Topics

1

20.1 Legacy Series / Unbound DNS

« on: April 04, 2020, 05:33:40 pm »

I have two separate LAN networks, each behind an OPNsense firewall with two private domains:

aaa and bbb

The two networks are link via a site-to-site VPN;

On each network, Unbound is configured as the local DNS server to to resolve local host names of the format:
 
host1.aaa and host2.aaa for the one network and host3.bbb and host4.bbb for the other network.

How do I configure the Unbound DNS server on the aaa domain to forward queries for hosts on the bbb domain to the Unbound server on the bbb domain?

2

19.1 Legacy Series / [SOLVED] Root is now read-only

« on: July 11, 2019, 10:43:23 am »

I upgraded to the latest version 19.1.9, but now the root user is read-only.
The second admin user is now also read-only.

I can no longer add / edit users.

Also, when I try and edit a route, I get the following error:

User root denied for write access (user-config-readonly set)

How do I fix this?

3

18.7 Legacy Series / Can't Create Users or Groups - No Permissions

« on: November 15, 2018, 02:57:00 pm »

I am running version 18.7.7 in HA cluster

We use the local database for authentication of users

When logged in as root on the primary fw, it is not possible to create a new User or a new User Group.

The error message is:

You do not have permission to perform this action.

What am I missing here?

4

18.7 Legacy Series / CARP VIP, IP Alias and VHID on VLAN's

« on: November 15, 2018, 09:28:50 am »

I am running the latest 18.7.7 on two identical boxes in a HA cluster with CARP.

On the LAN side, I have 8 VLANS's defined on the the single LAN interface.

Each VLAN has it's own /24 subnet, defined ad follows:

VLAN 10
10.11.10.1/24     CARP VIP, with VHID=10
10.11.10.91/24   Box One Interface
10.11.10.92/24   Box Two Interface
   
VLAN 20
10.11.20.1/24     CARP VIP, with VHID=20
10.11.20.91/24   Box One Interface
10.11.20.92/24   Box Two Interface

etc for all VLANS

This all works very well.

Somewhere I read that CARP monitors a physical link and that that this setup creates unnecessary CARP broadcast traffic that is essentially redundant, as all the VLANS are on the same physical interface and cable. You will not have a failure where only one VLAN subnet (virtual Interface) will fail, all the VLAN virtual interfaces will fail together if the physical interface fails.

What I can remember from the comment, is that it is better to define a CARP VIP for one VLAN and then define IP Aliases for the other VLANS, but define the IP Aliases on the VLAN interface that is defined as a CARP VIP, but I am not sure that I got that right.

Any recommendations or advice will be appreciated

5

18.1 Legacy Series / [SOLVED] Postfix Plugin Configuration

« on: May 17, 2018, 04:36:46 pm »

I need some help on configuration of the Postfix plugin please.

Version is OPNsense 8.1.6-amd64.

I want to use Postfix as a SMTP server to send notification e-mails from the LAN devices to external email addresses.

The internal LAN domain is mydomain, while externally we use mydomain.net. There are proper mx and ptr records for mx.mydomain.net

In the OPNsense System setup, the domain is defined as mydomain

This is my current Postfix configuration:

General

System Hostname:      mx.mydomain.net
System Domain:         mydomain.net
System Origin:           (blank)
Listen IP's:                 all
Trusted Networks:       10.11.0.0/16 (Local LAN), plus the default 127.0.0.0/8 networks
Allow TLS Only:           Yes
Server Certificatae:      star.mydomain.net   (wildcard SSL certificate for mydomain.net)
Root CA:                     Digicert Intermediate CA
SMTP Client Security:   may
Smart Host:                10.11.10.1   (this is the firewall LAN address)
Username:                  postfix
Password:                   ******

Domains
Domain:   mydomain                      Destination:     mx.mydomain.net                 

Senders
Address:  nas@mydomain.net            Action:  OK


On the NAS device, the mail client is configured as follows:

From email:     nas@mydomain.net
SMTP Server:  10.11.10.1
Port:               587
USE TLS          Yes
Username:       postfix
Password:        ******

When I send an email from the NAS device, it fails.

The NAS device can access the Postfix server at 10.11.10.1

There is nothing in the Postfix log files except start and stop messages.

How can I debug this or is my config wrong?

6

18.1 Legacy Series / IPSec Mobile VPN Setup - Missing Option?

« on: April 17, 2018, 11:33:37 am »

I am using OPNsense 8.1.6.

I am trying to set up mobile VPN to allow remote dial-in. I am following the instructions inn your How-To guide for setting up IPsec VPN for mobile clients  (https://wiki.opnsense.org/manual/how-tos/ipsec-road.html)

In the guide, there is an option to specify the Peer Identifier and to define the actual value of the peer identifier. (see attachment)

This option is missing in the software.

In the client setups for iOS and macOS, this value is needed.

What am I missing here?

7

18.1 Legacy Series / Feature Request : Force CARP failover from GUI

« on: March 28, 2018, 01:42:27 pm »

HI,

Is it possible to add an option the GUI to force a CARP failover from Primary to Secondary and or from Secondary to Primary again?

At the moment, I use the CLI command
      sysctl net.inet.carp.demotion = 102

to force failover from Primary to Secondary and
      sysctl net.inet.carp.demotion = -102

Thanks

8

18.1 Legacy Series / Upgrade from 17.7.12 to 18.1.5

« on: March 23, 2018, 08:12:44 am »

Hi,

Currently we have 2 x OPNsense units running version 17.7.12 in a HA cluster on two hardware units from Decisio  (model OPNsense Quad Core Gen3 SSD Rack, SKU: OPN19004R)

Do we need to first upgrade to 17.1.12_1 before we attempt to upgrade to 18.1.5?

Is it better to do a clean install of 18.1.5 and restore the configuration backup?

If there are issues, how do we revert back to 17.1.12?

Regards

9

18.1 Legacy Series / Rolling Updates / Releases versus Stable 18.1 Release?

« on: March 12, 2018, 09:15:24 am »

Hi,

I do appreciate the willingness of the OPNsense team to fix issues and to respond to any bug reports in a timely (weekly) manner, but it also create some uneasiness.

When is 18.1 Production Series stable enough to install on a critical production site?

Is there not a need for a more "stable" release with a list of known issues that can be used on production sites provided you can live with the the known issues?

The frequent 18.1 releases is a just too "bleeding edge" for me, or am I just too conservative?

10

17.7 Legacy Series / Multi-WAN and 1:1 NAT

« on: January 30, 2018, 02:49:10 pm »

HI,

I have two WAN connections, WAN0 and WAN1,  with different sub-nets on each WAN connection.

The gateway for WAN1 is the default gateway.

Internal LAN devices with 1:1 NAT rules defined with public ip addresses from WAN1 sub-net, correctly uses the correct public IP from WAN1 as defined in the 1:1 NAT rule.

The problem is with LAN devices with 1:1 NAT rules defined on public IP addresses from the WAN0 sub-net.

Despite the 1:1 NAT rule, traffic from these devices are still routed via the default gateway for WAN1 (the system default gateway) and not via public ip as defined in the 1:1 NAT rule.

This is for traffic that originates on the LAN device. Traffic that originates from the internet is correctly routed via WAN0 to the LAN device as per the 1:1 NAT rule.

How do I fix this please or what am I missing?

11

18.1 Legacy Series / Feature Request: Rules Groups

« on: January 25, 2018, 12:22:23 pm »

Hi,

A feature request to make it easier to deploy OPNsense in enterprise setups.

On the Cisco ASA series you can define Services Groups, which can the be applied to individual hosts or networks.

Is it possible to consider something similar?

For example, you define a Service Group called "Mail Services" and for this group, you then define all the services (ports) that you want to allow through:
     HTTPS
     POP3
     IMAP
     SMTP
     SUBMISSION

You then apply this to individual hosts or networks etc.

The current Interface Groups is not really that helpful for this, as it is only applicable to interfaces or virtual vlan interfaces

12

17.7 Legacy Series / CARP : Interfaces not in sync when failing over (failing over independently)

« on: January 22, 2018, 12:16:13 am »

Hi,

I have two OPNsense firewalls running on 2 x dedicated hardware units in a new HA CARP cluster that is working fine, except for one problem - unsynchronised failover of the interfaces.

I have two WAN interfaces and one LAN interface, but with a number of virtual vlan interfaces defined on the LAN interface.

Each WAN interface has a CARP VIP, with the other public ip's of the WAN sub-net defined as an IP Alias on top of the CARP VIP of the WAN sub-net (same VHID number).

On the LAN side, each vlan has a CARP VIP and two device ip's.
For the 10.1.1.0/24 subnet and vlan, I have defined:

   OPNsense1  10.1.1.1.91, OPNsense2 10.1.1.92 and CARP VIP 10.1.1.1

The same for the other vlans subnets.

Each WAN interface and each vlan virtual interface has a unique VHID.

The problem is that during a failover, the WAN and virtual interfaces do not fail over at the same time. If I reboot the active unit, I may find that one unit has the WAN interfaces as active with the LAN interfaces as backup and the other unit the reverse. It looks like there is a timing difference between the WAN and LAN interfaces when a decision is made to failover or not. Sometimes even the WAN interfaces are split  or the LAN interfaces are split between the two units.

From my understanding of CARP, each VHID is handled individually and will failover independently of the other VHID's.

This will also be a problem if one interface fails. It will not help if ony that interface fails over to the other fw.

Obviously, this is not going to work.

The main reason for the HA cluster, is failure of the OPNsense hardware units, as I already have dual uplinks to the ISP and dual switches.

How do I ensure that the units fail all interfaces over at the same time?

13

17.7 Legacy Series / HA CARP with x.x.x.x/28 WAN Subnet

« on: January 19, 2018, 07:46:53 pm »

Gents,

I need some help please with 2 x OPNsense fw units in a HA CARP setup.

I have configured the HA CARP correctly and it works 100% with vlans and an IPsec Site-tot-Site link to our other site. Each fw has it's own public ip and then one public CARP VIP. The IPsec link also works with the CARP VIP defined on the WAN subnet.

We plan to use some of the other public WAN ip's with 1:1 NAT and vm's as mail and web servers, each with his own dedicated public IP from the WAN subnet. (This is how we had it previously on our HA Cisco ASA firewalls)

What is not clear to me, is how do I "CARP" the other public wan ip's?

Do I need 3 public ip's for each vm now - one per fw and one CARP VIP assigned to the vm?

Surely that can't be right?

14

18.1 Legacy Series / Release 18.1 rc2: Where to Download?

« on: January 19, 2018, 06:49:43 pm »

Gents,

I am new to OPNsense, but would like to evaluate the 18.1 Release Candiates.

Where and how do I download the releases?

15

17.7 Legacy Series / System: High Availability GUI Corruption

« on: January 18, 2018, 04:40:19 pm »

Hi,

I am using the System: High Availability GUI page to manage the CARP setup between two OPNsense units. Everythung is working fine, except that one of the units crashed and since then, there is a corruption in GUI two input fields

The IP address field of the Synchronize Peer IP and the Synchronize Config to IP has an old value (10.5.1.2) that is never erased. See screenshot attached.

Before i do a save of the page, I have to manually update the ip fields to the correct value (10.18.1.52) and then click on save. It accepts and use the correct value, as the sync etc all works.

However, after the save is done, the old value of 10.5.1.2 returns again immediately. Before the next save, I have to overwrite it again.

I have checked, the wrong value is not in the xml config file that I downloaded and uploaded again. The web GUI is picking it up from somewhere else.

Any ideas where and and how I can get rid of this value?