Topics - Julien

#21
19.7 Legacy Series / Route OPENVPN Multi WAN
August 12, 2019, 01:31:59 PM
Dear all,
I hope someone can route me, as I cannot route my VPN, lol.
The situation is as follows: we have two WANs (WAN1 / WAN2), see screenshot.

WAN1 GW 192.168.30.254
WAN2 GW 192.168.1.254

I have created a GW group with trigger level "Packet Loss" and made WAN2 Tier 1 and WAN1 Tier 2.
On the OPNsense I have configured WAN1 as the default GW.

What I am trying to achieve is to have WAN1 route the VPN to the remote office and WAN2 be the default internet for the office.
WAN2 is a fiber connection, 200/200 MB, which we want to keep using as the main internet; WAN1 is ADSL, 10/2, and we want it to carry the VPN we use to RDP to the external server.

The tunnel is up: I can access from the remote office back, but from the office I cannot connect to the remote site.
My routing:
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1


What am I doing wrong?

Thank you
 
#22
19.7 Legacy Series / Site to Site openVPN DUAL WAN
August 07, 2019, 02:07:03 PM
Dear all,
I've been searching for a very long time for the solution to have OpenVPN routing over WAN1 instead of the default WAN2. Let's start from a very basic situation.

The office has two WANs (WAN1 and WAN2). The office has been configured as dual WAN, and WAN2 is the default WAN interface with its gateway.
The remote office has only one WAN.
So we have created a site-to-site OpenVPN from the office to the remote office and the tunnel is up.
The remote office is the OpenVPN server and the office with two WANs is the client.

Office IP info (OpenVPN client)
WAN1    192.168.30.20
WAN2    192.168.1.20   (default gateway for the subnet)
LAN     192.168.24.0/24

Remote office (OpenVPN server)
WAN1    ISP IP
LAN     192.168.99.0/24


The tunnel is up and running only from one side: from the server-side subnet 192.168.99.0/24 I can ping and connect to 192.168.24.0/24,
but from the client side 192.168.24.0/24 I cannot connect to 192.168.99.0/24.

On the client side the OpenVPN tunnel is reconfigured to use WAN1 as its gateway.
I believe this is a routing issue on the client side, so I want to tell the box: when I want to go to 192.168.99.0/24, please use WAN1 instead.

Under Firewall >>> Outbound rules I've created a manual rule on WAN1 sending traffic to host 192.168.99.0/24 to use WAN1, but it's not working.

What am I doing wrong?

Thank you
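Both of the routing threads above come down to one question: for a given destination, which interface and next hop does the OPNsense box actually pick? The following is an added example (not from the posts and not OPNsense code) that parses the `netstat -rn` table pasted in the first thread and answers that with the same longest-prefix lookup the kernel performs, including the check that a gateway route's next hop is itself directly connected on the same interface. The Internet test address 203.0.113.10 is a documentation address used as a stand-in; running `egress()` against the remote OpenVPN server's public IP tells you which WAN the tunnel's outer packets really leave on.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# The IPv4 routing table posted in the "Route OPENVPN Multi WAN" thread (FreeBSD `netstat -rn` format).
POSTED_ROUTING_TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1
"""


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: str      # next-hop address, or "link#N" for directly connected routes
    flags: str        # FreeBSD flags: U=up, G=gateway, H=host, S=static
    netif: str


def parse_routes(text: str) -> List[Route]:
    """Parse the IPv4 section of `netstat -rn`; a destination without a mask is a /32 host route."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        prefix = ipaddress.IPv4Network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append(Route(prefix, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the selection the kernel makes for a packet to dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def egress(routes: List[Route], dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (interface, next_hop) for dst; next_hop is None for directly connected destinations.

    For a gateway route (flag G) the gateway must itself resolve to a directly connected route on
    the same interface. A gateway that is only reachable through another gateway route is unusable
    and is reported as (None, gateway).
    """
    route = lookup(routes, dst)
    if route is None:
        return None, None
    if "G" not in route.flags:
        return route.netif, None
    via = lookup(routes, route.gateway)
    if via is None or "G" in via.flags or via.netif != route.netif:
        return None, route.gateway
    return route.netif, route.gateway


ROUTES = parse_routes(POSTED_ROUTING_TABLE)

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "some Internet host".
    for dst in ("192.168.99.5", "192.168.4.20", "203.0.113.10", "192.168.1.50"):
        print(f"{dst:15} -> {egress(ROUTES, dst)}")
```

With the posted table, 192.168.99.0/24 and 192.168.4.0/24 leave on ovpnc1 via 10.7.0.1, and anything not covered by a more specific prefix leaves on em1 via 192.168.30.254. The return direction cannot be checked from this box: the server side needs a route for 192.168.24.0/24 pointing into its tunnel interface, and the same lookup run on the server's table shows whether it has one.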
#23
19.1 Legacy Series / SSL acme.sh not renewing
April 26, 2019, 01:48:43 PM
Hi guys,
Today one of our boxes did not update the SSL certificate. The box is on the latest 19.1.6 and the error is:

[Fri Apr 26 13:43:30 CEST 2019] code='400'
[Fri Apr 26 13:43:30 CEST 2019] _ret='0'
[Fri Apr 26 13:43:29 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Fri Apr 26 13:43:29 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4DMKwJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] POST
[Fri Apr 26 13:43:29 CEST 2019] payload='{"resource": "challenge", "type": "", "keyAuthorization": "lJ_wTNXzdXDNMS1lgR4b0vl5f5DUQn7kppJvAS6AnX0.32so50xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0"}'
[Fri Apr 26 13:43:29 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS543kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] Please check log file for more details: /var/log/acme.sh.log
[Fri Apr 26 13:43:29 CEST 2019] _on_issue_err
[Fri Apr 26 13:43:29 CEST 2019] skip dns.
[Fri Apr 26 13:43:29 CEST 2019] vlist='Firewall.gislaved.org#lJ_wTNXzdXDNMS1lgR4b0vl5f5DUMQn7kppJvACFS6AnX0.32so5xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0#https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849#http-01#/var/etc/acme-client/challenges,'
[Fri Apr 26 13:43:29 CEST 2019] dnsadded
[Fri Apr 26 13:43:29 CEST 2019] _clearupdns
[Fri Apr 26 13:43:29 CEST 2019] No need to restore nginx, skip.
[Fri Apr 26 13:43:29 CEST 2019] pid


However, older boxes have renewed their certificates fine.
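The `keyAuthorization` in the logged payload has the shape `<token>.<thumbprint>`: the challenge token from the CA joined to the RFC 7638 thumbprint of the ACME account key, and that exact string is what the CA expects to fetch from `/.well-known/acme-challenge/<token>` for an http-01 challenge. The block below is an added example (it is not from the post and not acme.sh's own code) that recomputes the key authorization from an account JWK and checks what a web root is serving for it, which is the first thing to verify when the challenge step errors out. The account key is a constructed dummy (the modulus is a filler string), the token is the one from the posted payload, and the hostname and the in-memory "web server" are stand-ins.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only.

    Canonical means: only the required members for the key type, lexicographically sorted,
    no whitespace. Optional members such as "alg" or "kid" never influence the value.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """The exact body the CA expects to fetch: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def check_http01(domain: str, token: str, jwk: Dict[str, str],
                 fetch: Callable[[str], str]) -> Tuple[bool, str]:
    """Validate the way the CA does, through the caller-supplied fetch(url) -> body."""
    expected = key_authorization(token, jwk)
    url = http01_url(domain, token)
    try:
        body = fetch(url)
    except Exception as exc:  # unreachable host, 404, redirect to HTTPS with a bad cert, ...
        return False, f"{url}: fetch failed: {exc}"
    if body.strip() != expected:
        return False, f"{url}: served body does not equal the key authorization"
    return True, f"{url}: ok"


# Constructed account key (not a real key: the modulus is filler) plus the token from the post.
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": "3Xz" * 43 + "A", "alg": "RS256"}
TOKEN = "lJ_wTNXzdXDNMS1lgR4b0vl5f5DUQn7kppJvAS6AnX0"
DOMAIN = "fw.example.org"  # stand-in hostname


def make_fake_server(files: Dict[str, str]) -> Callable[[str], str]:
    """Stands in for the web root the CA hits: files maps URL -> body, anything else is a 404."""
    def fetch(url: str) -> str:
        if url not in files:
            raise FileNotFoundError("404 Not Found")
        return files[url]
    return fetch


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three web roots: correct file, a stale file from an older key, and nothing at all."""
    url = http01_url(DOMAIN, TOKEN)
    good = make_fake_server({url: key_authorization(TOKEN, CONSTRUCTED_JWK) + "\n"})
    stale = make_fake_server({url: TOKEN + ".32so50xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0"})
    missing = make_fake_server({})
    return {
        "good": check_http01(DOMAIN, TOKEN, CONSTRUCTED_JWK, good),
        "stale": check_http01(DOMAIN, TOKEN, CONSTRUCTED_JWK, stale),
        "missing": check_http01(DOMAIN, TOKEN, CONSTRUCTED_JWK, missing),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8} {'PASS' if ok else 'FAIL'}  {reason}")
```

To run it against a real box, replace `make_fake_server` with a function that does a plain HTTP GET of the URL (no redirect following, the way the CA's validator behaves least forgivingly) and paste the account JWK from the client's account directory. The "stale" case matters in practice: a challenge file written by a different account key has the right token but the wrong thumbprint, and the CA rejects it.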
#24
19.1 Legacy Series / outbound after update
February 01, 2019, 02:20:38 PM
Dear all,
After updating to 19.1 my outbound is broken: I cannot connect to external websites. Sometimes it does open the page, but most of the time it does not work; the outgoing connection is blocked.

Our internal connections to FTP/SSH are blocked.
I've checked the outbound: it is "Automatic outbound NAT rule generation (no manual rules can be used)".
On the LAN we have any-to-any rules, but nothing works.

Can someone please advise?
#25
18.7 Legacy Series / Manual Outbound Spam fitler
January 20, 2019, 04:00:58 AM
Dear all,
Our scenario is as follows:

Internet >>>> OPNSENSE >>>>> SPAM FILTER >>>> MAIL SERVER
The mail server is using the spam filter as its smarthost to send out emails.
The spam filter has its own VIP, which is configured as virtual IP 20.344.55.56.
The default WAN of the OPNsense is 20.344.55.50.
Outbound is automatic.
Whenever we send out email using the spam filter as the mail server's smarthost, it still uses the default WAN IP of the OPNsense, 20.344.55.50.
I tried to change outbound from automatic to manual and created a rule for this:

WAN1  summitgrid_relay  *  *  *  20.344.55.50 *   Outbound NAT Rule for Email Relay

The internet stops working. I thought the rules would remain created when I change from auto to manual.
Also, the email is still delivered from the default OPNsense IP and not from the spam filter's.

Can someone please advise how to get this fixed?

Thank you
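Two facts decide what happens here. In OPNsense, "Manual outbound NAT rule generation" means only the manual rules exist (the "Hybrid" mode is the one that keeps the automatic rules and evaluates manual rules ahead of them), and pf evaluates NAT rules first-match, so a catch-all rule placed above a host-specific one shadows it. The block below is an added example (not from the post, not OPNsense's or pf's code) that models that evaluation and compares three rule sets: the single relay rule on its own, the relay rule ahead of a LAN catch-all, and the reverse order. The post's 20.344.55.x addresses are anonymised and not valid IPv4, so documentation-range stand-ins are used, and the LAN, relay and workstation addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    interface: str      # interface the packet leaves on
    source: Net         # source network or host the rule matches
    translate_to: IPv4  # address the source is rewritten to (WAN address or a VIP)
    description: str = ""

    def pf(self) -> str:
        """pf.conf rendering of the rule (plain pf syntax, not the exact form OPNsense generates)."""
        return f"nat on {self.interface} from {self.source} to any -> {self.translate_to}"


@dataclass(frozen=True)
class Packet:
    out_interface: str
    src: IPv4
    dst: IPv4


def apply_outbound_nat(rules: List[NatRule], pkt: Packet) -> Optional[IPv4]:
    """pf translation rules are first-match (unlike filter rules, which are last-match)."""
    for rule in rules:
        if rule.interface == pkt.out_interface and pkt.src in rule.source:
            return rule.translate_to
    return None  # no translation: the packet leaves with its private source address


# Constructed stand-ins (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
WAN_IP = IPv4("203.0.113.50")      # default WAN address
RELAY_VIP = IPv4("203.0.113.56")   # virtual IP reserved for the spam filter
LAN = Net("192.168.24.0/24")
RELAY = IPv4("192.168.24.25")      # the spam filter / smarthost
WORKSTATION = IPv4("192.168.24.100")
REMOTE_MX = IPv4("198.51.100.25")

RELAY_RULE = NatRule("WAN1", Net(f"{RELAY}/32"), RELAY_VIP, "Outbound NAT Rule for Email Relay")
CATCH_ALL = NatRule("WAN1", LAN, WAN_IP, "everything else from the LAN")

MANUAL_RELAY_ONLY = [RELAY_RULE]               # manual mode with the one rule from the post
RELAY_THEN_CATCH_ALL = [RELAY_RULE, CATCH_ALL]  # specific rule first, then the general one
CATCH_ALL_THEN_RELAY = [CATCH_ALL, RELAY_RULE]  # wrong order: the relay rule is never reached


def outcome(rules: List[NatRule]) -> Dict[str, Optional[IPv4]]:
    """Source address each host ends up with after NAT, or None if it leaves untranslated."""
    return {
        "relay": apply_outbound_nat(rules, Packet("WAN1", RELAY, REMOTE_MX)),
        "workstation": apply_outbound_nat(rules, Packet("WAN1", WORKSTATION, REMOTE_MX)),
    }


if __name__ == "__main__":
    for name, rules in (("relay rule only", MANUAL_RELAY_ONLY),
                        ("relay then catch-all", RELAY_THEN_CATCH_ALL),
                        ("catch-all then relay", CATCH_ALL_THEN_RELAY)):
        print(f"{name:22} {outcome(rules)}")
        for r in rules:
            print("   ", r.pf())
```

With only the relay rule, every other LAN host leaves with its RFC 1918 source and gets no replies, which matches "the internet stops working"; with the catch-all above the relay rule, mail still leaves from the default WAN address. The mail also has to reach the relay rule at all: if the relay's traffic is not the source the rule matches (for example because the mail server itself, not the filter, opens the outbound SMTP connection), the VIP is never used either.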

#26
18.7 Legacy Series / Change Default IP
November 30, 2018, 01:07:28 AM
Dear all,
We have WAN1 configured with a gateway, up and running.
We have a second WAN2 added as a physical interface.
We want to change our default from WAN1 to WAN2, as we want to keep WAN1 for a different service.

We have one single gateway.
Can someone advise how to do this?
#27
Dear all,
I have been struggling to get traffic routed and running between OPNsense and pfSense.
OPNsense is running 17.7.8.
pfSense is running 2.4.4.
Both boxes are running OpenVPN version 2.4.6_3.
The tunnel is up on both sides; the issue is we cannot connect from location A to B or the other way around.
This issue is mostly if the tunnel or remote IPs are different, but I've checked them like 100 times.

Can someone please advise me how to get this routing correctly set up?

Thank you so much.
#28
18.7 Legacy Series / IDS 18.7.7 keeps stoping
November 15, 2018, 11:42:55 PM
Dear all,
Today we have updated one box (a physical box) to OPNsense 18.7.7-amd64.
We were so happy with the new IDS version.
However, after enabling some of the app detection rules, the inline Intrusion Prevention System keeps stopping from time to time and we have to click Start to start it manually.
In the log file there is nothing.

Please see screenshots.

Thank you
#29
18.7 Legacy Series / [SOLVED] CPU99%
July 21, 2018, 10:44:15 PM
Dear all,
I have a hardware box which continuously runs at 90%/99% CPU, which causes a lot of packet loss on the WAN side.
I have checked the I/O operations:
                    /0   /1   /2   /3   /4   /5   /6   /7   /8   /9   /10
     Load Average   ||||

          /0%  /10  /20  /30  /40  /50  /60  /70  /80  /90  /100
cpu  user|XXX
     nice|
   system|XX
interrupt|
     idle|XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

          /0%  /10  /20  /30  /40  /50  /60  /70  /80  /90  /100
ada0  MB/s
      tps|XXXX
pass0 MB/s
      tps|


and the interrupt CPU usage:

PID USERNAME    PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root        155 ki31     0K    32K RUN     1 158:26  91.77% [idle{idle: cpu1}]
   11 root        155 ki31     0K    32K RUN     0 160:42  79.55% [idle{idle: cpu0}]
10682 root         21    0   112M 22368K accept  1   0:04   2.05% /usr/local/bin/php-cgi
   12 root        -60    -     0K   400K CPU0    0   2:17   0.48% [intr{swi4: clock (0)}]
   12 root        -92    -     0K   400K WAIT    0   0:29   0.24% [intr{irq259: em1:rx0}]
88373 root         20    0 20076K  3804K CPU1    1   0:00   0.22% top -aSH
21352 root         20    0 49640K  8628K kqread  1   0:43   0.12% /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
  423 root         52    0   132M 32328K accept  0   0:20   0.08% /usr/local/bin/python2.7 /usr/local/opnsense/service/configd.py console{python2.7}
46510 root         20    0  1061M  6584K select  1   0:01   0.08% /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
   12 root        -92    -     0K   400K WAIT    0   0:05   0.05% [intr{irq262: em2:rx0}]
18706 root         20    0  1049M  2760K select  0   0:04   0.03% /usr/local/sbin/apinger -c /var/etc/apinger.conf
62443 root         20    0  1091M  6864K select  1   0:00   0.03% sshd: root@pts/0 (sshd)
   16 root        -16    -     0K    16K pftm    0   0:05   0.03% [pf purge]
   12 root        -92    -     0K   400K WAIT    1   0:03   0.03% [intr{irq260: em1:tx0}]
   17 root        -16    -     0K    16K -       1   0:03   0.01% [rand_harvestq]
  968 root         29    0 97112K 22380K select  1  46:15   0.01% /usr/local/bin/python2.7 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py
    4 root        -16    -     0K    32K -       1   0:05   0.01% [cam{doneq0}]
4692 root         20    0  1051M  3028K select  0   0:03   0.01% /usr/local/sbin/syslogd -s -c -c -P /var/run/syslog.pid -l /var/dhcpd/var/run/log -f /var/
85922 root         20    0  1051M  6124K select  0   0:02   0.01% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid{ntpd}
   12 root        -92    -     0K   400K WAIT    1   0:01   0.01% [intr{irq263: em2:tx0}]
29963 dhcpd        20    0 24732K  8788K select  1   0:01   0.01% /usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf
   12 root        -88    -     0K   400K WAIT    0   0:03   0.01% [intr{irq19: ahci0}]
    0 root         -4    -     0K   320K -       0   0:02   0.01% [kernel{/ trim}]
   18 root        -16    -     0K    48K psleep  1   0:00   0.00% [pagedaemon{pagedaemon}]
94464 root         20    0 38816K  5740K kqread  1   0:01   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighttpd-acme-challenge.conf
14975 root         20    0  1053M  2824K bpf     1   0:01   0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
42547 root         20    0  1061M  6592K select  1   0:00   0.00% /usr/loc



The firewall is running just 2 simple firewall rules, any-to-any on the LAN and OpenVPN on the WAN, nothing else.
I just want to make sure we are not dealing with faulty hardware.

Can someone please point me in the right direction to check?

Thank you
#30
Dear all,
We are designing a datacenter and want to use two OPNsense hardware boxes in a failover scenario.
We were offered 4 WAN IPs with 1 GB speed on each WAN:
WAN1   1.1.1.1
WAN2   1.1.1.2
WAN3   1.1.1.3
WAN4   1.1.1.4

WAN1 and WAN2 will be connected to the main OPNsense hardware. WAN1 will be offering a site-to-site VPN and also VPN for users using two-factor authentication; it will also be the IP for the internet.
WAN2 will be the MX record of the internal mail server.

I want to configure the second hardware box with WAN3/WAN4 as a failover, so that in case the first hardware is down remote users will still be able to work.

Can someone please advise how to configure this? I've read that HA with CARP can do the job, but I'm not sure if it applies to my scenario.

Thank you
#31
18.7 Legacy Series / (Solved )notification on 18.7
July 07, 2018, 11:07:54 PM
Hi guys,
I don't know if this is possible: will OPNsense send a notification whenever there is an update or a new release?

Thank you
#32
18.7 Legacy Series / ACME letsencrypt error
May 24, 2018, 10:12:57 PM
Hi guys,

Another issue noticed: I had a box with Let's Encrypt configured, and after the update this error keeps showing.

Please double-check the following contents to ensure you are comfortable submitting the following information.

System Information:
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
FreeBSD 11.1-RELEASE-p10  a6fa9599a(stable/18.1)
OPNsense 18.7.b_137-bc788f972 [18.1.8-ef579d069] OpenSSL 1.0.2o  27 Mar 2018 (amd64)
Plugins os-acme-client-1.14 os-theme-tukan-devel-0.2
Time Thu, 24 May 2018 22:10:59 +0200
PHP Errors:
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 177
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 250
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  SimpleXMLElement::attributes(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1103
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1103
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1112
[24-May-2018 20:42:50 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[24-May-2018 20:42:55 Europe/Frankfurt] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122

#33
18.7 Legacy Series / VOIP Check
May 24, 2018, 04:02:09 PM
Hi guys,
Today we have updated the hardware to OPNsense 18.7.b_137-amd64.
We have noticed that the phone is halting from time to time.

The firewall optimization is set to conservative,
and we have installed os-siproxd as well.

Anything to check for why this is happening?

Thank you
#34
18.1 Legacy Series / 18.1.7 (installed)
May 05, 2018, 09:59:33 PM
Hi guys,
Today I have updated to 18.1.7 on real hardware and so far it is running fine.
I've noticed the CPU is not used that much, -3% compared to before, when we enable IDS.
Thought I'd share this with you guys.


Cheers, Julien
#35
Hi guys,
I have configured Spamhaus on the LAN side; we have like 20 VLANs running. Do I really have to create the firewall rule for outgoing traffic on each VLAN?
All the VLANs are on the LAN, living on em0.

We have created the rules on the LAN side but not in the VLANs.

https://wiki.opnsense.org/manual/how-tos/edrop.html
#36
Hi guys,
Last night we updated one box from 17.7 to 18.6;
however the flowd_aggregate Insight Aggregator is not starting.

https://forum.opnsense.org/index.php?topic=3581.30
I have followed Franco's instruction but it's not working:
"No, just go to Reporting: Settings and reset the Netflow/Insight data from there."

Also from time to time we get the log below on the firewall.

There were error(s) loading the rules: /tmp/rules.debug:15: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [15]: table <bogonsv6> persist file "/usr/local/etc/bogonsv6"
Any suggestions how to troubleshoot this?

Thank you
#37
18.1 Legacy Series / Vulnerability test
April 25, 2018, 01:13:24 PM
Hi guys,
Today I've done a vulnerability test toward the appliance.
The result comes back with TCP timestamps.
I know the risk is low: the attacker needs to know how long your system has been on.
Is this something we can get fixed? Or does it need some tunable tricks?
Thank you
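What the scanner is reporting is the classic uptime inference: a stack whose TCP timestamp clock counts up from boot at a fixed rate lets anyone who can open a couple of connections recover the tick rate (slope of TSval over wall-clock time) and therefore the time since boot. The block below is an added example (not from the post and not the scanner's code) that performs that inference on constructed captures for two hosts, one with a 1000 Hz timestamp clock and one with a 100 Hz clock and a tick of jitter; the sample values are made up and the table of common clock rates is an assumption that covers the stacks usually seen.

```python
from typing import List, Tuple

# A sample is (seconds since the first capture, TSval from the peer's TCP timestamps option).
Sample = Tuple[float, int]

# Timestamp clock rates commonly seen in the wild, in ticks per second (assumed list).
COMMON_RATES = (2, 10, 100, 250, 300, 500, 1000)


def estimate_tick_rate(samples: List[Sample]) -> float:
    """Least-squares slope of TSval against capture time: the peer's timestamp clock in Hz."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    if den == 0:
        raise ValueError("samples need distinct capture times")
    return num / den


def snap_rate(hz: float) -> int:
    """Round a noisy measured rate to the nearest rate a real stack uses."""
    return min(COMMON_RATES, key=lambda c: abs(c - hz))


def estimate_uptime(samples: List[Sample]) -> Tuple[int, float]:
    """Return (clock_hz, uptime_seconds), assuming TSval counts from zero at boot.

    That assumption is the whole finding: a stack that starts its timestamp clock at boot and
    does not randomize the offset per connection leaks how long it has been up.
    """
    hz = snap_rate(estimate_tick_rate(samples))
    _, last_tsval = samples[-1]
    return hz, last_tsval / hz


def format_uptime(seconds: float) -> str:
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours:02d}h {minutes:02d}m {secs:02d}s"


# Constructed captures, not real traffic.
# Host A: 1000 Hz clock, up for about an hour; three segments 0.5 s and 0.75 s apart.
HOST_A: List[Sample] = [(0.0, 3_600_000), (0.5, 3_600_500), (1.25, 3_601_250)]
# Host B: 100 Hz clock, up about eight minutes, with one tick of jitter in the middle sample.
HOST_B: List[Sample] = [(0.0, 50_000), (1.0, 50_101), (2.0, 50_199)]

if __name__ == "__main__":
    for name, samples in (("host A", HOST_A), ("host B", HOST_B)):
        hz, up = estimate_uptime(samples)
        print(f"{name}: clock {hz} Hz, uptime ~{format_uptime(up)}")
```

On FreeBSD the relevant knob is the `net.inet.tcp.rfc1323` sysctl, and it switches off window scaling together with timestamps, so turning it off costs throughput on high-bandwidth, high-latency paths; newer stacks instead randomize the timestamp offset per connection, which leaves the option on (PAWS and RTT measurement keep working) while making the slope useless for uptime recovery. Which of those a given OPNsense release does is something to verify with `sysctl -a | grep tcp` on the box rather than assume.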
#38
Hi guys,
We are willing to block the USA on the IDS.
Whenever we block the USA on the IDS, the emails that originate from Office 365 and Outlook/Gmail stop arriving.
Is there a way to get those working while blocking the USA?
#39
18.1 Legacy Series / 18.1.6 question
April 09, 2018, 11:21:42 PM
Hi guys,
The release notes of 18.1.6 show the message below. Can someone please explain what happens exactly with the VIP and Multi-WAN? We are using this on our firewall and didn't want to update until things are clear to us. Thank you.
"Three mentionable changes are included: We are switching back to single-source NAT on the primary IP instead of using all additional VIPs on the interface. The hardware-assisted VLAN capability check was removed from the system enabling e.g. XEN users to create VLANs. And the multi-WAN traffic shaping experience has been corrected for non-default interfaces within the scope of shared forwarding."
#40
18.1 Legacy Series / Fail2ban in opnsense
March 27, 2018, 10:57:37 PM
Hi guys,
I was wondering if this project already exists on OPNsense or not.
https://www.fail2ban.org/wiki/index.php/Main_Page

I hope to have this in the near future.

Regards.
Julien