Messages - Julien

556
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 24, 2016, 10:33:28 pm »
Thank you, Franco, for your answer.
I believe we needed to think twice before migrating to OPNsense. The test went fine, but we didn't think about the Mac users and their AirPrint.
It's not about the design of the network; the design of the network is fine, as it is working fine with pfSense right now.
We've been forced to take the OPNsense firewall off the network.
I keep asking on this forum to understand how OPNsense works, to decide whether to continue with it or not.
I appreciate all the support you guys provided.

This is how it's working on pfSense:

The em1 IP is 192.168.1.0/24.
VLAN10 is 10.10.10.0/24, VLAN20 is 20.20.20.0/24.
I've configured the printer IP to use the em1 subnet and not the VLAN subnets.
The IP is 192.168.1.100, and it is detectable from the VLANs and users can print.

Whenever I try the same with OPNsense it doesn't work; the firewall rules are the same as OPNsense, from the WAN and LAN side.

I am willing to fix this without any package.
So would having the users and the printers on the same VLAN make this work?

557
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 23, 2016, 11:57:23 pm »
Quote from: cbb09 on July 23, 2016, 11:05:29 pm
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use say a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
If you can provide me the way of doing this, I'll really appreciate it.
Monday I'll ask the user about the printer using the mdns-responder; if this is still not working we can try your Pi and avahi.
I am sure avahi is working fine with pfSense.
Can you advise how to install avahi and configure it on OPNsense?
I'll be grateful to have this fixed for our customer.

558
16.1 Legacy Series / Re: [SOLVED] Update to 16.1.20
« on: July 23, 2016, 09:45:32 pm »
Quote from: franco on July 23, 2016, 06:49:51 pm
Hey Julien,

Any 16.1 can directly update to 16.1.20, which is a "critical section" in programming terms. Once there, people will be presented with the EOL message and can choose to proceed to 16.7.

This is done solely to avoid 16.1 to upgrade directly into 16.7 without any warning.


Cheers,
Franco

Smartly done, Franco.
I'll be waiting to test the 16.7.
Till now I have no issue with the 16.7.

559
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 23, 2016, 09:42:02 pm »
Quote from: Zeitkind on July 23, 2016, 08:10:57 pm
Just think about 1 possible connection as an example and think about what is all involved.
1. The printer sends out its propagation into its local subnet using mDNS
2. The proxy running on the firewall takes this information and sends it out into all other LANs.
3. The mobile device takes this information (IP and service propagated) and then tries to connect to this IP and the port the service runs (eg. LPR or IPP)

So, if you have separated VLANs with restricted traffic, you need to allow all those packets to get through the filters. That also means that a printer with a dynamic IP isn't really a good idea, because you need pinholes through the firewall to allow this printer to be used from outside its network/VLAN. So either you have to open the firewall like "allow LPR from any to any" or you "allow LPR from any to <IP of printer>" - and a changing IP of the printer will be a little pita.. ^^
I'm quite sure that your firewall is blocking too much. Check if
1. you see the Bonjour packets from other subnets and
2. you can connect to the printer service (IPP, LPR or whatever it offers)

Thank you for your answer.
The scenario is that we have 4 VLANs attached to em1.
I've grouped the 4 VLANs and em1 as one interface, so there is no block between the VLANs.
We have a similar situation on pfSense and Cisco and it works fine. I understand Cisco is routing the traffic between the VLANs. But pfSense is the same as OPNsense? The traffic should be allowed between the interfaces and VLANs? No rules are needed because the allow any to any is on top of the VLANs.
Please correct me if I am wrong, I am just trying to understand this.

560
16.1 Legacy Series / Re: Update to 16.1.20
« on: July 23, 2016, 06:05:03 pm »
Quote from: franco on July 23, 2016, 04:31:57 pm
16.7 will be out on the 28th of July. The general notion being set by "16" for 2016 and "7" for July. The release date is also on the roadmap page:

https://opnsense.org/about/road-map/

The upgrade will be as usual, except for making sure you read the migration points and make a backup of your system and/or configuration just in case.

Since we had a release candidate series for the first time and 16.7-RC and 16.1 "merge" into 16.7 meant that once we've released 16.1.20 we had to temporarily disable the repositories so that 16.1.20 would not end up upgrading to 16.7-RC2 until 16.7 was out.

We'll do this slightly different for 17.1. We've learned something here. Though all is fine. Just wait till Thursday. We know this is exciting but bear with us. :)


Cheers,
Franco

This is good news, Franco.
I'll be waiting for the update; I'll patch my lab first before doing any production updates. Had plenty of headaches the last days.
So the update will go even from 16.1.18? And 16.1.20 is just to disable the repositories until the release is there?


561
16.1 Legacy Series / OPNsense RADIUS over Active Directory authentication
« on: July 23, 2016, 02:36:32 pm »
We have like 20 pfSense firewalls up and running at our customers; some of them are hardware and some virtual.
Important for us is the OpenVPN configuration "SSL + Domain RADIUS authentication".
We have configured the authentication over RADIUS using this document:
https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

Is there a working way to get this imported to the new configuration?
Does OPNsense support the same RADIUS over Active Directory authentication?

Thank you

562
16.1 Legacy Series / Re: Update to 16.1.20
« on: July 23, 2016, 02:26:05 pm »
Quote from: fabian on July 23, 2016, 01:58:04 pm
As far as I can remember this is because otherwise you would upgrade to the release candidate version instead of stable.

I don't mind installing the RC; we have just installed 4 OPNsense hardware units last week, and one customer with Mac users is a pain in the ass with AirPrint.
If we install the RC, can we update to the release whenever it is available?
After the 16.1.20 update, can we use this command
Code:
pkg install -y opnsense-deve
to update to 16.7?


563
16.1 Legacy Series / Re: Update to 16.1.20
« on: July 23, 2016, 12:49:32 pm »
Quote from: chemlud on July 23, 2016, 12:45:49 pm
eeh, to me that's self-explanatory:

"This is the EOL announcement for the 16.1 series of OPNsense."

The 16.7 release date is currently 28.07.2016 iirc. So no need to panic :-D

Nobody is panicking :).
We know about the release. We are just sharing anything we noticed on the kernel.
So the developers should know about it :).

564
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 23, 2016, 12:39:51 pm »
Thank you, Zeitkind, for your continued support.
Can you please point me to where to open the ports? I am blocking the RFC 1918 networks and Reserved/not assigned by IANA; would that affect AirPrint? I see the AirPrint uses an RFC port 3927.

Much appreciated

565
16.1 Legacy Series / Re: Update to 16.1.20
« on: July 23, 2016, 12:37:50 pm »
Quote from: nibblerrick on July 23, 2016, 12:23:28 pm
Same here, please tell which button to press ;-)

I believe on the firmware we need to apply the default image openssl.
But we will wait for the developers to confirm.

566
16.1 Legacy Series / [SOLVED] Update to 16.1.20
« on: July 23, 2016, 12:00:52 pm »
Guys, I got the below error after my update to 16.1.20

Code:
Dearest user,

This is the EOL announcement for the 16.1 series of OPNsense. As such it will not receive any more updates, but the upgrade to the new 16.7 series is seamless, except for the following points:

•The FreeBSD version changes from 10.2 to 10.3, mainly for driver updates and general sanity. Due to kernel interface changes plugins or custom-built kernel modules may stop working. Reinstalling the offending packages from the firmware pages or recompiling custom additions against the stable/16.7 source branch will resolve this problem.
•Legacy VPN Servers for L2TP, PPPoE, and PPTP moved to plugins and need to be installed in order to still make use of them. Your configurations will persist, but may have to be adapted to adhere to the requirements of the MPD5 server daemon. The most important change is that your listening address needs to be a known address, preferably using a Virtual IP from the firewall settings.
•The PPTP server redirection mode has been removed. It can be emulated by the two following NAT port forward rules: From incoming WAN interface, redirect all traffic to PPTP server IP target for protocol GRE. From incoming WAN interface redirect all traffic to PPTP server IP target for protocol TCP, port 1723. Note that due to the design of GRE, only one server can be reached by incoming clients at any given time.
•The Maximum MSS option for VPN Networks moved to Firewall: Settings: Normalization, which can now be specified per interface and network.
•The Disable firewall scrub option was removed. All scrubbing (including MSS clamping) can now be disabled using the Disable interface scrub option under Firewall: Settings: Normalization
•The NAT+proxy reflection option was removed and will automatically switch to the more flexible firewall-based NAT.
•Due to lack of support in FreeBSD itself, the floating rules actions can no longer use match. The custom kernel patch that previously enabled selection of this behaviour has been removed.
•The Disable Negate rule on policy routing rules option is no longer available as automatic VPN skip rules for policy-based routing have been removed. If you want to skip your VPN, please add an explicit rule.
•The IPv6 over IPv4 tunneling option was removed. You can use a regular NAT rule to achieve the same result.


Please heed these points carefully before upgrading. Backup your configs, preview the new version via the live CD or in a virtual machine. Create snapshots. If all else fails, report back in the forums for assistance. You don't have to do this on your own. :)

Crafty Coyote, you've served us well.

Whenever I click on check update I get "Repository problem".
Does this mean we will get the 16.7 soon and 16.1 is not supported anymore?

567
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 23, 2016, 11:49:16 am »
Do I have to do this every time the firewall has been rebooted?

Do you mean run the command again to add the interfaces to the mdns with the below command?

mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60 -f

I just saw there is 16.1.20; is this OK to install?

568
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 22, 2016, 09:34:32 am »
Thank you guys,
unfortunately the issue is not solved yet.
I just had an iPad and I couldn't detect a printer to print with.
When I ran the debug to check the log, I received the below.


root@firewall:~ # mdns-repeater -f
mDNS repeater (version 1.10)
Copyright (C) 2011 Darell Tan

usage: mdns-repeater [ -f ] <ifdev> ...

<ifdev> specifies an interface like "eth0"
packets received on an interface is repeated across all other specified interfaces
maximum number of interfaces is 5

 flags:
        -f      runs in foreground for debugging
        -p      specifies the pid file path (default: /var/run/mdns-repeater.pid)
        -h      shows this help

mdns-repeater: error: at least 2 interfaces must be specified
root@firewall:~ #

569
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 21, 2016, 07:42:38 pm »
Quote from: cbb09 on July 21, 2016, 07:26:43 pm
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20

Thank you for your answer.
The interface is em0, so I've linked all production VLANs to the mdns-repeater:
mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60
The command doesn't show any error.
Does it mean AirPrint should now start working whenever the user is on one of those VLANs?

570
16.1 Legacy Series / Re: Routing apple Bonjour
« on: July 21, 2016, 09:51:35 am »
Thank you guys,
The package is installed.

Quote
Proceed with this action? [y/N]: y
Fetching mdns-repeater-1.10_2.txz: 100%   12 KiB  12.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing mdns-repeater-1.10_2...
[1/1] Extracting mdns-repeater-1.10_2: 100%
root@firewall:~ #

I have 3 LANS, one LAN is up with 5 VLANS.

mdns-repeater <interface 1>: how do I know which interface is LAN1?
Or run the command:
mdns-repeater lan ?

When I run the command I get the below error:
root@firewall:~ # mdns-repeater <interface 1>
Missing name for redirect.
root@firewall:~ #


thank you
