Topics - FingerlessGloves

#1
I recently created some new firewall rules on various interfaces, and when I go into "Firewall: Diagnostics: Sessions or States", the rule it's reporting for various sessions or states is mapped to the wrong rule. I assume it's parsing old rule numbers, but they've all been shifted around by me adding new rules.

For example, it shows rules from other interfaces that are not part of the traffic flow at all. E.g. traffic from the LAN is showing a rule name from the DMZ interface, then it's just going directly out the WAN.

Anyone else getting this?


OPNsense 23.7.10_1-amd64
Intel Core i3-7100U CPU
#2
22.7 Legacy Series / Azure Routed Based IPSec rekey issue
September 23, 2022, 09:49:52 AM
Hi Guys,

I've configured an IPSec S2S tunnel to Azure and I'm having issues at rekey. I've double checked my settings and they all match what they should be set to. We have another IPSec tunnel with the same settings to another firewall vendor and the settings work fine, so I know there's something not quite right on the OPNsense side.

I've noticed during the rekey I end up getting "integrity check failed" messages in the IPSec log of OPNsense.

I've got the tunnel set up using AES256-GCM for both phase 1 and phase 2. Luckily the tunnel restarts eventually and comes back up for the lifetime of the SAs, then the rekey fails and it restarts again after some "integrity check failed" messages. This causes about 2-3 minutes where no traffic passes.

Has anyone got any experience using AES GCM with IPSec to Azure?

I shall attach my OPNsense settings, in case the issue is obvious to someone when they look at them.
#3
21.1 Legacy Series / NPTv6 only working one way
February 22, 2021, 08:25:40 PM
Hi Guys,

Anyone seen or got this issue? I believe it's started since OPNsense 21.1: NPTv6 is only working in one direction.

I can ping6 and connect to IPv6 resources on a VM to the internet.
If I connect from the internet to the VM on the NPT address, traffic doesn't return.

Now I can see in the firewall logs the traffic coming in, the VM replying, and the reply going back out the WAN again, but the source IP for the traffic leaving the WAN is "fd37:c611:72fb:80::10". Should this have been translated to "2001:41d0:800:aa:aa:aa:aa:aa"? It is "2001:41d0:800:aa:aa:aa:aa:aa" when the ping originates from the VM rather than the external host.

VM IP: fd37:c611:72fb:80::10/64
NPT Rule: 2001:41d0:800:aa:aa:aa:aa:aa/128 -> fd37:c611:72fb:80::10/128
WAN IP: 2001:41d0:800:aa::1/64

Is this a bug?

Jonny
#4
Hi Guys,

I'm not sure if this is a bug with reply-to or a misconfiguration somewhere. I've had others do this same setup and get the same issue: the traffic returns out of the WAN instead of back over the WireGuard tunnel.

The Setup

OPNsense 1 is in a DC with two public IPs, say 51.51.51.1 and 51.51.51.10.
The WAN interface is 51.51.51.1, with a gateway of 51.51.51.254.
51.51.51.10 has been set as a Proxy ARP virtual IP on the WAN interface.
I have then created a WireGuard local on this OPNsense with the IP of 10.0.0.1, and added a WireGuard peer of another OPNsense box (OPNsense 2). The AllowedIPs of this peer is just 51.51.51.10.
This WireGuard tunnel interface is named "WG_RoutedIP".
I have then created a WAN rule to allow any traffic to 51.51.51.10 to pass, and I also created an ANY to ANY rule on the WG_RoutedIP interface.

OPNsense 2 is at home or office etc.
The WAN interface is 31.31.31.1 with a gateway of 31.31.31.254.
I have then created a WireGuard local on this OPNsense with the IP of 51.51.51.10, with Disable Routes ticked and a gateway of 51.51.51.254 set.
I then added a WireGuard peer of the other OPNsense box (OPNsense 1). The AllowedIPs of this peer is 0.0.0.0/0.
This WireGuard tunnel interface is named "WAN_RoutedIP".
I have then created a gateway on WAN_RoutedIP using 51.51.51.254 as the far gateway, and a corresponding NAT rule.

If you set a client to use this new routed IP WAN as a gateway using a gateway policy rule, the traffic works and I can browse the internet fine as 51.51.51.10.

If you allow the HTTPS WebUI or do a port forward, then try to browse to 51.51.51.10 from a PC that's not behind either OPNsense box, you can see the traffic go through OPNsense 1, then hit OPNsense 2. The client cannot connect, so I then looked at the traffic going over the WAN of OPNsense 2 and I can see the return traffic is exiting out of the WAN, not WAN_RoutedIP. This would point to reply-to not being enabled, but it is.

If I run pfctl -s all, I believe the reply-to rule is there, if I'm looking at the right thing:
```
pass out log route-to (vtnet0 31.31.31.254) inet from 31.31.31.1 to ! (vtnet0:network) flags S/SA keep state allow-opts label "2f613a9ac318a59b487c1251230f5a27"
pass out log route-to (wg1 51.51.51.254) inet from 51.51.51.10 to ! (wg0:network) flags S/SA keep state allow-opts label "6dd6ab373ac72f668fb2f29d408b0231"
```

Note: IPs have been changed to simplify the setup and show clear distinctions.

Hopefully someone knows what's going on here!

FingerlessGloves
#5
20.7 Legacy Series / Traffic Shaper DSCP values
November 30, 2020, 01:48:20 PM
Hi Guys,

I'm trying to set up DSCP for Teams traffic, but I need DSCP value 46. Is Expedited Forwarding what I'm after?

I believe it is but good to double check.

Screenshot of rule attached.
#6
Hi Guys,

I've written a Python script for OPNsense that allows you to use WireGuard with PIA's Next Gen servers.
The script will make sure your PIA WireGuard tunnel is up and will change server if required as well.

Please see my Github page for the guide and the script.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

Any questions, just ask, and for any issues please open an issue on Github.
#7
Hi Guys.

I've made this script for PIA and WireGuard. It's nearly 100% working; I've got one bug.

When the script gets run by OPNsense's cron, it'll error when I've got the script's port forwarding enabled. Yet when I run the Python script in the terminal it doesn't error and the exit code is 0.

So with the port forwarding for PIA, you need to refresh the port on the server every 15 minutes to keep it active, so the script will wait for 599 seconds to pass and then tell the API on the WireGuard server you still want that port.

When the 599 seconds have passed, that's when the error occurs on OPNsense. If I then run the script in the terminal it doesn't error, the timer is reset, and OPNsense won't error running the script till the time is up again.

How would I go about trying to debug what output the script is producing when run by OPNsense cron?
I'm after the stdout or stderr, if that's able to be logged by the cron?

```
Script action failed with Command '/conf/PIAWireguard.py' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute
    stdout=output_stream, stderr=error_stream)
  File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/conf/PIAWireguard.py' returned non-zero exit status 1.
```

Code: https://github.com/FingerlessGlov3s/OPNsensePIAWireguard
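One way to see what a cron-run script actually emits, as an added example that is not code from the post or from the OPNsensePIAWireguard project: point cron at a small wrapper that runs the script, then appends its exit status, stdout, stderr, working directory and PATH to a log file (the details the configd error above omits, and the ones that usually differ between cron and an interactive shell). The log path and the failing child command below are constructed for the demo.

```python
"""Capture what a script emits when OPNsense's cron runs it (added example)."""
import datetime
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def run_logged(cmd, log_path):
    """Run cmd, append a timestamped record of the run to log_path, and
    return the child's exit status so the caller can propagate it."""
    started = datetime.datetime.now().isoformat(timespec="seconds")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"=== {started} exit={proc.returncode} cmd={cmd}\n")
        # cron typically has a minimal PATH and a different cwd than a shell
        log.write(f"cwd={os.getcwd()} PATH={os.environ.get('PATH', '')}\n")
        if proc.stdout:
            log.write("--- stdout ---\n" + proc.stdout)
        if proc.stderr:
            log.write("--- stderr ---\n" + proc.stderr)
    return proc.returncode


def demo(log_dir=None):
    """Constructed stand-in for the failing script: it prints to both
    streams and exits 1, like the cron run in the post.
    Returns (exit status, log text) so the result can be inspected."""
    log_path = Path(log_dir or tempfile.mkdtemp()) / "PIAWireguard.log"
    child = [sys.executable, "-c",
             "import sys; print('refreshing forwarded port'); "
             "print('KeyError: port', file=sys.stderr); sys.exit(1)"]
    code = run_logged(child, log_path)
    return code, log_path.read_text(encoding="utf-8")


if __name__ == "__main__":
    # Real use would be something like (log path is a placeholder):
    #   sys.exit(run_logged(["/conf/PIAWireguard.py"], "/var/log/PIAWireguard.log"))
    status, text = demo()
    print(text)
    sys.exit(status)
```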
#8
Hi Guys,

I think it would be good if we changed the layout of the Interface statistics, so when you've got lots of interfaces it doesn't go off the screen. Even with a 1440p screen it's an issue. I've got another firewall with twice as many interfaces as this and it's even worse!

See attachment for screenshot.

Hopefully it just needs changing so it lists interfaces per row instead of per column (transpose the table).

Many Thanks

Jonny
#9
19.7 Legacy Series / Constant PHP errors with DYNDNS
November 24, 2019, 10:55:08 PM
Hi Guys.

I've been getting these PHP errors for DYNDNS for ages. I thought I'd wait a good few updates, in case it was known and would get fixed, but nothing as of yet.

I believe it's something to do with my WAN interface getting a new IP while it's trying to check my IP for an update. I've submitted the log but I'm not sure where it goes or of a link to it.

Using CloudFlare as the Service type. The reason you see the error twice in a row is because there are two domains it updates.

```
[16-Nov-2019 01:11:00 Europe/London] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 739
[16-Nov-2019 01:11:01 Europe/London] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 739
```
#10
Show Virtual IP description when used in NAT pages.

It would be nice if, when viewing the NAT or port forwarding rules, the description of the Virtual IP was shown next to it. If you have many Virtual IPs, the description comes in handy.
#11
Hi,

After I updated from 19.7.4 to 19.7.5, the cicada theme's colours have changed in areas. Bits that were orange are now grey, which in some places makes the text hard to read.

See screenshots.

Meter bars were orange.
Some icons I'm sure were orange.
The menu navigation highlight colour was orange.
Some links were orange.

EDIT: after changing the menu style the colours are correct, and highlighted items in the menu are orange as they should be.

Jonny
#12
Hi Guys,

Anyone here experienced with setting up UPnP? I've set up static NAT for the IP of the computer I want UPnP working on. I've turned on UPnP (see attachment for settings). I've also got IGMP snooping turned off on all my switches.

Is there something I'm missing? No games that use peer to peer are able to open a UPnP port. Cleared the states in the firewall too!

EDIT: Going in via Network and then Properties on the "FreeBSD router", I can create a port forward, but for some reason games are unable to do this 🤨

EDIT2: Doing some research, it could be related to IGDv2, that's if our version of miniupnpd is compiled with that version. I've read some games and programs don't comply with the IGDv2 standard, so running miniupnpd in IGDv1 mode gets them working. I'm not sure if our upnpd is compiled with v1 or v2.
Due to "force_igd_desc_v1" not being a usable setting in the config, I'm thinking it's v1, but it would be nice if someone could confirm.

EDIT3: Looking at the pkg info, it does indeed say v1 ("UPNP_IGDV2     : off"), so I wonder what the issue might be.

Jonny
#13
Hey,

Is the below error an actual error? Does it need to be fixed, or is it ok to just leave it? (I don't really want the warning in the web interface if I can help it.)

The rule does work but it generates this error from time to time. I think it's when the VPN drops or has to reconnect for whatever reason, or when the VPN hasn't connected yet while OPN is booting.

```
07-23-19 20:18:13 [ There were error(s) loading the rules: /tmp/rules.debug:114: no translation address with matching address family found. - The line in question reads [114]: nat on ovpnc1 inet proto {tcp udp} from (ovpnc1:network) to {192.168.20.70} -> ovpnc1 port 1024:65535 # PIA Port Forward ]
```

Jonny
#14
Hi Guys,

If I change my LAN interface assignment from igb1 to igb1Vlan2,

will that break any configs? I'm wanting to move the LAN to VLAN 2.

I'll reboot OPNsense after changing it for good measure.
#15
Hi Guys,

I've been looking through my Insights data and I think I've found a bug, or something anyway.

So I've got my 192.168.20.0/24 network, which is its own VLAN and interface, set to access the internet via a VPN gateway.
Ipleak.net and any other IP service shows the VPN's IP, not my WAN IP, which is good and how I want it.

The Firewall rule which allows the network access to the internet has the gateway set as the VPN gateway and has a local tag set "NO_WAN_EGRESS".

In the floating rules I have a rule set so that if it sees traffic exiting the WAN with the tag "NO_WAN_EGRESS" it drops the data. So if for some reason the VPN drops, the traffic can't escape via the WAN interface.

When I look at my insights, I see traffic for 192.168.20.70 coming from my WAN interface. How is this possible?
I have no Port forwarding going to this network at all.

Attached you will see my NAT and an export of some example reported traffic.
VPN_Network is an alias of 192.168.20.0/24
Our_Network is an alias of 192.168.20.0/24, 192.168.10.0/24, 192.168.2.0/24

Does anyone know why this is happening? Looks to be a bug to me.

Jonny
#16
Hi Guys,

What's the best place to put a custom shell script in the OS?

I've created a script which gets me a port forward from PIA, but it has to run on OPNsense to do that.

I've currently got it placed in /conf/, but if there's a preferred location that would be great.

Also, I've added a crontab record to /etc/crontab. Does that get reset by updates too?
#17
19.1 Legacy Series / API call to get Interface IP
March 20, 2019, 09:49:50 PM
Hi Guys,

I'm trying to get an IP address of an Interface, which is set by OpenVPN Client.

Is there an API call I can use to get a list of interfaces and their IP addresses, or at least just the IP address of my ovpnc1 interface?

Hopefully this is a quick answer for someone.

Jonny
#18
Hi Guys,

I've noticed my kern.random.harvest.mask is set to 65887. I've set it to 351 in tunables, pressed apply, then rebooted, yet it's still on 65887. I have no idea why. I can see the variable set in /boot/loader.conf correctly.

It wasn't in tunables until I manually added it in.

But mask_symbolic doesn't match mask:

```
kern.random.harvest.mask_symbolic: PURE_RDRAND,[UMA],[FS_ATIME],SWI,[INTERRUPT],NET_NG,[NET_ETHER],NET_TUN,MOUSE,KEYBOARD,ATTACH,CACHED
kern.random.harvest.mask_bin: 000010000000101011111
kern.random.harvest.mask: 65887
```

Is it doing something weird like 65887 = 2^16 + 351?

Fresh install of OPNsense 19.1.4

Jonny
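As an added example (not part of the post), the following Python decodes the three sysctl values quoted above and shows that 65887 is exactly 351 with bit 16 added, the bit the mask_symbolic line labels PURE_RDRAND. It assumes the bit positions of FreeBSD's random_entropy_source enum (environmental sources at bits 0..10, PURE_RDRAND at bit 16), which is consistent with the order of the mask_symbolic and mask_bin output in the post; bits 11..15 belong to other hardware RNG drivers not present on this box and so are omitted.

```python
"""Decode FreeBSD's kern.random.harvest.mask into its symbolic sources (added example)."""

# bit -> source name; positions assumed from FreeBSD's random_entropy_source
# enum, listed here in the same order the post's mask_symbolic line uses.
HARVEST_SOURCES = {
    0: "CACHED", 1: "ATTACH", 2: "KEYBOARD", 3: "MOUSE", 4: "NET_TUN",
    5: "NET_ETHER", 6: "NET_NG", 7: "INTERRUPT", 8: "SWI", 9: "FS_ATIME",
    10: "UMA",           # assumed last environmental (software) source
    16: "PURE_RDRAND",   # assumed: hardware source registered by the rdrand driver
}
ENVIRONMENTAL_MASK = (1 << 11) - 1   # bits 0..10, the part a tunable like 351 covers


def mask_symbolic(mask):
    """Render a mask the way the sysctl does: disabled sources in brackets,
    highest bit first."""
    names = []
    for bit, name in sorted(HARVEST_SOURCES.items(), reverse=True):
        names.append(name if mask >> bit & 1 else f"[{name}]")
    return ",".join(names)


def mask_bin(mask, width=21):
    """Zero-padded binary string in the shape of kern.random.harvest.mask_bin."""
    return format(mask, f"0{width}b")


def enabled_sources(mask):
    """Names of the sources whose bit is set, highest bit first."""
    return [n for b, n in sorted(HARVEST_SOURCES.items(), reverse=True)
            if mask >> b & 1]


def split_mask(mask):
    """Separate the environmental bits (what the tunable sets) from the
    hardware bits above them, returned as (environmental, hardware)."""
    return mask & ENVIRONMENTAL_MASK, mask & ~ENVIRONMENTAL_MASK


if __name__ == "__main__":
    observed = 65887                       # value from the post
    env_part, hw_part = split_mask(observed)
    print(mask_symbolic(observed))
    print(mask_bin(observed))
    print(f"tunable part={env_part} hardware part={hw_part}")
```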
#19
19.1 Legacy Series / API for Aliases
March 08, 2019, 07:08:23 PM
Hi Guys,

I'm just reading up on what APIs OPNsense has. I've read on the forums there's potentially an API for Aliases, but not one for Firewall rules (due to the complexity).

Does OPNsense have an API for Aliases? I can't see anything in the API reference docs.
I need to change an alias that will be used as a port number in a Firewall rule.

Jonny