OPNsense
Topics - random1104

1
Virtual private networks / Zerotier & NAT
« on: December 18, 2023, 05:49:09 pm »
Hello!

I have OPNsense + Zerotier working with dual WAN.

WAN1: public IPv4 assigned to the FW (ISP1 doesn't care about IPv6)
WAN2: private IPv4 assigned to the FW, with NAT in the ONT + IPv6 assigned but not working (ISP2 doesn't know how to properly delegate IPv6). There's a 1:1 NAT to the firewall (that is as good as it gets with that ISP).

The issue I have is that I see several blocked connection attempts incoming on WAN2. It's super annoying because it fills up the disk with filter log entries.

The only difference between WAN1 & WAN2 is that WAN2 is behind NAT. Is there any recommended configuration in that scenario?



2
General Discussion / Link local only
« on: December 15, 2023, 05:29:09 pm »
Hello! What would be the correct procedure to set up a "link-local only" IPv6 interface? If I choose Enabled + "static ip", I cannot save the configuration.

The use case would be BGP peering with another network element.

3
General Discussion / DHCP & DNS updates
« on: October 25, 2023, 03:19:34 pm »
Hello, for DHCP-v4, can you confirm "OPTION 12" is the one clients must send to properly update Unbound A/PTR updates?

What would be the case for DHCP-v6 AAAA/PTR?

Also, I wonder if OPTION 81 is supported, per https://datatracker.ietf.org/doc/html/rfc4702#section-3.1

4
Hardware and Performance / Repeated reboot
« on: July 10, 2023, 09:50:58 pm »
Hello!

I'm running OPNsense on a Lanner NCA-1010B. It keeps rebooting every 15 min approx. Can anybody recommend how to pinpoint where the issue is?

In the system logs, I can only see the fresh boot. Could it be power issues? Triggered by software?

From the logs:

tap9993: changing name to 'zta1ivkmolav2t3'
zta1ivkmolav2t3: link state changed to UP
arp: 10.1.1.105 moved from ac:07:5f:76:56:44 to 00:9e:c8:95:87:c4 on igb0_vlan100
---<<BOOT>>---
Copyright (c) 1992-2021 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

5
High availability / Cluster & IPv6 Router advertisement
« on: June 15, 2023, 06:01:42 am »
Hello!

I found this topic https://forum.opnsense.org/index.php?topic=25158.15

which seems to imply that there's already a recipe, but I fail to find the expected configuration. Do we use CARP for IPv6 subnets + cluster, or is CARP not needed and everything should work automagically?

6
High availability / MultiWAN & User experience
« on: June 08, 2023, 06:01:28 pm »
Hello!

I've set up load-sharing MultiWAN following the documentation, and I see that the user experience is really bad.

Two examples:

1- Connection stalls from time to time, and there are slow page loads.
2- Also, web banking goes bonkers and resets the session every couple of minutes (it seems that different requests to different components from a single client go through different interfaces: main site vs. CDN, etc.)

The only decent experience is achieved with Active/standby WAN setup.

Is there any trick to load balance the outgoing connections per client and not per request?

7
Hardware and Performance / Serial installation - no keyboard
« on: May 31, 2023, 04:15:03 am »
Hello! I'm trying to install OPNsense 22.7 on a Citrix SD-WAN 210 appliance. I can successfully boot the serial installer, but as soon as the boot process finishes, I lose keyboard access:

Last messages:

---
Root file system: /dev/ufs/OPNsense_Install
Tue May 30 14:57:39 UTC 2023

*** OPNsense.localdomain: OPNsense 22.7 (amd64/OpenSSL) ***

 LAN (igb0)      -> v4: 192.168.1.1/24
 WAN (igb1)      ->

 HTTPS: SHA256 4B 3C 50 66 3C C4 80 31 F7 21 77 04 2A EE 62 9D
               E1 69 D7 33 0C AA 0D 51 B1 B8 8C 2B 93 A3 F1 2A
 SSH:   SHA256 qgZPLT2pCAWKzn/VScVQy4ruph8+IBwyWC1OU94BTBI (ECDSA)
 SSH:   SHA256 MgGCfkKgrg2L5r3hfTtLLPXzb068ZY/gKuofiLa1ni4 (ED25519)
 SSH:   SHA256 EXxxww7RA1VtqViOhl3WovKY98N4LxYAklpnGHDlo40 (RSA)
pw: no such user `installer'

Welcome!  OPNsense is running in live mode from install media.  Please
login as 'root' to continue in live mode, or as 'installer' to start the
installation.  Use the default or previously-imported root password for
both accounts.  Remote login via SSH is also enabled.

---

System is not frozen, I can see kernel messages when unplugging & replugging the USB keyboard.

Working with GNU screen, and also with USB keyboard installed (device doesn't have a video output port).

Any tips?

8
Hardware and Performance / Raid1 with different device types
« on: May 29, 2023, 06:43:16 am »
Hello, I would like to install OPNsense in a Citrix SD-WAN 210 appliance. It supports both mSATA & SATADOM drives.

Currently it has a 60GB mSATA SSD disk and a 16GB SATADOM drive installed. I'll replace the SATADOM drive with a 64GB one.

Do you see any cons running a mirror with those devices?

Original devices:

root@:/ # dmesg|grep ada
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <SATADOM-SH 3ME3 V2 S17411> ATA8-ACS SATA 3.x device
ada0: Serial Number BCA11807060531128
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada0: Command Queueing enabled
ada0: 15272MB (31277232 512 byte sectors)
ses0: pass0,ada0 in 'Slot 00', SATA Slot: scbus0 target 0
ada1 at ahcich7 bus 0 scbus1 target 0 lun 0
ada1: <mSATA mini 3ME4 L17606> ACS-3 ATA SATA 3.x device
ada1: Serial Number YCA11807260091067
ada1: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada1: Command Queueing enabled
ada1: 61057MB (125045424 512 byte sectors)
ses0: pass1,ada1 in 'Slot 07', SATA Slot: scbus1 target 0

9
Hardware and Performance / Freedom E28Q-L server/switch
« on: May 19, 2023, 06:29:55 am »
Hello, I'm wondering if OPNsense can make use of embedded switching chipset.

Freedom E28Q-L looks like a server with a 40GbE embedded switch. It originally ran Illumos/Solaris and later was ported to Linux from what I heard.

Would be a monster firewall with OPNsense :)

Ref: https://www.pluribusnetworks.com/assets/PluribusFreedomE28Q-LSwitchDatasheet8-17-1.pdf

10
Hardware and Performance / Citrix SD-WAN appliances
« on: April 16, 2023, 05:25:07 am »
Hello, has anybody successfully installed OPNsense on a Citrix SD-WAN 210 appliance? If that's the case, can you share your experience?

11
23.1 Legacy Series / Migration from OPNsense 20.1.9-i386
« on: April 11, 2023, 01:46:25 am »
Hello!

I have a 32-bit Atom machine running OPNsense 20.1.9-i386 which I would like to migrate to OPNsense 23.1.5_4-amd64. Would it be possible to install 23.1 on a new machine and restore a 20.1.9 backup, or would I need to deploy 20.1.9 on AMD64 to restore the backup and start a staged upgrade to 23.1.x?

12
General Discussion / Automation of a firewall fleet
« on: April 08, 2023, 05:54:24 am »
Hello!

What would be the recommended approach to automate the configuration of several OPNsense instances?

I see there are some facilities built with Terraform, Ansible, Puppet.

Would need to automate configuration for:
- Zerotier
- BGP
- Firewall rules
- Firewall aliases
- QoS
- SNMP
- Interface assignment

13
Virtual private networks / Innernet
« on: March 24, 2023, 01:52:19 am »
Hello! Is there any way of running innernet client in OPNsense?

14
Hardware and Performance / Inexpensive hardware options
« on: March 19, 2023, 11:31:38 pm »
Hello! I'm looking for inexpensive options to deploy some kind of intelligence in some branch offices.

It would do basic forwarding and firewall filtering, plus zerotier or tailscale/headscale to two main sites.

I've seen some interesting options (new hardware) from Qotom & Deciso, but being on a tight budget I wonder if machines like Lanner NCA-1010B-ST1 could still get the job done without melting down (hardware needs to be reliable).

15
General Discussion / Firewall rules per user group
« on: March 15, 2023, 03:02:24 am »
Hello!

Has anybody ever tried to implement firewall rules per user group? Defining rules just per machine IP is not practical for a large office installed base.

I was wondering if it could be implemented, for example, by processing any user authentication service logs, mapping user to group to IP, and modifying aliases to make permissions apply to the IP matched to the user.

If the alias member maximum is not too low, it could scale the addition to the list. On the other side, cleanup could be an issue.

Thoughts?
