OPNsense Forum » Profile of c-mu » Show Posts
Messages - c-mu

1
General Discussion / Re: Can ISC and KEA DHCP coexist?
« on: September 13, 2024, 04:22:59 pm »
I am a bit confused. Is there a general “Disable ISC” option? I have now disabled the server for all interfaces below ISC and enabled KEA. I also get an IP address, but apparently not from KEA; the log file and the lease overview remain empty.

2
General Discussion / Re: Can ISC and KEA DHCP coexist?
« on: September 13, 2024, 08:33:26 am »
Hi Franco,
even if ISC is deactivated on the interface and only KEA is listening?
Well, then I have to change all interfaces at once.

Many thanks for the quick answer!

3
General Discussion / Can ISC and KEA DHCP coexist?
« on: September 13, 2024, 08:23:14 am »
I have many VLANs where the classic ISC DHCP server does its job. Now I wanted to deactivate ISC and activate KEA in one VLAN as a test, but I can't get a DHCP lease. I don't see any errors in the log file and the KEA service starts. Do I have to disable ISC on all interfaces for it to work?

I have already configured the corresponding subnet in KEA and checked it three times. But after deactivating ISC and activating KEA on that specific VLAN, my client does not get a DHCP lease on the VLAN.

Thank you!
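
The thread above boils down to "is the subnet actually reachable from an interface Kea listens on". The following is an added example, not code from the post, from OPNsense or from Kea: it reads a Kea DHCPv4 config in Kea's own JSON layout and checks, for every `subnet4`, that some interface listed under `interfaces-config` carries an address inside that prefix (which is how Kea selects a subnet for a directly attached client), and that every pool lies inside its subnet. The interface names, addresses and the config itself are constructed for illustration.

```python
"""Sanity-check a Kea DHCPv4 config against the interfaces it is meant to serve.

Added example, not code from the post, from OPNsense or from Kea. Kea answers
only on interfaces listed under Dhcp4/interfaces-config/interfaces, and
selects a subnet4 for a direct (non-relayed) client by the address of the
interface the request arrived on (or by an explicit "interface" field on the
subnet). Interface names, addresses and the config below are constructed.
"""
import ipaddress
import json

# Constructed stand-in for a dumped Kea config (Kea's real JSON layout).
KEA_CONFIG = json.loads("""
{
  "Dhcp4": {
    "interfaces-config": { "interfaces": [ "vlan0141" ] },
    "subnet4": [
      { "id": 141, "subnet": "10.141.0.0/24",
        "pools": [ { "pool": "10.141.0.100 - 10.141.0.200" } ] },
      { "id": 142, "subnet": "10.142.0.0/24",
        "pools": [ { "pool": "10.142.0.100 - 10.142.0.200" } ] },
      { "id": 143, "subnet": "10.143.0.0/24",
        "pools": [ { "pool": "10.143.0.50 - 10.143.1.20" } ] }
    ]
  }
}
""")

# Constructed: interface name -> the firewall's own IPv4 address on it.
IFACE_ADDRS = {"vlan0141": "10.141.0.1", "vlan0142": "10.142.0.1"}


def check_kea_config(cfg, iface_addrs):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    dhcp4 = cfg["Dhcp4"]
    listening = set(dhcp4.get("interfaces-config", {}).get("interfaces", []))
    if "*" in listening:            # Kea's wildcard: listen on every interface
        listening = set(iface_addrs)
    findings = []
    served = set()
    for sn in dhcp4.get("subnet4", []):
        net = ipaddress.ip_network(sn["subnet"], strict=False)
        # Kea refuses to start if a pool reaches outside its subnet.
        for pool in sn.get("pools", []):
            spec = pool["pool"].strip()
            if "/" in spec:         # pool given as a prefix
                inside = ipaddress.ip_network(spec, strict=False).subnet_of(net)
            else:                   # pool given as "first - last"
                lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
                inside = lo in net and hi in net
            if not inside:
                findings.append(f"subnet {sn['id']}: pool {spec} lies outside {net}")
        # Which listening interface would make Kea pick this subnet?
        matches = {i for i in listening
                   if i in iface_addrs and ipaddress.ip_address(iface_addrs[i]) in net}
        if sn.get("interface") in listening:
            matches.add(sn["interface"])
        if not matches:
            findings.append(f"subnet {sn['id']} ({net}): no listening interface has an "
                            "address in it, so direct clients there get no offer")
        served |= matches
    for i in sorted(listening - served):
        findings.append(f"interface {i} is listened on but no subnet4 matches it")
    for i in sorted(listening - set(iface_addrs)):
        findings.append(f"interface {i} is listened on but has no known address")
    return findings


if __name__ == "__main__":
    for f in check_kea_config(KEA_CONFIG, IFACE_ADDRS) or ["config looks consistent"]:
        print(f)
```

With the constructed config the script reports subnet 142 as unreachable (its VLAN is not in the listen list) and subnet 143 both for a pool that leaves the /24 and for having no listening interface; subnet 141 passes. The same check applied to the real config answers whether the interface was really handed over to Kea or whether the subnet simply never matches it.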

4
24.7 Production Series / Re: 24.7.1 openvpn SSL error certificates are revoked
« on: August 26, 2024, 08:28:57 am »
No, my test instance won't work with Peer Certificate Revocation List. At the moment I don't have any idea how to manage/fix this. I'm thinking about renewing all client certs with a new CA.

5
24.7 Production Series / Re: 24.7.1 openvpn SSL error certificates are revoked
« on: August 16, 2024, 09:12:23 am »
They are not. That's why I'm wondering what happened...
I will create a new instance (legacy) for testing with all the same settings as the other plus revocation list and try to figure out what's going on.

6
24.7 Production Series / 24.7.1 openvpn SSL error certificates are revoked
« on: August 16, 2024, 08:58:42 am »
Hello,
A colleague installed the update from 24.7 to 24.7.1 during the night. It was this morning when I noticed that the OpenVPN connections can no longer be established. All certificates report "error=certificate revoked".
We couldn't find any indication of why this was suddenly the case, so I set “Peer Certificate Revocation List = none” in the server instance. Since then the login has been working again.
We are still using the legacy OpenVPN server instances. Did I miss something critical in the changelog?

Code:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS handshake failed
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
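
One detail in the log above is easy to miss: every rejection is at `depth=1`, the issuing CA (`CN=gateway-internal-ca, serial=0`), not at `depth=0`, the client certificate. The script below is an added example, not code from the post, from OpenVPN or from OPNsense. It tallies OpenVPN `VERIFY ERROR` lines by chain depth, error text, CN and serial, so that a CA-level rejection (which fails every client at once) can be told apart from individual revoked or expired client certificates. The sample lines are constructed in the shape of the posted log, with placeholder addresses and names.

```python
"""Summarise OpenVPN 'VERIFY ERROR' log lines to see which certificate in the
chain the server is rejecting.

Added example; not code from the post, OpenVPN or OPNsense. In these lines
depth=0 is the peer (client) certificate and depth=1 is its issuing CA, so
'certificate revoked' at depth 1 means the CA certificate itself (here
CN=gateway-internal-ca, serial 0) is what matched the CRL. The sample lines
are constructed in the shape of the posted log with placeholder values.
"""
import re
from collections import Counter

# depth, error text, then the subject DN (which contains commas) ending in serial=...
VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): "
    r"(?P<subject>.*), serial=(?P<serial>\S+)$"
)
CN_RE = re.compile(r"CN=([^,]+)")

# Constructed sample in the shape of the posted log (placeholder values).
SAMPLE_LOG = """\
2024-08-16T07:24:54 Error openvpn_server8 192.0.2.10:3733 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 192.0.2.10:3733 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=Example, L=Example, O=Example Org, emailAddress=pki@example.invalid, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 192.0.2.10:3728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 192.0.2.10:3728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=Example, L=Example, O=Example Org, emailAddress=pki@example.invalid, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:53 Error openvpn_server8 192.0.2.11:3737 VERIFY ERROR: depth=0, error=certificate has expired: C=DE, O=Example Org, CN=laptop-17, serial=2A
"""


def summarise_verify_errors(log_text):
    """Count VERIFY ERROR lines by (depth, error, CN, serial)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        cn = CN_RE.search(m["subject"])
        key = (int(m["depth"]), m["error"], cn.group(1) if cn else "?", m["serial"])
        counts[key] += 1
    return counts


def diagnose(counts):
    """One-line reading of the summary: CA-level rejection vs. per-client rejection."""
    ca_level = [k for k in counts if k[0] >= 1 and k[1] == "certificate revoked"]
    if ca_level:
        depth, _, cn, serial = ca_level[0]
        return (f"CA '{cn}' at depth {depth} (serial {serial}) matched the CRL: "
                "every client under it fails, check the CRL's entries against "
                "that serial before touching client certificates")
    leaf = [k for k in counts if k[0] == 0]
    if leaf:
        return f"{len(leaf)} distinct client certificate(s) rejected, CA chain verifies"
    return "no VERIFY ERROR lines found"


if __name__ == "__main__":
    summary = summarise_verify_errors(SAMPLE_LOG)
    for key, n in summary.most_common():
        print(n, key)
    print(diagnose(summary))
```

The check that follows from the summary is done with plain OpenSSL: `openssl crl -in <crl.pem> -noout -text` lists the serial numbers the CRL revokes, and `openssl x509 -in <ca.crt> -noout -serial` prints the CA's own serial. If the CA's serial appears in the CRL, the CRL rejects the CA and with it every client, which is consistent with the failures in the log sitting at depth 1 and with renewing client certificates not helping.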

7
High availability / Re: HA on the same device
« on: June 13, 2024, 03:19:45 pm »
I was overthinking it. The simplest solution will indeed be to create a LAGG interface for failover or load balancing. Thank you!

8
High availability / HA on the same device
« on: June 13, 2024, 03:03:40 pm »
Hi!

I have several free SFP+ ports on my hardware. My goal is to secure my public IPs over two lines to the ISP switch. However, an IP alias can only be assigned to one interface. How could I achieve this goal without using two firewalls with CARP?
Thank you :-)

9
23.1 Legacy Series / Re: howto use livelog correctly
« on: October 26, 2023, 12:19:53 pm »
I think I have now understood how OPNsense thought of it.
First I disabled the default log rules:

Log packets matched from the default block rules put in the ruleset
Log packets matched from the default pass rules put in the ruleset
Log packets processed by automatic outbound NAT rules

So there are much(!!) fewer entries in the live log. And if I now activate "enable logging" in a firewall rule, it also appears in the live log.

Are there any best practices which rules should be logged by default?

10
23.1 Legacy Series / howto use livelog correctly
« on: October 26, 2023, 11:34:15 am »
Please help me to understand the live log correctly. I am having extreme problems looking up anything there for debugging purposes. I mostly switch back to tcpdump.

For example I have a mailserver. I go into the livelog, enter the filter "src IP mailserver" or "dst IP mailserver" and nothing is displayed.
Neither my ping tests, nor the mails coming in, nor anything else.

At the same time, several mails per second go through this server, but I can't see anything in the livelog.

Do I need to check "enable logging" everywhere in the ruleset?

The mail server is in a DMZ, which means that all connections have to go through the firewall and therefore have to be visible in the livelog.

Maybe I have too many connections, so it can't show up in the livelog? I do not know exactly where I see the active connections, but the firewall has 32k active states.

Don't get me wrong, when I run the livelog without a filter, I see dozens of entries that change very quickly.

11
German - Deutsch / Using CARP correctly
« on: October 09, 2023, 02:28:56 pm »
Hello,
I am currently puzzling over how to proceed correctly in the following scenario.

Suppose I have dozens of VLANs and now want to add a second firewall for HA.
Do I now have to configure a separate CARP address for every VLAN, or is it enough to configure CARP on one interface so that the firewalls can negotiate master/slave, and then set up virtual IPs for all the other VLANs/interfaces?

In my case I have close to 50 VLANs and honestly cannot warm to the idea of setting up an extra CARP IP for every interface.

Thanks!

12
German - Deutsch / Are "general logs" not sent to the log server?
« on: October 18, 2022, 11:00:46 am »
Hello everyone,
for some time now I have been sending the log files to a Loki server. Right now I want to debug a specific problem whose error messages show up here:

    System: Log Files: General

But I cannot find those messages via Loki, whereas I can find all the others.
I checked again: under Logging destination all applications are ticked except filter (filterlog). Does anyone have an idea?

Thanks!

13
High availability / am I using CARP incorrectly?
« on: September 07, 2022, 10:52:38 am »
Hello,
I've been wondering for a while if I've been using CARP incorrectly for years and if I can't do better.

I have a lot of VLANs, currently around 80-100 I guess, mostly /29 networks for customer environments for security purposes.
Now I have also configured a CARP address for each VLAN, but is that really necessary?

Isn't it enough if I set up CARP only in the main network, for example, and set up a Virtual IP for all other interfaces/VLANs? As soon as a problem is detected in the main network, the master moves to the slave and with it all virtual IPs.

How would you do it?
Thank you!

14
High availability / Re: Packet Loss over all VLANs (22.7.2 and 22.1.6)
« on: September 06, 2022, 04:33:12 pm »
I have found a defective switch component in my network. It was not easy, because 2 ports of an 8 port fiber optic module were defective and this was not visible in any log files. Here I had to use the exclusion method to approach the defect port by port.

15
High availability / Packet Loss over all VLANs (22.7.2 and 22.1.6)
« on: August 31, 2022, 10:27:38 am »
I have a strange problem since Sunday.
Two hardware-identical firewalls are working in HA mode with CARP. OPNsense 22.1.6. It has worked for years.

Since Sunday I have packet loss on all VLANs. Both firewalls have problems to define the CARP master. As a first step I shut down the slave. The log then throws the same message across all CARP interfaces, the order is random (master firewall):

example:
carp: 60@ixl1_vlan141: BACKUP -> MASTER (master timed out)
carp: 60@ixl1_vlan141: MASTER -> INIT (hardware interface up)
carp: 60@ixl1_vlan141: INIT -> BACKUP (initialization complete)
carp: 60@ixl1_vlan141: BACKUP -> MASTER (master timed out)

And again: it is configured as master itself and its slave is offline. Base 3 and skew 0 are configured.

Next I updated the master to 22.7.2, because of a possible software bug. No success.
Then I replaced the Intel card with Mellanox. No success.
With the current version 22.7.2 the DHCP service also fails at some point and does not assign any more leases until the reboot.

Then I changed a VLAN CARP IP to the IP alias to exclude CARP - drops still follow.

Packet losses occur exclusively to the firewall, or across the VLANs. VLAN internally from host to host there are no losses.
It doesn't matter if the master is the only one online, or the slave, or both.
Does anyone have an idea what else I can do?
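
The transition sequence quoted in the post is the thing to count: `MASTER -> INIT (hardware interface up)` is FreeBSD carp(4) reacting to link state on the parent interface, and the `BACKUP -> MASTER (master timed out)` that follows is just the normal re-election while the peer is offline. A vhid that keeps cycling through INIT therefore points at layer 1/2, which matches the defective fiber module found in the follow-up post. The script below is an added example, not code from the post, from FreeBSD or from OPNsense; it parses carp log lines of the shape shown in the post and flags the vhid/interface pairs that re-initialise repeatedly. The sample lines are constructed.

```python
"""Count CARP state transitions per vhid/interface from kernel log lines and
flag the ones that keep flapping.

Added example; not code from the post, from FreeBSD or from OPNsense. Line
shape follows the FreeBSD carp(4) messages quoted in the post
('carp: <vhid>@<ifname>: <FROM> -> <TO> (<reason>)'). 'MASTER -> INIT
(hardware interface up)' is driven by link state on the parent interface, so a
vhid that passes through INIT repeatedly points at layer 1/2 rather than at
CARP timing. The sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Tolerates 'BACKUP-> MASTER' (no space before the arrow) as in the posted log.
CARP_RE = re.compile(
    r"carp: (?P<vhid>\d+)@(?P<iface>\S+): (?P<src>[A-Z]+)\s*->\s*(?P<dst>[A-Z]+) \((?P<reason>[^)]*)\)"
)

# Constructed sample: one vhid bouncing twice, two others settling normally.
SAMPLE_LOG = """\
carp: 60@ixl1_vlan141: BACKUP -> MASTER (master timed out)
carp: 60@ixl1_vlan141: MASTER -> INIT (hardware interface up)
carp: 60@ixl1_vlan141: INIT -> BACKUP (initialization complete)
carp: 60@ixl1_vlan141: BACKUP -> MASTER (master timed out)
carp: 60@ixl1_vlan141: MASTER -> INIT (hardware interface up)
carp: 60@ixl1_vlan141: INIT -> BACKUP (initialization complete)
carp: 61@ixl1_vlan142: BACKUP -> MASTER (master timed out)
carp: 70@ixl1_vlan150: INIT -> BACKUP (initialization complete)
carp: 70@ixl1_vlan150: BACKUP -> MASTER (master timed out)
"""


def parse_transitions(log_text):
    """Return (vhid, iface, src, dst, reason) tuples for every carp line."""
    out = []
    for line in log_text.splitlines():
        m = CARP_RE.search(line)
        if m:
            out.append((int(m["vhid"]), m["iface"], m["src"], m["dst"], m["reason"]))
    return out


def reinit_counts(log_text):
    """How often each vhid@iface fell back to INIT, broken down by reason."""
    counts = defaultdict(Counter)
    for vhid, iface, _src, dst, reason in parse_transitions(log_text):
        if dst == "INIT":
            counts[f"{vhid}@{iface}"][reason] += 1
    return counts


def flapping(log_text, threshold=2):
    """vhid@iface keys that re-initialised at least `threshold` times."""
    return sorted(k for k, c in reinit_counts(log_text).items()
                  if sum(c.values()) >= threshold)


def master_claims(log_text):
    """Times each vhid@iface claimed MASTER; with the peer down, once per reinit is expected."""
    c = Counter()
    for vhid, iface, _src, dst, _reason in parse_transitions(log_text):
        if dst == "MASTER":
            c[f"{vhid}@{iface}"] += 1
    return c


if __name__ == "__main__":
    for key, reasons in reinit_counts(SAMPLE_LOG).items():
        print(key, dict(reasons))
    print("flapping:", flapping(SAMPLE_LOG))
```

Run against the real kernel log (`/var/log/system/latest.log` on OPNsense, or whatever was shipped to the log server) and group the flagged keys by parent interface: if every vhid on one physical port flaps and those on the others do not, the port, optic or switch module is the suspect, which is the "exclusion method" from the follow-up post done with a script instead of by hand.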
