Topics - KoS

#1
22.7 Legacy Series / Pagekite on OPNsense
August 17, 2022, 12:20:35 PM
Is somebody using the pagekite client on OPNsense? I will be looking soon into running it on my OPNsense boxes and thought I'd ask if somebody already has some experience with it on OPNsense.
-> https://pagekite.net/
#2
Hi

Summary of my setup and the problem that I am facing with NAT reflection:
igb2      : WAN
igb1      : multiple VLANs
igb1_vlan2: VLAN 2
igb1_vlan3: VLAN 3 -> used in bridge0
igb1_vlan4: VLAN 4
igb0      : no VLANs
bridge0   : igb0, igb1_vlan3


I have a HTTPS server sitting behind the bridge0 and have a NAT port forward rule:
Interface: WAN
Destination port range: HTTPS
Redirect target IP: 192.168.232.100 (IP on igb1_vlan2)
NAT reflection: Use system default


Firewall: Settings: Advanced: Network Address Translation
Reflection for port forwards: enabled
Reflection for 1:1: enabled
Automatic outbound NAT for Reflection: enabled


The NAT rule works fine from WAN side. But NOT from the internal network on bridge0, it gets blocked:
action: block
dir: in
dst: 192.168.232.100
dstport: 443
interface: bridge0
label: default deny / state violation rule


If I add manually a firewall rule on the bridge0 interface to allow the traffic, it works:
action: pass
interface: bridge0
direction: in
destination: 192.168.232.100
destination port range: 443


I would expect OPNsense to create that rule automatically based on the NAT reflection? Could it be a problem with the bridge+VLAN interface?

Thanks for any hint in the right direction
KoS
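An added example, not part of KoS's post and not the ruleset OPNsense itself generates: a shell function that prints hand-written pf rules equivalent to a reflected TCP port forward, using the interface names and target from the post (the inside network 192.168.1.0/24 is an assumption). It shows the point the post ran into: pf applies rdr before the filter, so the pass rule on the inside interface has to match the translated destination (192.168.232.100 port 443), not the WAN address the client typed. The outbound NAT for reflection goes on the interface facing the server (fourth argument), which is the same interface as the clients' when they share a segment.

```shell
#!/bin/sh
# Added example: generate the pf rules that a reflected TCP port forward needs.
# Not OPNsense's generated ruleset; a hand-written equivalent for comparison.
#
# Arguments: WAN interface, interface the inside clients arrive on, their
# network, interface facing the forwarded server, server IP, TCP port.
reflection_rules() {
    wan=$1 clientif=$2 clientnet=$3 srvif=$4 target=$5 port=$6
    cat <<EOF
# 1. the ordinary port forward for traffic arriving on WAN
rdr on $wan inet proto tcp from any to ($wan) port $port -> $target port $port
# 2. reflection: inside clients that connect to the WAN address get the same rewrite
rdr on $clientif inet proto tcp from $clientnet to ($wan) port $port -> $target port $port
# 3. outbound NAT for reflection: source-NAT reflected flows to the firewall's own
#    address on the server-facing interface, so the server replies through the
#    firewall (where pf un-translates them) instead of straight to a client on the
#    same segment, which would answer from an address the client never contacted
nat on $srvif inet proto tcp from $clientnet to $target port $port -> ($srvif)
# 4. filter rules: rdr has already run, so the destination is the server, not the
#    WAN address; a pass rule written against the WAN address never matches
pass in quick on $wan inet proto tcp from any to $target port $port flags S/SA keep state
pass in quick on $clientif inet proto tcp from $clientnet to $target port $port flags S/SA keep state
EOF
}

# Count the rules (non-comment lines) read on stdin; a quick sanity check.
rule_count() {
    grep -c -v '^#'
}

# Usage (values from the post; 192.168.1.0/24 is an assumed inside network).
# Syntax-check the output without loading it:
#   reflection_rules igb2 bridge0 192.168.1.0/24 bridge0 192.168.232.100 443 | pfctl -nf -
```

To compare with what the box actually runs, `pfctl -sn` lists the loaded translation (nat/rdr) rules and `pfctl -sr` the filter rules; the filter side is where a missing pass rule against the translated destination shows up.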
#3
Hi

I have an Alix APU with 3 ports.

  • One port is for WAN
  • One port is connected to a Switch where I have multiple VLANs, but where I can also have untagged traffic on it.
  • One port should be bridged into one of the VLANs

To make the setup more flexible, I have bridged all VLANs and am assigning IP addresses only to the bridge interfaces.

So the current configuration looks like this:
igb0
igb1 -> LAN
igb1_untag
igb1_vlan2
igb1_vlan3
igb1_vlan4
igb1_vlan5
igb1_vlan6
igb2 -> WAN

bridge0 = OpenVPN_Server_1, igb0, igb1_vlan3
bridge1 = igb1_vlan4
bridge2 = igb1_vlan2
bridge3 = igb1_vlan5
bridge4 = igb1_vlan6
bridge5 = OpenVPN_Server_2, igb1_untag


I have a DHCP server on each of the bridge interfaces. If I connect a device at the switch on a port of e.g. VLAN2, I can successfully receive an IP address via DHCP. But I can neither ping the router, nor do I see any traffic coming in on that bridge interface (tcpdump). Neither can I get any traffic out from the router on that bridge. I have checked the firewall rules, but as I don't even see that the packets would get blocked, it seems the problem must be somewhere else. Is my setup with the bridge & VLANs wrong? Shall I do it somehow else to get to my desired result? Any idea where I shall start debugging?

If I connect a device on an "untagged" port of the switch, I end up successfully on bridge5 and can access the router & the internet.

FYI, the OpenVPN_Server_1 and 2 are in TAP mode, as I need to have the full traffic (including broadcast) via the VPN.
#4
I have two USB sticks: one with the installer, and one with a configuration backup (GPT, FAT32, /conf/config.xml).

I can successfully boot up the installer from the 1st USB stick on an alix apu2 board. Unfortunately the 2nd stick doesn't show up, neither in the opnsense-importer nor if I check manually with geom disk list or camcontrol devlist.

When I connect the 2nd stick, it shows me in the terminal that an USB device got attached:
ugen0.3: <SanDisk Ultra USB 3.0> at usbus0
umass1 on uhub1
umass1: <SanDisk Ultra USB 3.0, class 0/0, rev 3.00/1.00, addr 2> on usbus0
umass1:  SCSI over Bulk-Only; quirks = 0xc100
umass1:3:1: Attached to scbus3


Any idea what I am doing wrong? I suppose at that "level" (geom disk list) it does NOT depend on whether it is MBR/GPT and what kind of filesystem.

(FYI, the installed SSD and the installer USB stick show up as devices ada0 and da0)
#5
As the GeoIP from MaxMind needs registration, the IPFire team has built their own location database, called IPFire Location. Maybe that could be of use for OPNsense too, as some kind of collaborative approach?
--> https://blog.ipfire.org/post/a-new-location-database-for-the-internet
Not sure about the internals of the IPFire location approach and if/how it could be integrated into OPNsense.
#6
20.7 Legacy Series / Which CRON jobs are needed?
August 25, 2020, 11:17:25 AM
I see that there are many cron jobs available in the configuration and was wondering which of them I need to add/activate.

E.g. there is an "update and reload firewall aliases" cron job available. I have configured some URL Table (IPs) firewall aliases and have set a refresh frequency. As far as I can see from the log files of my web server where the aliases are being downloaded, they are being downloaded in regular intervals, even without having an "update and reload firewall aliases" cron job added to the cron job list.

How do I know which cron jobs I need to add and which are "somehow" being executed in the background anyway?

Thanks for clarification.
#7
20.7 Legacy Series / OpenVPN - custom client-connect
August 17, 2020, 11:46:46 PM
Dear All

I am migrating my routers (alix boxes running voyage linux) to OPNsense. I have custom client-connect and client-disconnect scripts for my OpenVPN servers. Is there a way to configure them on OPNsense too? I have found the following two threads, which are unanswered:
https://forum.opnsense.org/index.php?topic=16298.msg74458#msg74458
https://forum.opnsense.org/index.php?topic=16296.msg74453#msg74453

I have not dug into the configuration files that are being created, but I assume that the two commands are really already occupied and I could not override them via the Advanced config option (which seems to be deprecated anyway)? Should I manually create the config files on the system itself, or what is the best approach for such a custom OpenVPN server?

Kind regards
KoS
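An added example, not part of KoS's post and not the way OPNsense wires its own hooks: a POSIX sh client-connect / client-disconnect script of the kind the post asks about. OpenVPN invokes such a script with the client's details in environment variables (common_name, trusted_ip, ifconfig_pool_remote_ip, script_type) and, for client-connect, with the path of a temporary file as $1 whose contents are applied as per-client configuration; a non-zero exit rejects the client even though its certificate verified. The allow-list, the admin list, the log file location and the pushed route are assumptions made for this example.

```shell
#!/bin/sh
# Added example: an OpenVPN client-connect / client-disconnect hook in POSIX sh.
# OpenVPN supplies common_name, trusted_ip, ifconfig_pool_remote_ip and
# script_type in the environment; for client-connect, $1 is a temporary file
# whose contents are applied as per-client configuration.  Exit 0 admits the
# client, any other status rejects it.
# ALLOWED_CNS, ADMIN_CNS, LOGFILE and the pushed route are assumptions made
# for this example, not OpenVPN options.

ALLOWED_CNS="${ALLOWED_CNS:-alice bob}"   # certificate CNs that may connect
ADMIN_CNS="${ADMIN_CNS:-alice}"           # CNs that additionally get the admin route
LOGFILE="${LOGFILE:-/var/log/openvpn-hooks.log}"

# cn_in_list LIST CN: 0 if CN is one of the space-separated names in LIST.
# Exact match only, so "alice2" or "alice.example" does not pass as "alice".
cn_in_list() {
    for cn in $1; do
        [ "$cn" = "$2" ] && return 0
    done
    return 1
}

# log_event EVENT: one line per connect/reject/disconnect, built from the
# environment OpenVPN hands the script.
log_event() {
    printf '%s event=%s cn=%s remote=%s tun=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" \
        "${common_name:-?}" "${trusted_ip:-?}" "${ifconfig_pool_remote_ip:-?}" \
        >> "$LOGFILE"
}

# client_connect CONFIGFILE: enforce the allow-list, then write per-client
# directives for admins.  Returning 1 makes OpenVPN drop the client.
client_connect() {
    if ! cn_in_list "$ALLOWED_CNS" "${common_name:-}"; then
        log_event reject
        return 1
    fi
    if cn_in_list "$ADMIN_CNS" "${common_name:-}" && [ -n "${1:-}" ]; then
        # assumed management network, pushed only to admin CNs
        printf 'push "route 192.168.99.0 255.255.255.0"\n' >> "$1"
    fi
    log_event connect
    return 0
}

# Dispatch on the hook OpenVPN is running; does nothing when run by hand.
case "${script_type:-}" in
    client-connect)    client_connect "${1:-}" ;;
    client-disconnect) log_event disconnect ;;
esac
```

To use it, the server config needs `script-security 2` plus `client-connect /path/to/hook.sh` and `client-disconnect /path/to/hook.sh`; the same file serves both because it dispatches on script_type. Keep the script root-owned and not group/world writable, since OpenVPN runs it with the daemon's privileges for every connecting client.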
#8
I have upgraded a box via the GUI to 20.7.1 (from 20.7). The upgrade seems to finish fine (see upgrade.png), but when I reboot the device I get a "not a bootable disk" error (see unbootable.png).

Any idea what could have gone wrong? FYI: The device is using ZFS (installed via FreeBSD 12.1 plain installation + opnsense-bootstrap) and it is an APU board. I didn't expect the upgrade to touch the boot code in any way. FYI: the upgrade from 20.1 to 20.7 failed the same way, but I had thought that was some other issue and reinstalled it from scratch. (Just the ZFS install is a bit of a pain, as it takes extra steps to first install FreeBSD and then the bootstrap... all via serial console).

greets
KoS
#9
20.1 Legacy Series / Mass deploy OPNsense
May 02, 2020, 04:39:38 PM
Hi

I have been using voyage linux (read-only debian-based system) for deploying many firewalls in the past. To make that process easier and repeatable, I have customized the system the way I needed it and then created an image that I could re-deploy. I had a simple script that writes the image to a new disk and customizes e.g. the hostname.

Is there a similar process that I could use for OPNsense? FYI, I will deploy it always to the same storage (type & size) and use it on the same hardware (APU boards). How are you doing this? Has somebody written a script for that?

Kind regards
KoS
#10
Hi

When I restore a configuration to a "vanilla" OPNsense box, what is the best way to install any missing packages?

I see that a feature for this is in progress (https://forum.opnsense.org/index.php?topic=10068.15 and https://github.com/opnsense/core/issues/1663) but this seems to be planned for the future 20.7 release.

Kind regards
KoS