Messages - elfrom

#1
Yes, you are absolutely right.
I must have suffered from some kind of brain fart.
I was imagining all kinds of complicated solutions when the real solution was ever so simple.

Thanks
#2
Thanks bimbar

Maybe I have been overthinking it.
I guess it may actually be as simple as creating Virtual IPs (type Other) for the VLAN-DMZx networks and disabling NAT for those networks as well?
#3
Hi OpnSense-brains, sorry for the long post.

I am in the process of exchanging an old Cisco ASA for an OPNsense firewall. The most straightforward configuration and features are done and tested.
I do have one obstacle that I need to address before I can make the switch; let me try to explain:
On our WAN interface we have a /24 IP address range, which we have subnetted into four /26 networks.

Let's assume that our WAN range is 193.234.129.0/24 (it's not). Our current network looks like this:
193.234.129.1 ISP's router
193.234.129.2 (OUTSIDE-interface) our firewall
The first /26 address range is used for NATing different services to some RFC1918 VLANs.

193.234.129.64/26 (VLAN-DMZ1), 193.234.129.128/26 (VLAN-DMZ2), 193.234.129.192/26 (VLAN-DMZ3)
Servers on the DMZ networks have public IP addresses. Access rules to the internet are managed on the VLAN-DMZx interfaces; access to servers/services on the VLAN-DMZx networks from the internet is managed on the OUTSIDE interface.

Some servers on the VLAN-DMZx networks must have access to servers on our RFC1918 networks; it may be an SQL database, LDAP, Remote Desktop Host servers and what not.
Some servers on the VLAN-DMZx networks may, for different reasons, not be NATed.

Is it possible to replicate the VLAN-DMZx setup described above on OPNsense? If not, how would you go about solving the challenge?

Please advise

Best regards
Elfrom
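The routed-DMZ design described in this post, written out as a pf ruleset. This is an added example, not configuration from the thread and not what OPNsense generates; the interface names (igb0, vlan10, igb1), the internal 10.10.0.0/16 network and every host address are assumptions, and the public prefix is the poster's own placeholder.

```pf
# Added example: public DMZ subnets routed through the firewall without NAT.
# Interface names, the internal network and host addresses are assumed.
ext_if  = "igb0"      # OUTSIDE, 193.234.129.2/24, default route via .1
dmz1_if = "vlan10"    # VLAN-DMZ1, firewall holds 193.234.129.65/26 (assumed)
lan_if  = "igb1"      # internal network 10.10.0.0/16 (assumed)

dmz1_net = "193.234.129.64/26"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Assumed hosts: one public web server, two DMZ hosts that may reach SQL.
dmz_web         = "193.234.129.70"
dmz_sql_clients = "{ 193.234.129.71, 193.234.129.72 }"
lan_sql         = "10.10.5.20"

set skip on lo0
scrub in all

# Translation. The public /26 is routed to us by the ISP and must never be
# rewritten; only private source addresses are masqueraded behind the WAN IP.
# Translation rules must precede filter rules in pf.conf.
no nat on $ext_if from $dmz1_net to any
nat on $ext_if inet from <rfc1918> to any -> ($ext_if)

# Default deny on every interface; state entries let replies through.
block in log all

# Internet -> DMZ: decided on the OUTSIDE interface, per public address.
pass in on $ext_if inet proto tcp from any to $dmz_web port { 80, 443 }

# DMZ -> internet: decided on the DMZ interface. Negating the table keeps the
# DMZ away from every private network unless a later, narrower rule allows it.
pass in on $dmz1_if inet from $dmz1_net to ! <rfc1918>

# DMZ -> internal: only the listed hosts, only the SQL server, only that port.
pass in on $dmz1_if inet proto tcp from $dmz_sql_clients to $lan_sql port 1433

# Internal -> anywhere, including the public DMZ; no translation is involved.
pass in on $lan_if inet from <rfc1918> to any
```

Two points worth checking on a real deployment: with Automatic outbound NAT the DMZ interface networks are treated like any other local network and would be masqueraded, so the `no nat` line (or its GUI equivalent, an outbound NAT rule in Hybrid or Manual mode that does not translate the DMZ networks) is what keeps the public addresses intact; and because the OUTSIDE address is configured as /24 while the DMZ prefixes are /26, longest-prefix matching sends DMZ-bound traffic to the DMZ interfaces, but giving OUTSIDE 193.234.129.2/26 instead removes the overlap altogether.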
#4
I experience exactly the same problem.
I have to do the following after reboot "Ctrl - c" - [enter] - "exit" - [enter]
Running headless I do it blindfolded  8) ;D
#5
Hi Mahesh
I think it is of interest which NIC is connected to WAN and which is connected to LAN.
I don't want to be picky, but "nowhere near 1 Gbps" is not an exact measure; what are we talking about?
Please note that the NetXtreme II BCM5716 is NOT based on an Intel chipset but rather on a chipset from Broadcom.

As many details as possible will get you the best and fastest assistance.
#6
In case anybody else is interested...
I have tested the latest version 0.12.1, it now respects the "device = someinterface"-setting in config.
"someinterface" is appended with an incrementing number.

I enabled an OpenVPN server with no settings, just to have an interface for firewall rules, then enabled the connect-script as per reply #9 in this thread.

For the SSL certificate I used a certificate generated by the Let's Encrypt plugin; everything seems to be working perfectly.
It would be nice if it were implemented as a plugin. I guess it would then be possible to use the RADIUS settings already set up in OPNsense? And the backup would be part of the normal firewall backup as well.
#7
I see 0.12.1 has been available in ports for a month.
Testing this has to be a priority of mine for the coming week.
I really hope it can live up to the hype.
#8
Apparently an updated version of ocserv has been released

* Version 0.12.0 (released 2018-04-22)
- Allow DTLS stream to come from different IP from TLS stream.
  There are situations where internet providers send the UDP
  stream from different IP (#61).
- Increased possibilities of allowed combinations of authentication
  methods (#108).
- Corrected regression since 0.11.8 with OTP authentication (#137).
- Added support for hostname-based virtual hosts, utilizing TLS
  SNI. With that change it is possible to configure multiple servers
  running over the same port (#133).
- Rename the tun device on BSD systems which support SIOCSIFNAME
  ioctl.
- Correctly handle proxy-protocol's health commands. That eliminates
  few connection drops when proxy protocol is in use.
- Corrected crash on certain cases when proxy protocol is in use (#146).


Does "Rename the tun device on BSD systems which support SIOCSIFNAME ioctl" solve the issues that are preventing ocserv from functioning on OPNsense?
#9
Yes, I upgraded 3 firewalls without a problem, all upgraded via the web interface.
#10
17.1 Legacy Series / Re: Packet Loss with IPS
May 07, 2017, 02:13:31 PM
If you look in "system" -> "log file", do you see errors about interface(s) going down and coming back up shortly after?
#11
15.1 Legacy Series / Re: SIP
October 31, 2015, 10:42:15 AM
Hi Janne
I have experienced exactly the same issues on pfSense.
The solution, in my situation, was very simple. Change System:Settings:Firewall/NAT:Firewall Optimization Options from Normal to Conservative.

Hope this helps.

/Brian