OPNsense Forum

Topics - eptesicus

1. 19.7 Legacy Series / Need to fix firewall rules post-upgrade from 19.1 to 19.7.7
« on: November 21, 2019, 05:00:23 pm »
I'm using this one VLAN as an example, but since upgrading from 19.1.10 to 19.7.7, servers on this VLAN cannot access the internet, but can access the servers on other VLANs they have access to. If I change the gateway on the first and last rules to WAN_DHCP, internet connectivity works, but not connectivity to anything outside of the VLAN. I should note that 2 VLANs are routed through an HA VPN gateway, and the setup seems pretty complex. Either way, all the rules have stayed the same, but since the upgrade, connectivity has changed.

2. General Discussion / Subnets and Messy Rules
« on: January 28, 2019, 03:57:00 pm »
I'm trying to go from a flat /20 network to subnets. I'm working on dividing my network up as below:

LAN - Currently contains most of the network at this time. Trying to move everything to VLANs/subnets
VLAN10_MGMT - Management network for DCs, DNS, ESXi hosts/vCenter, OoB management/console access, backups (may move to own subnet), monitoring servers/applications, etc. (Should be isolated, but also have access to everything?)
VLAN20_Storage - Network for NAS' with media and the SAN for VM storage. (Permit SAN for ESXi storage)
VLAN50_Users - My desktop, phone, laptop, etc. (Want access somehow to the management network, or everything... Not sure yet.)
VLAN70_DL - Download/torrent servers and DL automation services. (Want to view the web UIs from my Users and MGMT networks. Need to allow to read/write to the NAS on my storage network)
VLAN80_Web - Nginx reverse proxy servers, and any web-facing servers. (Only open ports to necessary services)
VLAN90_RA - Remote access - Squid proxy, VPN access to home network, RDP jumpboxes w/ Duo, ssh jumpboxes w/ Duo.
VLAN100_Guest - Guest wifi (Should be isolated completely with the exception of Plex and my other web services)
VLAN110_Wife - Wife's desktop, phone, tablet, etc. (Should be isolated completely with the exception of Plex and my other web services)
VLAN120_IOT - Internet of things... TV, Nvidia Shield... (Should be isolated completely with the exception of Plex and pi-hole DNS)

Right now, I have a PIA VPN on the firewall routing traffic to Toronto. When this was on, the guest wifi, wife, and IoT VLANs wouldn't get access to the internet. I had to set their gateways to the WAN to fix that.

The problem right now is that when I enable the VPN, the LAN doesn't have access to the internet. Traffic should NOT be routing over that VPN, but something's happening where it's trying to, but is failing. I want it to go over the WAN, but for the time being, I don't want to set the WAN as a gateway, because then I can't access any of the other subnets.

Aside from starting my lab/home network from scratch, how do I make this all possible?
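The default-deny zone plan in this post, and the "local traffic goes out the VPN, or internet breaks" symptom from both this post and the 19.7.7 post above, as an added example (not the poster's configuration and not OPNsense code): a small first-match rule evaluator in Python, which is how OPNsense/pf "quick" rules are matched. The zone names and the Plex and pi-hole exceptions come from the post; the subnet numbers, the host addresses, the Plex port 32400 and the gateway names VPN_PIA and WAN_DHCP used here are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed zone table. Zone names are the VLANs from the post; the subnet
# numbers are assumptions (the post only gives the old flat 10.0.0.0/20).
ZONES: dict[str, IPv4Network] = {
    "VLAN10_MGMT":    ip_network("10.0.10.0/24"),
    "VLAN20_Storage": ip_network("10.0.20.0/24"),
    "VLAN50_Users":   ip_network("10.0.50.0/24"),
    "VLAN80_Web":     ip_network("10.0.80.0/24"),
    "VLAN120_IOT":    ip_network("10.0.120.0/24"),
}
# Assumed service hosts and ports: Plex on the web VLAN, pi-hole DNS on MGMT.
PLEX = ("10.0.80.10", 32400)
PIHOLE = ("10.0.10.53", 53)


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    src: str                              # zone name or "any"
    dst: str                              # zone name, host IP, "local" (all zones) or "any"
    ports: frozenset = frozenset()        # empty set = any destination port
    gateway: str = "default"              # "default" = system route table, else a named gateway
    note: str = ""


def zone_of(addr: IPv4Address) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is not local."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _dst_matches(rule: Rule, dst: IPv4Address) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "local":
        return zone_of(dst) is not None
    if rule.dst in ZONES:
        return dst in ZONES[rule.dst]
    return dst == ip_address(rule.dst)    # literal host address


def matches(rule: Rule, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
    if rule.src != "any" and zone_of(src) != rule.src:
        return False
    if not _dst_matches(rule, dst):
        return False
    return not rule.ports or port in rule.ports


def evaluate(rules: list, src_ip: str, dst_ip: str, port: int) -> tuple:
    """First match wins (pf 'quick'); no match is an implicit default deny.
    Returns (action, gateway); a blocked flow has no gateway."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src, dst, port):
            return (rule.action, rule.gateway if rule.action == "pass" else "none")
    return ("block", "none")


# The IoT zone as described in the post: only Plex and pi-hole DNS inside the
# house, everything else local blocked, internet out the WAN gateway.
IOT_RULES = [
    Rule("pass", "VLAN120_IOT", PLEX[0], frozenset({PLEX[1]}), note="Plex only"),
    Rule("pass", "VLAN120_IOT", PIHOLE[0], frozenset({PIHOLE[1]}), note="pi-hole DNS only"),
    Rule("block", "VLAN120_IOT", "local", note="no other internal destination"),
    Rule("pass", "VLAN120_IOT", "any", gateway="WAN_DHCP", note="internet via WAN"),
]

# The policy-routing pitfall from the two posts: a catch-all rule with a VPN
# gateway placed before the local-destination rule sends inter-VLAN traffic
# out the tunnel, because the local rule is never reached.
BROKEN_USER_RULES = [
    Rule("pass", "VLAN50_Users", "any", gateway="VPN_PIA", note="catch-all first: wrong"),
    Rule("pass", "VLAN50_Users", "local", note="unreachable"),
]
# Corrected ordering: local destinations use the route table, the rest the VPN.
FIXED_USER_RULES = [
    Rule("pass", "VLAN50_Users", "local", note="inter-VLAN via route table"),
    Rule("pass", "VLAN50_Users", "any", gateway="VPN_PIA", note="everything else via VPN"),
]

if __name__ == "__main__":
    for rules, label in ((BROKEN_USER_RULES, "broken"), (FIXED_USER_RULES, "fixed")):
        print(label, "users -> storage:", evaluate(rules, "10.0.50.7", "10.0.20.10", 445))
    print("iot -> mgmt ssh:", evaluate(IOT_RULES, "10.0.120.5", "10.0.10.10", 22))
```

The evaluator checks source zone, destination (zone, host, "local" or "any") and port in order, exactly the way the rule table would be read top to bottom; the flow that matters for the symptom in both posts is a users-VLAN host reaching a storage-VLAN host, which lands on the VPN gateway under the broken ordering and on the system route table under the fixed one.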
3. General Discussion / 10GbE Networking, Subnets, and performance without Layer 3 switching?
« on: January 24, 2019, 04:17:24 pm »
I have my OPNsense firewall on an ASUS RS200 with an i3 CPU, 4 GbE NICs, and 2x 10GbE NICs that will be installed this weekend.

My two switches are Ubiquiti Unifi US-16-XG and US-24-250. I have a SAN, two NAS', and 4 ESXi hosts. Each of these is connected to the 16-XG for 10GbE and then a 1GbE on the US-24 for failover.

I'm currently working on segregating my network so that it's no longer a flat 10.0.0.0/20, but has 10 different subnets (management, storage, desktops, backup, downloads, web/dmz, remote access, guest wifi, wife's devices, and IoT). My problem is that now every subnet is having its traffic routed through the firewall's 1GbE LAN port. 10GbE will be installed this weekend, but do I have a way without buying all new Layer 3 switches to keep traffic from completely saturating the firewall? Someone had mentioned running some VMs on my hosts to act as the gateways, but I want to see if there's a better solution before I pursue that or just leave the traffic to route through the firewall once I install 10GbE.

Thanks!

4. Hardware and Performance / 10GbE NIC Recommendation?
« on: January 18, 2019, 02:13:18 pm »
I'm currently working on segregating my network into various VLANs/subnets. I have a 10GbE Ubiquiti switch and an Asus RS200-E9-PS2 server that I'm using for my firewall. In my quest for network segregation with 10GbE, I learned that because my gateways are on the firewall, with a 1GbE connection, I'll be limited to 1GbE between devices on VLANs that do communicate with each other.

With that said, I've had success with Mellanox ConnectX-2s and -3s as SFP+ NICs in ESXi and Debian/Ubuntu, but I don't know if these will work with OPNsense/FreeBSD. Can anyone confirm, or recommend an SFP+ or RJ45 10GbE alternative?

Thanks!

5. 18.1 Legacy Series / Cannot start snmpd service
« on: July 19, 2018, 06:28:43 pm »
I installed the os-net-snmp plugin, but the service is unable to run. I've attempted to reinstall without resolution. I'm running 18.1.12 and have os-net-snmp 1.0_1 installed.

Jul 19 12:21:18    root: /usr/local/etc/rc.d/snmpd: WARNING: failed to start snmpd

Thoughts on getting snmp running?

6. 17.1 Legacy Series / OpenVPN Server - No WAN?
« on: May 28, 2017, 10:50:27 pm »
I have set up two VPN clients on my firewall using the method here: https://forum.opnsense.org/index.php?topic=4979.0. This allows all of my traffic to be routed over VPN. One tunnel to the Netherlands for downloads, and another to the US east coast for normal traffic.

I also have a VPN server running on the firewall so that I can connect to my local network from outside the network. I have OpenVPN for Android on my phone that I want to use in order to connect to my home network when I'm off of my home wifi (using Tasker to automatically connect the VPN when I'm off of my wifi, and disconnect when I connect to my home wifi). The problem that I have now is that when I'm connected to the OpenVPN server on my firewall from my laptop or phone, I'm only able to access my local network, and traffic cannot reach the WAN. What am I missing here? I also have an ad-block server on my network (pi-hole) that I want to ensure will work on the clients connecting to the VPN server. Below is my config.

OpenVPN Server Config (screenshot)

NAT Outbound Rules (screenshot)

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved