Topics - sirio81

#1
18.7 Legacy Series / Upgrade from OPNsense 18.1.13_1-amd64
September 23, 2018, 06:04:14 PM
Hi all, is it possible to backup the configuration of opnsense 18.1.x and restore it to a new 18.7?
Is there another way to upgrade to latest stable?

thank you
#2
18.1 Legacy Series / Help configuring HA-proxy
September 23, 2018, 05:59:50 PM
Hi all, I'm running OPNsense 18.1.13_1-amd64.
I'm trying to configure HA proxy to serve 2 webservers.
As of now, I care http to be working.
I'll take care of https later.

I already set up HA proxy and it's working but the web pages are incomplete: only html is loaded, no images, no css.

Before I flood this post with many details, do you already know if that's a common configuration mistake?

The network schema is this:

router -> wan (192.168.179.2) | lan (192.168.178.3) -> webserver1 (192.168.178.15)
                                                    -> webserver2 (192.168.178.17)


The public ip is held by the router that forwards all ports to opnsense.

Thank you!
#3
Hi all, I already spoke about nat 1:1 and reflection in this topic but I have another specific problem to solve.

Consider 3 lan networks:

192.168.2.0/24 (office pc)
192.168.3.0/24 (office pc)
192.168.6.0/24 (servers)

I have three servers on 192.168.6.0/24.
For each server I'm using nat 1:1

1.2.3.4 -> 192.168.6.38 (webserver)
1.2.3.5 -> 192.168.6.10 (mailserver 1)
1.2.3.6 -> 192.168.6.11 (mailserver 2)

192.168.6.38 is a webserver.
I added a firewall rule on the WAN interface, so that ports 80 and 443 can be reached from outside.
I added 2 rules on the LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass
Doing so I'm able to reach my services from the office networks.

The only thing that doesn't work is, for example, to contact port 80 from network 192.168.6.0/24.

From the webserver itself
nmap  -p 80 1.2.3.4 -Pn
PORT   STATE    SERVICE
80/tcp filtered http


From the webserver to a mailserver
nmap -p 25 1.2.3.5 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-05-11 09:38 CEST
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39478 > 1.2.3.5:25 S ttl=59 id=47236 iplen=44  seq=707988922 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39479 > 1.2.3.5:25 S ttl=40 id=38922 iplen=44  seq=707923387 win=1024 <mss 1460>
Nmap scan report for server.domain.com (1.2.3.5)
Host is up.
PORT   STATE    SERVICE
25/tcp filtered smtp


Suggestions?
#4
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)

I set nat reflection advanced options

I set a firewall rule on wan interface

The servers are reachable from the internet but not from my internal LAN networks.
Nat reflection is working with other forwarded ports.
I'm probably missing a firewall rule.

Any suggestion?
#5
This really looks like a bug to me:

- create a forward rule.
  (it doesn't matter what you choose in "Filter rule association").
- click on the pencil to edit the forward rule and try to change the "Filter rule association", you'll get this list:
  Pass
  Rule Nat
  Rule Nat
  Rule Nat
  Rule Nat

What do you think?

OPNsense 18.1.6-amd64
#6
Hi, I created a port forward as test:
2222 -> 192.168.178.99:22
I chose "add unassociated filter rule".
I expected to find a rule in Firewall / Rules / Wan that I was able to edit but I see no related rule.
Is it a bug or am I misunderstanding the meaning?

Nonetheless, if I click on the pencil to edit the "Nat / Port forward rule", the Filter rule association is "None".

Thank you.

OPNsense 18.1.6-amd64
#7
Hi all, if I redirect a port (Firewall / Nat / port forwarding) I have 3 choices.
In this topic I consider only two of them:

  • Associated filter rule
  • Pass
The first is the default.
It adds a rule in Firewall / Rule / Wan.
This rule can't be edited.
If I choose "Pass", no firewall rule will be checked.

In both cases, any request on the forwarded port will be accepted.
So, when is it the case to prefer "Associated filter rule" instead of "Pass"?
#8
18.1 Legacy Series / Virtual IP / IP Alias netmask
April 26, 2018, 05:50:07 PM
This may be a trivial question:
Considering my LAN nic with ip 192.168.1.1/24, I create a new virtual ip of type (Mode 'IP Alias') 192.168.2.1.
Shall I set 24 or 32 as netmask?
#9
I was expecting that, when I set a NAT rule and choose 'WAN address' as Destination, it would apply only to the ip I set on the WAN interface.
It seems it catches also the request of the other virtual ip.
Is that right?
#10
18.1 Legacy Series / OpenVPN status connecting
April 16, 2018, 02:47:35 PM
Hi, I'm configuring a VPN peer to peer between OPNsense and Zeroshell.
On the zeroshell side, everything looks ok:

14:37:50 TUN/TAP device VPN01 opened
14:37:50 Could not determine IPv4/IPv6 protocol. Using AF_INET
14:37:50 UDPv4 link local (bound): [AF_INET][undef]:1203
14:37:50 UDPv4 link remote: [AF_UNSPEC]
14:37:54 Peer Connection Initiated with [AF_INET]80.244.122.195:31378
14:37:54 Initialization Sequence Completed
14:37:55 Interface VPN01 is UP


but on the OPNsense side, the status is waiting or connecting.
The logs show this:

Apr 16 14:42:23 openvpn[92520]: Apr 16 14:42:23 openvpn[92520]: Inactivity timeout (--ping-restart), restarting
Apr 16 14:41:23 openvpn[92520]: UDP link remote: [AF_INET]ipServer:1203
Apr 16 14:41:23 openvpn[92520]: UDP link local (bound): [AF_INET]ipClient:0
Apr 16 14:41:23 openvpn[92520]: TCP/UDP: Preserving recently used remote address: [AF_INET]ipServer:1203
Apr 16 14:41:23 openvpn[92520]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1545 192.168.157.2 192.168.157.1 init
Apr 16 14:41:23 openvpn[92520]: /sbin/ifconfig ovpnc1 192.168.157.2 192.168.157.1 mtu 1500 netmask 255.255.255.255 up
Apr 16 14:41:23 openvpn[92520]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 16 14:41:23 openvpn[92520]: TUN/TAP device /dev/tun1 opened
Apr 16 14:41:23 openvpn[92520]: TUN/TAP device ovpnc1 exists previously, keep at program end


And it continues trying to connect.

Later I noticed on zeroshell log:

14:40:13    Peer Connection Initiated with [AF_INET]clinetIP:13648
14:41:23    Peer Connection Initiated with [AF_INET]clinetIP:10586
14:42:28    Peer Connection Initiated with [AF_INET]clinetIP:61929
14:43:33    Peer Connection Initiated with [AF_INET]clinetIP:12170
14:44:38    Peer Connection Initiated with [AF_INET]clinetIP:35118
14:45:43    Peer Connection Initiated with [AF_INET]clinetIP:32586

Any idea?

#11
18.1 Legacy Series / [SOLVED] LAN routing
April 16, 2018, 08:39:35 AM
Good Morning,
I have an OPNsense with a LAN interface with ip 192.168.2.254 and an ip alias: 192.168.3.250.
Some computers are in the 192.168.2.0/24 network and some others are in the 192.168.3.0/24 network with the respective gateways.
OPNsense is also the primary DNS for those networks and I override the web server ip with 192.168.2.114.
The requests from network 192.168.3.0/24 towards 192.168.2.114:

traceroute 192.168.2.114
traceroute to 192.168.2.114 (192.168.2.114), 30 hops max, 60 byte packets
1  192.168.3.250 (192.168.3.250)  0.481 ms  0.497 ms  0.519 ms
2  80.244.122.193 (80.244.122.193)  1.435 ms  1.679 ms  1.982 ms
3  80.244.120.2 (80.244.120.2)  9.933 ms  10.081 ms  10.095 ms^C


Is there a way to forward/route the traffic of 192.168.3.0/24 to 192.168.2.0/24 and vice versa?


#12
Hi all, I need some help configuring a VPN between OPNsense 18.1.6 and a zeroshell 3.8.1.
I get the error
Authenticate/Decrypt packet error: packet HMAC authentication failed
As 'Encryption algorithm' I'm using "BF-CBC (128 bit key by default, 64 bit block)" that is the default OpenVPN algorithm.
OPNsense is the client, Zeroshell is the server.
Zeroshell uses the default algorithm.

Do you know what may cause the above error?

Thank you.
#13
Hi all, I created a port alias named ZimbraProxyPorts to redirect them all to the internal ip.
I noticed that all ports are redirected to the 110 (the first one of the list).

grep ZimbraProxyPorts /tmp/rules.debug
ZimbraProxyPorts = "{ 110 143 993 995 80 443 }"
rdr pass on vtnet1 inet proto tcp from {any} to {(vtnet1)} port $ZimbraProxyPorts -> 192.168.178.4 port 110
OPNsense 18.1-amd64
FreeBSD 11.1-RELEASE-p6
OpenSSL 1.0.2n 7 Dec 2017
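An added check, not part of sirio81's post or of OPNsense itself: it parses rules.debug-style alias and rdr lines (the sample below is constructed, modelled on the line quoted above) and flags every rdr rule where a multi-port alias is redirected onto one fixed destination port, which is the collapse onto port 110 described in this post.

```python
import re

# Constructed sample modelled on the rdr line quoted in the post above
# (not a real rules.debug capture). The second rdr is a single-port
# forward that should not be flagged.
SAMPLE_RULES = """\
ZimbraProxyPorts = "{ 110 143 993 995 80 443 }"
rdr pass on vtnet1 inet proto tcp from {any} to {(vtnet1)} port $ZimbraProxyPorts -> 192.168.178.4 port 110
rdr pass on vtnet1 inet proto tcp from {any} to {(vtnet1)} port 2222 -> 192.168.178.99 port 22
"""

# alias definition:  NAME = "{ p1 p2 ... }"
ALIAS_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*)\}"\s*$')
# rdr rule: ... port <src> -> <host> port <dst>
RDR_RE = re.compile(r'^rdr\b.*?\bport\s+(\$?\w+)\s*->\s*(\S+)\s+port\s+(\S+)\s*$')


def parse_aliases(text):
    """Map alias name -> list of port strings from the alias definition lines."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            aliases[m.group(1)] = m.group(2).split()
    return aliases


def expand(spec, aliases):
    """Expand a '$alias' reference to its port list; a literal port stays as is."""
    if spec.startswith('$'):
        return aliases.get(spec[1:], [])
    return [spec]


def find_collapsed_rdr(text):
    """Return (source_ports, target_host, target_port) for every rdr rule whose
    multi-port source list is rewritten onto a single fixed destination port."""
    aliases = parse_aliases(text)
    findings = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        src_ports = expand(m.group(1), aliases)
        dst_ports = expand(m.group(3), aliases)
        if len(src_ports) > 1 and len(dst_ports) == 1:
            findings.append((src_ports, m.group(2), dst_ports[0]))
    return findings
```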
#14
Hi All, I have an OPNsense 18.1 with 3 NICs.
The first NIC (re0) has 3 VLANs assigned.
The other 2 NICs (re1 and re2) are WAN interfaces used in a WAN group for multi WAN.

On every VLAN interface I have to add a rule to allow DNS query on OPNsense, as described in the documentation.

I wonder if there's a way to set a single floating rule for that.
I don't think it's possible because I have to set a specific ip in the 'Destination' field and that ip is different for every VLAN (e.g.: 192.168.3.1; 192.168.4.1; 192.168.5.1).

But you may surprise me with something I don't know :-)
#15
Hi, I was wondering if using the same ip for dns and monitoring ip may cause problems.
I ask this because I'm testing pfsense as well and there are concerns about routes and monitoring ip.
https://forum.pfsense.org/index.php?topic=145739.msg792964#msg792964

Quote: Setting a particular address for a monitor causes the system to static route it through a particular gateway. Setting one of the system DNS servers to a particular gateway also causes the system to static route it. If you are not careful, you can cause the monitor to flap between two gateways. From your description, it sounds possible you have encountered this problem.

I know OPNsense share very little with pfsense but the logic may be the same.
#16
18.1 Legacy Series / Testing Multi Wan
March 28, 2018, 11:01:22 AM
Hi all, I successfully configured multi wan.
Now I'm playing with it to check if it works as I expected, and guess what...it doesn't  :D

My gateway group is named 'wangrp' and has 2 gateways
isp1 Tier 1 (this is the default gw)
isp2 Tier 2

On system / gateways / all I set 'Mark Gateway as Down' on the gw isp1.
I check my ip by 'dig +short @resolver1.opendns.com myip.opendns.com' and also by sites like ping.eu and I still see the isp1 public ip.

I was expecting to see isp2 public ip.

I remove the flag 'Mark Gateway as Down', apply changes and check the public ip.
Now both gateways are up so I expect to exit with isp1 but checking the public ip, I see the isp2 ip.
The exact opposite.
on Gateway / Status they are both online.

I repeated the procedure disabling the isp1 gw instead of marking it down.
This time the connection is correctly routed through the isp2 gw.
I re-enable the isp1 gw but I still get routed through the isp2 gw (Tier 2) instead of the isp1 gw (Tier 1).
Note: I disabled 'Sticky Connection' on firewall advanced settings.

Am I missing something?
#17
Following the documentation, at step 5:
Quote: Add a rule just above the default LAN allow rule to make sure traffic to and from the firewall on port 53 (DNS) is not going to be routed to the Gateway Group that we just defined.
I don't understand why it's wrong to use the gateway group for dns queries instead of the default gw.
Could you explain it?
#18
18.1 Legacy Series / Reset password procedure
March 27, 2018, 04:58:19 PM
Hi all, I have a fresh installed opnsense 18.1 serial.
I want to try to reset the password.
Reading the documentation

Quote: If the password for the system has been forgotten it can be reset easily with console access. Get to the physical console (Keyboard/Monitor, or Serial) and use option 3) to reset the WebGUI password.

Sounds pretty easy but I see the login prompt instead of the menu the guide speaks about.
#19
Hi, I just downloaded opnsense amd64 serial and flashed it on a usb pen drive.
I booted an alix and logged in at 192.168.1.1 as root / opnsense.
I followed the wizard.
I changed the lan and wan ip address and the admin password.
I opened the web interface from the lan ip but I can't login with user 'admin' and my new password.
I repeated this two times.

Any idea?