Topics

1

General Discussion / SOLVED: Multiple Subnets on a Single Interface

« on: August 02, 2020, 12:36:58 pm »

The subject of this post seems to summarize what I've been asking for a while without a definitive answer:

Is it possible to assign multiple subnets to a single interface?

For example:
I have a 2-NIC appliance running OPNsense. I have been using it as a router/firewall for my LAN at 192.168.1.0/24, and now I want to add 2-3 hosts to my network that use 192.168.6.0/24 (I actually have this situation). I want to give these devices on 192.168.6.0/24 access to the Internet through my OPNsense firewall.

Is this possible?

If so, please explain how.

If not possible, can anyone explain the meaning of this statement in the "Advanced" section of the firewall? https://docs.opnsense.org/manual/firewall_settings.html#static-route-filtering

"This may be desirable in some situations where multiple subnets are connected to the same interface."

A definitive answer would really be much appreciated.

2

General Discussion / SOLVED: Rules for LAN with more than one subnet

« on: August 02, 2020, 12:03:50 am »

NOTE: You will not find the answer here. Instead look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553

My LAN uses 192.168.1.0/24, and it works just fine for all hosts with this address range.  The LAN gateway on my OPNsense firewall is 192.168.1.1. It all pretty much auto-configured itself, so I've not had to do much manual configuration.

I've added a new device to the network that insists on using 192.168.6.0/24. This device uses Ethernet-over-USB, and it's plugged into a Linux laptop whose WiFi is assigned via DHCP: 192.168.1.104. I understand that Ethernet-over-USB is indistinguishable from other Ethernet traffic, and requires no 'special handling'.

I think I've got the Linux laptop and its USB device configured properly: I can make an SSH connection from the Linux laptop to the USB device at 192.168.6.2. I can 'ping' the WiFi from the USB device on its 192.168.6.2 interface, and I can ping 192.168.6.2 from the Linux laptop.

My problem is that the devices on the 192.168.6.0/24 net cannot successfully make a connection to the Internet. In addition, I cannot successfully 'ping' the LAN gateway at 192.168.1.1 from the USB device at 192.168.6.0. I don't understand why this is so because the IPv4 rules on the LAN interface allow ALL sources (*). I've attached a screenshot so that's clear).

I am not sure if ALL sources includes packets with a source address from the 192.168.6.0/24 network or not??? This is a major point of confusion for me. I have searched in vain for anything in the OPNsense configuration GUI that would allow me to create or use this 192.168.6.0 network in a firewall rule. How is this done?... the 192.168.6.0/24 hosts are not directly connected to the OPNsense firewall - they are only connected to the Ubuntu host, and use its WiFi as the gateway to the 192.168.1.0/24 net.

Can someone explain what I need add to OPNsense to get Internet access for the USB device at 192.168.6.0/24? I've searched the OPNsense documentation, but found nothing relevant to this situation... but if I've missed something, I'd like to know that also.

3

General Discussion / SOLVED: Why no responses to ICMP from one subnet?

« on: July 28, 2020, 11:50:24 am »

NOTE: You won't find the solution here. Instead, look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553

I've just added an embedded device to my network that configures itself to use 192.168.6.0 network. The balance of my LAN is all on 192.168.1.0 and it has worked fine for years. I've added static routes in OPNsense to accomodate the new 192.168.6.0 subnet, and this seems to be working just fine - hosts on both subnets are able to connect to each other.

But I've run into what seems (to me) to be an odd problem - from a host on the 192.168.6.0 subnet I can ping hosts on the 192.168.1.0 subnet & all works fine. I can ping hosts on the Internet from 192.168.1.0 subnet as usual. However pinging hosts on the Internet from 192.168.6.0 subnet gets no reply. I suspect the firewall is blocking, but I don't find anything in the logs that helps isolate this (maybe I'm looking for the wrong things?). It seems that nothing from the 192.168.6.0 subnet is getting through - this based on failures to download webpages using `curl` with an IP address.

I have a "pass anything" rule on the LAN interface & use automatic outbound NAT generation rules. What could be blocking my replies originating in the 192.168.6.0 subnet?

4

General Discussion / DNS for OpenVPN users

« on: March 02, 2020, 06:48:10 am »

My OpenVPN setup is working well enough in OPNsense. The only niggle is that once I'm on the "LAN side" of the firewall, DNS does not work for any of the hosts on the local network. Outbound DNS seems to work OK for an external VPN user, but the only way I can reach my internal hosts is to look up the DHCP assignment table in OPNsense!

I'm currently using Dnsmasq, set to listen on Port 53. "Register DHCP leases" and "Register DHCP static mappings" boxes are ticked.

Also, the MDNS Repeater is enabled. This one looks suspect... A note says "At least two interfaces must be selected.", but I've only ticked the LAN interface.

Unbound DNS and OpenDNS are NOT enabled.

How should I configure DNS to provide OpenVPN users with reliable DNS for all hosts on the local network??

5

General Discussion / [OBE] Certificate Expiration - Alternatives to Starting Over?

« on: March 06, 2019, 07:26:11 pm »

My CA (cert. authority), OpenVPN cert and my user cert have all recently expired. As a consequence it seems, I can no longer connect to my OpenVPN server (a very bad thing). I am back in the office here for a few days, and hope to get everything repaired quickly.

I have read https://forum.opnsense.org/index.php?topic=5592.0 in this forum that the solution for this is to create a new CA and certs. However, it seems (based on this Q&A: https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal) that it is possible to renew a root CA, such that existing certs will become valid again.

Can anyone comment on this? Is it possible to "renew" without starting over?

6

General Discussion / [SOLVED] OpenVPN breaks after upgrade from 18 to 19

« on: March 03, 2019, 11:53:54 pm »

So I've been using v 18.X for some time. My OpenVPN server on OPNsense had always worked just fine with my `Viscosity` client. Recently, I upgraded OPNsense from v 18.X to v 19.X. Everything seems to work except my OpenVPN client refuses to connect.

And it's a "quick disconnect": as soon as the authentication is entered (userid + 2FA password), the client reports the connection as "down". I've double-checked my password, and my IP address (dynamic IP), and they're correct. The timing makes me wonder if the client config that I exported over a year ago is now deprecated in some way.

Any ideas? Did something change between v 18 and v 19 that would have broken an existing OpenVPN configuration?

7

General Discussion / DynamicDNS help request

« on: February 14, 2019, 06:46:51 am »

I've configured the DynamicDNS updater in OPNsense, but I want a "backup" solution.

Is there a way to have OPNsense send an email (or otherwise communicate) when the IP address on the WAN-side changes?

8

General Discussion / Testing the Dynamic DNS client in OPNsense

« on: February 03, 2019, 11:06:24 pm »

Is there any way to test that my OPNsense DynamicDNS client is working properly? Of course it will be tested eventually when my ISP changes it, but I may not have access to my firewall when that happens (I travel a lot).

Details follow:
I use OPNsense for a number of reasons. One of the features that is particularly important to me is the VPN feature as it allows me to connect to resources on my home network while I am away on travel (which is very frequently). My sw version is: OPNsense 19.1-amd64

Following is a summary of my network configuration:
My ISP provides a "cable modem" box. To use OPNsense, I configure this modem to operate in "bridge mode". In my network, the cable modem faces the Internet, my "WAN-side" OPNsense fw/vpn adapter is connected to the "LAN side" of the modem, and then my home network is connected to the LAN-side adapter of my OPNsense fw/vpn. Everything works reasonably well until my ISP decides to change things around. One of the things that they are changing more frequently now is the routable IP address assigned to my modem. I have decided that it is time to add Dynamic DNS.

Dynamic DNS to the rescue:
To that end, I've gotten an account at "freeDNS", and a hostname to use for my OPNsense fw/VPN server. I've also set up the Dynamic DNS service in the webGUI. AFAIK, things are working as they should, but I've learned over the years that assumptions often lead to failure and disappointment. And so I want to test my Dynamic DNS configuration to make sure it works as it should. This is where I need help: I can find nothing in the docs that describes a test procedure.

How to Verify Dynamic DNS is operating correctly?:
Of course I will get a test when my ISP eventually changes the IP address of my cable modem, but I may be out of the country when that happens. I'd like some way to verify that things are working properly now - while I am still in  position to make necessary changes. Any suggestions?

9

General Discussion / Where do "Notices" get filed?

« on: May 08, 2018, 01:48:26 am »

I have a rather awkward method that I must use for the time being to access OPNsense (Ref: https://forum.opnsense.org/index.php?topic=8623.0). When I visit the "Lobby" in OPNsense, I see there are a number of "Notices" (see attachment for screen shot), but I am not able to read the entire line.

Where can I find the full text of these Notices; i.e. are they in a log file?

10

General Discussion / Cannot connect to OPNsense firewall over VPN

« on: May 06, 2018, 05:50:43 pm »

[EDIT]: I've made some forward progress, so I'm updating this post.

I've got my OPNsense+OpenVPN configured, and **mostly** operational now, but there's one awfully annoying item that persists:

The remote LAN is in the US behind an OPNsense firewall that also serves as the LAN gateway, DNS and DHCP server. Its IP address on the LAN side is 192.168.1.1.

My local network is behind a P.O.S. Sky router in the UK, which was configured by someone else - I am using the network here as a guest - not as the admin, tho' I might be able to get a change made if it would help. The P.O.S. Sky router's LAN interface is also 192.168.1.1, but it does not respond to https:, only http.

I can reach all the active hosts on the remote LAN as long as I know its IP address. That's not a huge problem as it's a small network, but still - it would be nice if that worked. The exception to this is the one I really need to access: the OPNsense firewall at https://192.168.1.1  If I just connect to 192.168.1.1, I am connected to the P.O.S. Sky router. When I specify https://192.168.1.1, it simply refuses to make the connection (I assume due to the duplicity of the single IP address.

I'm currently working around this by making a remote desktop connection to a host on the remote network, and connecting from there, but that's awkward, and since it's a Windoze PC, it may fall over and die at any moment!

Can anyone tell me how to resolve this? I need access to the OPNsense firewall on the remote LAN - not the P.O.S. Sky router here on the local LAN.

11

18.1 Legacy Series / [SOLVED] Install issue with serial port image

« on: March 28, 2018, 07:23:21 pm »

I'm trying to install the latest distribution (OPNsense-18.1-OpenSSL-serial-amd64.img.bz2) on a PCEngines APU2. I am able to boot successfully from the USB I created using "Etcher". Everything seems to be going OK until immediately after I log in as “installer”. At that point, the data presented over the serial port (still configured at 115200, per OPNsense docs) is (virtually) illegible. At any rate it’s not displayed correctly.

Any ideas on what the issue might be?

FWIW, here's what I see at my serial terminal:

----------------------------------------------
|      Hello, this is OPNsense 18.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Lists:        https://lists.opnsense.org/  |        @@@@         @@@@
| Code:         https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------
.[1;24r.[m.[?7h.[?1h.=.[H.[J.[23B.[H.[23B.[HF10=Refresh Display.[4;47H@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[5;46H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[6;46H@@@@@.[6;71H@@@@@.[7;50H@@@@@.[7;67H@@@@@.[8;47H@@@@@@@@@@@       @@@@@@@@@@@.[9;52H\\\\\.[9;66H/////.[10;46H))))))))))))       (((((((((((.[11;52H/////.[11;66H\\\\\.[12;47H@@@@@@@@@@@       @@@@@@@@@@@.[13;50H@@@@@.[13;67H@@@@@.[14;46H@@@@@.[14;71H@@@@@.[15;46H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[16;47H@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.[8BWaiting for backend....[5;46H                 .[6;46H     .[B.     .[8;47H           .[B......     .[10;46H            .[B......     .[12;47H           .[13;50H     .[14;46H     .[B.....                 .[16;47H                .[20;19H.[5;19H.(0.[1mlqqqqqqqqqqqqu.(B OPNsense 18.1 .(0tqqqqqqqqqqqqqk.(B.[m.[6;19H.(0.[1mx.(B.[m.[6;62H.(0.[1mx.(B.[m.[7;19H.(0.[1mx.(B.[m Welcome to the OPNsense 18.1 installer!  .(0.[1mx.(B.[m.[8;19H.(0.[1mx.(B.[m.[8;62H.(0.[1mx.(B.[m.[9;19H.(0.[1mx.(B.[m Before we begin, you will be asked a     .(0.[1mx.(B.[m.[10;19H.(0.[1mx.(B.[m few questions so that this installation  .(0.[1mx.(B.[m.[11;19H.(0.[1mx.(B.[m environment can be set up to suit your   .(0.[1mx.(B.[m.[12;19H.(0.[1mx.(B.[m needs..[12;62H.(0.[1mx.(B.[m.[13;19H.(0.[1mx.(B.[m.[13;62H.(0.[1mx.(B.[m.[14;19H.(0.[1mx.(B.[m You will then be presented a menu of     .(0.[1mx.(B.[m.[15;19H.(0.[1mx.(B.[m items from which you may select to       .(0.[1mx.(B.[m.[16;19H.(0.[1mx.(B.[m install a new system, with or without    .(0.[1mx.(B.[m.[17;19H.(0.[1mx.(B.[m importing a previous configuration.      .(0.[1mx.(B.[m.[18;19H.(0.[1mx.(B.[m.[18;62H.(0.[1mx.(B.[m.[19;19H.(0.[1mx.(B.[m.[19;32H.(0.[1m.(B< Ok, let's go. >.[19;62H.(0x.(B.[m.[20;19H.(0.[1mmqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj.(B.[m
.[4B.(0.[1m.(B.[mSet up the installation environment and continue.[5A.[24;1H
.[?1l.>The installation was aborted.

12

Development and Code Review / API for Google's OTP

« on: March 24, 2018, 09:37:41 pm »

Odd question perhaps, and maybe not the correct forum, but here goes:

OPNsense has done a fabulous job of integrating Google's OTP service. I have a project that needs OTP authentication also. Until I looked into this, I thought that Google's OTP code was open source, and therefore generally available for such usage by a 3rd party. However, I've learned that it's no longer open source; Google has made it proprietary. And so I wonder how is it that the OPNsense project is able to continue using it?

Can someone provide a brief explanation, or better, point me toward documentation that explains it?

Thnx,
~S

13

18.1 Legacy Series / [SOLVED] Limited Port Number specification for firewall rules

« on: February 22, 2018, 12:19:10 pm »

It seems the form for adding a firewall rule limits one to the ports that are in the drop-down list. Is there a reason for this??

I'm setting up a 'backup' VPN server. I'd like to use port 1195 so I can run both VPN servers at the same time, but the form won't allow it. Is there a work-around, or is this a weird browser-specific thing, or... ??

~S

14

18.1 Legacy Series / Serial vs VGA version of AMD64 installers

« on: February 22, 2018, 01:36:54 am »

I've installed the vga-amd64 version of the current OPNsense distro. However, I do not get a login prompt on my console monitor after the system finishes booting. Otherwise, the installation works perfectly in all respects (afaik), I can access the GUI, etc. When I connect to the serial port however, I do see the login prompt there (and it does work).

Is this by design?

15

18.1 Legacy Series / Basic mDNS question

« on: February 16, 2018, 07:57:39 am »

My remote OpenVPN clients are all Macs (as in OS X). My LAN is an eclectic mix of Windows clients, a DC/server, NAS units, the odd Linux box, etc. I used Avahi some time ago on pfSense, and it seemed to work pretty well. I've read that Avahi is not available for OPNsense (and why), and that mDNS is a 'functional equivalent'. And so I've installed mDNS, and configured it to listen on the LAN and OpenVPN ports. However, after a few hours, I'm not seeing my Mac VPN client pick up any of the devices on my LAN that use Bonjour (other Macs, Time Capsule, etc).

One suspect: Under General Settings for Domain, the following caution appears, but its meaning is unclear to me:
"Do not use 'local' as a domain name. It will cause local hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS. e.g. mycorp.com, home, office, private, etc."

My "local"/LAN domain is 'MyNet.local' - it's been this way for years, and would be a terrific pain to change.

Where would I begin looking to try to sort this out? Hey - I thought this was supposed to be "zero-configuration" networking