Topics - alh

1
20.7 Legacy Series / Routing: How to add custom reply-to to specific traffic on non-wan interface?
« on: January 11, 2021, 01:34:47 am »
My OPNsense sits behind two other routers. I have HAproxy installed and configured. I want to offer some services via WAN/router 1 and some via WAN/router 2.

  • request hits router 1 or 2
  • request is port forwarded to OPNsense/HAproxy
  • HAproxy speaks to backend
  • HAproxy's response is then forwarded to the client via the default gateway (router 1)!

Added difficulty: Router 2 sits in LAN and not on a separate WAN interface of the OPNsense.

How can I achieve that OPNsense sends response via correct gateway/router?

2
20.7 Legacy Series / [solved] HAProxy & Firewall
« on: September 27, 2020, 10:53:48 pm »
I was playing around with Fail2Ban and wanted to block IPs that fail to auth with a HAProxy backend server. So I created an external alias and Fail2Ban updates that alias. So far so good. However, when I add a firewall rule to block src=ips in alias nothing happens. I had a look at the log and it seems like running HAProxy on publicip:port completely bypasses the firewall. There is nothing in the firewall logs but HAProxy logs the connection. Is that correct?

So to work around this I would need HAProxy to bind to another IP and make a port forward from the public IP/interface?


3
20.7 Legacy Series / MultiWAN: delay restoring of default WAN
« on: September 21, 2020, 10:12:47 pm »
We use MultiWAN in a failover config. When the main line becomes a bit unstable we repeatedly had the issue that the failover was flipping back and forth between the two WAN interfaces. Like WAN1 goes down for a couple of minutes, failover to WAN2, WAN1 is again good for a couple of minutes so back to WAN1 and so forth. Is there a way to delay this? Like if we failover to WAN2 I want the system to stay put for at least 15 minutes on WAN2 no matter what before going back to WAN1? Can Alert Interval be used for this (couldn't find anything in the docs)?

4
20.7 Legacy Series / Am I misunderstanding "static port" (port randomization) wrongly?
« on: August 13, 2020, 10:47:18 pm »
I have the following setup:

Internet -> Speedport Router -> OPNsense -> Server

The Speedport cannot do static routes so this is a double NAT scenario. I port forward TCP 8443 from Internet to OPNsense in the Speedport and from WAN-Network to Server in the OPNsense.

The reply of a request to the server is by default subject to source port randomization and the Speedport would drop it.

I now added a rule to Outbound NAT setting static port for the traffic originating from the server (and the forwarded port) (1).

However, the source port was still subject to randomization.

I had to set the source address to the WAN address of the OPNsense (2).

Is this normal behaviour? I really would have expected it to work with the first rule and not the second.

Because my next question would be on how to disable port randomization for a whole VLAN (for SIP to work in double NAT environment) if the first rule does not work? Or is this just a specific behaviour if port forwarding is involved?

Thanks for enlightening me.

5
20.7 Legacy Series / [SOLVED] Can't get port forwarding to work anymore!
« on: August 12, 2020, 09:01:52 am »
I run a mail server behind OPNsense. I have a simple port forward to the host which worked fine in 20.1.x. Now the clients receive a timeout. I did a packet capture and the request hits the OPNsense just fine and it forwards it to the correct host. However, the reply (SYN) from the host hits the OPNsense which does not forward it to the client! It does not reach the WAN interface.

I tried deleting all port forwards, rebooting, re-creating them but to no avail. How to fix this?

6
20.7 Legacy Series / [SOLVED] Problems with HAProxy plugin
« on: August 11, 2020, 10:17:44 am »
I run the HAProxy plugin to do SSL termination for a Bitwarden_rs container and SSL passthrough for a MailStore server. So far the experience has been terrible. The first connection nearly ALWAYS fails with the following entries in the log:

haproxy[27090]: x.x.x.x:50621 [11/Aug/2020:10:12:05.146] https_tcp https_tcp/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0

Firefox doesn't work at all and other Browsers need a lot of reloads to start working. Contacting these servers internally, bypassing the proxy, works flawlessly.

I wonder if someone has had a similar experience or even a fix. Config is pretty basic, at least for MailStore, just a TCP frontend/backend that checks SNI and forwards accordingly.

7
20.1 Legacy Series / mDNS stopped working since upgrading to 20.1.3
« on: April 04, 2020, 11:30:59 am »
Two weeks ago I upgraded an OPNsense installation from 19.7 to the latest 20.1.3. Since then printers cannot be found using Bonjour/mDNS anymore if they are in a different network. mDNS repeater plugin is installed and appears to be running fine (there is nothing in the logs that suggests otherwise) but the devices don't appear on the clients.

Any idea how to troubleshoot/fix this?

8
20.1 Legacy Series / Prevent non-WAN Gateways from becoming the active gateway
« on: February 02, 2020, 11:31:31 am »
When default gateway switching/failover is active, is there a way to prevent non-WAN gateways from becoming active? We have 3 WAN gateways and some internal gateways for routing between networks. When all WAN interfaces are down, I don't want one of the internal gateways to become the default gateway. I guess I can solve this by disabling this feature in general and work with a gateway group but just wanting to know if it could be solved otherwise as well.

9
19.7 Legacy Series / OpenVPN woes
« on: August 08, 2019, 10:37:01 am »
We upgraded an existing installation to 19.7.2 and since then OpenVPN does not work reliably if at all. As suggested in the migration guide we changed the interface to local and set up port forwards from our WAN interfaces to localhost with mixed results:

- tunnel is established but no traffic passes
- tunnel fails with tls handshake failed check your connection
- tunnel is established and everything works

We tried to switch between local interface and WAN interface itself as suggested in this topic (https://forum.opnsense.org/index.php?topic=5760.msg63101#msg63101) but we had no success. Any help appreciated.

10
19.1 Legacy Series / [SOLVED] OPNsense locks up completely when WAN allegedly goes down
« on: March 27, 2019, 11:34:54 pm »
We have installed OPNsense on a SuperMicro system with roughly the following setup:

- 1 WAN uplink via a cable modem (monitored via Google DNS)
- both local users and LDAP users (LDAP is cloud-based)
- 2 LAN ports with different subnets
- DHCP services
- OpenVPN RoadWarrior services
- S2S IPsec
- FreeRADIUS

We have the serious problem that if the WAN port gets disconnected or OPNsense thinks that the gateway is down then the system locks up completely, e. g.:

- It is impossible to logon to the firewall anymore (I understand that LDAP-auth must fail but local users should ALWAYS work)
- The WAN interface does not come up anymore, the gateway stays down

After a forced reboot there are even stranger issues:

- DHCP ranges get messed up (e. g. x.x.x.50-x.x.x.100 & x.x.x.150-x.x.x.200 becomes x.x.x.50-x.x.x.254 & x.x.x.150-x.x.x.200 causing the service to fail because of overlapping ranges)
- OpenVPN services show as down in the GUI but are actually running, they need to be killed in the console and then restarted in the GUI
- The gateway/WAN does not come up anymore. It shows extremely high latency etc. while the uplink is perfectly fine and any other machine (macOS, Windows-notebooks) works. One has to click madly to and through and hope that some action brings the gateway up again

What could be the cause of this? Is the external LDAP the problem? However, this should not have all the other mentioned side effects. Why does the gateway not come up anymore? Any help appreciated since this happens every couple of days and costs hours to get Internet working again.

11
19.1 Legacy Series / [SOLVED] How to avoid double NAT?
« on: March 20, 2019, 12:56:32 pm »
We use an Internet connection that performs a kind of load balancing between a DSL and LTE connection. This all happens inside the providers router. We are therefore stuck with this router that can neither offer VPN services, VLANs nor can one setup static routes.

My goal is to have OPNsense running behind the ISP router offering VPN services etc. If I understand correctly that rules out a "filtering-bridge" setup for OPNsense. Is there an alternative to avoid double-NAT?

Could I e. g. configure something like this?

- ISP router LAN 192.168.1.1
- Switch tags with VLAN 999
- OPNsense WAN 192.168.1.2
- OPNsense LAN 192.168.1.254
- Switch
- LAN 192.168.1.0/25

And then disable NAT and set up a gateway for 192.168.1.1? Does anyone run a similar setup?

12
19.1 Legacy Series / [SOLVED] PlugIn FreeRADIUS: wrong certificates are generated
« on: March 14, 2019, 12:12:15 am »
We have the following setup:

- root ca
- intermediate ca for services
- intermediate ca for users

If we configure EAP-TTLS in the FreeRADIUS plugin we link the radius server cert (issued by intermediate ca for services) and the root ca which is supposed to validate trusted users (intermediate ca for users).

However, the plugin always puts the server cert chain in the file ca_opn instead of the linked ca file. Probably a bug in the script.

13
19.1 Legacy Series / [SOLVED] Firewall logging stopped, live view shows outdated entries only
« on: March 12, 2019, 09:40:26 pm »
Since yesterday and the upgrade to 19.1.3 my filter.log is not updated anymore. How can I get the firewall logging going again? All other logs run fine.

14
19.1 Legacy Series / [SOLVED] No routing since upgrade to 19.1.3
« on: March 12, 2019, 07:26:10 pm »
We upgraded to 19.1.3 yesterday and since then routing does not seem to work any more. LAN clients cannot access the Internet anymore despite proper NAT-Outbound and Firewall-Rules. Also I cannot ping any LAN client anymore from my VPN connection (OpenVPN, all connections allowed to all networks).

What can I do to track down the cause of this? We upgraded just now to 19.1.4 but to no avail. Also all automatically generated WAN NATs seem to have disappeared.

15
19.1 Legacy Series / [SOLVED] Network: Intel 10Gbe interfaces of Xeon D-1500 do not show
« on: February 28, 2019, 12:23:35 pm »
We purchased a SuperMicro Board with an Intel Xeon D-1500 processor. Officially this processor is supported by FreeBSD. However, the two 10Gbe interfaces do not show in the OPNsense GUI. We tried to download the latest ixgbe drivers from Intel but to no avail. Since we are new to OPNsense we were wondering on how to troubleshoot this further. Does anyone have any tips and tricks for us?
