Topics - Aloist

1
23.7 Legacy Series / Can I copy firewall rules to another machine?
« on: January 19, 2024, 08:59:18 am »
I set up another OPNsense firewall, this time as a bridge.
Can I copy the existing firewall rules to the new machine?
I do NOT want to copy the complete configuration.

2
General Discussion / UDP packets not filtered
« on: November 17, 2019, 10:24:31 am »
I have had a recent problem when one of our servers was incorrectly configured for NTP, and then was abused for an NTP amplification DDoS attack.
Because it gets NTP broadcasts from the LAN, it does not need to receive NTP packets from the Internet.

I have created a firewall rule, which on the WAN side blocks all incoming NTP packets to this server's IP, UDP port 123.

But when I use tcpdump on the server to see incoming UDP packets on port 123, I still see massive amounts of them.
It seems that the firewall rule does not work.

What could be going on here?

3
19.1 Legacy Series / How to transfer config from 18.7 to different hardware running 19.1?
« on: February 11, 2019, 04:20:05 pm »
I am going to have a new firewall device running OPNsense 19.1.

My current firewall runs 18.7 on different hardware. I do not dare to upgrade, as I fear a kernel panic after the upgrade.
(This has been discussed in a different thread.)

How can I transfer the OPNsense configuration from the old hardware to the new hardware?

4
18.7 Legacy Series / Insight no longer shows anything after update from 18.7.8 to 18.7.10
« on: February 09, 2019, 06:10:24 pm »
Since the update to 18.7.10, Insight shows 'no data available'.
What happened?

How do I get the data display back?

5
18.7 Legacy Series / Can one revert from update if problems are found?
« on: December 13, 2018, 11:29:40 am »
I am rather new to OPNsense.
From my general experience with operating systems over more than 40 years, I have learned that it is wise not to update immediately when a new release is offered, like now with OPNsense 18.7.9.

In this context I wonder:
If one does an early update to a new release and finds a new problem, can one revert to the previous version?

6
General Discussion / [SOLVED] secondary IP address for WAN interface - how? (routing issue)
« on: December 04, 2018, 07:02:50 pm »
I need help to configure a new OPNsense firewall for my special situation, which I describe below.

We have owned a class C IP range a.a.a.0/24 for many years, and all devices in our company
network have public addresses from this range.
I have split it into two subnets:
  a.a.a.240/28  for the external network at colocation space
  a.a.a.0/25    for the internal company network
  (the range a.a.a.128 - 239 is currently unused)

In addition, we use a network 10.1.2.0/24 at the colocation space
for the remote-admin interfaces (RAC interfaces) on all Dell servers
and for VLAN access to the two switches.

We also use the network 10.1.1.0/24 inside the web server farm.

Problem: how to reach the RAC-network 10.1.2.0/24 from the internal company network?

Up to now we used an older Cisco 2621 router in the place where the OPNsense firewall
will now be placed. We use access list filter rules as the firewall for the company network.
The outer interface of the Cisco router had two IPs assigned:
a.a.a.254
secondary 10.1.2.254

That way, it understood the routing automatically.

On OPNsense, apparently I cannot simply assign a secondary IP to the WAN.

Colocation rack at provider
===========================

       ^  to Provider router + Internet
       | gateway IP a.a.a.253
       |
       |
       |           vlan: 10.1.2.2
   +---------------------------------------+
   | 24 port outer switch                  |-------------------+
   +---------------------------------------+                   |
     |                                                         |
     |                                 Subnet a.a.a.240/28     |
     |                                                         |
     |IP a.a.a.241 ..                  Subnet 10.1.2.0/24      |
     |aliases: a.a.a.242-245           for RAC card on each    |
+--------------------------------+     server and for vlan     |
| load balancer                  |     on switches             |
| and firewall for web servers   |                             |
| with iptables / RHEL 7         |----- RAC IP 10.1.2.200      |
+--------------------------------+                             |
           |10.1.1.254                                         |
           |                                                   |
           |IP 10.1.1.x                                        |
Web server farm of 7 servers --- RAC IP 10.1.2.201-207         |
                                                               |
                                                                |
                                                                |
                                                                |fiber
                                                                |leased line
                                                                |100 mbit
                                                                |
                                                                | 10 km
                                                                |
Server room at company HQ                                       |
=========================                                       |
                                                                |
                                             ethernet          |
                                    +--------------------------
                                    |
                                    |
                       ip a.a.a.254 | port 2 'WAN', secondary IP 10.1.2.254 is desired
                        +-----------------------------+
                        |  OPNsense Firewall   os1    |
                        +-----------------------------+
                           | port 1 'LAN'
                           | ip a.a.a.62 as company gateway
                           | keep IP which is defined as gateway in many devices
                           |
                           |
                           internal network
                           subnet a.a.a.0/25


7
General Discussion / rwhod service?
« on: December 03, 2018, 09:26:54 pm »
Can I get an rwhod service running on OPNsense?

I use the command ruptime to get a quick overview of a set of Linux machines, and it would be nice if the OPNsense firewall machine would appear there as well.

8
General Discussion / Real world IP addresses for firewall, or non-routable IPs?
« on: November 20, 2018, 11:08:53 pm »
Hi,
I have used a Cisco router in the past as a firewall, with access lists for the filter rules.
The router had a real world IP address for its internal LAN interface.
That IP was then configured as the gateway IP for other devices in the network.

Now I am about to set up an OPNsense firewall.

Should I also give the internal interface a real world IP, so that I can name it as the gateway for other devices, or should I stick to non-routable IPs like 192.168.x.x or 10.x.x.x for the OPNsense device?

I do not want to access the firewall itself from the outside, only from the inside.

9
Tutorials and FAQs / Can I save the OPNsense configuration to a text file, edit and reload it?
« on: November 20, 2018, 05:13:24 pm »
I am new to OPNsense and am considering setting it up as a firewall using one of our spare servers.

I am familiar with iptables on Linux, and with filter rules as access lists in Cisco routers.

Up to now we used access lists in Cisco routers as the firewall.
There, I can save the configuration into a text file, or edit the configuration file off-line, and then
upload it to the router.

I am used to maintaining firewall rules that way, and prefer it to a graphical interface.
Is this possible with OPNsense, i.e. maintain the configuration off-line and upload it, to replace the
existing configuration?
