Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - mircsicz

Pages: [1] 2

19.1 Legacy Series / External User DB from LDAP not authenticating if user exists locally

« on: July 16, 2019, 05:49:19 pm »

Hi all,

I've added an LDAP server and can successfully test the passwd of a locally non existing user. But as soon as the user exists on the OPNsense local User-DB (even if I set a scrambled Passwd) I get the following error:

Hope one of you has hint?

19.1 Legacy Series / [SOLVED] Can't Upgrade from GUI nor Console

« on: May 23, 2019, 01:37:39 am »

I've just tried to check for upgrades and ran into issue's, first failure was:

Quote

Could not authenticate the selected mirror.

Then I google'd and found:
https://forum.opnsense.org/index.php?topic=12550.0

But checking on the console my cert.pem sized isn't 0.

Google'd again and found:
https://forum.opnsense.org/index.php?topic=4081.msg14836#msg14836

So I tried as follow's:

Code: [Select]

fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
file packagesite.txz

what I got was:

Code: [Select]

 packagesite.txz: HTML document, UTF-8 Unicode text

Using HTTPS I got this

Code: [Select]

fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
No server SSL certificate
fetch: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz: Authentication error

So at this point I'm lost and hoping for hints...

EDIT:

tried once more after a reboot:

Quote

Updating OPNsense repository catalogue...
pkg-static: repository meta /var/db/pkg/OPNsense.meta has wrong version or wrong format
pkg-static: Repository OPNsense load error: meta cannot be loaded No such file or directory
Fetching meta.txz: 100% 5 KiB 4.7kB/s 00:01
pkg-static: No signature found
repository OPNsense has no meta file, using default settings
Fetching packagesite.txz: 100% 5 KiB 4.7kB/s 00:01
pkg-static: No signature found
Unable to update repository OPNsense
Error updating repositories!

19.1 Legacy Series / [SOLVED] 3CX Firewall Test fails even though Firewall > NAT > Outbound is Hybrid

« on: May 20, 2019, 06:05:51 pm »

Hi all,

I've read and followed those three thread's: https://forum.opnsense.org/index.php?topic=448.0 and https://forum.opnsense.org/index.php?topic=7299.msg32981#msg32981. Especially the last one has a very specific solution but sadly that does not help with the current version of 3CX

This is what the test tells:

This is what I've setup in OPNsense (BTW: 19.1.7)

This is the Forwardings:

Doesn't make a difference if I disable or enable those rule's...

And yes as this is Multi-WAN there's a rule to tell the 3CX to only use VDSL:

The Document supplied by 3CX neither isn't very supportive, it's just telling in detail why the test is correct: https://www.3cx.com/docs/firewall-checker/

So I'm kinda lost with this, and 3CX totally refuses any further support until firewall test gets "GREEN"

19.1 Legacy Series / ipsec routing problem after adding failover WAN

« on: April 04, 2019, 12:34:41 pm »

Hi hi,

I've got two APU based OPNsense's which are connected using Ipsec

After I've added MultiWAN with a failover config on location#1:

I modified the firewall rules like so:

But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 an "DS net" is 10.10.5.0/24

Hope one of you spot's my failure...

19.1 Legacy Series / Traffic-Shaper: how to define a port range in a rule

« on: March 25, 2019, 12:04:16 pm »

I've setup shaping in another firewall, I cloned the settings from another machine.

On the clone source (which was setup while running 18.7) I could setup the rule entering a port list:

The target is now running 19.1.4 and doesn't any longer allow me to enter a list of ports:

Could some please tell me if this is intended, or if there's still a way to define several ports in one rule?

19.1 Legacy Series / Error during Upgrade from 19.1.2 to .4: can't use sudo nor reach the WebIF

« on: March 21, 2019, 05:25:56 pm »

Hi all,

just upgraded a bunch of machines using SSH. I've seen similar probs during 18.7 upgrades but never took the time to post...

Being dropped to such a limited shell I'm kinda lost, I can't use sudo or su, so I can't reboot the machine. And as the webinterface doesn't load through my usual SSH tunnel I can't even reboot from there!!! So pls help! :-(

If I remember correctly I didn't post when having that issue in 18.7 because back then I could use the webinterface.

18.7 Legacy Series / "This account is currently not available." Problem after Upgrade from 18.1.13_1

« on: September 26, 2018, 03:13:59 pm »

I'm aware of this Posting. And if there's no way around that issue I need to drive quite a few km's.

There's also an older Posting which describes how I did it when setting up the Router...

But how the f... could that working setting be destroyed during the upgrade path. For me it's a basic security setting to disable root and allow only key login to the other user's. That is how I run all my system's! And as I'm running more than two dozen OPNsense router's all over germany I'm now kind of afraid to upgrade them with a simple SSH login... Seem's I need to go to every single Webinterface and downgrade my security settings before I upgrade. Not good!

Greetz
Mircsicz

18.1 Legacy Series / using the configuration importer during installation

« on: June 23, 2018, 01:19:53 pm »

As I'm currently preparing a replacement router for a client I wanted to use the offered option during Installation:

Code: [Select]

Press any key to start the configuration importer: ..

But entering the USB Stick's device name only lead's me to an error message. If I google for that message I find this Topic. And additionally I found that, but none of those solve the issue by using the offer during install.

BTW: I'm using OPNsense-18.1.6-OpenSSL-serial-amd64.img

So if I enter the drive's dev name all I get is:

Code: [Select]

Press any key to start the configuration importer: ..

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)
<Verbatim STORE N GO 5.00>         at scbus2 target 0 lun 0 (pass1,da0)
<General USB Flash Disk 1.00>      at scbus3 target 0 lun 0 (pass2,da1)

Select device to import from (e.g. ada0) or leave blank to exit: da0

No known partition layout was found for 'da0'.

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)

So for this time I'll stick with the import through the WebGUI, but for the future I'ld love to have an USB-Stick at hand that I connect in next to the installer stick and have some Client config's on that...

So my question is how has the partition layout to be like, to be able to make a use of the offered import option?

18.1 Legacy Series / [SOLVED] Port Forward on 443 not working but 1443 to the same machine is fine

« on: June 03, 2018, 04:12:53 am »

Hi all,

I've got a weird situation on a freshly installed APU.

I forwarded HTTPS from an Exchange to enable ActiveSync but the nmap scan only show's the port as filtered. But my SSH HiPort and SMTP are working as expected. Exchange sends and receive's Mail as expected and I'm currently using the SSH Access to check the Router's WebIF...

Packet Capture on target's OPNsense doesn't get a single package and on my OPNsense all I get is SYN packages...

Now here comes the funny part: If I forward Exchange's 443 to 1443 I get to see the login page!

I hope one of you has a hint as I'm kind a lost here...

BTW: Aunty Google showd me that from the other pf based distri: https://forum.netgate.com/topic/121743/port-forwarding-http-and-https-dont-work-on-pfsense-2-4-0-sg2220/12 But this is a UnityMedia Business Line and they told me not to block any port... And as I'm on a UnityMedia Business connection to I could approve that by forwarding one of my internal HTTPS enabled host's and accessing it through LTE and another external device!

Code: [Select]

mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:48 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up.

PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p1443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:49 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up (0.028s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

18.1 Legacy Series / 18.1.6 IPsec with packet loss

« on: May 07, 2018, 12:35:32 pm »

I've a machine with a client for a home-office. That connection drop's packages from time to time. I've not had a report for issue's last week but today I got another report...

It's monitored through Zabbix so I've got some stat's:
https://snag.gy/VvMzN2.jpg

And this is what the log gave me:

Code: [Select]

May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce0e3334
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c9939946
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c62c0cf2
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce922c2b
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c6c5b97c
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space a

So what are those messages about?

I checked the Web-IF and saw that the tunnel had lot's of SPI's, so I manually stopped the tunnel and we had a call over the tunnel which only went silent for like 10 sec's... AWESOME!! When the tunnel was up again it was only the one expected SPI there...

Here's the log from the time when I diconnected the tunnel:
https://pastebin.com/m9VufWAU

So my question is how can I avoid that behaviour in the future?

18.1 Legacy Series / 18.1.7 not handing dhcp leases to Windows client's, Mac & Linux are fine

« on: May 07, 2018, 09:58:17 am »

We're having issue's with one router where Windows client's are not receiving their leases:

Code: [Select]

May 7 09:56:03	dhcpd: DHCPACK to 10.xx.yy.77 (80:fa:5b:57:11:18) via igb1
May 7 09:56:03	dhcpd: DHCPINFORM from 10.xx.yy.77 via igb1
May 7 09:56:03	dhcpd: DHCPACK on 10.xx.yy.77 to 80:fa:5b:57:11:18 via igb1
May 7 09:56:03	dhcpd: DHCPREQUEST for 10.xx.yy.77 (10.xx.yy.1) from 80:fa:5b:57:11:18 via igb1
May 7 09:56:03	dhcpd: DHCPOFFER on 10.xx.yy.77 to 80:fa:5b:57:11:18 via igb1
May 7 09:56:03	dhcpd: DHCPDISCOVER from 80:fa:5b:57:11:18 via igb1

Windows only get's himself a 169 IP and if reboot into Linux I see the same log entry but Linux set the correct IP. As this is over several Windows machines I don't have a clue what this is about...

17.7 Legacy Series / [SOLVED] Problem with NoIP Update on 17.7.12

« on: January 27, 2018, 12:36:42 pm »

On a newly installed machine (based on an APU1) I see the following issue:

Code: [Select]

opnsense: /services_dyndns_edit.php: Aborted IP detection: Failed to connect to checkip.dyndns.org port 80: Operation timed out

And I'm not sure why I saw the same message with this host too: dynupdate.no-ip.com Which BTW makes way more sense as I'm using NoIP...

And yes I'm aware of:
https://forum.opnsense.org/index.php?topic=4727.0
and
https://forum.opnsense.org/index.php?topic=4114.0

Greetz
Mircsicz

17.7 Legacy Series / can't boot nano on QSeven Atom

« on: January 15, 2018, 09:49:59 am »

I've an older Model of https://www.dsm-computer.de/products-solutions/products/systems/din-rail-pc/din-rail-pc-h1-a3.html which I'ld like to reuse as a router in the family...

I've flashed OPNsense-17.7.5-OpenSSL-nano-i386.img to a SD and successfully booted for the first time, assigned interface and so on. Then I rebooted and ended up with a unbootable system:

Quote

can't load kernel

was the message I was facing

I've tried tried to deal with it at the prompt. Been setting currdev & rootdev, even set it in loader.conf on SD directly. but that didn't change the behaviour...

Here are some screenshot's:

so loaddev and currdev show a different slice than lsdev, is that OK or the maybe the reason?

So if anyone has a clue why the hack it doesn't load the kernel I'ld be very grateful

17.1 Legacy Series / IPsec Firewall rule's tab gone after 17.1.2 upgrade

« on: February 25, 2017, 12:54:49 pm »

I've just upgraded from 17.1.2, I was hoping to get rid of this issue.

But instead I got another one:

I don't have the choice to create or modify rules on the IPsec interface any longer...

17.1 Legacy Series / Upgrade from 16.7.14: IPSEC Traffic showing up on WAN

« on: February 06, 2017, 09:35:50 pm »

As promised to franco here's my posting about the actual issue:

After Upgrading from 16.7.14 to 17.1 and getting the other two bugs out of the way I'm still hit by this one!

I'm running approx half a dozen APU's of which I've already upgraded two. Both are working as expected. But then there's one OPNsense Installation running as a KVM client, and that machine suffer's from the above mentioned bug. There's 5 S2S Tunnel's of which some have 2 or three L2's...

And all the traffic headed towards the machine's behind those Tunnel's is recognized on the WAN interface of the OPNsense. And the only cure to the issue is to allow Class-A Traffic and create a Firewall rule on the WAN Interface that allow's traffic from behind the IPSec tunnel to the local network...

And just now I realized all my SSH connections are slugish, I can connect but might be kicked after a few sec's!!!

So I'm hoping this get's fixed very soon

Pages: [1] 2