#31
20.7 Legacy Series / Re: internet but no internet
August 02, 2020, 10:55:33 AM
Hi,

you mention that you can ping some hosts on the Internet. What is not working then?

You also mention that while the ARP cache is being flushed the internet does not work... How long does that actually take? Normally that should be a matter of a few milliseconds.

Maybe the issue is that your ISP router somehow glues the MAC address of your router? In that case you could fake the OPNsense box's MAC address on the WAN port.

BR
Manuel
#32
20.7 Legacy Series / Why using stunnel via NAT only?
August 02, 2020, 09:24:11 AM
Hi,

the stunnel documentation as well as the GUI help on the plugin's configuration mention that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand, the online help for NAT mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel
#33
Hi,

I cannot confirm your problem on my OPNsense instance. It works for me.
Maybe your API key expired?

BR
Manuel
#34
20.7 Legacy Series / Routed IPsec loses static routes
August 01, 2020, 12:18:54 PM
Hi,

there was already an issue reported for 20.1, but this still seems not to be resolved in 20.7: static routes which target a routed IPsec interface (e.g. ipsec2000) keep disappearing. I can observe this on several OPNsense instances and did not really find a workaround other than manually pressing the "Apply" button in the routing configuration.

How to troubleshoot this? Which service is responsible for applying static routes?

Thanks and BR
Manuel
#35
Hi,

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:

Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern

All CAs are installed in OPNsense. As "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but by its ancestor.

When trying to connect to this OpenVPN server I receive the error VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why should its root be validated? :-\

Anyway, the solution to this is simply adding the "Root CA" to the OpenVPN's certificate (/var/etc/openvpn/server1.ca), but my question is whether it is valid and intended behaviour that OpenVPN questions my configured peer certificate authority.
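The verify failure above, reproduced with a throwaway PKI as an added example (not the poster's configuration; all CA names, file names and keys are constructed here): OpenSSL, which OpenVPN uses for certificate checks, only accepts a chain that ends in a self-signed root from the trust store, so a sub-CA alone fails at depth 1 unless partial-chain trust is explicitly enabled.

```shell
#!/bin/sh
# Added example: Root CA -> Client Sub-CA -> user1, with the server cert signed
# by the root (as in the post). All names are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME CA:TRUE|CA:FALSE ISSUER  (ISSUER "self" = self-signed root)
issue_cert() {
    name=$1; ca=$2; issuer=$3
    printf 'basicConstraints=critical,%s\n' "$ca" >"$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/CN=$name" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# verify_with CAFILE CERT [openssl verify flags...]: prints "ok" or the first
# chain error in the same form OpenVPN reports it (error code, depth, reason).
verify_with() {
    ca=$1; cert=$2; shift 2
    if out=$(openssl verify "$@" -CAfile "$WORK/$ca" "$WORK/$cert" 2>&1); then
        echo ok
    else
        echo "$out" | grep -o 'error [0-9]* at [0-9]* depth lookup:.*' | head -n 1
    fi
}

issue_cert root   CA:TRUE  self
issue_cert subca  CA:TRUE  root
issue_cert user1  CA:FALSE subca
issue_cert server CA:FALSE root           # server cert signed by the root only
cat "$WORK/root.pem" "$WORK/subca.pem" >"$WORK/chain.pem"   # the fix from the post

# Sub-CA alone as "peer CA": chain stops at a non-self-signed cert -> depth 1 error
echo "subca only:     $(verify_with subca.pem user1.pem)"
# Root added to the CA file: chain reaches a self-signed anchor -> ok
echo "root + subca:   $(verify_with chain.pem user1.pem)"
# Same sub-CA-only trust store, but partial-chain trust explicitly allowed -> ok
echo "-partial_chain: $(verify_with subca.pem user1.pem -partial_chain)"
```

OpenVPN does not enable partial-chain trust, which is why the sub-CA-only CA file produces exactly the depth=1 "unable to get issuer certificate" error and adding the root fixes it.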
#36
Hey,

I've discovered a weird problem with the DNS forwarder's override feature when using the "Source IP" field in the override definition: OPNsense adds a static route for the DNS server configured in the override, using the "Source IP" as the gateway (i.e. itself). This allows the DNS forwarder to reach the DNS server using the "Source IP", but it also has a weird implication for all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense sends an ICMP redirect triggered by the static route.

I think an example shows more than any explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel
#37
Thanks, franco, that fixed the update!

Manuel
#38
Hi,

just wanted to update an OPNsense 15.7.25-amd64 box to 16.1, but the update always fails at the same point:

root@detroid:~ # opnsense-update
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (70 candidates): 100%
Processing candidates (70 candidates): 100%
Checking integrity... done (3 conflicting)
Checking integrity... done (0 conflicting)
The following 63 package(s) will be affected (of 0 checked):

...

[6/63] Extracting ca_root_nss-3.22.2: 100%
[7/63] Deinstalling isc-dhcp42-relay-4.2.8...
[7/63] Deleting files for isc-dhcp42-relay-4.2.8:   0%/usr/local/lib/libpkg.so.3: Undefined symbol "openat"
BR,
Manuel
#39
Hi,
if I understand your scenario correctly, you don't need to configure any NAT for this setup (or do you use outbound NAT on any of the interfaces?). I guess that some filter rules are just blocking the connection. Could you post your active rules (e.g. Firewall: Diagnostics: pfInfo, Rules)?

I don't understand:
Quote:
I think the issue is that the IP I am coming from is a 172.26.x.x address, which is unknown to Opensense, though its card is connected the same as every other device on network 1...
Is the IP 172.16.x.x actually part of the same subnet as network 2 (172.26.0.0/20)? What do you mean by "connected the same as every other device"?
#40
Hi,
do you use a static IP configuration on the WAN port or DHCP?

If you use DHCP: you can tune the timeout and retry intervals in the Interfaces setting page.
If you use a static IP: how's the behavior if you connect a different device than OPNsense? Maybe the 4G modem needs some time to start up?
#41
Quote from: hollsten on January 11, 2016, 05:13:51 PM
When is the plugin interface supposed to arrive?
16.1

Quote from: fabian on January 11, 2016, 04:49:28 PM
If you want to use scp, that already works now (you only need to enable SSH).
Ah, I hadn't seen that there is even a config backup under /conf/backup. :)
#42
Vote for rsync/scp, since WebDAV requires an extra service on most UNIX systems.
Or else: simply store it locally on the firewall and let an external script fetch the backup over whatever protocol (HTTPS API, scp, rsync, ...); then this service is maintained within OPNsense's lifecycle.

Regards,
Manuel
#43
15.7 Legacy Series / Re: 100% CPU load
January 11, 2016, 09:16:32 AM
top -HS does not show anything else :(

last pid: 40302;  load averages:  3.40,  3.19,  3.10                                                                        up 4+15:39:58  09:16:43
147 processes: 7 running, 124 sleeping, 16 waiting
CPU: 79.8% user,  0.0% nice, 20.0% system,  0.2% interrupt,  0.0% idle
Mem: 29M Active, 134M Inact, 251M Wired, 364K Cache, 360M Buf, 3501M Free
Swap:

  PID USERNAME   PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
92849 root        52    0   121M 30056K ppwait  1   1:03   3.17% php-cgi
   11 root       155 ki31     0K    32K RUN     1  36.3H   0.49% idle{idle: cpu1}
   12 root       -92    -     0K   256K WAIT    1  31:05   0.10% intr{irq261: re2}
47459 root        52    0 16972K  2452K wait    0   4:39   0.10% sh
33817 mf          20    0 21824K  3172K CPU1    1   0:00   0.10% top

CPU utilization is 80%, but no processes with high load are shown...

This time I have the CPU load on a different OPNsense box than the last time.
#44
Push...

Facing the same issue, I've temporarily solved it as follows:

  • Create a gateway with the internal firewall IP (e.g. called "SELF")
  • In the Settings: General section, where you configure the OPNsense DNS server, select the configured gateway as gateway to access the corresponding DNS server

It's not really a clean solution, since now each connection to the DNS server via the firewall (also access from within the LAN) will result in one loop-routing hop, which looks like:

Code (OPNsense: 10.2.0.1/16, remote DNS: 10.1.1.1, ping from 10.2.1.0/24):
% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
From 10.2.0.1: icmp_seq=1 Redirect Host(New nexthop: 10.1.1.1)
From 10.2.0.1 icmp_seq=1 Redirect Host64 bytes from 10.1.1.1: icmp_seq=1 ttl=126 time=111 ms
Any other (clean) solutions?
#45
Hi Franco,

Currently it's still implemented as described above. I'll create a PR to address it.

BR,
Manuel