Topics - banym

#1
23.7 Legacy Series / WOL not working 23.7.11-amd64?
January 10, 2024, 08:53:52 AM
Since one of the latest updates the WOL on the box at home is not working anymore.
Had no time to investigate, yet. Maybe someone is having troubles, too.

MAC and the target server are unchanged; the UI states the magic packet was sent successfully.
#2
Since I am not sure if it's a bug or a feature, this post; maybe others have seen it before:

I have some opnsense firewalls connected to the same /24 WAN subnet.

Firewall A: 212.x.x.1
Firewall B: 212.x.x.2
Router: 212.x.x.254


+------------------+
|     Router       |
|     212.x.x.254  |
+--------+---------+
         |
         |
         |
         |
         |             212.x.x.0/24  WAN
         +--------+-------------------------------+----------+
                  |                               |
                  |                               |
         +--------+---------+          +----------+---------+
         |    Firewall-A    |          |     Firewall B     |
         |     212.x.x.1    |          |     212.x.x.2      |
         +--------+---------+          +----------+---------+
                  |                               |
                  |   LAN A                       | LAN B
                  |                               |
                  |                               |
            +-----+-----+                   +-----+------+
            |    PC     |                   |    PC      |
            |    01     |                   |    02      |
            +-----------+                   +------------+



The availability from the LAN of Firewall A to the WAN Interface of Firewall B looks like this:



After doing a traffic capture on Firewall A and B I think I found the problem. Firewall B does not send the traffic directly back to Firewall A.
The ARP traffic is sent to a combination of the IP of Firewall A with the MAC of the Router. I reviewed the ARP table on Firewall B, but there the entry was shown correctly.

We replaced hardware and reinstalled but problem persists with multiple installations and different firewalls on the same WAN interface.

For testing I changed:

net.inet.ip.redirect 1
net.inet.icmp.drop_redirect 0

-> no change.

Firewall->Settings->Advanced->Disable force gateway

-> no change
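The symptom described above (frames for an on-link host carrying the router's MAC instead of the MAC the ARP table holds for that host) can be checked mechanically against a capture. This is an added example, not code from the post or from OPNsense; the subnet (documentation range 203.0.113.0/24), the MACs, the ARP table and the simplified capture format are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders (not from the post): documentation-range WAN subnet
# and locally administered MACs.
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")
# ARP table as Firewall B would show it (constructed)
ARP_TABLE = {
    "203.0.113.1": "02:00:00:00:00:01",    # Firewall A
    "203.0.113.254": "02:00:00:00:00:fe",  # Router
}

# Constructed capture lines in a simplified "src_ip > dst_ip dst_mac" form
SAMPLE_CAPTURE = """\
203.0.113.2 > 203.0.113.1 02:00:00:00:00:01
203.0.113.2 > 203.0.113.1 02:00:00:00:00:fe
203.0.113.2 > 198.51.100.9 02:00:00:00:00:fe
"""


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    dst_mac: str


def parse_capture(text):
    """Parse the simplified capture lines into Frame records."""
    frames = []
    for line in text.strip().splitlines():
        src, _arrow, dst, mac = line.split()
        frames.append(Frame(src, dst, mac.lower()))
    return frames


def misdirected_frames(frames, arp_table, subnet):
    """Return frames addressed to an on-link IP whose destination MAC differs
    from the ARP table entry for that IP (e.g. the router's MAC instead)."""
    bad = []
    for f in frames:
        if ipaddress.ip_address(f.dst_ip) not in subnet:
            continue  # off-link destinations legitimately use the router MAC
        expected = arp_table.get(f.dst_ip)
        if expected is not None and f.dst_mac != expected.lower():
            bad.append(f)
    return bad


if __name__ == "__main__":
    for f in misdirected_frames(parse_capture(SAMPLE_CAPTURE), ARP_TABLE, WAN_SUBNET):
        print(f"{f.src_ip} -> {f.dst_ip} sent to {f.dst_mac}, ARP says {ARP_TABLE[f.dst_ip]}")
```

The second sample line reproduces the post's symptom and is the only one flagged; the third goes off-link and is correctly ignored.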

#3
20.7 Legacy Series / Content of "This Firewall" Alias
September 16, 2020, 07:30:00 PM
Can I check what "This Firewall" looks like?

Does it contain the IPv6 DHCP WAN address?
#4
The first box that I updated did not do the reboot due to a suricata pid that did not exit.

I verified that the upgrade was done and only the reboot was pending, killed the process with kill -9 <pid> and everything booted up normally and seems to work fine.
#5
On one of my OPNsense boxes I am facing problems with some kind of DDoS attacks.
The system is running 19.7.4 in a stateless firewall configuration.
Two BGP uplinks are configured and working.

On one active uplink I see attacks from time to time that seem to use TCP out-of-order mechanisms to generate load on the firewall. The target addresses sometimes don't even exist but are in my network range.

By blocking the network ranges or IPs it is possible to handle them, but I am interested whether there are tweaks to the settings to optimize out-of-order packet handling?

#6
20.1 Legacy Series / CARP VHID Groups
March 23, 2020, 08:37:50 PM
Do VHID groups need to be unique for the complete firewall or just per interface?

Would it be possible to have VHID1 on WAN and LAN or should the VHID be unique system wide.
#7
Today I want to share an example of how upgrading your hardware can help to reduce problems.



This is how the load was reduced to "nothing" from a permanent load of 4-5 on an old Atom Box (1.8GHz Dualcore). The system is doing 30-40 IPsec Tunnels and OpenVPN connected to a 1Gb/s fibre connection.

It was known that the hardware was no longer capable of handling the traffic and got replaced now. Same configuration was applied and then modified for AES-NI.

The new box is built with a Xeon 3GHz Quadcore.
#8
On one of my boxes the OpenVPN Service crashes from time to time with the following error message:

Cannot open TUN/TAP
#9
German - Deutsch / OPNsense user meetup 2020
December 15, 2019, 10:41:26 PM
Hello everyone,

since there are quite a few users in the German-speaking area, I would like to propose a user meetup for 2020. I use OPNsense both privately and professionally. If there is interest, I can offer rooms for talks and workshops. But first, this thread to gauge opinions.

I would be happy to get your feedback on the following points:

User meetup? Yes/No

What would you like to have? Talks, workshops, exchange, recording, ...

Would you contribute yourself? Yes (how), No

Best regards,

Dominik
#10
Hi,

some plugins request more memory usage on one of my boxes.
Is there a "correct" way to adjust the max memory value or what php.ini file would be the correct one?

If the value is adjusted, is it a persistent change or will it be overwritten with system updates?

Regards,

Dominik
#11
Hey,

is it possible to run an OPNsense box as router and firewall at the same time? On one hand I need to route traffic from one interface to the other without stateful processing.

Would it be enough to define rules with state "none" to turn off stateful processing if the rule hits?
I know it is possible to turn off pf completely, but that would mean I could not even protect the box itself?

To add some more background, the box is doing BGP and forwards traffic to other routers. This traffic does not need filtering. In addition to that, I don't want to keep states for the forwarded traffic in my state table. Since the routing to that other router could go asynchronous, stateful rules could block traffic because no states for the connection are there. This is not what I want for that connection.

On other interfaces or rules, the box should be able to filter.

Regards,

Dominik
#12
General Discussion / Plugin section in the forum
September 03, 2019, 10:41:31 AM
Hey,

since there is a section for squid and proxy, wouldn't it be nice to have a section of its own for all the custom plugins?

Maybe there could be a pinned post at the top with an overview of all the plugins and their git repositories. This would make it easier to place bug reports and feature requests directly with the plugin developers?


Regards,

Dominik
#13
Do others see that the interface of 19.7.x became very slow?
Connecting, logging in and changing views are much slower with Firefox.
The same firewalls with Chrome work just perfect.

Regards,

Dominik
#14
I am facing some problems when doing new VLAN and interface assignments from time to time.

Do others see this behaviour, too?

When I assign a new VLAN and a new interface I had to reboot to make it work properly. For example, rules that point to the "this firewall" alias or to the new local address didn't work until the reboot.

#15
Are there some best practices for implementing central logging with multiple firewalls using the new syslog-ng?

I plan to set up a graylog instance for all logs to be collected.


  • Are the logs tagged with the hostnames of the machines, so I can point multiple firewalls to one log server and still be able to review them by hostname?
  • If I have an HA cluster, how are the logs processed from both machines? Do they need to be configured per machine, or is the logging switched as the secondary becomes active?

Regards,

Dominik
#16
Maybe I have not seen that functionality, yet.

What I like to have is a place to download and review all the Logs.
At the moment I login over SSH and grep the log.

It would be easier if the logs could be downloaded via a click.
Maybe the current and a complete zip with all rotated logs.

#17
With a Telekom VDSL line I often see problems with the renewal of the IPv6 address.
Briefly saving the config again manually works, however.

Has anyone observed something similar?

The configuration is:



Errors in the log:


#18
Is there a functionality that I don't know of to restore a defined backup state of a firewall configuration if, for example, 30 seconds pass without a confirmation of a change?

The use case is changes that can lead to a non-working configuration on a remote site. If I have a working configuration and want to make a change, the change should be applied, but if the change does not work and it is not confirmed, the firewall should roll back to the working configuration automatically.

I am curious if more people would have use for this kind of functionality?

Regards,

Dominik
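The mechanism asked for above (apply a change, roll back automatically unless it is confirmed within a timeout) is the "commit confirmed" pattern. The following is an added example of that pattern operating on a plain config file; it is not an OPNsense feature or API, and the on_apply hook that would reload the firewall is a hypothetical placeholder.

```python
import shutil
import threading
from pathlib import Path


class ConfirmedChange:
    """Write a new config file and start a timer; unless confirm() is called
    before `timeout` seconds elapse, the previous file is restored.
    on_apply is a hypothetical hook for reloading the running configuration."""

    def __init__(self, config_path, new_content, timeout=30.0, on_apply=None):
        self.path = Path(config_path)
        self.backup = self.path.with_suffix(self.path.suffix + ".bak")
        self.new_content = new_content
        self.timeout = timeout
        self.on_apply = on_apply or (lambda: None)
        self.confirmed = False
        self.rolled_back = False
        self._timer = None

    def apply(self):
        # Keep the known-good copy before touching the live file.
        shutil.copyfile(self.path, self.backup)
        self.path.write_text(self.new_content)
        self.on_apply()
        self._timer = threading.Timer(self.timeout, self._rollback)
        self._timer.daemon = True
        self._timer.start()

    def confirm(self):
        """Operator still has access: keep the change and cancel the timer."""
        self.confirmed = True
        if self._timer is not None:
            self._timer.cancel()

    def _rollback(self):
        if self.confirmed:
            return
        shutil.copyfile(self.backup, self.path)
        self.on_apply()
        self.rolled_back = True

    def wait(self):
        """Block until the timer has fired or been cancelled."""
        if self._timer is not None:
            self._timer.join()
```

A real deployment would call confirm() from a second session that is only reachable if the change left the remote site working.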
#19
I added two new carp interfaces on a HA-Cluster.

One virtual IP works as configured. The other one can't be configured on the second firewall. The error message is: Interface specified for the virtual IP address .... does not exist. Skipping this VIP.

On both sides the interfaces are named the same. I deleted and added them and rebooted the firewalls, but had no luck getting the virtual IP synchronized to the second firewall.

If I manually edit the entry on the second firewall I would be able to choose the correct interface, but this is of course not persistent. With the next change on the main firewall the error is there again.

Any ideas how I could figure out what difference in the firewalls could be the root. Is the interface name used to identify the correct interface on the second firewall?

Regards,

Dominik
#20
I am stumbling over a strange behaviour with one firewall with NAT and port forwarding.

I added an additional IP alias to an existing configuration. The firewall had only one IP before and some port forwarding NAT rules defined.

All these rules are applied to the new IP alias as well; this shouldn't happen because they are defined for the WAN address only. This means on the new IP alias I can access the same port forwarding that was defined for my WAN address. That's wrong and should not be working.

If I now try to add a port forwarding for the new IP alias, the traffic is still forwarded to the wrong internal IP.
Even if there is no rule for the new IP alias as destination, traffic gets forwarded... that's not cool.

I upgraded to the latest 19.1.9, same behaviour.

Had someone faced a similar behaviour?