Topics - FCM

1
Hardware and Performance / OPNsense on Netgate SG-1100?
« on: February 21, 2019, 10:08:38 am »
Hello! :)
I just read that some people managed to make OPNsense work on old Netgate appliances.
So I'm wondering if we can put OPNsense on the SG-1100 in place of pfSense?
The appliance seems nice and at a good price (around 160 $/€).
Thanks

2
19.1 Legacy Series / [Solved] Can we have the old SNMP plugin too please?
« on: February 20, 2019, 11:29:11 am »
Hello,
I use SNMP to check my distant sites (via OpenVPN).
Until now I used the old SNMP plugin and had no problem with it.
I tried once to make the new one work but it didn't, so I kept the old one.

But with 19.1, only net-snmp is available. And it doesn't start at all.
When I removed the plugin and installed it again I saw this:

Quote
**** This port installs snmpd, header files and libraries but does not
     start snmpd by default.
     If you want to auto-start snmpd and snmptrapd:, add the following to
     /etc/rc.conf:

   snmpd_enable="YES"
   snmpd_flags="-a"
   snmpd_conffile="/usr/local/share/snmp/snmpd.conf /etc/snmpd.conf"
   snmptrapd_enable="YES"
   snmptrapd_flags="-a -p /var/run/snmptrapd.pid"

**** You may also specify the following make variables:

   NET_SNMP_SYS_CONTACT="zi@FreeBSD.org"
   NET_SNMP_SYS_LOCATION="USA"
   DEFAULT_SNMP_VERSION=3
   NET_SNMP_MIB_MODULES="host smux mibII/mta_sendmail ucd-snmp/diskio"
   NET_SNMP_LOGFILE=/var/log/snmpd.log
   NET_SNMP_PERSISTENTDIR=/var/net-snmp

     to define default values (or to override the defaults).  To avoid being
     prompted during the configuration process, you should (minimally) define
     the first two variables. (NET_SNMP_SYS_*)

     You may also define the following to avoid all interactive configuration:

   BATCH="yes"
Checking integrity... done (0 conflicting)
Nothing to do.
So, do we really have to make these modifications to make it work?
In that case, I prefer the old one...
I don't have an error I can use when I try to start the service manually:
Quote
root: /usr/local/etc/rc.d/snmpd: WARNING: failed to start snmpd

Thanks for any help

3
18.7 Legacy Series / OpenVPN clients: no more multiple IPv4 remote networks?
« on: January 10, 2019, 05:15:52 pm »
Hello :)
I have some OpenVPN clients running fine for the last months and I am trying to make a new one.

It has been a long time since I did one, so I was surprised when I wanted to put 2 IPv4 networks in the IPv4 remote network field (my LAN and VoIP networks, as usual) and I got this message:
Code:
The field 'IPv4 Remote Network' must contain a single valid ipv4 CIDR range.
But the help text still says:
Quote
These are the IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank to only communicate with other clients.

So I thought I had messed something up, went to my working OpenVPN clients and tried to modify the addresses in the field, and if I leave 2 networks comma separated, I get the same error message! (Since they are working fine, I didn't push further.)
So is it a modification I missed? Or a bug?
If it's by design, how do I put in my 2 networks? 2 clients??
Thanks a lot.

4
Web Proxy Filtering and Caching / Proxy logs: how long by default?
« on: September 21, 2018, 04:09:17 pm »
Hello :)
The proxy logs in the GUI show only the latest cache/auth/store logs (more or less the last 30 entries).
I suppose that there are more elsewhere but not visible from the OPNsense GUI?
How many days are logged by default? Can we read them easily? Do we have to clean them to avoid the file becoming too huge?

Thanks a lot.

5
18.7 Legacy Series / WPAD/PAC
« on: September 07, 2018, 01:43:46 pm »
Hello,
Since I can't use the transparent proxy I am looking for the WPAD/PAC feature described in the wiki.
I searched the forum and understood that this feature was removed.
But messages since 2017 are saying it will be back in the 18.7 series...
But 18.7.2 is out and still no option for WPAD.
Can we have an educated guess for the release version please? :P
Thanks a lot :)

6
Web Proxy Filtering and Caching / Captive portal only in transparent proxy mode?
« on: June 27, 2018, 04:57:44 pm »
Hello,
I have an OPNsense with the standard proxy (not transparent) linked to my LAN interface.
I would like to put up a splash screen telling the people trying to connect that they have to change their proxy settings.
So I activated a captive portal with no authentication for that, but I get no splash screen; even if the proxy settings are good, you can use the Internet with no warning...

Does the captive portal work only in transparent mode?
Thanks

7
18.1 Legacy Series / IPsec, randomly up and down
« on: June 11, 2018, 04:42:39 pm »
Hello :)
I have 2 distant sites connected to my main site with IPsec VPN.
At first everything was fine...
And then, after less than a day, no more VPN!
The IPsec connection status on each site said that everything was connected and routed, but nothing went through them...
And then, for no reason, it was up again! And after some time (could be 45 min or 6 hours) it was down again...

It happened with both distant sites, not at the same time (one is running fine, not the other, then the 2 of them, then none, ...)

I activated DPD on all of them but it changes nothing...
So what can I check or change? Working or not working I can understand, but when it's random it's not easy to find...

Thanks

I put my log of the main site here, just in case:
Code:
Jun 11 16:40:46 charon: 11[NET] <con1|68> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (464 bytes)
Jun 11 16:40:46 charon: 11[IKE] <con1|68> retransmit 1 of request with message ID 0
Jun 11 16:40:45 charon: 09[IKE] <con2|3> CHILD_SA con2{5} established with SPIs c2e53322_i cc5291b7_o and TS 10.0.0.0/24 192.168.20.0/23 === 10.2.1.0/24 192.168.71.0/24
Jun 11 16:40:45 charon: 09[IKE] <con2|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 11 16:40:45 charon: 09[ENC] <con2|3> parsed CREATE_CHILD_SA response 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jun 11 16:40:45 charon: 09[NET] <con2|3> received packet: from 88.188.61.125[4500] to 192.168.13.4[4500] (528 bytes)
Jun 11 16:40:44 charon: 09[NET] <con2|3> sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (468 bytes)
Jun 11 16:40:44 charon: 09[NET] <con2|3> sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (1236 bytes)
Jun 11 16:40:44 charon: 09[ENC] <con2|3> generating CREATE_CHILD_SA request 0 [ EF(2/2) ]
Jun 11 16:40:44 charon: 09[ENC] <con2|3> generating CREATE_CHILD_SA request 0 [ EF(1/2) ]
Jun 11 16:40:44 charon: 09[ENC] <con2|3> splitting IKE message with length of 1616 bytes into 2 fragments
Jun 11 16:40:44 charon: 09[ENC] <con2|3> generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jun 11 16:40:44 charon: 09[IKE] <con2|3> establishing CHILD_SA con2{5}
Jun 11 16:40:44 charon: 11[CFG] received stroke: initiate 'con2'
Jun 11 16:40:44 charon: 13[JOB] <67> deleting half open IKE_SA with 80.14.223.215 after timeout
Jun 11 16:40:42 charon: 16[NET] <con1|68> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (464 bytes)
Jun 11 16:40:42 charon: 16[ENC] <con1|68> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:40:42 charon: 16[IKE] <con1|68> initiating IKE_SA con1[68] to 80.14.223.215
Jun 11 16:40:42 charon: 15[CFG] received stroke: initiate 'con1'
Jun 11 16:40:34 charon: 16[IKE] <67> sending keep alive to 80.14.223.215[500]
Jun 11 16:40:26 charon: 16[IKE] <con1|58> establishing IKE_SA failed, peer not responding
Jun 11 16:40:26 charon: 16[IKE] <con1|58> giving up after 5 retransmits
Jun 11 16:40:23 charon: 16[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:40:14 charon: 16[NET] <67> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:40:14 charon: 16[ENC] <67> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun 11 16:40:14 charon: 16[IKE] <67> sending cert request for "C=NL, ST=ZH, L=Middelharnis, O=OPNsense, E=spam@opnsense.org, CN=internal-sslvpn-ca"
Jun 11 16:40:14 charon: 16[IKE] <67> remote host is behind NAT
Jun 11 16:40:14 charon: 16[IKE] <67> local host is behind NAT, sending keep alives
Jun 11 16:40:14 charon: 16[IKE] <67> 80.14.223.215 is initiating an IKE_SA
Jun 11 16:40:14 charon: 16[ENC] <67> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:40:14 charon: 16[NET] <67> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:40:03 charon: 05[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:39:56 charon: 05[JOB] <66> deleting half open IKE_SA with 80.14.223.215 after timeout
Jun 11 16:39:50 charon: 05[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:39:50 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:50 charon: 05[ENC] <66> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:39:50 charon: 05[NET] <66> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:39:46 charon: 05[IKE] <66> sending keep alive to 80.14.223.215[500]
Jun 11 16:39:37 charon: 05[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:39:37 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:37 charon: 05[ENC] <66> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:39:37 charon: 05[NET] <66> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:39:36 charon: 05[CFG] ignoring acquire, connection attempt pending
Jun 11 16:39:36 charon: 16[KNL] creating acquire job for policy 192.168.13.4/32 === 80.14.223.215/32 with reqid {1}
Jun 11 16:39:30 charon: 16[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:39:30 charon: 16[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:39:30 charon: 16[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:30 charon: 16[ENC] <66> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:39:30 charon: 16[NET] <66> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:39:26 charon: 16[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
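As an added example (not from the post or from OPNsense), here is a small Python parser for the charon log format shown above. It groups lines by IKE_SA tag, records the remote address and whether the attempt was inbound or outbound, counts retransmits from either side (a sign that IKE packets are not arriving), notes how each attempt ended, and then totals failures per peer, so a log like the one above can show whether one peer fails in both directions while another stays established. The sample lines are constructed in the post's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the charon format shown in the post (GUI order: newest first).
SAMPLE_LOG = """\
Jun 11 16:40:45 charon: 09[IKE] <con2|3> CHILD_SA con2{5} established with SPIs c2e53322_i cc5291b7_o
Jun 11 16:40:44 charon: 13[JOB] <67> deleting half open IKE_SA with 80.14.223.215 after timeout
Jun 11 16:40:26 charon: 16[IKE] <con1|58> giving up after 5 retransmits
Jun 11 16:40:23 charon: 16[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:40:14 charon: 16[IKE] <67> 80.14.223.215 is initiating an IKE_SA
Jun 11 16:39:56 charon: 05[JOB] <66> deleting half open IKE_SA with 80.14.223.215 after timeout
Jun 11 16:39:50 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:37 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:26 charon: 16[IKE] <con1|58> retransmit 1 of request with message ID 0
Jun 11 16:39:22 charon: 16[IKE] <con1|58> initiating IKE_SA con1[58] to 80.14.223.215
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: \d+\[[A-Z]+\] "
                     r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
# The remote address follows one of these phrases, or opens the message.
PEER_RE = re.compile(r"(?:initiating IKE_SA \S+ to |keep alive to |half open IKE_SA with |^)"
                     r"(\d+\.\d+\.\d+\.\d+)")
RETRANSMIT_RE = re.compile(r"^(?:retransmit \d+ of|received retransmit of) request")
OUTCOMES = {"giving up after": "failed: peer not responding",        # we gave up initiating
            "deleting half open IKE_SA": "failed: half-open timeout",  # peer never finished
            "established with SPIs": "established"}


def parse_charon_log(text):
    """Return {sa_id: {peer, direction, retransmits, outcome}} per IKE_SA."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["sa"]:  # lines without an <sa> tag are global, not per-SA
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["sa"], m["msg"]))
    events.sort(key=lambda e: e[0])  # syslog has no year; replay oldest first
    sas = defaultdict(lambda: {"peer": None, "direction": None, "retransmits": 0, "outcome": "pending"})
    for _, sa, msg in events:
        rec = sas[sa]
        if rec["peer"] is None and (m := PEER_RE.search(msg)):
            rec["peer"] = m.group(1)
        if msg.startswith("initiating IKE_SA"):
            rec["direction"] = "outbound"
        elif " is initiating an IKE_SA" in msg:
            rec["direction"] = "inbound"
        if RETRANSMIT_RE.match(msg):  # either side resending means packets are not arriving
            rec["retransmits"] += 1
        for key, label in OUTCOMES.items():
            if key in msg:
                rec["outcome"] = label
    return dict(sas)


def failures_by_peer(sas):
    """Count failed vs established IKE_SAs per remote address."""
    out = defaultdict(lambda: {"failed": 0, "established": 0})
    for rec in sas.values():
        if rec["peer"] and rec["outcome"] != "pending":
            out[rec["peer"]]["failed" if rec["outcome"].startswith("failed") else "established"] += 1
    return dict(out)
```

Run it over a copy of the full log from the GUI (newest first is fine, the parser reorders by timestamp) and compare the per-peer totals with which tunnels the status page claims are up.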

8
18.7 Legacy Series / [solved] IPsec, phase 2 and routing
« on: May 17, 2018, 12:20:09 pm »
Hello there :)

In my long quest to make my distant data LAN and VoIP LAN work, I am trying the IPsec VPN after the OpenVPN...

So I followed the wiki and created an IPsec site-to-site tunnel.

The problem is that the tunnel itself seems to have glitches on site A, and phase 2 is not in place...

I mirrored all the configuration and don't know where the problem is...
And something bothers me: when I look at the route tables, I see that the distant LAN is routed via the WAN gateway of each OPNsense. Is this normal?

Site A and B routes: (screenshot not included)

My configurations:

IPsec configurations: (screenshot not included)

IPsec status: (screenshot not included)

The glitches that occur: (screenshot not included)

I can add connection logs if it adds information that helps...
Thanks

Networks:
Site A
LAN in 192.168.20.32/23
WAN in 192.168.13.4/24
OPNsense behind a Stormshield firewall

Site B
LAN in 192.168.13.1/24
WAN in 192.168.100.16/24

9
18.1 Legacy Series / OpenVPN TAP tunnel, how to?
« on: April 24, 2018, 11:56:20 am »
Hello
This follows my last post on DHCP through VPN (https://forum.opnsense.org/index.php?topic=7950.0)...
I understood that to make my (Avaya) phones from a distant site work I have to activate a TAP tunnel to let DHCP work.

So is there somewhere or someone who has made this kind of configuration and can say how to configure the OPNsense servers on the main and distant sites to let the phones on the distant site connect to the server on the main site?

The wiki for the TUN part was great; I need something similar for TAP... For a beginner like me, at first I assumed that you only have to switch the TUN option to TAP, but there is a lot more to do (remove tunnel information, create bridged interfaces, no need to route, ...?...)
I tried this one https://forum.opnsense.org/index.php?topic=5716.0 but it lacks details, and it doesn't work...

I need information on the fact that you have to put "mode server" in the advanced part of the VPN server, because when I do that I can't use shared keys anymore.

I am reading the pfSense forum too, and will try what they said, but I don't know if everything working on pfSense will work on OPNsense...

I am trying to make this work, but I have been on it for the last 10 days, and my brain is hurting.

So please, if someone uses an OpenVPN TAP tunnel to let phones or computers from a distant site connect to a local network to get a DHCP lease and network access, help me.
My boss doesn't understand why I take so much time to do this; we have other distant sites working with MPLS and doing fine, and other TUN VPNs were quickly in place... I can't tell him that I lack the knowledge to do this, he already knows that I suppose :(
Thanks

10
18.1 Legacy Series / DHCP relay over VPN?
« on: April 18, 2018, 05:23:20 pm »
Hello :)

I finally managed to have a functional VPN tunnel between my main site and a distant site.

The problem I have now is with DHCP:

My phone DHCP is on a VLAN on my main site's network, and I can't edit the address in the phones (Avaya); they want to find their information through DHCP.
So to let my phones on the distant site find the phone server I activated the DHCP relay with the phone server... And I stopped the DHCP on the OPNsense which was used for the LAN addresses...
And I put the address of my main site DHCP inside the DHCP relay so the distant computers get their addresses the same way as the phones...

But neither computers nor phones get an IP address :(

So is there something to do to let the DHCP relay work through the VPN?

Thanks

Main site:
 - LAN on 192.168.20.0/23, DHCP on 192.168.20.170
 - Phones on 128.42.66.0/24 VLAN 66, Server on 128.42.66.7

Distant site:
 - LAN on 192.168.69.0/24
 - Phones on 128.42.80.0/24 VLAN 66

OpenVPN tunnel on 10.10.0.0/24
OPNsense server on main site, interfaces:
 - LAN with 192.168.20.32
 - VOIP with 128.42.66.6
 - WAN through the DMZ
OPNsense server on distant site:
 - LAN with 192.168.69.1
 - VOIP with 128.42.80.1
 - WAN through internet box

Thanks a lot

11
18.1 Legacy Series / VPN with DNS and client problem
« on: April 03, 2018, 05:15:23 pm »
Hello :)

1. The situation:
I am trying to have a VPN between our main site and a distant site.
The main site uses a Stormshield as firewall, the distant site uses an OPNsense firewall.
Nomadic people can reach our main site when connecting to the Stormshield with the Netasq/Stormshield tool.
The OPNsense connects to the Stormshield; I can ping computers in the main site network but only by their IP, I can't resolve internal names.
The client computers connected to the OPNsense (using the OPNsense as DHCP and gateway) can't see the main site IPs nor the named servers.

2. The networks
Main site uses 192.168.20.0/23 as main address
Distant site is on 192.168.69.0/24
The tunnel is on 192.168.165.0/24

3. OPNsense settings:
I used the wiki topic on VPN site to site: https://wiki.opnsense.org/manual/how-tos/sslvpn_s2s.html
And managed to connect both sites (VPN connection picture below)
I put the DNS from my main site on the OPNsense, but even if they are queried they don't answer about their network (DNS & DNS2 pictures)
I activated the VPN interface (interfaces picture) and the Dnsmasq DNS (on all)

4. So what did I miss?
I suppose that firewall and NAT rules have to be made? But how? The wiki talks about creating the link but not about how to let other computers use it...
For the DNS it is perhaps an option on the DNS or on which interface to put the DNS on, but I don't see how to do that...

I think that my networks are standard so the problem has to be simple to correct, but I don't have the knowledge to resolve it.

Thanks in advance.

12
17.7 Legacy Series / Transparent Proxy: HTTPS blacklisted websites get no warning message
« on: November 03, 2017, 03:37:25 pm »
Hello again :)

So, one of my last problems is the fact that when people go to blacklisted HTTPS websites, the page is blocked but they get no message. (Works well in HTTP.)

Instead they get a failure on the connected page, with an error code SSL_ERROR_RX_RECORD_TOO_LONG...

I am using "Enable SSL inspection" because our director doesn't want the man-in-the-middle operating mode, nor the certificate obligation...

So, the proxy does the job by blacklisting websites, but people will not know why the page is not shown: they will blame our service when they should blame their behaviour...

Logs return this message:
Code:
kid1| SECURITY ALERT: Host header forgery detected on local=52.178.178.16:443 remote=192.168.4.10:55420 FD 36 flags=33 (local IP does not match any domain IP)
Thanks in advance if someone has a clue.
:)

13
17.7 Legacy Series / Captive Portal AND Proxy
« on: November 02, 2017, 03:51:26 pm »
Hello,
I am trying to make the proxy service and the captive portal work together.
I have successfully set up the proxy so people on the targeted LAN can't go where they have nothing to do (not entirely successful because google.com/google.fr doesn't work anymore, but that's another problem).
Then I have tried (for a long time) to make the captive portal work with it...

After a lot of tries, forum checks, ..... I only have 2 results:
1. Nothing works (it can't find the page, like a DNS problem... but, yes, the DNS rule is first)
2. If I remove the automatic NAT rules created by the proxy for the 3128/3129 forcing, it works but the proxy does nothing: all the websites are free to go...

I checked the "Shared forwarding" rule in advanced/firewall settings
I checked the HTTP and HTTPS transparent proxy rules in the captive portal zone
The LAN interface is in Proxy interfaces (forward proxy settings)

I tried to create firewall rules on the LAN interface to send data to 3128 and 3129 but it doesn't work

The "Setup Guest Network" is great but there is no clue there to make it work with the proxy (the rule is in "all accessible mode") :(

So if someone has clues or ideas, I thank you in advance!
(and sorry for my English)
