OPNsense
Topics - maxxer

1
22.1 Legacy Series / Mail server in LAN - connection timeout to SOME MXes
« on: June 03, 2022, 03:04:35 pm »
Hi.
We replaced a pfSense installation with a freshly installed 22.1.8_1. The mailserver in LAN is unable to contact some remote MX, specifically Gmail / Outlook, but also some other minor providers.
The configuration is pretty simple, there are no LAN rules except the default ones allowing all traffic. No QoS configured.

Weirdly enough, telnetting to these hosts works, but mail delivery won't. Can it be something related to TLS connections?

The WAN has a 192.168.20.1 address, the modem is 192.168.20.2. Block of private and bogon networks is disabled. This was erroneously enabled, and while web navigation was fine we had another issue: ssh'ing outside from the server was working, but scp didn't. Now scp works, but email still won't get delivered.

What could be blocking these connections?
thanks

Code:
Jun  3 14:57:12 srv02 postfix/smtp[19722]: 79CA91E33BC3: to=<a.b@domain.it>, relay=mail.register.it[195.110.124.132]:25, delay=3428, delays=3282/0.21/1.2/145, dsn=4.4.2, status=deferred (lost connection with mail.register.it[195.110.124.132] while sending message body)
Jun  3 14:57:49 galasrv02 postfix/smtp[19683]: AA78E1E33CC9: conversation with ASPMX.L.GOOGLE.com[108.177.126.27] timed out while sending message body

EDIT: forgot to say the firewall is running as a Proxmox VM, network driver virtio

2
20.1 Legacy Series / Multi WAN: unable to ping both modems
« on: October 05, 2020, 10:02:52 am »
Hi.
I've configured 20.1.7 with MultiWAN. It seems to work fine but I cannot figure out why I'm unable to ping both modems at the same time, only one of the two is available.
I checked the config it looks as per docs: the two WANs have two private 172.x networks, I configured the two gateways and gateway groups. The default firewall LAN rule is set in fallback mode, that is traffic going through one gw and using the second as failover. Ping from the firewall works for both modems, but from LAN only one of the two is responding. Ping from LAN to the gw monitoring IP works for both, but traceroute shows the same path for all! I.e. right now despite both gw being online LAN traffic is going through the secondary one!

Any hint on where to have a look? Thanks

3
General Discussion / MultiWAN: cannot reach secondary gateway
« on: May 26, 2020, 06:03:24 pm »
I've configured multi wan following the guide on the doc page. When I configure the load balancing gateway for the LAN I'm unable to reach the WAN02 gateway. dpinger can reach it as well as the configured monitoring IP, but it's not possible from the LAN if balanced gw or WAN01 priority gw is selected.

Also if I traceroute the WAN02 monitoring IP from LAN I get routed through the WAN GW, not the appropriate one. But the correct route for WAN02 (172.31.15.0/24) exists on the firewall.

Both GW are marked as upstream, gw auto switching is enabled in advanced firewall settings. I don't know what else to check.

thanks

4
General Discussion / OpenVPN Client Specific Overrides - where are they stored?
« on: May 20, 2020, 09:05:08 am »
I've created a client specific override for a user with a custom VPN network. Now I'd like to remove it, but I'm unable to: even if I remove the entry, the client still gets the custom network. I did everything I could:
  • removed the entry in CSO
  • restarted openvpn service
  • restarted opnsense
  • upgraded from 19.7 to 20.1
  • created an empty CSO entry
The client still gets custom routes. On the same computer, if I change username it gets the default config.

So I tried sshing to OPNsense and had a look into the OpenVPN config file but wasn't able to find where those configs are stored. Does anyone have hints?

Thanks

5
20.1 Legacy Series / OpenVPN static IP address
« on: May 11, 2020, 12:13:31 pm »
Hi.
I'm trying to assign a static IP to an OpenVPN client. I added in Client Specific Overrides a new rule with the openvpn username as common name, and in Advanced:

Code:
ifconfig-push 192.168.99.15 255.255.255.0

but it will always get the same (but different) address. Is this still supported? thanks

6
19.7 Legacy Series / NATting OpenVPN -> IPSec
« on: February 25, 2020, 03:04:53 pm »
Hi.
I've an established IPSec tunnel going from our LAN to a remote network. Then I have an OpenVPN tunnel for accessing our LAN from outside. I need to NAT OpenVPN network to the IPSec tunnel, because I cannot manage the other endpoint to add a new network.

In pfSense I added a second P2 entry with the OpenVPN subnet and I was able to NAT it to the LAN address. In OPNsense I understand I need to use BiNAT, but I must have missed something.

On IPSec I added a manual SPD entry with the OpenVPN net.
In Firewall > NAT > One-to-One I added an entry with OpenVPN NET as External, and firewall's LAN IP as Internal IP. Any as destination.

But this way it's not working. What's wrong?

Thanks

7
19.7 Legacy Series / IPv6 tunnel broker: unable to accept incoming connections
« on: January 11, 2020, 01:24:33 am »
I've set up IPv6 via Tunnelbroker GIF interface. IPv6 is working fine for the LAN, outgoing connections are fine and ping6 from firewall and from LAN clients is ok. But I cannot make it work the other way around. I'm trying to access the firewall over IPv6 but it doesn't work, neither via https nor OpenVPN server. Actually neither traceroute6 nor ping6 to the firewall LAN address (routed /64 from Tunnelbroker) work. I'm not even able to ping the GIF IPv6 address (while it works for the server endpoint).

I've enabled IPv6 ICMP on LAN and GIF interfaces with * destination. At this point I'm not sure if it's a firewall config problem or elsewhere... Any hint would be welcome! Thanks

8
19.7 Legacy Series / Syslog receiver/server
« on: December 11, 2019, 10:02:51 am »
Is it possible to enable OPNsense as a syslog receiver for other devices in the LAN? I found everything for sending logs outside, but not for being a syslog server.

Thanks

9
Hardware and Performance / Dual SSID on Atheros 6280
« on: November 13, 2018, 03:20:03 pm »
Hi

I've done some searches but couldn't figure out definitely: is it possible to have a dual SSID for an Atheros 6280 card? We've bought a Celeron N2930 based board with the above chipset, which if I got it right should support dual SSID. We would like to have a 2.4 and a 5GHz network.

From what I understand pfSense doesn't support this feature but OPNsense should. I've tried configuring wifi on the latter (latest version downloaded yesterday) but when creating the second WIFI interface it returns an error, saying it's probably not supported by the driver or the chipset.

Is this expected to work?
thanks

10
18.1 Legacy Series / Intermittent DNS resolution problems
« on: July 19, 2018, 12:29:37 pm »
Hi.
I've set up a new system with 18.1.12. We have 3 WANs, set up following the guide on the docs. I've also enabled Unbound DNS resolver to provide better DNS to the LAN.

Unfortunately sometimes the DNS is not responding, and so far I was unable to track down the problem and understand where it comes from.

As per the guide I've set up a DNS for every WAN (google and opendns), and if I go to Interfaces > Diagnostic > DNS lookup it always works fast (even for 127.0.0.1). But if from the PC where I perform the test via web I try a dig it returns timeout! I repeat the dig command two or three times, always returning timeout! Then, suddenly, I run dig once more and it returns the result immediately.

I've configured the firewall DNS rule (chapter 5 of the guide above), even if I don't exactly understand why it's needed: if the DNS IP is the firewall address, why should a LAN connection use the gateway?

Any hint on how to debug the problem is very welcome. thanks

11
18.1 Legacy Series / IPsec connected but no traffic
« on: February 06, 2018, 09:51:24 am »
Hi. I'm new to OPNsense, I'm replacing an existing pfSense installation.

I replicated all the configurations and everything seems ok, I'm struggling a bit with VPNs.
Right now I'm trying to restore IPsec tunnels. Everything seems ok (from the status page), but I cannot reach the remote network. In Firewall > IPsec I've enabled all the traffic, just for testing.

From the status page the P2 is INSTALLED and Routed, but still I cannot ping any host of the remote endpoint, neither from the LAN nor from the firewall itself.

Any hint?
thanks
