Topics - JRC

#1
The client is not able to finish the handshake and I cannot work out why.

I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I have double and triple checked my settings and they match these settings, but I am unable to connect from any client; I am getting errors about the handshake not completing.

At this point I am at a loss as to what to do to get this working. I am not entirely sure what I need to post here to help work this out.

The interface I created in step 4(a) is called "Wireguard"

Outbound NAT Rule:
WAN Wireguard net * * * Interface address * NO Wireguard NAT Rule


WAN Rule:
  IPv4 UDP * * WAN address 51820 * * Open Wireguard Port

WireGuard Interface FW Rule:
    IPv4 * Wireguard net * * * * * Allow Traffic from Wireguard Clients

Normalization Rule:
WireGuard (Group), Wireguard any any Wireguard MSS Clamping IPv4

OPNsense 24.1.4


Any suggestions?


Also, some notes in the documentation:

  • The numbering referenced in the article is wrong. When the instructions reference step 5(a) they actually mean 4(a) (I think); this made parsing it pretty difficult.
  • It would be nice if there were some more information about the keys and how to use them and/or how they relate to each other. Step 2 just tells you to insert a public key, and to go to step 7 (doesn't exist) in order to get info on how to generate said key.
  • Step 5a tells you to use the interface Wireguard (Group) instead of the interface you created in step 4(a). Is this correct? (I tried both, but things still don't work)
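Added example, not from the post or from the OPNsense documentation: the most common reason a WireGuard handshake never completes is that the public key in a peer entry does not belong to the private key on the other side (the two ends swapped, or the server's own public key pasted into the client's peer entry). Keys are just base64 X25519 material, so this can be checked offline. The code below reimplements what `wg pubkey` does (RFC 7748 X25519 in pure Python, so it runs anywhere without wireguard-tools); the keys in it are the RFC 7748 test vectors, not real keys from any OPNsense box.

```python
import base64

# Curve25519 constants from RFC 7748: the field prime and (A - 2) / 4.
_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def _clamp(sk: bytes) -> int:
    """Scalar clamping; `wg genkey` produces private keys already clamped this way."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (constant structure, pure Python)."""
    if len(scalar) != 32 or len(point) != 32:
        raise ValueError("X25519 keys are exactly 32 bytes")
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * ((da - cb) ** 2 % _P) % _P
        x2 = aa * bb % _P
        z2 = e * ((aa + _A24 * e) % _P) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def wg_pubkey(private_b64: str) -> str:
    """Same derivation as `wg pubkey`: public = X25519(private, 9)."""
    return b64(x25519(base64.b64decode(private_b64), _BASEPOINT))


def peer_key_matches(private_b64: str, registered_pub_b64: str) -> bool:
    """Does the public key pasted into a peer entry belong to this private key?"""
    return wg_pubkey(private_b64) == registered_pub_b64


def wg_shared_secret(my_private_b64: str, peer_pub_b64: str) -> str:
    """Static-static DH that both ends compute during the Noise handshake; it only
    agrees when each side holds the other's correct public key."""
    return b64(x25519(base64.b64decode(my_private_b64), base64.b64decode(peer_pub_b64)))


# Constructed sample material: RFC 7748 section 6.1 test vectors, base64-encoded the way
# WireGuard configs carry them. Not real keys.
SERVER_PRIVATE = b64(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"))
SERVER_PUBLIC = b64(bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"))
CLIENT_PRIVATE = b64(bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"))
CLIENT_PUBLIC = b64(bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"))

if __name__ == "__main__":
    print("client key in server's peer entry is right:", peer_key_matches(CLIENT_PRIVATE, CLIENT_PUBLIC))
    # The classic mistake: the server's own public key pasted into the client peer entry.
    print("server pubkey pasted as client peer       :", peer_key_matches(CLIENT_PRIVATE, SERVER_PUBLIC))
    print("both ends agree on the static DH          :",
          wg_shared_secret(CLIENT_PRIVATE, SERVER_PUBLIC) == wg_shared_secret(SERVER_PRIVATE, CLIENT_PUBLIC))
```

Run `wg_pubkey()` on the `PrivateKey` from the client's [Interface] section and compare it with the public key in the OPNsense peer entry; do the same for the instance's private key against the `PublicKey` in the client's [Peer] section. If both match, move to the box itself: `wg show` (an empty "latest handshake" for the peer means no valid initiation was ever accepted) and `tcpdump -ni <wan> udp port 51820` to confirm the client's packets reach the WAN at all; if they arrive and the box answers, the client's `AllowedIPs` and endpoint are the remaining suspects rather than the firewall rules listed above.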
#2
It was working, then it stopped working. No changes were made on the OPNsense box; the only thing that changed was the possible expiration of the self-signed cert used for the WebUI, but I would expect that to give me a security error and not a timeout. I get the same timeout when I try non-SSL traffic, but I believe that is to be expected.

As near as I can tell Lighttpd is running:


cat /var/log/lighttpd.log
Dec 21 18:24:06 OPNsense lighttpd[57191]: (server.c.2057) server stopped by UID = 0 PID = 64556
Dec 21 18:24:06 OPNsense lighttpd[44915]: (server.c.1551) server started (lighttpd/1.4.61)
Dec 21 18:34:33 OPNsense lighttpd[14335]: (server.c.1551) server started (lighttpd/1.4.61)
Dec 23 20:45:36 OPNsense lighttpd[14335]: (server.c.2057) server stopped by UID = 0 PID = 8414
Dec 23 20:45:36 OPNsense lighttpd[2156]: (server.c.1551) server started (lighttpd/1.4.61)
Feb 22 16:19:44 OPNsense lighttpd[8847]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:21:31 OPNsense lighttpd[8847]: (server.c.2057) server stopped by UID = 0 PID = 24361
May 12 20:21:31 OPNsense lighttpd[30999]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:33:02 OPNsense lighttpd[30999]: (server.c.2057) server stopped by UID = 0 PID = 1781
May 12 20:33:02 OPNsense lighttpd[14785]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:40:55 OPNsense lighttpd[14785]: (server.c.2057) server stopped by UID = 0 PID = 31149
May 12 20:40:55 OPNsense lighttpd[40665]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:55:12 OPNsense lighttpd[60294]: (server.c.2057) server stopped by UID = 0 PID = 96360
May 12 20:55:12 OPNsense lighttpd[8095]: (server.c.1551) server started (lighttpd/1.4.63)
May 12 21:02:27 OPNsense lighttpd[75562]: (server.c.1551) server started (lighttpd/1.4.63)



ps aux | grep light
root          75562    0.0  0.0   17684    6824  -  S    21:02    0:00.01 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
root          15614    0.0  0.0 1060888    3116  0  R+   21:07    0:00.00 grep light


I tried restarting lighttpd
configctl webgui restart

and when that did not work I ran:
configctl webgui restart renew

curl also times out, from the local CLI on the OPNsense box as well:



*** OPNsense.domain.tld: OPNsense 21.7.8 (amd64/OpenSSL) ***

LAN (lagg0)     -> v4: <lan_ip>/24
WAN (bce3)      -> v4/DHCP4: <public_ip>/23


curl https://<lan_ip>

curl: (28) Failed to connect to 192.168.2.1 port 443 after 75018 ms: Operation timed out


Not sure where to go from here. So any help would be greatly appreciated.

I am running 21.7.8, and plan to go to 22 as soon as I can get this fixed. Oh, and I can SSH in just fine, from a machine that has a firewall rule that allows all traffic to get to the OPNsense box itself (again, this was all working not too long ago, before the cert expired).
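Added example, not part of the thread: `curl: (28) ... Operation timed out` is a TCP connect timeout, meaning the SYN to port 443 was never answered. An expired or otherwise bad certificate cannot produce that symptom: the TCP handshake completes first and only the TLS handshake then fails, which curl reports as a certificate error (exit code 60), not a timeout. The probe below keeps those layers apart so the classification is explicit. The local listeners it starts are constructed stand-ins for a GUI that accepts but never speaks TLS and for one that drops the connection; nothing here is OPNsense's own code.

```python
import socket
import ssl
import threading
import time


def probe_https(host: str, port: int, timeout: float = 3.0, verify: bool = True) -> str:
    """Classify why an HTTPS endpoint is unusable, keeping TCP and TLS apart.
      tcp_timeout       SYN never answered: a filter drops it or nothing reachable listens
      tcp_refused       host reachable, nothing listening on the port
      tcp_error         other socket error (no route, name resolution, ...)
      tls_cert_invalid  TCP fine, certificate rejected (expired, wrong name, untrusted)
      tls_timeout       TCP fine, the server never completed the TLS handshake
      tls_error         TCP fine, handshake failed or the connection was dropped
      ok                TLS session established
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError:
        return "tcp_error"
    ctx = ssl.create_default_context()
    if not verify:  # self-signed GUI certificate: still classify, just do not fail on trust
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False) as tls:
            tls.do_handshake()
            return "ok"
    except ssl.SSLCertVerificationError:
        return "tls_cert_invalid"
    except socket.timeout:
        return "tls_timeout"
    except (ssl.SSLError, ConnectionError):
        return "tls_error"


def start_listener(behaviour: str) -> int:
    """Constructed local stand-in for a broken web GUI; returns its port.
    'silent': accepts the TCP connection and never sends a byte, so TLS stalls.
    'drop':   accepts and closes immediately."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            if behaviour == "silent":
                time.sleep(10)  # hold the socket open without ever sending a ServerHello
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A port on which nothing listens, for the refused case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("closed port     :", probe_https("127.0.0.1", free_port(), timeout=1.0))
    print("silent listener :", probe_https("127.0.0.1", start_listener("silent"), timeout=1.0))
    print("dropping server :", probe_https("127.0.0.1", start_listener("drop"), timeout=1.0))
```

On the box, a `tcp_timeout` against 127.0.0.1 or the LAN address points at pf or the listener, not the certificate: `sockstat -4l | grep lighttpd` shows whether lighttpd is actually bound to port 443 on that address, and `pfctl -sr | grep -E '443|https'` whether a rule still covers it. `tcp_refused` means the port is reachable but nothing is listening (a lighttpd that logged "started" and then exited, or one bound to another port); `tls_cert_invalid` is the expired-certificate case, and `verify=False` exists only so a self-signed GUI cert still gets classified instead of failing on trust.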
#3
Zenarmor (Sensei) / Time base policy
December 04, 2021, 02:27:21 AM
I am trying to create a policy that restricts certain things during specific hours. Essentially disable certain sites and categories during homework time.

Here is how I have it set to block midnight to 4pm on Fridays and midnight to 6pm Su - Th and not enforced on Saturdays (see the attached image). There are a few blacklisted sites in this policy.

Well, it is currently 5:14pm on Friday and yet this policy is in effect, and the real-time log clearly shows that the site is being blocked by the policy that should not be enforced. If I disable the policy the blocking stops. So it is as if Zenarmor is simply ignoring my schedule for some reason.

Here is the log:

Block status Time Source hostname Source port Destination hostname Destination port Block message Interface VLAN Policy
Blocked 12/3/2021 17:22 <int IP> 53570 gateway.discord.gg 443 Blacklisted site access <kids_vlan> 0 Timed Blocking


discord.gg (not set as universal) is on the black list in the policy I call "Timed Blocking" which has the schedule setup as per the image attached. It's notable that the web and app controls are also enforced by this policy outside of the set schedule.

What is it that I am doing wrong here?

EDIT: I confirmed that my OPNsense is set to the correct timezone, and confirmed that the local time on the box is correct.
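Added example, not from the post or from Zenarmor: the schedule described above is a set of per-weekday windows, and the first thing to pin down when such a window misfires is which clock it is being compared against. The evaluator below refuses naive timestamps and shows the same instant judged on the box's local clock and on UTC. The schedule and the UTC-8 offset are constructed to mirror the post; this illustrates the pitfall and says nothing about how Zenarmor actually implements its schedules.

```python
from datetime import datetime, time, timezone

# Constructed schedule mirroring the post: Fri 00:00-16:00, Sun-Thu 00:00-18:00,
# nothing on Saturday. Keys use datetime.weekday(): Monday=0 ... Sunday=6.
HOMEWORK_SCHEDULE = {
    6: (time(0, 0), time(18, 0)),  # Sunday
    0: (time(0, 0), time(18, 0)),  # Monday
    1: (time(0, 0), time(18, 0)),  # Tuesday
    2: (time(0, 0), time(18, 0)),  # Wednesday
    3: (time(0, 0), time(18, 0)),  # Thursday
    4: (time(0, 0), time(16, 0)),  # Friday
    # 5 = Saturday: no window, never enforced
}


def is_enforced(schedule, when: datetime) -> bool:
    """True if the policy window is active at `when` (an aware datetime)."""
    if when.tzinfo is None:
        raise ValueError("need an aware datetime: a schedule means nothing without a clock")
    window = schedule.get(when.weekday())
    if window is None:
        return False
    start, end = window
    return start <= when.time() < end


def enforced_at(iso_timestamp: str, evaluate_in_utc: bool = False, schedule=HOMEWORK_SCHEDULE) -> bool:
    """Evaluate one instant, given as ISO 8601 with its UTC offset (the box's local
    time, e.g. "2021-12-03T17:22:00-08:00"). With evaluate_in_utc the same instant is
    first converted to UTC, which is what an engine that ignores the configured
    timezone would effectively be doing."""
    when = datetime.fromisoformat(iso_timestamp)
    if evaluate_in_utc:
        when = when.astimezone(timezone.utc)
    return is_enforced(schedule, when)


if __name__ == "__main__":
    # Assumed box timezone for the demo: UTC-8.
    for stamp, label in [("2021-12-03T17:22:00-08:00", "Fri 17:22 local (the log line)"),
                         ("2021-12-02T19:00:00-08:00", "Thu 19:00 local")]:
        print(f"{label:31s} local clock: {enforced_at(stamp)!s:5}  UTC clock: {enforced_at(stamp, True)}")
```

The second demo line is the interesting one: Thursday 19:00 local is outside the window on the local clock but inside Friday's window on UTC, so an engine that silently evaluates against UTC blocks during exactly the hours the user expects to be free. A log line whose timestamp and block decision disagree with the configured window, as in the post, is the signal to look for.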

#4
So I went to install a plugin on my OPNsense box, and got an error that I did not have enough free space, that I had -4GB free.

The df command returns:

:/ % df -h
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufs/OPNsense               50G     50G   -4.0G   109%    /
devfs                          1.0K    1.0K      0B   100%    /dev
tmpfs                          8.2G    564K    8.2G     0%    /tmp
devfs                          1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                          1.0K    1.0K      0B   100%    /var/unbound/dev


So I am using more than 100% of the drive??

How do I clean this up?
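Added example, not from the thread: UFS keeps a reserve (8% by default, see `tunefs -m`) that only root may write into, which is why `df` can report a negative Avail and a Capacity above 100% once root-owned daemons have eaten into it. Finding what to delete is a `du -x` question: walk the root filesystem without crossing into /dev, /tmp and the other mounts, and rank directories. The Python below does that and builds a constructed temporary tree so it runs anywhere; the file names and sizes in it are an assumed layout, not a claim about what is large on this box.

```python
import os
import tempfile
from typing import Dict, List, Tuple


def dir_sizes(root: str, same_fs: bool = True) -> Dict[str, int]:
    """Cumulative apparent size of every directory under root, like `du -x`:
    symlinks are not followed and, with same_fs, mount points are not crossed,
    so /dev, /tmp (tmpfs) and other filesystems are not charged to /."""
    root = os.path.abspath(root)
    root_dev = os.lstat(root).st_dev
    totals: Dict[str, int] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if same_fs:
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        size = 0
        for name in filenames:
            try:
                size += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # removed or unreadable while we were walking
        # charge these files to this directory and to every ancestor up to root
        path = dirpath
        while True:
            totals[path] = totals.get(path, 0) + size
            if path == root:
                break
            path = os.path.dirname(path)
    return totals


def largest(root: str, n: int = 10) -> List[Tuple[str, int]]:
    """The `du -x | sort -n | tail` view: top-n directories, biggest first."""
    return sorted(dir_sizes(root).items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_tree() -> str:
    """Constructed stand-in for a root filesystem in a temp dir. Layout and sizes
    are invented for the demo; they are not what is large on a real box."""
    base = tempfile.mkdtemp(prefix="dfdemo-")
    layout = {"var/log/flowd.log": 300_000, "var/log/system.log": 50_000,
              "var/db/pkg.db": 20_000, "etc/config.xml": 1_000}
    for rel, size in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return base


def demo() -> List[Tuple[str, int]]:
    """Rank the sample tree; paths are reported relative to its root."""
    root = build_sample_tree()
    return [(os.path.relpath(path, root), size) for path, size in largest(root, 5)]


if __name__ == "__main__":
    for rel, size in demo():
        print(f"{size:>10}  {rel}")
```

On the real box the one-liner equivalent is `du -xh -d 2 / | sort -h | tail -20`. On OPNsense the usual culprits are /var/log (including the netflow collector's flowd.log) and the reporting databases under /var/netflow; trimming them through the GUI (log rotation settings, the netflow reset under Reporting) is safer than `rm`, since the services expect those files to exist.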
#5
20.7 Legacy Series / How to Migrate to new hardware?
December 28, 2020, 03:07:33 AM
Hello everyone,

I am sure there is an easy answer to this, but I wanted to ask to make sure. I want to move my OPNsense install from one machine to another (an Intel based server, to a Dell R610) and I was wondering what the best way to migrate the settings over would be, as the network cards would be different.

Currently I have a pair of NICs in a LAG for my LAN side of things and a single NIC for the internet side. I have several VLANs setup on the LAN side as well. The R610 has 4 NICs and I would like to have a similar setup there as well (though I may add the unused NIC to the LAGG and make it have 3 members, not sure yet).

So am I right in guessing that I need to:

1. Install OPNsense on the R610
2. Back up the config from the Intel Server
3. Restore it to the R610
4. Do something with the network setup?

Or do I need to do the network interface setup, then restore the config?

Thanks in advance for the help!
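Added example, not the project's own tooling: the config backup is XML, and the only place hardware identity lives in it is the device names (`em0`, `bce3`, ...) that interfaces, LAGG members and VLAN parents refer to. Everything else (rules, aliases, VLAN tags, DHCP scopes) hangs off logical names such as `lan`, `opt1` or `lagg0` and survives a hardware change untouched. So the migration can be done as "install, rename the devices in the backup, restore". The script below does the rename and lists which devices a config still needs, so you can compare against `ifconfig -l` on the R610 before restoring. The sample config and the `em*` to `bce*` mapping are constructed, and the element names follow the config.xml layout I am assuming (`<if>`, `<members>`, `<laggif>`, `<vlanif>`); check them against your own backup.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed backup in the config.xml layout this script assumes: interfaces refer to
# devices via <if>, a LAGG lists its NICs in <members> and names itself in <laggif>,
# a VLAN names its parent in <if> and its own device in <vlanif>.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>em2</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><if>lagg0</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>lagg0_vlan10</if><descr>IOT</descr></opt1>
    <opt2><if>em2_vlan201</if><descr>ISP_VLAN</descr></opt2>
  </interfaces>
  <laggs>
    <lagg><members>em0,em1</members><laggif>lagg0</laggif><proto>lacp</proto></lagg>
  </laggs>
  <vlans>
    <vlan><if>lagg0</if><tag>10</tag><vlanif>lagg0_vlan10</vlanif></vlan>
    <vlan><if>em2</if><tag>201</tag><vlanif>em2_vlan201</vlanif></vlan>
  </vlans>
</opnsense>
"""

# Old box to R610, as an assumed mapping (verify with `ifconfig -l` on the new box).
R610_MAP = {"em0": "bce0", "em1": "bce1", "em2": "bce3"}


def device_names(config_xml: str) -> List[str]:
    """Physical device names the config depends on. Names the config itself creates
    (LAGG and VLAN devices) are excluded."""
    root = ET.fromstring(config_xml)
    logical = {e.text for e in root.iter() if e.tag in ("laggif", "vlanif") and e.text}
    names = set()
    for e in root.iter():
        if e.tag == "if" and e.text:
            names.add(e.text)
        elif e.tag == "members" and e.text:
            names.update(m.strip() for m in e.text.split(","))
    return sorted(names - logical)


def missing_devices(config_xml: str, present: Iterable[str]) -> List[str]:
    """Devices the config needs that the new hardware does not have."""
    present = set(present)
    return [n for n in device_names(config_xml) if n not in present]


def remap_interfaces(config_xml: str, nic_map: Dict[str, str]) -> str:
    """Rename physical devices everywhere they appear. VLAN device names that embed
    the parent (em2_vlan201) are renamed along with it; logical names stay as they are."""
    root = ET.fromstring(config_xml)
    full = dict(nic_map)
    for vlan in root.iter("vlan"):
        parent, vlanif = vlan.findtext("if"), vlan.findtext("vlanif")
        if parent in nic_map and vlanif and vlanif.startswith(parent + "_vlan"):
            full[vlanif] = nic_map[parent] + vlanif[len(parent):]
    for e in root.iter():
        if e.tag in ("if", "vlanif") and e.text in full:
            e.text = full[e.text]
        elif e.tag == "members" and e.text:
            e.text = ",".join(full.get(m.strip(), m.strip()) for m in e.text.split(","))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    r610_nics = ["bce0", "bce1", "bce2", "bce3"]
    print("needed by backup :", device_names(SAMPLE_CONFIG))
    print("missing on R610  :", missing_devices(SAMPLE_CONFIG, r610_nics))
    migrated = remap_interfaces(SAMPLE_CONFIG, R610_MAP)
    print("missing after map:", missing_devices(migrated, r610_nics))
```

If you would rather not edit XML: restore the unmodified backup and, when the console reports interfaces it cannot find, use the console menu's interface assignment to point each logical interface at its new device; LAGG members then still have to be corrected in the GUI. Either way, take a backup of the R610's fresh install first, and note that `<vlanif>` names embedding the parent device (`em2_vlan201`) are renamed by the script while old-style `vlan0` names are left alone, because they carry no device name.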
#6
I am sure this is just my lack of understanding, but I seem to have this odd situation where OPNsense is ignoring an explicit allow rule, but if I toggle it to a deny rule, then it evaluates.

I have client 172.17.100.51 trying to talk to client 172.17.100.50. They are both on the same VLAN interface on OPNsense.

This traffic is being denied by the default deny rule, so I went in and created a first match explicit allow rule. Any type of traffic from 51 -> 50 is set to be allowed, the rule is enabled and set to log.

OPNsense appears to completely ignore this rule; it never shows up in the live view, and the default deny rule blocks the traffic.

Here is where it gets odd. If I change the rule from pass to block and jump back to the live view, the rule works, and I can see the traffic being blocked by that rule. Switch it back to allow, and once again the default deny rule kicks in and traffic is blocked.

I have other allow rules on other VLAN interfaces that do work, so I am baffled by this. Any ideas on what I am doing wrong?
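Added example, not from the thread: one mechanism that produces exactly this picture (a pass rule that never logs, a block rule in the same slot that does) is pf's state handling. A TCP pass rule is, by default, `flags S/SA`: it only matches the SYN that opens a connection, creates state from it, and every later packet of that connection is matched against the state table rather than the ruleset. If the firewall never sees the SYN (two hosts on the same VLAN normally talk through the switch, and only a fragment of the conversation leaks to the gateway), the mid-stream packets match no pass rule and fall through to the default deny. A block rule has no flags restriction and matches every packet, so it shows up immediately. The model below reproduces that with the two addresses from the post; it is an illustration of pf semantics, not a diagnosis of this particular setup.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flags on this packet: "S" = SYN, "A" = ACK, "PA" = PSH+ACK


@dataclass
class Rule:
    action: str          # "pass" or "block"
    descr: str
    src: str = "any"
    dst: str = "any"
    log: bool = True


@dataclass
class Filter:
    """Minimal model of pf's evaluation order on one interface."""
    rules: List[Rule]
    states: Set[Tuple[str, str]] = field(default_factory=set)
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (action, flags, rule descr)

    def evaluate(self, pkt: Packet) -> str:
        # 1. State table first. A packet that belongs to an existing state never
        #    touches the ruleset (and therefore never appears in the live view).
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return "pass"
        # 2. Ruleset, first match wins (OPNsense rules are "quick" by default).
        for rule in self.rules:
            if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
                continue
            # pf's default for a TCP pass rule is `flags S/SA`: only the SYN that opens
            # a connection can match it and create state. A block rule has no such
            # restriction and matches every packet.
            if rule.action == "pass" and pkt.flags != "S":
                continue
            if rule.action == "pass":
                self.states.add((pkt.src, pkt.dst))
            if rule.log:
                self.log.append((rule.action, pkt.flags, rule.descr))
            return rule.action
        raise AssertionError("ruleset must end with a catch-all block")


def run(first_rule_action: str, flags_seen: List[str]) -> List[Tuple[str, str, str]]:
    """Push one TCP conversation .51 -> .50 through a two-rule policy and return what
    the log would show. flags_seen is the sequence of packets the firewall actually
    receives from .51 (constructed)."""
    fw = Filter([
        Rule(first_rule_action, "Rule 51->50", src="172.17.100.51", dst="172.17.100.50"),
        Rule("block", "Default deny rule"),
    ])
    for flags in flags_seen:
        fw.evaluate(Packet("172.17.100.51", "172.17.100.50", flags))
    return fw.log


if __name__ == "__main__":
    print("pass rule, firewall sees the SYN :", run("pass", ["S", "A", "PA"]))
    print("pass rule, SYN never seen        :", run("pass", ["A", "PA"]))
    print("same rule flipped to block       :", run("block", ["A", "PA"]))
```

`pfctl -ss | grep 172.17.100.51` on the box tells you whether a state for the pair was ever created; if the default deny is logging ACK-only packets from .51 to .50 while no state exists, this is the case. Traffic between two hosts on one subnet should not reach OPNsense at all, so the fix is usually on the hosts (subnet mask, a stale host route, a bridge or VM network in the path) rather than in the ruleset; the rule-side workaround is the advanced rule options (TCP flags set to any, state type sloppy), which lift the SYN requirement.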
#7
General Discussion / opnSense and Nintendo switch
June 02, 2020, 02:48:29 AM
I have set up OPNsense and I am having a hell of a time getting the Switch to work reliably when connecting to other players (Animal Crossing is the game in question, don't really have any other online multiplayer games yet).

The switch is:

  • on its own VLAN
  • wired into the network
  • being handed its own static reserved IP from my DHCP/DNS server (not OPNsense)
  • verified that it has the correct IP assigned to it
  • connected to the internet just fine (it can update software and passes all the internet tests)
  • on a VLAN interface that has the correct firewall rules to allow all traffic from it to the WAN interface, but to block any traffic from it to my other VLANs.
  • told to forget all wireless networks, so the LAN connection is its only option for a connection.
  • set to connect automatically
  • set to use an MTU of 1500

I did an internet test and got a NAT score of D. So I did the research and discovered that I need to set the OPNsense box to a hybrid NAT setup, then create a rule for the switch with a static port (the settings of which are below). This took the score to a B. But I still cannot connect to other players. The game will connect to the internet, locate the other players, send me over to them and then just before I land it will tell me that there was an internet problem and disconnect.

So I did more research and discovered I can set up UPnP for that VLAN and that specific client, so I did that (settings used are below). Set that up to just work on the VLAN the switch is on, deny by default but allow ports 45000-65535 to be mapped to the switch IP. Rebooted the switch and tried again, still no luck (I also note that in the Status of the UPnP module no connection shows up).

I have no idea where to go from here. I am reasonably sure that the NAT rule is working and that this is not a firewall rule issue, though I am unsure if the UPnP rule is working or not (it shows no sessions in the Status section).

Please help me before I end up throwing my 11yo out the window of moving car as she won't stop complaining about this issue.

My NAT rule is as follows:

  • Disabled: Unchecked
  • Do Not NAT: Unchecked
  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: Any
  • Source Invert: Unchecked
  • Source Address: Nintendo switch (an alias to the switch's IP)
  • Source Port: Any
  • Destination Invert: Unchecked
  • Destination Address:Any
  • Destination Port: Any
  • Translation/Target: Interface Address
  • Log: Unchecked
  • Translation/port: Blank
  • Static port: Checked
  • Pool Options: Default

The remaining fields are all blank (Set Local Tag, Match Local Tag, No XMLRPC Sync and Description).

The UPnP settings are:


  • Enabled: Checked
  • Allow UPnP Port Mapping: Checked
  • Allow NAT-PMP Port Mapping: Checked
  • External Interface: WAN
  • Interfaces: Vlan of the switch
  • Max Down: Blank
  • Max Up: Blank
  • Override WAN Address: Blank
  • Log NAT-PMP: Checked (Where is this logged?)
  • Use System Time: Checked
  • Default Deny: Checked
  • Entry 1: allow 45000-65535 <switch IP> 45000-65525

Everything else is blank.

Physical layout is:

Internet ------- Netgear Cable Modem -------- opnSense (VLAN 197) -------- Cisco 3560x ---------- Switch

And if it is relevant, I am on Comcast, with their 1Gb/s internet service.
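Added example, not part of the post: the NAT score is essentially a measure of whether the outside world sees one consistent external port for the Switch's socket. By default pf rewrites the source port of every new outbound state to a fresh random one, so two peers talking to the same Switch socket see two different external ports (endpoint-dependent mapping, which the console's test grades poorly); the static-port rule makes the external port equal the internal one for every destination. UPnP then covers the other half, letting an unsolicited peer in on a port the Switch asked for. The toy model below shows both behaviours, plus the miniupnpd permission line from the post modelled as data. The WAN address, the Switch at 10.197.0.20 and the peers are constructed placeholders.

```python
import itertools
from typing import Dict, List, Tuple


class OutboundNat:
    """Toy model of pf outbound NAT port selection for one WAN address."""

    def __init__(self, wan_ip: str, static_port: bool):
        self.wan_ip = wan_ip
        self.static_port = static_port
        self._fresh = itertools.count(50001)  # deterministic stand-in for pf's random port pick
        self.states: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """External (ip, port) for a new or existing state; pf keys state on the full 4-tuple."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.states:
            ext_port = src_port if self.static_port else next(self._fresh)
            self.states[key] = (self.wan_ip, ext_port)
        return self.states[key]


# Constructed addresses: the Switch on the console VLAN and three game peers.
SWITCH_IP = "10.197.0.20"
PEERS: List[Tuple[str, int]] = [("198.51.100.10", 3074), ("198.51.100.11", 3074), ("203.0.113.77", 45210)]


def nat_type(static_port: bool, lan_ip: str = SWITCH_IP, lan_port: int = 45001) -> str:
    """What the peers report back about our external mapping (the STUN-style test)."""
    nat = OutboundNat("192.0.2.5", static_port)
    seen = {nat.translate(lan_ip, lan_port, ip, port) for ip, port in PEERS}
    return "cone (endpoint-independent)" if len(seen) == 1 else "symmetric (endpoint-dependent)"


# miniupnpd permission rules as data: (verb, external port range, client, internal port range),
# evaluated first match, with the post's "Default Deny" applied when nothing matches.
UPNP_ACL = [("allow", (45000, 65535), SWITCH_IP, (45000, 65535))]
UPNP_DEFAULT_DENY = True


def upnp_permits(ext_port: int, client_ip: str, int_port: int) -> bool:
    """Would miniupnpd grant this AddPortMapping request under the ACL above?"""
    for verb, (e_lo, e_hi), client, (i_lo, i_hi) in UPNP_ACL:
        if client_ip == client and e_lo <= ext_port <= e_hi and i_lo <= int_port <= i_hi:
            return verb == "allow"
    return not UPNP_DEFAULT_DENY


if __name__ == "__main__":
    print("random source ports :", nat_type(static_port=False))
    print("static port         :", nat_type(static_port=True))
    print("Switch maps 50000   :", upnp_permits(50000, SWITCH_IP, 50000))
    print("other host maps 50000:", upnp_permits(50000, "10.197.0.21", 50000))
    print("Switch maps 3074    :", upnp_permits(3074, SWITCH_IP, 3074))
```

Two things the model makes visible: static port is scoped to the Switch's address on purpose (applied to every LAN host, two hosts using the same source port would collide on the WAN side), and the ACL only grants mappings in 45000-65535 to that one address, so a request for any other port or from any other host is refused. If the UPnP status page stays empty, the Switch's request never reached miniupnpd at all: SSDP discovery (UDP 1900 to 239.255.255.250) has to be allowed by the rules on that VLAN interface, and the daemon has to be listening on that VLAN.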
#8
Hi there,

I am running OPNsense 20.1.6-amd64 and have been working on segmenting my network into some VLANs; everything is working great except for just one VLAN. For some reason I cannot get traffic to leave VLAN 50, even though the firewall rules are set up identically to other (working) VLANs.

The rules look like this:

        IPv4 *   *   *   100_Servers net   *   *   *         
        IPv4 *   50_VoiceNetwork net   *   RFC1918    *   *   *   Block all private IP space      
        IPv4 *   50_VoiceNetwork net   *   *   *   *   *   Default allow LAN to any rule

The goal is for this VLAN to have internet access and access to my server VLAN and no others; the RFC1918 alias refers to the private IP space, and it's there to block traffic to other VLANs. This exact rule set works just fine on other VLANs, exactly as expected. But even when I disable the top 2 rules I still can't get traffic to leave the VLAN.

Nothing comes up in the firewall live view and I can ping other clients on the VLAN in question (but not the OPNsense VLAN interface, or anything beyond it).

So I am completely stumped. I have gone through and checked and rechecked the VLAN setup, the interface setups etc and as near as I can tell it is identical to the others, but it just won't pass the traffic.

Any ideas on where else I can check to get an idea of what's going on here?

Thanks,
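Added example, not from the thread: when the live view shows nothing and even the VLAN interface address does not answer a ping while hosts on the VLAN reach each other, the frames are not arriving on OPNsense's VLAN 50 sub-interface at all, which makes it a layer-2 question: do they reach the parent NIC tagged with VID 50, untagged (the Cisco side sends VLAN 50 as native on that trunk), or not at all? The decoder below is what `tcpdump -e` does with the 802.1Q header, run over a constructed capture containing both tagged and untagged frames; the MAC addresses and payloads are placeholders.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ETH_P_8021Q, ETH_P_8021AD = 0x8100, 0x88A8  # customer tag, service (QinQ outer) tag


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame, optionally with one 802.1Q tag (what a trunk port sends for
    a tagged VLAN; the native/untagged VLAN leaves vid=None)."""
    header = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        if not 0 <= vid <= 4094 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0..4094 and PCP 0..7")
        header += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[str, str, Optional[int], int, bytes]:
    """(dst, src, vlan id or None if untagged, inner ethertype, payload).
    Only the outermost tag is decoded; a QinQ frame reports its service tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[offset:]


def tally_vlans(frames) -> Dict[Optional[int], int]:
    """Frames seen per VLAN id. Key None is untagged traffic: the parent NIC receives
    it, but no vlanN sub-interface will ever see it."""
    counts: Dict[Optional[int], int] = {}
    for f in frames:
        vid = parse_frame(f)[2]
        counts[vid] = counts.get(vid, 0) + 1
    return counts


# Constructed capture on the OPNsense parent NIC: two phones on VLAN 50 arriving
# tagged, plus one ARP from a phone arriving untagged (switch sent VLAN 50 as native).
PHONE_A, PHONE_B, GATEWAY = "00:1b:4f:aa:bb:01", "00:1b:4f:aa:bb:02", "a0:36:9f:00:00:50"
SAMPLE_CAPTURE: List[bytes] = [
    build_frame("ff:ff:ff:ff:ff:ff", PHONE_A, ETH_P_ARP, b"\x00" * 28, vid=50),
    build_frame(GATEWAY, PHONE_B, ETH_P_IP, b"\x45" + b"\x00" * 19, vid=50),
    build_frame("ff:ff:ff:ff:ff:ff", PHONE_A, ETH_P_ARP, b"\x00" * 28),
]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        dst, src, vid, etype, _ = parse_frame(f)
        print(f"{src} -> {dst}  vlan={vid if vid is not None else 'untagged'}  ethertype=0x{etype:04x}")
    print("per-VLAN tally:", tally_vlans(SAMPLE_CAPTURE))
```

On the box the equivalent checks are `tcpdump -eni <parent> vlan 50` (frames tagged for VLAN 50 on the physical NIC) and `tcpdump -eni <parent> not vlan` (untagged frames); if the phones' ARP shows up only in the second, the Cisco side is sending VLAN 50 untagged on that trunk, and `ifconfig <vlanif>` should still confirm the sub-interface's `vlan: 50` and its parent. A QinQ outer tag is reported as-is here; the decoder does not descend into a second tag.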