Topics

31

18.1 Legacy Series / Multi WAN on 18.1

« on: January 30, 2018, 05:19:32 pm »

Hi guys,
i was curious if somebody has tested the 18.1 release with the multi wan.
we have two boxes running on multi wan with failover and I am being nerveus in updating them.
Thank you for your shared experience.

32

18.1 Legacy Series / Release 18.1 experience

« on: January 29, 2018, 09:31:00 pm »

Hi Guys,
Today I have installed the 18.1 on both VM and hardware the installation took a bit longer than usual but it succecd.
I can confirm everything is running fine even the Gui is faster and responding really fast.

a big thank you for this release and we are glad to be apart of the community of the safe software on earth.
 

33

17.7 Legacy Series / haproxy stops working 17.7.12

« on: January 27, 2018, 11:44:07 pm »

Dear all,
we had the haproxy for multiple http/https. however after we update the box to 17.7.12 we have noticed the https web servers are not working over the internet.
i have checked the value and everything is still there but the interface is a bit different as before.
somehow we can't get the haproxy started.
when i try to start it using the command line
version of haproxy is 2.2
`

Code: [Select]

``
root@firewall:~ # service haproxy restart
haproxy not running? (check /var/run/haproxy.pid).
[ALERT] 026/234026 (48491) : parsing [/usr/local/etc/haproxy.conf:59] : 'tcp-request content accept' : error detected in frontend '443' while parsing 'if' condition : no such ACL : '{req_ssl_hello_type'
[ALERT] 026/234026 (48491) : parsing [/usr/local/etc/haproxy.conf:62] : unknown keyword 'tcp_request' in 'frontend' section
[ALERT] 026/234026 (48491) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 026/234026 (48491) : Fatal errors found in configuration.
/usr/local/etc/rc.d/haproxy: WARNING: failed precmd routine for haproxy
root@firewall:~ #


Code: [Select]

HAProxy config contains critical errors
[ALERT] 027/000844 (7147) : parsing [/usr/local/etc/haproxy.conf:59] : 'tcp-request content accept' : error detected in frontend '443' while parsing 'if' condition : no such ACL : '{req_ssl_hello_type'
[ALERT] 027/000844 (7147) : parsing [/usr/local/etc/haproxy.conf:62] : unknown keyword 'tcp_request' in 'frontend' section
[ALERT] 027/000844 (7147) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 027/000844 (7147) : Fatal errors found in configuration.



34

18.1 Legacy Series / update not showing

« on: January 15, 2018, 09:41:23 pm »

Hi Guys
after trying to check for the update on the box it shows not update are
There are no updates available on the selected mirror.
on the screen it shows that the V 18.1.R2 is there.
has been this already been released ?
the current version is 17.7.11

on the SSH tried option 12 but it still shows my box is updated

Code: [Select]

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates, apply them,
and reboot if necessary.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (5 candidates): ..... done
Processing candidates (5 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.

35

17.7 Legacy Series / Site to Site after OPNsense 17.7.9 does not route the traffic

« on: December 12, 2017, 11:16:06 pm »

Dear all,
Today i have updated two hardware OPNsense to the latest version.
OPNsense 17.7.9_9-amd64
however after the update i noticed the site to site VPN seems not to route the traffic from the Client to the server

Server= 192.168.4.1
Client = 10.10.20.3

From the server i can connect to the client 10.10.20.3 on the other side of the country however from the client i can't ping or connect to the server.
when i trace route the traffic from the client to the server its comes back with time out.

Code: [Select]

C:\>tracert 192.168.4.1

Tracing route to 192.168.4.1 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
Can someone please help to point me to the right direction ?

Thank you
  4     *

36

17.7 Legacy Series / DH Parameters Length question

« on: November 27, 2017, 04:02:09 pm »

Hi guys,
I am trying to understand the user of  DH Parameters Length on the VPN server and Key length (bits) on the certificate.
I see the Key length (bits) on the  certificate  has 4096 and 8192
and also the DH Parameters Length 4096 and 2048.
using the high number would affect the speed of the tunnel ?would provide a high encryption ?

37

17.7 Legacy Series / OPENVPN between hardware and Virtual

« on: November 23, 2017, 01:15:59 am »

Hi guys,
We need to configure openvpn site to site between two Opnsense Firewalls,
one is hardware and one is virtual, between the virtual Opnsense there is a ISP Modem which is the gateway of the virtual OPNsense and the ports are forwarded.
i've configured the tunnels already but its not comming up.
Can someone please adveis why ?


the log is as below when i restart the connection.

Code: [Select]

Nov 23 01:13:43 openvpn[58575]: UDPv4 link remote: [AF_UNSPEC]
Nov 23 01:13:43 openvpn[58575]: UDPv4 link local (bound): [AF_INET]56.77.88.990:10445
Nov 23 01:13:43 openvpn[58575]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Nov 23 01:13:43 openvpn[58575]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1605 10.3.0.1 10.3.0.2 init
Nov 23 01:13:43 openvpn[58575]: /sbin/ifconfig ovpns3 10.3.0.1 10.3.0.2 mtu 1500 netmask 255.255.255.255 up
Nov 23 01:13:43 openvpn[58575]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 23 01:13:43 openvpn[58575]: TUN/TAP device /dev/tun3 opened
Nov 23 01:13:43 openvpn[58575]: TUN/TAP device ovpns3 exists previously, keep at program end
Nov 23 01:13:43 openvpn[58575]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 23 01:13:43 openvpn[58228]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
Nov 23 01:13:43 openvpn[58228]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
Nov 23 01:13:43 openvpn[58228]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Nov 23 01:13:42 openvpn[35180]: SIGTERM[hard,] received, process exiting
Nov 23 01:13:41 openvpn[35180]: /usr/local/sbin/ovpn-linkdown ovpns3 1500 1605 10.3.0.1 10.3.0.2 init
Nov 23 01:13:41 openvpn[35180]: event_wait : Interrupted system call (code=4)
Nov 23 01:13:37 openvpn[79651]: UDPv4 link remote: [AF_UNSPEC]
Nov 23 01:13:37 openvpn[79651]: UDPv4 link local (bound): [AF_INET]56.77.88.990:10449
Nov 23 01:13:37 openvpn[79651]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Nov 23 01:13:37 openvpn[79651]: /usr/local/sbin/ovpn-linkup ovpns9 1500 1605 10.9.9.1 10.9.9.2 init
Nov 23 01:13:37 openvpn[79651]: /sbin/ifconfig ovpns9 10.9.9.1 10.9.9.2 mtu 1500 netmask 255.255.255.255 up
Nov 23 01:13:37 openvpn[79651]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 23 01:13:37 openvpn[79651]: TUN/TAP device /dev/tun9 opened
Nov 23 01:13:37 openvpn[79651]: TUN/TAP device ovpns9 exists previously, keep at program end
Nov 23 01:13:37 openvpn[79651]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 23 01:13:37 openvpn[79326]: library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
Nov 23 01:13:37 openvpn[79326]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2017
Nov 23 01:13:37 openvpn[79326]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Nov 23 01:13:37 openvpn[57213]: SIGTERM[hard,] received, process exiting
Nov 23 01:13:36 openvpn[57213]: /usr/local/sbin/ovpn-linkdown ovpns9 1500 1605 10.9.9.1 10.9.9.2 init
Nov 23 01:13:36 openvpn[57213]: event_wait : Interrupted system call (code=4)

38

17.7 Legacy Series / Stragnge OPENVPN commands found

« on: November 23, 2017, 12:01:23 am »

Hi Guys,
on my OPENVPN.ovpn file I've found two strange commands

Code: [Select]

ping-exit 30
auth-nocache
ns-cert-type serverI've googled the auth-nocache appear to be a command to stop caching your password in the memory of the PC, but other commands I don't know what they are for.
I've exported a OPENVPN from a different OPNsense and I don't seem to find those commands on the .ovpn

Thank you

39

17.7 Legacy Series / OPENVPN verbosity levels

« on: November 11, 2017, 12:10:46 am »

Dear All,
I understand that verbosity levels are logging levels but using a high number would slow down the tunnel ?
as I undersand level 10 is Win32 registry debugging info and OpenSSL locks, does it means it will log everything which will cause a slow tunnel ?

this is a discussion thank you

40

17.7 Legacy Series / Port forwarding VIP

« on: October 29, 2017, 09:07:22 pm »

Dear All,
we have configured 3 virtual WAN IPS on the Firewall >> Virtual IP.

Now we want to forward PORT 443 to one of those Virtual IP.
I can't seem to find a way of doing this.
Can someone please advise how to do so ?
I've looked on the forum but can't seem to find post or a doc about this.
the currently configuration as next :
WAN1 is our default IP which is 1.1.1.1
Virtual IP are 1.1.1.2 / 1.1.1.3 /1.1.14
WAN 1 is default WAN for out production.
on the WAN1 ( 1.1.1.1)  we have port 443 forward to a internal server
now we have added 3 WAN IP dresses to the virtual IP.

on the NAT 1:1 we have created a rule
Interface WAN
Type BNAT
External Network 1.1.1.2/29
Source Any
Destination. Webserver 1 ( internal Server )


on the Firewall Rules WAN1
have created the rule below the original rule of port 443.

thank you

41

17.7 Legacy Series / Multi WAN

« on: October 25, 2017, 12:15:55 pm »

Dear All,
i have posted many times about multi WAN and no one have ever helped me.
i have configured the Multi WAN as following https://docs.opnsense.org/manual/how-tos/multiwan.html
internet does works, every time when the WAN1 or WAN2 down goes we have to reboot the firewall in order it will swap the Gateways.
Can someone please advise here why is this happening and what I am missing in the configurations ?

42

17.7 Legacy Series / virtual IP en Nat 1:1

« on: October 13, 2017, 12:26:40 am »

Dear All,
We are using Opnsense facing the Internet with 3 Virtual WAN IP. the below IP addresses are just a example.

4.100.23.9/13

so the WAN IP is 4.100.23.9
Virtual IP are 4.100.23.10,4.100.23.12 and 4.100.23.13

on the WAN we have NAT the ports to 443 and 80 to the exchange server which is behind the LAN
now we have added the Virtual IP as IP and WAN and created a NAT 1:1 to forward the IP 4.100.23.10 to the internet Filter which is on the LAN.

so on the internet side when we access the https://4.100.23.10 its opens the Exchange server which is behind the 4.100.23.9.

Can someone please advise how to get this correctly configured ?

43

17.7 Legacy Series / Intrusion Detection abuse.ch

« on: October 08, 2017, 08:31:22 pm »

Hi Guys,
I am on a hardware OPNsense 17.7.5-amd64 with a kill configuration 16GB Memory and I5/64 SSD disk.
when I enable the abuse.ch on the abuse.ch Intrusion Detection the speed drops from 900MB to 40MB.

is there is a way to get this tweaked ?

Thank you

44

17.7 Legacy Series / DNS forwarder issue appear to be load balancing after update

« on: October 02, 2017, 12:44:41 pm »

Hi guys
after updating the opnsense laste day I can't seem to browse to the internet.
I can ping 8.8.8.8 but not www.google.com

when I nslookup domains its does resolve with the ip.
is this a firewall issue?

Can someone please point me to the right directions ?

Thank you so much

45

17.7 Legacy Series / Multiple VLAN/Multiple WAN

« on: September 29, 2017, 08:37:55 pm »

Hi guys,
in our productions we have OPNsense with 6 NICS, and a switch 48 ports.
We have 8 IP we can use on the WAN side, and 4 VLANS. ( all 4 VLANS are created on the physical LAN 1)
We want to specify each VLAN with a physique IP as It.
has anyone done this before and there are no complications ?

Thank you