Topics - reep

1
16.7 Legacy Series / Multi WAN - what am I missing here?
« on: January 17, 2017, 05:54:53 pm »
Scratching my head here.

Setup Multi WAN with 2 x WAN connections as per the docs.

What I can't figure out is what to do with setting (or not) the default gateway on a WAN.

Clearly you can only set a default route on one connection or the other. But I presume (though it is not mentioned) that this should be disabled for both WAN connections in a Multi WAN setup.

OK, so no default gateway and we add a rule to forward all local traffic to the gateway group.

From Opnsense I can ping the gateway monitor IPs and they traceroute out via each WAN device correctly.

From Opnsense I can ping the DNS servers set by the WAN routers and they traceroute out via each WAN device correctly.

For the life of me what I cannot do is ping any other host. I just get "No route to host".

That kind of makes sense - there are routes set for the DNS IPs and for the gateway monitor IPs but no other traffic so the packets should be picked up by the firewall rule but nothing happens.

Nothing appears in the firewall logs.

You can see the routes set for the Google DNS servers used as gateway monitor IPs and you can see the DNS servers set by the ADSL routers.

Internet:
Destination        Gateway            Flags      Netif Expire
8.8.4.4            192.168.2.1        UGHS     vtnet3
8.8.8.8            192.168.1.1        UGHS     vtnet1
10.0.0.0/24        link#1             U        vtnet0
10.0.0.251         link#1             UHS         lo0
127.0.0.1          link#8             UH          lo0
192.168.1.0/24     link#2             U        vtnet1
192.168.1.11       link#2             UHS         lo0
192.168.2.0/24     link#4             U        vtnet3
192.168.2.11       link#4             UHS         lo0
208.67.220.220     192.168.2.1        UGHS     vtnet3
208.67.222.222     192.168.1.1        UGHS     vtnet1

A traceroute to any of those 4 IPs shows the packets go the right way. But everything else is not getting picked up by the firewall/gateway group.

So what on earth have I missed? Do I still need to set a default gateway?

B. Rgds
John
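The check behind the "No route to host" symptom, as an added example that is not part of the original post: it parses the routing table quoted above and performs the same longest-prefix match the kernel does, so you can see which destinations have a route and that nothing falls through to a default. The lookup target 203.0.113.10 is a constructed address.

```python
"""Route lookup for the Multi WAN post above.  Added example, not part of the
post: it parses the routing table shown there, does the kernel's
longest-prefix match, and checks for a default route."""
import ipaddress

# Copied from the post (header line omitted so every line parses).
ROUTE_TABLE = """\
8.8.4.4            192.168.2.1        UGHS     vtnet3
8.8.8.8            192.168.1.1        UGHS     vtnet1
10.0.0.0/24        link#1             U        vtnet0
10.0.0.251         link#1             UHS         lo0
127.0.0.1          link#8             UH          lo0
192.168.1.0/24     link#2             U        vtnet1
192.168.1.11       link#2             UHS         lo0
192.168.2.0/24     link#4             U        vtnet3
192.168.2.11       link#4             UHS         lo0
208.67.220.220     192.168.2.1        UGHS     vtnet3
208.67.222.222     192.168.1.1        UGHS     vtnet1
"""

def parse_routes(text):
    """Return (network, gateway, flags, netif) tuples. A bare address is a
    /32 host route; 'default' (absent in the post) becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[:4]
        dest = "0.0.0.0/0" if dest == "default" else dest
        routes.append((ipaddress.ip_network(dest, strict=False), gw, flags, netif))
    return routes

def lookup(routes, addr):
    """Longest-prefix match. None is the 'No route to host' case from the
    post: nothing matches and there is no default route to fall back on."""
    target = ipaddress.ip_address(addr)
    matches = [r for r in routes if target in r[0]]
    if not matches:
        return None
    _net, gw, _flags, netif = max(matches, key=lambda r: r[0].prefixlen)
    return gw, netif

def has_default_route(routes):
    return any(r[0].prefixlen == 0 for r in routes)

if __name__ == "__main__":
    rt = parse_routes(ROUTE_TABLE)
    for ip in ("8.8.8.8", "208.67.220.220", "203.0.113.10"):  # last is constructed
        print(ip, "->", lookup(rt, ip), "| default route:", has_default_route(rt))
```

Only the four host routes (the monitor and DNS IPs) resolve; every other destination returns None because the table carries no 0.0.0.0/0 entry for the gateway group rule to hand traffic to.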

2
16.7 Legacy Series / IPSEC ICMP
« on: January 06, 2017, 06:35:54 pm »
Back to playing again as I have resolved some ISP/IP issues :-)

I have run up an ipsec v2 connection to Libreswan.

I seem to be able to ping from the Libre end to the Opnsense box, but not the other way around.

I followed the Ipsec howto (excellent resource!) to remind myself of how to do this but am stuck on this - I guess because I have missed a firewall rule somewhere.

I have the 3 basic rules set for each WAN device (so I can swap around as required - though I guess a floating rule may be better for this?)

WAN rules. As per docs:

Protocol ESP
UDP Traffic on Port 500 (ISAKMP)
UDP Traffic on Port 4500 (NAT-T)

Ipsec rules. As per docs:

Enable all, Lan address.

The firewall seems to pass the packet out:

@57 pass out log route-to (vtnet 192.168.1.1) inet from 192.168.1.13 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from the firewall host itself"

But nothing seems to come back. I can ping the same Libre box from another ipsec connected machine and ping both ways happily.

Note that as this is in testing at the minute Opnsense is a VM on Proxmox.
The WAN IP is DHCP from a router at 192.168.1.13 rather than a public IP.
The LAN IP is 10.0.0.251
The Ipsec address is 192.168.97.1

From the Libre box I can ping Opnsense:
[root@test ~]# ping 10.0.0.251
PING 10.0.0.251 (10.0.0.251) 56(84) bytes of data.
64 bytes from 10.0.0.251: icmp_seq=1 ttl=64 time=51.5 ms

But a ping from Opnsense on 10.0.0.251 (which has an Ipsec Local IP of 192.168.1.13) to 192.168.97.1 returns nothing.

I'm sure I fixed this when I had it running before but I just can't remember what I did!

Any assistance appreciated - just need to ping both ways to test a few things!

B. Rgds
John

3
16.7 Legacy Series / arpresolve issues with bridged modem
« on: September 13, 2016, 06:22:45 pm »
Been trying to figure this out the last few days and just can't get it right.

I have both a Draytek 2820 modem/router and a Vigor 120 modem for testing (I have been using 2 x 2820s but was going to move to using the 120s).

I am trying to bridge a MPoA connection but whichever way I twist and turn I come up against a brick wall.

The Opnsense router has a "HP NC380T PCIe DP Multifunc Gig Server Adapter" dual NIC for the two WAN ports.

I have the router in Multiwan mode. WAN 2 is disconnected for testing. WAN3 has a DHCP backup wifi ether connection and is in a gateway group that seems to be handling failover OK :-)

The logs show this for WAN1:

arpresolve: can't allocate llinfo for 80.59.1.1 on bce0

There are numerous posts on this, but few answers... drivers, other issues...

This is similar: https://forum.pfsense.org/index.php?topic=31753.0

Tried force-adding a default GW:

root@OPNsense:~ # route add default 80.59.216.193
route: writing to routing socket: Network is unreachable
add net default: gateway 80.59.216.193 fib 0: Network is unreachable

I have read various items on issues with bridging on the Drayteks e.g.:
http://www.draytek.com/en/faq/faq-connectivity/connectivity.wan/what-should-i-do-when-vigor-router-is-getting-the-message-arp-address-mismatch-in-syslog/

I have tried ip arp accept 1 and 3 to enable acceptance of incorrectly addressed ARP packets but this does not seem to work.

Quite simply I am stuck. Opnsense works fine if it uses standard DHCP from the ADSL router but then the WAN interfaces get a private IP and not the proper WAN IP (which makes a mess for ipsec).

Any suggestions on trying to pin this issue down and try to cure it?

I'd try another ADSL modem if I knew there was one that would work. Unfortunately I can't use Opnsense in production until I can sort this out :-(

B. Rgds
John

4
16.7 Legacy Series / NAT vs Firewall rule
« on: September 02, 2016, 05:06:20 pm »
Hi,

I'm trying to create some NAT Port forwards from the outside world to my server.

I have two main ADSL WAN connections.

I can see in Firewall rules I can make a rule and select multiple interfaces for incoming traffic so I could create one rule that says 'For all incoming traffic for port 80 forward to 192.168.1.100'.

But I believe I should really create a NAT Port Forward and for this it seems you can only pick one interface which means I need two rules for each port, one for WAN 1 and one for WAN 2. Is this correct or am I going mad or doing something wrong?

I also wonder how this works with Multi WAN?

B. Rgds
John

5
Development and Code Review / [SOLVED] Interface display order
« on: August 10, 2016, 04:21:23 pm »
I remember this from when I played with earlier versions (https://github.com/opnsense/core/issues/199).

The first WAN interface is called 'wan' by the system with further interfaces then being called optx.

Despite being able to change the description of the interface the actual sort order does not change.

So for example in Firewall rules you get:

WAN1   LAN   WAN2   WAN3   IPSEC

I found a solution was to manually rename and sort each interface in the <interfaces> section in:

/conf/config.xml

I then renamed any references, e.g.:

wan -> wan1
opt1 -> wan2
opt2 -> wan3

I then updated any relevant pages e.g. interfaces/gateways to resave and regenerate any configs e.g. firewall rules.

I now have nicely sorted interfaces everywhere :-) Only a small thing but looks SO much better and everything is more logical, and where you expect to find it.

It is better to do it as soon as you have assigned your interfaces and before you do any other configuration.

Not sure how to suggest fixing this - happy to create a bug if you think it is worth an NFR?

B. Rgds
John
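The rename-and-sort procedure described above, as an added example that is not OPNsense's own code or the poster's script. The XML below is a constructed, much-reduced stand-in for /conf/config.xml, and the example assumes references to an interface appear as its key inside <interface> elements; run it against a copy of the real file, never the live one.

```python
"""Interface rename/reorder for the [SOLVED] post above.  Added example, not
OPNsense's own code.  The XML is a constructed stand-in for /conf/config.xml
(the real file has many more sections); references are assumed to be <interface> keys."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>vtnet1</if><descr>WAN1</descr></wan>
    <lan><if>vtnet0</if><descr>LAN</descr></lan>
    <opt1><if>vtnet3</if><descr>WAN2</descr></opt1>
    <opt2><if>vtnet4</if><descr>WAN3</descr></opt2>
  </interfaces>
  <filter>
    <rule><interface>opt1</interface><descr>from WAN2</descr></rule>
    <rule><interface>wan,opt2</interface><descr>floating</descr></rule>
  </filter>
</opnsense>"""

RENAMES = {"wan": "wan1", "opt1": "wan2", "opt2": "wan3"}   # the post's mapping
ORDER = ["wan1", "wan2", "wan3", "lan"]                     # desired display order

def rename_interfaces(xml_text, renames=RENAMES, order=ORDER):
    """Rename and reorder the <interfaces> children, then rewrite every
    <interface> element naming them. Returns (root, number of refs rewritten)."""
    root = ET.fromstring(xml_text)
    ifaces = root.find("interfaces")
    for child in ifaces:                                    # 1. rename keys
        child.tag = renames.get(child.tag, child.tag)
    rank = {name: i for i, name in enumerate(order)}        # 2. sort (stable;
    kids = sorted(ifaces, key=lambda e: rank.get(e.tag, len(order)))  # unlisted last)
    for k in list(ifaces):
        ifaces.remove(k)
    ifaces.extend(kids)
    changed = 0                                             # 3. fix references
    for el in root.iter("interface"):                       # single key or "a,b" list
        new = ",".join(renames.get(t.strip(), t.strip()) for t in (el.text or "").split(","))
        if new != (el.text or ""):
            el.text, changed = new, changed + 1
    return root, changed

def interface_order(root):
    return [e.tag for e in root.find("interfaces")]

def interface_refs(root):
    return [e.text for e in root.iter("interface")]

if __name__ == "__main__":
    root, n = rename_interfaces(SAMPLE_CONFIG)
    print(interface_order(root), interface_refs(root), n, sep="\n")
```

After the rewrite the interfaces sit in WAN1, WAN2, WAN3, LAN order and both rule references point at the new keys, which is the state the post reaches by hand before resaving the affected pages.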

6
16.7 Legacy Series / Firewall rule logic
« on: August 10, 2016, 12:26:24 pm »
Been messing with firewall rules and some things don't quite make sense.

If I create a Port Forward in the NAT section, it appears in the Firewall Rules section but cannot be edited from there. Is there any point, assuming that any rules created in NAT are just firewall rules, period? Or is there some difference somewhere that I have missed?

Wouldn't it just be simpler for me to create a Firewall rule and not bother using the Port Forward section or does a NAT rule do something different?

Under Port Forward rules you have 'Destination' and 'Redirect Target IP'. It isn't apparent what the difference is (there is no help text for 'Destination'). I presume that for a simple rule the Destination should just be the WAN address?

It's probably all good if you know the system, but coming at it fairly blind it isn't that obvious!

B. Rgds
John

7
Development and Code Review / [SOLVED] How to add mc?
« on: August 09, 2016, 12:36:02 pm »
One of my fave little packages for rooting about places is mc - midnight commander.

Any ideas/suggestions on how to install/add it as a package?

B. Rgds
John

8
16.7 Legacy Series / [SOLVED] sshd missing?
« on: August 09, 2016, 12:23:32 pm »
Managed to get my box installed and updated to 16.7.

I was looking for sshd to be able to shell in but can't see anything anywhere. Am I missing something?

B. Rgds
John

9
16.7 Legacy Series / Install error 19 with virtual disk
« on: July 14, 2016, 05:55:56 pm »
Back to playing again.

I am trying to install this on a SuperMicro 1U Atom machine with the install pointed to a virtual disk on the network.

This used to work fine on the 15.x series but 16.7 fails.

I can see that there are a lot of issues with this with FreeBSD online.

I've added a few screenshots for reference. Looks like the Virtual CD is assigned cd0 but when I try:

cd9660:/dev/cd0

I get error 19.

I have tried various permutations without success. Yes, I can probably install from a USB but for various reasons this is not always practical and I would much prefer over-the-network installs.

Any advice appreciated.

B. Rgds
John

10
15.7 Legacy Series / VPN ipsec trunk
« on: October 18, 2015, 04:48:47 pm »
A feature I miss badly from my Draytek 3300s is VPN trunking over ipsec which gives automatic failover across my WAN links.

Is this possible in Opnsense?

B. Rgds
John

11
Development and Code Review / [SOLVED] Building other tools
« on: May 17, 2015, 05:40:40 pm »
Can someone give me some tips on building other tools from the git repo?

I am used to using mc for navigating around a file system and editing odd files.

I can see it is in the git repo https://github.com/opnsense/ports/tree/master/misc/mc but it doesn't seem there is a built package, so I wondered how one goes about building it from source?

Any help appreciated.

B. Rgds
John

12
15.1 Legacy Series / [SOLVED] DNS not working
« on: May 15, 2015, 10:30:54 pm »
Hmmm..... a bit of a head-scratch going on here with a DNS failure.

I have a static IP for my LAN connection on 192.168.10.251.

WAN1 is a DHCP connection.

The first time I set up the box DNS resolved and I applied the updates.

I decided to use the OpenDNS server addresses and added them under System Settings general (it seems you can only add one DNS server in the box per WAN connection, which is a bit odd).

root@OPNsense:~ # cat /etc/resolv.conf
domain mydomain.net
nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.220.220

I enabled DNS Forwarder and left all the settings at default with Interfaces set to 'all'.

If I try and ping a domain name from the command line I get:

root@OPNsense:~ # ping www.demon.net
ping: cannot resolve www.demon.net: Host name lookup failure

If I ping by IP it works, so it seems to be a resolution failure:

root@OPNsense:~ # ping 162.13.61.33
PING 162.13.61.33 (162.13.61.33): 56 data bytes
64 bytes from 162.13.61.33: icmp_seq=0 ttl=51 time=42.691 ms
64 bytes from 162.13.61.33: icmp_seq=1 ttl=51 time=53.306 ms

Any ideas on what I have messed up?

B. Rgds
John

13
15.1 Legacy Series / [SOLVED] DMZ setup
« on: May 14, 2015, 06:14:29 pm »
Hi,

I have been testing Opnsense to replace a couple of Draytek 3300 WAN routers. I do like the system after I got used to things :-)

One thing I cannot see an easy answer for is how to set up a simple DMZ for my server. In the Draytek it is very easy - NAT / DMZ host and add an IP address, but I can't see an 'easy' setting for it in Opnsense - I checked the Wiki and had a search around but couldn't see any answers.

The server itself is viewable both internally from the LAN and externally from the WAN. Maybe I should harden that up a bit and just do port forwarding for the required ports?

Anyone able to give me some advice please?

B. Rgds
John
