary link, even though the primary link has been restored and is shown online in the GUI. What is more intriguing is that the route table lists the primary link as active and still all traffic takes the other link. Any change to the gateway configs or rebooting OPNsense then switches to the correct gateway. This is a new behavior noted recently.
#11
19.7 Legacy Series / Multi WAN Timeouts
November 08, 2019, 06:35:24 PM
Is there a way to enable a timeout for a Multi-WAN setup? The issue that I am trying to resolve is that I have a site where the primary WAN link is not very stable during some times of the day. Due to excessive packet losses OPNsense fails over to the secondary link, but then the packet losses disappear for a few cycles and the link switches back to the primary link. What I need to configure is a time frame (say 15 minutes) during which, after a fail-over to the secondary link, the packets are inspected, and only if the circuit is OK during that time period should it switch back to the primary link.
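The behaviour asked for here is a hold-down (hysteresis) timer on fail-back. As an added example, not from the original post and not OPNsense's own gateway-monitor code, the small state machine below models it: fail over as soon as the primary exceeds its loss threshold, but fail back only after the primary has stayed clean for a full hold-down period, with any bad cycle restarting the count. The probe series, the 20 % loss threshold and the 15-cycle hold-down are constructed assumptions; on a real box the cycles would be dpinger's probe intervals.

```python
"""Fail-over with a fail-back hold-down timer.

Added example; not part of the original post and not OPNsense code. Loss
figures, the loss threshold and the hold-down length are assumptions
chosen for illustration.
"""


class FailoverMonitor:
    def __init__(self, primary, secondary, loss_threshold=20.0, hold_down=15):
        self.primary = primary                # preferred gateway name
        self.secondary = secondary            # backup gateway name
        self.loss_threshold = loss_threshold  # percent loss at which a link counts as down
        self.hold_down = hold_down            # clean probe cycles required before fail-back
        self.active = primary
        self.clean_streak = 0                 # consecutive clean primary probes while on backup

    def observe(self, primary_loss, secondary_loss):
        """Feed one probe cycle (percent loss per link); return the gateway to use."""
        primary_up = primary_loss < self.loss_threshold
        secondary_up = secondary_loss < self.loss_threshold

        if self.active == self.primary:
            if not primary_up and secondary_up:
                self.active = self.secondary  # immediate fail-over, no hold-down
                self.clean_streak = 0
            return self.active

        # Currently on the backup: a single bad cycle restarts the hold-down.
        self.clean_streak = self.clean_streak + 1 if primary_up else 0
        hold_down_met = self.clean_streak >= self.hold_down
        if primary_up and (hold_down_met or not secondary_up):
            self.active = self.primary        # fail back (or the backup itself died)
            self.clean_streak = 0
        return self.active


def simulate(samples, hold_down=15, loss_threshold=20.0):
    """Run (primary_loss, secondary_loss) samples; return the active gateway per cycle."""
    mon = FailoverMonitor("WAN1", "WAN2", loss_threshold, hold_down)
    return [mon.observe(p, s) for p, s in samples]


# Constructed probe series, one entry per cycle: a flapping primary that is
# clean for a few cycles, drops packets again, then finally stays clean.
FLAPPING_PRIMARY = (
    [(0, 0)] * 3 + [(50, 0)] * 2 + [(0, 0)] * 4 + [(50, 0)] + [(0, 0)] * 20
)

if __name__ == "__main__":
    for label, hd in (("no hold-down", 1), ("15-cycle hold-down", 15)):
        path = simulate(FLAPPING_PRIMARY, hold_down=hd)
        switches = sum(1 for a, b in zip(path, path[1:]) if a != b)
        print(f"{label}: {path.count('WAN2')} cycles on WAN2, {switches} switches")
```

With the same flapping input, immediate fail-back (hold-down of one cycle) bounces four times between the links, while the 15-cycle hold-down fails over once and returns once, only after the primary has been clean for the whole window. A 15-minute window at a one-second probe interval would simply be `hold_down=900`.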
#12
I have been trying to set up a routed VPN to Azure with no success whatsoever. I followed the steps given in https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html. The tunnel is shown as UP from both the Azure side and the OPNsense side. But no traffic is flowing in the tunnel. I am not able to RDP into any servers in Azure.

If I change the VPN type from routed to policy-based VPN then there is no issue and everything works as expected.

When I check the traffic on the tunnel interface it shows as zero.

Has anyone been able to get Azure working in the latest firmware?
#13
19.1 Legacy Series / Reset WebGUI password
March 09, 2019, 02:24:34 PM
Hi
I know this should have been answered in the forums, but I couldn't find anything with steps outlining the procedure for the new versions of OPNsense. I need to reset the WebGUI password of a bunch of OPNsense boxes due to them getting locked out. I am unable to use the live CD mode as the system does not have any active USB ports (that is a problem to be fixed later). I am able to boot into single user mode. From there, what is the process to change the password?
#14
19.1 Legacy Series / FQDN Based Firewall Rules
February 01, 2019, 09:26:24 PM
Hi

Is there a way to use an FQDN as the destination for firewall rules? With many services moving to the cloud, some online services like Azure Service Bus and AWS Application Load Balancers only guarantee the namespace and not the IP address in case of a failure or system restart. This results in outbound firewall rules needing to be updated manually.

If the feature is not available is there a roadmap for this?

GG
#15
18.7 Legacy Series / Log Format
December 28, 2018, 04:47:18 AM
Is there documentation on a standardized log format for OPNsense? I am trying to set up an ELK stack for OPNsense and would like to create rules based on the log format.
#16
Are there any plans to implement certificate-based authentication for the GUI? As OPNsense already has a USP in having 2FA natively in the system, certificate-based auth would be a worthwhile addition to the security framework and would be useful in a few unique security frameworks which I had come across, where currently the solution is to deploy a VPN for GUI access from outside, but a VPN has its own drawbacks due to the unreliability of the transport.
#17
18.1 Legacy Series / Bug in DNS resolution?
April 05, 2018, 03:07:28 AM
Based on the post https://forum.opnsense.org/index.php?topic=7773.0 I was trying to test the DNS resolution using Unbound. It seems there is a bug which does not take into account the setting "Do Not Use DNS Forwarder for the firewall" if there are any DNS servers configured under DNS servers. I am attaching a couple of screenshots which show the query being responded to by the configured servers. If all the servers are removed from the configuration then it behaves as expected.
#18
Hi

I have started noticing that the initial load time for the OPNsense login page has become excessive, especially after the recent updates. The page takes approximately 43 seconds to load completely. Once the initial load is complete then there seems to be no issue. I have tried multiple browsers and the issue seems to exist in all. Has anyone else also noticed this? I am attaching a screenshot of the page load time captured from Firefox with this.

Thanks


#19
18.1 Legacy Series / Firmware Update Fails
March 15, 2018, 06:16:03 PM
This is in continuation of the earlier post in the 17.x version, which is here (https://forum.opnsense.org/index.php?topic=6969.0). The issue still persists in the 18.x version too.

I have noticed this behavior forever. Whenever the update tab is pressed it always fails with the message "Firmware status check was aborted internally. Please try again." But the page lists any new firmware available in the list below. If I click update again it successfully updates. I considered this a nuisance, but it would be good if this can be resolved.

Another suggestion that I have is regarding disabling the list of every single update from the day OPNsense was launched (15.1). Since all branches other than 18 are not supported, or even revertible to, having this in the update tab serves no purpose, as the information is available on the OPNsense webpage anyway. It would be much cleaner to have only the last few updates listed (maybe 4).

#20
18.1 Legacy Series / Where is the IPSec Interface
March 14, 2018, 07:16:06 PM
I have been trying to configure an IPsec VPN on an OPNsense box. The earlier versions had an IPsec interface in the interface list where I could configure the firewall rules for the IPsec connection. But this seems to be missing in the 18 series. Could someone help on where I can find it?