Topics - miken32

#1
22.7 Legacy Series / TFTP proxying
January 17, 2023, 10:51:53 PM
There have been a few messages about this over the years but I haven't seen anyone actually say they've gotten it working. A TFTP proxy is part of the core BSD OS so it's just a matter of getting it configured and running.

Does anyone have a step-by-step guide that will let me access a remote TFTP server through an OPNsense box?
#2
Having some issues getting this set up. If I use local authentication it works no problem. Using my configured LDAP server does not work; logs on the LDAP server indicate the router doesn't make a connection attempt. The only thing in the log files is this in /var/log/audit.log:

Oct 25 17:32:27 calgary audit[48186]: user mike failed authentication for ipsec on OPNsense\Auth\Services\IPsec via OPNsense\Auth\Local
Oct 25 17:32:27 calgary audit[48186]: user mike could not authenticate for ipsec. [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\Local]


And this in /var/log/ipsec.log:

Oct 25 17:32:27 calgary charon[19217]: 07[IKE] <con4|9> XAuth pam_authenticate for 'mike' failed: System error
Oct 25 17:32:27 calgary charon[19217]: 07[IKE] <con4|9> XAuth authentication of 'mike' failed

Does anyone have any experience with this setup? Any way to enable some authentication debugging to see if it's working as expected? From the log entries I have, it seems like it's only using local.
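As an added, constructed example (not from this thread and not OPNsense's own code), here is a small parser for the audit.log format quoted above. It lists which authenticators were consulted for each "could not authenticate" line and flags attempts where an expected backend never appears in the chain, which is the check behind "it seems like it's only using local". The third sample line and the class name OPNsense\Auth\LDAP are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/audit.log. The first two lines follow the format quoted
# in the post; the third is an assumed line showing what a consulted LDAP backend would look like.
SAMPLE_AUDIT_LOG = r"""
Oct 25 17:32:27 calgary audit[48186]: user mike failed authentication for ipsec on OPNsense\Auth\Services\IPsec via OPNsense\Auth\Local
Oct 25 17:32:27 calgary audit[48186]: user mike could not authenticate for ipsec. [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\Local]
Oct 25 17:40:02 calgary audit[48186]: user mike could not authenticate for ipsec. [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP + OPNsense\Auth\Local]
""".strip()

# Matches the summary line; the bracketed chain is "<service class> + <backend> [+ <backend> ...]".
SUMMARY_RE = re.compile(
    r"user (?P<user>\S+) could not authenticate for (?P<service>\S+)\. \[using (?P<chain>[^\]]+)\]"
)


@dataclass
class AuthFailure:
    timestamp: str
    user: str
    service: str
    backends: list  # short class names of the authenticators consulted, in order


def parse_failures(log_text: str) -> list:
    """Extract one AuthFailure per 'could not authenticate' summary line."""
    failures = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("chain").split("+")]
        # parts[0] names the service class (e.g. ...\Services\IPsec); the rest are backends.
        backends = [p.rsplit("\\", 1)[-1] for p in parts[1:]]
        failures.append(AuthFailure(line[:15], m.group("user"), m.group("service"), backends))
    return failures


def never_consulted(failures: list, expected_backend: str) -> list:
    """Failures whose authenticator chain does not include the expected backend (e.g. 'LDAP')."""
    return [f for f in failures if expected_backend not in f.backends]


if __name__ == "__main__":
    for f in never_consulted(parse_failures(SAMPLE_AUDIT_LOG), "LDAP"):
        print(f"{f.timestamp} {f.user}/{f.service}: LDAP never consulted, chain was {f.backends}")
```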
#3
19.1 Legacy Series / IPSec firewall problems
February 26, 2019, 07:19:22 PM
I've done this loads of times on a pfSense without issue, thought I'd give OPNsense a try for a change, and am hitting a brick wall.

I've got an IPSec tunnel set up between my OPNsense router and a Cisco ASA. Tunnel is good, and users behind the router can reach hosts on the remote network without issue. The problem is traffic originating on the router itself, which does not get sent through the tunnel as it should. I've set up the requisite hack of a static route pointing to the LAN interface so the routing is good, but traffic gets dropped by the firewall for some reason. Naturally I have an allow all rule on the IPSec interface.

I've narrowed this down to the firewall because if I disable it with pfctl -d my traffic is sent without issue. Looking at the logs while trying to ping a host on the remote network, I noticed this:


The 96.51.x.x is my local WAN address, and 162.212.x.x is the tunnel endpoint. That traffic definitely should not be getting blocked. There's an automatically generated rule that should pass it:


pass out log on igb2 route-to (igb2 96.51.y.y) inet proto esp from any to 162.212.x.x keep state label "IPsec: NOC"
pass in log on igb2 reply-to (igb2 96.51.y.y) inet proto esp from 162.212.x.x to any keep state label "IPsec: NOC"


The fact that it's showing up as coming from the LAN interface is concerning. So I've put in floating rules to allow ESP traffic to and from the remote router but still the traffic originating from the local router does not pass.


Any thoughts on what could be causing this?