Topics

1

General Discussion / Upgrading from the stone age to current?

« on: November 12, 2022, 11:17:24 pm »

Let's say I stumble upon an OPNsense firewall that was installed in 2020, but not updated with the major versions since then.

22.10 is presently out.

Is there a way to upgrade from, say, 20.1 to 22.10 in one command at the console or SSH interface? Or do I have to do the upgrades in order until I make it to the latest version?

2

Virtual private networks / IPSec VPN + SIP Phones Advice

« on: November 07, 2022, 06:14:35 pm »

Hi all,

I'm looking for some advice. I've got two locations, a main location and a remote one, connected via an IPSec VPN tunnel. The remote location has about 6 SIP phone handsets, which should be communicating back to the PBX at the main location over the VPN tunnel. It also happens to be where the calls come into for customer support, so the phones NOT working is really noticeable.

Once a month on the 1st Sunday, I reboot both OPNSense firewalls, do firmware updates, etc. The following Monday (today in this case), some of the phones come up in the SIP Status interface of the phone server as being "unavailable." This appears to be due to SIP QUALIFY and SIP OPTIONS traffic not flowing between the two locations appropriately. So I've been chasing this for about 4 months now and I'm banging my head against a wall. I'm wondering if you all would look at my IPSec VPN configuration and see if you see something I'm doing incorrectly...

Phase 1

Setting	Local	Remote
Phase	1	1
Disabled	Unchecked	Unchecked
Connection Method	Start Immediate	Start Immediate
Key Exchange Version	V2	V2
Internet Protocol	IPv4	IPv4
Interface	WAN	WAN
Remote gateway	(Remote Bldg IP)	(Main Bldg IP)
Dynamic Gateway	Unchecked	Unchecked
Description	Remote Bldg	Main Bldg
Phase 1 Auth Method	Mutual PSK	Mutual PSK
My identifier	My IP Address	My IP Address
Peer identifier	Peer IP Address	Peer IP Address
Pre-Shared Key	(The Key - They Match)	(The Key - They Match)
Encryption Algorithm	AES-256	AES-256
Hash Algoritm	SHA1	SHA1
DH Key Group	5 (1536 bits)	5 (1536 bits)
Lifetime	86400	86400
Install Policy	Checked	Checked
Disable Rekey	Unchecked	Unchecked
Disable Reauth	Unchecked	Unchecked
Tunnel Isolation	Unchecked	Unchecked
SHA256 96 Bit Truncation	Unchecked	Unchecked
NAT Traversal	Enable	Enable
Disable MOBIKE	Unchecked	Unchecked
Close Action	None	None
Dead Peer Detection	Unchecked	Unchecked
Inactivity Timeout	(Blank)	(Blank)
Keyingtries	(Blank)	(Blank)
Margintime	300	300
Rekeyfuzz	50	50

Phase 2

Disabled	Unchecked	Unchecked
Mode	Tunnel IPv4	Tunnel IPv4
Description	Local to Remote	Remote to Local
Local LAN Type	LAN Subnet	LAN Subnet
Local LAN Address	(Blank)	(Blank)
Remote LAN Type	Network	Network
Remote LAN Address	192.168.20.0/24	192.168.1.0/24
Protocol	ESP	ESP
Encryption Algorithm	AES256	AES256
Hash Algorithms	SHA1	SHA1
PFS key group	off	off
Lifetime	3600	3600
Automatically ping host	192.168.20.1	192.168.1.1
Manual SPD entries	(Blank)	(Blank)

Under Firewall >> Rules >> IPSec on both firewalls I have an Allow IPv4 Any-Any-Any rule with a description of "Allow IPSec Traffic."

Under Firewall >> Settings >> Advanced I have the Firewall Optimization set to Conservative

Can anyone see something I'm doing wrong here? In talking with the PBX vendor, they advised that I needed to turn off DPD on my Phase 1, which I did. This did resolve some problems, but not all of them.

Thanks in advance for any advice!

3

Virtual private networks / Phase 1 Key Lifetime setting for mobile connections

« on: March 04, 2022, 03:20:05 am »

I've set up hundreds of PPTP, IPSec, L2TP, and OpenVPN connections over the years, so I wouldn't consider myself a NEWB on this topic. But this is the first time I've set one up where the internet has the potential to be this spotty.

I need a "site-to-site" connection between a stationary, physical location with fiber and (get this) a charter bus.

The charter bus has two cellular routers, one each from the leading carriers. Those come into a micro-firewall running OpnSense. And the charter bus is on the highway more often than not, so it's almost always near at least 1 or more cellular towers. But that's where the stability ends. The cellular providers both have agreed (for more money) to give us an APN that doesn't use C-NAT (Carrier-based NAT), so the IP address we see in each router is the IP address that OpnSense sees. This is a big deal because without this change, C-NAT is the default on cellular, and the cellular router has an IP address that google's "What Is My IP" does not confirm. They also firewall off the traffic to the cellular router directly, so the IP address that you see on the cellular router isn't accessible.... which means Dynamic DNS is worthless.

So, here's my question: Assuming I need bidirectional communication as much as possible, what are everyone's thoughts on setting the P1 Key Lifetime very low, like 30-600 seconds kind of low?

The present issue is that if I set that P1 key lifetime to anything normal (say, 3600-28800) and the bus goes through an area with no cellular signal, the VPN tunnel won't reconnect when it acquires cellular service again without me having to remote into both firewalls, disable the VPN tunnels on each one and Apply, then re-enable each one and Apply again. At 2 in the morning, this is really, really annoying.

Is there a precedent for this with strongswan and OpnSense?

Thanks, in advance!

4

21.1 Legacy Series / OpenVPN No Client Export Option - The Solution You're Probably Looking For...

« on: June 29, 2021, 09:52:30 pm »

See https://forum.opnsense.org/index.php?topic=13354.0. You cannot reply to archived threads, so I'm creating a new thread here.

Every once in awhile I have this problem as well, and figuring it out is a pain in the butt, because not everyone does OpenVPN the same. In our case, we use Active Directory as the back end authentication mechanism. When the "Client Export" page has no link at the bottom, you start to pull your hair out trying to figure out what you did wrong... so here's the answer...

Look at the certificate you linked to in your OpenVPN Server configuration. Grab it's name and then go to System > Trust > Certificates. Is it Self-Signed? If so, that's your issue.

Make sure you have a Certificate Authority for your firewall. Add one under Trust > Authorities > Add. It can be Self-Signed, because it's a Certificate Authority (ie: Something that can create and issue certificates).

Next, create a new Certificate under System > Trust> Certificates.
Create an Internal Certificate.
For Certificate Authority, choose the Certificate Authority you created above.
Under Type, make sure you select Server Certificate.
I usually set the Lifetime of this certificate to something like 3650 (10 Years). You likely don't want to have to reissue VPN profiles to users that often.
Fill in all the information. Under Common Name, give it something unique, like SSLVPN Certificate or something similar.
Save it, and let's go back to OpenVPN Servers.

VPN > OpenVPN > Servers
Edit Your Server.
Under the Cryptographic Settings section, look at Server Certificate and select the one you just created.
Go to the bottom and click Save.

Go to VPN > OpenVPN > Client Export. You should now have a link to select.
I'm a fan of "File Only" because it bundles everything up into one nice file for OpenVPN to import.
I also change the Hostname to a DNS resolvable name. This makes life easier when you change ISPs.

Hope this helps!

5

General Discussion / GEOM Mirror Widget?

« on: May 20, 2021, 06:03:23 pm »

This seems funny to me, but in all the conversions I've done from that other *Sense product to OpnSense, I never noticed that there's no GEOM Mirror Widget. Here's what it used to look like:

GEOM Mirror Status Widget

How hard would it be to create one and make it an optional add-on to OpnSense? I know it's some derivative of the "gmirror status" command.

Thanks, in advance, for all you do!
Paul

6

General Discussion / 1:1 NAT Forwarding/Masquerading

« on: May 18, 2021, 04:37:51 pm »

Hi all,

I've done this before, but it's been years and I'm hoping someone can just give me a quick refresher on it.

I have a vendor (gotta love vendors) who has set up an internal network around their manufacturing solution wherein they are utilizing a 192.168.0.0/22, or in more human readable terms, a network where the start address is 192.168.0.0 and the end address is 192.168.3.255.

My boss wants us to connect to this network and pull stats from the manufacturing solution. There's software to do this, and we've purchased it. But the issue is that we already have networks that are on the 192.168.1.0, 192.168.2.0, and 192.168.3.0 networks. Thus, I've set up an opnsense firewall on another VLAN'ed network, which is the 192.168.20.0 network, dedicated to the various manufacturing machines.

So, my "WAN" interface on this firewall looks like this: 192.168.20.254/24
And, my "LAN" interface on this firewall looks like this: 192.168.1.254/22

I've used nmap to scan the entire network for this manufacturing solution, and I find 27 IP addresses between 192.168.0.0 and 192.168.3.255.

What I'd like to do is set up some virtual IPs on the opnSense firewall like this:

WAN 192.168.20.230 = LAN 192.168.1.10
WAN 192.168.20.231 = LAN 192.168.1.15
...

And this way we can ping and communicate with the devices on the manufacturing network using 192.168.20.x network addresses instead of their native 192.168.[0-3].x addresses.

It seems like this was possible and relatively easy once I got the hang of it. But by "getting the hang of it" I mean I did it once about 4 years ago.

Can someone refresh my memory on how to make this work?

Thanks, in advance!
Paul

7

General Discussion / NUT - Client, but not Server?

« on: March 18, 2021, 03:07:14 pm »

Hi all,

Am I correct in saying that NUT (Network UPS Tools) can be a client on OpnSense, but OpnSense cannot act as a NUT server/daemon for other machines to connect to?

8

20.7 Legacy Series / Reporting security vulnerabilities

« on: November 17, 2020, 04:34:12 pm »

Hypothetically, let's say we find a security vulnerability in OPNSense that we want to (privately!) bring to the attention of developers to get it resolved quickly and quietly. Who should we send this data to, and how should we send it?

Thanks!
-Anomaly0617

9

General Discussion / ZeroTier as a replacement for IPSec: Your Opinions, Please?

« on: May 05, 2020, 05:18:21 pm »

Hi all,

We maintain a number of multi-site locations where we've used IPSec and fully-meshed the networks (ie: every location can talk to every other location). The obvious issue with this is the upkeep. Doing the math, if I have 11 locations, that means that every firewall has 10 IPSec tunnels. (Locations * (Locations -1)). So, in the instance of 11 locations, I'm maintaining 110 individual tunnels.

And this is where cloud-meshed VPN solutions (SD-WAN) enters the show. Instead of having to maintain 110 tunnels, I could maintain 11, and the cloud-meshed VPN solution would handle the routing. Or, worst case, I can manage the routes at the centralized console. Point is, the routing becomes easier.

For some of my locations, this is a non-starter. Those locations deal with protected information and an SD-WAN solution leaves too high a possible risk for someone to silently add their own node onto the network and then have time and access to all of the information they can vacuum up without our notice. Yes, I know that these solutions often offer multi-factor authentication at the cloud level. But even multi-factor is being hacked these days.

And this brought us around to ZeroTier. One of my engineers was complaining about what a pain in the rear maintaining all the tunnels was, and how SD-WAN would be so much better a solution. So I decided to give it a try with ZeroTier.

I picked a location that is more or less a "test site" - no issues if that site gets hacked, there's nothing there for them to find. And for the other site (and eventually, sites), I picked a few of our staff's home networks that are in a similar situation - if they get hacked... well, that sucks, but they have firewalls and backups.

I followed this guide and tried to keep the configuration as simple as possible. Get it working reliably first, and then start building rules and filters as necessary. But I didn't get that far.

My experience was that after

• updating OPNsense to the latest version
• getting the zerotier plugin installed
• connecting it to my zerotier portal through VPNs >> ZeroTier and using the API I was given from the ZeroTier portal
• adding the site and approving it in the portal
• creating the network interface and assigning it the appropriate IP address from ZeroTier (note: /24, not /32!)

I would see an uptime of about 45 seconds to 2 minutes, after which my network monitoring software would go from "all green" to "all red" pinging the remote hosts.

I tried adding managed route(s) (example: network 192.168.92.0/24 routes through 10.147.17.197).
I tried rebooting firewalls.
My experience did not change.

I read through the ZeroTier manual. No luck.

I not only disabled the IPSec tunnels that were in place before, I deleted them out of a few firewalls and rebooted. No change.

So, I'm now curious if I did something very obviously wrong, or if this experience is relatable to others? I'm open to the idea of an SD-WAN solution if it's stable, but I'm not going to sacrifice stability for convenience.

Opinions/Comments welcome!

10

20.1 Legacy Series / GeoIP Firewall Question, v19 vs v20?

« on: February 26, 2020, 07:41:59 pm »

Hi all,

I was referencing this documentation the other day to get up country-based IP filtering.

The documentation states "In OPNsense, goto Firewall:Aliases and select the GeoIP settings tab. Enter the URL you have created into the URL box and click Apply, and that’s it."

When I go to Firewall:Aliases on an OpnSense v20.1 server, I see this tab. However, on a v19.7.6 firewall, there is no GeoIP tab. On this one, when you create an alias you can choose GeoIP as an alias type, and then from there select the countries you want to block. Then, in theory, you make a block rule in Firewall:Rules:Floating, selecting all of your outside interfaces, and then block anything with a source of the GeoIP Alias.

I see that in v20 I can still do this with the aliases, as type GeoIP.

So, I'm just looking for clarification. Is the Alias method OK to use? Is the GeoIP method the one we're supposed to use? I don't want to assume that the alias method is working to block inbound traffic from undesirable countries and then find out that it doesn't actually work without MaxMind and the GeoIP tab.

Thanks, in advance!

11

20.1 Legacy Series / Likely an Easy fix - vpn_ipsec.php phase 1 background color

« on: February 10, 2020, 04:36:35 pm »

Hi all,

In the latest release (20.1), there's a hard-coded style element on line 1132 of the output:

Code: [Select]

1129: <style>
1130:  tr.phase1_tr > td {
1131:      font-weight: bolder;
1132:      background-color: #FBFBFB;
1133:  }

Because this is defined after all the css files are rendered, this is breaking themes. For instance, on dark themes (rebellion, tucan) the background is near white and so is the font.

Can this be moved into main.scss or another css file so it can be changed by theme designers?

Thanks!
Anomaly0617

12

Web Proxy Filtering and Caching / [Solved] NGINX Reverse Proxy advice

« on: December 23, 2019, 01:41:09 am »

Hi there,

In the past, I have done this with pfS and the Squid Reverse Proxy tool. But it's been a few years.

I've got OPNsense 19.7-amd64 up and running at a location. I'd like to set up a number of web servers on the LAN side and have NGINX reverse proxy the traffic in to them based on the headers.

I'm not looking to load balance at this point, just setting it so that:

http://sitea.com proxies in to http://192.168.xxx.yyy:80
http://siteb.com:8091 proxies in to http://192.168.xxx.zzz:8091
http://sitec.com proxies in to http://192.168.xxx.aaa:80
https://sited.com proxies in to https://192.168.xxx.bbb:443
https://sitee.com proxies in to https://192.168.xxx.ccc:443

So, I'm starting with one server, siteb.com above. I followed this tutorial, but I doubt I did it correctly. So here's what I've got....

Services: NGINX: Configuration: General
-- Enable nginx: Checked

Services: NGINX: Configuration: Upstream Server (1 Entry)
-- Description: Server1
-- Server: 192.168.xxx.zzz
-- Port: 8091
-- Server Priority: 1

Services: NGINX: Configuration: Upstream (1 Entry)
-- Description: com_siteb
-- Server Entries: Server1
-- Load Balancing Algo: Weighted Round Robin
-- Enable TLS: Checked
-- TLS: Servername override: [Blank]
-- TLS: Supported Versions: [Nothing Selected]
-- TLS: Session Reuse: [Not Checked]
-- TLS: Trusted Certificate: [Nothing Selected]

Services: NGINX: Configuration: HTTP(S): Location (1 Entry)
--Description: com_siteb
--URL Pattern: ^http://siteb.com
--Match Type: Case Insensitive Match ("~*")
--URL Rewriting: [Nothing Selected]
--Enable Security Rules: [Not Checked]
--Learning Mode: [Checked]
--Block XSS Score: [Blank]
--Block SQL Injection Score: [Blank]
--Custom Security Policy: [Nothing Selected]
--Upstream Servers: com_siteb
--Path Prefix: [Blank]
--Cache: Directory: [none]
--File System Room: [Blank]
--Index File: [Blank]
--Automatic Index: [Not Checked]
--Basic Authentication: [Blank]
--Basic Credentials List: [None]
--Enable Advanced ACLs: [Unchecked]
--IP ACL: [None]
--Force HTTPS: [Unchecked]
--Enable HTTP/2 Preloading: [Unchecked]
--Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI: [Unchecked]
--(PHP) Router Script: [Blank]

Services: NGINX: Configuration: HTTP(S): URL Rewriting (1 Entry)
--Short description (to display): root
--Original URL Pattern (Regex): /
--New URL Pattern: $1
--Flag: Redirect

Services: NGINX: Logs: HTTP Access Logs: com_siteb
--Time: 22/Dec/2019:18:32:25 -0500
--IP: [Redacted, but it's mine]
--Username: -
--Status: 404
--Size: 5431
--Referer: http://siteb.com/
--User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
--Forwarded For: -
--Requested Line: GET /favicon.ico HTTP/1.1

Services: NGINX: Logs: HTTP Error Logs: com_siteb
--Date: 2019/12/22
--Time: 18:32:24
--Severity: error
--Number: 35259#100189
--Message: *1 "/usr/local/etc/nginx/html/index.html" is not found (2: No such file or directory), client: [Redacted], server: com_siteb, request: "GET / HTTP/1.1", host: "siteb.com"

13

19.7 Legacy Series / OpnSense stops routing all traffic when WAN drops

« on: December 17, 2019, 04:50:40 pm »

Hi all,

I've got a weird one, but I've now seen it at different locations and it's concerning.

Please note that this one is very similar to this post, also by me, from a while back.

First, some specs because well, everyone loves specs:

System Information

Code: [Select]

Name frasvrfw.{redacted}
Versions OPNsense 19.7.6-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019
Updates Click to check for updates.
CPU Type Intel(R) Xeon(R) CPU X3450 @ 2.67GHz (8 cores)
CPU usage
Load average 0.53, 0.38, 0.28
Uptime 1 days 03:06:07
Current date/time Tue Dec 17 10:33:25 EST 2019
Last config change Mon Dec 16 3:31:41 EST 2019
State table size 1 % ( 8526/814000 )
MBUF Usage 1 % ( 7100/506546 )
Memory usage 13 % ( 1099/8144 MB )
SWAP usage 0 % ( 0/8192 MB )
Disk usage 2% / [ufs] (1.4G/101G)
Interfaces

Code: [Select]

   GUEST 1000baseT <full-duplex> 192.168.25.254
   LAN 1000baseT <full-duplex> 192.168.3.1
   PLC 1000baseT <full-duplex> 192.168.20.1
   Phones 1000baseT <full-duplex> 192.168.9.1
   Printers 1000baseT <full-duplex> 192.168.6.1
   SAN 1000baseT <full-duplex> 192.168.10.1
   SANBACKUPS 1000baseT <full-duplex> 192.168.16.254
   SECUREWIFI 1000baseT <full-duplex> 192.168.5.1
   SECURITY 1000baseT <full-duplex> 192.168.50.1
   WAN 1000baseT <full-duplex> {redacted}
Ok, with that out of the way, I've got a Dell PowerEdge R210 running as an OpnSense firewall/gateway between multiple networks (separated into VLANs and their own subnets) with the OpnSense firewall at the center.

We've now had this happen twice -- 16-Dec-2019 between 3:20 AM and 7:20 AM, and about a month ago where there was a 35 minute power outage.... so I'm no longer thinking this is a "fluke."

The trigger:
The WAN connection drops at the provider end (in other words, between the internet provider's fiber router and their closest node)

The symptom:
OpnSense stops routing all traffic -- even the internal traffic between internal subnets such as from the LAN to the PRINTER networks. This continues to occur even after the WAN connection is restored and the internet is available again.

The workaround resolution:
Reboot the firewall and all the problems go away... until the next time the internet connection drops.

In both instances, the power in the area has gone out, and our on-site battery backups and generator have kept the building up and running throughout. So my OpnSense logs do not show that the firewall has rebooted. But if I go to Reporting -> Health and look at any metric, ie:

Packets -> LAN
Packets -> WAN
Packets -> IPSec
Quality -> Gateway

They are all flat-lined between those times.

So the question is, what would cause OpnSense to stop routing traffic between internal networks when the WAN connection drops, and is there a way to fix it, short of setting up a check_internet script that reboots the firewall if it can't get to something really common like google?

Thanks in advance, all!

14

19.7 Legacy Series / Zabbix 4.4.1 Proxy Pkg

« on: November 18, 2019, 02:01:42 am »

Hi there,

Just wondering if anyone is actively working on generating a pkg for zabbix4.4 -- I accidentally updated my Zabbix server to 4.4.1 (meant to just go to 4.2.x) and I'm seeing errors in the zabbix server log like:

11068:20191117:195807.381 cannot process proxy "[SiteID]": protocol version 4.0 is not supported anymore

So, totally my fault for upgrading too far, but since I did and it made some database changes, I'm now hesitant to go backwards to 4.2.

If someone can walk me through compiling from source on FreeBSD, I'm generally fluent in POSIX environments. I'd be happy to submit whatever I compile.

Thanks!
-Paul

15

General Discussion / Firewall reboots and will not route packets - problem and possible solution

« on: June 17, 2019, 05:46:24 pm »

Hi all,

Those of you that have been around the *Sense world for awhile probably know me. I've been a fan for a number of years, and have a lot of posts on the pf as well as the opnSense forums. Heck, I may even have a few on m0n0wall, since I go back that far on distros of this firewall.

If you're just now reading this, this is an awesome firewall solution and I've found nothing that compares to it in the commercial world. There's a balance of functionality and UI that I've never seen at this level in a commercial product. So what's below is more for the folks that have been running some version of *Sense for a little while and is not representative of the product of a whole.

Ok, disclaimer over. Now to the real topic:

I have somewhere in the neighborhood of 30-50 *Sense installations in production. These span everything from a terrible DSL connection in the middle of nowhere's-ville to a 200 x 200 Mbps redundant fiber connection in a controlled data center environment. I'm seeing this problem across the board, on all installations. That means everything pf 2.3.2 and newer, and I'm guessing everything opnSense 18.1.x and newer. In other words, I'm thinking this is a FreeBSD problem and not a *Sense problem.

Symptom:

The firewall is set up to reboot on a schedule. After the scheduled reboot, the firewall does not respond to anything remotely. ICMP traffic does not respond, packets are not forwarded, rules are not processed. It's as if the firewall is stuck in the default state of "deny all" for all packets.

Resolution A (a bad one):

Go to the console and log in if necessary. Reboot the firewall using the appropriate menu option. Let the firewall reboot. Check again and see if you can access the outside world, and the outside world can access you.

Resolution B (possibly better?)

Run a script that checks to see if the firewall can reach the gateway device (DSL modem, DOCSIS router, fiber router, etc.) and/or a common website (Google DNS, for instance). If it cannot, issue a reboot command. Possible side-effect: This could reboot the firewall in the middle of the day with no warning to your end users.

Anyone else run into this problem? The most common hardware we use are Dell PowerEdge R2{x}0's as firewalls, so its possible it is specific to those, but I believe I've also seen this behavior on the micro-firewalls we have running made by a reputable Amazon reseller ending in "LI". ;-)

DISCLAIMER: If you can't tell, this email has been formatted to avoid getting a nasty letter from that one company that bought one of the *Sense distributions and has been known for sending nasty letters to people trying to help.