Messages

1

18.7 Legacy Series / Re: dhcp relay on WAN

« on: February 19, 2019, 09:39:26 am »

After some wiresharking, digging and searching we found the problem.

If you enable the DHCP service on a (clients) interface the DHCP Relay service also starts at the interface behind which it will find the DHCP server. But in order to do that the firewall needs to know before hand where it can find the DHCP server.

Opnsense forwards DHCP discover pakkets with the IP address of the outgoing interface as source IP.
If Opnsense does not also start the DHCP Relay service on its outgoing interface it will forward DHCP Discover pakkets to the configured server. The DHCP server will respond with a DHCP Offer for the (client) network from which the pakket originally came. But Opnsense will not process the DHCP Offer on its outside interface and relay it back to the original (client) network.

The problem was fixed with a static route to the DHCP server over the WAN interface. Now Opnsense starts the DHCP Relay service on the interface for which you would like to enable DHCP Relaying AND the outside interface to process DHCP Offers.

2

18.7 Legacy Series / dhcp relay on WAN

« on: February 08, 2019, 12:13:38 pm »

We have a problem with DHCP relay over our WAN interface of a branch office in our network.

Our setup is 2 OPNsense firewalls/routers on 2 sites and site 1 is the upstream router for site 2. The internetbreakout is on site 1. Between site 1 and site 2 is 172.16.253.0/30 subnet and no NAT

 INTERNET <--> OPNsense1 <--> OPNsense2

On both sites we have DHCP server but we would like to turn off the DHCP server on site 2 and relay DHCP requests to the DHCP server on site 1. This is not possible because the DHCP server is behind the WAN interface of OPNsense2...

WHY??

3

Web Proxy Filtering and Caching / transparent proxy to other IP than 127.0.0.1

« on: February 07, 2019, 10:45:00 am »

Hi,

i'm trying to follow the webproxy setup.
Manually the webproxy works with manual settings to 3128 but now i want to change it to transparent.

My setup is:

client @ vlanX (10.80.24.0/24)
opnwebprxy  @ vlanY (10.80.25.32)

Through opngateway (10.80.5.1) i try to create a NAT rule to forward http & https to that 10.80.25.32.
The squid answers:

The following error was encountered while trying to retrieve the URL: /
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
Missing or incorrect access protocol (should be http:// or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed.


"Transparent" is already enabled on squid.
I did not enable the CA yet but im first testing it with a non-ssl site.


So: @
interface vlanX
ipv4tcp
source: vlanXnet
source-range: any any
dest: any
dest-range: http http
redirect: 10.80.25.32
target-port: 3128
enable nat-reflection
rule NAT

Moved the rules on the top as i've read this somewhere.

Any idea what i could be missing?

Thanks

4

18.1 Legacy Series / Re: upgrade problems

« on: August 27, 2018, 07:16:36 pm »

Wow.... after manually copying all my config to my other box i experienced the same.

I found that in de aliases is something wrong after deleting whole parts until i got it working.


Strange thing (i don't know yet) but it has to be a limit of aliases or a misplaced character.

Anyway i did not need those aliases anymore...

Happy user again  :-)

5

18.1 Legacy Series / Re: upgrade problems

« on: August 25, 2018, 11:26:43 pm »

Strange,

i took the day to rebuild the whole thing from scratch... having the same issue.
It is like i'm not understanding something..

The box itself has a WAN IP address through dhcp @ vlan34, it can download packages (like letsencrypt) but it does not function as the gateway for my assigned subnets.

It is checked as the default gateway, ip monitoring has been enabled & re-disabled.... no luck with this.

6

18.1 Legacy Series / Re: upgrade problems

« on: August 20, 2018, 07:39:36 pm »

Woops.... and then i pressed "update" to 18.7.1 .... broken again :-(

It was working though... at 18.7 :-(


Email says:

There were error(s) loading the rules: /tmp/rules.debug:153: macro '500' not defined - The line in question reads [153]: nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34:0 static-port # Automatic outbound rule

Should i maybe recreate the re0_vlan34  interface??

7

18.1 Legacy Series / Re: upgrade problems

« on: August 20, 2018, 07:25:05 pm »

Thanks!

Strange anyway :-)

8

18.1 Legacy Series / Re: upgrade problems

« on: August 11, 2018, 09:32:22 am »

Hi Franco, did you manage to find anything?

Thanks

9

18.1 Legacy Series / Re: upgrade problems

« on: August 07, 2018, 05:32:45 am »

Hi Franco,

did it come through this time?

10

18.1 Legacy Series / Re: upgrade problems

« on: August 04, 2018, 07:49:23 am »

I will give it another try with an alternative address :-)

11

18.1 Legacy Series / Re: upgrade problems

« on: July 30, 2018, 07:05:37 am »

Hi Franco,

were you able to have a look at it?

Regards,
Martijn

12

18.1 Legacy Series / Re: upgrade problems

« on: July 23, 2018, 08:13:07 am »

Hi Franco,

i've been searching in the file and, apart from my 500, 502, 50x vlan definitions i cannot find something odd.

If you could have a glance? Just attach it here online? 

Musch appreciated

13

18.1 Legacy Series / Re: upgrade problems

« on: July 19, 2018, 08:03:16 pm »

Errr, so i should find it in a alias-definition that does not exist anymore?

I will have a more detailed look between the rules and eventually the /tmp/rules.debug file.

Thanks

14

18.1 Legacy Series / Re: upgrade problems

« on: July 14, 2018, 06:02:29 pm »

Hi,

it is already a few months later.
Unfortunately, the error remains. Whatever i try, entire config or seperate compartmens (like vlan, interfaces, aliasses, firewallrules).


Whenever i import the old 17 config into the latest 18.1.6 it gives an error like this:

opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: /tmp/rules.debug:154: macro '500' not defined - The line in question reads [154]: nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34:0 static-port # Automatic outbound rule

RE1 is the default interface for mgmt, has an IP and 20 vlans (with each of them an IP).


I get cramp in my stumach thinking of manually defining the entire config (like going from pfsense to opnsense).

Any idea? Someone?

15

18.1 Legacy Series / Re: upgrade problems

« on: April 09, 2018, 07:41:26 pm »

Hi Franco,

re1:network is my mgmt subnet for native vlan0 comms. It has only ipv4 assigned.