Topics - incirrata

1
19.7 Legacy Series / strongswan.conf location
« on: August 14, 2019, 04:51:52 pm »
Hello. I'd like to connect a remote Linux server to my firewall via IPsec using the existing strongswan.conf on my firewall as a basis for the configuration of the new tunnel. Where is strongswan.conf kept?

2
19.1 Legacy Series / Changing DHCP settings from console?
« on: March 29, 2019, 08:50:58 pm »
I've made a mistake configuring a new firewall: I enabled DHCP on LAN and, after connecting to the web interface, I checked "Deny unknown clients" without immediately adding any hosts to the static mapping list. I didn't realize the problem at first; it only became apparent when my host tried to renew DHCP. I can still log in via the console, but I can't reach the web interface at all. Is there a config file I can edit to disable "Deny unknown clients" for the LAN interface?

I've tried setting "denyunknown" in /conf/config.xml to 0 and rebooting, but this didn't do the trick.

EDIT: Disaster averted! For anyone reading this thread in the future, just follow these steps to save yourself:

  • Log into the firewall console as root or some other admin user.
  • If you logged in as root, hit 8 to go to the shell.
  • Edit the file /conf/config.xml
  • Go to the section <dhcp> and find the subsection <lan>
  • Add the line <enable>1</enable> just underneath <lan>
  • Remove the entire line <denyunknown>1</denyunknown>, don't just set it to 0!
  • Save the file
  • Reload DHCP; if you are logged in as root just go back to the console and hit 11 to reload all services
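The config.xml edit from the steps above, written out as a small Python script. This is an added example, not OPNsense's own tooling and not the poster's code. It assumes the section and element names exactly as the post gives them (`<dhcp>`, `<lan>`, `<enable>`, `<denyunknown>`); the section and interface tags are parameters so they can be matched against what the real file contains. The sample configuration embedded in it is constructed for illustration, and the script assumes `python3` is available in the firewall shell.

```python
"""Apply the config.xml edit from the steps above (added example, not OPNsense code).

Under <section>/<iface> it ensures <enable>1</enable> is present and removes the
<denyunknown> element entirely, since the post reports that setting it to 0 was
not enough. Element names follow the post; check them against the real file.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a config.xml, not a real file.
# <opt1> is included to show that other interfaces are left untouched.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <dhcp>
    <lan>
      <range>
        <from>192.168.1.100</from>
        <to>192.168.1.199</to>
      </range>
      <denyunknown>1</denyunknown>
    </lan>
    <opt1>
      <denyunknown>1</denyunknown>
    </opt1>
  </dhcp>
</opnsense>
"""


def dhcp_state(xml_text, section="dhcp", iface="lan"):
    """Return (enable, denyunknown) text values for iface, or None if the node is absent."""
    node = ET.fromstring(xml_text).find(f"./{section}/{iface}")
    if node is None:
        return None
    enable = node.find("enable")
    deny = node.find("denyunknown")
    return (enable.text if enable is not None else None,
            deny.text if deny is not None else None)


def fix_dhcp_interface(xml_text, section="dhcp", iface="lan"):
    """Return the config with DHCP enabled and 'Deny unknown clients' cleared on iface."""
    root = ET.fromstring(xml_text)
    node = root.find(f"./{section}/{iface}")
    if node is None:
        raise ValueError(f"no <{section}>/<{iface}> section in config")
    # Step 6 of the post: remove the whole <denyunknown> element, do not zero it.
    for deny in node.findall("denyunknown"):
        node.remove(deny)
    # Step 5: <enable>1</enable> directly under <iface>; reuse it if already present.
    enable = node.find("enable")
    if enable is None:
        enable = ET.Element("enable")
        enable.tail = "\n      "  # cosmetic indentation only
        node.insert(0, enable)
    enable.text = "1"
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage from the firewall shell: python3 fix_dhcp.py /conf/config.xml
    # A backup copy is written next to the file before it is overwritten;
    # afterwards reload the services as in step 8 of the post.
    path = sys.argv[1] if len(sys.argv) > 1 else "/conf/config.xml"
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    fixed = fix_dhcp_interface(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fixed)
    print("before:", dhcp_state(original), "after:", dhcp_state(fixed))
```

The function is idempotent, so running it twice is harmless, and it raises rather than silently doing nothing when the interface section is not found, which is the failure you want to notice when the tag names in the real file differ from the post.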

3
19.1 Legacy Series / Limiting cross-interface DNS in Unbound
« on: March 27, 2019, 04:26:08 pm »
Hi all, I'm setting up a guest Wi-Fi network in OPNsense. All Wi-Fi is handled via the PUBLIC interface, and I use firewall rules to prevent any traffic from reaching my LAN interface PRIVATE. However, I'm using Unbound DNS on both interfaces. PUBLIC users could still get the IP of PRIVATE hosts using nslookup, ping, etc. Is there any way to prevent that?

How it currently is:
  • PUBLIC host nslookups PRIVATE host
  • IP address of PRIVATE host is displayed

How I'd like it:
  • PUBLIC host nslookups PRIVATE host
  • ** server can't find [PRIVATE host]: NXDOMAIN

4
18.7 Legacy Series / Configuring CARP outbound NAT correctly?
« on: December 03, 2018, 06:31:48 pm »
I set up CARP using the OPNsense docs, and it mostly works; the firewalls sync and failover correctly. For the sake of example, let's say my setup has the same WAN IPs as the OPNsense docs:

Primary       172.18.0.101/24
Secondary     172.18.0.102/24
Virtual IP    172.18.0.100/24

I've made a manual outbound NAT rule with the following settings:

Interface          WAN
Source             any
Source Port        *
Destination        *
Destination Port   *
NAT Address        172.18.0.100
NAT Port           *
Static Port        NO

However there are two major problems:

  • When the primary firewall comes back up, the secondary firewall will not relinquish master status. The secondary-master must be brought down/rebooted for the primary to reclaim CARP master.
  • Regardless of which firewall is currently the backup, its WAN interfaces are perpetually down. This seems to be because it is trying to use the WAN virtual IP, but that IP is already used by the current master.

I tried everything I could think of to fix this, and eventually I found the following note in the pfSense CARP docs:

Quote
Never add outbound NAT rules that could match the WAN/Public IP addresses of the cluster. This includes both rules that have the public IP addresses listed explicitly and also rules that have any set as a source. These NAT rules will cause other problems/unintended behavior, and will break outbound connectivity from the secondary node when it is in a BACKUP state.

This exactly describes at least one of my problems. Assuming "the WAN/Public IP addresses of the cluster" would refer to 172.18.0.100, this seems to be at odds with the OPNsense CARP docs, which state the following:

Quote
Go to Firewall -> NAT and select outbound nat. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).

So, if you aren't supposed to use the WAN virtual IP, which NAT address should be used to set up outbound NAT correctly?

5
18.7 Legacy Series / General log gets "no active session, user not found" every second
« on: November 13, 2018, 10:05:49 pm »
My firewall's system log (System -> Log Files -> General) is unusable because it is getting the same "no active session, user not found" message every second. Each message is prefaced by "api" and a random number in brackets. I'm not sure what is causing this or how to fix it. Any ideas?

6
18.7 Legacy Series / Unbound DNS Override for Web GUI?
« on: October 22, 2018, 10:36:38 pm »
I have a fairly complex firewall setup with multiple physical LANs and WANs. I use DHCP static mappings to help control which hosts can connect to which LAN, and Unbound to provide DNS on each LAN and the oVPN server. The web GUI is running on a separate physical interface called CONTROL, which connects to one of the LANs, called TRUSTED.

I want to be able to access the web GUI by entering the firewall's hostname and domain in my browser, as normal, but this isn't possible right now because when I nslookup the firewall, it shows the network address of all LANs and the VPN; the interfaces marked as Network Interfaces in Unbound. I tried creating a DNS override in Unbound with just the CONTROL IP, but this just added it to the list of addresses found when using nslookup.

How can I use Unbound to provide DNS to my various LANs and VPN servers, but retain only one DNS entry that corresponds to the web GUI?

7
18.7 Legacy Series / Managing DNS between branch offices?
« on: September 05, 2018, 07:05:13 pm »
I have OPNsense firewalls deployed to two different offices that communicate with each other via IPsec tunnels. The trouble is that I need to somehow keep the DNS records of 300+ hosts consistent between the two. It would be a hassle to change both firewalls every time there is a change in one location. Is there some way to sync DNS between two different firewalls in two different physical locations?

8
18.1 Legacy Series / Cannot Traceroute WAN Connection?
« on: May 03, 2018, 10:49:17 pm »
My environment has two Netgate XG-2758 firewalls; one is running OPNsense 18.1 and the other is still on pfSense. We also have two ISPs coming in. While both ISP WAN connections work great on the pfSense firewall, they do not work properly on OPNsense despite identical upstream gateway, netmask and IPs confirmed in our block. The gateways and interfaces do not appear to go down, the daemons don't seem to crash, there is nothing unusual in the logs as far as I can tell, but the IPsec VPN tunnel has a weird flickering problem and when I try to traceroute to the firewall it just hits the upstream gateway again and again.

I have already tried all of the following:

  • A laptop using the same IP, netmask and gateway as the OPNsense firewall works as expected.
  • I have tried using different IPs in our WAN blocks; same results.
  • I have tried using different firewall interfaces as WAN; same results.
  • I have tried connecting to only one ISP at a time; same results.
  • I have tried setting up multi-WAN; same results.
  • I have tried disabling IPsec, but this problem was evident from traceroute before IPsec was configured.
  • Sticky connections is disabled.

At this point I am not sure what else to do. Does anyone have any idea how to fix this?

9
18.1 Legacy Series / Mounting from ufs:/dev/gpt/rootfs failed with error 19.
« on: February 27, 2018, 08:31:46 pm »
I've managed to get the serial installer working on my troublesome Netgate XG-2758, but I've encountered a lot of bsdlabel and mounting errors during and after install; I'm not very familiar with BSD or GEOM and am not sure what to do about this. I am using the 18.1 serial installer now, but have had the same problems with the 17.7 installer too. The only way I can complete the installation is to use the Guided install -> GPT/UEFI method; anything else results in bsdlabel errors. Choosing Guided install -> MBR produces this error:

Code:
/sbin/bsdlabel -B -r -w ada0s1
auto FAILED with a return code of 1.

Viewing the log returns the following:

Code:
BSD Installer started
DFUI connection on tcp:9999 successfully established
,- opened pty to '/sbin/sysctl -n hw.physmem'
< 17138442240
`- closed pty to '/sbin/sysctl -n hw.physmem'
`/sbin/sysctl -n hw.physmem` returned: 17138442240
,- opened pty to '/sbin/sysctl -n kern.disks'
< da0 ada1 ada0
`- closed pty to '/sbin/sysctl -n kern.disks'
`/sbin/sysctl -n kern.disks` returned: da0 ada1 ada0
/dev/mirror exists. Surveying.
,- opened pty to '/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"'
< mirror/OPNsenseMirror
`- closed pty to '/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"'
`/usr/bin/find /dev/mirror/* | /usr/bin/sed "s/\/dev\/mirror/mirror/"` returned: mirror/OPNsenseMirror
Testing mirror/OPNsenseMirror
Invoking survey for mirror/OPNsenseMirror
Surveying Disk: mirror/OPNsenseMirror ...
| Media sector size is 512
| Warning: BIOS sector numbering starts with sector 1
| Information from DOS bootblock is:
| The data for partition 1 is:
| sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
| start 63, size 234441585 (114473 Meg), flag 80 (active)
| beg: cyl 0/ head 1/ sector 1;
| end: cyl 132/ head 15/ sector 63
| The data for partition 2 is:
| <UNUSED>
| The data for partition 3 is:
| <UNUSED>
| The data for partition 4 is:
| <UNUSED>
`->>> Exit status: 0
,-<<< Executing `/sbin/bsdlabel -B -r -w ada0s1 auto'
| bsdlabel: unable to get correct path for ada0s1: No such file or directory
`->>> Exit status: 1

When this happens, it becomes impossible to leave the installer without rebooting as far as I know. <Retry> and <Cancel> will immediately display the same error again; <Skip> will cycle through a few more errors until it comes back to the original. The Manual install option also produces this error, but the <Cancel> option allows you to go back and choose other options. That being said, I was able to install GPT/UEFI on both ada0 and ada1 using the Guided install, and created an OPNsense GEOM mirror using ada0 as the primary and ada1 as the secondary. When booting the system, however, I get the following error:

Code:
mountroot: waiting for device /dev/gpt/rootfs...
Mounting from ufs:/dev/gpt/rootfs failed with error 19.

Typing "?" at the resulting mountroot prompt gives me four options: mirror/OPNsenseMirror, mirror/pfSenseMirror, ada1 and ada0. I am not sure how to remove the pfSenseMirror, but entering "ufs:/dev/mirror/OPNsenseMirror" produces this error:

Code:
Mounting from ufs:/dev/mirror/OPNsenseMirror failed with error 22.

The other devices listed present the same error. How can I mount one of these filesystems and get the system working normally?

EDIT: Figured it out. You're supposed to wipe the drives, create the GEOM mirror BEFORE installing OPNsense on either drive, then select mirror/OPNsenseMirror as the device to install to. DO NOT try to install OPNsense on ada0 and/or ada1 THEN create the mirror. Then it should just work!

10
18.1 Legacy Series / Serial installer not displaying over serial connection?
« on: February 08, 2018, 04:13:14 pm »
Hi all, trying to install OPNsense 18.1 on a Netgate XG-2758. While I've installed OPNsense using a VGA monitor and USB keyboard without problem, this model of firewall has no VGA port, only microUSB serial. I have the amd64 serial OPNsense image written to a USB drive, and can get to the BIOS over serial. However, when I choose to boot from the USB drive I get this message:

Quote
/boot/config: -S115200 -D

/oading /boot/defaults/loader.confsion 1.1port

After this, the serial connection does not seem to send/receive anymore. I have let it sit like this for an hour with no change. Any ideas what's up with it?

EDIT: Big thanks to pylox and bhsense for the following post: https://forum.opnsense.org/index.php?topic=6998.msg31097#msg31097

Pylox's instructions got the installer displaying correctly for me.

11
17.7 Legacy Series / Unable to start DHCP server?
« on: January 02, 2018, 10:31:13 pm »
I'd like to use PXE boot on my OPNsense box to install desktops on my network. To test this, I have a desktop connected directly to my firewall's LAN interface. While it has a static address now, it needs to be able to get a DHCP address for PXE, so I set the options on the Services -> DHCP -> Server -> LAN page as best as I know how and clicked the "Start Service" button in the upper right corner.

A dialog with the title "Please wait..." and a progress bar briefly appears then vanishes, and the status indicator is still red and showing "dhcpd Service is Stopped". I tried rebooting the firewall but that didn't help. Any idea why it's doing this and how I can find more info about it?

EDIT: I ultimately decided to start fresh, and the DHCP server worked as expected on a new install.

12
17.7 Legacy Series / Only DHCP on WAN interface
« on: December 20, 2017, 11:35:13 pm »
I'm trying to set up OPNsense for the first time on a Netgate XG-1541 1U. This box has two gigabit interfaces, igb0 and igb1. Here's how I set it up initially:

  • igb0: LAN assigned a DHCP static mapping address from my edge firewall, so that I can access the web interface from my desktop (which is also connected to the edge firewall via DHCP static mapping)
  • igb1: WAN with static IP and DHCP server enabled, connected to a spare desktop with a static DHCP mapping

I was able to access the web interface over the firewall's LAN no problem. My spare desktop connected to the WAN interface did get the IP I specified in its static mapping, but could not ping out, could not get files over TFTP (including PXE booting), and according to Wireshark just asks who has whatever I set as the DNS address (in this case .254) over and over. I even added a WAN firewall rule to allow all to all.

At first I thought there might be a hardware problem with igb1, so I switched them: igb0 was WAN and igb1 was LAN. I also tried setting static IP vs. DHCP and connecting to the edge firewall vs. the spare desktop on both. No matter what I tried, only LAN worked - WAN was never able to send more than a DHCP lease to the spare desktop, and anything connected to WAN (whether igb0 or igb1) could reach the firewall.

Other than the static/DHCP settings and user accounts, I haven't changed anything from stock OPNsense defaults. Is OPNsense just incompatible with this hardware for some weird reason? Is there some hidden setting or rules trickery required to get WAN working? What am I missing, and how can I fix this so that I can connect to both the wider network AND a spare desktop or switch with many desktops connected? Eventually I would like this to replace my edge firewall - will I need to change it somehow to do that?
