Topics

1

18.7 Legacy Series / mac flaps on catalyst

« on: January 09, 2019, 12:09:45 pm »

Hello again,

I've been running two OPNsense nodes with CARP configured for a while now and had to change the HP switch they are connected to for a Cisco Catalyst.
So no changes in the OPNsense config are made.

The switch constantly reports MAC flaps, and when I log in to the VIP address I keep getting logged out (as if the MAC address indeed keeps flipping).

What would be the way to tackle this issue?

*Jan  9 10:13:53.458: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010e in vlan 883 is flapping between port Gi0/5 and port Gi0/4
*Jan  9 10:13:53.458: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010d in vlan 883 is flapping between port Gi0/5 and port Gi0/4
*Jan  9 10:13:53.458: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010f in vlan 883 is flapping between port Gi0/5 and port Gi0/4
*Jan  9 10:14:08.746: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010e in vlan 883 is flapping between port Gi0/4 and port Gi0/5
*Jan  9 10:14:08.746: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010d in vlan 883 is flapping between port Gi0/4 and port Gi0/5
*Jan  9 10:14:08.746: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010c in vlan 883 is flapping between port Gi0/4 and port Gi0/5
*Jan  9 10:14:08.746: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010f in vlan 883 is flapping between port Gi0/4 and port Gi0/5

2

General Discussion / Download old version

« on: September 17, 2018, 04:56:40 pm »

I'm managing an upgrade for a customer which is still on OPNsense 17.1.3-amd64 on a Deciso appliance.
Is there a place to download an old installer so we can test and rollback the upgrade?

3

18.7 Legacy Series / Set up NAT without round-robin

« on: September 16, 2018, 08:40:21 pm »

Hello there!

We was recently given a couple of OPNsense firewalls under management and have issues setting up NAT.
There is a corporate WAN (attached to the WAN interface) and a small network managed by external supplier (attached to the LAN interface).
There are 3 devices in the LAN which need to be accessible from any address on the WAN (via inbound NAT).
And the 3 devices are the only that are allowed to access the WAN (via outbound NAT).

We tried to set this up but inbound NAT doesn't seem to work.
Sometimes it does work inboud, on Device A, but not on the others.
Outbound NAT sometimes works, sometimes not. Driving us crazy :-)
When we replace the OPNsense with a very basic Sitecom consumer router, the NAT works fine! (for one IP, because it doesn't support multiple IPs)

I've been reading the forum a bit and perhaps I am running in to the round-robin behaviour which is described here, but not sure one must work around this.
https://forum.opnsense.org/index.php?topic=7132.0

It's important in our case that the addresses used by the NAT are fixed and not changed every now and then by OPNsense because this is blocked by the security devices all over the rest of the network.

Can somebody please describe how to create a simple inbound and outbound NAT rule including firewall rules (can be auto-created?) where WAN IP 10.x.x.42 is NATed to 172.x.x.10 and never ever uses another IP than these two?

Any other suggestions that might be the cause are also very welcome!

LAN addresses
Subnet /24
OPNsense VIP 172.x.x.1 (used as gateway by Device A,B,C)
OPNsense node A 172.x.x.2
OPNsense node B 172.x.x.3
Device A 172.x.x.10
Device B 172.x.x.11
Device C 172.x.x.12

WAN addresses
Subnet /26
Gateway 10.x.x.62
OPNsense cluster (VIP) 10.x.x.5
OPNsense node A 10.x.x.6
OPNsense node B 10.x.x.7
Device A (VIP) 10.x.x.42
Device B (VIP) 10.x.x.43
Device C (VIP) 10.x.x.44