OPNsense
Topics - atoll

1
24.7 Production Series / Adguard not starting after Update
« on: August 10, 2024, 03:28:40 pm »
That's essentially it: After the 24.7.1 update, the Adguard plugin is visible, but refuses to start.

Any ideas?

Best e.

2
23.7 Legacy Series / valid OPNsense admin Password not accepted anymore
« on: October 29, 2023, 10:42:49 pm »
Hi everybody,

on my OPNsense installation, the login of the administrator is not accepted anymore.

That's true for the web interface and for ssh.

Now for the funny part: I can log into my "observer"-account (limited permissions, essentially only sees logs and stats) via TOTP.

Then, I go to System -> Access -> Tester and test my admin password against the local database. It's giving me: "authenticated successfully".

OPNsense 23.7.6, ZFS, network time matches

Any clue what's going on? And even more important: What's the simplest way to gain access again?

If possible, I'd like to avoid the serial console, as it's a hassle to get to the machine and get it running.

Thanks!

-e-

3
General Discussion / WAN /29 network; port fwd for intl. server coming in at specific IP address?
« on: June 25, 2022, 04:24:14 pm »
Hi,

my OPNsense 22.1.8 connects to the internet per WAN interface via a /29 network, fixed addresses.

Let's call the network 56.142.3.73/29, where 56.142.3.73 is the uplink gateway and 56.142.3.74 is the main external address for the gateway.

VPN connections enter via that address (via DNS resolution of vpn.customer.com into 56.142.3.74).
Now I want to access a local server in that network externally. That server needs internal and external access.

Port forwarding for https seems to be the most obvious way to do it. I figured that out, but I can only connect via 56.142.3.74 (vpn.customer.com), not via 56.142.3.75 (web.customer.com).

How can I set that up?

Am I missing something about a DMZ? (It seemed impractical to me, as the machine needs internal access for https, smb and ssh anyhow?)

The server runs Debian and has 2 physical interfaces (10G Ethernet)
The gateway has more than enough physical interfaces, but the COLT fiber connection obviously only one.

TIA

-e-

4
Virtual private networks / 2 IPsec VPNs on one OPENsense with different access to local machines
« on: February 24, 2022, 05:09:01 pm »
Hi,

I'm running an OPNsense 22.1 gateway that provides 2 VPN endpoints:

#1. IKEv2, EAP-MSCHAP, FreeRadius for my road warriors
#2. IKEv1, PSK, Site-to-Site for access to a Windows Remote Desktop machine and its ability to scan and print back into my local network.

ATM, my firewall rule is simple: everything in my local network is accessible by anybody who is allowed to access the VPNs. That was a good solution, as long as I only had VPN #1.

For VPN #2, I'd like to restrict the access to an IP range of 10.10.0.18 - 10.10.0.35 -> this is my local fixed range for my printers and scanners.

The OPNsense has a fixed external IP address that also resolves into a FQDN.
The remote endpoint gateway for VPN #2 has a fixed IP that also resolves into a FQDN.

Would it be sufficient to build a firewall rule and place it first into the parse order that declares the following:

"All traffic coming from the interface IPsec with origins from [fixed IP of VPN #2 remote endpoint] can access local network from 10.10.0.18 - 10.10.0.35"?

Is that possible/clever/simple?
Options?

If advised: what exactly would that look like?

Thanks!

-cg-

5
21.7 Legacy Series / IPsec IKEv2 rekey issue?
« on: September 18, 2021, 07:45:10 pm »
Hi,

I'm running 20 clients into a Scope7 under OPNsense 21.7.2, establishing individual IPsec IKEv2 tunnels from individual sites via EAP/MSCHAPv2.

The clients are configured via profiles, running under macOS or iOS.

Everything is working well, but one problem remains: Every hour, the clients get disconnected.

As the default for rekeying is 3600 seconds, that's my natural first idea to look into.

The log seems to confirm my suspicions:

Quote
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> sending DELETE for ESP CHILD_SA with SPI c5bac60c
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> failed to establish CHILD_SA, keeping IKE_SA
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> no acceptable proposal found
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> parsed CREATE_CHILD_SA response 864 [ SA No TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> received packet: from 93.195.52.31[4500] to 192.168.1.48[4500] (192 bytes)
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> sending packet: from 192.168.1.48[4500] to 93.195.52.31[4500] (768 bytes)
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> generating CREATE_CHILD_SA request 864 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> establishing CHILD_SA con1{147} reqid 1
2021-09-17T17:15:00   charon[65375]   11[KNL] creating rekey job for CHILD_SA ESP/0xc3269189/192.168.1.48

The lines: "failed to establish CHILD_SA, keeping IKE_SA; no acceptable proposal found" stand out.

Any ideas where to look? Can I enable PSK in the process?

THX!

atoll
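The two [CFG] lines in the quoted log already explain the "no acceptable proposal found": every configured ESP proposal carries a DH group (MODP_2048, which requests PFS on rekeying), while the client's rekey proposal carries none, so no configured proposal can match. The following Python script is an added example, not from the post or from strongSwan; it parses charon "configured/received proposals" lines (the two lines below are taken from the post, abbreviated to two configured proposals) and names the transform type that no configured proposal shares with what the client sent.

```python
"""Explain a strongSwan 'no acceptable proposal found' from charon [CFG] lines."""
import re

# Constructed sample: two lines from the quoted log, configured list shortened.
LOG = """\
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

PROPOSAL_RE = re.compile(r"\[CFG\] <[^>]+> (configured|received) proposals: (.*)$")


def classify(token):
    """Map a strongSwan transform name onto its IKEv2 transform type."""
    if token in ("EXT_SEQ", "NO_EXT_SEQ"):
        return "ESN"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    return "ENCR"  # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, 3DES, ...


def parse_proposal(text):
    """'ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ' -> ('ESP', {type: {names}})."""
    proto, _, rest = text.partition(":")
    transforms = {}
    for tok in rest.split("/"):
        transforms.setdefault(classify(tok), set()).add(tok)
    return proto, transforms


def extract_proposals(log):
    """Collect configured and received proposals from all matching log lines."""
    found = {"configured": [], "received": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)] += [parse_proposal(p.strip()) for p in m.group(2).split(",")]
    return found


def explain_mismatch(log):
    """None if some configured proposal matches; else the transform types that
    fail in *every* configured proposal (a type present on one side only, such
    as a PFS DH group, can never intersect and is reported as a blocker)."""
    props = extract_proposals(log)
    blockers = None
    for _, recv in props["received"]:
        for _, conf in props["configured"]:
            bad = {t for t in set(conf) | set(recv)
                   if not (conf.get(t, set()) & recv.get(t, set()))}
            if not bad:
                return None
            blockers = bad if blockers is None else blockers & bad
    return blockers


if __name__ == "__main__":
    print(explain_mismatch(LOG))  # {'DH'}: the client omitted the DH group
```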

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved