Topics

[disappear]

Hello!

I've built a 'transparent' firewall to allow access to all superLAN resources while preventing unexpected traffic to the subLAN clients. This generally works as expected except when trying to allow superLAN clients to subLAN resources.

Creating a firewall rule allowing opt0 80/TCP traffic successfully allows inbound TCP SYN to the server. However, the server's return SYN-ACK simply disappear inside OPNsense. 

As a workaround, to prevent the SYN-ACKs from disappearing, the opt0 80/TCP allow rule can have it's State Type changed to either none or synproxy. Why does the default keep state setting fail?

Moving the rule from the opt0 interface to the floating tab and leaving the default 'keep state' setting also works as expected.

I've hoping that the experts here can help me understand why these setting work or don't work. Thanks!


A few config details:

em0 -> opt0
em1 -> opt1
bridge0 (members opt0, opt1) -> bridge0

Firewall rule opt1 allow all.

net.link.bridge.pfil_local_phys == 1
net.link.bridge.pfil_member == 1
net.link.bridge.pfil_bridge == 0

Hello, All -

Is there a knob to fiddle that allows for the setting of the default interface to use for traffic sourced from the opnsense instance itself? I've poked around but can not seem to find one.

The problem: IPv6 traffic sourced from any of the WAN interface ips is dropped. IPv6 traffic sourced from the LAN ip is routed as expected. I do not (yet) have a root cause as to why traffic is dropped.

Thanks!

Is it possible to configure OPNsense to send TCP RST packets when the firewall state or NAT state table drops a session? For example, when expiration time arrives it'd be best that both sides of the connection to receive a TCP RST packets so they can release resources and/or generate useful error messages.

I recently attempted to lab a router-on-a-stick scenario.

Switch port 10, untagged vlan10, WAN/DHCP
Switch port 11, untagged vlan11, down
opnsense, tagged em1_vlan10, opt1
opnsense, tagged em1_vlan11, opt2
opnsense, untagged em0, lan

In this scenario, an internal packet capture on opt1 showed unbelievable amount of arp traffic on opt1 before an IP address was even assigned. Perhaps this is more than just undesirable. I've verified that the switch is not generating any traffic.

This seems like something worth troubleshooting. Thoughts?

When changing "User Authentication Source" at VPN: IPsec: Mobile Clients from Local Database to an LDAP Server, the strongswan service needs restarted.

The GUI prompts

The IPsec tunnel configuration has been changed.
You must apply the changes in order for them to take effect.

Upon clicking the "Apply Changes" button, nothing happens. The administrator must manually restart the strongswan. The expected behavior (based on the GUI prompt) is for the service to restart and the changes to be effective immediately.

Hello,

LDAP documentation suggests that a cloud import function can be used to bulk import users from LDAP into the local user table. Does that function still exists in OPNsense 16.7.12? I haven't been able to spot the cloud icon.

Thanks!

Hello,

I'm a bit perplexed. Perhaps someone can point me toward documentation.

I'm trying to block all TCP/25 traffic from transiting the WAN connection.

For the WAN firewall I set the following rule --
REJECT
Proto: TCP
Source: *
Port: *
Destination: *
Port: 25
Gateway: *

This properly rejects all incoming port tcp/25. It does not reject traffic from the LAN, OPT1, OPT2, or IPSEC interfaces. If I make rules on each LAN, OPT1, ... interface then it drops the incoming traffic. I can't seem to set any outgoing firewall rules.

Any pointers would be appreciated.

OPNsense 16.1.6-amd64   
WAN: 10.255.255.102/24 via DHCP(Gateway 10.255.255.1/24)
LAN: 192.168.1.1/24
OPT1: 10.255.255.110/24

WAN & OPT1 are on the same wire as my workstation, 10.255.225.254/24.

I could use some sanity checking. In the configuration above, I can ping and ssh to the WAN & OPT1 interfaces from the gateway but I'm unable to touch the WAN interface from my workstation. I can also ping from 10.255.255.102 to 10.255.225.254. Both 10.255.255.102 & 10.255.255.110 are in my arp table. The firewall rule for both WAN & OPT1 is: IPv4 * * * * *

Any ideas?

In an effort to help new users get the best possible performance, I think it would be beneficial to detect the CPU's capabilities. When an i386 instance is running on a x86_64 bit compatible CPU, it would be nice if something along the line of "64 bit CPU detected. Click here" would print in the CPU Type section of the dashboard.

Are VPN accelerator cards still a thing in the x86 firewall industry? Does OPNsnese support any such hardware?

Since the industry has depreciated the use of SSL (and packages such as openSSL have evolved to support TLS), I think it is important to replace all mentions of SSL with TLS or some combination of the acronyms such as "SSL/TLS" "TLS/SSL" or "TLS (SSL)".

The usage of terms that reflect the current technology should increase accessibility to the underlying concepts for users new to the technology.

Pages like system_advanced_admin.php should be the first to see the change.

Please consider expanding system certificate management to enable one-click generation and signing of TLS web-certs via the Let's Encrypt intuitive for the administration interface. The Certificate Authority is now widely trusted and many stable ACME clients exist. Of course, automated cert. replacement is also important.

Hello OPNsense community -

I'm dropping into the forum this weekend to introduce myself. I've been lurking since the m0n0.ch homepage posted a link to OPNsense. The work being done here seems sustainable. I hope to become a positive contributor to the community.

A little background about myself, my $DAYJOB is currently focused on customer facing network operations and support at a regional, diverse and high performance Internet network. Outside, I'm engaged in a number of projects ranging from volunteer wireless networks to medium-scale hospitality deployments. Projects like OPNsense support such diverse range of projects from virtual routing to site-wide NAT that I feel compelled to share my experience, if the community will accept the feedback loop. While I can offer little programing support, I can offer extensive QA and testing feedback. I'm also able to pickup some of the documentation role as needed.

I understand that many of the use case that I may envision or attempt may not be fully supported. What are the preferred platform to discuss potential bugs vs. non-supported configurations and to developing feature ideas into scoped feature requests?

- - Mitchell