1
22.1 Legacy Series / Re: IP alias & virtual masks limited to IPv4-only? Want to add v6 ULA address.
« on: June 22, 2022, 09:51:37 pm »
Thanks for the quick reply; I'll try it later. Seems counter-intuitive, from a UI perspective.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
22.1 Legacy Series / IP alias & virtual masks limited to IPv4-only? Want to add v6 ULA address.
« on: June 22, 2022, 09:45:36 am »
Hey everyone. So I support a site that has nascent IPv6 support from its ISP via DHCPv6. Internally, we use a ULA to support internal traffic over our VPN, virtual machines, & local site systems. However, there is not presently an obvious way for me to have both a "tracked" IPv6 LAN address, as well as a static address for the ULA. Some other folks have suggested virtual IP, or IP alias; but as of 22.1, the only netmasks for those addresses are 32 or less, which means IPv4-only. 
Please advise. Thank you.
Please advise. Thank you.
3
General Discussion / Re: How to setup FreeRadius to bind to Windows AD with LDAP
« on: January 20, 2022, 11:46:26 am »
I ran into some weird stuff with tying that FreeRADIUS setup to IPsec. EAP-RADIUS doesn't seem to work with it authenticating against LDAP/AD.
https://forum.opnsense.org/index.php?topic=26429.0
https://forum.opnsense.org/index.php?topic=26429.0
4
21.7 Legacy Series / Difficulty getting IPSec EAP-RADIUS working on 21.7.7 with Windows 11
« on: January 20, 2022, 10:22:00 am »
Hey all. Using instructions from https://docs.opnsense.org/manual/how-tos/ipsec-road.html & https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html ; and a lot of trial-and-error with the cipher keys; I can connect my Windows 11 system to OPNsense. However, two issues remain....
1. I have FreeRADIUS set up to authenticate via LDAPS to an Active Directory server. However, while it authenticates in OPNsense, it gets password errors for VPN users. Making a local VPN user gets around this, but...
2. The client gets a subnet mask of 255.255.255.255. It's immediately unclear from the documentation if you need to use a dedicated IP range with a virtual IP, and/or routing rules to connect that to the LAN IP ranges (using IPv4 & IPv6 at the remote site).
I feel like this stuff may have been working before in the past, but maybe not now? Please advise. Thanks.
Added details....
1. Regarding the authentication issue, the error I see in the FreeRADIUS logs...
2. Regarding the routing issue, I did see this in the IPsec log...
3. Regarding IPsec connectivity & the tutorials given, the default set of Windows ciphers don't neatly overlap with it, and give inconsistent behavior; reporting this to Microsoft. The default working CIPHER for EAP-RADIUS, came out to be ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Microsoft report: https://aka.ms/AAfj0rb
is initiating an IKE_SA
initiating a Main Mode IKE_SA
1. I have FreeRADIUS set up to authenticate via LDAPS to an Active Directory server. However, while it authenticates in OPNsense, it gets password errors for VPN users. Making a local VPN user gets around this, but...
2. The client gets a subnet mask of 255.255.255.255. It's immediately unclear from the documentation if you need to use a dedicated IP range with a virtual IP, and/or routing rules to connect that to the LAN IP ranges (using IPv4 & IPv6 at the remote site).
I feel like this stuff may have been working before in the past, but maybe not now? Please advise. Thanks.
Added details....
1. Regarding the authentication issue, the error I see in the FreeRADIUS logs...
Quote
Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication)
2. Regarding the routing issue, I did see this in the IPsec log...
Quote
installing route failed: (VPN IPV6 ADDR)/128 via (WAN IPV4 GATEWAY) src (LAN IPV6 ADDR) dev em0
adding PF_ROUTE route failed
3. Regarding IPsec connectivity & the tutorials given, the default set of Windows ciphers don't neatly overlap with it, and give inconsistent behavior; reporting this to Microsoft. The default working CIPHER for EAP-RADIUS, came out to be ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Microsoft report: https://aka.ms/AAfj0rb
is initiating an IKE_SA
Quote
received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
initiating a Main Mode IKE_SA
Quote
received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
5
General Discussion / Re: How to setup FreeRadius to bind to Windows AD with LDAP
« on: January 16, 2022, 11:10:05 pm »
Hey all. As of 21.7 , this appears to be the required parameters for AD user search. The answers in this post helped me sort this out; thanks!
Code: [Select]
Bind User: CN=FreeRADIUS,CN=Managed Service Accounts,DC=AD,DC=EXAMPLE,DC=ORG
Base Domain: DC=AD,DC=EXAMPLE,DC=ORG
User Search: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
Group Search: (memberOf=CN=Users,DC=AD,DC=EXAMPLE,DC=ORG)
6
Hardware and Performance / Had an idea to use an ASRock 4X4 BOX-4800U for this, possibly as a VM.
« on: October 19, 2021, 01:13:18 am »
If you look up the spec for this online, it comes with an AMD APU that's rated for 1080P gaming @ 15W, and has both 1gbit and 2.5gbit Realtek NICs. Anyone use this kind of setup yet? Also pondering running it as a KVM host, with OPNsense as a VM; I've done that before on other systems. Thanks.
7
General Discussion / Looking for feedback from ZeroTier users
« on: August 10, 2020, 09:37:04 pm »
Hey all. I've used ZeroTier on OPNsense before, and as of last week, I work for them now! I'm trying to get some feedback on use and make folks aware of some additional support resources. It's especially awesome that it works in OPNsense since you can use it to create a cross-network appliance with other solutions.
Thanks!
- https://www.reddit.com/r/zerotier/comments/i4k5tu/what_are_you_using_zerotier_the_most_for_right/
- https://github.com/zerotier/ZeroTierOne/labels/BSD
Thanks!
8
16.1 Legacy Series / Easiest way to delete expired DHCP leases? Or feature request for that ability?
« on: February 06, 2016, 04:19:40 am »
It seems despite DHCP being set to have leases on a 6-12h period, I have a backlog of leases going back to August. Just updated to 16.1 from 15.7, so curious to see if there's a safe way to purge the old expired leases, or if a feature could be added to wipe out all expired or offline leases. Thanks!
9
15.7 Legacy Series / Re: [SOLVED] Weird hiccup with unbound DNS resolver in 15.7.7_1
« on: August 07, 2015, 08:55:23 pm »
Acknowledged that the fix is in. Thanks!!! 
10
15.7 Legacy Series / [SOLVED] Weird hiccup with unbound DNS resolver in 15.7.7_1
« on: August 06, 2015, 04:40:26 am »
Updated to 15.7.7_1 today, and had rebooted later on for a different reason. After coming back online, and changing some stuff in the DNS resolver config & restarting the service, an odd hiccup occurred. Started getting a lot of errors like the following, and the resolver service was stuck in down mode....
Aug 5 19:14:03 unbound: [1878:0] error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:fopen:No such file or directory
Aug 5 19:14:03 unbound: [1878:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Aug 5 19:11:50 unbound: [44668:0] fatal error: could not set up remote-control
Aug 5 19:11:50 unbound: [44668:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Aug 5 19:11:50 unbound: [44668:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Aug 5 19:11:50 unbound: [44668:0] error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:fopen:No such file or directory
Aug 5 19:11:50 unbound: [44668:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Doing some digging around, I was able to get it going again by using the SSH shell to do the following....
* chown unbound:wheel /var/unbound
* sudo -u unbound unbound-control-setup
* chown -R root:wheel /var/unbound
* unbound-control reload
The OS is running on an SSD, and I am using a "nano" build, so maybe this is some race condition?
Aug 5 19:14:03 unbound: [1878:0] error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:fopen:No such file or directory
Aug 5 19:14:03 unbound: [1878:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Aug 5 19:11:50 unbound: [44668:0] fatal error: could not set up remote-control
Aug 5 19:11:50 unbound: [44668:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Aug 5 19:11:50 unbound: [44668:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Aug 5 19:11:50 unbound: [44668:0] error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:fopen:No such file or directory
Aug 5 19:11:50 unbound: [44668:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Doing some digging around, I was able to get it going again by using the SSH shell to do the following....
* chown unbound:wheel /var/unbound
* sudo -u unbound unbound-control-setup
* chown -R root:wheel /var/unbound
* unbound-control reload
The OS is running on an SSD, and I am using a "nano" build, so maybe this is some race condition?
Pages: [1]