Topics

1

21.1 Legacy Series / [solved] Traffic directed to wrong ARP address on WAN subnet

« on: February 10, 2021, 07:29:31 pm »

Since I am not sure if its a bug or feature this post, maybe others have seen it before:

I have some opnsense firewalls connected to the same /24 WAN subnet.

Firewall A: 212.x.x.1
Firewall B: 212.x.x.2
Router: 212.x.x.254

Code: [Select]


+------------------+
|     Router       |
|     212.x.x.254  |
+--------+---------+
         |
         |
         |
         |
         |             212.x.x.0./24  WAN
         +--------+-------------------------------+----------+
                  |                               |
                  |                               |
         +--------+---------+          +----------+---------+
         |    Firewall-A    |          |     Firewall B     |
         |     212.x.x.1    |          |     212.x.x.2      |
         +--------+---------+          +----------+---------+
                  |                               |
                  |   LAN A                       | LAN B
                  |                               |
                  |                               |
            +-----+-----+                   +-----+------+
            |    PC     |                   |    PC      |
            |    01     |                   |    02      |
            +-----------+                   +------------+


The availability from the LAN of Firewall A to the WAN Interface of Firewall B looks like this:



After doing a traffic capture on Firewall A and B I think I found the problem. Firewall B does not send the Traffic directly back to Firewall A.
The ARP traffic is sent to a combination of IP of Firewall A but with the MAC of Router. I reviewed the ARP table on Firewall B but there the entry was shown correctly.

We replaced hardware and reinstalled but problem persists with multiple installations and different firewalls on the same WAN interface.

For testing I changed:

net.inet.ip.redirect 1
net.inet.icmp.drop_redirect 0

-> no change.

Firewall->Settings->Advanced->Disable force gateway

-> no change

2

20.7 Legacy Series / Content of "This Firewall" Alias

« on: September 16, 2020, 07:30:00 pm »

Can I check what "This Firewall" looks like?

Does it contain the IPV6 DHCP wan address?

3

20.7 Legacy Series / Upgrade OPNsense 20.7.2 reboot fails due to suricata pid

« on: September 02, 2020, 07:00:24 pm »

The first box that I updated did not made the reboot due to a suricata pid that did not exit.

I verified that the upgrade was done and only the reboot was pending, killed the process with kill -9 <pid> and everyting booted up normal and seems to work fine.

4

19.7 Legacy Series / Handling of TCP out of Order Packages

« on: April 27, 2020, 01:06:44 pm »

On one of my opnSense boxes I am facing problems with some kind of DDOS attacks.
The system is running  19.7.4. in a stateless firewall configuration.
Two BGP uplinks are configured and working.

On one active uplink I see attacks from time to time that seem to use TCP Out-Of-Oder machanisms to generate load on the Firewall. The target addresses are sometimes not even existing but in my network range.

By blocking the network ranges or ips it is possible to handle them, but I am interessted if there are tweaks to the settings to optimize out of order package handling?

5

20.1 Legacy Series / CARP VHID Groups

« on: March 23, 2020, 08:37:50 pm »

Do VHID Groups need to be unique for the complete firewall or just for interfaces.

Would it be possible to have VHID1 on WAN and LAN or should the VHID be unique system wide.

6

Hardware and Performance / Some example how decent Hardware can help

« on: March 18, 2020, 11:07:24 am »

Today I want to share some example how upgrading your hardware can help to reduce problems.



This is how the load was reduced to "nothing" from a permanent load of 4-5 on an old Atom Box (1.8GHz Dualcore). The system is doing 30-40 IPsec Tunnels and OpenVPN connected to a 1Gb/s fibre connection.

It was known that the hardware was no longer capable of handling the traffic and got replaced now. Same configuration was applied and then modified for AES-NI.

The new box is built with a Xeon 3GHz Quadcore.

7

19.7 Legacy Series / OpenVPN services stopps worling. /dev/tun1 busy

« on: January 19, 2020, 08:38:54 pm »

On one of my boxes the OpenVPN Service crashes from time to time with the following error message:

Cannot open TUN/TAP

8

German - Deutsch / OPNsense Usertreffen 2020

« on: December 15, 2019, 10:41:26 pm »

Hallo zusammen,

nachdem es ja einige User im deutschsprachigen Raum gibt, möchte ich für 2020 ein Usertreffen zur Diskussion stellen. Ich nutze OPNsense privat wie beruflich. Sollte Interesse bestehen, kann ich Räumlichkeiten für Vorträge sowie Workshops anbieten. Vorab aber erstmal dieser Thread für ein Meinungsbild.

Es würde mich freuen euer Feedback zu folgenden Punkten zu bekommen:

Usertreffen? Ja/Nein

Was würdet ihr euch wünchen? Vorträge, Workshops, Austausch, Recording, ...

Würdet ihr euch selbst einbringen? Ja(wie), Nein

VG,

Dominik

9

19.7 Legacy Series / What is the "correct" way to adjust the php max memory used by lighttp andp php?

« on: September 13, 2019, 09:33:24 am »

Hi,

some plugins request more memory usage on one of my boxes.
Is there a "correct" way to adjust the max memory value or what php.ini file would be the correct one?

If the value is adjusted is it a persistent change or will it be overritten with system updates?

Regards,

Dominik

10

19.7 Legacy Series / Run OPNsense as router and firewall at the same time

« on: September 07, 2019, 12:57:02 am »

Hey,

is it possible to run a OPNsense box as router and firewall at the same time. At one hand I need to route traffic from one interface to the other without stateful processing.

Would it be enough to define rules with state "none" to turn of stateful processing if the rule hits?
I know it is possible to turn of pf completely, but that would mean I could not even protect the box itself?

To add some more backround, the box is doing BGP and forwards traffic to other routers. This traffic does not need filtering. In addition to that, I don't want to keep states for the forwarded traffic in my state table. Since the routing to that other router could go asynchronous, stateful rules could block traffic because no states for the connection are there. This is not what I want for that connection. 

On other interfaces or rules, the box should be able to filter.

Regards,

Dominik

11

General Discussion / Plugin section in the forum

« on: September 03, 2019, 10:41:31 am »

Hey,

since there is a section for squid and proxy. Wouldn't it be nice to have an own section for all the custom plugins?

Maybe there could be a pined post at the top with an overview of all the plugins and their git repositories. This would make it easier to place bug reports and feature requests directly to the plugin developers?


Regards,

Dominik

12

19.7 Legacy Series / [solved] Interface 19.7.x slow with Firefox. With Chrome same Firewall is fine.

« on: September 03, 2019, 12:58:42 am »

Do others see that the inferface of 19.7.x became very slow?
Connecting, loggin in and changing views are much more slow with Firefox.
The same firewalls with Chrome work just perfect.

Regards,

Dominik

13

19.7 Legacy Series / Interface assigments to VLAN don't work until reboot

« on: August 19, 2019, 11:42:31 am »

I am facing some problems when doing new VLAN and Interface assigments from time to time.

Do others see this behaviour, too?

When I assigne a new VLAN and a new interface I had to reboot to make it work properly. For example rules that point to "this firewall" alias or to new local adress didn't work unitl the reboot.

14

19.7 Legacy Series / Central logging with new syslog-ng targets

« on: August 16, 2019, 02:13:36 pm »

Are there some best practices how to implement central loggin with multiple firewalls using new syslog-ng?

I plan to setup a graylog instance for all loggs to be collected.

• Are the loggs tagged with the hostnames of the machines so I can point multiple firewalls to one log-server and still be able to review them by hostname?
• If I have a HA-Cluster how are the loggs processed from both machines? Do they need to be configured by machine or is thet loggin switched as the secondary becommes active?

Regards,

Dominik

15

Development and Code Review / Feature Idea: Download complete Logs button

« on: August 13, 2019, 09:40:04 pm »

Maybe I have not seen that functionality, yet.

What I like to have is a place to download and review all the Logs.
At the moment I login over SSH and grep the log.

It would be more easy if the logs could be downloaded via click.
Maybe the current and a complete zip with all rotated logs.