Topics - loganx1121

#1
I've been monkeying around with monit trying to figure out how to do this but haven't had any luck yet. I basically just want it to send an email anytime the configuration on the firewall has been changed, i.e. a new rule is added, a rule is disabled/enabled, etc.

Does anyone know if this is possible?
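One way to get the effect asked for above, as an added example that is not part of the original post and not a monit feature: a small POSIX shell script that keeps a SHA-256 baseline of the OPNsense config file, and on change mails a unified diff of the previous and current copies. It can be run from cron or pointed at by a monit "check program" entry. The path /conf/config.xml, the state directory /var/db/config-watch and the use of mail(1) to root are assumptions; adjust them for your box.

```shell
#!/bin/sh
# Added example, not from the post: alert when the OPNsense configuration
# file changes. Run from cron or a monit "check program" entry. The config
# path, state directory and the use of mail(1) are assumptions.

CONFIG_FILE="${CONFIG_FILE:-/conf/config.xml}"
STATE_DIR="${STATE_DIR:-/var/db/config-watch}"

# SHA-256 of a file: sha256(1) on FreeBSD, sha256sum on Linux, openssl as fallback.
file_hash() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# config_changed FILE STATEDIR
# Returns 0 when FILE's hash differs from the stored one (or no baseline exists),
# 1 when unchanged. On change it records the new hash and keeps the previous
# copy of the file so config_diff can show what moved.
config_changed() {
    file="$1"; state="$2"
    mkdir -p "$state"
    new_hash=$(file_hash "$file")
    old_hash=""
    if [ -f "$state/last.sha256" ]; then
        old_hash=$(cat "$state/last.sha256")
    fi
    if [ "$new_hash" = "$old_hash" ]; then
        return 1
    fi
    if [ -f "$state/last.copy" ]; then
        cp "$state/last.copy" "$state/prev.copy"
    fi
    cp "$file" "$state/last.copy"
    printf '%s\n' "$new_hash" > "$state/last.sha256"
    return 0
}

# config_diff STATEDIR: unified diff of the previous vs the current config copy
config_diff() {
    state="$1"
    if [ -f "$state/prev.copy" ]; then
        diff -u "$state/prev.copy" "$state/last.copy" || true
    else
        echo "(baseline recorded; no previous copy to diff against)"
    fi
}

# alert SUBJECT: reads the message on stdin; mail(1) to root is the assumed notifier
alert() {
    if command -v mail >/dev/null 2>&1; then
        mail -s "$1" root
    else
        cat
    fi
}

main() {
    if config_changed "$CONFIG_FILE" "$STATE_DIR"; then
        config_diff "$STATE_DIR" | alert "firewall config changed on $(hostname)"
    fi
}

# Runs main only when saved and executed as config-watch.sh, so the functions
# can also be sourced by other scripts.
case "$0" in
    config-watch.sh|*/config-watch.sh) main ;;
esac
```

Since config.xml holds the whole firewall configuration, this fires on any saved change, not only rule edits; the diff in the mail is what tells you whether a rule, a NAT entry or something else moved. OPNsense also writes a timestamped copy to /conf/backup/ on every save, so the same diff can be taken between the two newest files there if you would rather not keep your own copies.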
#2
So I'm kind of wondering what the IP Alias virtual IP is actually used for in a real world scenario and I'm wondering if it's for what I'm trying to do.

I have a public IP space from my ISP, let's call it 192.168.1.1/27 for the sake of argument. Within that space, I have port forwarding set up and I've made firewall aliases to assign servers to public IPs within that space. My connection with the ISP is a direct connection, meaning I'm not routing over some interim network to get to them, I just point at the gateway they gave me.

So if my primary firewall goes down, or I fail it over manually, will those port forwards still "just work", or is this where I would define the public IP of these servers as an "IP Alias" in the virtual IP's?
#3
2 OPNsense firewalls with VIPs configured for the WAN interfaces and the backend VLANs. All VLANs live on the firewall and I'm trunking over a LAGG from a Cisco switch. I can't seem to get CARP maintenance mode to do anything. I see the CARP demotion level increase to 240, but the primary firewall still shows as the master.

I was checking the traffic logs and I saw the IGMP traffic from the VLAN interface being blocked, so I made a rule to allow that but that didn't seem to help. I also globally disabled IGMP snooping on the Cisco switch, but that had no effect either.

Just wondering if anyone else has run into this. If I disable CARP it seems to fail over fine, and I've already tried recreating all the virtual IPs. I also confirmed I can ping from the VLAN interface of 1 firewall to the same VLAN on the other firewall, so it doesn't seem to be a connectivity problem.
#4
22.7 Legacy Series / FreeRADIUS and IPsec Mobile client
December 31, 2022, 01:46:46 PM
Link to same post on reddit for screenshot purposes since attachments here are limited - https://www.reddit.com/r/OPNsenseFirewall/comments/zzt3mq/freeradius_and_ipsec_mobile_client/


I'm trying to use the FreeRADIUS plugin for an IPsec mobile client. Previously had the mobile client working with local accounts, but I need to do this for 400+ people so I figured why not use RADIUS?

So I have the FreeRADIUS plugin installed, which points to a windows domain controller that is sitting behind another firewall at another location. The 2 firewalls have a wireguard tunnel.

FreeRADIUS has LDAP enabled, just boring port 389 to test this out, and a client setup of 127.0.0.1. The RADIUS server in system > access > servers is also set as 127.0.0.1. When I use the tester, I see the port 389 traffic go across to the WG tunnel, and the tester shows the auth is successful.

However, when I try to do this with windows built-in VPN and connect to the IPsec mobile client on the same firewall that FreeRADIUS is running on, I get the following:


2022-12-30T23:33:11 Auth: (19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [mo/<via Auth-Type = eap>] (from client test port 7 cli x.x.x.x[4500])

2022-12-30T23:33:11 Auth: (18) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mo/<via Auth-Type = eap>] (from client test port 0 via TLS tunnel)

2022-12-30T23:31:26 Auth: (9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [mo/<via Auth-Type = eap>] (from client test port 6 cli x.x.x.x[4500])

2022-12-30T23:31:26 Auth: (8) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mo/<via Auth-Type = eap>] (from client test port 0 via TLS tunnel)


The firewall has a root CA made on OPNsense, and from that I issued 2 server certificates - 1 for the IPsec tunnel and 1 for FreeRADIUS. I read somewhere that the IPsec cert and the FreeRADIUS cert had to be the same cert to make this work, so I tried using the IPsec cert in both places but that didn't seem to help.

The client (virtual machine) that is trying to connect has the root CA installed in the "Trusted certificate authorities" in the computer certificates (not personal certificates). I did this when I was using local accounts on the firewall to connect to the IPsec mobile client connection and had it working.

I'm kind of at a loss. The tester says auth works. I see the traffic go over the tunnel. I can only assume return traffic isn't an issue since if it was I would think using the "Tester" wouldn't work either. The common name on both the IPsec cert and the RADIUS cert is the public DNS entry of the firewall.

I've tried PEAP, mschapv2, EAP-TTLS, but can't get any of those to work.  I'm hoping this is just something dumb I missed that someone can point out to me.
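To read log output like the four lines above, here is an added example that is not part of the original post and not an OPNsense or FreeRADIUS tool: two POSIX shell functions that reduce FreeRADIUS "Login incorrect" lines to the inner failure that actually rejected the user, and count rejects per user. With PEAP or TTLS, the outer request (the line ending in "cli x.x.x.x[4500]") only echoes "session was previously rejected"; the module that failed is named on the inner request (the line ending "via TLS tunnel"). As a fact about FreeRADIUS rather than about this post: the mschap module computes the MSCHAPv2 response from the user's NT hash, so it needs an NT-Password (or Cleartext-Password) attribute for the user, and an LDAP backend that only performs a bind does not supply one, which is what "No NT-Password" reports. The sample lines are the ones quoted in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the post: reduce FreeRADIUS "Login incorrect" lines
# to the inner failure that actually rejected the user. With PEAP/TTLS the outer
# request only echoes "session was previously rejected"; the module that failed
# is named on the inner request (the line ending "via TLS tunnel").

# radius_root_causes: log lines on stdin -> "count<TAB>module: reason", most frequent first
radius_root_causes() {
    grep 'Login incorrect' \
    | grep -v 'session was previously rejected' \
    | sed -n 's/.*Login incorrect (\([^:]*\): \(.*\)): \[.*/\1: \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# radius_failed_users: log lines on stdin -> "count<TAB>user" for inner rejects only
radius_failed_users() {
    grep 'Login incorrect' \
    | grep 'via TLS tunnel' \
    | sed -n 's/.*): \[\([^/]*\)\/.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# The four lines quoted in the post, so the functions can be run stand-alone.
sample_log() {
cat <<'EOF'
2022-12-30T23:33:11 Auth: (19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [mo/<via Auth-Type = eap>] (from client test port 7 cli x.x.x.x[4500])
2022-12-30T23:33:11 Auth: (18) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mo/<via Auth-Type = eap>] (from client test port 0 via TLS tunnel)
2022-12-30T23:31:26 Auth: (9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [mo/<via Auth-Type = eap>] (from client test port 6 cli x.x.x.x[4500])
2022-12-30T23:31:26 Auth: (8) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mo/<via Auth-Type = eap>] (from client test port 0 via TLS tunnel)
EOF
}

# Usage: sample_log | radius_root_causes
#        sample_log | radius_failed_users
# or feed the live radius log instead of sample_log.
```

On the post's lines the first function collapses four rejects into a single root cause, "mschap: FAILED: No NT-Password. Cannot perform authentication", and the second reports user "mo" rejected twice; the two eap_peap lines are noise that repeats the inner verdict. The same filter works on a live `tail -f` of the radius log once the firewall is actually taking client connections.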
#5
22.7 Legacy Series / SFPs not detected on Dell appliance
December 06, 2022, 11:04:06 PM
We have some new Dell appliances with 2 SFP cards, 4 SFP+ ports total (2 per card). 10 interfaces total, with the other 6 being 1 Gig RJ45.

All the RJ45 interfaces are being detected by OPNsense, but the SFP ports are not. Does anyone have any ideas as to why this would be? I confirmed the hardware shows in the IDRAC on the appliance.

I did read something about having to add sfxge_load="YES" to the /boot/loader.conf file, but that was for pfSense and I'm not sure if that applies here.

All the interfaces are Broadcom. The SFPs specifically are: Broadcom 57412 Dual Port 10GbE SFP+ Adapter, PCIe Low Profile [540-BBVI] / 5100635

Thanks in advance.
#6
I made a new VLAN for my LAGG and somehow, the anti-lockout rule under port forwarding is now on this interface. This is just a sandbox VLAN for me to test things, so I definitely don't want it on there. I know I can disable the anti-lockout rule altogether, but is there a way to move the interface for this?
#7
22.7 Legacy Series / High Availability won't come up?
October 05, 2022, 08:58:24 PM
Going to link to a Reddit post since screenshots here are so limited. If anyone has any ideas I'd appreciate it.

https://www.reddit.com/r/OPNsenseFirewall/comments/xwigt7/cant_get_ha_to_come_up_but_carp_masterslave_works/
#8
22.7 Legacy Series / CARP and VLAN and LAGG question
October 04, 2022, 12:56:52 PM
I'm planning to get a second firewall of the same hardware and doing HA but I'm a little confused about where the VIPs need to be.

There will be a single Cisco switch running 2, 4 port LAGs to both firewalls. All of the VLANs will pass over these LAGs. The ISP connection will go to a switch and then from the switch to the firewall.

Standard HA setup seems pretty simple, but I'm wondering how I would do HA on the backend of the firewall with the LAGs and VLANs.  Would each VLAN need a VIP configured for it?  Or would that mess things up because the VLANs are running over LAGs?  If each VLAN does need a VIP should that be configured as a CARP VIP?

Thanks in advance.
#9
I have 3 firewalls.  On one, I have multiple OpenVPN servers running, no issues.  On another, single OpenVPN instance running, no issues.  On the third, I can't seem to get it to work.

I keep seeing Could not determine IPv4/IPv6 protocol. Using AF_INET and TLS handshake errors in the OpenVPN logs.  On the dashboard of the firewall, under OpenVPN clients widget, I see the public IP of the location I'm trying to connect -from-, and no virtual IP.

I've compared the server settings with the other 2 firewalls and can't find a difference.  I've also deleted and recreated the CA, INT CA, Server and client certificates a handful of times now, and verified the associated firewall rules are identical for allowing the connection across all 3 firewalls.

Struggling to figure out why it works on the other two OPNsense firewalls but not this one.
#10
I run 3 firewalls at different locations and each has an OpenVPN server running.  On all of them the cert for the OpenVPN server has a SAN, and the SAN is the dynamic DNS entry for each site.  Everything works except 1 OpenVPN at 1 site, so I figured I'd just redo it all.

In redoing it, I noticed the SAN no longer shows up.  This used to work.  The OpenVPN servers were all setup like a year ago.  At one site I have several servers using SAN for their server certificates, all issued by the firewall at that site.  This seems to just be broken.  I can't get a SAN on any server cert generated by any of the 3 firewalls anymore.

#11
I've enabled the proxy and have it setup as transparent with a CA.  Normal whitelist/blacklist works fine and I've confirmed the endpoint is going through the proxy as it should.

I'm trying to block personal gmail accounts and only allow corporate gsuite accounts.  Under forward proxy > advanced (see screenshot) there's an option to restrict GSuite, but I'm not sure how it works.  I tried googling it and didn't find much.

If I put say, the name of my local domain in there, I can't get to gmail.com at all.  In fact it seems anything I put in there blocks getting to gmail.com.  What I'm trying to do is just not allow logging into personal accounts but still allow corporate Gsuite accounts, which supposedly, I should be able to do with this option?

Just wondering if anyone has any idea how to get that to work, or maybe a different way to do it?

I found this https://redmine.pfsense.org/issues/11060?tab=history and it says you need to add a header, but I'm not seeing anything in the proxy GUI that would let me do that.

Thanks in advance
#12
Has anyone else noticed that since the "Watchful Owl" update or whatever it was called, their dashboard shows high CPU temps? I SSH'd in and saw eastpect (Zenarmor, I believe) taking up most of the CPU. Turned that off, but the temps didn't improve on the dashboard. I also noticed PHP periodically spikes the CPU as well.

The dashboard never showed temps above 44 prior to the update.  Now it regularly hits in the 80's or 90's and sometimes stays there.  The hardware is a Qotom box so it's just one big heatsink.
#13
I just noticed this.  The DHCP relay just doesn't seem to work anymore.  I'm currently on version OPNsense 22.1.2_1.  I noticed in the logs the traffic was hitting the "Block bogon rule".  I've had that rule enabled on all the internal interfaces since forever, but ok, I unchecked the box.  Then I see traffic in the firewall log coming from 0.0.0.0 port 68 to 255.255.255.255 port 57 on UDP...DHCP broadcast.  There wasn't a specific rule for this.  I never needed a specific rule for this before, but ok, made some rules.

It still isn't working. I have about 6 or 7 subnets that all rely on the relay and I've tested each one. Nothing seems to be able to get an IP address all of a sudden. I updated the firewall to the above version because I saw there was an update and figured it couldn't hurt.

I don't have a lot of "in and out" with devices in my house so it's possible this has been broken for weeks since I updated to "watchful owl" or whatever it's called and I'm just noticing it now. I see the relay is generating logs, and I did some pcaps on the FW interface and I see it doing "DHCP Request", but nothing will get an address.

Anyone have any ideas?  I've made no changes to the network at all aside from the firewall upgrades. 
#14
Zenarmor (Sensei) / TLS 1.3 support
May 28, 2021, 03:25:48 AM
Does anyone know if Sensei plans on supporting TLS 1.3? I put a ticket in with the Sunny Valley helpdesk asking this a month ago and I never received a response.

Thanks
#15
So I've been having this issue for a while now, and I've just been dealing with it.  I googled it, found a few things, but can't seem to find an actual fix.

Every time I reboot the firewall, it hangs on "Stopping syslog_ng" and I can see on the monitor it's waiting to kill some PID.  It takes forever though, causing like 10 minute reboot times on the firewall.  I didn't have this issue in version 19 that I can remember, and it seems to be a known thing from what I'm reading?  Just wondering if anyone knows an actual fix for this. 

Thanks
#16
Redirect gateway used to work prior to the latest update. On October 17th I was out of town and in a hotel with unsecured WiFi and actually used this feature to get around that, and confirmed that all of my traffic was routing over the tunnel.

Today I had a reason to use the VPN again and this has seemingly stopped.  Trying to browse to any website, or ping out to the internet with the redirect gateway option checked just doesn't seem to work.  I did a PCAP on the openvpn interface on the firewall and I do see the pings in the pcap, but there are no replies and web browsing just seems to time out. 

If I uncheck redirect gateway, then pinging out to the internet and web browsing is fine.  I have about 4 different OpenVPN servers running and they are all sharing the same behavior. 

Here's the routing table from a PC I was using while connected to a public WiFi while on the VPN with redirect gateway enabled:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.128.128.128   10.140.249.135     40
          0.0.0.0        128.0.0.0        10.5.19.5        10.5.19.6    291
         10.0.0.0        255.0.0.0         On-link    10.140.249.135    296
         10.5.0.0      255.255.0.0        10.5.19.5        10.5.19.6    291
        10.5.19.0    255.255.255.0        10.5.19.5        10.5.19.6    291
        10.5.19.4  255.255.255.252         On-link         10.5.19.6    291
        10.5.19.6  255.255.255.255         On-link         10.5.19.6    291
        10.5.19.7  255.255.255.255         On-link         10.5.19.6    291
   10.140.249.135  255.255.255.255         On-link    10.140.249.135    296
   10.255.255.255  255.255.255.255         On-link    10.140.249.135    296
     73.61.103.19  255.255.255.255   10.128.128.128   10.140.249.135    296
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0        10.5.19.5        10.5.19.6    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.5.19.6    291
        224.0.0.0        240.0.0.0         On-link    10.140.249.135    296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.5.19.6    291
  255.255.255.255  255.255.255.255         On-link    10.140.249.135    296


Not really sure why this stopped working.  I've made no firewall rule changes since I've been back from the vacation in October when it was working.  The only thing I've really done on the firewall since is to update to 20.7.4
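To make the routing table above easier to read, here is an added example that is not part of the original post and not an OpenVPN or OPNsense tool: a POSIX shell function, built on awk, that takes a Windows "route print" IPv4 table on stdin and reports whether the routes that OpenVPN's "redirect-gateway def1" installs are present. def1 does not replace the default route; it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win over 0.0.0.0/0 by longest prefix, plus a /32 for the VPN server via the original gateway so the tunnel itself stays reachable. The sample table is the one quoted in the post; the function name and output format are the example's own.

```shell
#!/bin/sh
# Added example, not from the post: inspect a Windows "route print" IPv4 table
# and report whether OpenVPN's "redirect-gateway def1" routes are in place.
# def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (they beat 0.0.0.0/0 by
# longest prefix) and a /32 for the VPN server via the original gateway.

# redirect_gateway_check: table on stdin -> one line:
#   def1_gateway=<gw|none> underlay_gateway=<gw> bypass_hosts=<ip,...|none>
redirect_gateway_check() {
    awk '
    # data rows only: destination and netmask are dotted quads
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9.]+$/ {
        dest = $1; mask = $2; gw = $3
        if (dest == "0.0.0.0"   && mask == "0.0.0.0")   def  = gw
        if (dest == "0.0.0.0"   && mask == "128.0.0.0") low  = gw
        if (dest == "128.0.0.0" && mask == "128.0.0.0") high = gw
        # host routes via a real next hop (not On-link) can bypass the tunnel
        if (mask == "255.255.255.255" && gw != "On-link") hosts[dest] = gw
    }
    END {
        vpn = (low != "" && low == high) ? low : "none"
        bypass = ""
        for (d in hosts)
            if (hosts[d] == def) bypass = bypass (bypass == "" ? "" : ",") d
        if (bypass == "") bypass = "none"
        print "def1_gateway=" vpn, "underlay_gateway=" def, "bypass_hosts=" bypass
    }'
}

# The table quoted in the post, so the check can be run stand-alone.
sample_route_table() {
cat <<'EOF'
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.128.128.128   10.140.249.135     40
          0.0.0.0        128.0.0.0        10.5.19.5        10.5.19.6    291
         10.0.0.0        255.0.0.0         On-link    10.140.249.135    296
         10.5.0.0      255.255.0.0        10.5.19.5        10.5.19.6    291
        10.5.19.0    255.255.255.0        10.5.19.5        10.5.19.6    291
        10.5.19.4  255.255.255.252         On-link         10.5.19.6    291
        10.5.19.6  255.255.255.255         On-link         10.5.19.6    291
        10.5.19.7  255.255.255.255         On-link         10.5.19.6    291
   10.140.249.135  255.255.255.255         On-link    10.140.249.135    296
   10.255.255.255  255.255.255.255         On-link    10.140.249.135    296
     73.61.103.19  255.255.255.255   10.128.128.128   10.140.249.135    296
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0        10.5.19.5        10.5.19.6    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.5.19.6    291
        224.0.0.0        240.0.0.0         On-link    10.140.249.135    296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.5.19.6    291
  255.255.255.255  255.255.255.255         On-link    10.140.249.135    296
EOF
}

# Usage: sample_route_table | redirect_gateway_check
#    or: route print -4 | redirect_gateway_check   (on the Windows client)
```

On the post's table the check prints `def1_gateway=10.5.19.5 underlay_gateway=10.128.128.128 bypass_hosts=73.61.103.19`: both /1 halves point at the tunnel's peer, the hotel gateway is still the 0.0.0.0/0 next hop, and the only host that bypasses the tunnel is 73.61.103.19, which is what a working def1 setup looks like from the client side. When the client table already looks like this and the pings show up in a capture on the server's OpenVPN interface, the client routes are not the thing to chase; what the server does with traffic sourced from the tunnel subnet (outbound NAT and the rules on the OpenVPN interface) is where the replies would be going missing.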
#17
20.7 Legacy Series / PHP keeps spiking my CPU?
November 03, 2020, 01:22:37 AM
So I did the latest update and since then I've had issues. I did the update, then turned Suricata on, and it kept killing my WAN link once a day, so ok, turned that back off, but now my firewall CPU keeps spiking. If I look at top I see "php" and "php-cgi" keep spiking and hitting like 97%.

I reset the logs on the firewall, manually deleted all the Suricata directories I could find, just stuff I found from trying to research this, but it's still doing it. Anyone have any ideas? My CPU graph in my network monitor used to idle at almost nothing and now it looks like a saw graph. The web UI is lagging and downloads are painfully slow.
#18
So I've had LDAP configured for a while on the firewall, but I figured I should start using it to actually log in instead of just using the local database. My account is a member of the local admins group. I RDP'd to a VM, logged into the fw as root, Settings | Administration | Authentication...I checked both domain controllers and the local database for a backup. I tried to log in with my local account, which has the same username and password as my domain admin account, and the page kind of blinks and just shows me the login screen again. When I check the user section from the virtual machine using the root account, my account has been removed from the admin group...

The tester works fine for my account, as well as various other test user accounts I've made.  Anyone know why this thing is kicking me out of the admin group?

Oddly enough, if I change the account on the firewall to use a different password than my domain password, it logs in fine.  I'm assuming this is just using the local database and not AD auth though. 
#19
I have a 2 port LAG going from the fw to a Cisco switch that has 6 VLANs running over it. All the .1s for the VLANs are on the firewall. I can't seem to get the firewall to advertise any of the VLAN networks over OSPF.

I have an L3 LAG running from the firewall to the Cisco switch, and that advertises fine. Just wondering what the deal is.
#20
Hardware and Performance / New hardware?
August 24, 2020, 06:45:20 PM
I'm currently using a QOTOM box which is mostly ok. It NATs and routes at gig speeds, which I get from the ISP, but it only has 6 NICs. I'm looking for some recommendations on an appliance type box that would give me 8-12 NICs. Not sure if it's better to buy something or just build a server with NIC cards, but I'd like to keep the 1U form factor, or even 2U if possible. I was looking at some stuff on this site

https://www.firewallhardware.it/en/ 

Mainly the following -  https://www.miniserver.it/firewall/power-utm/firewall-appliance-power-utm-aluminum.html

but it seems a bit pricey for what it is considering it's DDR3, doesn't seem to have ECC, etc.
Just wondering what people's recommendations are for a box with 8-12 NICs in a 1U or 2U form factor.
Thanks in advance