Topics

1

Sensei / TLS 1.3 support

« on: May 28, 2021, 03:25:48 am »

Does anyone know if Sensei plans on supporting tls 1.3?  I put a ticket in with sunny valley helpdesk asking this a month ago and I never received a response.

Thanks

2

20.7 Legacy Series / Syslog_ng causing ridiculous boot times

« on: January 10, 2021, 02:35:34 am »

So I've been having this issue for a while now, and I've just been dealing with it.  I googled it, found a few things, but can't seem to find an actual fix.

Every time I reboot the firewall, it hangs on "Stopping syslog_ng" and I can see on the monitor it's waiting to kill some PID.  It takes forever though, causing like 10 minute reboot times on the firewall.  I didn't have this issue in version 19 that I can remember, and it seems to be a known thing from what I'm reading?  Just wondering if anyone knows an actual fix for this. 

Thanks

3

20.7 Legacy Series / OpenVPN Redirect Gateway not working anymore?

« on: November 20, 2020, 09:28:10 pm »

Redirect gateway used to work prior to the latest update.  On October 17th I was out of town and in a hotel with unsecured WiFi and actually used this feature to get around that and confirmed that all of my traffic was routing over the tunnel.

Today I had a reason to use the VPN again and this has seemingly stopped.  Trying to browse to any website, or ping out to the internet with the redirect gateway option checked just doesn't seem to work.  I did a PCAP on the openvpn interface on the firewall and I do see the pings in the pcap, but there are no replies and web browsing just seems to time out. 

If I uncheck redirect gateway, then pinging out to the internet and web browsing is fine.  I have about 4 different OpenVPN servers running and they are all sharing the same behavior. 

Here's the routing table from a PC I was using while connected to a public WiFi while on the VPN with redirect gateway enabled:

Code: [Select]

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.128.128.128   10.140.249.135     40
          0.0.0.0        128.0.0.0        10.5.19.5        10.5.19.6    291
         10.0.0.0        255.0.0.0         On-link    10.140.249.135    296
         10.5.0.0      255.255.0.0        10.5.19.5        10.5.19.6    291
        10.5.19.0    255.255.255.0        10.5.19.5        10.5.19.6    291
        10.5.19.4  255.255.255.252         On-link         10.5.19.6    291
        10.5.19.6  255.255.255.255         On-link         10.5.19.6    291
        10.5.19.7  255.255.255.255         On-link         10.5.19.6    291
   10.140.249.135  255.255.255.255         On-link    10.140.249.135    296
   10.255.255.255  255.255.255.255         On-link    10.140.249.135    296
     73.61.103.19  255.255.255.255   10.128.128.128   10.140.249.135    296
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0        10.5.19.5        10.5.19.6    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.5.19.6    291
        224.0.0.0        240.0.0.0         On-link    10.140.249.135    296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.5.19.6    291
  255.255.255.255  255.255.255.255         On-link    10.140.249.135    296
Not really sure why this stopped working.  I've made no firewall rule changes since I've been back from the vacation in October when it was working.  The only thing I've really done on the firewall since is to update to 20.7.4

4

20.7 Legacy Series / PHP keeps spiking my CPU?

« on: November 03, 2020, 01:22:37 am »

So I did the latest update and since then I've had issues.  I did the update, then turned suricata on, and it kept killing my WAN link once a day, so ok, turned that back off, but now my firewall CPU keeps spiking.  If I look at top I see "php" and "php-cgi" keep spiking and hitting like 97%.

I reset the logs on the firewall, manually deleted all the suricata directories I could find, just stuff I found from trying to research this, but it's still doing it.  Anyone have any ideas?  My CPU graph in my network monitor used to idle at almost nothing and now it looks like a saw graph.  The web UI is lagging and downloads are painfully slow. 

5

20.7 Legacy Series / Trying to login with LDAP removes my account from the admin group

« on: October 09, 2020, 02:55:40 am »

So I've had LDAP configured for a while on the firewall, but I figured I should start using it to actually login instead of just using the local database.  My account is a member of the local admins group.  I RDP'd to a VM, logged into the fw as root, Settings | Admninistration | Authentication...I checked both domain controllers and the local database for a backup.  I tried to login with my local account, which has the same username and password as my domain admin account, and the page kind of blinks and just shows me the login screen again.  When I check the user section from the virtual machine using the root account, my account has been removed from the admin group...

The tester works fine for my account, as well as various other test user accounts I've made.  Anyone know why this thing is kicking me out of the admin group?

Oddly enough, if I change the account on the firewall to use a different password than my domain password, it logs in fine.  I'm assuming this is just using the local database and not AD auth though. 

6

20.7 Legacy Series / Does opnsense not let you put vlan's into ospf?

« on: September 22, 2020, 05:05:46 am »

I have 2 port LAG going from the fw to a cisco switch that has 6 Vlans running over it. All the .1's for the Vlans are on the firewall. I can't seem to get the firewall to advertise any of the Vlan networks over ospf.

I have a L3 LAG running from the firewall to the cisco switch, and that advertises fine. Just wondering what the deal is.

7

Hardware and Performance / New hardware?

« on: August 24, 2020, 06:45:20 pm »

I'm currently using a QOTOM box which is mostly ok.  It NATS and routes at gig speeds which I get from the ISP, but it only has 6 NICS.  I'm looking for some recommendations on an appliance type box that would give me 8-12 NICs.  Not sure if it's better to buy something or just build a server with NIC cards but I'd like to keep the 1U formfactor or even 2U if possible.  I was looking at some stuff on this site

 https://www.firewallhardware.it/en/ 

Mainly the following -  https://www.miniserver.it/firewall/power-utm/firewall-appliance-power-utm-aluminum.html

but it seems a bit pricey for what it is considering it's DDR3, does't seem to have ECC, etc.
Just wondering what people's recommendations are for a box with 8-12 NICs in a 1U or 2U form factor.
Thanks in advance

8

20.7 Legacy Series / Firewall locks up/stops passing traffic

« on: August 24, 2020, 03:50:07 pm »

I recently had to rebuild (reinstall) my Opnsense firewall and used config backups to get myself back where I was. I have 2 LAN interfaces that both go to a Cisco switch. The one interface periodically just goes down (no idea why), so the cisco switch will see the traffic on the interface stop and then add a default route to the secondary interface. This has worked fine in the past and via testing still works.

A little while ago though, and maybe 2 more times since I've reinstalled, I've noticed the firewall just dies. It's still powered on, but I cannot ssh to either LAN interface, or access the web gui on either interface, and all traffic out to the internet stops. I've tried going through the logs but I don't really see anything (I might not be looking correctly or in the right place).

When the firewall is running, everything works fine. Tunnels, sensei, no issues with anything really, it just seems to lock up every 2 or 3 days. Not sure if I should reinstall again or if someone can help me track down the issue.

Thanks.

9

20.7 Legacy Series / Wireguard only works for 1 tunnel

« on: August 18, 2020, 09:48:31 pm »

I was messing with sensei last night and long story short, I changed a config for that and bricked the firewall. Don't ask me how. I was able to restore from a backup config but then I noticed that the second wireguard site-to-site tunnel with my friend wasn't working. The first site-to-site seems to be fine, but not the second. I figured something got corrupted and said screw it and just reinstalled OPNsense...but somehow I'm still having the same problem.

It looks like the routes for the second tunnel just aren't being added...at all.

Code: [Select]

service wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
[#] rm -f /var/run/wireguard/wg1.sock
[#] resolvconf -d wg1
[#] wireguard-go wg0
INFO: (wg0) 2020/08/18 15:29:54 Starting wireguard-go version 0.0.20200320
[#] wg setconf wg0 /tmp/tmp.unP2p7nM/sh-np.10hwi8
Warning: AllowedIP has nonzero host part: 172.25.25.1/30
[#] ifconfig wg0 inet 172.25.25.1/30 172.25.25.1 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 172.25.25.0/30 -interface wg0
[#] route -q -n add -inet 10.33.0.0/16 -interface wg0
[+] Backgrounding route monitor
[#] wireguard-go wg1
INFO: (wg1) 2020/08/18 15:29:54 Starting wireguard-go version 0.0.20200320
[#] wg setconf wg1 /tmp/tmp.BYmvS7eI/sh-np.tuIqoO
[#] ifconfig wg1 inet 172.26.26.1/30 172.26.26.1 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] resolvconf -a wg1 -x
[+] Backgrounding route monitor
I can see when I restart wireguard in the CLI that wg0 has "route -q -n add" etc, and wg1 which is the second tunnel does not. I can also see this in the GUI where I see the route to the first tunnel is there but the second is not.

I have no idea how or why this happened, or how to fix it. I'm extremely confused. Everything with the second tunnel seemed fine until the crash last night. I reinstalled the software, did the updates until I was running the latest, then restored from a backup I took last night after the first crash. Does anyone have any ideas why the second tunnel wouldn't be adding its routes?

I tried removing the second tunnel and starting from scratch. I also tried uninstalling and reinstalling wireguard but the issue is persisting through everything I throw at it. Idk how much harder I can hammer the thing aside from reinstalling opnsense completely, which I already did...unless somehow the issue carried over from the back up, but I did try reverting to an even older backup after I did the reinstall today and the issue was present still. I also tried cloning the second tunnel, but it seems like any tunnel I make after the one that actually is working has the same issue where it doesn't add the routes.

10

20.1 Legacy Series / More weirdness with rules

« on: April 22, 2020, 02:35:18 pm »

If I ping 4.2.2.2 from my office PC, I see the packets leave my WAN interface using the "Let anything out from firewall host itself" rule.  I'm really trying to make my own rules so this floating rule phases out.

I made a rule (screen shot attached) and implemented it.  Now if I ping 4.2.2.2 I see the traffic hitting the rule I made, but I stop getting icmp echo replies from the destination.  Almost seems like the state table isn't taken into consideration?

Anyone have any thoughts as to why that is? 

11

20.1 Legacy Series / Question about "let anything out from firewall host itself"

« on: April 18, 2020, 07:18:28 pm »

I have an interface configured on the firewall that is a separate network and it's mostly blocked off from reaching every other network.  I put a test windows virtual machine on this network and needed some rules so it could hit my domain controllers, etc.  I noticed though, that when I look at the logs, it's not hitting the rules I made.  The traffic is passing and all is working as expected, but it's hitting this "Let anything out from firewall host itself" rule....which I can't seem to find anywhere, instead of hitting the rule I made.

If I disable the rules I made to allow the traffic, the log clearly shows them hitting the deny rules I put below the allow rules.  Just curious why I'm not seeing the right rule label in the logs?

Thanks in advance

12

19.7 Legacy Series / (Solved) Can't see vlan traffic?

« on: November 25, 2019, 04:34:52 am »

I setup a vlan interface (vlan 30) on the firewall.  I have a core cisco switch and an "access" cisco switch connected to the firewall.  I made vlan 30 on the core switch, trunked to the interface on the firewall...that seems to be working fine.  I made another trunk to my VM host, spun up a VM and put it on vlan 30 with a static IP in that subnet.  I can ping out to the internet...everything seems fine...but when I check the firewall logs I can't see anything for vlan 30.

If I ping out to the internet, nothing in the logs.
Ping to a different internal subnet, nothing in the logs. 

I find this very odd.  I would think I would see something in the logs for the traffic hitting the new Vlan interface but I'm not...even though every seems to be working fine. 

Any thoughts or advice is appreciated.

13

19.7 Legacy Series / Trying to tighten up some rules

« on: November 08, 2019, 03:36:08 am »

So I have several subnets inside my LAN and right now, to get out to the interent, there are rules for each of the subnets on the LAN interface of the firewall that basically say - allow ipv4 out to anything.

I decided I wanted to try to tighten these up a bit, so I was trying to change the destination to my WAN interface (which I've named INET) and every time I try to do that, nothing on the subnet can get outside the LAN network. I've tried making the rule go in and out on the WAN interface, I've tried in and out on the LAN interface...I've tried a bunch of things, but it seems like regardless of what I do, nothing on my server subnet can get out to the internet. Here's some screenshots of what I tried last that isn't working.

I'm testing this by trying to ping continuously to 8.8.8.8 from one of the servers, and I can see it hitting the default deny rule, I'm just not sure why.

Thanks in advance for any advice

14

19.7 Legacy Series / SSH for non root account?

« on: October 20, 2019, 06:34:54 am »

I made an admin account for myself, but I can't use SSH to the firewall with it. I read this in another post somewhere:

Go to the user's properties page, under "Effective Privileges" click "+", select "Users - System - Shell account access" and apply. That should do it.

When I go to "Effective Privileges" I don't seem to have that option. Anyone know what's up? I tried filtering the privileges by "ssh" "user" etc. and I manually checked them but I'm missing something I guess.

15

19.7 Legacy Series / Using Opnsense as DHCP server

« on: October 19, 2019, 01:37:23 am »

So I would like to use the firewall as a DHCP and DNS server, but I figured I would do DHCP first. The topology looks like this

Opnsense Firewall

|

Core Cisco Switch

|

Cisco Access Switch

/ \

Everything else



So on the core switch, I made a test Vlan, with a SVI. IP address 10.5.9.1 255.255.255.0

The firewall connects to the core switch with a /30 - 10.5.97.0 255.255.255.252

I set the helper address on the SVI to be the IP of the LAN interface on the firewall, but I guess Opnsense doesn't like this because when I try to configure an "additional pool" on the LAN interface under DHCPv4, it says the network is outside the range of the interface.

So I guess my question is, is this not a thing? Do I need to do something weird with the Vlans or have the Vlans hosted on the firewall? I tried adding a new gateway to the LAN interface on the firewall within the test Vlan range but it didn't make a difference. I had assumed I could have Opnsense hand out IP's for whatever range I wanted over a single interface but it looks like I can't?

Thanks in advance