OPNsense Forum
Topics - clopmz

1
24.7 Production Series / Dashboards are not synced
« on: August 22, 2024, 07:43:42 pm »
Hi all,

Recently I have updated two CARP'ed firewalls from 24.1.10 release to 24.7.2 release and all seems to work ok except for dashboards. Dashboards are not sync'ed between master and backup node and this feature worked perfectly in release 24.1.10.

Is this a bug or do I need to accomplish some actions?

2
24.1 Legacy Series / Problem accessing webgui with two CARPed OPNsense firewalls
« on: April 15, 2024, 10:40:22 am »
Good morning,

I have configured two OPNsense firewalls in HA mode using CARP. These firewalls connect via IPsec tunnel to CheckPoint firewalls. Everything works correctly: the hosts behind the OPNsense firewalls are reachable from the hosts behind the Checkpoint firewalls and vice versa, etc.

But the problem comes when I try to manage these OPNsense firewalls from a computer behind CheckPoint firewalls. I can always access the master node but never the backup node (neither by ssh nor by webgui). If I shut down the master node, I can access the node that was backup without any problems both via ssh and webgui.

I have enabled "Disable reply-to on WAN rules" but nothing. Analysing the traffic that arrives to the node that I cannot access, I can see how the ssh and webgui requests arrive and do so through the IPsec tunnel, but do not return.

What could be the problem with the backup node, is it a routing problem through the IPsec tunnel?

Many thanks for your help.

3
General Discussion / OPNsense as an internal firewall
« on: July 14, 2023, 01:43:57 pm »
Good morning,

Sorry to disturb with this, but I am totally lost. I am trying to set up an OPNsense firewall in my internal networks as an internal firewall. Another OpenBSD firewall exists, acting as the external firewall.

To use OPNsense as an internal firewall, I have disabled the "Block private networks" and "Block bogon networks" options in the WAN interface. Outbound NAT is also disabled. But two things happen:

- ALL traffic is accepted on WAN. It doesn't matter what rules I configure, all traffic is accepted. Always.
- Packets traversing the WAN interface are blocked back on the LAN interface.

An example (hn0 is the LAN interface):

 00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
 00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
 00:00:00.030043 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
 00:00:02.018105 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
 00:00:00.031078 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0

And finally: if I disable the firewall completely with the command "pfctl -F all", everything works correctly (which makes me rule out a routing problem).

Any idea? My OPNsense firewall is release 23.1.11-amd64.
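
As an added example, not part of this post: a small POSIX shell/awk filter that picks out, from tcpdump-style pflog text like the capture above, the replies (SYN-ACK, Flags [S.]) that pf blocked inbound on a given interface. A blocked SYN-ACK is diagnostic: it is the second packet of a handshake, so pf blocking it means no state matched the connection, which points at an asymmetric path or a state-table problem rather than at the rule set itself. The sample input is constructed from the lines in the post plus one passed SYN (invented for contrast); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post: pick blocked replies out of pflog text.
# Sample input constructed from the capture in the post, plus one passed SYN
# for contrast (the "pass" line and its TCP line are made up).
SAMPLE_PFLOG='00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.500000 rule 3/0(match): pass in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.17.10.133.39016 > 172.17.10.5.22: Flags [S], cksum 0x0000 (correct), seq 2917434528, win 64240, options [mss 1460], length 0'

# blocked_replies IFACE
# Reads pflog text on stdin (two lines per packet: the rule/verdict line, then
# the TCP line) and prints "RULE SRC -> DST" for every SYN-ACK (Flags [S.])
# that pf blocked inbound on IFACE. A SYN-ACK is a reply: if pf blocks it, it
# found no state for the connection, so look at the path the SYN took (and
# whether state was created on the other interface), not at the block rule.
blocked_replies() {
  awk -v ifc="$1" '
    /rule [0-9]+\/[0-9]+\(match\): block in on / {
      if ($0 ~ ("block in on " ifc ":")) { rule = $3; sub(/\(match\):$/, "", rule); hdr = 1; next }
    }
    hdr && /Flags \[S\.\]/ {
      dst = $3; sub(/:$/, "", dst)
      printf "%s %s -> %s\n", rule, $1, dst
      hdr = 0; next
    }
    { hdr = 0 }
  '
}

# count_blocked_replies IFACE: number of blocked replies in the sample for IFACE.
count_blocked_replies() {
  printf '%s\n' "$SAMPLE_PFLOG" | blocked_replies "$1" | wc -l | tr -d ' '
}

# Stand-alone run: lists the two blocked SYN-ACKs on hn0; the passed SYN is ignored.
printf '%s\n' "$SAMPLE_PFLOG" | blocked_replies hn0
```

On a live box the same filter can be fed from a tcpdump of the pflog interface; the output is the list of connections whose return traffic never found a state, which is the thing to explain before touching any rule.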

4
23.1 Legacy Series / Problem between OPNsense and Google Load Balancers
« on: June 15, 2023, 03:47:19 pm »
Hi all,

I have installed two OPNsense fws as virtual machines in GCP. All is working ok, except when I try to configure an external load balancer to use these fws in HA mode, due to the impossibility of configuring CARP in cloud providers.

I have configured this external load balancer to perform health-checks against OPNsense's web interface, but the load balancer always returns "timeout" and the backend pools appear down (backends are OPNsense fws). I have configured rules in the WAN interface to allow access from Google's health-check networks: 35.191.0.0/16, 209.85.152.0/22, 209.85.204.0/22 ... and nothing ... it is always a timeout.

Due to this problem, I have installed an Ubuntu VM with an nginx server to check my load balancer config, and it works.

Having arrived at this point I am completely lost ... Any ideas? What am I doing wrong?

5
High availability / Debugging HA sync config
« on: May 23, 2023, 06:28:40 pm »
Hi all,

I have two OPNsense firewalls with CARP configured (release 23.1.7_3-amd64). I have configured HA sync (only in MASTER node) and I've added a cronjob to sync every 5 min, but synchronization never occurs.

If I execute sync manually all works ok. Web gui is configured to listen on all interfaces.

Is there some log file where I can debug this behaviour?

Thanks.

6
23.1 Legacy Series / Sync config between standalone opnsense firewalls
« on: May 16, 2023, 08:19:49 am »
Good morning,

Maybe it is a stupid question, but is it possible to sync some config options (like cronjobs, aliases, etc.) using the High Availability option without using CARP interfaces?

Many thanks for your help

7
20.7 Legacy Series / Loading pftables from files
« on: August 07, 2020, 03:50:51 pm »
Hi all,

I have configured several pftables as external sources and I have scheduled several cronjobs to create/update these pftables and to store the data in plain files. But how can I configure OPNsense to read these files and insert the data into the correct pftable every time the fw starts or restarts?

Thanks
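
As an added example, not part of this post and not an OPNsense feature: the generic pf way to do what the post asks, as a POSIX shell script that loads every file in an assumed directory into the pf table of the same name using pfctl's -T replace, which swaps the whole table in a single operation. Where to hook the script in at boot is left to the reader; it only needs pfctl. The directory layout, the function names and the demo addresses (TEST-NET-3) are constructed for this example.

```shell
#!/bin/sh
# Added example, not an OPNsense feature: reload pf tables from one file per
# table at boot (or whenever the files are refreshed). Directory layout and
# file names are assumptions for this example.

# valid_table_name NAME: accept only plain identifiers, so a stray file name
# can never reach pfctl as anything but a table name.
valid_table_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# load_all_tables DIR [PFCTL]: for every DIR/<name>.txt, replace the contents
# of table <name> with the file. PFCTL defaults to pfctl; pass "echo pfctl" for
# a dry run. Empty files are skipped on purpose: a refresh job that failed and
# left an empty file must not wipe a blocklist that is currently in force.
load_all_tables() {
  dir="$1"
  pf="${2:-pfctl}"
  for f in "$dir"/*.txt; do
    [ -f "$f" ] || continue
    name=$(basename "$f" .txt)
    if ! valid_table_name "$name"; then
      echo "skipping '$f': not a valid table name" >&2
      continue
    fi
    if ! [ -s "$f" ]; then
      echo "skipping '$f': empty, keeping current contents of table $name" >&2
      continue
    fi
    # "-T replace" swaps the whole table atomically, so it is never half-loaded.
    # $pf is intentionally unquoted so a dry-run value like "echo pfctl" splits.
    $pf -t "$name" -T replace -f "$f"
  done
}

# Stand-alone dry run against a constructed directory: one good table, one
# file with an invalid name, one empty file. Only the good one produces a command.
demo=$(mktemp -d)
printf '203.0.113.10\n203.0.113.0/24\n' > "$demo/blocklist.txt"
printf 'x\n' > "$demo/bad name.txt"
: > "$demo/empty.txt"
load_all_tables "$demo" "echo pfctl"
rm -rf "$demo"
```

The empty-file check is the part worth keeping whatever the boot hook looks like: without it, a cron job that fails and truncates its output file turns a blocklist into an empty table on the next reload, and nothing in pf will tell you.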

8
20.7 Legacy Series / [SOLVED] There is no option to update system access settings in 20.7 release
« on: August 05, 2020, 04:16:16 pm »
Hi all,

In previous releases, when access servers are configured (LDAP or RADIUS), there was the option to leave the fallback on Local Database, as appears in OPNsense's docs: Step 5 - Update system access settings - https://docs.opnsense.org/manual/how-tos/user-ldap.html. It was the perfect choice for keeping administrators and operators authenticated locally and using an external user authentication mechanism to facilitate user management.

But in the 20.7 release there is no such option, or is it located in another place? ... because I haven't found it.

Regards,

9
20.7 Legacy Series / Error using Microsoft Active Directory for authentication
« on: August 04, 2020, 04:39:45 pm »
Hi all,

Newly installed OPNsense 20.7 and AD auth is configured. Tester is ok and testing user auth is working, but when I log in to the web interface the following error appears:

"A problem was detected. Click here for more information."

And the error message is:

System Information:
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
FreeBSD 12.1-RELEASE-p7-HBSD #0  427d53bc125(stable/20.7)-dirty: Sun Jul 26 05:51:42 CEST 2020     root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP amd64
OPNsense 20.7 3526fcaac
Plugins os-dyndns-1.22
Time Tue, 04 Aug 2020 14:37:43 +0000
OpenSSL 1.1.1g  21 Apr 2020
PHP 7.3.20
PHP Errors:
[04-Aug-2020 14:14:21 Etc/UTC] PHP Warning:  in_array() expects parameter 2 to be array, null given in /usr/local/www/system_authservers.php on line 756

And I cannot import groups and/or users. Is this a bug?

Regards.
