Topics

I have setup a pair of firewalls using three public IPs all within a /24 subnet. This is the same setup as shown in the docs just with different IPs. https://docs.opnsense.org/_images/900px-Carp_setup_example.png.

The problem is the backup firewall (doesn't matter which one) has severe packet loss (40-80%). The primary firewall always works fine when using the VIP.

For example in the diagram above if I ping 8.8.8.8 or any other site from the backup firewall using 172.18.0.102 I get packet loss. If I failover then I get packet loss when pinging from 172.18.0.101.

I haven't got any NAT rules other than for the VIP.

Any idea what could be causing this or what I can check to debug the issue? Thanks

On my opnsense install the /etc/hosts file has a single entry for the firewall but I can't work out how it selects which address to use.

Code Select Expand

root@firewall:~ # cat /etc/hosts
127.0.0.1       localhost       localhost.home
::1             localhost       localhost.home
192.168.2.254   firewall        firewall.home

My firewall has 8 vlans with IPs on and it appears to select one to put into the hosts file.
Is there a way to influence which IP address is used?

It is possible to specify which serial port to use? e.g. /dev/ttyu1

My board has two serial ports and I can see the console on /dev/ttyu0 but not /dev/ttyu1.
I would like to use /dev/ttyu1 if possible.

I have found a strange issue on opnsense 20.7.7_1-amd64 when running multiple OpenVPN servers.

The first server seems to work fine but I am finding the second server (configured the same but with different tunnel subnet and port) users can connect to the VPN but none of their traffic is routed.

I have tested this on two separate opnsense instances and both had strange routing/firewall problems with the second OpenVPN server.

Any ideas why this might happen?

Is it possible to set a default domain on unbound so if a DNS request comes in for a hostname (not fqdn) it appends a default domain to it.
e.g. DNS request for 'printer.' gets mapped to 'printer.home'

Currently I can't get these requests to resolve to anything even with static mappings.

I am trying to get alerts for gateway status. e.g. I would like to receive an email saying gateway x went down at 12:34 03/11/19 and then another email when it came back again.
Unfortunately if the gateway goes down it can't send an email as their is no internet connection so the email would have to be cached until internet is restored. My old firewall used to do this perfectly but I can't find a way to do this on opnsense.
I have found the monit gateway_alert service but this doesn't seem to work for me, possibly because I am not using gateway groups or because the email notifications are failing to send due to no internet.

Is is possible to get opnsense to do what I want or am I better off using an external system to monitor the gateway?

I am running OPNSense on a Xeon X5550 box. We have a 1Gb link to a OpenVPN server which we have tested can provide 800Mb using a desktop PC.
When we use the OPNSense box to connect to the VPN it can only provide 200Mb of throughput through the VPN. I have ssh'd into OPNSense and it only ever appears to be using 45% of a single CPU core. I know OpenVPN is single threaded so I can't expect much, but is it possible to debug what is the bottleneck and why the openvpn process is not using more than 45%?

I need to set the gateway that each interface can use and this needs to be failsafe so I have enabled "Skip rules when gateway is down".
However I find that none of my traffic is reaching the gateway, it appears that the firewall thinks the gateway is down as no rules are created and all my traffic hits the default block rule. If I disable "Skip rules when gateway is down" then all the traffic goes out the default firewall gateway instead of the one I have specified. When I check the gateway under system->gateways all the gateways are marked as online (although gateway monitoring is disabled).

My gateway is not a physical interface but a openvpn client with a virtual IP.
Any idea why this is happening or how to debug this problem?

Edit: I am running 18.7.9

When I select 'redirect gateway' in the openvpn server settings it does not have any effect.
Is this pushed to the client when they connect or should it add a option to the client export config file?

I am trying out OPNsense for the first time and I am having lots of problems with DNS.
DNS works fine if I set unbound up as a forwarder and put 8.8.8.8/8.8.4.4 in the system settings.

However if I disable forwarding, DNS does not work at all. I thought in this mode it should fetch DNS responses from the root DNS servers, however it does not appear to be working. If I use tcpdump I can see lots of responses from root servers as well as ServFail responses.

If I try and use DNSSEC DNS also stops working for all my clients and in the log file I see "unbound: [65437:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN".

I have also noticed I am getting a lot of IPS alerts that are DNS related. With DNS forwarding disabled:
allowed   198.97.190.53   192.168.1.65   SURICATA DNS malformed response data

With DNS forwarding enabled:
allowed   8.8.8.8   192.168.1.65   SURICATA DNS malformed response data

Any idea what is wrong?

Here are my settings:

I have created a USB stick using OPNsense-17.7-OpenSSL-vga-amd64.img but I can't get it to boot. It always hangs on EFI framebuffer information.



I have tried adding to the boot options  set kern.vty="vt" and set console="efi" but not had any success.
Is there anything else I can try?