Messages - Julien

Pages: 1 ... 8 9 [10] 11 12 ... 45
136
19.7 Legacy Series / Re: Route OPENVPN Multi WAN
« on: August 12, 2019, 03:15:30 pm »
Quote from: dzajac on August 12, 2019, 02:51:01 pm
Have you checked on the remote site what incoming rules you have defined on the OpenVPN interface?
On the WAN interface I have the incoming rules "allow" from both IPs, WAN1 and WAN2.
However, it works when I have GW1 as default. I believe the issue is not on the remote site, as the remote site is operational.
And the OpenVPN interface has an allow any-to-any rule.

137
19.7 Legacy Series / Re: Route OPENVPN Multi WAN
« on: August 12, 2019, 02:39:38 pm »
Quote from: dzajac on August 12, 2019, 01:59:43 pm
Hi Julien,

Besides your problem, you shouldn't use 20.1.1.0/24 and 30.0.0.0/24 if those are not addresses assigned to you; they are from an official range. Only https://tools.ietf.org/html/rfc1918 networks should be used for internal use with IPv4.

As you define which interface is used in the site-to-site VPN configuration, this should not be handled by your routing configuration. If your site-to-site VPN is configured on WAN1, the connection should be initiated and run over that connection.

Correct me if you see the traffic running over the wrong line, but what you configure with gateway groups is fallback in case one connection goes down. As far as I understand, you want to achieve fixed load balancing?

If you can access the networks only from one side, check if you have incoming rules defined on the other side.
Outgoing traffic should work automatically; incoming rules need to be defined, if I am not mistaken.

Check on both sides if you have incoming rules to the local network addresses or hosts on the OpenVPN interface.

Regards,

Dominik

Thank you for your answer.
20.1.1.0/24 and 30.0.0.0/24 are VLANs which are not included in the tunnel.
The site-to-site VPN is configured to use WAN1 (see attached screenshot).
Yes, I am trying to use both WANs as failover, so when WAN2 is down the connection will switch to WAN1; that is why the GW group. And also keep the OpenVPN running on WAN1.


138
19.7 Legacy Series / Route OPENVPN Multi WAN
« on: August 12, 2019, 01:31:59 pm »
Dear all,
I hope someone can route me, as I cannot route my VPN, lol.
The situation is as follows: we have two WANs (WAN1 / WAN2), see screenshot.

WAN1 GW 192.168.30.254
WAN2 GW 192.168.1.254

I have created a GW group with Trigger Level "Packet Loss" and made WAN2 Tier 1 and WAN1 Tier 2.
On the OPNsense I have configured WAN1 as default GW.

What I am trying to achieve is to have WAN1 route the VPN to the remote office and WAN2 be the default internet in the office.
WAN2 is a fiber connection which is 200/200 MB and we want to keep using it as main internet; however, WAN1 is ADSL which is 10/2, and we want it to be used for the VPN to RDP to the external server.

The tunnel: I can access from the remote office back, but from the office I cannot connect to the remote site.
My routing:
Code:
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1

What am I doing wrong?

Thank you
 

139
19.7 Legacy Series / Site to Site openVPN DUAL WAN
« on: August 07, 2019, 02:07:03 pm »
Dear all,
I've been searching for a very long time for the solution to have OpenVPN routing over WAN1 instead of the default WAN2. Let's start from a very basic situation.

The office has two WANs (WAN1 and WAN2). The office has been configured as Dual WAN, and WAN2 is the default WAN interface with its gateway.
The remote office has only one WAN.
So we have created a site-to-site OpenVPN from the office to the remote office, and the tunnel is up.
The remote office is the OpenVPN server and the office with two WANs is the client.

Office IP info (client OpenVPN)
WAN1   192.168.30.20
WAN2   192.168.1.20   (default gateway for the subnet)
LAN    192.168.24.0/24

Remote office (server OpenVPN)
WAN1   ISP IP
LAN    192.168.99.0/24


The tunnel is up and running only from one side. So from the server-side subnet 192.168.99.0/24 I can ping and connect to 192.168.24.0/24,
but from the client side 192.168.24.0/24 I cannot connect to 192.168.99.0/24.

On the client site the OpenVPN tunnel is configured to use WAN1 as its gateway.
I believe this is a routing issue on the client site, so I want to tell the box: when I want to go to 192.168.99.0/24, please use WAN1 instead.

In Firewall >>> Outbound rules, I've created a manual rule on WAN1 sending traffic to host 192.168.99.0/24 using WAN1, but it's not working.

What am I doing wrong?

Thank you
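An added worked example for the two OpenVPN/dual-WAN posts above (the question here and the routing table posted in "Route OPENVPN Multi WAN"); it is not code from the poster or from OPNsense. It implements the same longest-prefix-match lookup the kernel performs over that posted table, so you can see which interface each flow leaves on before and after the default gateway is moved to WAN2. The remote office's public (ISP) address is not given in the posts, so 203.0.113.10 (a documentation range) is an assumed placeholder.

```python
import ipaddress

# Routing table copied from the "Route OPENVPN Multi WAN" post above
# (netstat -rn format: destination, gateway, flags, interface).
POSTED_TABLE = """
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1
"""

# Assumed placeholder for the remote office's public (ISP) address, which the
# posts do not give; 203.0.113.0/24 is reserved for documentation.
ASSUMED_VPN_SERVER = "203.0.113.10"


def parse_routes(text):
    """Parse netstat -rn style lines into (network, gateway, flags, iface).
    Destinations without a prefix length are host routes (/32)."""
    routes = []
    for line in text.strip().splitlines():
        dest, gateway, flags, iface = line.split()[:4]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific matching
    route wins; the default (/0) is used only when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, iface)
    return {"dst": dst, "route": str(best[0]), "gateway": best[1], "iface": best[3]}


def swap_default(routes, gateway, iface):
    """Table with the default route moved to another WAN, which is what the
    poster does when making WAN2 the default gateway."""
    return [(net, gateway, flags, iface) if net.prefixlen == 0 else (net, gw, flags, ifc)
            for net, gw, flags, ifc in routes]


def add_host_route(routes, host, gateway, iface):
    """Table with an extra /32 route pinning one host to a given WAN."""
    return routes + [(ipaddress.ip_network(host + "/32"), gateway, "UGHS", iface)]


if __name__ == "__main__":
    table = parse_routes(POSTED_TABLE)
    # Traffic for the remote LAN always enters the tunnel, whatever the default
    # gateway is; the open question is which WAN carries the tunnel itself.
    print(lookup(table, "192.168.99.10"))
    # Posted table: default via WAN1, so the tunnel transport leaves on em1.
    print(lookup(table, ASSUMED_VPN_SERVER))
    # Default moved to WAN2 (192.168.1.254 / em2): the tunnel endpoint now
    # follows WAN2 unless a more specific route exists.
    wan2_default = swap_default(table, "192.168.1.254", "em2")
    print(lookup(wan2_default, ASSUMED_VPN_SERVER))
    # A /32 for the server via the WAN1 gateway beats the default route.
    pinned = add_host_route(wan2_default, ASSUMED_VPN_SERVER, "192.168.30.254", "em1")
    print(lookup(pinned, ASSUMED_VPN_SERVER))
```

The lookup separates two things that the posts run together: the route for 192.168.99.0/24 into ovpnc1 does not depend on the default gateway at all, while the encapsulated packets to the server's public address follow whatever the default route is unless a more specific (/32) route pins them to WAN1's gateway. Compare the output against `netstat -rn` on the box after each change to the default gateway.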

140
Tutorials and FAQs / Re: Site-to-Site WireGuard passing traffic only for certain IP range
« on: May 07, 2019, 03:26:57 am »
@walshen, big thank you for this.
I managed to get this set up; however, everything is connected but the ping is not leaving Site A to B, or the other way around.
In the live view on both sides it shows green, with the default green rules "let out anything from firewall host itself".
I cannot seem to find what I have done wrong. Services have been rebooted, firewalls booted twice, but nothing happens.

Those are the results of the ping from the interface.

Code:
# /sbin/ping -c '10' '100.64.0.14'
PING 100.64.0.14 (100.64.0.14): 56 data bytes
36 bytes from 100.64.0.10: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 46d3   0 0000  01  01 aa3e 100.64.0.10  100.64.0.14

36 bytes from 100.64.0.10: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 05da   0 0000  01  01 eb37 100.64.0.10  100.64.0.14

Thank you for the great tutorial.

141
19.1 Legacy Series / SSL acme.sh not renewing
« on: April 26, 2019, 01:48:43 pm »
Hi guys,
Today one of our boxes did not update the SSL certificate. The box is on the latest 19.1.6, and the error:

Code:
[Fri Apr 26 13:43:30 CEST 2019] code='400'
[Fri Apr 26 13:43:30 CEST 2019] _ret='0'
[Fri Apr 26 13:43:29 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Fri Apr 26 13:43:29 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4DMKwJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] POST
[Fri Apr 26 13:43:29 CEST 2019] payload='{"resource": "challenge", "type": "", "keyAuthorization": "lJ_wTNXzdXDNMS1lgR4b0vl5f5DUQn7kppJvAS6AnX0.32so50xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0"}'
[Fri Apr 26 13:43:29 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS543kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] Please check log file for more details: /var/log/acme.sh.log
[Fri Apr 26 13:43:29 CEST 2019] _on_issue_err
[Fri Apr 26 13:43:29 CEST 2019] skip dns.
[Fri Apr 26 13:43:29 CEST 2019] vlist='Firewall.gislaved.org#lJ_wTNXzdXDNMS1lgR4b0vl5f5DUMQn7kppJvACFS6AnX0.32so5xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0#https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849#http-01#/var/etc/acme-client/challenges,'
[Fri Apr 26 13:43:29 CEST 2019] dnsadded
[Fri Apr 26 13:43:29 CEST 2019] _clearupdns
[Fri Apr 26 13:43:29 CEST 2019] No need to restore nginx, skip.
[Fri Apr 26 13:43:29 CEST 2019] pid

However, older boxes have renewed their certificates fine.

142
19.1 Legacy Series / Re: cannot access host over vpn
« on: February 06, 2019, 12:42:34 pm »
Can you please explain more?
Firewall rules
Outbound rules

This can help a lot:
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html

143
19.1 Legacy Series / Re: 19.1 development milestones
« on: February 06, 2019, 12:40:48 pm »
Quote from: franco on February 04, 2019, 11:29:15 am
We'll address this in 19.1.1 tomorrow.


Cheers,
Franco
Thank you Franco,
Today I updated 4 boxes and everything seems to be fine.
We have a 10 GB WAN and it's working fine. I am impressed with the IDS: I pick up 90% of my speed, whereas before it was 40%.
Great improvement, thank you guys.

144
19.1 Legacy Series / Re: Update from console to 19.1.r1 failed, no signature found
« on: February 06, 2019, 12:24:37 am »
Hi guys, I am already on OPNsense 19.1-amd64

but I am getting this error: "Fetching packages-19.1.r1-OpenSSL-amd64.tar: .. failed, no signature found"

I know this is related to etc/update/firmware, but in the file I have no version there.

Any suggestion which version I need in the firmware in order to get this fixed?


145
19.1 Legacy Series / Re: Needed to force Realtek 8168's MTU after 19.1 Upgrade
« on: February 03, 2019, 03:50:03 pm »
Quote from: patrickceg on February 02, 2019, 03:45:46 pm
Quote from: chaispaquichui on February 02, 2019, 09:19:39 am
This is your problem :(

https://github.com/opnsense/core/issues/3173

For now I'll place my follow-ups on the GitHub, where I have the same user ID, because I assume some change has to be made either in code or a default config. If my case isn't isolated, I can't imagine the OPNsense install guide saying you have to do a dance with MTU settings before IPv6 or other stuff that relies on frame sizes like UDP streams from some cameras, VPN, etc. work properly :)
I have read the post of John.
Did I misunderstand it, or is there a patch/update for this?
I moved back to 18.7 and am waiting for the confirmation to update.

146
19.1 Legacy Series / Re: 19.1 development milestones
« on: February 02, 2019, 08:36:24 pm »
Quote from: mimugmail on February 02, 2019, 07:29:56 am
After second Teamviewer session I'm guessing it's about Realtek NIC

https://forum.opnsense.org/index.php?topic=11425.0

The solution is (thank you mimugmail):
Code:
In Interface Config under DHCP, Client Config, Advanced, set:

supersede interface-mtu 0

in Option Modifiers

147
19.1 Legacy Series / Re: 19.1 development milestones
« on: February 01, 2019, 07:49:21 pm »
Quote from: mimugmail on February 01, 2019, 04:12:49 pm
Nah .. your outbound works fine ;) google.nl works with a different browser, the other page is also down at my side ;) other stuff cannot be tested as nobody is at home
I have reformatted the box to 18.7; everything is working fine now.
As discussed, the .xml file has been emailed to you.

148
19.1 Legacy Series / Re: 19.1 development milestones
« on: February 01, 2019, 02:21:39 pm »
My outbound is broken, I cannot connect at all.
Connection to Netflix/Xbox/PS4/internet works, and sometimes does not.

149
19.1 Legacy Series / outbound after update
« on: February 01, 2019, 02:20:38 pm »
Dear all,
After updating to 19.1 my outbound is broken. I cannot connect to external websites; sometimes it does open the page, but most of the time it does not work, outgoing connections are blocked.

Our internal connections to FTP/SSH are blocked.
I've checked: the outbound is "Automatic outbound NAT rule generation (no manual rules can be used)".
On the LAN we have any-to-any rules, but nothing works.

Can someone please advise?

150
18.7 Legacy Series / Re: Manual Outbound Spam filter
« on: January 22, 2019, 10:57:53 pm »
Quote from: bartjsmit on January 22, 2019, 07:28:50 pm
Hi Julien,

I have hybrid outbound NAT but with no manual rules related to the WAN interface. I also don't have any virtual IPs configured. I just pick a free public IP from the range assigned by my ISP.

For the 1:1 NATs, I don't have any port forwarding. By definition all traffic from the internal IP to the external IP and vice versa will NAT on the strength of the 1:1 rule that ties them together. All I configure for each 1:1 is the firewall rules for the inbound traffic, since the WAN has default deny inbound, while the LAN has default allow outbound.

You may have overcomplicated things ;-)

Bart...
Hi Bart,
Thank you for your answer. Without manual rules on the outbound it is not working for us. I have to configure the rule on the outbound with hybrid in order to get one IP working; however, the second one is not working, even though I have configured the same rules as the first 1:1.
Outbound and inbound are not working.
Are there some kind of limitations?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved