Topics - Julien

#1
23.7 Legacy Series / Firewall Rule Question ( Resolved )
September 25, 2023, 12:46:49 PM
Hi there,

I'm in the process of uploading an ISO to a VMware server from the LAN to VLAN20. There are existing firewall rules allowing any-to-any traffic on both sides. However, I'm currently facing a firewall-related error on the screen. Your assistance in resolving this issue would be greatly appreciated.

Edit: issue is resolved and can be closed
#2
23.1 Legacy Series / Print over the vpn
July 29, 2023, 12:41:49 AM
Hello everyone,

We have set up a site-to-site WireGuard VPN to our datacenter. The LAN interface is configured to allow ports 443, 80, 53, and 9100 for printing to Konica devices.

However, when the users attempt to print from the remote location to the office, it doesn't work. Printing only functions when we add the rule "any to any."

Could someone advise why this is happening and what I might be missing here? Thank you!
#3
23.1 Legacy Series / Disk is 109% full
July 10, 2023, 04:27:54 PM
Hi guys,
Today we noticed the box is 109% full.

/dev/gpt/rootfs 49G 49G -3.9G 109% /
devfs 1.0K 1.0K 0B 100% /dev
devfs 1.0K 1.0K 0B 100% /var/dhcpd/dev
devfs 1.0K 1.0K 0B 100% /var/unbound/dev
/usr/local/lib/python3.9 49G 49G -3.9G 109% /var/unbound/usr/local/lib/python3

I cannot seem to find the log that filled up my disk.

Can you please advise how to clean this up?
#4
23.1 Legacy Series / Questions Regarding Subnets
May 29, 2023, 05:56:13 PM
Hi Guys,

I hope someone can point me in the right direction here.
We have a /29 subnet from our ISP, which we have configured our WAN on:
XX.XX.XX.XX/29 WAN1
We have added the other 8 IPs to Virtual IPs and it works fine.
With the second /29 subnet we did the same and added it to the Virtual IPs,
and added both gateways to System: Gateways: Single.

This week we got the 3rd subnet to test for our 10GB uplinks, with the same subnet.
When I tried to add the 3rd gateway it errors out:

The following input errors were detected:

The gateway address "X.XXX.X.X" does not lie within one of the chosen interface's IPv4 subnets.

Is this because the WAN is /29 and not /32?

Your help is appreciated.

thank you
#5
22.7 Legacy Series / 3 NAT not working
November 23, 2022, 07:31:12 PM
Hi guys,
I hope someone can help; I cannot seem to get it working.
The situation is we have 2 servers that need to be accessed externally and we have one external IP.
We have a rule on the WAN to access this firewall on our port and only from one IP (Office IP), which is working fine,
so I can access the firewall with its external IP without any issues.
When I enable the NAT rule internally to server 1 (port 4505) the external access to the firewall stops.
When I enable the second NAT only the one on the top works, but the firewall access is still not working.

When I disable the NAT, accessing the firewall starts working.
Our outbound is "Automatic outbound NAT rule generation".

Do I have to change it to hybrid and create the rules manually?

I appreciate any feedback.
#6
22.1 Legacy Series / Every hr reboot
January 15, 2022, 08:33:48 PM
Hi guys,
I have a box which is rebooting itself about once an hour. I am not sure what the cause is, but this behavior started after I updated to the 22.X release.
I am not sure where to look and which logs are relevant for this.

On System >> Logs >>> General I've found these logs, but they are related to Let's Encrypt.

2022-01-15T20:29:01 Notice /update_tables.py resolving 8 hostnames (4 addresses) for Lets_Encrypt_FQDN took 0.15 seconds
2022-01-15T20:29:01 Error /update_tables.py The DNS query name does not exist: acme-staging.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:29:01 Error /update_tables.py The DNS query name does not exist: acme-v01.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:29:01 Notice /update_tables.py resolving 3 hostnames (3 addresses) for ATT_IP took 0.11 seconds
2022-01-15T20:24:01 Notice /update_tables.py resolving 8 hostnames (4 addresses) for Lets_Encrypt_FQDN took 0.18 seconds
2022-01-15T20:24:01 Error /update_tables.py The DNS query name does not exist: acme-staging.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:24:01 Error /update_tables.py The DNS query name does not exist: acme-v01.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:23:01 Notice /update_tables.py resolving 3 hostnames (3 addresses) for ATT_IP took 0.07 seconds
2022-01-15T20:18:02 Notice /update_tables.py resolving 8 hostnames (4 addresses) for Lets_Encrypt_FQDN took 0.22 seconds
2022-01-15T20:18:02 Error /update_tables.py The DNS query name does not exist: acme-staging.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:18:02 Error /update_tables.py The DNS query name does not exist: acme-v01.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:17:01 Notice /update_tables.py resolving 3 hostnames (3 addresses) for ATT_IP took 0.06 seconds
2022-01-15T20:13:01 Notice /update_tables.py resolving 8 hostnames (4 addresses) for Lets_Encrypt_FQDN took 0.23 seconds
2022-01-15T20:13:01 Error /update_tables.py The DNS query name does not exist: acme-staging.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:13:01 Error /update_tables.py The DNS query name does not exist: acme-v01.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:12:01 Notice /update_tables.py resolving 3 hostnames (3 addresses) for ATT_IP took 0.09 seconds
2022-01-15T20:07:01 Notice /update_tables.py resolving 8 hostnames (4 addresses) for Lets_Encrypt_FQDN took 0.20 seconds
2022-01-15T20:07:01 Error /update_tables.py The DNS query name does not exist: acme-staging.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:07:01 Error /update_tables.py The DNS query name does not exist: acme-v01.api.letsencrypt.org. [for Lets_Encrypt_FQDN]
2022-01-15T20:06:01 Notice /update_tables.py resolving 3 hostnames (3 addresses) for ATT_IP took 0.06 seconds


Please advise where to look.

I appreciate it.

#7
Hi Guys,

Today is 18-12-2021 and I noticed Suricata has crashed and is not started; the log below shows it has been down for two days, from the 16th till the 18th.

2021-12-18T22:04:20 suricata[75736] [100742] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-16T22:27:08 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:60755 -> 1.1.1.1:53
2021-12-16T22:26:51 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:53952 -> 1.1.1.1:53
2021-12-16T22:26:47 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:63336 -> 1.1.1.1:53
2021-12-16T22:26:46 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:55014 -> 1.1.1.1:53
2021-12-16T22:25:46 suricata[31322] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:54059 -> 1.1.1.1:53


The audit log:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.7 (amd64/OpenSSL) at Sat Dec 18 22:13:32 CET 2021
>>> Check installed kernel version
Version 21.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***


***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.7 (amd64/OpenSSL) at Sat Dec 18 22:14:57 CET 2021
vulnxml file up-to-date
python37-3.7.11 is vulnerable:
  Python -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/0e561173-0fa9-11ec-a2fa-080027948c12.html

1 problem(s) in 1 installed package(s) found.
***DONE***




If I missed something please tell me so I can share.
I cannot seem to find the cause of why this is happening.

Can someone please advise, as I've been struggling with this for over 3 weeks now.

Thank you
#8
Intrusion Detection and Prevention / IDS New Policies
December 14, 2021, 04:20:35 PM
Hi Guys,
I would appreciate it if someone could give a bit of info about those new Policies on the new interface.
Some idea of how to use them would be appreciated.

#9
21.7 Legacy Series / 21.7.6 DNS DOT stopped working
November 27, 2021, 07:14:50 PM
Hi Guys,
I was happy having DoT working for a couple of weeks; after I updated today, I noticed it stopped working.
After some reboots it seems the DNS is working, but it's extremely slow.

We have a Domain Controller; the Domain Controller's DNS forwarder is the OPNsense.
I've NATed the DNS to the OPNsense on the LAN side.
This configuration has been working.

But for now it's stopped.

I've looked at the log but there is nothing really there to see why this behavior happens.

I appreciate any feedback.


2021-11-27T19:21:06 unbound[47763] [47763:2] debug: process_response: new external response event
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:5] info: 8RDd mod1 rep AMS-efz.ms-acdc.office.com. A IN
#10
Hi Guys,

I have configured the IDS; I haven't seen any alert for a long time.
Today I was looking and found these two.

Is this something I have to worry about? Change the alert to Drop?

Alert

ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body

Thank you
#11
Intrusion Detection and Prevention / 21.7.5 IDS error
November 20, 2021, 10:40:32 PM
Hi Guys,

I've been waiting to update the box to 21.7.5 as I was worried the IDS would crash. Unfortunately I had to update the box, so Suricata has been updated too.
After the update Suricata has pinpointed plenty of errors in the log.

Are the below errors something I have to worry about?


2021-11-20T22:35:59 suricata[26424] [100374] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2021-11-20T22:35:59 suricata[26424] [101239] <Notice> -- opened netmap:em0/T from em0: 0x3e791c92300
2021-11-20T22:35:59 suricata[26424] [101239] <Notice> -- opened netmap:em0^ from em0^: 0x3e791c92000
2021-11-20T22:35:59 suricata[26424] [101230] <Notice> -- opened netmap:em0^ from em0^: 0x3e790a6d300
2021-11-20T22:35:59 suricata[26424] [101230] <Notice> -- opened netmap:em0/R from em0: 0x3e790a6d000
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.certutilhttp' is checked but not set. Checked in 2833774 and 0 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 1 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gadu.loggedin' is checked but not set. Checked in 2807836 and 0 other sigs
2021-11-20T22:35:41 suricata[26424] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2021-11-20T22:35:37 suricata[16325] [100121] <Notice> -- This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
2021-11-20T22:35:36 suricata[3667] [100451] <Notice> -- Stats for 'em0^': pkts: 5, drop: 0 (0.00%), invalid chksum: 0
2021-11-20T22:35:36 suricata[3667] [100451] <Notice> -- Stats for 'em0': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-11-20T22:35:36 suricata[3667] [100451] <Notice> -- Signal Received. Stopping engine.
2021-11-20T22:35:36 suricata[3667] [100451] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.


Also I noticed there is a new button that has been added to Intrusion Detection, "Policy".
Is that the new way to configure it these days? Are those different from Administration / Rules?

Thank you
#12
Hi guys,
I previously had DoT working fine; the tutorial I followed is this: https://www.dnsknowledge.com/unbound/opnsense-set-up-and-configure-dns-over-tls-dot/

After the latest update DoT seems to have stopped working; at least https://1.1.1.1/help shows NO.

When I run

tcpdump -i igb1853

it shows some successful connections on 853.
Can someone please advise if the DoT behavior has been changed in the latest release?

DNSLEAK shows my DNS is correct (see screenshot).
The logs show DoT.

2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving azure.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving trafficmanager.net. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was nodata ANSWER
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for microsoft.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving microsoft.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was ANSWER
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was CNAME
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving teams.events.data.microsoft.com. A IN

What am I doing wrong?

Thank you
#13
Hi guys,
I hope someone can point me in the right direction. I've been using IDS for over 2 years;
yesterday we updated the box to 21.1.7, and since then Suricata keeps crashing with the below log.
It stops the service and I have to start it manually.


Thank you

2021-06-21T01:34:42 suricata[35325] [100280] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2021-06-21T01:34:42 suricata[35325] [101369] <Notice> -- opened netmap:em0/T from em0: 0x3e8cf080300
2021-06-21T01:34:42 suricata[35325] [101369] <Notice> -- opened netmap:em0^ from em0^: 0x3e8cf080000
2021-06-21T01:34:42 suricata[35325] [100225] <Notice> -- opened netmap:em0^ from em0^: 0x3e8ce0af300
2021-06-21T01:34:41 suricata[35325] [100225] <Notice> -- opened netmap:em0/R from em0: 0x3e8ce0af000
2021-06-21T01:33:42 suricata[35325] [100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2021-06-21T01:33:42 suricata[35325] [100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2820208 and 0 other sigs
2021-06-21T01:33:42 suricata[35325] [100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2021-06-21T01:33:42 suricata[35325] [100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2021-06-21T01:33:42 suricata[35325] [100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.certutilhttp' is checked but not set. Checked in 2833774 and 0 other sigs
2021-06-21T01:33:42 suricata[35325] [100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
2021-06-21T01:33:13 suricata[21102] [100286] <Notice> -- This is Suricata version 5.0.6 RELEASE running in SYSTEM mode
2021-06-20T03:01:09 suricata[29540] [100253] <Notice> -- rule reload complete
2021-06-20T03:00:39 suricata[29540] [100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2021-06-20T03:00:39 suricata[29540] [100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2820208 and 0 other sigs
2021-06-20T03:00:39 suricata[29540] [100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2021-06-20T03:00:39 suricata[29540] [100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2021-06-20T03:00:39 suricata[29540] [100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.certutilhttp' is checked but not set. Checked in 2833774 and 0 other sigs
2021-06-20T03:00:39 suricata[29540] [100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
2021-06-20T03:00:08 suricata[29540] [100253] <Notice> -- rule reload starting
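
Posts #7, #11 and #13 above come down to the same two questions: did the engine actually die (post #7 spots a two-day silence by eye), and do the SC_WARN_FLOWBIT warnings matter. As an added example, not code from the forum posts or from OPNsense, here is a small parser for exactly that log format which reports engine starts and stops, counts flowbit warnings separately from rule alerts, and flags any silent gap longer than a threshold. The sample lines are copied from post #7 plus two constructed lines (marked in the code) modelled on post #11.

```python
import re
from collections import Counter
from datetime import datetime

# Two line shapes appear in the posts above: engine messages
#   "<ts> suricata[<pid>] [<tid>] <Level> -- <message>"
# and rule alerts
#   "<ts> suricata[<pid>] [<gid>:<sid>:<rev>] <message>"
HEAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) suricata\[(?P<pid>\d+)\] (?P<rest>.*)$"
)
ENGINE_RE = re.compile(r"^\[\d+\] <(?P<level>\w+)> -- (?P<msg>.*)$")
ALERT_RE = re.compile(r"^\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*)$")
FLOWBIT_RE = re.compile(r"flowbit '(?P<name>[^']+)' is checked but not set")

# Sample input: three lines copied from post #7, plus two constructed lines
# (marked) modelled on post #11, so the gap detector has a stop event to work from.
SAMPLE_LOG = [
    "2021-12-18T22:04:20 suricata[75736] [100742] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode",
    "2021-12-16T22:27:10 suricata[31322] [100374] <Notice> -- Signal Received. Stopping engine.",  # constructed
    "2021-12-16T22:27:08 suricata[31322] [1:2029710:5] ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:60755 -> 1.1.1.1:53",
    "2021-12-16T22:25:46 suricata[31322] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.4.5:54059 -> 1.1.1.1:53",
    "2021-12-16T22:25:40 suricata[31322] [100374] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs",  # constructed
]


def parse_line(line):
    """Return one event dict for a Suricata log line, or None for anything else."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "pid": int(m["pid"])}
    e = ENGINE_RE.match(m["rest"])
    if e:
        ev.update(kind="engine", level=e["level"], msg=e["msg"])
        return ev
    a = ALERT_RE.match(m["rest"])
    if a:
        ev.update(kind="alert", sid=a["sid"], msg=a["msg"])
        return ev
    return None


def analyze(lines, max_gap_hours=24.0):
    """Summarise starts, stops, alerts, flowbit warnings and silent gaps."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])  # the GUI lists newest first
    report = {"starts": [], "stops": [], "alerts": 0,
              "flowbit_warnings": Counter(), "gaps": []}
    for ev in events:
        if ev["kind"] == "alert":
            report["alerts"] += 1
            continue
        if ev["msg"].startswith("This is Suricata version"):
            report["starts"].append((ev["ts"], ev["pid"]))
        elif "Stopping engine" in ev["msg"]:
            report["stops"].append((ev["ts"], ev["pid"]))
        fb = FLOWBIT_RE.search(ev["msg"])
        if fb and ev["level"] == "Warning":
            # Rule-set consistency warning: a rule tests a flowbit that no
            # loaded rule sets. Suricata keeps running; nothing to "fix" here.
            report["flowbit_warnings"][fb["name"]] += 1
    # A long silence between consecutive entries is the sign of an engine
    # that died without logging a clean stop.
    for prev, cur in zip(events, events[1:]):
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        if hours > max_gap_hours:
            report["gaps"].append((prev["ts"], cur["ts"], round(hours, 1)))
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for gap in r["gaps"]:
        print(f"no Suricata output between {gap[0]} and {gap[1]} ({gap[2]} h)")
    print(f"starts={r['starts']} stops={r['stops']} alerts={r['alerts']}")
    print(f"flowbit warnings: {dict(r['flowbit_warnings'])}")
```

On a real box, feed it the lines of the Suricata log from the GUI or from the log directory; a gap report with no matching stop event is the pattern post #7 describes.
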

#14
21.1 Legacy Series / ERR_SSL_PROTOCOL_ERROR GUI
January 30, 2021, 01:34:35 AM
Hi guys,
After updating one box I lost access to the GUI as well as SSH.
The error keeps showing ERR_SSL_PROTOCOL_ERROR.
Usually it was fixed with this command to revert back: opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart
But it appears it failed to revert to 20.7.6 on 21.1.

Hope someone has an idea how to restore the GUI.

thank you
#15
General Discussion / LACP is not working
November 22, 2020, 12:30:48 AM
Dear all,
We have been using OPNsense for some time now. One of our customers has two ISP Layer 3 switches; each switch provides a 1GB NIC with 1Gbps speed to the OPNsense.
This configuration has been working excellently before with pfSense.
The switches are configured to do LACP on the interfaces (as I mentioned, it has been working for a long time).

Switch 1 >>>> Port 1 >>>>> pfSense Port 1 (now OPNsense)
Switch 2 >>>> Port 1 >>>>> pfSense Port 2 (now OPNsense)

Both switches are stacked and are Brocade ICX7250.

As I mentioned, this config has been working with pfSense for a long time, until we convinced the customer to move to OPNsense.

The issue is:

We have created a LAGG (see attached); this LAG is em2 and em3 as the LAN LAGG. So whenever we connect the cables to the switch, the error pops up on the console of the OPNsense and keeps popping up:

interface stopped distributing possible flapping


After I tried a clean pfSense installation and created the LAGG, everything works as expected.

Can someone please help clear things up for me: is it OPNsense? Configuration? What am I doing wrong?

Appreciate any help/ideas.
#16
Intrusion Detection and Prevention / IDS OVER VPN
November 20, 2020, 02:27:56 AM
Dear All,

We have been using OPNsense for over 4 years; we are happy with it, and a big thank you to the developers for this great software.
I have a couple of concerns.

1- IDS/IPS enabled on the WAN.
We have IPS/IDS enabled on the WAN. I've attended an online Suricata training; they advise running the IDS/IPS on the LAN because OPNsense blocks anything on the WAN already.

We have a site-to-site VPN from Office 1 to Office 2. When I apply the IDS/IPS on the LAN interface I cannot connect using RDP/HTTPS/etc.; I cannot even ping.
In the IDS alerts there is nothing about those connections being blocked. When I switch to WAN, things start working.

What am I doing wrong?

Appreciate any support.
#17
20.7 Legacy Series / 2 Switch 1 WAN
November 02, 2020, 11:19:01 PM
Dear all,

I am trying to achieve a certain setup and don't know how to do it.
The situation is as follows:
Our ISP has two switches for us which are configured to act as one. The switches are Layer 3.
We have one OPNsense hardware box behind them, an "OPNsense A10 Dual Core SSD rack Gen2", OPNsense hardware which we are happy with.
So I want to have two WAN cables, one from each switch, so Switch 1 to WAN1 and Switch 2 to WAN2, and configure WAN1 and WAN2 as LACP.
Is this even possible in OPNsense?

Thank you
#18
20.7 Legacy Series / OPNsense 20.X won't boot
September 06, 2020, 08:11:13 PM
Hi guys,
I've been fighting with a hardware box; it doesn't want to boot. I managed to get it to boot by doing the following:

First command during the boot:

set kern.vty=sc
boot

When it booted I disabled the option "Use the virtual terminal driver (vt)" at System >> Settings >> Administration.

My question is: would an update overwrite those settings of "Use the virtual terminal driver (vt)" or not?

Can I persist those settings somehow at System: Settings: Tunables?

Thank you

PS: I've installed OPNsense on Sophos hardware.
#19
20.7 Legacy Series / GeoIP 20.7 solution
August 17, 2020, 03:56:15 PM
Hi Guys,

If your GeoIP seems not to work after the last update, the issue is easy and simple:
your firewall's "Firewall Maximum Table Entries" is limited to 100k.
So go to Firewall >>> Settings >>> Advanced and change the value of Firewall Maximum Table Entries to 200k and save.
I have mine at 400k as I've got powerful hardware.

After I did that, GeoIP started working and loading IPs.
#20
Dear all,
For a couple of weeks I've been struggling with getting WireGuard configured and working;
today I am going to explain how to do it with screenshots.

Step 1
Go to Plugins and install WireGuard.

Step 2
Go to VPN >> WireGuard >>> and enable it.

Step 3
Go to VPN >> WireGuard >> Local, and create a Local connection.
Choose a tunnel IP.
Please note: do not enter a private or public key; they will be generated automatically.

Step 4
Open the created local connection and save the public key / private key in a notepad; you are going to need it.

Step 5
Go to VPN >> WireGuard >> Endpoints and create an Endpoint ("Endpoint" is like a user); we will use Julien as my name for this Endpoint.

Step 6
Install WireGuard on Windows/Mac OSX; this method works for both Windows and Mac OSX.
After the installation choose "Add tunnel" and then "Add empty tunnel".

Step 7
Copy the Public key from the Windows client and save it at the Endpoint of the user as shown below in the picture.

Step 8
Go to VPN >>> WireGuard >>> Local and add Julien to the Peers so the Endpoint will be permitted to connect using the Peer (see screenshot).

Click Save, and go back up to General and click on Save again (see screenshot).

Step 9
Go to Interfaces >> Assignments and add the WG0 (WireGuard) interface; call it "Remote Users" or whatever you want.

PS: Don't change anything in the settings; leave IPv4/IPv6 on NONE, WireGuard will take care of that part. After it's done, restart the WireGuard service and you should see it will detect its new IP (see picture below).

Step 10
Go to Firewall >> Rules and find the interface you created (mine is called Remote Users) and create a firewall rule that looks like the one in the screenshot.

Go to Firewall >> Rules >> WAN and create a rule for incoming connections on the WAN side.
PS: this rule is not restricted yet; when the connection is up you can restrict it to IP/port/etc.

The Windows client connection should look like this:

[Interface]
Address = 10.171.1.2/31
PrivateKey = LaptopPrivKey
DNS = 10.10.1.20

[Peer]
PublicKey = OpnsensePUBLICkey
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.example.com:51820


Like this the connection should be set up and active.

If you have remote users using a 4G/UMTS connection, it may be smart to set the MTU:

[Interface]
Address = 10.171.1.2/31
PrivateKey = LaptopPrivKey
MTU = 1380
DNS = 10.10.1.20

[Peer]
PublicKey = OpnsensePUBLICkey
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.example.com:51820



I hope the Admin will pin the post.

This week I will create a new tutorial on how to do site-to-site using WireGuard.
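
The client config above is where first-time WireGuard setups most often go wrong: placeholder keys left in, an Endpoint without a port, an MTU outside a sane range. As an added example that is not part of the tutorial and not OPNsense or WireGuard code, here is a small linter for that config format: it parses the [Interface]/[Peer] sections, validates key length, Address, AllowedIPs, Endpoint and MTU, and runs against the tutorial's own config, where it flags the two placeholder keys. DEMO_KEY is a constructed, format-valid key used only for the clean run.

```python
import base64
import ipaddress

# The tutorial's second client config, copied as posted: its keys are the
# author's placeholders, which the linter is expected to flag.
TUTORIAL_CLIENT = """\
[Interface]
Address = 10.171.1.2/31
PrivateKey = LaptopPrivKey
MTU = 1380
DNS = 10.10.1.20

[Peer]
PublicKey = OpnsensePUBLICkey
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.example.com:51820
"""

# Constructed, format-valid key (32 bytes, base64) used only to show a clean
# run; it is not a real key and must never be used in a tunnel.
DEMO_KEY = base64.b64encode(bytes(range(32))).decode()


def parse_wg_config(text):
    """Parse WireGuard's INI-style config into {'Interface': {...}, 'Peer': [...]}."""
    cfg, section = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line == "[Interface]":
            section = cfg["Interface"]
        elif line == "[Peer]":
            cfg["Peer"].append({})
            section = cfg["Peer"][-1]
        elif section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            section[key] = value
    return cfg


def is_wg_key(value):
    """A WireGuard key is 32 bytes, i.e. exactly 44 characters of base64."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def lint_client_config(text, mtu_range=(1280, 1500)):
    """Return a list of findings for a road-warrior client config; [] means clean."""
    cfg = parse_wg_config(text)
    iface, findings = cfg["Interface"], []
    try:
        ipaddress.ip_interface(iface.get("Address", ""))
    except ValueError:
        findings.append("Interface.Address missing or not in CIDR form")
    if not is_wg_key(iface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey is a placeholder or malformed (44 chars base64 expected)")
    if "MTU" in iface:  # the tutorial suggests 1380 for 4G/UMTS clients
        mtu = int(iface["MTU"]) if iface["MTU"].isdigit() else -1
        if not mtu_range[0] <= mtu <= mtu_range[1]:
            findings.append(f"Interface.MTU {iface['MTU']} outside {mtu_range}")
    for i, peer in enumerate(cfg["Peer"]):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"Peer[{i}].PublicKey is a placeholder or malformed")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                findings.append(f"Peer[{i}].AllowedIPs entry {cidr.strip()!r} is invalid")
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"Peer[{i}].Endpoint must be host:port")
    return findings
```

Running lint_client_config(TUTORIAL_CLIENT) returns exactly the two placeholder-key findings; with real keys pasted in from Step 4 and Step 7 it returns an empty list.
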