Show Posts


Topics - mic

1
Virtual private networks / VXLAN between two OPNsense
« on: August 28, 2024, 11:50:47 am »
Hi,

I need to configure VXLAN between two OPNsense. This is my situation:
OPNsense A as a physical firewall in the head office:
IP Public: a.a.a.a
LAN 1: 192.168.100.1/24
VLAN 200: 192.168.200.1/24
VLAN 210: 192.168.210.1/24
VLAN 220: 192.168.220.1/24

OPNsense B as a VM in a DC:
IP Public: b.b.b.b
LAN 1: 192.168.2.1/24

My goal is to transport VLANs 200, 210 and 220 of Firewall A to Firewall B in the DC, so as to allow VLANs 200, 210 and 220 to surf the Internet through Firewall B using its public IP b.b.b.b.

For various reasons I cannot use any VPN other than VXLAN.

I tried some configuration but without luck.

Could you help me, please?

Thank you

2
Virtual private networks / Wireguard 2 WANs IP
« on: July 26, 2024, 05:22:02 pm »
Hello,

I have the following configuration:
  • Virtualized OPNsense in a DC with 1 static public IP: a.b.c.d
  • A hardware OPNsense in the customer headquarters with 2 WAN connections (different ISPs) and therefore 2 WAN IP addresses (say e.f.g.h and i.j.k.l)
Now in the customer HQ the first WAN connection is the primary and the second WAN is the backup. I configured a Wireguard tunnel between the DC OPNsense and the HQ OPNsense using as peer endpoint IP address (in the DC OPNsense) e.f.g.h (primary WAN IP of the HQ OPNsense). Now if the primary WAN connection of the HQ goes down, the Wireguard tunnel also goes down because, in the virtual OPNsense in the DC, the Wireguard endpoint peer address is set to e.f.g.h (primary WAN IP address of the HQ connection).
Now the question is: how can I configure, in the virtual OPNsense in the DC, a second endpoint peer address (i.j.k.l) as backup, so that if the HQ primary WAN ISP goes down the Wireguard tunnel switches over to the secondary WAN using i.j.k.l as the peer endpoint IP address?

Thank you

3
General Discussion / DHCP Server multiple subnets on same interface
« on: January 09, 2023, 10:25:06 am »
Hi to all,

I know this topic has been covered before, but I would like to know whether there is any forecast of if and when this feature will be implemented. The functionality I'm talking about is that the DHCP server is able to release, and reserve, IPs even for remote subnets not directly connected to OPNsense. These requests all arrive over the same interface from remote routers, say Cisco, which use the dhcp-relay feature. OPNsense, based on the IP of the Cisco router that sends the request, responds to it by issuing a valid IP.

Thank you

4
General Discussion / VoIP QoS
« on: October 24, 2022, 11:25:43 am »
Hi to all,

we have the following 4 VLANs:
  • LAN - VLAN 10: 192.168.10.0/24
  • WIFI 1 - VLAN 20: 192.168.20.0/24
  • WIFI 2 - VLAN 30: 192.168.30.0/24
  • VoIP - VLAN 40: 192.168.40.0/24

We need the VoIP VLAN to have priority over the others. Our ISP connection is 100/100 Mb/s. Our goal is that if the connection becomes saturated, the VoIP VLAN takes precedence over the others and, if possible, that at least 15/15 Mb/s is reserved for the VoIP VLAN in case of bandwidth saturation.

Thank you

5
Intrusion Detection and Prevention / Suricata to protect WebServer
« on: January 12, 2021, 12:44:31 pm »
Hi,

we have many web servers with e-commerce (Magento, Prestashop, etc...) and some Windows servers that must be reachable via RDP on a non-standard port (port forwarded to 3389), and we want to test OPNsense to use it as our new firewall. The web servers have to be reachable via FTP and SSH from well-known IPs (for SSH we will use a non-standard port). Of course the most important feature for us is Suricata as IPS/IDS. Naturally we will use ET Pro Telemetry; now the questions are:
  • which are the rules to enable to protect our servers?
  • And what about false positives?
  • Is it enough to enable Suricata only on the WAN interface?
We will use OPNsense as a VM under Proxmox (KVM); could you give me some advice on how to optimize the OPNsense configuration?
Does Sensei help me?

Thank you to all

6
Web Proxy Filtering and Caching / Web filtering problems in HA configuration
« on: September 23, 2019, 09:54:26 am »
Hi,

first of all I'm sorry for my poor English...

I posted some days ago this problem in the "Production Series" forum but without luck....  :'(

I configured 2 OPNsense in HA and the synchronization is ok. My IP conf is:

  • Firewall 1 (Master) WAN Interface a.b.c.11/29
  • Firewall 1 (Master) LAN Interface 192.168.0.5/24
  • Firewall 2 (Slave) WAN Interface a.b.c.12/29
  • Firewall 2 (Slave) LAN Interface 192.168.0.6/24
  • WAN CARP VIP on both Firewall a.b.c.10/29
  • LAN CARP VIP on both Firewall 192.168.0.254/24

On the master FW I have checked all the synchronization options, from Dashboard to Unbound DNS.
My problem is with the web proxy. I enabled web filtering for HTTP (Enable Transparent HTTP proxy checked) and HTTPS (Enable SSL inspection checked). Everything works ok as long as the master firewall is up. When I simulate the master firewall going down, all CARP VIPs are switched to the slave firewall, but the web filtering doesn't work anymore. The firewall rules are the same on both firewalls. From the clients I have access to the internet (I can ping google.com) but the clients are unable to browse the internet. The problem is with the certificate. Of course I use the same CA (auto created) and server certificate (auto created) on both firewalls.

Can someone help me, please?

Thank you very much

7
19.7 Legacy Series / HA Problems and Web filtering
« on: September 18, 2019, 12:35:51 pm »
Hi,

first of all I'm sorry for my poor English...

I configured 2 OPNsense in HA and the synchronization is ok. My IP conf is:
  • Firewall 1 (Master) WAN Interface a.b.c.11/29
  • Firewall 1 (Master) LAN Interface 192.168.0.5/24
  • Firewall 2 (Slave) WAN Interface a.b.c.12/29
  • Firewall 2 (Slave) LAN Interface 192.168.0.6/24
  • WAN CARP VIP on both Firewall a.b.c.10/29
  • LAN CARP VIP on both Firewall 192.168.0.254/24

On the master FW I have checked all the synchronization options, from Dashboard to Unbound DNS.
My problem is with the web proxy. I enabled web filtering for HTTP (Enable Transparent HTTP proxy checked) and HTTPS (Enable SSL inspection checked). Everything works ok as long as the master firewall is up. When I simulate the master firewall going down, all CARP VIPs are switched to the slave firewall, but the web filtering doesn't work anymore. The firewall rules are the same on both firewalls. From the clients I have access to the internet (I can ping google.com) but the clients are unable to browse the internet. The problem is with the certificate. Of course I use the same CA (auto created) and server certificate (auto created) on both firewalls.

Can someone help me, please?

Thank you very much

8
17.7 Legacy Series / OPNsense Layer 2 over WAN (L2TPv3 ?)
« on: September 29, 2017, 04:13:06 pm »
Hi,

I have to administrate several OPNsense machines, one in my head office and the rest in multiple branches. My goal is to centralize the firewall of all the branches, but, if possible, I don't want to use a VPN (too much cost for encrypting and decrypting data). I would like to set up a Layer 2 pseudo-wire between the head office and the branches using L2TPv3. Consider that my head office has multiple VLANs and the branches can also have more than one VLAN. Every branch has a symmetric connection of 100 Mb/s and 8 static public IPs. My head office has a symmetric connection at 1 Gb/s and 64 public IPs. Is it possible to do that with OPNsense?

Thank you

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved