Topics - atoll

#1
That's essentially it: After the 24.7.1 update, the Adguard plugin is visible, but refuses to start.

Any ideas?

Best e.
#2
Hi everybody,

on my OPNsense installation, the login of the administrator is not accepted anymore.

That's true for the web interface and for ssh.

Now for the funny part: I can log into my "observer"-account (limited permissions, essentially only sees logs and stats) via TOTP.

Then, I go to System -> Access -> Tester and test my admin password against the local database. It's giving me: "authenticated successfully".

OPNsense 23.7.6, ZFS, network time matches

Any clue what's going on? And even more important: What's the simplest way to gain access again?

If possible, I'd like to avoid the serial console, as it's a hassle to get to the machine and get it running.

Thanks!

-e-
#3
Hi,

my OPNsense 22.1.8 connects to the internet per WAN interface via a /29 network, fixed addresses.

Let's call the network 56.142.3.73/29, where 56.142.3.73 is the uplink gateway and 56.142.3.74 is the main external address for the gateway.

VPN connections enter via that address (via DNS resolution of vpn.customer.com to 56.142.3.74).
Now I want to access a local server in that network externally. That server needs internal and external access.

Port forwarding for https seems to be the most obvious way to do it. I figured that out, but I can only connect via 56.142.3.74 (vpn.customer.com), not via 56.142.3.75 (web.customer.com).

How can I set that up?

Am I missing something about a DMZ? (It seemed impractical to me, as the machine needs internal access for https, smb and ssh anyhow?)

The server runs Debian and has 2 physical interfaces (10G Ethernet)
The gateway has more than enough physical interfaces, but the COLT fiber connection obviously only one.

TIA

-e-
#4
Hi,

I'm running an OPNsense 22.1 gateway that provides 2 VPN endpoints:

#1. IKEv2, EAP-MSCHAP, FreeRadius for my road warriors
#2. IKEv1, PSK, Site-to-Site for access to a Windows Remote Desktop Machine and its ability to scan and print back into my local network.

ATM, my firewall rule is simple: Everything in my local Network is accessible from anybody who is allowed to access the VPNs. That was a good solution, as long as I only had VPN #1.

For VPN #2, I'd like to restrict the access to an IP range of 10.10.0.18 - 10.10.0.35 -> this is my local fixed range for my printers and scanners.

The OPNsense has a fixed external IP address that also resolves into a FQDN.
The remote endpoint gateway for VPN #2 has a fixed IP that also resolves into a FQDN.

Would it be sufficient to build a firewall rule and place it first in the parse order that declares the following:

"All traffic coming from the Interface IPsec with origins from [fixed IP of VPN #2 remote endpoint] can access local network from 10.10.0.18 - 10.10.0.35"?

Is that possible/clever/simple?
Options?

And if advised: How exactly would that look?

Thanks!

-cg-
#5
21.7 Legacy Series / IPsec IKEv2 rekey issue?
September 18, 2021, 07:45:10 PM
Hi,

I'm running 20 clients into a Scope7 under OPNsense 21.7.2, establishing individual IPsec IKEv2 Tunnels from individual sites via EAP/MSCHAPv2.

The Clients are configured via profiles, running under macOS or iOS.

Everything is working well, but one problem remains: Every hour, the clients get disconnected.

As the default for rekeying is 3600 seconds, that's my natural first idea to look into.

The log seems to confirm my suspicions:


2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> sending DELETE for ESP CHILD_SA with SPI c5bac60c
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> failed to establish CHILD_SA, keeping IKE_SA
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> no acceptable proposal found
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> parsed CREATE_CHILD_SA response 864 [ SA No TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> received packet: from 93.195.52.31[4500] to 192.168.1.48[4500] (192 bytes)
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> sending packet: from 192.168.1.48[4500] to 93.195.52.31[4500] (768 bytes)
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> generating CREATE_CHILD_SA request 864 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> establishing CHILD_SA con1{147} reqid 1
2021-09-17T17:15:00   charon[65375]   11[KNL] creating rekey job for CHILD_SA ESP/0xc3269189/192.168.1.48

The lines: "failed to establish CHILD_SA, keeping IKE_SA; no acceptable proposal found" stand out.

Any ideas where to look? Can I enable PSK in the process?

THX!

atoll
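A small triage script for the "no acceptable proposal found" rekey failure quoted in the post above. This is an added example written for this thread, not code from the poster, OPNsense or strongSwan; it assumes only the charon "[CFG] ... configured proposals:" / "received proposals:" line format visible in the log, and the sample input is a constructed two-line excerpt built from those quoted lines. It splits every ESP proposal into protocol, cipher, integrity, DH group and ESN, then reports on which attribute the two sides never agree.

```python
"""Triage helper for strongSwan 'no acceptable proposal found' during a
CHILD_SA rekey. Added example for this thread, not OPNsense or strongSwan
code. Assumes the charon [CFG] log line format shown in the post above."""
import re
from typing import Dict, List, Optional

Proposal = Dict[str, Optional[str]]

# Constructed sample input: the two proposal lines from the post, shortened
# to two configured proposals. Not a live capture.
SAMPLE_LOG = (
    "2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> configured proposals: "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, "
    "ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ\n"
    "2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ\n"
)

PROPOSAL_LINE = re.compile(r"\[CFG\] <[^>]*> (configured|received) proposals: (.+)$")
FIELDS = ("proto", "enc", "integ", "dh", "esn")


def parse_proposal(text: str) -> Proposal:
    """Split 'ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ' into its
    protocol, encryption, integrity, DH-group and ESN components. AEAD ciphers
    such as AES_GCM_16_256 carry no separate integrity algorithm."""
    proto, _, algs = text.strip().partition(":")
    p: Proposal = {"proto": proto, "enc": None, "integ": None, "dh": None, "esn": None}
    for token in algs.split("/"):
        if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
            p["integ"] = token
        elif token.startswith(("MODP_", "ECP_", "CURVE_")):
            p["dh"] = token
        elif token in ("EXT_SEQ", "NO_EXT_SEQ"):
            p["esn"] = token
        else:
            p["enc"] = token  # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, ...
    return p


def parse_log(log_text: str) -> Dict[str, List[Proposal]]:
    """Collect configured and received proposals from charon [CFG] lines."""
    found: Dict[str, List[Proposal]] = {"configured": [], "received": []}
    for line in log_text.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            side, plist = m.groups()
            found[side].extend(parse_proposal(x) for x in plist.split(","))
    return found


def explain_mismatch(configured: List[Proposal], received: List[Proposal]) -> List[str]:
    """Return [] when some configured proposal matches a received one in every
    field, otherwise one reason per field on which the two sides never agree."""
    for r in received:
        for c in configured:
            if all(c[f] == r[f] for f in FIELDS):
                return []
    reasons: List[str] = []
    for f in FIELDS:
        offered = {r[f] for r in received}
        accepted = {c[f] for c in configured}
        if not offered & accepted:
            reasons.append(
                f"{f}: peer offered {sorted(map(str, offered))}, "
                f"gateway accepts {sorted(map(str, accepted))}"
            )
    if not reasons:
        # Every field is acceptable somewhere, just not in one combination.
        reasons.append("no single configured proposal combines the offered algorithms")
    return reasons


def analyze(log_text: str) -> List[str]:
    """Parse a charon log excerpt and return the mismatch reasons (empty if compatible)."""
    found = parse_log(log_text)
    return explain_mismatch(found["configured"], found["received"])


if __name__ == "__main__":
    for reason in analyze(SAMPLE_LOG) or ["proposals are compatible"]:
        print(reason)
```

Run against the quoted lines, the script reports that the peer's rekey proposal carries no DH group at all while every configured proposal requires MODP_2048, which is what makes the gateway reject the CREATE_CHILD_SA with "no acceptable proposal found". That narrows the next check to the phase 2 PFS / DH group setting on the gateway versus what the client profiles negotiate at rekey time; the per-field report is a heuristic, so the fallback line covers the case where each attribute is acceptable in some proposal but never in one combination.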