Topics - davide

#1
OPNSense version 25.1.7_2-amd64

I created an IPSEC tunnel (legacy).

I didn't make the rules (I forgot about them) on the WAN (ESP / UDP port 500 / UDP port 4500).

The tunnel goes UP.
How is this possible?

Reading the documentation, the rules need to be created: https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

Any suggestion will be appreciated.
#2
In System: High Availability: Status
HAProxy Status shows stopped

HAProxy is regularly running

#3
Does version 24.1 support OpenVPN Data Channel Offload (DCO)?
#4
It seems that only OpenVPN 3 correctly implements split-dns.

Are there any plans to implement OpenVPN 3 in OPNsense?
#5
If I use a network alias 31.33.34.35/32, packets for host 31.33.34.35 are blocked.

If I use a host alias 31.33.34.35, packets for host 31.33.34.35 pass.

Is it correct?

Thank you
#6
23.1 Legacy Series / IPSEC Policy Base Routing
July 07, 2023, 11:53:30 AM
I'm using OPNsense 23.1.

Creating a new IPSEC tunnel defaults to Policy Based Routing ([Install Policy] is checked by default).

So I don't find any route in the routing table.

It works, but what I can't understand is how the local network reaches the remote network without routes.
Where can I monitor the routes from local to remote?

How can an IP packet that starts from a local host reach the remote host if on the firewall there is no route?

It works, but I don't understand why :)

Sorry for the confusion, any help will be appreciated.
#7
Does anyone have some news about setting up OPNsense High Availability (CARP) with a PPPoE connection?

Any suggestion is welcome :-)
#8
I need to block Teamviewer.
I read https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139

All TeamViewer IPs have PTR records that resolve to *.teamviewer.com.

I wish to create an alias that is true for all IPs with a PTR record that resolves to *.teamviewer.com

Can I do this?

Thank you very much

#9
19.7 Legacy Series / "LAN Net" internal Alias
August 19, 2019, 11:32:15 AM
I set up the LAN interface for the network 192.168.250.0/24 and gave the IP address 192.168.250.1 to the LAN interface.

Then I added a CARP IP address 10.10.0.1/24 to the LAN interface.

Does the internal alias "LAN Net" comprise both the 192.168.250.0/24 and 10.10.0.0/24 subnets?

#10
I configured the LAN interface with multiple CARP IPs from different subnets (192.168.250.1/24 and 10.100.0.1/27).

Instead of adding two rules (one with source 192.168.250.0/24 and the other with source 10.100.0.0/27), adding only one rule with source "LAN net" works but I wish to know if there is an explanation of how "LAN net" is constructed.

Thank you
#11
Please,
can someone explain to me what exactly is meant by "adding a VHID for every IP would make the CARP traffic very noisy"

Thank you very much.
#12
Hello,
I had to configure the LAN interface with multiple CARP addresses from different subnets.

I also have 2 boxes in HA.

Box 1:
LAN address = 192.168.250.253
CARP address = 192.168.250.1
CARP address = 10.254.0.1

Box 2:
LAN address = 192.168.250.252
CARP address = 192.168.250.1
CARP address = 10.254.0.1


When I try to ping from a machine with IP address 10.254.0.27 to 192.168.250.253, everything works.

When I try to ping from a machine with IP address 10.254.0.27 to 192.168.250.252, it doesn't work.

I can't understand why.
If I tracert to 192.168.250.252, the destination is reached with no hops.
If I tracert to 192.168.250.253, I get the first hop and then request timed out


C:\>tracert -d 192.168.250.253
Traccia instradamento verso 192.168.250.253 su un massimo di 30 punti di passaggio
1    <1 ms    <1 ms    <1 ms  192.168.250.253

C:\>tracert -d 192.168.250.252
Traccia instradamento verso 192.168.250.252 su un massimo di 30 punti di passaggio
1    <1 ms    <1 ms    <1 ms  10.254.0.1
2      *            *           *        richiesta scaduta

If I try to inspect traffic on 192.168.250.252 with tcpdump, I only see the traffic IN but no reply from 192.168.250.252

root@opn02:~ # tcpdump -n host 10.254.0.27 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:30:58.480436 IP 10.254.0.27 > 192.168.250.252: ICMP echo request, id 33, seq 63230, length 72


It seems that box 2 doesn't know how to get back. Is this a problem with multiple CARP subnets on the same interface?

Any suggestion?