Messages

Also posting site's A and B server and client settings would help. Specifically:

Tunnel Network
IPv4 Local Network

Im assuming you are only using IPv4

Dear all,
I have been struggling to route traffic and running between opnsense and pfsense.
Opnsense is running 17.7.8
Pfsense is running 2.4.4
both box are running openvpn version 2.4.6_3
the tunnel is up on both sides, the issue is we cannot connect from location A to B and otherway arround.
this issue is mostly if the tunnel or remote ip are differents but i've checked them like 100 time.

Can someone please advies me how to get ths routing correctly set up.

Thank you so much

Firewall rule created on openvpn interface to allow traffic ?

[Firewall: NAT: Port Forward]

Please see https://forum.opnsense.org/index.php?topic=8710.msg39035#msg39035

I had actually already looked at that, but still wasn't working

I removed all the rules and reapplied the following settings only, any other setting under the Port Forward menu I left at their defaults (never even went into the advanced for Source)

Option
Firewall: NAT: Port Forward

Interface: WAN
TCP/IP Version: IPv4+IPv6
Destination: WAN address
Destination port range: from/to other 32400
Redirect target IP: PlexServer (or IP Address)
Redirect target port: other 32400
Description: Plex Remote Access
Nat reflection: Enable
Filter rule association: Pass

This now seems to be working, but will monitor it for the next 24/48 hours

If you are using unbond DNS remember to set custom options

Please see https://forum.opnsense.org/index.php?topic=8710.msg39035#msg39035

Are you using opnsense at both locations for dhcp and to register those dhcp leases to dns resolver?

Do both locations have separate domain names?

If so you can add a domain override on each router to allow the remote subnet to query their dns servers .

Example:
SITE A domain name is fries.local (192.168.2.1)
SITE B domain name is burger.local (192.168.3.1)

Site A pc needs to find a PC on Site B network by hostname. I can create dns record on site A or tell the router that any incoming query for domain burger.local send it to site B's dns server to resolve

You will also need to add custom DNS option

Here is a screenshot of how your rule should look. Source is any and destination is WAN. Destination port is plex port (default 32400). Redirect IP is you local plex server IP and redirect port is your local plex port (32400 default)

Im currently trying to delete the IDS Rule Updates CRON JOB but it will not delete. IDS is currently not enabled and the job in question is able disable. I get the prompt to "Remove Selected Item", i select yes, i do not get an error but the job will not delete. No errors in the log on issue

1. Correct pfBlockerNG is not available.
2. From what I understand, the GeoIP updates every day (Gurus correct me if I'm wrong).
       *Source: core/src/opnsense/scripts/filter/lib/alias.py (line 160)
3. All Aliases auto-update, pull information, or populate in the pfTables as soon as you click the Save button.
4. I've tested firehol alias and it's working fine for me.
       *Alias has similar settings like yours: https://www.screencast.com/t/YrEu7vG2iyQ2
              -Firehol alias using this URL: https://iplists.firehol.org/files/firehol_level1.netset
       *pfTables populated immediately after saving the alias: https://www.screencast.com/t/cpZvnqyaI
5. Yes, your firehol alias set for 1 day expiration will update every day.
6. You can force an update by editing the alias, make no changes, and click Save button.

Recommendations
1. Please check your Alias Names and Descriptions. It appears you have multiple typos that can make troubleshooting confusing when your configurations become more complex.
2. Please consider allowing access for a smaller group of aliases vs denying the entire world. This will make your tables smaller, easier to troubleshoot, use less RAM, better performance, etc.

Thank for the info. FIREHOL is working now. I can see offenders being blocked in the firewall logs

I read through a past post stating PFBLocker is not available but the same functionality can accomplished using the firewall alias

I created a couple alias to test



Added my firewall floating rules



Checked my firewall logs and everything except for my firehol which i will get to later. My question is how often does the GEOIP list get updated ? I do not see a interval setting stating how often the GEOIP list gets updated

And finally my firehol doesn't seem to be working. I've set the expiration to 1 day for this alias. Does this mean after a day it grabs the new list ? Additionally how do i force an update ?

i had the same issue after updating last night. I ended up bumping the Firewall Maximum Table Entries to 500,000 and rebooting. I can spare 500MB of RAM for this.

Is is possible to include pushover notifications with the release of 18.1 ?

I think you might have configured the proxy incorrectly. Are you using letsencrypt cert for ssl inspection? You cannot use letsencrypt for ssl inspection, you will need an internal CA or self signed cert. Please go through the proxy documentation once again.

Thank you,
Regards,
Bobby Thomas

Hmmm why can't i use a letsencrypt cert ? I know the documentations states using a  self signed cert however i wanted to bypass importing of that cert to my workstations by using a cert issued by letsencrypt thats tied to my dynamic dns by duckdns . As such it should be valid cert and not receive any warnings

ok getting several weird errors in my system.log

1st 

Code Select Expand

Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 0: ioport 0xc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 1: ioport 0x1c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 2: ioport 0x2c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 3: ioport 0x3c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 4: ioport 0x4c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 5: ioport 0x5c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 6: ioport 0x6c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 7: ioport 0x7c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 8: ioport 0x8c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 9: ioport 0x9c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 10: ioport 0xac00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 11: ioport 0xbc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 12: ioport 0xcc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 13: ioport 0xdc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 14: ioport 0xec00 alloc failed

Found this FreeBSD bug in regards to issue https://lists.freebsd.org/pipermail/freebsd-current/2014-October/052554.html

Second error

Code Select Expand

module_register_init: MOD_LOAD (vesa, 0xffffffff81149b90, 0) error 19

From what i was able to find this is a video driver issue which shouldn't affect my boot time.

I'll put it into production this weekend. I can live with the delayed boot time at this point

Maybe this is a console setting: System: Settings: Administration, choose "EFI" as primary console.


Cheers,
Franco

ok