Messages - vitaprimo

Pages: [1] 2
1
General Discussion / Re: DHCP Option 121 or 249
« on: January 11, 2023, 11:37:57 pm »
Hey, sorry nobody replied earlier. This is why I can't switch fully to OPNsense, docu isn't great and you can't get help. :(

Anyway, if you're still looking for the answer; first I'd like to ask you if you added ALL ROUTES at once. But since it's unlikely I log in soon to check, I'll make some assumptions, if that's OK.

For option 121 you add additional routes, that I gather you already know. As I understand (and in my testing) you need to also add the default route at the end, and before the additional routes (at least on Windows' DHCP client and server) add the route for the local subnet, e.g. all your subnets are /24s, you have an L3 switch with an interface on each of your VLANs taking address .1 and spaced roughly /16 apart on the 10/12 range (so [skipped 10.0.0.1] 10.1.0.1, 10.2.0.1…10.15.0.1) and a router on the same subnets on address .2 that goes out to the Internet, your site-to-site tunnels, remote clients, etc., in other words, the default route.


Range:             10/12
(10.0.0.1-10.15.255.254)

Subnets:     10.1.0.0/24,
             10.2.0.0/24,
             10.3.0.0/24,
  (…)       10.15.0.0/24;

L3 switch:      10.1.0.1,
                10.2.0.1,
                10.3.0.1,
  (…)          10.15.0.1;

Router:         10.1.0.2,
                10.2.0.2,
                10.3.0.2,
  (…)          10.15.0.2;


So, for clients on the 9th VLAN, 10.9.0.0/24, you'd need the routes:


10.9.0.0/24   0.0.0.0     #see fig2
10.0.0.0/12  10.9.0.1
0.0.0.0/0    10.9.0.2


If the 9th VLAN has a second or third subnet directly accessible on the broadcast domain, for instance "10.9.1.0/24", you specify it as a local subnet. Clients would still need an address on the subnet, e.g. eth0=10.9.0.44/24,10.9.1.44/24. Option 121 would need to be:


10.9.0.0/24   0.0.0.0
10.9.1.0/24   0.0.0.0
10.0.0.0/12  10.9.0.1
0.0.0.0/0    10.9.0.2


You have to enter all the strings for all subnets concatenated in option 121. I don't know the syntax though. There was this website that did it for you (I did it on pfSense too) but I don't remember which it was. On Microsoft's DHCP server it looks like fig1, and though it looks easier, looks are deceiving: you need to enter the values in order—they can't be rearranged after the fact. It's been a while though, I might be forgetting something.

An alternative to this (if your goal is something like offloading the routing to a beefier, much faster device such as an L3 switch) is setting it up as the default gateway and using a transit network between it and your upstream router, and one or more static routes on the upstream router. So using the same example subnets, let's say your transit network is 10.16.0.0/24..or /30, whatever.

The switch keeps its .1 address, so does the router. On the switch you set up its default route to 10.16.0.2 corresponding to the router on the transit network just outside the 10/12 range. And you're done on that side. Now on the router, you add a static route to 10/12 via 10.16.0.1. If it is a firewall with a per-interface ruleset, such as pfSense or OPNsense, you'll add them all on a single interface. You may create network aliases for each of your networks, e.g. 10.9.0.0/24 alias "zone9" or "iscsi".

On OPNsense you can (temporarily) add the routes on console, for the example scenario:
Code:
route add 10.0.0.0/12 10.16.0.1
# test if the internal gateway (the switch in this case) is responding
ping 10.16.0.1
# then test with a host on the remote internal network
ping 10.9.0.77
# or one of the switch's internal interfaces
ping 10.9.0.1

And since your "LAN subnet" preset would no longer match (i.e. it would now match 10.16.0.0/24 while your real LAN is, and must be, on another range; 10/12), if you're using the default ruleset, "allow anything from the LAN", the firewall will kick in dropping all traffic. For that you need to disable the firewall from the console so you can make your way to the GUI and add (1.) the static routes permanently and (2.) a new firewall rule, or edit the existing LAN firewall rule to allow anything from anywhere, to buy you some time while you create more targeted rules without being kicked out on every single change, because each time you save something, even if you don't apply it, the firewall re-enables itself. So you need to disable it again, and again, and again…

Code:
#disable firewall
pfctl -d

Test from the inside out, from a host:
Code:
# the local gateway
ping 10.9.0.1
# the switch's gateway
ping 10.16.0.2
# the router/firewall's gateway or some public well-known host
ping 9.9.9.9

The transit network approach — and perhaps I should've started with that — will avoid asymmetric routing that can happen when you have more than one path between subnets. Since firewalls like OPNsense are stateful, and routers like L3 switches aren't keeping states, data can flow one way only and get blocked by the stateful firewall between subnets and by the built-in stateful firewall in most client OSes if NAT or a reverse proxy are in the way.

In regard to option 249, I didn't know about it, or at least I didn't remember about it if I knew, but from Microsoft:
(…) Microsoft Classless Static Route Option (…) only difference is that Option Code 249 SHOULD be used instead of or in addition to Option Code 121.

So if it works when you add 249, it's because you're most likely overriding option 121. Also check out RFC 3442 just before "page 4"; 'Local Subnet Routes'.

I hope this helps OP or anybody in the forum looking for info. Because the documentation… OMG! I've tried setting up IKEv2 with RADIUS, the docs say to select no RADIUS server in the mobile client config and select it in the phase 1 instead, however, that isn't possible. For over a year I keep checking if there's any change with the new releases… none.

fig1:

fig2:
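The post says the routes have to be concatenated into option 121 but not how. The wire format is the one RFC 3442 defines, and the Microsoft option 249 carries the same payload. The following is an added example (Python, not code from the post or from OPNsense) that encodes the post's VLAN 9 route list exactly as written there, including the local-subnet route with router 0.0.0.0 and the default route last, decodes it back, and checks that a default route is present, because a client that receives option 121 ignores the ordinary Router option (3). The VLAN 9 route list is constructed from the topology in the post; how a given DHCP server wants the resulting bytes typed in is not covered by the post, so the script prints the value as colon-separated hex.

```python
"""RFC 3442 classless static route encoder/decoder (added example, not
from the forum post or the OPNsense project).  Option 121 and the
Microsoft variant, option 249, carry the same payload."""
import ipaddress
from typing import Iterable, List, Tuple

Route = Tuple[str, str]  # (destination in CIDR form, next-hop router)

# Constructed sample: the post's 9th VLAN, 10.9.0.0/24, with the L3 switch
# on .1 (reaches the rest of 10/12) and the Internet router on .2.
# Order is preserved on the wire; the default route goes last, as in the post.
VLAN9_ROUTES: List[Route] = [
    ("10.9.0.0/24", "0.0.0.0"),   # local subnet route (RFC 3442, "Local Subnet Routes")
    ("10.0.0.0/12", "10.9.0.1"),  # everything else inside 10/12 via the L3 switch
    ("0.0.0.0/0", "10.9.0.2"),    # default route via the router
]


def encode_classless_routes(routes: Iterable[Route]) -> bytes:
    """Serialise routes as the option 121/249 payload.

    Each route is: 1 byte prefix length, then only the significant octets of
    the destination (ceil(len/8) of them), then the 4-byte router address.
    """
    out = bytearray()
    for dest, router in routes:
        # strict=True rejects a destination with host bits set, e.g. 10.9.0.77/24
        net = ipaddress.IPv4Network(dest, strict=True)
        width = net.prefixlen
        out.append(width)
        out += net.network_address.packed[: (width + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Parse an option 121/249 payload back into (cidr, router) pairs.

    Rejects a prefix length above 32 and a payload cut off mid-route, which a
    DHCP client should also refuse rather than install a half-parsed route.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix length {width} at offset {i - 1}")
        n = (width + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("payload truncated inside a route")
        dest = payload[i : i + n].ljust(4, b"\x00")  # restore the omitted low octets
        i += n
        router = payload[i : i + 4]
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{width}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def has_default_route(routes: Iterable[Route]) -> bool:
    """RFC 3442: a client that gets option 121 ignores option 3 (Router),
    so the default route must be inside the option or clients lose it."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)


def colon_hex(payload: bytes) -> str:
    """Colon-separated hex, a common form for entering raw option values."""
    return ":".join(f"{b:02x}" for b in payload)


if __name__ == "__main__":
    blob = encode_classless_routes(VLAN9_ROUTES)
    print("option 121/249 value:", colon_hex(blob))
    for cidr, gw in decode_classless_routes(blob):
        print(f"  {cidr:<16} via {gw}")
    print("default route present:", has_default_route(VLAN9_ROUTES))
```

For the three VLAN 9 routes the payload is 20 bytes: `18 0a 09 00 00 00 00 00` for 10.9.0.0/24 via 0.0.0.0, `0c 0a 00 0a 09 00 01` for 10.0.0.0/12 via 10.9.0.1, and `00 0a 09 00 02` for the default route, which has no destination octets at all. Extra local subnets such as the post's 10.9.1.0/24 are just more `("10.9.1.0/24", "0.0.0.0")` entries before the 10/12 route.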


2
22.7 Legacy Series / Re: How do I paste multiple values in multi-value boxes?
« on: August 31, 2022, 10:54:38 pm »
COMMA!? I swear the list of characters and escaped characters I tried was much longer and that must've been the one character I didn't try! I'll stick to the spreadsheet, it's where I store most network-related data (MACs, DNS, domain stuff, DHCP, CPE hardcoded passwds…) anyway, it's perfect — thanks!

I got the copy button below some boxes BTW — which didn't make any sense since I couldn't paste — but now if I assume correctly there'd be a paste button if I copy from another of these fields. It makes sense now. Thanks again.




I was going to reply much earlier without checking first. Thankfully I reconsidered because of the new line bit. I had mentioned double new line earlier because I thought it was well-known a single new line didn't cut it. This made me a little dubious about pasting from a spreadsheet so I tried it, in five or six browsers:


Firefox, Chromium, Chrome, Vivaldi, Edge and Safari

It didn't work. Fortunately, I'm more stubborn and determined than a Schnauzer mini trying to get a toy and I refused to believe I'd been advised wrong so I pasted that in an IDE and made the lines into a single string, pasted it in the first of six browsers peeking behind the IDE — Firefox — and it took it right away, formatted it nicely! So, in the end, it might take a little more work than not, but it's much more preferable than the alternative of entering each value individually.

I have currently 4 or 5 OPNsense firewalls (none of them work as firewalls BTW, mostly pre- and post-DNS stuff), some of them require the same settings minus one (self), and then again for IPv6, so it's very easy to make mistakes. This is a huge life saver! Thanks!

3
22.7 Legacy Series / How do I paste multiple values in multi-value boxes?
« on: August 31, 2022, 05:07:38 am »
I'm trying to get around filling these boxes:


which are kind of a nightmare since they concatenate whatever you paste in.

I tried editing the file directly in the filesystem: in the example in the shot, BIND; but it turns out BIND doesn't read the config. The GUI seems to override the CLI.

Any idea how to fill this correctly so that pasting is enabled?

So far I've tried pasting the line with [,], [;], [\], [\n\n] (double new line space) and even [<br>]. Nothing seems to work.

Any ideas? :)

4
22.1 Legacy Series / Re: BIND won't start, "creating IPv4 interface" failure.
« on: July 21, 2022, 03:50:52 am »
I found it!

I SSHed in the router and looked for the BIND configuration files. When I found it, right after I opened it I noticed the error; the IPv6 query source still had the old prefix so naturally it didn't match. The logs specifically mention IPv4 addressing so it kind of threw me off. After I changed it, it immediately came back online! :D

Thanks anyway.

5
22.1 Legacy Series / BIND won't start, "creating IPv4 interface" failure.
« on: July 20, 2022, 10:12:13 am »
I use BIND as some sort of DNS router between AD domain controllers and in-box Unbound, both listen on :53. The firewall has two interfaces; Unbound works exclusively on one of them, BIND doesn't have the option to choose an interface but it is set to use the addresses from the other. It had been working great for a long time until I had to change the IPv6 prefix.

That is the only thing different since it stopped working, at least. No other changes have been made. The logs are very... not really useful. The addresses are available, one of each family to each resolver/nameserver, and they are all responding, I'm testing from another subnet; ruling out gateway issues in the process. The "firewall" is not really a firewall, it's in router-only mode, filtering+NAT off.

I composed a little screenshot collage to best illustrate things — you might need to pan around on a laptop display.

Here's the link in case there are issues showing it: https://i.imgur.com/jcyCsUv.png


Any ideas what's wrong?

6
21.7 Legacy Series / Why are multiple interfaces available for NAT?
« on: October 31, 2021, 02:33:21 am »
Why are there multiple simultaneous interfaces for NAT rules? Are group-type rules supposed to be a no-no —especially NAT rules— because they'd get no reply-to?

7
21.1 Legacy Series / Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)
« on: March 18, 2021, 04:02:41 pm »
Playing with the FreeRADIUS plugin I discovered it was accepting just about every device that would connect to the test wireless network configured with it for auth, or so I thought. As it turns out I had [absentmindedly] configured every possible setting I could use at some point, including remote MySQL database and LDAPS.

When I unchecked the LDAP boxes the devices stopped connecting to the MAC-based authenticated network. As that was sorted out a million questions replaced it though, like why isn't the FreeRADIUS plugin able to use the users synced from Active Directory (over secure LDAP). It'd be nice to use the built-in users with the same password and just augment their profiles with just the needed settings*. I also noticed that even while making its own LDAPS connection to the servers, it would still fail to authenticate supplicants requiring the more secure methods, like the tunnel within a tunnel PEAP, TTLS, all that.

I know that this is basically because LDAP is insecure so it doesn't work with the tunneled EAPs, but by that logic, shouldn't LDAPS work? It is encrypted so nothing is in the clear at any stage. Furthermore,  since the users are synced, the authentication is local anyway, therefore, it is secure.

Then there's the actual tunnels, IPsec, Is IPsec able to use the synced users for authentication or is it limited as well? It's got its own section for secrets, two actually, it already hints at No.

What packages/areas (first and/or third party) can use the local directory service fully besides the system's auth and the cert manager?

Thanks!


*: a little later I discovered this can't be done even with the manually added users anyway. :( I tried setting IP addresses, routing info, VLANs... Only VLANs work. Thankfully this works great on pfSense's FreeRADIUS (where ironically LDAP, secure or not, ain't much of a success) and I can keep that only for my MAC-based auth which is much nicer to manage in either of the two firewalls than in AD Users and Computers or AD Administrative Center or Windows Admin Center.

8
Virtual private networks / How do I select global no auth source for IPsec?
« on: March 18, 2021, 03:08:31 pm »
Following the setup guide of the documentation it says to select no backend for the authentication. The problem is it won't let you do that:



If you leave the page whatever you saved in there is lost so the tunnel will get no network infrastructure info, which is all in there: DNS servers, domain name, addresses for the client...

Should I leave the authentication source blank in the phase instead?

Thanks!

9
20.7 Legacy Series / Netflow receiving
« on: December 08, 2020, 03:26:52 am »
Can OPNsense receive Netflow data from external sources?

I added it as a Netflow collector on a vSphere Distributed Switch using the default port number it prepopulates (2056) and added a NAT rule to redirect to the prepopulated address as well, since it's 127.0.0.1. I figured otherwise it would not reach it.

I just did this, but so far I've seen no difference. OPNsense is a secondary firewall, it doesn't have a direct connection to anywhere on the network, it's only connected to an isolated virtual switch for which the only exit is through another firewall, any traffic/data should be fairly easy to spot.

Thanks. :)

10
20.7 Legacy Series / Re: Problem with NAT, firewall is blocking traffic
« on: September 28, 2020, 06:51:54 am »
...nevermind, it is not my config, I just discovered it will not work on directly connected interfaces either.

Why would you put out a product that can't handle the basics though, it hurts perception. Now I'm officially done with OPNsense, it's been a massive waste of time and loss of data. :/ Back to the boring but reliable pfSense.

11
20.7 Legacy Series / Re: Problem with NAT, firewall is blocking traffic
« on: September 28, 2020, 03:20:19 am »
[forgot the attachment!  ;D]

12
20.7 Legacy Series / Problem with NAT, firewall is blocking traffic
« on: September 28, 2020, 03:19:23 am »
[See the attached diagram]

[Ready?… OK. Last time I was told I should attach screenshots or something :)]

Hey all,

What you're seeing there is a rough approximation of the network. I'm moving from another platform where the firewall was responsible for maintaining a site-to-site link to a remote firewall. The purpose of this is getting a static IPv4 address, which my ISP no longer offers.

Anyway, S2S works, there's full communication and I'm even collecting SNMP data from the interfaces on the remote site. The problem is that OPNsense doesn't let traffic go out. I located the states and only one side is established; subsequent states are waiting. The only thing I could come up with is allowing traffic out from the interface where the server is, but it makes no sense, there should be no need to allow traffic out if there's an inbound rule/port-forward that should allow the server to reply if requested.

The subnet where the server lives has rules to allow only traffic to RFC1918 and RFC1918v6 (a misnomer for my /48) networks and ICMP to everywhere. It has no specific blocks, none of the interfaces have. I skipped using the interface that's auto-designated as "LAN" by the setup wizard because it's sort of unclear if it blocks by default as secondary LANs do.

Where could I look for more information for this in the box? -- I already did basic troubleshooting, checked that the servers have the correct gateway, that they can reach the Internet via the tunnel (allowing traffic temporarily) and locally and the other tunnel, firewall optimization is set to conservative. Everything checks out, I'm lost here. :/ The only thing I noticed is that latency (gateway monitoring) is off the charts, about 400-550ms, it was never this high before. But, there is no packet loss and actually doing pings FROM a server reports something like 30-40ms.

13
20.7 Legacy Series / Re: How to import HAProxy's config file from elsewhere
« on: September 27, 2020, 05:25:28 am »
Hey guys thanks for answering. My email is down, actually I've been offline for several hours because I thought since I'm giving OPNsense a shot it should be a fair shot so I moved the servers network to a new VLAN--huge mistake, I had some hypervisor drama mixed with OSPF but I think the worst is over. The network changed so much I can't go back to pfSense now; the snapshot I took has been effectively obsoleted, so let's learn some stuff… :)

In the other platform I have two [public] ports like most setups would, port 80 is for some servers that actually need to run in port 80 like OCSP from my CA, the non-HTTPS version of a privacy policy site, all that, what doesn't match goes to a backend (the default backend) that in turn redirects to 443, this is normally done right in the frontend but doing it as a backend allows for more flexibility.

Then there's 443, traffic comes in and first SNI websites that are too painful to offload or have better performance only using their own termination are filtered out, the rest goes to 1 of 4 backends that loop back to different frontends listening internally on the loopback address (127.0.0.1) according to the type of traffic, ADFS/private/strictCSP/relaxedCSP:
  • (first up) Active Directory Federation Services--very extremely picky server as it's not meant to be terminated outside but it can get expensive maintaining its certificates so it must be terminated outside for ACME certs,
  • (then) sites not meant to be available outside the network--some of those are further filtered by an alias, (then) Active Directory Federation Services--very extremely picky server,
  • (then) sites with super strict Content Security Policy headers and
  • (finally) the rest. send-proxy-v2 and accept-proxy directives are used in the frontends/backends to keep track of IP addresses across loops. There are no default backends set in the second-stage secure frontends.

There's config in each frontend to redirect error traffic to specific static pages, for instance, if you hit a 503 instead of returning that, it'll return a 200 and instead show you a page that tells you you hit a 503. This was to prevent Cloudflare error pages taking over and fiddling with HAProxy error settings, but I'm not proxying through Cloudflare anymore so it's only for the nicer presentation. The code is a simple one line per error in the adv section, nothing fancy either.

On the backends there's nothing complicated, the most complex scenario I think is for a SEARX instance that limits requests, ADFS has some advanced code, and that's it.

It's ironic now it's the ideal time to set this up because things are "new" so to speak but at the same time things are broken, on fire, the dog is barking nonstop so there's no time to take a course on complicated UIs. ;D At least I should have the old proxy working again any minute now and it'll buy me some time. I didn't post pictures earlier since I was asking for a location, I didn't think they'd matter, sorry. I'm attaching them provided I can compress them enough, it's pretty tight in here and I can't host them right now! Irony!  ;D

14
20.7 Legacy Series / How to import HAProxy's config file from elsewhere
« on: September 26, 2020, 01:22:30 am »
I'm moving (again…) from pfSense to OPNsense. I've tried this several times in the past but it is HAProxy which is crucial for me the part that never lets me complete the migration. I've never been particularly skilled at HAP in the but I've gotten a little better, I now know what stuff means and does and thought about giving it one last shot.

It didn't quite work out like planned… It's not that it's hard--I understand it now--it's just that the OPNsense UI breaks it in so many steps for the sake of modularity (I assume) but it ends up more complicated than actually writing the config file uncommented from scratch. That was exactly the thought that brought me here, to ask you guys if you by chance know where it is and if it's editable by hand (pasted and adapted accordingly in my case). I noticed ordinary things like the aliases are exported in serialized config files now.

It would be super helpful because then I would be able to use the official docu that I will likely need. using OPNsense's HAProxy I'm not sure I'll be able to set loopback backend to do it all with a single port like before. I've been dying for years to use the flexibility OPNsense offers with its bleeding edge (as firewalls go) plugin selection and unlocked pkg repos, contrary to pfSense, but it all becomes irrelevant if I need to keep the pf machine just for the proxy with extra NAT running  for the proxy with an extra NAT layer in addition to OPN's VM. :( I just need to know where the files are, FreeBSD is weird how it sort of follows Linux dir structure but with stacked on top of something even weirder like /var/db/etc <--Whatthef--that makes no sense! I can never find any "standard" UNIXy location in FreeBSD or macOS. :/

I'm rambling now. If you know about this please share! :D

15
20.7 Legacy Series / Editing aliases outside of OPNsense
« on: September 21, 2020, 04:48:34 pm »
I'm trying to return to OPNsense but my aliases have changed quite a bit since the last time I tried using it. I got a backup of them that I uploaded into the firewall and downloaded again so I would get the newest format, from then my plan was to use an IDE or something like that to quickly edit the alias list and reapply.

It was all going fine until I noticed the JSON entries in the file appear to be serialized. Not only that, this new value appears to be some sort of key for the whole entry. And, because I am no dev, I understand zero percent of what's going on. :)

I am aware that I'd be at risk of losing all of my edits or maybe crashing the firewall if there's like some conversion to generate that serial if I enter something else arbitrary. I don't know if simply copying an existing serial will merge the source with the entries, half of the time I'm struggling just to escape JSON correctly.

Can the alias tables be edited outside of OPNsense anymore? If so, are there guidelines for it?

Thanks!
