Topics - godfather007

#1
Hello,

For a while it has been mentioned that DHCP and OpenVPN have legacy status and, after putting off investigations for too long, I started to look into this.


I got it working, although routes are not coming through.

They get pushed to the client (Linux as well as Windows), but only the closest one (where the VPN is hosted) is working.

My main location (where the OPNsense is) is 10.80.0.0/16, the remote location is 10.100.0.0/16 (this gets pushed to the client but does nothing).


Any idea? I tested this on 2 locations with the same results.

24.7.10


Thanks!


EDIT:

It was a return route on a WireGuard tunnel which had been forgotten.
#2
Hi,

I'm using TrueNAS SCALE as a hypervisor, running OPNsense as a VM.
Giving it multiple cores, 2 GB RAM, a virtio NIC and the latest OPNsense, and tested on different platforms:

System 1: an old Kabini quad core @ 2.050 MHz
System 2: an older Intel Xeon E5-2675 16 core @ 1.800 MHz
System 3: a relatively new AMD Ryzen 5 3400G 4 core @ 4000 MHz

My Gbit internet readings are at:
System 1: 350 Mbit
System 2: 750 Mbit
System 3: 975 Mbit

Systems 1 and 2 get double the performance when given multiple threads/cores, but are limited to the readings above, while the 3rd system can handle Gbit speed with even 1 thread/core.

Even when I quadruple the core count on system 1 or 2, it does not matter. Readings stay the same and, from the CPU indicator on the main page of TrueNAS, it looks like a single thread using 100% core time. Also using multiple TCP streams does not affect the maximum speed; it stays limited.

Is this explainable by the CPU's frequency alone, or should I go to the BSD tuning pages? I'm fine with my 750 Mbit though, but just curious.


Thanks for any substantiated insights
#3
Hi,

Two weeks ago I upgraded my HA config to 21.7.7 and today I am experiencing some issues.


  • One of my main switches just disappears and reappears in ping requests from my Zabbix interface. When it happens, it's only possible to ICMP the thing from that same VLAN. Happens every UNKNOWN.

  • Another issue: a UDP state to my other branch does not close, so the VPN does not reconnect. A reboot fixed it. This never happened before.

  • A third issue: under Interfaces/Overview, all the physical interfaces appear as unassigned.


I see there is a new upgrade to the 22 series. An upgrade of a 3rd OPNsense appliance did not fix the "unassigned" issue. I will try a config restore on 22 and compare the interface section of the XML file.

I found a patch at pfSense: https://redmine.pfsense.org/issues/12698
Could this cause my issue(s)?


Thanks in advance
#4
22.1 Legacy Series / RESOLVED OTP device lost
January 30, 2022, 12:42:12 AM
Maybe there is a simple answer for this: I lost my phone with the authenticator app.

Does anyone know how to log in to the root account and re-establish it?

Thanks in advance
#5
18.7 Legacy Series / dhcp relay on WAN
February 08, 2019, 12:13:38 PM
We have a problem with DHCP relay over the WAN interface of a branch office in our network.

Our setup is 2 OPNsense firewalls/routers on 2 sites, and site 1 is the upstream router for site 2. The internet breakout is on site 1. Between site 1 and site 2 is the 172.16.253.0/30 subnet and no NAT.

INTERNET <--> OPNsense1 <--> OPNsense2

On both sites we have a DHCP server, but we would like to turn off the DHCP server on site 2 and relay DHCP requests to the DHCP server on site 1. This is not possible because the DHCP server is behind the WAN interface of OPNsense2...

WHY??
#6
Hi,

I'm trying to follow the web proxy setup.
Manually the web proxy works with manual settings to 3128, but now I want to change it to transparent.

My setup is:

client @ vlanX (10.80.24.0/24)
opnwebprxy @ vlanY (10.80.25.32)

Through opngateway (10.80.5.1) I try to create a NAT rule to forward HTTP & HTTPS to that 10.80.25.32.
Squid answers:

The following error was encountered while trying to retrieve the URL: /
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
Missing or incorrect access protocol (should be http:// or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed.


"Transparent" is already enabled on squid.
I did not enable the CA yet, but I'm first testing it with a non-SSL site.


So, the rule is:
interface vlanX
ipv4tcp
source: vlanXnet
source-range: any any
dest: any
dest-range: http http
redirect: 10.80.25.32
target-port: 3128
enable nat-reflection
rule NAT

Moved the rules to the top, as I've read this somewhere.

Any idea what I could be missing?

Thanks
#7
18.1 Legacy Series / upgrade problems
April 08, 2018, 07:46:19 AM
Hi,


For a while I've been trying to upgrade from 1.7 to 1.8 without success.

After an export and import, NAT does not work anymore.

From the host I can ping the internet, but from my private network it cannot be reached: "errors loading the rules /tmp/rules.debug.158"

The lines in there look like this:


scrub on re1_vlan534 all
scrub on re1_vlan536 all
scrub on re1_vlan538 all
scrub on re0_vlan34 all
scrub on gif0 all

157:no rdr proto carp all
158:nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
159:nat on re0_vlan34 inet from (re1_vlan502:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
160:nat on re0_vlan34 inet from (re1_vlan504:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
161:nat on re0_vlan34 inet from (re1_vlan506:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
nat on re0_vlan34 inet from (re1_vlan508:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
nat on re0_vlan34 inet from (re1_vlan510:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule


I already switched the outbound NAT setting from "automatic" to "manual", hoping the wrong bit would flip back to a functional state.


Any idea where this could be coming from?
#8
Hi,

Looking into the web proxy to whitelist access to windowsupdate.com etc. for certain IPs.

Tried to allocate "*.*, 0.0.0.0/0.0.0.0" to the blacklist, but it only accepts single entries thus far: "meuk.com".

Is it possible through the GUI, or should I create squid ACL lists at shell level?


Thanks
#9
Development and Code Review / ipv6 alias causes crash
October 22, 2017, 09:32:33 AM
Hi,

When making an alias for an IPv6 range, the box (Alix APU) has big problems calculating this:

ipv6:range:low::0 - ipv6:range:between:ffff:ffff:ffff:ffff
ipv6:range:between+1::0 - ipv6:range:high:ffff:ffff:ffff:ffff

and needs to be restored from a previous config.


The problem does not appear when using the following notation:

ipv6:range:low::0/54
ipv6:range:blck1:0/53
ipv6:range:blck2:0/52

as helped by the following site:
https://www.ultratools.com/tools/rangeToipv6CIDRResult



So, whenever using the "-" notation... the box crashes whenever I hit the apply button.


I don't know if someone else is observing the same...
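The range-to-CIDR split that the post does by hand with the online tool, as an added example (not from the original post and not OPNsense code): a greedy conversion of an inclusive IPv6 range into the aligned prefixes an alias accepts, cross-checked against Python's ipaddress module. The 2001:db8:: addresses are constructed documentation-prefix samples.

```python
import ipaddress


def range_to_cidrs(low: str, high: str) -> list[str]:
    """Split the inclusive IPv6 range low..high into the fewest aligned prefixes.

    Greedy: at each step take the largest block that both starts at the
    current address (alignment) and does not run past the end of the range.
    """
    start = int(ipaddress.IPv6Address(low))
    end = int(ipaddress.IPv6Address(high))
    if start > end:
        raise ValueError("range start is above range end")
    blocks = []
    while start <= end:
        # Alignment: a block of 2^k addresses must start on a multiple of 2^k,
        # so k is bounded by the number of trailing zero bits of `start`.
        align_bits = 128 if start == 0 else (start & -start).bit_length() - 1
        # Size: the block must not exceed the remaining range length.
        size_bits = (end - start + 1).bit_length() - 1
        host_bits = min(align_bits, size_bits)
        blocks.append(f"{ipaddress.IPv6Address(start)}/{128 - host_bits}")
        start += 1 << host_bits
    return blocks


def stdlib_cidrs(low: str, high: str) -> list[str]:
    """Reference result from the standard library, for cross-checking."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv6Address(low), ipaddress.IPv6Address(high))
    return [str(n) for n in nets]


if __name__ == "__main__":
    # Constructed sample: a range that is not a single prefix, so the
    # "low - high" notation must become several CIDR blocks (as in the post).
    low, high = "2001:db8::", "2001:db8:0:1bff:ffff:ffff:ffff:ffff"
    for block in range_to_cidrs(low, high):
        print(block)
    assert range_to_cidrs(low, high) == stdlib_cidrs(low, high)
```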
#10
17.7 Legacy Series / USB transmission failed
October 17, 2017, 02:00:14 PM
Hi,

During the second boot (after resizing the partition) on my Alix APU, I get these messages:

USB transmission failed
USB transmission failed
USB transmission failed

with some ehci messages in between...

A slow USB stick continues to boot after 3 of those messages; other sticks hang endlessly during boot.


Is there a fix that I can use (a sysctl adjustment)?


Thanks,
Martijn
#11
17.7 Legacy Series / backup restore question
October 16, 2017, 08:42:37 PM
Hi all,

I forgot to use a nano image on my USB stick.
When things started to act weird I rebooted the device, but now it hangs on "configuring firewall".
Just before the reboot I made a backup (5 MB in size, must be with RRD).

When I use that backup to restore a fresh image (only VLAN and interface restore), it already gets stuck on "configuring firewall"...


Does anybody know why the thing keeps hanging on the "configuring firewall"?


I just switched from pfSense to OPNsense and that took me a whole day of work copying all that info by hand.....

Thanks