Topics - alh

#1
I use OPNsense behind a stateless firewall. I noticed that the source port randomization does not stick to the ephemeral port range (e.g. TCP 32768-65535) but seems to be using anything > 1024 (FreeBSD AFAIK uses 49152-65535 only). So I was wondering if there is a possibility to set the port range that can be used as ephemeral port range in OPNsense or if I need to disable source port rewriting or open up the whole range (>1024) in the stateless firewall. Thanks for your input.
#2
I installed OPNsense in a Proxmox VM to the best of my knowledge with nothing out of the ordinary (firewall, haproxy and ipsec). However, in this instance I face the issue that the `System: Firmware: Status` page takes forever to load. Well, that is not exactly true since after a reboot it actually loads very quickly and what I would describe as normally. Shortly after a reboot it takes minutes to load the page with this error showing in the logs:

configd.py Timeout (120) executing : firmware tiers

If I then proceed to clicking `Check for updates` it again takes very very very long to complete the check or just fail.

Fetching changelog information, please wait... fetch: transfer timed out (in the window itself)

Backend log:

Retrieve upgrade progress status (for minutes)

configd.py unable to sendback response [opnsense|||product_tier|||1 opnsense-devel|||product_tier|||1 os-acme-client|||product_tier|||3 os-acme-client-devel|||product_tier|||3 os-apcupsd|||product_tier|||3 os-apcupsd-devel...

view plugin tiers (last entry in the log)

For the rest the system feels fast and snappy and there are no other issues I can think of/experience.

Does someone have an idea what might make configd.py time out?

I did reinstall the system as well but same issue.
#3
I'm trying to set up IPsec VPN using EAP to authenticate. I tried to follow the guide here: https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html but I run into some issues:

  • The guide tells me to not select any "Backend for authentication" on "VPN: IPsec: Mobile Clients"; however, the GUI does not allow this
  • When trying to connect as user I have a "loading EAP_RADIUS method failed" in the logs and the auth request never hits the RADIUS server
  • Of course I tested the RADIUS server conf

Does anyone have an idea?
#4
21.7 Legacy Series / [SOLVED] WAN cannot connect
February 02, 2022, 08:17:39 PM
I just configured an OPNsense firewall with a WAN interface behind another router. All ports are forwarded to the OPNsense.

I set up WireGuard with wg0 as Server (dial in) and an OpenVPN Server. Both interfaces come up and are running on their respective interface and ports.

However, I cannot connect to wg0 or OpenVPN as client. A packet capture on WAN shows my requests arriving but there is no reply. The weird thing is, that there is NOTHING in the firewall log. I started with allowing relevant ports on WAN (logging enabled) then allowing all on WAN (logging on) or allowing nothing at all. In all scenarios there is nothing in the firewall logs, nothing.

This is not the first OPNsense I set up but the first time I experience this behaviour. Any ideas?
#5
I configured two S2S IPsec tunnels (policy). LAN and IPsec interface feature an allow all rule.

Both remote sites connect and clients in the remote LANs successfully ping the firewall.

However, the firewall cannot ping any host nor the gateways of the remote sites. It seems like the tunnels are one way only. I looked at the routing table and was surprised to see that the remote LANs (10.52.10.0/24, 10.62.10.0/24) are added to the default gateway (172.31.1.1).

Any idea where I could have gone wrong?
#6
We would like to configure an IKEv2 RoadWarrior profile but miss some options from the GUI like

- eap_identity=%identity
- multiple leftsubnet entries

Is it best practice to just enable IPsec in the GUI and put the rest of the config in ipsec.opnsense.d and strongswan.opnsense.d? Or is there a better way, like overwriting/adding values to the generated config?

#7
We moved from ESXi to Proxmox by restoring our config. We now experience issues with port forwarding. If we do a packet capture we can see

- the request hitting the WAN interface
- the request leaving the LAN interface to the target
- the request hitting the target
- the reply leaving the target for the sender

However, the reply never reaches the sender. There is nothing in the firewall logs whatsoever. We also deleted the port forwarding and tried to set it up again but to no avail. The gateways are correctly set on all devices and all other services work just fine.

Any help appreciated.
#8
After upgrading to 21.5 the gateway setup on the IPsec interface as described in this manual

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html

does not work anymore. The error message is:

Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

However, I have access to the remote network and all, but I do need the gateway for the static route, no?

#9
My OPNsense sits behind two other routers. I have HAproxy installed and configured. I want to offer some services via WAN/router 1 and some via WAN/router 2.

  • request hits router 1 or 2
  • request is port forwarded to OPNsense/HAproxy
  • HAproxy speaks to backend
  • HAproxy's response is then forwarded to the client via the default gateway (router 1)!

Added difficulty: Router 2 sits in LAN and not on a separate WAN interface of the OPNsense.

How can I make OPNsense send the response via the correct gateway/router?
#10
20.7 Legacy Series / [solved] HAProxy & Firewall
September 27, 2020, 10:53:48 PM
I was playing around with Fail2Ban and wanted to block IPs that fail to auth with a HAProxy backend server. So I created an external alias and Fail2Ban updates that alias. So far so good. However, when I add a firewall rule to block src=ips in alias nothing happens. I had a look at the log and it seems like running HAProxy on publicip:port completely bypasses the firewall. There is nothing in the firewall logs but HAProxy logs the connection. Is that correct?

So to work around this I would need HAProxy to bind to another IP and make a port forward from the public IP/interface?

#11
We use MultiWAN in a failover config. When the main line becomes a bit unstable we repeatedly had the issue that the failover was flipping back and forth between the two WAN interfaces. Like WAN1 goes down for a couple of minutes, failover to WAN2, WAN1 is again good for a couple of minutes so back to WAN1 and so forth. Is there a way to delay this? Like if we failover to WAN2 I want the system to stay put for at least 15 minutes on WAN2 no matter what before going back to WAN1? Can Alert Interval be used for this (couldn't find anything in the docs)?
#12
I have the following setup:

Internet -> Speedport Router -> OPNsense -> Server

The Speedport cannot do static routes so this is a double NAT scenario. I port forward TCP 8443 from Internet to OPNsense in the Speedport and from WAN-Network to Server in the OPNsense.

The reply of a request to the server is by default subject to source port randomization and the Speedport would drop it.

I now added a rule to Outbound NAT setting static port for the traffic originating from the server (and the forwarded port) (1).

However, the source port was still subject to randomization.

I had to set the source address to the WAN address of the OPNsense (2).

Is this normal behaviour? I really would have expected it to work with the first rule and not the second.

Because my next question would be on how to disable port randomization for a whole VLAN (for SIP to work in double NAT environment) if the first rule does not work? Or is this just a specific behaviour if port forwarding is involved?

Thanks for enlightening me.
#13
I run a mail server behind OPNsense. I have a simple port forward to the host which worked fine in 20.1.x. Now the clients receive a timeout. I did a packet capture and the request hits the OPNsense just fine and it forwards it to the correct host. However, the reply (SYN) from the host hits the OPNsense which does not forward it to the client! It does not reach the WAN interface.

I tried deleting all port forwards, rebooting, re-creating them but to no avail. How to fix this?
#14
I run the HAProxy plugin to do SSL termination for a Bitwarden_rs container and SSL passthrough for a MailStore server. So far the experience has been terrible. The first connection nearly ALWAYS fails with the following entries in the log:

haproxy[27090]: x.x.x.x:50621 [11/Aug/2020:10:12:05.146] https_tcp https_tcp/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0

Firefox doesn't work at all and other Browsers need a lot of reloads to start working. Contacting these servers internally, bypassing the proxy, works flawlessly.

I wonder if someone has had a similar experience or even a fix. Config is pretty basic, at least for MailStore, just a TCP frontend/backend that checks SNI and forwards accordingly.
#15
Two weeks ago I upgraded an OPNsense installation from 19.7 to the latest 20.1.3. Since then printers cannot be found using Bonjour/mDNS anymore if they are in a different network. mDNS repeater plugin is installed and appears to be running fine (there is nothing in the logs that suggests otherwise) but the devices don't appear on the clients.

Any idea how to troubleshoot/fix this?
#16
When default gateway switching/failover is active, is there a way to prevent non-WAN gateways from becoming active? We have 3 WAN gateways and some internal gateways for routing between networks. When all WAN interfaces are down, I don't want one of the internal gateways to become the default gateway. I guess I can solve this by disabling this feature in general and work with a gateway group but just wanting to know if it could be solved otherwise as well.
#17
19.7 Legacy Series / OpenVPN woes
August 08, 2019, 10:37:01 AM
We upgraded an existing installation to 19.7.2 and since then OpenVPN does not work reliably if at all. As suggested in the migration guide we changed the interface to local and set up port forwards from our WAN interfaces to localhost with mixed results:

- tunnel is established but no traffic passes
- tunnel fails with tls handshake failed check your connection
- tunnel is established and everything works

We tried to switch between local interface and WAN interface itself as suggested in this topic (https://forum.opnsense.org/index.php?topic=5760.msg63101#msg63101) but we had no success. Any help appreciated.
#18
We have installed OPNsense on a SuperMicro system with roughly the following setup:

- 1 WAN uplink via a cable modem (monitored via Google DNS)
- both local users and LDAP users (LDAP is cloud-based)
- 2 LAN ports with different subnets
- DHCP services
- OpenVPN RoadWarrior services
- S2S IPsec
- FreeRADIUS

We have the serious problem that if the WAN port gets disconnected or OPNsense thinks that the gateway is down then the system locks up completely, e.g.:

- It is impossible to logon to the firewall anymore (I understand that LDAP-auth must fail but local users should ALWAYS work)
- The WAN interface does not come up anymore, the gateway stays down

After a forced reboot there are even stranger issues:

- DHCP ranges get messed up (e.g. x.x.x.50-x.x.x.100 & x.x.x.150-x.x.x.200 becomes x.x.x.50-x.x.x.254 & x.x.x.150-x.x.x.200 causing the service to fail because of overlapping ranges)
- OpenVPN services show as down in the GUI but are actually running, they need to be killed in the console and then restarted in the GUI
- The gateway/WAN does not come up anymore. It shows extremely high latency etc. while the uplink is perfectly fine and any other machine (macOS, Windows notebooks) works. One has to click madly to and fro and hope that some action brings the gateway up again

What could be the cause of this? Is the external LDAP the problem? However, this should not have all the other mentioned side effects. Why does the gateway not come up anymore? Any help appreciated since this happens every couple of days and costs hours to get Internet working again.
#19
We use an Internet connection that performs a kind of load balancing between a DSL and LTE connection. This all happens inside the provider's router. We are therefore stuck with this router that can neither offer VPN services nor VLANs, nor can one set up static routes.

My goal is to have OPNsense running behind the ISP router offering VPN services etc. If I understand correctly that rules out a "filtering-bridge" setup for OPNsense. Is there an alternative to avoid double NAT?

Could I e.g. configure something like this?

- ISP router LAN 192.168.1.1
- Switch tags with VLAN 999
- OPNsense WAN 192.168.1.2
- OPNsense LAN 192.168.1.254
- Switch
- LAN 192.168.1.0/25

And then disable NAT and set up a gateway for 192.168.1.1? Does anyone run a similar setup?
#20
We have the following setup:

- root ca
- intermediate ca for services
- intermediate ca for users

If we configure EAP-TTLS in the FreeRADIUS plugin we link the radius server cert (issued by intermediate ca for services) and the root ca which is supposed to validate trusted users (intermediate ca for users).

However, the plugin always puts the server cert chain in the file ca_opn instead of the linked ca file. Probably a bug in the script.