OPNsense

Topics - c-mu

1
General Discussion / Can ISC and KEA DHCP coexist?
« on: September 13, 2024, 08:23:14 am »
I have many VLANs where the classic ISC DHCP Server does its job. Now I wanted to deactivate ISC and activate KEA in one VLAN as a test, but I can't get a DHCP lease. I don't see any errors in the log file and the KEA service starts. Do I have to disable ISC on all interfaces for it to work?

I have already configured the corresponding subnet in KEA and checked it three times. But after deactivating ISC and activating KEA on that specific VLAN, my client does not get a DHCP lease on the VLAN.

Thank you!

2
24.7 Production Series / 24.7.1 OpenVPN SSL error certificates are revoked
« on: August 16, 2024, 08:58:42 am »
Hello,
A colleague installed the update from 24.7 to 24.7.1 during the night. It was this morning when I noticed that the OpenVPN connections can no longer be established. All certificates report "error=certificate revoked".
We couldn't find any indication of why this was suddenly the case, so I set “Peer Certificate Revocation List = none” in the server instance. Since then the login has been working again.
We are still using the legacy OpenVPN server instances. Did I miss something critical in the changelog?

Code:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS handshake failed
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 OpenSSL: error:0A000086:SSL routines::certificate verify failed:

3
High availability / HA on the same device
« on: June 13, 2024, 03:03:40 pm »
Hi!

I have several free SFP+ ports on my hardware. My goal is to secure my public IPs over two lines to the ISP Switch. However, an IP alias can only be assigned to one interface. How could I achieve this goal without using two Firewalls with CARP?
Thank you :-)

4
23.1 Legacy Series / howto use livelog correctly
« on: October 26, 2023, 11:34:15 am »
Please help me to understand the live log correctly. I am having extreme problems looking up anything there for debugging purposes. I mostly switch back to TCPDUMP.

For example I have a mailserver. I go into the livelog, enter the filter "src IP mailserver" or "dst IP mailserver" and nothing is displayed.
Neither my ping tests, nor the mails coming in, nor anything else.

At the same time, several mails per second go through this server, but I can't see anything in the livelog.

Do I need to check "enable logging" everywhere in the ruleset?

The mail server is in a DMZ, which means that all connections have to go through the firewall and therefore have to be visible in the livelog.

Maybe I have too many connections, so it can't show up in the livelog? I do not know exactly where I see the active connections, but the firewall has 32k active states.

Don't get me wrong, when I run the livelog without filter, I see dozens of entries that change very quickly.

5
German - Deutsch / Using CARP correctly
« on: October 09, 2023, 02:28:56 pm »
Hello,
I'm currently puzzling over how to proceed correctly in the following scenario.

Suppose I have dozens of VLANs and now want to add a second firewall for HA.
Do I now have to configure a separate CARP address for each VLAN as well, or is it enough to configure CARP on one interface so that the firewalls can negotiate master/slave, and then set up virtual IPs for all the other VLANs/interfaces?

In my case I have around 50 VLANs and, to be honest, I can't warm to the idea of setting up an extra CARP IP for each interface.

Thanks!

6
German - Deutsch / Are "general logs" not transmitted to the log server?
« on: October 18, 2022, 11:00:46 am »
Hi folks,
for some time now I have been sending the log files to a Loki server. Now I want to debug a specific problem where the error messages show up here:

    System: Log Files: General

But I can't find those messages via Loki, although I can find all the others.
I checked again, and under Logging destination all applications are ticked except filter (filterlog). Does anyone have an idea about this?

Thanks!

7
High availability / am I using CARP incorrectly?
« on: September 07, 2022, 10:52:38 am »
Hello,
I've been wondering for a while if I've been using CARP incorrectly for years and if I can't do better.

I have a lot of VLANs, currently around 80-100 I guess, mostly /29 networks for customer environments for security purposes.
Now I have also configured a CARP address for each VLAN, but is that really necessary?

Isn't it enough if I set up CARP only in the main network, for example, and set up a Virtual IP for all other interfaces/VLANs? As soon as a problem is detected in the main network, the master moves to the slave and with it all virtual IPs.

How would you do it?
Thank you!

8
High availability / Packet Loss over all VLANs (22.7.2 and 22.1.6)
« on: August 31, 2022, 10:27:38 am »
I have a strange problem since Sunday.
Two hardware-identical firewalls are working in HA mode with CARP. OPNsense 22.1.6. It has worked for years.

Since Sunday I have packet loss on all VLANs. Both firewalls have problems determining the CARP master. As a first step I shut down the slave. The log then throws the same message across all CARP interfaces, the order is random (master firewall):

example:
carp: 60@ixl1_vlan141: BACKUP-> MASTER (master timed out)
carp: 60@ixl1_vlan141: MASTER -> INIT (hardware interface up)
carp: 60@ixl1_vlan141: INIT -> BACKUP (initialization complete)
carp: 60@ixi1_vlan141: BACKUP -> MASTER (master timed out)

And again: it is configured as master itself and its slave is offline. Base 3 and skew 0 are configured.

Next I updated the master to 22.7.2, because of a possible software bug. No success.
Then I replaced the Intel card with Mellanox. No success.
With the current version 22.7.2 the DHCP service also fails at some point and does not assign any more leases until the reboot.

Then I changed a VLAN CARP IP to the IP alias to exclude CARP - drops still follow.

Packet losses occur exclusively to the firewall, or across the VLANs. VLAN internally from host to host there are no losses.
It doesn't matter if the Master is the only one online, or the Slave, or both.
Does anyone have an idea what else I can do?

9
Zenarmor (Sensei) / is there a live log?
« on: May 27, 2022, 08:41:39 am »
Hi,
we have not too long ago installed Zenarmor in the community edition for testing. We have left everything mostly on default settings and only the "Block Malware Activity" filter active.

Now we have noticed that sporadic network traffic between VLANs does not work properly. After a while it turned out that it was Zenarmor that was blocking the traffic. However, it was not directly obvious to us. I had looked under reports for threats and blocks, but did not see anything suspicious.

Long story short: is there a livelog where you can see blocking states directly?

Thank you!

10
High availability / Master suddenly switches to slave (v22.1.6)
« on: April 27, 2022, 04:49:26 pm »
Hello, I recently have the problem that my master without warning becomes the backup server, and the slave becomes the master. I still can't find a clue why this happens, but in the logfile for each interface there is the following entry:

2022-04-27T16:06:18 Error opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "VLAN146 (10.27.146.250) (89@ixl1_vlan146)" has resumed the state "BACKUP" for vhid 89

I can't find any other hint in the log indicating any error.

The only difference between master and slave is that the master is running Zenarmor. Can this be the cause?

EDIT: is there a way to configure a threshold like, let's say, "wait 5 seconds until change master/slave"?

11
Zenarmor (Sensei) / High RAM Usage
« on: April 11, 2022, 12:57:03 pm »
Hi,
I have been testing Zenarmor for a couple of days (free version) and as I logged into my OPNsense dashboard this morning I saw that 75% of my RAM was used, still growing (25Gig of 32Gig).

My first task was to restart Zenarmor and it freed ~10Gig. I'm using the latest version of Zenarmor and it is configured to act in Passive Mode (Reporting Only). What could be a reason?

Zenarmor's statistics say that I have 1200 unique local devices (don't really believe that). Is my memory not enough for that?

Are there any other things that I can check?

Thank you!

12
22.1 Legacy Series / 22.1.2_1 IPsec online but no traffic
« on: March 04, 2022, 09:37:04 pm »
Hi,
I updated today from the latest 21.x to 22.1.2_1 and I'm facing a problem now, that 3 of ~13 IPsec tunnels are not correctly online. They are connected but I don't get traffic through them.

The log file does not work any more, even for OpenVPN. "No results found!". So I have trouble debugging this.

Does anyone know something about that?

Sidenote: the new IPsec overview with the P1+P2.. mh, I don't really like it :)

Thank you!

edit: OpenVPN logfile is working again, but not for IPsec
edit2: found out that I have to change the loglevel view..
edit3:

there is nothing special to find in the log, everything seems to be okay, but it is not

13
21.7 Legacy Series / I don't understand Firewall's Live Log
« on: February 18, 2022, 01:11:56 pm »
Hello,
I do not understand the live log. I see all sorts of information there, but when I specifically want to investigate a case for which there is a firewall rule, I don't see it.

Inside the rule there is a check mark "Log packets that are handled by this rule". For example, if I ping this server that is noted in the rule, it doesn't show up in the livelog. Why not?

I can put in a simple rule "icmp allow to server IP 1.2.3.4", I set the checkbox and look in the live log if it is being tracked. I start my ping (works) and watch the log but no entry to be found.

I keep running into this problem so the live log has never given me any benefit to date. I have then always used tcpdump on the console.

Am I missing something fundamental? It also doesn't matter which filter I use, i.e. whether I search for source, destination or "address", I don't see what I need.

Thank you for your time :)

Edit: is there an option to log everything? I mean my log destination is a RAM disk with 30Gigs free space. Time range? Usually I never needed the past hours, only the time "now".

14
21.7 Legacy Series / Firewall Groups and individual rules
« on: January 19, 2022, 04:02:06 pm »
Hi!
I have many VLANs and most of them only need a default ruleset like "allow DNS, forbid private networks, allow internet". I thought that you can pretty well slay with firewall groups and not create the same rule sets over and over again. But what do I do if one of these VLANs needs an additional rule? Do I have to take it out of the firewall group and build individual rules again?

Thanks!

15
21.7 Legacy Series / Firewall Live log doesn't show everything
« on: January 14, 2022, 11:36:34 am »
Hello,
I have a question about the firewall Livelog. Should this really show everything?
I am debugging an OpenVPN Site2Site issue, but I don't see the connection attempts in the live log. Not even when the filter is set to "address", "Src", or "Dst". In the OpenVPN log I see all connection attempts, but why not in the firewall live log?

Thanks!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved