OPNsense
Messages - bartjsmit

1906
General Discussion / Re: ROUTE and Captive Portal
« on: November 11, 2016, 11:33:47 am »
Hi Littleboy,

The access point can be on the same network as the OPNsense LAN port, it doesn't really matter how the clients connect to the firewall over layer 2.

You can use the firewall for DHCP to ensure clients have OPNsense as their default route out to the internet, or you can have an internal DHCP server to do the same.

Bart...

1907
16.7 Legacy Series / Re: No access or communication for servers beyond the firewall
« on: November 10, 2016, 07:17:48 pm »
If your firewall interface is accessible from the WAN, you may have the LAN and WAN interfaces mixed up. OPNsense's web interface should only be accessible on the LAN interface. As Bill said, having it accessible from the internet is a bad idea.

For safety, keep the WAN interface down and ensure that you can reach the web configuration from internal clients on an RFC 1918 range using the LAN interface. Then enable the WAN connection and confirm you can ping 8.8.8.8 from the firewall and internal clients before setting up port forwarding.

Bart...

1908
16.7 Legacy Series / Re: No access or communication for servers beyond the firewall
« on: November 10, 2016, 06:25:14 pm »
Any reason why you're not using DNAT for the internal hosts? If the reason is name resolution, look at split DNS.

Bart...

1909
General Discussion / Re: DNS filtering instead of using Squid
« on: November 09, 2016, 03:04:04 pm »
You may want to consider OpenDNS to filter access in combination with Squid.

https://www.kirkg.us/posts/using-opendns-with-opnsense/

Bart...

1910
General Discussion / Re: isp modem reboot = no internet
« on: November 08, 2016, 02:58:23 pm »
Is your gateway monitor running when you bounce the modem?

You can set an OpenVPN client to disabled and enable it when you need it.

Bart...

1911
16.7 Legacy Series / Re: OpenVPN connections keep dropping
« on: November 08, 2016, 02:41:19 pm »
Yes, I agree that you need to consider downtime to swap interfaces. Not an awful lot you can do safely while in production without having a fail-over firewall, either through CARP or secondary routing by your clients.

Any mileage in creating a pre-production environment?

Bart...

1912
16.7 Legacy Series / Re: OpenVPN connections keep dropping
« on: November 07, 2016, 04:57:15 pm »
Is your host up to 5.5 U3? Have you tried vmxnet3 (if_vmx in FreeBSD) instead? Are you using the official VMware tools, or open-vm-tools?

You could also try VMDirectPath I/O for the WAN connection, if the host has some spare NICs.

Bart...

1913
16.7 Legacy Series / Re: OpenVPN connections keep dropping
« on: November 07, 2016, 12:13:45 pm »
You either have a very beefy piece of hardware to use a Xeon, or you are running OPNsense as a VM. Do you have more platform details please? There are some hypervisor/NIC model/NIC driver combos that have issues with OPNsense and its underlying FreeBSD OS.

Bart...

1914
General Discussion / Re: static Route
« on: November 05, 2016, 05:26:47 pm »
Typo perhaps? You have .6 in your post from yesterday and .16 in your routing table.

If you're sure your routing is correct both ways, run traffic capture on OPNsense and ping both ways.

Bart...

1915
General Discussion / Re: External access to opnsense GUI
« on: November 05, 2016, 11:02:09 am »
If those IPs are not on a WAN, don't use the WAN interface to connect to them (use an OPT interface). If they are on the public internet, you open up attacks through source IP spoofing.

As mentioned in this thread, firewalls risk being compromised if traffic is mixed. In a high security environment you would separate production traffic from firewall management traffic by VLAN.

Bart...

1916
General Discussion / Re: static Route
« on: November 05, 2016, 10:51:04 am »
What about the static routes on router1?

Bart...

1917
General Discussion / Re: static Route
« on: November 04, 2016, 11:18:48 pm »
System, Routes, All, Add Route

Bart...

1918
16.7 Legacy Series / Re: OpenVPN connections keep dropping
« on: November 04, 2016, 06:18:00 pm »
50 concurrent users may cause some load. What hardware are you using? Any crypto off-load in the CPU or otherwise?

Bart...

1919
16.7 Legacy Series / Re: more confusion about VPN routing
« on: November 04, 2016, 06:16:00 pm »
If a VPN user has a source IP from the firewall, then the firewall is applying NAT.

Bart...

1920
16.7 Legacy Series / Re: Update 16.7.6 to 16.7.7 needs reboot
« on: October 27, 2016, 11:16:34 pm »
Hi Andreas,

Shameless plug; I wrote a script that checks OPNsense for updates and sends you an email if any are available. The email will state when the update involves a reboot.

https://forum.opnsense.org/index.php?topic=2032.0

Bart...
