Topics - jarif

#1

I'm trying to create 4 WAN ports on my OPNsense using a HP OfficeConnect switch and a VDSL2 modem (DMZ port).

The idea is that I could get 4 different bridged connections which I might be able to NAT 1-to-1 to some internal hosts. The modem has only 1 DMZ port, but my ISP offers 5 public IPs, which would be 1 for the router and 4 for the DMZ in this scheme.

I have 5 ethernet ports in my server, connected like this:

1. OPNsense connected to modem - routing mode VLAN 1
2. switch connected to - modem - VLANs 2-5 tagged
3. OPNsense connected to switch - VLAN 2
4. OPNsense connected to switch - VLAN 3
5. OPNsense connected to switch - VLAN 4
6. OPNsense connected to switch - VLAN 5

Without the separate VLANs OPNsense crashes miserably when it tries to initialize the 2nd WAN port. Apparently it does not like multiple WAN ports in the same subnet.

I have configured the VLAN numbers on both the OPNsense and the switch.

Is this a totally wrong approach? At least I can not get it up and running...


#2
This must have been working at some stage, as I have multiple rules for port forwarding and I have been happy. But it does not work.

I try to connect from external site to a LAN box via OPNsense, and there are rules for port forward and firewall to make it happen.

But when I try that, the connection is reported as timed out.

Setup

- external client: 138.201.119.25 (www)
- router (OPNsense) (wellington)
- internal LAN host: 192.168.1.122 (gauntlet)

Attempt

[jarif@www ~]$ curl -v http://86.115.205.131
* About to connect() to 86.115.205.131 port 80 (#0)
*   Trying 86.115.205.131...
* Connection timed out
* Failed connect to 86.115.205.131:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 86.115.205.131:80; Connection timed out


But the firewall does not block!

Firewall log tells me that the connection attempts were passed! Is it the port forwarding then?

Doing tcpdump on the LAN host

jarif@gauntlet ~ $ sudo tcpdump -A dst port 80 or src port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:10:41.819431 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:41.819734 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:42.821411 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E .4..@.4.....w....z.M.P..........r.................
00:10:42.821618 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:43.826671 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:44.827337 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:44.827588 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:46.866648 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:48.835362 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:48.835588 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:11:19.429732 IP gauntlet.fredriksson.dy.fi.43405 > mail.bitwell.biz.http: Flags [.], ack 3695803675, win 1024, length 0
E..(\Q..7.cz...z..w....P.....I}.P.......
00:11:19.471313 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43405: Flags [R], seq 3695803675, win 0, length 0
E..(..@.4.....w....z.P...I}.....P.............
00:11:21.614267 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [S], seq 2603470522, win 1024, options [mss 1460], length 0
E..,.7../......z..w....P.-......`....[......
00:11:21.664992 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43661: Flags [S.], seq 3444674754, ack 2603470523, win 29200, options [mss 1460], length 0
E..,..@.4.....w....z.P...Q...-..`.r..%........
00:11:21.665209 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [R], seq 2603470523, win 0, length 0
E..(.=@.@......z..w....P.-......P.......


That is the output while doing curl connection on www.

The line is not dead, blocked or anything, but no tcp socket will be opened!

Is the web server dead on Gauntlet?

I don't think so. To check that, I log in to OPNsense

jarif@gauntlet ~ $ ssh wellington
X11 forwarding request failed on channel 0
Last login: Tue Nov 14 00:16:42 2017 from 192.168.1.122
----------------------------------------------
|      Hello, this is OPNsense 17.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:   https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:   https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:   https://forum.opnsense.org/  |         @@@///   \\\@@@
| Lists:   https://lists.opnsense.org/  |        @@@@         @@@@
| Code:      https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------
jarif@wellington:~ % curl -v http://192.168.1.122
* Rebuilt URL to: http://192.168.1.122/
*   Trying 192.168.1.122...
* TCP_NODELAY set
* Connected to 192.168.1.122 (192.168.1.122) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.1.122
> User-Agent: curl/7.56.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Mon, 13 Nov 2017 22:17:23 GMT
< Server: Apache/2.4.25 (Raspbian)
< WWW-Authenticate: Basic realm="Bacula"
< Content-Length: 462
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.25 (Raspbian) Server at 192.168.1.122 Port 80</address>
</body></html>
* Connection #0 to host 192.168.1.122 left intact


I'm really puzzled with this! Any ideas?

The NAT-rule is:

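A small diagnostic script, added here as an example and not part of the post or of OPNsense: it classifies the TCP three-way handshake per flow from tcpdump lines like the ones above (the sample is abbreviated from that capture, with the -A payload dump dropped). A flow whose SYN-ACK is retransmitted and never acknowledged shows the SYN did get through and the reply never made it back to the client, which points at the return path rather than at the firewall blocking the SYN.

```python
import re
from collections import defaultdict

# Abbreviated lines from the capture above (options fields shortened, -A dump omitted).
CAPTURE = """\
00:10:41.819431 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:41.819734 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, length 0
00:10:42.821411 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, length 0
00:10:42.821618 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, length 0
00:11:21.614267 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [S], seq 2603470522, win 1024, length 0
00:11:21.664992 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43661: Flags [S.], seq 3444674754, ack 2603470523, win 29200, length 0
00:11:21.665209 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [R], seq 2603470523, win 0, length 0
"""

# "<ts> IP <host>.<port> > <host>.<port>: Flags [<flags>]" - hostnames contain dots,
# so the port is the last dot-separated token before the space or colon.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): Flags \[([^\]]*)\]")


def parse(line):
    """Return (src, dst, flags) for a tcpdump TCP summary line, None for payload dump lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return f"{src}:{sport}", f"{dst}:{dport}", flags


def verdict(c):
    """Classify one flow from its SYN / SYN-ACK / ACK / RST counts."""
    if c["rst"]:
        return "reset"
    if c["synack"] and c["ack"]:
        return "established"
    if c["synack"]:
        return "synack-unanswered"   # reply left the host but the client never acked it
    if c["syn"]:
        return "syn-unanswered"      # nothing listening, or the SYN was not delivered
    return "unknown"


def analyse(capture):
    """Group packets into flows keyed by (initiator, responder) and classify each one."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0})
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        src, dst, flags = pkt
        if "S" in flags and "." not in flags:        # SYN: src is the initiator
            flows[(src, dst)]["syn"] += 1
        elif "S" in flags and "." in flags:          # SYN-ACK: dst is the initiator
            flows[(dst, src)]["synack"] += 1
        elif (src, dst) in flows:                    # later packet from the initiator
            flows[(src, dst)]["rst" if "R" in flags else "ack"] += 1
        elif (dst, src) in flows and "R" in flags:   # reset from the responder
            flows[(dst, src)]["rst"] += 1
    return {flow: verdict(counts) for flow, counts in flows.items()}
```

Run `analyse(CAPTURE)` on a real capture by pasting the tcpdump output into CAPTURE; the inbound flow from mail.bitwell.biz comes out as synack-unanswered.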

#3
I set up the CA, server and client for this OpenVPN. But nowhere was I offered a download of an .ovpn file for the client?

How is it done?

Thanks in advance!
#4
17.1 Legacy Series / No IPv6 on WAN
July 15, 2017, 01:39:12 PM
I'm a consumer client for Telia in Finland. I have a VDSL2 modem/router from them, and it is in routing mode, and has both IPv4 and IPv6 addresses. One of the LAN ports of it is in DMZ mode, and my OPNsense firewall is connected to that.

And OPNsense does not get IPv6 no matter how I configure the DHCP6 setting. It is currently set to DHCPv6 and gets no IPv6 address. If I set it to 6to4 tunnel it gets an IPv6 address, but http://test-ipv6.com still claims I do not have IPv6.

Any ideas?
#5
I was under the impression that OPNsense (latest) is on top of vanilla FreeBSD, and all packages would be available.

However: pkg search bacula will not find anything.

I'm a newbie with FreeBSD so there must be something that I do not know yet. Any ideas?
#6
I think I was told that the OPNsense distro is more or less plain FreeBSD + OPNsense, and removing OPNsense would leave me with a FreeBSD.

In FreeBSD the command # pkg search bacula would output:

bacula-bat-7.4.7               Network backup solution (GUI)
bacula-client-7.4.7            Network backup solution (client)
bacula-client-static-7.4.7     Network backup solution (static client)
bacula-docs-7.4.4              Bacula document set
bacula-server-7.4.7            Network backup solution (server)
bacula-web-7.2.0               Bacula-web provides a summarized output of Bacula jobs
bacula5-bat-5.2.12_6           Network backup solution (GUI)
bacula5-client-5.2.12_2        Network backup solution (client)
bacula5-client-static-5.2.12_2 Network backup solution (static client)
bacula5-docs-5.2.12            Bacula document set
bacula5-server-5.2.12_2        Network backup solution (server)
nagios-check_bacula-7.4.7_3    Nagios plugin for Bacula
nagios-check_bacula5-5.2.12_2  Nagios plugin for Bacula

In my fresh OPNsense install it renders nothing.

I need bacula-client to have backups, and maybe this nagios-plugin too. How? I do not want to compile from source.