OPNsense Forum » Profile of alh » Show Posts
Topics - alh

1
22.7 Legacy Series / 22.7.7: IPsec Roadwarrior IKEv2 EAP fails
« on: November 15, 2022, 09:01:49 am »
I'm trying to set up an IPsec VPN using EAP to authenticate. I tried to follow the guide here: https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html but I run into some issues:

  • The guide tells me to not select any "Backend for authentication" on "VPN: IPsec: Mobile Clients"; however, the GUI does not allow this
  • When trying to connect as user I have a "loading EAP_RADIUS method failed" in the logs and the auth request never hits the RADIUS server
  • Of course I tested the RADIUS server conf

Does anyone have an idea?

2
21.7 Legacy Series / [SOLVED] WAN cannot connect
« on: February 02, 2022, 08:17:39 pm »
I just configured an OPNsense firewall with a WAN interface behind another router. All ports are forwarded to the OPNsense.

I set up WireGuard with wg0 as Server (dial in) and an OpenVPN Server. Both interfaces come up and are running on their respective interface and ports.

However, I cannot connect to wg0 or OpenVPN as a client. A packet capture on WAN shows my requests arriving but there is no reply. The weird thing is that there is NOTHING in the firewall log. I started with allowing relevant ports on WAN (logging enabled), then allowing all on WAN (logging on), or allowing nothing at all. In all scenarios there is nothing in the firewall logs, nothing.

This is not the first OPNsense I set up but the first time I experience this behaviour. Any ideas?

3
21.7 Legacy Series / [SOLVED] IPsec: remote network is routed through WAN-gateway
« on: December 11, 2021, 12:45:55 am »
I configured two S2S IPsec tunnels (policy). LAN and IPsec interfaces feature an allow-all rule.

Both remote sites connect and clients in the remote LANs successfully ping the firewall.

However, the firewall cannot ping any host nor the gateways or the remote sites. It seems like the tunnels are one way only. I looked at the routing table and was surprised to see that the remote LANs (10.52.10.0/24, 10.62.10.0/24) are added to the default gateway (172.31.1.1).

Any idea where I could have gone wrong?

4
21.7 Legacy Series / Best practice adding a custom IPsec/StrongSWAN config?
« on: July 28, 2021, 12:20:02 pm »
We would like to configure an IKEv2 RoadWarrior profile but miss some options in the GUI, like

- eap_identity=%identity
- multiple leftsubnet entries

Is it best practice to just enable IPsec in the GUI and put the rest of the config in ipsec.opnsense.d and strongswan.opnsense.d? Or is there a better way, like overwriting/adding values to the generated config?


5
21.1 Legacy Series / [SOLVED] After migration port forwarding does not work anymore
« on: July 09, 2021, 07:20:58 am »
We moved from ESXi to Proxmox by restoring our config. We now experience issues with port forwarding. If we do a packet capture we can see

- the request hitting the WAN interface
- the request leaving the LAN interface to the target
- the request hitting the target
- the reply leaving the target for the sender

However, the reply never reaches the sender. There is nothing in the firewall logs whatsoever. We also deleted the port forwarding and tried to set it up again but to no avail. The gateways are correctly set on all devices and all other services work just fine.

Any help appreciated.

6
21.1 Legacy Series / Gateway not working anymore in routed IPsec (Azure)
« on: April 30, 2021, 07:08:26 pm »
After upgrading to 21.5 the gateway setup on the IPsec interface as described in this manual

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html

does not work anymore. The error message is:

    Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

However, I have access to the remote network and all, but I do need the gateway for the static route, no?


7
20.7 Legacy Series / Routing: How to add custom reply-to to specific traffic on non-wan interface?
« on: January 11, 2021, 01:34:47 am »
My OPNsense sits behind two other routers. I have HAproxy installed and configured. I want to offer some services via WAN/router 1 and some via WAN/router 2.

  • request hits router 1 or 2
  • request is port forwarded to OPNsense/HAproxy
  • HAproxy speaks to backend
  • HAproxy's response is then forwarded to the client via the default gateway (router 1)!

Added difficulty: Router 2 sits in LAN and not on a separate WAN interface of the OPNsense.

How can I make OPNsense send the response via the correct gateway/router?

8
20.7 Legacy Series / [solved] HAProxy & Firewall
« on: September 27, 2020, 10:53:48 pm »
I was playing around with Fail2Ban and wanted to block IPs that fail to auth with a HAProxy backend server. So I created an external alias and Fail2Ban updates that alias. So far so good. However, when I add a firewall rule to block src=ips in alias nothing happens. I had a look at the log and it seems like running HAProxy on publicip:port completely bypasses the firewall. There is nothing in the firewall logs but HAProxy logs the connection. Is that correct?

So to work around this I would need HAProxy to bind to another IP and make a port forward from the public IP/interface?


9
20.7 Legacy Series / [SOLVED] MultiWAN: delay restoring of default WAN
« on: September 21, 2020, 10:12:47 pm »
We use MultiWAN in a failover config. When the main line becomes a bit unstable we repeatedly had the issue that the failover was flipping back and forth between the two WAN interfaces. Like WAN1 goes down for a couple of minutes, failover to WAN2, WAN1 is again good for a couple of minutes so back to WAN1 and so forth. Is there a way to delay this? Like if we failover to WAN2 I want the system to stay put for at least 15 minutes on WAN2 no matter what before going back to WAN1? Can Alert Interval be used for this (couldn't find anything in the docs)?

10
20.7 Legacy Series / Am I misunderstanding "static port" (port randomization) wrongly?
« on: August 13, 2020, 10:47:18 pm »
I have the following setup:

Internet -> Speedport Router -> OPNsense -> Server

The Speedport cannot do static routes so this is a double NAT scenario. I port forward TCP 8443 from Internet to OPNsense in the Speedport and from WAN-Network to Server in the OPNsense.

The reply of a request to the server is by default subject to source port randomization and the Speedport would drop it.

I now added a rule to Outbound NAT setting static port for the traffic originating from the server (and the forwarded port) (1).

However, the source port was still subject to randomization.

I had to set the source address to the WAN address of the OPNsense (2).

Is this normal behaviour? I really would have expected it to work with the first rule and not the second.

Because my next question would be on how to disable port randomization for a whole VLAN (for SIP to work in double NAT environment) if the first rule does not work? Or is this just a specific behaviour if port forwarding is involved?

Thanks for enlightening me.

11
20.7 Legacy Series / [SOLVED] Can't get port forwarding to work anymore!
« on: August 12, 2020, 09:01:52 am »
I run a mail server behind OPNsense. I have a simple port forward to the host which worked fine in 20.1.x. Now the clients receive a timeout. I did a packet capture and the request hits the OPNsense just fine and it forwards it to the correct host. However, the reply (SYN) from the host hits the OPNsense, which does not forward it to the client! It does not reach the WAN interface.

I tried deleting all port forwards, rebooting, re-creating them but to no avail. How to fix this?

12
20.7 Legacy Series / [SOLVED] Problems with HAProxy plugin
« on: August 11, 2020, 10:17:44 am »
I run the HAProxy plugin to do SSL termination for a Bitwarden_rs container and SSL passthrough for a MailStore server. So far the experience has been terrible. The first connection nearly ALWAYS fails with the following entries in the log:

haproxy[27090]: x.x.x.x:50621 [11/Aug/2020:10:12:05.146] https_tcp https_tcp/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0

Firefox doesn't work at all and other Browsers need a lot of reloads to start working. Contacting these servers internally, bypassing the proxy, works flawlessly.

I wonder if someone has had a similar experience or even a fix. Config is pretty basic, at least for MailStore, just a TCP frontend/backend that checks SNI and forwards accordingly.

13
20.1 Legacy Series / mDNS stopped working since upgrading to 20.1.3
« on: April 04, 2020, 11:30:59 am »
Two weeks ago I upgraded an OPNsense installation from 19.7 to the latest 20.1.3. Since then printers cannot be found using Bonjour/mDNS anymore if they are in a different network. mDNS repeater plugin is installed and appears to be running fine (there is nothing in the logs that suggests otherwise) but the devices don't appear on the clients.

Any idea how to troubleshoot/fix this?

14
20.1 Legacy Series / Prevent non-WAN Gateways from becoming the active gateway
« on: February 02, 2020, 11:31:31 am »
When default gateway switching/failover is active, is there a way to prevent non-WAN gateways from becoming active? We have 3 WAN gateways and some internal gateways for routing between networks. When all WAN interfaces are down, I don't want one of the internal gateways to become the default gateway. I guess I can solve this by disabling this feature in general and working with a gateway group, but I just want to know if it could be solved otherwise as well.

15
19.7 Legacy Series / OpenVPN woes
« on: August 08, 2019, 10:37:01 am »
We upgraded an existing installation to 19.7.2 and since then OpenVPN does not work reliably, if at all. As suggested in the migration guide we changed the interface to local and set up port forwards from our WAN interfaces to localhost, with mixed results:

- tunnel is established but no traffic passes
- tunnel fails with "tls handshake failed, check your connection"
- tunnel is established and everything works

We tried to switch between local interface and WAN interface itself as suggested in this topic (https://forum.opnsense.org/index.php?topic=5760.msg63101#msg63101) but we had no success. Any help appreciated.
