OPNsense Forum

Show Posts
Topics - sirio81

1
18.7 Legacy Series / Upgrade from OPNsense 18.1.13_1-amd64
« on: September 23, 2018, 06:04:14 pm »
Hi all, is it possible to back up the configuration of OPNsense 18.1.x and restore it to a new 18.7?
Is there another way to upgrade to the latest stable?

Thank you

2
18.1 Legacy Series / Help configuring HA-proxy
« on: September 23, 2018, 05:59:50 pm »
Hi all, I'm running OPNsense 18.1.13_1-amd64.
I'm trying to configure HAProxy to serve 2 webservers.
As of now, I only care about HTTP working.
I'll take care of HTTPS later.

I already set up HAProxy and it's working, but the web pages are incomplete: only the HTML is loaded, no images, no CSS.

Before I flood this post with many details, do you already know if that's a common configuration mistake?

The network schema is this:
Code:
router -> wan (192.168.179.2) | lan (192.168.178.3) -> webserver1 (192.168.178.15)
                                                    -> webserver2 (192.168.178.17)

The public IP is held by the router, which forwards all ports to OPNsense.

Thank you!

3
18.1 Legacy Series / Nat 1:1 and reflection from the same network
« on: May 11, 2018, 09:40:42 am »
Hi all, I already spoke about NAT 1:1 and reflection in this topic, but I have another specific problem to solve.

Consider 3 LAN networks:

192.168.2.0/24 (office pc)
192.168.3.0/24 (office pc)
192.168.6.0/24 (servers)

I have three servers on 192.168.6.0/24.
For each server I'm using NAT 1:1:

1.2.3.4 -> 192.168.6.38 (webserver)
1.2.3.5 -> 192.168.6.10 (mailserver 1)
1.2.3.6 -> 192.168.6.11 (mailserver 2)

192.168.6.38 is a webserver.
I've added a firewall rule on the WAN interface, so that ports 80 and 443 can be reached from outside.
I've added 2 rules on the LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass
Doing so, I'm able to reach my services from the office networks.

The only thing that doesn't work is, for example, contacting port 80 from network 192.168.6.0/24.

From the webserver itself:
Code:
nmap  -p 80 1.2.3.4 -Pn
PORT   STATE    SERVICE
80/tcp filtered http

From the webserver to a mailserver:
Code:
nmap -p 25 1.2.3.5 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-05-11 09:38 CEST
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39478 > 1.2.3.5:25 S ttl=59 id=47236 iplen=44  seq=707988922 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39479 > 1.2.3.5:25 S ttl=40 id=38922 iplen=44  seq=707923387 win=1024 <mss 1460>
Nmap scan report for server.domain.com (1.2.3.5)
Host is up.
PORT   STATE    SERVICE
25/tcp filtered smtp

Suggestions?

4
18.1 Legacy Series / Problem with nat 1:1 reflection
« on: May 05, 2018, 03:05:32 pm »
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)

I set the NAT reflection advanced options.

I set a firewall rule on the WAN interface.

The servers are reachable from the internet but not from my internal LAN networks.
NAT reflection is working with other forwarded ports.
I'm probably missing a firewall rule.

Any suggestion?

5
18.1 Legacy Series / [SOLVED] Filter rule association: "Rule Nat" repeated 4 times
« on: April 29, 2018, 03:32:32 pm »
This really looks like a bug to me:

- create a forward rule.
  (it doesn't matter what you choose in "Filter rule association".)
- click on the pencil to edit the forward rule and try to change the "Filter rule association"; you'll get this list:
  Pass
  Rule Nat
  Rule Nat
  Rule Nat
  Rule Nat

What do you think?

OPNsense 18.1.6-amd64

6
18.1 Legacy Series / Filter rule association: add unassociated filter rule
« on: April 29, 2018, 03:28:51 pm »
Hi, I created a port forward as a test:
2222 -> 192.168.178.99:22
I chose "add unassociated filter rule".
I expected to find a rule in Firewall / Rules / WAN that I was able to edit, but I see no related rule.
Is it a bug or am I misunderstanding the meaning?

Nonetheless, if I click on the pencil to edit the "Nat / Port forward rule", the Filter rule association is "None".

Thank you.

OPNsense 18.1.6-amd64

7
18.1 Legacy Series / Filter rule association: Associated filter rule VS Pass
« on: April 29, 2018, 03:13:31 pm »
Hi all, if I redirect a port (Firewall / Nat / port forwarding) I have 3 choices.
In this topic I consider only two of them:
  • Associated filter rule
  • Pass
The first is the default.
It adds a rule in Firewall / Rules / WAN.
This rule can't be edited.
If I choose "Pass", no firewall rule will be checked.

In both cases, any request on the forwarded port will be accepted.
So, when is it preferable to use "Associated filter rule" instead of "Pass"?

8
18.1 Legacy Series / Virtual IP / IP Alias netmask
« on: April 26, 2018, 05:50:07 pm »
This may be a trivial question:
Considering my LAN NIC with IP 192.168.1.1/24, I create a new virtual IP of type (Mode 'IP Alias') 192.168.2.1.
Shall I set 24 or 32 as the netmask?

9
18.1 Legacy Series / [SOLVED] WAN address explanation
« on: April 26, 2018, 12:55:09 pm »
I was expecting that, when I set a NAT rule and choose 'WAN address' as Destination, it would apply only to the IP I set on the WAN interface.
It seems it also catches the requests for the other virtual IPs.
Is that right?

10
18.1 Legacy Series / OpenVPN status connecting
« on: April 16, 2018, 02:47:35 pm »
Hi, I'm configuring a peer-to-peer VPN between OPNsense and Zeroshell.
On the Zeroshell side, everything looks ok:

Code:
14:37:50 TUN/TAP device VPN01 opened
14:37:50 Could not determine IPv4/IPv6 protocol. Using AF_INET
14:37:50 UDPv4 link local (bound): [AF_INET][undef]:1203
14:37:50 UDPv4 link remote: [AF_UNSPEC]
14:37:54 Peer Connection Initiated with [AF_INET]80.244.122.195:31378
14:37:54 Initialization Sequence Completed
14:37:55 Interface VPN01 is UP

but on the OPNsense side, the status is waiting or connecting.
The logs show this:

Code:
Apr 16 14:42:23 openvpn[92520]: Apr 16 14:42:23 openvpn[92520]: Inactivity timeout (--ping-restart), restarting
Apr 16 14:41:23 openvpn[92520]: UDP link remote: [AF_INET]ipServer:1203
Apr 16 14:41:23 openvpn[92520]: UDP link local (bound): [AF_INET]ipClient:0
Apr 16 14:41:23 openvpn[92520]: TCP/UDP: Preserving recently used remote address: [AF_INET]ipServer:1203
Apr 16 14:41:23 openvpn[92520]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1545 192.168.157.2 192.168.157.1 init
Apr 16 14:41:23 openvpn[92520]: /sbin/ifconfig ovpnc1 192.168.157.2 192.168.157.1 mtu 1500 netmask 255.255.255.255 up
Apr 16 14:41:23 openvpn[92520]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 16 14:41:23 openvpn[92520]: TUN/TAP device /dev/tun1 opened
Apr 16 14:41:23 openvpn[92520]: TUN/TAP device ovpnc1 exists previously, keep at program end

And it keeps trying to connect.

Later I noticed in the Zeroshell log:

Quote:
14:40:13    Peer Connection Initiated with [AF_INET]clinetIP:13648
14:41:23    Peer Connection Initiated with [AF_INET]clinetIP:10586
14:42:28    Peer Connection Initiated with [AF_INET]clinetIP:61929
14:43:33    Peer Connection Initiated with [AF_INET]clinetIP:12170
14:44:38    Peer Connection Initiated with [AF_INET]clinetIP:35118
14:45:43    Peer Connection Initiated with [AF_INET]clinetIP:32586

Any idea?

11
18.1 Legacy Series / [SOLVED] LAN routing
« on: April 16, 2018, 08:39:35 am »
Good morning,
I have an OPNsense with a LAN interface with IP 192.168.2.254 and an IP alias: 192.168.3.250.
Some computers are in the 192.168.2.0/24 network and some others are in the 192.168.3.0/24 network, with the respective gateways.
OPNsense is also the primary DNS for those networks and I override the web server IP with 192.168.2.114.
The requests from network 192.168.3.0/24 towards 192.168.2.114:

Code:
traceroute 192.168.2.114
traceroute to 192.168.2.114 (192.168.2.114), 30 hops max, 60 byte packets
 1  192.168.3.250 (192.168.3.250)  0.481 ms  0.497 ms  0.519 ms
 2  80.244.122.193 (80.244.122.193)  1.435 ms  1.679 ms  1.982 ms
 3  80.244.120.2 (80.244.120.2)  9.933 ms  10.081 ms  10.095 ms^C

Is there a way to forward/route the traffic of 192.168.3.0/24 to 192.168.2.0/24 and vice versa?

12
18.1 Legacy Series / OpenVPN Peer to peer: Authenticate/Decrypt packet error: packet HMAC authenticat
« on: April 11, 2018, 03:35:49 pm »
Hi all, I need some help configuring a VPN between OPNsense 18.1.6 and a Zeroshell 3.8.1.
I get the error
Code:
Authenticate/Decrypt packet error: packet HMAC authentication failed

As 'Encryption algorithm' I'm using "BF-CBC (128 bit key by default, 64 bit block)", which is the default OpenVPN algorithm.
OPNsense is the client, Zeroshell is the server.
Zeroshell uses the default algorithm.

Do you know what may cause the above error?

Thank you.

13
18.1 Legacy Series / [RESOLVED] NAT of alias redirects to single port
« on: April 10, 2018, 10:17:35 am »
Hi all, I created a port alias named ZimbraProxyPorts to redirect them all to the internal IP.
I noticed that all ports are redirected to port 110 (the first one in the list).

Code:
grep ZimbraProxyPorts /tmp/rules.debug
ZimbraProxyPorts = "{ 110 143 993 995 80 443 }"
rdr pass on vtnet1 inet proto tcp from {any} to {(vtnet1)} port $ZimbraProxyPorts -> 192.168.178.4 port 110

Code:
OPNsense 18.1-amd64
FreeBSD 11.1-RELEASE-p6
OpenSSL 1.0.2n 7 Dec 2017

14
18.1 Legacy Series / Use floating rule to allow dns query on OPNsense
« on: April 09, 2018, 04:17:38 pm »
Hi all, I have an OPNsense 18.1 with 3 NICs.
The first NIC (re0) has 3 VLANs assigned.
The other 2 NICs (re1 and re2) are WAN interfaces used in a WAN group for multi-WAN.

On every VLAN interface I have to add a rule to allow DNS queries to OPNsense, as described in the documentation.

I wonder if there's a way to set a single floating rule for that.
I don't think it's possible because I have to set a specific IP in the 'Destination' field and that IP is different for every VLAN (e.g. 192.168.3.1; 192.168.4.1; 192.168.5.1).

But you may surprise me with something I don't know :-)

15
18.1 Legacy Series / Multi wan: system dns and monitoring ip
« on: March 29, 2018, 12:19:36 pm »
Hi, I was wondering if using the same IP for DNS and as the monitoring IP may cause problems.
I ask this because I'm testing pfSense as well and there are concerns about routes and the monitoring IP.
https://forum.pfsense.org/index.php?topic=145739.msg792964#msg792964

Quote:
Setting a particular address for a monitor causes the system to static route it through a particular gateway. Setting one of the system DNS servers to a particular gateway also causes the system to static route it. If you are not careful, you can cause the monitor to flap between two gateways. From your description, it sounds possible you have encountered this problem.

I know OPNsense shares very little with pfSense, but the logic may be the same.
