Topics

1

22.7 Legacy Series / OpenVpn CRL problem

« on: October 12, 2022, 09:19:03 am »

After upgrade to 22.7, openvpn client don't connect if in openvpn server i specify internal CRL
This is error

TLS Error: TLS handshake failed   
TLS Error: TLS object -> incoming plaintext read error   
TLS_ERROR: BIO read tls_read_plaintext error   
OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed   
VERIFY ERROR: CRL not loaded

I have try to delete and recreate CRL, reboot opensense with no success... any idea?
Thanks

2

General Discussion / DHCPv6 and vendor-specific

« on: July 18, 2022, 08:23:32 pm »

I need to configure in dhcpv6 this options (cisco syntax)
is possible?

vendor-specific 9
  suboption 1 address x:x:x:x:x:x:x:x

I can't find vendor specific options in gui

3

Virtual private networks / Filter over ipsec

« on: March 04, 2022, 09:10:19 am »

Hi,
we have make a point to point ipsec tunnel, in my fw rule under ipsec i have an autogenerated rule  "IPsec internal host to host" with all ipv4/ipv6 permit for out packet.
I put this an rule with deny ip , direction in.

Remote site cannot ping my site. ok good
Now if i ping an ip to other site, opnsense make an row in state table, now remote site from this ip can ping me.
Why?
Thanks

4

General Discussion / Intra Fw connection drop after 30 sec

« on: September 27, 2020, 10:03:30 pm »

Hi,
i have 2 opnsense

Lan1->opnsense1->   
                                   wan router
Lan2->opnsense2->   

opnsense1 have a static route for lan2,destination  opnsense2
opnsense2 have a static route for lan1,destination  opnsense1

Hybrid outbound NAT rule generation
In opnsense1 i have a nonat to lan2
In opnsense2 i have a nonat to lan1

Firewal rule in opnsense2, permit ip from lan1

Gateway monitoring is disabled.
Block private network on wan, disabled

Now, communication from lan1 to lan2 and from lan2 to lan1 work correctly buf after after 30 seconds stop.
Is not asymmetric, but i have try "Bypass Firewall Rules for Traffic on Same Interface" with no success
I think is a state problem, but how to resolve?

When i connect from Lan1 to Lan2 (ssh from 172.30.0.164 to 172.30.2.10)
in opnsense 1 i have
all   tcp   172.30.0.164:59216 -> 172.30.2.10:22   SYN_SENT:CLOSED   
all   tcp   172.30.2.10:22 <- 172.30.0.164:59216   CLOSED:SYN_SENT

In opnsense2 i have

all   tcp   172.30.0.164:59216 -> 172.30.2.10:22   ESTABLISHED:ESTABLISHED   
all   tcp   172.30.2.10:22 <- 172.30.0.164:59216   ESTABLISHED:ESTABLISHED   

I have try to use policy routing instead static routing with same problem

My opnsense2 intercept syn sent, but syn reply is not intercepted (but is present and routed correctly)

Any ideas?
Thanks

5

General Discussion / IPSEC with two remote ip (primary/backup)

« on: September 12, 2020, 06:57:26 pm »

I need to setup my opn sense to make a isec vpn.
The remote firewall have two ip,primary and backup.
In gui i can set only one ip, how i can make this setup?
Thanks

6

General Discussion / How to block TOR

« on: August 20, 2020, 10:52:14 pm »

Hi,
i need to block TOR network,
there is an equivalent of pfblockng in opnsense?
Thanks

7

General Discussion / How to log vpn access

« on: August 14, 2020, 12:33:01 pm »

Hi,
i have setup a openvpn with 2fa and local auth.

1)I need to have a log of login/logout and login failure how to?
2)is possible to launch a command on login/logout?
is usefull to launch zabbix-send to remote log and monitoring access
3)is possibile to send snmp trap on login/logout/login failure?
Thanks

8

General Discussion / Very big problem to snapshot Opnsense

« on: August 13, 2020, 10:05:06 am »

Hi,
in my esxi7 when i make a snapshot opnsense to backup it with veeam, network stop working,
is very,very slow, my ping from network to opnsense is 1/2sec
Sometimes is slow only lan interface,sometimes only wan interface,sometimes both
To restore operation i need to reboot opnsense
I have try to install openvmtools with no success
top not show any persormance issue, interrupt is 100% free and cpu 0% of load

9

General Discussion / Change name of Qrcode

« on: August 12, 2020, 05:52:49 pm »

If i enable 2FA , in qrcode description i see
username@hostname
where hostname is the name of Opnsense.
I can change this description without change opnsense name?

10

Hardware and Performance / Slow 10Gb network on esxi7

« on: August 12, 2020, 03:12:01 pm »

Hi,
i migrate from pfsense to opnsense ,
in test a simple configuration,
two nic 10Gb , vmxnet3 driver ,
two vcpu (on amd 64core 2,5ghz)
2gb ram
only nat enabled,

with iperf i reach 3,5gbit on pfsense and 2,5gbit on opnsense.
with top ,i see a lower interrupt in pfsense (40% free) respect to opnsense (10% free).
i can modify something to speed up my fw?
I have test to enable and disable various offload in gui with no result.
Thanks