Topics

Dear All,
i hope someone can route me as i cannot route my VPN lol.
the situation as next, we have two WAN ( WAN1 / WAN2 ) see screenshot

WAN1 GW 192.168.30.254
WAN2 GW 192.168.1.254

i have created GW group with Trigger Level Packet Loss and Made WAN2 as tier1 and WAN1 as Tier 2
on the opnsense i have configured WAN1 as default GW

what i am trying to archieve is to have WAN1 route the VPN to the remote office and WAN2 to be as default internet on the office.
WAN2 is Fiber connectiong which is 200/200MB and want to keep using as main internet however WAN1 is a ADSL which is 10/2 we want it to use the VPN to RDP to the extern server.

the tunnel is i can access from the remote office back but from the office i cannot connect to the remote site.
my routing

Code Select Expand

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1


what am i doing wrong ?

Thank you
 

Dear all,
ive been searching for a  very long time for the solution to have openvpn routing over the WAN1 instead of default WAN2.Let's start from a very basic situation.

Office has two WAN ( WAN1 and WAN2). Office has been configured as Dual WAN , and WAN2 is the default WAN interface with it Gateway.
Remote Office withonly one WAN.
So we have created site to site openvpn from office to the remote office and the tunnel is up.
Remote Office is the OPENVPN server and Office with two is the Client.

Office ip info ( Client OPENVPN)
WAN1   192.168.30.20
WAN2    192.168.1.20   ( Default Gateway for the subnet)
LAN       192.168.24.0/24

Remote Office ( Server OPENVPN )
WAN1 ISP IP
LAN     192.168.99.0./24


the tunnel is up and running only from one side. so from the server side subnet 192.168.99.0/04 i can ping and connect to 192.168.24.0/24
but from the client side 192.168.24.0/24 i cannot connect to 192.168.99.0/24.

on the Client site OpenvVPN tunnel is reconfigured to use WAN1 as it Gateway.
i beleive this a routing issue on the Client site, so i want to tell the box when i wanna go to 192.168.99.0/24 please use WAN1 instead.

on the firewall>>> outbound Rules . i've created a Manual rules on the WAN1 sending a traffic to host 192.168.99.0/24 to use WAN1 but its not working.

What am i doing wrong ?

Thank you

Hi guys,
today one of our box did not update the ssl, the box is on the latest 19.1.6 and the error

Code Select Expand

[Fri Apr 26 13:43:30 CEST 2019] code='400'
[Fri Apr 26 13:43:30 CEST 2019] _ret='0'
[Fri Apr 26 13:43:29 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Fri Apr 26 13:43:29 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4DMKwJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] POST
[Fri Apr 26 13:43:29 CEST 2019] payload='{"resource": "challenge", "type": "", "keyAuthorization": "lJ_wTNXzdXDNMS1lgR4b0vl5f5DUQn7kppJvAS6AnX0.32so50xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0"}'
[Fri Apr 26 13:43:29 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS543kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] Please check log file for more details: /var/log/acme.sh.log
[Fri Apr 26 13:43:29 CEST 2019] _on_issue_err
[Fri Apr 26 13:43:29 CEST 2019] skip dns.
[Fri Apr 26 13:43:29 CEST 2019] vlist='Firewall.gislaved.org#lJ_wTNXzdXDNMS1lgR4b0vl5f5DUMQn7kppJvACFS6AnX0.32so5xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0#https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849#http-01#/var/etc/acme-client/challenges,'
[Fri Apr 26 13:43:29 CEST 2019] dnsadded
[Fri Apr 26 13:43:29 CEST 2019] _clearupdns
[Fri Apr 26 13:43:29 CEST 2019] No need to restore nginx, skip.
[Fri Apr 26 13:43:29 CEST 2019] pid

however older box has renew their certificate fine,

Dear all,
afterupdating the 19.1 my outbound is broke, i cannot conenct to the extern website, sometimes it does open the page but most of time it does not works, outgoing connection is blocked.

our intern connection to the FTP/SSH are blocked.
i've checked the outbound is Automatic outbound NAT rule generation (no manual rules can be used)
on the LAN we have any to any rules but nothing works.

Can someone please advies ?

Dear all,
Our scenario is as next

Internet >>>> OPNSENSE>>>>> SPAM FILTER >>>> MAIL SERVER
MAIL SERVER IS using spam filter as it smarthost to send out emails.
SPAM filter has it own VIP which configured on the virtual ip 20.344.55.56
Default WAN of the OPNSESNE is . 20.344.55.50
Outbount is automatically.
whenever we send out email using spam filter as smarthost of the mail server it still uses the Default WAN IP of the OPNsense 20.344.55.50.
i tried to change outbount from automatically to manually and created a rules for this

Code Select Expand

WAN1  summitgrid_relay  *  *  *  20.344.55.50 *   Outbound NAT Rule for Email Relay

the internet stops working. i thought the rules will remain created when i change from auto to manual.
also the email still delevered from the default opnsese ip and not spam filter.

Can someone please advies how to get this fixed ?

Thank you

Dear all,
We do have WAN1 Configured with Gateway up and running.
We have second WAN2 added as a physical interface.
We want to change our default WAN1 to be WAN2 as we wanna keep WAN1 for different service.

We do have one single Gateway.
can someone adviese how to do this ?

Dear all,
I have been struggling to route traffic and running between opnsense and pfsense.
Opnsense is running 17.7.8
Pfsense is running 2.4.4
both box are running openvpn version 2.4.6_3
the tunnel is up on both sides, the issue is we cannot connect from location A to B and otherway arround.
this issue is mostly if the tunnel or remote ip are differents but i've checked them like 100 time.

Can someone please advies me how to get ths routing correctly set up.

Thank you so much

Dear All,
Today we have updated one box ( physical box ) to OPNsense 18.7.7-amd64.
We were so Happy with the new IDS version.
however after enabling some of the app detection rules, the Inline Intrusion Prevention System keeps stoping from time to time and have to click on start to manually start it.
on the log File there is nothing there.

please see screenshots.

Thank you

Dear All,
I have a hardware box which is continue running on 90%/99% CPU which cause alot of pakket los on the WAN side.
I have checked the IO Operation
   

Code Select Expand

                 /0   /1   /2   /3   /4   /5   /6   /7   /8   /9   /10
     Load Average   ||||

          /0%  /10  /20  /30  /40  /50  /60  /70  /80  /90  /100
cpu  user|XXX
     nice|
   system|XX
interrupt|
     idle|XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

          /0%  /10  /20  /30  /40  /50  /60  /70  /80  /90  /100
ada0  MB/s
      tps|XXXX
pass0 MB/s
      tps|


and the interupt CPU usages

Code Select Expand

PID USERNAME    PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root        155 ki31     0K    32K RUN     1 158:26  91.77% [idle{idle: cpu1}]
   11 root        155 ki31     0K    32K RUN     0 160:42  79.55% [idle{idle: cpu0}]
10682 root         21    0   112M 22368K accept  1   0:04   2.05% /usr/local/bin/php-cgi
   12 root        -60    -     0K   400K CPU0    0   2:17   0.48% [intr{swi4: clock (0)}]
   12 root        -92    -     0K   400K WAIT    0   0:29   0.24% [intr{irq259: em1:rx0}]
88373 root         20    0 20076K  3804K CPU1    1   0:00   0.22% top -aSH
21352 root         20    0 49640K  8628K kqread  1   0:43   0.12% /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
  423 root         52    0   132M 32328K accept  0   0:20   0.08% /usr/local/bin/python2.7 /usr/local/opnsense/service/configd.py console{python2.7}
46510 root         20    0  1061M  6584K select  1   0:01   0.08% /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
   12 root        -92    -     0K   400K WAIT    0   0:05   0.05% [intr{irq262: em2:rx0}]
18706 root         20    0  1049M  2760K select  0   0:04   0.03% /usr/local/sbin/apinger -c /var/etc/apinger.conf
62443 root         20    0  1091M  6864K select  1   0:00   0.03% sshd: root@pts/0 (sshd)
   16 root        -16    -     0K    16K pftm    0   0:05   0.03% [pf purge]
   12 root        -92    -     0K   400K WAIT    1   0:03   0.03% [intr{irq260: em1:tx0}]
   17 root        -16    -     0K    16K -       1   0:03   0.01% [rand_harvestq]
  968 root         29    0 97112K 22380K select  1  46:15   0.01% /usr/local/bin/python2.7 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py
    4 root        -16    -     0K    32K -       1   0:05   0.01% [cam{doneq0}]
4692 root         20    0  1051M  3028K select  0   0:03   0.01% /usr/local/sbin/syslogd -s -c -c -P /var/run/syslog.pid -l /var/dhcpd/var/run/log -f /var/
85922 root         20    0  1051M  6124K select  0   0:02   0.01% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid{ntpd}
   12 root        -92    -     0K   400K WAIT    1   0:01   0.01% [intr{irq263: em2:tx0}]
29963 dhcpd        20    0 24732K  8788K select  1   0:01   0.01% /usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf
   12 root        -88    -     0K   400K WAIT    0   0:03   0.01% [intr{irq19: ahci0}]
    0 root         -4    -     0K   320K -       0   0:02   0.01% [kernel{/ trim}]
   18 root        -16    -     0K    48K psleep  1   0:00   0.00% [pagedaemon{pagedaemon}]
94464 root         20    0 38816K  5740K kqread  1   0:01   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighttpd-acme-challenge.conf
14975 root         20    0  1053M  2824K bpf     1   0:01   0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
42547 root         20    0  1061M  6592K select  1   0:00   0.00% /usr/loc



The firewall is running just simple 2 firewall rules, any to any on the LAN and OPENVPN on the WAN nothing else.
i just wanna make sure we are not dealing with a faulty hardware.

Can someone please point me to the right directions to check ?

Thank you

Dear All,
We are designing a Datacenter and want to use OPN two hardware with failover senario.
We offerted 4 WAN IP with 1GB speed on each WAN
WAN1 .   1.1.1.1
WAN2 .   1.1.1.2
WAN3 .   1.1.1.3
WAn4 .   1.1.1.4

WAN1 and WAN2 will be connected on the main OPN hardware , WAN1 will be offering a VPN site to site and also VPN for users using two factor authentication. also will be the ip for the internet
WAN2 will be the mx records of the internal mail server.

i want to configure the second hardware WAN3/WAN4 as a failover in case the first hardware is down remote users will still be able to work.

Can someone please advies how to configure this ? i've read the HA CARPS can do the job but not sure if it does apply in my senario.

Thank you

Hi guys,
i dont know if this possible , the OPNsense will send a notification whenever there is a update or new release ?

Thank you

Hi Guys,

Another issue noticed. had a box with letsencrypt configured after the update this error keeps showing.

Please double-check the following contents to ensure you are comfortable submitting the following information.

Code Select Expand

System Information:
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
FreeBSD 11.1-RELEASE-p10  a6fa9599a(stable/18.1)
OPNsense 18.7.b_137-bc788f972 [18.1.8-ef579d069] OpenSSL 1.0.2o  27 Mar 2018 (amd64)
Plugins os-acme-client-1.14 os-theme-tukan-devel-0.2
Time Thu, 24 May 2018 22:10:59 +0200
PHP Errors:
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 177
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 250
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  SimpleXMLElement::attributes(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1103
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1103
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1112
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[24-May-2018 20:42:55 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122

Hi Guys,
Today we have updated to the OPNsense 18.7.b_137-amd64 hardware.
We have noticed that the phone is halting from time to time.

The firewall optimization to conservative
we have installed the os-siproxd as well.

anything to check why is this happening ?

Thank you

Hi Guys,
Today have updated 18.1.7 on a real hardware and so far it running fine.
i've noticed the CPU is not using that much -3% as before when we enable IDS.
thought i'd share this with you guys.


Chers julien

Hi Guys,
i have configured the spamhaus on the LAN side we have like 20 VLANS running. do i really have to create on each VLAN the firewall rule for the outgoing ?
all the VLANS are on the LAN living em0.

we have created the rules on the LAN side but not in the VLANS.

Code Select Expand

https://wiki.opnsense.org/manual/how-tos/edrop.html

Hi Guys,
last night we have updated one box from 17.7 to 18.6
however the flowd_aggregate   Insight Aggregator is not starting.

Code Select Expand

https://forum.opnsense.org/index.php?topic=3581.30
i have followed Franco instruction but its not working

Code Select Expand

No, just go to Reporting: Settings and reset the Netflow/Insight data from there.

also from time to time we get the below log on the firewall.

Code Select Expand

There were error(s) loading the rules: /tmp/rules.debug:15: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [15]: table <bogonsv6> persist file "/usr/local/etc/bogonsv6"
Any suggestions how to troubleshot this ?

Thank you

Hi Guys,
today i've done a Vulnerability test toward the appliance.
the result comes back with TCP timestamps
i know the risk is low,the attacker need to know how long your system is on.
is this something we can get fixed ? or need some tunable tricks ?
thank you

Hi Guys,
We are willing to block USA on the IDS.
Wenever we Block USA on the IDS the emails are originally from Office 365 and Outlook/Gmail stops arriving.
is there is a way to get those working with blocking USA ?

Hi Guys,
the release note of 18.1.6 shows the below message.  can someone please explain what happens exactly with the VIP and Multi-WAN ? we are using this on our firewall and didn't want to update untill stuff are clear to us. thank you

Code Select Expand

Three mentionable changes are included: We are switching back to single-source NAT on the primary IP instead of using all additional VIPs on the interface. The hardware-assisted VLAN capability check was removed from the system enabling e.g. XEN users to create VLANs. And the multi-WAN traffic shaping experience has been corrected for non-default interfaces within the scope of shared forwarding.

Hi guys,
I was wondering of this projet already exisit on the Opnsense or not.
https://www.fail2ban.org/wiki/index.php/Main_Page

I hope to have this in the near future.

Regards.
Julien