Topics - swingline

1
21.7 Legacy Series / **Solved** wireguard is selectively routing traffic
« on: January 06, 2022, 09:59:46 pm »
I have wireguard set up and I thought it was working correctly, but I am having some routing issues with one of the subnets in AllowedIPs. The 172.28.0.0/24 is causing me issues, as wireguard seems to only be routing some of the IPs but not all of the IPs in that VLAN. All of the IPs can be pinged from inside the local net.

Here is what my peer configs look like:

Code:
[Interface]
Address = 10.30.0.2/32
PrivateKey = blank

[Peer]
PublicKey = tyQSYEh1ik4CarV9GjCqdCIdscwVkiSghXNoRa+sRFo=
AllowedIPs = 10.30.0.0/24,172.28.0.0/24
Endpoint = {IP}:28363

I just have allow all rules on both the wireguard and the VLAN interfaces. No floating rules or anything like that.

Anyone know what might be causing the selective routing?
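The cryptokey routing that AllowedIPs defines, as an added example written for this page (not code from the post): WireGuard selects a peer by longest prefix match over every peer's AllowedIPs, for an outbound destination and an inbound source alike, so a whole /24 in AllowedIPs covers every host in it. The second peer key is a hypothetical placeholder, added only to show how an overlapping, more specific entry takes hosts away from the first peer.

```python
import ipaddress

# Constructed peer table modelled on the post's config. The first key is the one
# quoted in the post; the second peer is hypothetical, to show prefix overlap.
PEERS = {
    "tyQSYEh1ik4CarV9GjCqdCIdscwVkiSghXNoRa+sRFo=": ["10.30.0.0/24", "172.28.0.0/24"],
    "HYPOTHETICAL-second-peer-key": ["172.28.0.64/26"],
}


def build_table(peers):
    """Flatten AllowedIPs into (network, peer) entries, most specific prefix first."""
    table = [(ipaddress.ip_network(cidr), key)
             for key, cidrs in peers.items() for cidr in cidrs]
    # Longest prefix wins, exactly as the cryptokey routing table resolves it.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Return the peer an address maps to, or None when no AllowedIPs entry covers it.

    Outbound: None means the packet is dropped, not sent to any peer.
    Inbound: None means a packet claiming that source address is rejected.
    """
    addr = ipaddress.ip_address(ip)
    for net, key in table:
        if addr in net:
            return key
    return None


def uncovered_hosts(table, cidr, peer):
    """Hosts of cidr that would NOT be routed to `peer` (another peer wins, or no match)."""
    return [str(host) for host in ipaddress.ip_network(cidr).hosts()
            if lookup(table, host) != peer]


if __name__ == "__main__":
    first = "tyQSYEh1ik4CarV9GjCqdCIdscwVkiSghXNoRa+sRFo="
    only_first = build_table({first: PEERS[first]})
    print("single peer, hosts of 172.28.0.0/24 not sent to it:",
          len(uncovered_hosts(only_first, "172.28.0.0/24", first)))
    print("two peers, hosts of 172.28.0.0/24 not sent to first peer:",
          len(uncovered_hosts(build_table(PEERS), "172.28.0.0/24", first)))
```

With the post's single peer the second count is 0, so a partial set of reachable hosts points at something other than the AllowedIPs entry itself (an overlapping peer, or routing and firewall state on either end).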

2
Development and Code Review / Android management app
« on: April 28, 2021, 07:59:08 pm »
Hello,
I have been working on an Android app written in Python using KivyMD.

https://github.com/Red-Swingline/OPNsenseManager
I am modifying a custom app that I provided to my clients. This app intends to allow users to do common immediate actions and escalate as needed for help using the email option.

As the app is written now it's capable of:
  • Rule management (rules created with firewall plugin https://docs.opnsense.org/development/api/plugins/firewall.html)
    • Manually add rules by entering rule UUID and Description.
      • I opted for manually adding rules, as there may be rules created on the firewall that the end-user has no reason for messing with.
    • Manually deleting rules from the Admin tab.
      • This only removes rules from the local SQLite database
  • VPN management
    • Enable/disable Wireguard client
    • (I might add other protocols if needed)
  • Power
    • Reboot
  • Admin
    • Add rules
    • Delete Rules (from local SQLite database)
    • Email Admin sends a fixed SOS email to a specified email address, aka the network admin. (Needs to be fixed)

3
Development and Code Review / Firewall rules and API?
« on: March 20, 2021, 05:04:00 am »
I didn't see anything in API reference so I figured I would ask here.

Is it possible to enable or disable a firewall rule with an API call?

4
20.1 Legacy Series / Wireguard DNS issues.
« on: June 08, 2020, 02:57:28 pm »
I have wireguard set up as a client connecting to a remote server. It's working like 95%. I seem to be having issues with DNS; I'm not sure if this is an unbound issue or a wireguard routing issue. I have tried two different configs.

Config 1:
1. Wireguard connected to VPS
2. Create an interface for wireguard called "WG"
3. Create outbound NAT rule
             interface: "WG"
             Source address: 10.0.0.0/24
4. 1.1.1.1 and 1.0.0.1 set as DNS in settings General.
5. Unbound set to forwarding mode.
6. Create LAN rules to route a few things around the VPN out to WAN.

This config works, but there are a few URLs that don't resolve correctly. I have tested on the server side and everything resolves correctly.

Config 2:
1. Disable Routes under local config of wireguard
2. Set Gateway to 10.30.0.1
3. Create an interface for wireguard called "WG"
4. Create new Gateway
          Name: "VPN"
          Interface: "WG"
          IP: "10.30.0.1"
          Check "Far Gateway"
5. Create LAN Rule for just a small test Alias called "Desktop"
         Source: "Desktop"
         Gateway: "VPN"
6. 1.1.1.1 and 1.0.0.1 set as DNS in settings General.
7. Unbound set to forwarding mode.

This results in routing "Desktop" traffic via the "VPN" Gateway, all but, it seems, DNS, so nothing resolves. I have played with a few variations of each, with either little or no difference.

I have been tearing my hair out over this one for a few months, I have just been living with the 95% solution but I would like to figure out what I have configured incorrectly.

5
19.7 Legacy Series / Blocking traffic
« on: December 10, 2019, 10:04:21 am »
I have created an alias for my children's devices. I would like to create a rule to block their devices from accessing the WAN. What rules do I need to create to keep their devices from accessing the internet?

6
19.7 Legacy Series / schedule a reboot
« on: October 28, 2019, 03:28:58 pm »
Is there any way to schedule a reboot of opnsense?

7
19.7 Legacy Series / Wireguard as a VPN client?
« on: August 29, 2019, 04:05:19 pm »
I intend to use wireguard on my firewall as a replacement for my OpenVPN client. I have an existing VPS running wireguard that I use with my phones and tablets on the go. I am having issues getting the gateway setup and outbound rules to route my LAN traffic over the wireguard VPN.

On 19.7.2, I wasn't able to add a gateway for my WG interface. Post 19.7.3 upgrade, all of the gateways I attempted to add now show up on the gateway list, but I can't enable them, and they show as defunct. I was able to delete all but 1 with the web interface; the last needed to be removed via config.xml.

Is anyone having an issue like this?

8
19.7 Legacy Series / zerotier as a VPN
« on: August 23, 2019, 06:13:14 am »
My intent with zerotier is to use it as a replacement for OpenVPN. I have zerotier set up on a VPS and I am able to connect via a mobile app and the VPS is forwarding traffic as it should. I have zerotier setup on opnsense 19.7.2 and everything connects and I can ping that interface.

My issue is routing my outbound LAN traffic over the zerotier interface. What's the best way to route all outbound LAN traffic over the zerotier interface, just like with OpenVPN?

9
Intrusion Detection and Prevention / Suricata enabled causes issues with remote locations
« on: April 13, 2019, 04:31:22 pm »
Short Version: I have a Homesite and two remote locations, all using OPNsense 19.1.6-amd64. All locations use PPPoE WAN; I only want to enable Suricata on the home site. The remote sites connect through an OpenVPN server with xor patch, not a firewall server but on a separate VM on a VLAN. When Suricata IPS mode is enabled the remote sites seem to maintain a connection to VPN but no internet at either remote location LAN.

Long Version: I have three locations that are all using OPNsense 19.1.6-amd64. The Home location has the following networks.
    • PPPoE WAN
    • LAN
    • IOT VLAN
        ◦ OpenVPN server with xor patch running on an Ubuntu server on IOT VLAN; this is how my other two sites connect.
    • VPN Client

All LAN traffic, with the exception of a few devices managed with aliases, is routed through the VPN client. The IOT VLAN is on the local ISP PPPoE WAN, with the exception of the Ubuntu OpenVPN server, which has a rule to use the VPN client as its gateway.

Site two and three are identical and look like this:
    • PPPoE WAN
    • LAN
    • VPN Client to site one.

Everything is working fine, but I would like to enable Suricata. Currently, I have the service enabled, but IPS mode disabled on IOT, LAN, VPN interfaces. With the following rule sets selected and set to Drop.

    • ET open/botcc
    • ET open/botcc.portgrouped
    • ET open/ciarmy
    • ET open/dshield
    • ET open/emerging-attack_response
    • ET open/emerging-current_events
    • ET open/emerging-dos
    • ET open/emerging-exploit
    • ET open/emerging-malware
    • ET open/emerging-mobile_malware
    • ET open/emerging-trojan
    • ET open/emerging-worm

When I enable IPS mode everything keeps working at the Homesite but site one and two immediately stop working unless I disconnect them from VPN. I can't keep IPS mode enabled long enough to see what might be causing the issue as phone calls start to come in as soon as I enable it.

Figured someone here might have run into something like this or know what my issue is. Could it be the patched VPN packets tripping Suricata to drop packets? Any advice?

I have posted this on opnsense forum but not much help yet.

Also here is a diagram of my network.

10
General Discussion / API for Firewall rule?
« on: October 28, 2018, 09:23:14 am »
Just wondering if this could be done with the API: enable/disable a firewall rule.

For example:

I have a rule that blocks all traffic for my kids' devices when they are acting up. Just wondering if I could use the API to make a two-button Android app for my wife to enable/disable the rule when I'm not around?

11
18.7 Legacy Series / **SOLVED** 2FA issues
« on: October 10, 2018, 08:00:40 am »
So I followed the wiki on setting up google 2fa for logins. It works but only kind of, meaning that I can still log in with just password or with the 2fa added to the front of the password. Am I missing something here?

12
18.7 Legacy Series / SOLVED - Port forwarding issues?
« on: August 18, 2018, 04:12:52 pm »
I seem to be having some port forwarding issues. All but one of my port forwards stopped working when I moved to 18.7.

Here is my setup

WAN (Static IP)
LAN 10.0.0.1/24
Ovpn 10.8.0.2

I have created an Alias that includes all of the IP addresses that I want to route around the VPN to the WAN. All other LAN traffic routes through the OpenVPN connection.

I have deleted all rules and port forwards that stopped working. For some reason, I have 3 rules for my Plex server (the working port forward) and at this point, I don't know which one is still working so I didn't delete any of them. 

Is anyone else having issues with port forwarding?

**UPDATE**

I had some extra time to troubleshoot this. All I did was delete all port forwarding rules and redo them, and it started working.

13
18.7 Legacy Series / OpenVPN client
« on: June 12, 2018, 06:34:44 pm »
I switched over to OPNsense from pfSense for the XOR OpenVPN support. I have always used my own VPN server, so it wasn't that big of a deal to set up the server with the xor patch and get it up and running.

The problem comes with setting up OPNsense as the client: the connection status says connected, but none of the LAN traffic is being routed through the connection. I am running in "Hybrid outbound NAT rule generation" with a couple of manual rules in the image attached. OpenVPN has also been assigned to its own interface.

It seems like the rules are set, and it is still just pushing all LAN traffic over the PPPoE. I have been chasing my tail on this one for a couple of weeks. So any help would be much appreciated; I'm sure I'm overlooking something undeniably obvious.

Code:
root@OPNsense:~ # pfctl -s nat
nat on ovpnc2 inet from 127.0.0.0/8 to any port = isakmp -> 10.8.0.2 port 1024:65535
nat on ovpnc2 inet from 10.0.0.0/24 to any -> 10.8.0.2 port 1024:65535
nat on pppoe1 inet from (igb1:network) to any port = isakmp -> XX.XX.XX.XX static-port
nat on pppoe1 inet from 127.0.0.0/8 to any port = isakmp -> XX.XX.XX.XX static-port
nat on pppoe1 inet from (igb1:network) to any -> XX.XX.XX.XX port 1024:65535
nat on pppoe1 inet from 127.0.0.0/8 to any -> XX.XX.XX.XX port 1024:65535
no rdr proto carp all
no rdr on igb1 proto tcp from any to (igb1) port = https
no rdr on igb1 proto tcp from any to (igb1) port = http
no rdr on igb1 proto tcp from any to (igb1) port = ssh
rdr on pppoe1 inet proto tcp from any to (pppoe1) port = 32400 -> 10.0.0.13 port 32400
rdr on pppoe1 inet proto udp from any to (pppoe1) port = 32400 -> 10.0.0.13 port 32400
rdr on pppoe1 inet proto tcp from any to (pppoe1) port = 3579 -> 10.0.0.56 port 3579
rdr on pppoe1 inet proto tcp from any to (pppoe1) port = 25568 -> 10.0.0.106 port 25568
rdr on pppoe1 inet proto udp from any to (pppoe1) port = 25568 -> 10.0.0.106 port 25568
rdr on pppoe1 inet proto tcp from any to (pppoe1) port = 4040 -> 10.0.0.41 port 4040
rdr on pppoe1 inet proto udp from any to (pppoe1) port = 4040 -> 10.0.0.41 port 4040
rdr on pppoe1 inet proto tcp from any to (pppoe1) port = 9090 -> 10.0.0.40 port 9090
rdr on pppoe1 inet proto udp from any to (pppoe1) port = 9090 -> 10.0.0.40 port 9090

14
General Discussion / IPSEC and VLAN
« on: May 08, 2018, 11:05:54 am »
I currently run pfSense, but I have recently run into a limitation of pfSense and I am looking for an alternative, and I hope that Opnsense will be a good fit.

Because of some local changes regarding VPN usage, I am no longer able to utilise the OpenVPN protocol. With my current setup, I route all LAN except a few devices in an alias over VPN.

Here is a diagram of my current network.

What I would like to do is:

  • Create a VLAN 10.0.100.1 for Server VM(s)/Docker
  • IPsec connection for LAN 10.0.0.1 covering unmanaged switch and AP(s)
  • Allow LAN to VLAN traffic while connected to IPsec

Currently, pfSense is unable to accomplish this, is this something that I could achieve with Opnsense?
