Topics - sc0ttjm

#1
The OPNsense documentation is excellent around Gateway groups / Multi WAN and I was able to follow this in a test environment on my new DEC675 unit without any issues.
This test involves 2 DHCP WAN connections.
In the real world I'll be using a UK vDSL connection (PPPoE) as WAN and a Robustel 4G/LTE router as WAN2.
As soon as I change the WAN from DHCP to use PPPoE, the failover no longer works.
I can get an internet connection using the PPPoE configuration, but what's strange is that when I look under System > Gateways > Single I see a new gateway called "WAN_GW" which is marked as active and is using IPv6, and I'm not using IPv6 anywhere. I'm not sure if this is causing the issues as it seems to take priority over the actual WAN gateway that is also listed.

Has anybody managed to set up PPPoE as part of a GW Failover group successfully?
I'm using a brand new DEC675 appliance from Deciso and OPNsense Business Edition version 22.10.2.

#2
We have some NAT Rules on our OPNsense firewall to redirect CCTV browser traffic to the correct NVR depending on the port used.

E.g. 1.2.3.4:8087 redirects to internal IP 10.0.0.1:80 and 1.2.3.4:8088 redirects to internal 10.0.0.2:80.

This works fine externally, but when somebody with a laptop comes into the office and plugs into the network, the shortcut they have to the CCTV system in their browser no longer works.
They get a generic error: "This site can't be reached. [sitename.co.uk] took too long to respond."

I can't work out a way to get around this, please could somebody help me?

Thanks

#3
Hi,
I've spent hours perfecting my new Firewall setup for a Live customer over the weekend and was testing VPN Connectivity for Road Warriors last night using LDAP and all was working perfectly.

I've come to finish off this morning and I can't login to the OPNsense firewall anymore!

I think it might be because I changed the Authentication Server to the LDAP Connection, BUT I thought that as long as I didn't check "Disable integrated authentication" I would still be able to login using the local root account, but I can't.

I can't SSH to it and the Web interface just says "Wrong username or password."

PLEASE HELP!

I'm currently completely locked out.

#4
I have some equipment setup in a colocation cabinet in a local datacentre as per the diagram attached.
We can access everything we need to currently, but we want to add a set of Virtual Machines that have their own network behind their own managed OPNsense Firewall, independent of everything else.
We want to use a spare external IP address just for this network, so that in the example in my diagram, Unused External IP address *.*.*.164 will go straight through our firewall cluster (1) to the Virtual Firewall on XCP-NG Host1 (2) so we can access the resources behind it in that network (3).
I managed to get an isolated host on vLAN30 to be accessible from outside by NAT port forwarding RDP (don't worry just to test, it's not live) as shown in the diagram as "Windows VM 10.30.0.12" on XCP-NG Host3.
To achieve this:
• I set up a vLAN ID (30) on my physical OPNsense Firewalls,
• Created an Interface called "Test_Network" using vLAN ID 30 on the LAN Physical Interface with IP Address 10.30.0.1,
• Created a NAT Port Forward rule that allows RDP from my external IP address to the Virtual WAN IP address of the Windows VM,
• Tagged this vLAN on all physical switch ports,
• Created a pool network on XCP-NG using vLAN ID 30,
• Attached this network to my test Windows VM on one of the hosts.
This works fine and my test VM is assigned an IP address from the external OPNsense firewall and has access to the internet but cannot see anything else on any other network, which is what I want, but it shares my main external IP and I have to have a rule to allow it on our physical firewall.
I just can't work out how to do this instead to recognise a specific external IP address as the Destination on the Physical Firewall and so pass all traffic through to the second Virtual firewall on the XCP-NG host to manage it.
I feel like I'm close but can't quite get over the finishing line.
Any help greatly appreciated.
#5
Hi,

We have had shockingly bad service and support from OVHcloud in the UK, who are hosting a managed Bare Metal server for one of our biggest customers.

We are looking into providing this service to our customers ourselves in future by using a set of 3 XCP-NG Servers in a HA cluster with Shared Storage (SAN), Stacked Switches and Resiliency wherever we can (multiple PSU etc) in a local co-location Data Centre.

The weakest area in expertise for me is the Router/Firewall area. 
I want to use set of 2 x OPNsense Hardware Firewalls in a HA Cluster to provide protection and connectivity for each customer.

Each customer will have a different WAN IP.

Can you offer any advice on how best to set this up or any tips or gotchas to be aware of that you can point out to help? I have no experience yet of using multiple WAN IPs with OPNsense.

I was also thinking of having this Hardware HA cluster, then having a Virtual OPNsense firewall instance for each customer too but my concern is that when I've virtualised OPNsense before, IPSEC VPN Performance has been very poor one way.

Any advice would be greatly appreciated.
Thanks in advance for your time.
#6
Hi,
I think this should be a simple one but I'm struggling to find the answer myself.

I created a new admin user some time ago and disabled the root user as per the good practice guides I read.
I've just had to login to the console for the first time since then and could not.
I had to re-enable the root user in the web interface and then I could login to the console using that account.
I then compared the 2 accounts and the only difference I could see was the "Login Shell" value for root was "/usr/local/sbin/opnsense-shell" and my new admin user was set to "/sbin/nologin", but the only other options in the drop down are "/bin/csh", "/bin/sh" and "/bin/tcsh".
I tried "/bin/sh" which allowed me to login but I couldn't see the usual menu.
If I type SU and put in my password, I get "Sorry"

To clarify, this user is a member of the admins group and the System > Settings > Administration Secure Shell Login Groups are set to Wheel, Admins.

#7
I'm using OPNsense 21.4.1-amd64, FreeBSD 12.1-RELEASE-p16-HBSD, OpenSSL 1.1.1k 25 Mar 2021

The Web Proxy service is Disabled, but on some websites I try and access, I get this error message:

Access Denied
You don't have permission to access "http://website.com/" on this server.
Reference #18.6c35068.1625333775.25f6e6e9
I can only replicate this behaviour when using a proxy on another computer, which is why I think it has something to do with the proxy.

Also googling the error suggests that the fix is to disable any proxy service.

To further back this up, I started a premium Proxy trial and setup the proxy on 2 different servers and both could not access these sites either, showing the same error.

I tried enabling the proxy and disabling again on OPNsense, but it makes no difference.

There are quite a few sites we've identified now that are used on a day to day basis for the business but I've been using this one to test as it displays identical behaviour:  https://tui.co.uk

Can anybody help with this please?
#8
We're suddenly getting error messages on multiple sites like this:

Access Denied
You don't have permission to access "http://[website]" on this server.
Reference #18.95fc645f.1625146667.36443df4

I did some googling and found it could be an Akamai blocking list, but the lookup tool will not work on my server:

https://www.akamai.com/us/en/clientrep-lookup/

If we have been blocked by them, their website says they cannot unblock us; it is down to the sites using their list to ask them to unblock our address.

We are not aware of doing anything wrong but cannot access multiple sites from our RDP servers now as a result.
If we are being blocked, we need to be able to use an external proxy or something so we can still access these sites.  Is this possible and if so how and who would you recommend?

We're desperate here as we can't access sites used for everyday business.

Any help greatly appreciated.
Thanks!
#9
Hi all,

I'm struggling a bit with a VPN between my site and a Data Center.

The VPN is rock solid but using iperf3 I can see that when a machine at the DC is acting as the iperf3 server, and a machine at the site is the client, we get a speed reading of around 8Mbps.

When we reverse this and use the Data Center machine as a client, we get a speed reading of around 82Mbps.

I've tried changing MTU sizes but it doesn't seem to help.

Please could you help me get to the bottom of this?

Thanks
#10
Hi,

We have a specific email domain we send to on a regular basis that will only accept TLS SMTP connections and as such has its own SMTP SEND and RECEIVE Connectors.

Our Exchange Server has been communicating with this domain perfectly for many years.

We have recently moved the Exchange Server (Virtual Machine) from the office into a Data Center and it is now behind an OPNsense firewall.

This is the only change we have made, the server was simply shutdown, moved and powered up again, it even has the same IP settings.

Since the move, we are getting intermittent rejections as the server has failed to negotiate a TLS encrypted session.

I could really do with some help on where to start trying to diagnose this as I can't see anything wrong and nothing else has changed. 

The recipient's IT team have told me this:

"This NDR usually occurs when the connecting mail servers fail to offer a certificate for the TLS handshake and attempt to communicate in plain text. We require and force the use of TLS encryption, and any connecting mail server that is not capable of using TLS encryption will be rejected in this manner.

The external influence of proxies can also produce a similar issue. Cisco Firewalls with 'Mail Inspect' enabled are a good example of this."
Can anybody offer any assistance with this?

Thanks in advance
Scott

#11
Hi,

My customer has 2 mail services on 1 server, I have migrated them from an on-premises Hyper-V infrastructure to a new UK Data Centre Hyper-V infrastructure so they now have a different External IP address.

I have changed the IP address associated with the MX record for 1 service but cannot change the other.

I have an IPSEC VPN between the 2 sites and I can get email to service 2 as it is forwarded using NAT on the Customer Site router, but we cannot send as the mail goes out using the new address.

Is there any way on the OPNsense router in the DC to force SMTP traffic out for email service 2 over the VPN so it goes out using the old IP address?

If not, can I force ALL SMTP traffic out over the VPN so they both use the old IP address?

Network Diagram attached.

#12
Hi,

I'm trying to setup an LDAP server in OPNsense to use for VPN Authentication.
When I click on "Select" in the "Authentication containers" section, there are no results returned in the selection window that eventually is returned.

To prove the settings and credentials I'm using are correct, I installed AD Explorer on a local machine and a remote machine connected by an IPsec tunnel on the OPNsense router and I could access AD using LDAP fine.

I have a Windows 2008R2 AD Server locally, behind a DrayTek 3900 firewall/router, connected through an IPsec VPN Tunnel to the Datacentre with a VM running OPNsense and a test server on the LAN side of the OPNsense server.

The test server can access AD using LDAP through the IPSec tunnel between the DrayTek and the OPNsense router.
The OPNsense router itself doesn't seem to be able to access AD using LDAP.

Please can anybody help me work out what's going wrong?
#13
I have an IPsec tunnel that is showing as up and connected but I can't ping devices on either side from the opposite side or from the OPNsense firewall itself to either side.

I set off a continuous ping on both sides and had a look at the firewall live view and filtered by SRC IP and it shows nothing no matter which machine I try it from on either side of the connection.

Please can somebody help me?
Thanks
#14
I tried to find a guide on how to setup an IPSEC VPN between a DrayTek Vigor 3900 and OPNsense but couldn't find one anywhere.

I eventually worked it out and got it working which is great (if anybody wants to know how I did it, just let me know), BUT then I realised that the DrayTek has 2 x Subnets that both need to be accessible from clients on the other side of the OPNsense firewall.

I found this guide on the DrayTek website: https://www.draytek.com/support/knowledge-base/5428#linux

If you look at "Case 2: Vigor3900 has two local networks while the VPN Peer has one", this is exactly my scenario.
I've followed this guide but I can only connect to devices on the first subnet and not the second.

The only thing I can think of is: could it be because of the security used on the IPSEC tunnel? In the images on the page the connections are green and mine are purple, which means they are IKEv2 Tunnels.

This is my setup (IPs changed):

DataCentre
  Make/Model:         OPNsense Business Edition
  LAN Address:        10.0.3.0
  LAN Subnet Mask:    255.255.255.0
  Router IP Address:  10.0.3.1
  Public IP Address:  1.1.1.1
  VPN Profile Name:   IN_Site_1
  Call Direction:     IN
  IKE:                IKEv2

Site 1
  Make/Model:         DrayTek Vigor 3900
  LAN Address:        10.0.1.0 & 10.0.2.0
  LAN Subnet Mask:    255.255.255.0
  Router IP Address:  10.0.1.1
  Public IP Address:  2.2.2.2
  VPN Profile Name:   Out_DataCentre
  Call Direction:     Out
  IKE:                IKEv2

Result, Tunnel up and I can ping devices on 10.0.1.0 from 10.0.3.0, I can ping devices on 10.0.3.0 from devices on 10.0.1.0, I cannot ping devices on 10.0.2.0 from 10.0.3.0 and vice versa.

Can anybody help?
Thanks
#15
Hi all,
I'm a brand new user and loving learning the OPNsense product so I can start to introduce it to my customers, especially those I'm migrating to the cloud that need a virtual appliance.

I have set up an OPNsense Business Edition Firewall and followed the excellent documentation to set up an OpenVPN server using TOTP Authentication and I can connect my test client with no issues.

Once Connected though, I need to be able to access the LAN based servers in the datacentre so have tried testing using ping.

My setup is:
OPNsense 20.1.9-amd64
OpenVPN Tunnel Network: 10.99.0.0/24
LAN: 192.168.123.0/24

I've connected using OpenVPN Connect and run a continuous ping from my laptop (assigned the address 10.99.0.6) to 192.168.123.10 and I get "Request Timed Out".
I've had a look at the firewall logs, live view, and filtered to show source ip = 10.99.0.6 and I can see that the ping is being blocked by the "Default deny rule" (see attachment 1).
I've tried to find where this is and how to disable it so I can continue testing connectivity between the datacentre, openvpn users and the remote sites.

I've clicked on the "i" symbol next to it which gives more info, but as a newbie, I'm not sure how to overcome this stumbling block. (see attachment 2)

Please could somebody help me?

Thanks in advance
Scott