Topics - fabio

1
20.7 Legacy Series / firewall groups and interfaces
« on: July 31, 2020, 03:42:17 pm »
First of all, thanks for the great work.
I’ve updated my lab firewall and all looks good.

Until now I just do not understand the meaning of “use firewall groups to group interfaces menu accordingly”.

I do not see a direct relation between a group of firewall rules and the interfaces menu,
with the result of hiding interfaces in sub-menus and possibly duplicating them if you use an interface in more than one group.

I found it a bit confusing but maybe I’m missing something obvious;
can someone explain to me the reason for this choice ... I’m curious to understand.

Thanks again to all the developers and the community
--
Fabio

2
20.1 Legacy Series / Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: February 17, 2020, 11:09:44 pm »
Hi All,

I've a couple of opnsense in HA and all works fine.

Now I need to check if the configuration of the 2 nodes is synced ... so as to be sure to "remember to update your backup server in System: High availability: status".

Does someone know a sensible way to verify the configuration sync status? Any method/suggestion is welcome.

As a general idea, I would like to implement a "nagios plugin" to also monitor this check with my icinga2 servers.

Thanks

3
19.7 Legacy Series / IPSec monitoring
« on: October 24, 2019, 09:26:26 am »
Hi All

I need to check the IPsec tunnel status from my monitoring system (icinga2) … in your opinion which is the “correct” way?
… with the opnsense API (which is the call)
… via a script run by the “icinga agent” installed on the firewall
… something else

Has someone already implemented this type of check?
I’ll be glad for any suggestion

Thanks
--
Fabio

4
19.1 Legacy Series / HAProxy and Let's Encrypt OCSP stapling
« on: June 05, 2019, 04:21:30 pm »
Hi All,

I would like to add OCSP stapling to my HAProxy + Let's Encrypt

Do you know any sensible method to implement it?

Thanks for any idea

5
18.7 Legacy Series / BURP FreeBSD port
« on: November 22, 2018, 02:38:48 pm »
Hi,
I started to use BURP (https://burp.grke.org/) as backup software.

Unfortunately the package is not currently available in opnsense but it's present in the FreeBSD ports under:
Code:
sysutils/burp
Is it possible to add this package to our favorite firewall? :)

Thanks
--
Fabio

6
18.7 Legacy Series / Alias Host(s) vs Network(s)
« on: August 05, 2018, 01:05:09 pm »
Hi All,

What is the difference between the Alias type Host and the Network one?
Is a /32 Network identical to a Host type?

I'm just wondering why there is an alias type that "looks like" a subset of another

Thanks

7
18.7 Legacy Series / [SOLVED] Missing OpenVPN RADIUS Attr on "reconnection"
« on: August 03, 2018, 06:25:32 pm »
Hi All,

I've noticed that the RADIUS attributes are not pushed to the client if the server sees the client connected

To reproduce the behaviour
01- client connection
02- RADIUS auth request
03- RADIUS reply with attributes
04- Framed-IP-Address and Framed-Route are assigned to the client
05- client disconnection / connection
07- RADIUS auth request
08- RADIUS reply with attributes
09- Framed-IP-Address and Framed-Route are NOT assigned to the client

If you kill the client connection from the GUI

11- client connection
12- RADIUS auth request
13- RADIUS reply with attributes
14- Framed-IP-Address and Framed-Route are assigned to the client

At the moment as client I've only used "OpenVPN for Android"

Cheers,

8
18.1 Legacy Series / OpenVPN - Addressing pool
« on: May 06, 2018, 11:18:22 am »
Hi,

Mildly related to the https://forum.opnsense.org/index.php?topic=7830 topic

To be absolutely sure not to have overlap between my static address assignments and the dynamic ones, I would like to limit this pool to a subnet;

According to the https://community.openvpn.net/openvpn/wiki/Concepts-Addressing#Examplesforsubnettopology documentation page, instead of using the "server" directive
Code:
server 10.8.0.0 255.255.255.0
"ifconfig", "ifconfig-pool" and "mode server" are needed, plus a push of a couple of configurations to the client

This is a test for "topology subnet"

Code:
mode server
ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.4 10.8.0.199 255.255.255.0
push "route-gateway 10.8.0.1"
push "topology subnet"


Unfortunately in the current web page the mandatory field "IPv4 Tunnel Network" sets "server", which is incompatible with this implementation,
so for my proof of concept I've manually changed the "/var/etc/openvpn/server1.conf" conf file and manually restarted the service.

From my current limited test I do not see problems and OpenVPN assigns only addresses in the ifconfig-pool range

Maybe in one of the next releases you may consider implementing this feature as well
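
An added example (not part of the original post): a Python check that statically assigned client addresses stay inside the tunnel subnet and outside the ifconfig-pool range of the test configuration above. The function names, the users and their static addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the server fragment from the post above, and static
# assignments for hypothetical users (e.g. RADIUS Framed-IP-Address values).
SERVER_CONF = """\
mode server
ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.4 10.8.0.199 255.255.255.0
push "route-gateway 10.8.0.1"
push "topology subnet"
"""
STATIC = {"alice": "10.8.0.200", "bob": "10.8.0.50", "carol": "10.8.0.1",
          "dave": "10.8.1.7", "erin": "10.8.0.200"}

def parse_addressing(conf_text):
    """Return (tunnel network, server address, pool start, pool end)."""
    server = netmask = pool = None
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ifconfig":
            server, netmask = ipaddress.IPv4Address(fields[1]), fields[2]
        elif len(fields) >= 3 and fields[0] == "ifconfig-pool":
            pool = tuple(ipaddress.IPv4Address(f) for f in fields[1:3])
    if server is None or pool is None or pool[0] > pool[1]:
        raise ValueError("need ifconfig plus a well-ordered ifconfig-pool")
    network = ipaddress.IPv4Network(f"{server}/{netmask}", strict=False)
    return network, server, pool[0], pool[1]

def check_static(conf_text, static_assignments):
    """Map each user to a problem string, or None when the address is safe."""
    network, server, start, end = parse_addressing(conf_text)
    seen, results = {}, {}
    for user, addr_text in static_assignments.items():
        addr = ipaddress.IPv4Address(addr_text)
        if addr not in network:
            results[user] = "outside tunnel subnet"
        elif addr in (network.network_address, network.broadcast_address, server):
            results[user] = "reserved address"
        elif start <= addr <= end:
            results[user] = "inside dynamic pool"
        elif addr in seen:
            results[user] = f"duplicate of {seen[addr]}"
        else:
            results[user] = None
        seen.setdefault(addr, user)
    return results

if __name__ == "__main__":
    print(check_static(SERVER_CONF, STATIC))
```

Run against the generated server configuration before each restart, a check like this flags a static address that would collide with the dynamic range.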

9
18.1 Legacy Series / Automatic NAT Address after upgrade
« on: February 10, 2018, 12:01:08 pm »
Hi All,

I've noticed that the "Automatic outbound NAT rule generation" in 18.1.x uses "WAN" instead of "WAN address":
I've an additional Virtual IP and I see the outgoing traffic sourced from both addresses.

As a workaround I replaced the automatic rules with the manual ones

Cheers
--
Fabio

10
17.7 Legacy Series / Collectd and openvpn stats
« on: October 01, 2017, 01:16:20 pm »
Hi
I would like to collect openvpn stats via collectd so I've manually added:
Code:
LoadPlugin openvpn
<Plugin openvpn>
 StatusFile "/var/run/openvpn-status.log"
 CollectIndividualUsers true
 CollectUserCount true
 CollectCompression true
 ImprovedNamingSchema false
</Plugin>
to my /usr/local/etc/collectd.conf

and
Code:
status /var/run/openvpn-status.log

in the Advanced field of "VPN: OpenVPN: Servers"

This seems to work fine, so I'm asking you, if it's possible, to add an "Advanced" field in collectd as well,
a field simply appended to /usr/local/etc/collectd.conf


Thank you for all your great work and sorry if I've only requests and not code



11
17.7 Legacy Series / Duplicated OSPF Router ID
« on: September 28, 2017, 08:32:02 pm »
I've a couple of pfsense in HA, also configured as OSPF routers

Recently I've added an additional CARP address and both devices started to use this address as the OSPF router-ID, so the "dynamic routing" stopped working

... after changing the ID via CLI the routing started to work again

root@OPN2:~ # vtysh

Hello, this is Quagga (version 1.2.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

OPN2# configure terminal
OPN2(config)# router ospf
OPN2(config-router)# ospf router-id 192.168.0.3

OPN2(config)# write

Unfortunately after a reboot the ID returns to the old one

Is there a way to permanently and statically set the router-id?


PS:
I'm not sure what the IDs were before the "new carp address", but OSPF worked fine

12
17.7 Legacy Series / FTP active mode (Outbound NAT)
« on: September 13, 2017, 11:09:45 am »
Hi All
I have problems connecting LAN clients to remote FTPs in active mode; unfortunately I've a couple of suppliers that do not accept passive

The current network configuration is:
lan_clients (dhcp)  ->  opnsense (Outbound NAT) -> ISP_router (NAT) -> "the internet" -> RemoteFTP

With this conf the connection to the FTP is established but commands return errors;
instead, if I connect the clients directly to the ISP router, Active mode works

I googled around and I've made some tests but without success ... do you have any suggestion to solve this?

Cheers

13
17.7 Legacy Series / OpenVPN and RADIUS attributes
« on: September 02, 2017, 05:24:25 pm »
Hi All,
I would like to push ip address and routes to OpenVPN accounts using a RADIUS server.

With the current OPNSense implementation, is it possible to assign them with the Framed-IP-Address and Framed-Route attrs?

Looking at the configuration file, it seems the RADIUS server is just used to verify the password ... but maybe I'm wrong

Thanks

14
17.1 Legacy Series / [PARTIALLY SOLVED] 17.1.5 - Gateway problems
« on: April 26, 2017, 09:04:34 pm »
Hi,

After the 17.1.5 upgrade it seems the "default gateway switching" and the "Gateways Group" do not work any more

To be honest I'm not completely sure about the gw switching; I tested it, not in a "deep way", just last Friday ... but I remember it was working

Instead, about the "Group": I currently have the Tier 1 offline, the Tier 2 online, in the firewall there is a rule "any" configured with the gw group ... and a traceroute shows the traffic is always routed via "Tier1". In this case I'm sure it was working...

Has anyone noticed similar behaviour after the upgrade?

Thanks
--
Fabio
