Topics - BeanAnimal

#1

Port forward by using "other" and typing in ports and address works.
Port forward by using alias in drop down hits default deny rule.

Removed them all and added them again. Working now.

No idea why things like this break.


#2
20.7 Legacy Series / One issue after the next
August 04, 2020, 10:19:33 PM
NAT reflection - had huge issues (never resolved, can't remember version, there is a thread) for a very basic setup. I have no idea if this is fixed or what the issue was, nobody had any clue other than the standard "it works for me" answer.

Had VLAN tag issue after a firmware upgrade - could not get them resolved. Had to start from bare metal a year or so ago (19 to 20 I think)

Now

UPnP - was working some versions ago - upgraded to some 20.something and it broke. Nothing changed in config. Finally got tired of "Moderate NAT" on Xbox so set out this week to fix it.

Nothing worked other than ANOTHER bare metal install! BAM, UPnP starts working. I very carefully added back every rule, interface, etc.

I was still on hyper-v and had no reason to be so decided to MOVE to bare metal.

MORE ISSUES - Configs between the Hyper-V instance and bare metal are not compatible. hn# interfaces became igb# interfaces. I was able to get some stuff running, but not others. The config was a mess. So much for a backup.

Bare metal again!
This time 20.7 - I mean why not start fresh with latest, right?

Latest issue:
UPnP is fixed but now IPVanish client will not work. Same f'ing settings as before and same f'ing settings that worked 72 hours ago on 12.1 bare metal.

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

Then:
Found new bug - fiddling with settings, turning TLS Authentication on and off to see the error state change. And now, turning it back on will not allow me to paste in a TLS auth key.

I get:
The following input errors were detected:
The field 'TLS Authentication Key' does not appear to be valid

Given the error and the fact that I can't even change the key now, something is corrupt and not properly applying the encryption to either the key or the tunnel.

I really want to like this firewall and keep coming back, but then suddenly remember why I left. It feels like anything more than simple LAN-->Internet is an exercise in frustration and updates are sure to break something every time.

#3
20.1 Legacy Series / NAT Reflection not working
April 15, 2020, 07:31:42 PM
I have seen this same issue (never resolved) come up for the better part of 2 years over multiple live versions.

Can somebody in the know, please answer?

Simple setup
All NAT reflection options enabled
Port Forwarding for internal service set.

External --> Internal = working
Tested on several ports and internal hosts

Internal --> Reflection --> Internal = NOT WORKING

Nothing logged (I assume this is expected)
This IS NOT a DNS issue.
DNS resolves properly to external IP

Traffic via FQDN or IP results in site cannot be reached
I can ping the external IP from internal though...

This worked with the exact same settings in pfsense.

After reading 20 threads just like this ... something appears to be broken.

Please don't offer split DNS as a resolution. NAT reflection should be working.

#4
General Discussion / Active Directory - SSO
September 28, 2018, 01:37:42 AM
As I mentioned in another thread, I am evaluating this platform as a replacement for my business customers.

My initial research shows that the only AD sync that can be done is manual... while pfSense and most other enterprise platforms offer an AD sync option.

I saw a thread here with a conversation between an end user and maybe Franco, where the value of an automatic or real-time sync was questioned...

Quite simply put - I do not know any SMB, mid or enterprise admin that wants to manually sync a firewall to AD every time a user is added or a security group or OU is changed... let alone every time a user changes their AD credentials. That is insane! Unless I am missing something, that is the case here.

In most business networks, AD is used and AD credentials are reset regularly, most often by end users. If this firewall is used as the VPN concentrator, then users will be constantly locked out until a resync is done or users are manually added to the firewall....

Honest question (no disrespect meant to anybody). Is this an honest business product, or a fancy home firewall/router targeted at tech-savvy bit twiddlers tired of DD-WRT or mad at pfSense for selling out?

#5
General Discussion / Hyper-V VLAN issues - please help
September 27, 2018, 03:59:41 PM
OPNsense 18.7.3-amd64
Hyper-V 2012R2 (CORE)
Intel quad port physical NIC
5 static public IPs - 1 assigned to WAN. 2 assigned to Virtual IPs
Port forwarding/NAT rules appear to be working.

Wireless APs - Ruckus R600 Unleashed
SSID1 - NO VLAN
SSID2 - Marked for VLAN20

Windows AD server set to DNS and DHCP
10.15.30.0/24 subnet
LAN works as expected, DHCP leases handed out, AD happy and healthy with DNS
SSID1 - working on LAN

First Attempt to construct VLAN:
2 Virtual NICs attached to OPNsense
HyperV-VNIC 1 - WAN
HyperV-VNIC 2 - LAN

Using PowerShell - set LAN VNIC to -trunked 20 and -nativevlanid 0
Physical switch ports all set to trunked
New OPNsense interface "INT_VLAN20" subnet 10.15.31.0/24 with address 10.15.31.254
New VLAN "VLAN20" parent interface HN1 (LAN)
Assignment LAN VLAN20 on HN1 "INT_VLAN20"
Added DHCP server for INT_VLAN20 with scope x31.50 to x31.200

For a short time things were working - SSID2 was able to grab a x.x.31.x IP from DHCP and SSID1/LAN worked as expected.
Rebooted OPNsense and things broke. I tried for hours to get things working, including starting from scratch.
No luck.

Second Attempt:
Added additional VNIC to hyper-v
LAN NIC set back to untagged
New NIC set to access port=20
So HN3 = VLAN20 NIC now.
Parent interface for VLAN20 is HN3 and assigned accordingly.
Things are still not working...

Anybody willing to help - I am at a complete loss here and this should be fairly straightforward.
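The two Hyper-V adapter layouts described in the post above, written out as a host-side PowerShell script so the VLAN state can be applied and then read back for checking. This is an added example, not the poster's own commands or anything from the OPNsense project; the VM name "OPNsense", the virtual switch name "vSwitch-LAN" and the adapter names "HN1" and "HN3" are assumed placeholders, and the cmdlets are the standard Hyper-V module ones (Set-VMNetworkAdapterVlan, Get-VMNetworkAdapterVlan, Add-VMNetworkAdapter).

```powershell
# Added example (not the poster's commands): apply one of the two VLAN layouts
# from the post to a Hyper-V guest and print the resulting adapter VLAN state.
# Hypothetical names: VM "OPNsense", vSwitch "vSwitch-LAN", adapters "HN1"/"HN3".
param(
    [string]$VMName      = 'OPNsense',
    [string]$SwitchName  = 'vSwitch-LAN',
    [string]$LanAdapter  = 'HN1',
    [string]$VlanAdapter = 'HN3',
    [int]$VlanId         = 20,
    [ValidateSet('Trunk', 'Access')][string]$Mode = 'Access'
)

# Sanity check: the VM and the switch must exist before touching VLAN settings.
$null = Get-VM -Name $VMName -ErrorAction Stop
$null = Get-VMSwitch -Name $SwitchName -ErrorAction Stop

switch ($Mode) {
    'Trunk' {
        # First layout: a single LAN adapter carries untagged LAN frames plus
        # tagged VLAN $VlanId frames. Tags reach the guest, so the guest (OPNsense)
        # must create its own VLAN child on this parent to see VLAN $VlanId.
        Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $LanAdapter `
            -Trunk -AllowedVlanIdList "$VlanId" -NativeVlanId 0
    }
    'Access' {
        # Second layout: LAN adapter goes back to untagged and a dedicated adapter
        # is placed in VLAN $VlanId as an access port. In access mode the virtual
        # switch adds and strips the tag itself, so the guest receives untagged
        # frames on that adapter; if the guest tags them again, they are dropped.
        Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $LanAdapter -Untagged

        $existing = Get-VMNetworkAdapter -VMName $VMName -Name $VlanAdapter -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-VMNetworkAdapter -VMName $VMName -Name $VlanAdapter -SwitchName $SwitchName
        }
        Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $VlanAdapter `
            -Access -VlanId $VlanId
    }
}

# Read the state back. This is what to compare after a guest reboot: the host-side
# setting persists with the VM, so a change in guest behaviour points at the guest
# configuration (parent interface, VLAN child, assignment) rather than at Hyper-V.
Get-VMNetworkAdapterVlan -VMName $VMName |
    Select-Object ParentAdapter, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList |
    Format-Table -AutoSize
```

Run it once with `-Mode Trunk` to reproduce the first attempt and once with `-Mode Access` for the second; the final table shows, per adapter, whether the virtual switch is passing tags through (Trunk) or handling them itself (Access), which decides whether the guest interface should be the raw adapter or a VLAN child on it.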