OPNsense Forum
Topics - Astaoth

1
24.1 Legacy Series / Traffic forwarded to the default gateway when the configured ones are down
« on: March 31, 2024, 05:18:39 am »
Hi,

I've encountered a very disturbing OPNsense behaviour and I was wondering if it is an expected one.


On my OPNsense 24.1.3 firewall, I've configured multiple interface gateways. Some of these gateways are grouped together, from the page under System > Gateways > Group. One of these groups is intended for my DNS traffic, and contains 2 gateways but not the default one. I'm not sure that changes anything, but the gateways in this group come from OpenVPN connections. For readability, let's name this group GW-DNS.

On the outbound NAT side, my DNS servers have NAT configurations for the gateways in GW-DNS, and the LAN they are on has a NAT configuration through the default gateway. Also, I don't know if it's relevant, but I've selected the "Manual outbound NAT rule generation" option.

In the firewall rules, I've one which allows traffic from my DNS servers to ports 53 and 853 through GW-DNS. This rule is a quick one, and is named "DNS VPN".
I've no other rule which allows traffic to these destination ports, nor one which allows traffic from these servers (or the whole LAN) to the internet, apart from Debian mirrors.

Usually, with my OPNsense firewall, NAT and gateway configuration, my DNS traffic reaches external DNS servers through GW-DNS and the "DNS VPN" rule.

However, I've discovered that if all of the GW-DNS gateways are down (they are shown in red in System > Gateways > Group), the DNS traffic from my DNS servers is still forwarded to its destination by the "DNS VPN" rule, but through the default gateway.


This behaviour feels like a bug, but I'm probably missing something. Can anyone help me understand it?

2
High availability / Looking for information about the clustering and data replications
« on: May 07, 2022, 07:21:19 pm »
Hi !

After pushing my little PC Engines board to the limits of its poor CPU, I've decided to build another box from a PC. But, because currently I don't need to put another firewall anywhere in my LAN and don't like having hardware rusting in a closet, I thought I could instead start to play with OPNsense HA. However, there are some points I fail to understand:

1. What is the purpose of pfsync? Is it only to avoid breaking user sessions when the failover starts?
2. About the interfaces, as far as I understand this, I'll have to create them by hand on each box, right?
3. If yes to the previous question, how does it work with VPN interfaces? Would I also have to make the assignment by hand?
4. About the replication, as I understand it, it's only from the main box to the slave box. Does that mean I can have specific rules and configurations on the slave box, and if they are, for example, on dedicated interfaces (which don't exist on the main box), they will not be overwritten by the replication?
5. How does settings replication work with plugins? For example, I have Telegraf monitoring, FRR configurations, a reverse proxy, a few VPNs (OpenVPN, WireGuard and IKEv2), etc.

The main thing with my new box is that it doesn't have the same hardware as the APU at all: it has fewer network interfaces, no Wi-Fi, and much more power, for running Suricata, Zenarmor and other resource-hungry services at the full speed of my internet connection.

3
22.1 Legacy Series / Can't install on a PCEngine APU4
« on: January 30, 2022, 03:07:47 pm »
Hi,

Since 21.7 I've been unable to upgrade or install a new version of OPNsense on my APU4. I thought it was because of some changes in the HardenedBSD core, so I waited for version 22.1 to reinstall my firewall.

But with this version, I'm still unable to install it from a USB key with the serial image. After booting from the USB key, I get the usual log output until the network interfaces are brought up, then some errors about a missing GPT table at the end of the media, and then nothing else happens.

However, if I try to do the same with version 21.1, it works fine. I still get the missing GPT header error, but the boot process continues and I can set up my firewall.

Am I the only one with this problem?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved