Topics - opnsense@f2f10.com

1. 18.1 Legacy Series / Automatic NAT Rules Generation
« on: March 13, 2018, 11:00:09 am »
Hi all,

Just deployed pfSense and OPNsense together and noticed a small difference.
https://doc.pfsense.org/index.php/Automatic_NAT_Rules_Generation

pfSense says this above and does it. In my case, I have a static route to all my internal networks (10.16.0.0/16). Indeed, I see this in NAT. This is good, as I'd like to have my other internal networks traverse this firewall outbound, but I don't want my firewall to have an interface on those remote networks.

On OPNsense, this seems not to be the case; after a fair amount of troubleshooting with tcpdump, I realized that this has to be manually added as a NAT rule to get it to work.

My question is: is this an "intentional" difference, or is it a "bug"? I am OK with either method of getting it to work, I just want to clarify.

Thanks
peng


2. 18.1 Legacy Series / DHCP Serving multiple subnets to remote networks (VLANs), not directly connected
« on: March 04, 2018, 02:26:56 pm »
Hi Wonder team here!!

I am in a project with an opportunity to replace the Windows AD/DHCP/DNS stuff with BSD/Linux. I have to do it piece by piece.

I plan to have one LAN only, with CARP serving as the default gateway for all the company's outgoing traffic. This only LAN will be something like 10.16.229.0/29, with one IP for the primary OPNsense, another for the secondary, and a VIP. I prefer not to have DHCP on this VLAN, because all these IPs are only for OPNsense to use; however, if I have to enable it in order to get my following purpose served, it's OK for me to enable DHCP on this VLAN as well. The rest of the LANs (VLANs) will be on the remote Cisco access switches. They are not directly connected to OPNsense. Otherwise, I would have to extend those VLANs across multiple switches/links to OPNsense, which would be a mess with STP. I'd like to use Layer 3 routing on those switches to take care of routing to those remote VLANs.

Instead of setting up another pair of DHCP/DNS servers to serve the remote VLAN networks from a centralized pool of multiple subnets, just like what the Windows DHCP server does, I'd like to utilize OPNsense's DHCP/DNS function to do this. I don't like having these remote VLANs directly connected to OPNsense, which complicates things with STP on all switches across the whole company.

For the DNS part, I assume that by just pointing the remote DHCP client PCs at a DNS IP via a DHCP option, it would work. Correct?

For the DHCP server handing out multiple subnets based on the remote VLAN interface IP as the source of the DHCP request, it seems hard to get set up. All my switches with those VLANs will have Cisco "ip dhcp helper x.x.x.x" configured on the Layer 3 VLAN interface (with one IP and IP subnet configured on the VLAN). When a client makes a DHCP request, this helper will forward it to the DHCP server x.x.x.x with the source IP of this VLAN's IP. The Windows DHCP server can assign pools of IP subnets based on the IP helper's source IP.

When I tried to do this on the OPNsense LAN, I found no way of doing it. Even if I enable the DHCP server on this LAN, the additional pool range must be within this LAN interface's subnet.

However, based on the bottom of this post, https://community.spiceworks.com/topic/1331562-isc-dhcp-server-for-multiple-vlans

The only thing we need to get the isc-dhcp server working for this purpose is to add this simple declaration within dhcpd.conf.

Quote
# This subnet is the one that the DHCP server is in; it has to be here in order
# for the server to hand out addresses. It won't hand out IPs on that subnet since
# there is nothing between the curly brackets.
subnet 10.20.20.0 netmask 255.255.255.0 { }

# VLAN - 211
subnet 10.21.12.0 netmask 255.255.252.0 {
    range                    10.21.12.3 10.21.15.254;
    option routers           10.21.12.1;
    option subnet-mask       255.255.252.0;
    option broadcast-address 10.21.15.255;
}

# VLAN - 212
# The router sits at 10.21.22.1, in the middle of the /22, so the pool is split
# around it; a single range 10.21.20.3 10.21.23.254 would lease the router's
# own address to a client.
subnet 10.21.20.0 netmask 255.255.252.0 {
    range                    10.21.20.3 10.21.21.254;
    range                    10.21.22.2 10.21.23.254;
    option routers           10.21.22.1;
    option subnet-mask       255.255.252.0;
    option broadcast-address 10.21.23.255;
}

! Cisco IOS switch side: each SVI relays DHCP to the server at 10.20.20.41
interface Vlan211
 description VLAN 211
 ip address 10.21.12.1 255.255.252.0
 ip helper-address 10.20.20.41

interface Vlan212
 description VLAN 212
 ip address 10.21.22.1 255.255.252.0
 ip helper-address 10.20.20.41
Unquote.

Another effort is here.
https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/

Another here,
https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

If this is the case, can you guys help to make this available in OPNsense? So, ideally, we could choose an OPNsense LAN interface, enable the DHCP service on this LAN, but not assign DHCP addresses for this LAN (by making an empty declaration for this subnet). It would then have an option for us to add additional SUBNET info. This would make OPNsense a replacement for the Windows DHCP server.

Or, at least, we could still allow assigning DHCP addresses for this specific LAN while at the same time allowing it to serve other SUBNETs, if "not serving DHCP addresses" on this LAN is difficult to achieve.

My project actually goes live on Monday, Mar 5, 2018. I just didn't plan for this and only just realized this issue. Would this be a quick, easy fix with a minor update from you guys?

My next option (least favorite) would be either using a standalone box for this purpose as a standalone DHCP server, or extending all those VLANs across many switches to OPNsense.

Thanks
peng
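The post above hinges on two things ISC dhcpd does that the OPNsense GUI of the time did not expose: it picks the subnet declaration from the relay agent's source address (giaddr), and it will serve an interface whose own subnet is declared with empty braces. The script below is an added example (not code from the forum post, OPNsense or ISC dhcpd) that models that selection rule, renders declarations in the same shape as the quoted dhcpd.conf, and checks a proposed layout before it is deployed. The subnets, the server address 10.20.20.41 and the VLAN numbers are taken from the quote; the names `Subnet`, `select_subnet`, `validate` and `render` are this example's own.

```python
# Added example (not from the forum post, OPNsense or ISC dhcpd): a small model of
# how ISC dhcpd picks a subnet declaration for a relayed DHCP request, plus a
# pre-deployment check for the mistakes that make such a setup fail quietly.
# The subnets below are constructed from the values quoted in the post.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Subnet:
    network: str                                  # e.g. "10.21.12.0/22"
    router: Optional[str] = None                  # 'option routers'; None for the server's own subnet
    ranges: List[Tuple[str, str]] = field(default_factory=list)


def select_subnet(giaddr: str, subnets: List[Subnet], server_ip: str) -> Optional[Subnet]:
    """dhcpd's rule: a relayed request (giaddr != 0.0.0.0) is matched against the
    subnet containing giaddr; a local broadcast uses the subnet of the interface it
    arrived on (modelled here by server_ip)."""
    key = ipaddress.ip_address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for s in subnets:
        if key in ipaddress.ip_network(s.network):
            return s
    return None   # dhcpd logs "no subnet declaration for ..." and drops the request


def validate(subnets: List[Subnet], server_ip: str) -> List[str]:
    """Return the problems found; an empty list means the layout is consistent."""
    problems = []
    nets = [ipaddress.ip_network(s.network) for s in subnets]
    if not any(ipaddress.ip_address(server_ip) in n for n in nets):
        problems.append(f"server {server_ip} not in any declared subnet; dhcpd will not "
                        "serve the interface unless its subnet is declared (empty braces are fine)")
    for s, net in zip(subnets, nets):
        router = ipaddress.ip_address(s.router) if s.router else None
        if router is not None and router not in net:
            problems.append(f"{s.network}: router {s.router} is outside the subnet")
        for lo, hi in s.ranges:
            a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if a > b or a not in net or b not in net:
                problems.append(f"{s.network}: range {lo}-{hi} is not inside the subnet")
                continue
            if a == net.network_address or b == net.broadcast_address:
                problems.append(f"{s.network}: range {lo}-{hi} includes the network/broadcast address")
            if router is not None and a <= router <= b:
                problems.append(f"{s.network}: range {lo}-{hi} contains router {s.router}")
    return problems


def render(subnets: List[Subnet]) -> str:
    """Emit dhcpd.conf subnet declarations in the same shape as the quoted config."""
    out = []
    for s in subnets:
        net = ipaddress.ip_network(s.network)
        out.append(f"subnet {net.network_address} netmask {net.netmask} {{")
        for lo, hi in s.ranges:
            out.append(f"    range {lo} {hi};")
        if s.router:
            out.append(f"    option routers {s.router};")
            out.append(f"    option subnet-mask {net.netmask};")
            out.append(f"    option broadcast-address {net.broadcast_address};")
        out.append("}")
    return "\n".join(out) + "\n"


SERVER_IP = "10.20.20.41"   # the ip helper-address target, as in the quote

# Constructed from the quote as originally posted: VLAN 212's router 10.21.22.1
# sits inside the single pool 10.21.20.3-10.21.23.254.
AS_QUOTED = [
    Subnet("10.20.20.0/24"),                                   # server's subnet, no pool
    Subnet("10.21.12.0/22", "10.21.12.1", [("10.21.12.3", "10.21.15.254")]),
    Subnet("10.21.20.0/22", "10.21.22.1", [("10.21.20.3", "10.21.23.254")]),
]

# Corrected layout: the VLAN 212 pool is split around the router address.
FIXED = [
    Subnet("10.20.20.0/24"),
    Subnet("10.21.12.0/22", "10.21.12.1", [("10.21.12.3", "10.21.15.254")]),
    Subnet("10.21.20.0/22", "10.21.22.1",
           [("10.21.20.3", "10.21.21.254"), ("10.21.22.2", "10.21.23.254")]),
]

if __name__ == "__main__":
    for problem in validate(AS_QUOTED, SERVER_IP):
        print("as quoted:", problem)
    print(render(FIXED))
    hit = select_subnet("10.21.22.1", FIXED, SERVER_IP)   # request relayed by the VLAN 212 SVI
    print("giaddr 10.21.22.1 ->", hit.network if hit else None)
```

Run it and the check reports the VLAN 212 pool swallowing its own router; the corrected layout passes and renders the empty declaration for 10.20.20.0/24 exactly as the quote describes. A giaddr that matches no declaration returns `None`, which is the "no subnet declaration" drop you see in the dhcpd log when a relayed VLAN was never declared.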


3. 17.7 Legacy Series / NAT Reflection
« on: December 23, 2017, 02:17:55 pm »
Hi guys,

Tried Mailinabox with OPNsense and ran into issues. Does anyone here have any thoughts on getting this working properly?

https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704/97

4. 17.7 Legacy Series / WAN CARP or NOT
« on: November 19, 2017, 09:01:16 pm »
Hi guys,
https://docs.opnsense.org/manual/how-tos/carp.html

Based on the above link, it seems that we need CARP for the LAN as well as for the WAN.

If I have each separate internet connection going directly to each separate OPNsense box, those two IPs from the providers would be like 1.1.1.1 and 2.2.2.2, which are not on the same subnet.

If I have to do what the documentation says, I would either put the provider equipment in router mode and configure its internal interface to 3.3.3.x, which would be used for both the provider equipment's internal interface and the two OPNsense WAN-facing interfaces plus a VIP,

or I put two additional routers behind the ISP's boxes to get the public IPs and then another interface to OPNsense on the same subnet.

Is this correct?
Can I simply do LAN CARP and use two separate WAN connections, one to each OPNsense box? Then set up a failover on the WAN side from one OPNsense box to the other OPNsense box's WAN, with LAN clients running behind LAN CARP.

Can anyone help me with some thoughts and links?

thanks
peng

5. 17.1 Legacy Series / policy based routing, multiple routing tables
« on: June 03, 2017, 09:41:25 pm »
Hi Team,

New to using OPNsense, which is great! However, I have been using OpenWrt for more than 10 years, and one thing that makes a complete switch-over difficult for me is described below.

In Linux (OpenWrt), I can leverage policy routing with iproute2 and different routing tables. I can use that to make my VPN provider's connection the default for all of 0.0.0.0/1 and 128.0.0.0/1, while I can still make incoming SSH/SMTP etc. on my real WAN get their reply packets sent back out the WAN, not through the VPN provider. I can also make one of my internal DMZ subnets' outgoing traffic go out the real WAN, not the VPN provider.

I researched a bit on OPNsense and pfSense, and it is not clear to me how to do this. Further research about FreeBSD says it's possible by "recompiling the kernel" with multiroutetable=2, etc.

I was wondering whether you guys can provide some leads on this. If it can be done in the next release, that's great to know as well.

thanks

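Both the outbound NAT question in post 1 and the policy-routing question in post 5 come down to pf features that need no second routing table: `nat` rules for networks that are not interface subnets, `route-to` to send a state out a chosen interface and gateway, and `reply-to` so that replies to connections accepted on the WAN leave via the WAN even when the default route points into the VPN. The ruleset below is an added example (not code from the forum, OPNsense or pfSense); interface names, the ISP and VPN gateway addresses and the DMZ subnet are assumptions, while 10.16.0.0/16 and 10.16.229.0/29 are the networks named in the posts.

```pf
# Added example (not from the forum threads, OPNsense or pfSense): a minimal pf
# ruleset for the two situations raised above.  em0/em1/tun0, the gateway
# addresses and the DMZ subnet are assumptions.
wan_if   = "em0"             # real ISP uplink
wan_gw   = "203.0.113.1"     # ISP next hop (assumed)
lan_if   = "em1"             # 10.16.229.0/29 towards the core switch
vpn_if   = "tun0"            # VPN provider tunnel
vpn_gw   = "10.8.0.1"        # far end of the tunnel (assumed)
routed   = "10.16.0.0/16"    # reached via a static route over $lan_if; not an interface subnet
dmz      = "10.16.50.0/24"   # assumed DMZ VLAN that must leave via the real WAN
wan_svcs = "{ 22, 25 }"      # inbound SSH and SMTP on the WAN address

# --- post 1: outbound NAT for a routed-only network --------------------------
# Automatic outbound NAT is built from interface subnets, so a network that is
# only known through a static route needs its own rule, one per egress interface.
nat on $wan_if inet from $routed to any -> ($wan_if)
nat on $vpn_if inet from $routed to any -> ($vpn_if)

# --- post 5: policy routing without a second routing table -------------------
# Connections accepted on the WAN reply out the WAN: reply-to pins the return
# path for that state, regardless of the kernel's default route into the VPN.
pass in quick on $wan_if inet proto tcp from any to ($wan_if) port $wan_svcs \
    reply-to ($wan_if $wan_gw) keep state

# The DMZ is forced out the real WAN.  Inter-VLAN traffic is routed on the L3
# switch in this design, so nothing from the DMZ that arrives here is internal.
pass in quick on $lan_if inet from $dmz to any \
    route-to ($wan_if $wan_gw) keep state

# Everything else from the inside (the /29 and the routed /16) goes into the VPN.
pass in quick on $lan_if inet from { ($lan_if:network), $routed } to any \
    route-to ($vpn_if $vpn_gw) keep state

pass out quick on { $wan_if, $vpn_if } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm the translation rules landed with `pfctl -sn`, and watch `tcpdump -ni em0` while a 10.16.x host browses: the source address should appear as the WAN address, which is exactly what was missing in post 1. In the OPNsense GUI the same things are the manual Outbound NAT rule (Firewall > NAT > Outbound, Hybrid mode) for the routed network, and the Gateway field on a firewall rule, which is rendered as `route-to`; rules on the WAN interface get `reply-to` automatically unless it has been disabled in the advanced firewall settings.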
OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved