Messages - SimpleRezo

1
22.1 Legacy Series / Re: Issue with static IP configuration - cannot define static gateway
« on: August 24, 2022, 04:50:27 pm »
Quote from: franco on June 10, 2022, 01:32:33 pm
If it's not in any attached network it's not "near" either. I'd call this "far" enough. :)

Frankly, I don't want to debate semantics for the configuration you chose to apply. You seem to have your reasons for not having a gateway that is locally reachable so you need to configure it as such.


Cheers,
Franco

The gateway of course is on the same network - actually can be closer since it's directly linked - and locally reachable!

As mentioned in my initial message:
  IP static: 192.168.1.1/24
  IP gateway: 192.168.1.254

And as I explained in my second message: "We have also been able to create the gateway without using "far", but it requires to Apply configuration first: so my guess is now the check is made on the "current" IP address and not the new one."

2
22.1 Legacy Series / Re: Issue with static IP configuration - cannot define static gateway
« on: June 10, 2022, 11:53:14 am »
That's a weird solution since the gateway is not "far", and that's a regression bug.

We have also been able to create the gateway without using "far", but it requires to Apply configuration first: so my guess is now the check is made on the "current" IP address and not the new one.

3
22.1 Legacy Series / Issue with static IP configuration - cannot define static gateway
« on: June 10, 2022, 11:32:49 am »
Hi

With the last version (22.1.8_1) we are facing a bug when trying to set up static IPv4 WAN.

We cannot add the gateway, the GUI always answers "The gateway address does not lie within one of the chosen interface's IPv4 subnets". Of course, it's not the case! I tried with 192.168.1.1/24 and 192.168.1.254 as gateway.

I have noticed:
 - that an error 500 occurs on POST system_gateways_edit.php without any details (and no error report)
 - the same bug occurring when IP has been saved and we try to set up gateway through System / Gateways
 - the only "workaround" is to enable "Far gateway"

Regards

4
22.1 Legacy Series / Re: VxLAN does not going up on start
« on: May 10, 2022, 11:36:11 am »
OK I see, thanks for your answer!

5
22.1 Legacy Series / Re: VxLAN does not going up on start
« on: May 09, 2022, 03:43:32 pm »
Anyone ? :-[

6
22.1 Legacy Series / VxLAN does not going up on start
« on: April 15, 2022, 03:08:00 pm »
I have set up a VxLAN using Interfaces/Other Types/VxLAN on LAN IP: it works, but it does not go up on OPNsense startup. I have to go to the page and do "Apply" on every reboot.

How can I make the VxLAN automatically go up?

7
21.1 Legacy Series / Mirror opnsense.c0urier.net : certificate expired
« on: July 15, 2021, 02:38:29 pm »
Hi

The Let's Encrypt certificate of opnsense.c0urier.net expired on 13.07.2021...

Regards

8
General Discussion / Issue with opnsense.c0urier.net (Europe mirror / sweden)
« on: May 25, 2021, 12:45:00 pm »
Hi

The hostname cannot be resolved: https://dnschecker.org/#A/opnsense.c0urier.net

BR

9
General Discussion / Re: Central management
« on: April 25, 2021, 02:20:37 am »
Quote from: olest on April 23, 2021, 07:11:23 am
I have sent you a PM

I will answer you for your PM, but for everyone else interested, we have created a page describing our solution:
  https://srbox.simplerezo.com/

The solution is internally used for production, and we are just starting Early Access for third parties.

Quote from: olest on April 23, 2021, 07:12:39 am
Quote from: KlausP on January 26, 2021, 09:28:15 am
How will the communication be between the centralized administration opnsense and the other opnsenses when I place a centralized device on the internet?
Is there e.g. a cyclic polling of configuration possible or do I need a direct reachability from the central device to satellites or can I use a VPN which is started from the satellite to the central instance?

I need that information too.
Can central administration be done without a public ip at the clients?

Our solution works without a Public IP and any exposed ports :)

10
21.1 Legacy Series / CloudFlare mirror issues
« on: April 22, 2021, 02:31:14 pm »
Hi

For a few days, a lot of packages have been broken when fetching them through CloudFlare:
Code:
[1/2] Fetching libsodium-1.0.18.txz: .......... done
pkg-static: cached package libsodium-1.0.18: size mismatch, fetching from remote
[2/2] Fetching libsodium-1.0.18.txz: .......... done
pkg-static: cached package libsodium-1.0.18: size mismatch, cannot continue
Consider running 'pkg update -f'

(wpa_supplicant.txz is also affected).

Changing the mirror fixes the issue, I just want to let you know about this.

Regards

Clement
SimpleRezo

11
General Discussion / Re: Central management
« on: January 19, 2021, 11:18:55 am »
We are managing more than 50+ OPNsense here, all around the world ;)

So we have developed:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNSense is provisioned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / slack : gateway status, services...
  - daily XML backups

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!

12
General Discussion / IPSec: working, but...
« on: January 18, 2021, 11:13:50 pm »
Hi

I have set up an IPSec tunnel using StrongSWAN between an OPNSense and FreeBSD (using StrongSWAN on both sides):
  - peer A : OPNSense, IP_PubA, 192.168.148.254
  - peer B : FreeBSD, IP_PubB, 192.168.1.10

It works: no issue for network clients on both sides.

But I cannot access remote network from peer A or B, except when I specify the source.

Code:
peerA# ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
^C
--- 192.168.1.10 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Using tcpdump, I can see that's because, by default, the packet is using IP_PubA as source... so the packet is not using the tunnel (since it does not match the rules). So I tried:

Code:
peerA# ping -S 192.168.148.254 192.168.1.10
~$ ping -S 192.168.148.254 192.168.1.10
PING 192.168.1.10 (192.168.1.10) from 192.168.148.254: 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=123.841 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=120.246 ms
^C
--- 192.168.1.10 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 120.246/122.044/123.841/1.797 ms

And of course, this is working.

How can I configure OPNSense to use its private IP address as source (by default) when trying to communicate with the remote LAN? Or maybe I'm doing something wrong?

13
20.7 Legacy Series / Re: Unbound keeps stopping
« on: January 05, 2021, 12:57:33 pm »
=> https://forum.opnsense.org/index.php?topic=20516.0

14
20.7 Legacy Series / Update of zabbix-proxy package
« on: November 20, 2020, 03:50:28 pm »
Apparently there is an issue between Zabbix and Fping5:
https://www.zabbix.com/forum/zabbix-troubleshooting-and-problems/413476-simple-check-icmppingloss-is-always-0

Is it possible to upgrade the Zabbix package to 5.0.5 (available on FreeBSD ports for 1 week) on the OPNSense repo?

15
20.7 Legacy Series / Re: Zabbix agent issues from 20.7.2 -> 20.7.3
« on: September 25, 2020, 05:37:06 pm »
I can confirm the issue, we have upgraded 5 OPNsense, and 3 of them got the package zabbix4-agent altered (all the files gone).

Hotfix:
Code:
pkg upgrade -f zabbix4-agent

And then you can start agent, from GUI using "Apply" button.
