Topics - dragon2611

#1
21.7 Legacy Series / NPTv6 PD?
December 22, 2021, 11:39:00 AM
Is there any way to use NPTv6 alongside PD? I had hoped to be able to use it in order to be able to fail over to a secondary ISP, but it looks like it expects you to manually set the prefixes to be translated.

Sadly I have no way of knowing what my v6 prefix will be for that WAN as it's assigned by DHCPv6-PD, and it tends not to be sticky either.
#2
Zenarmor (Sensei) / Should router on a stick work?
December 21, 2021, 10:07:27 AM
i3-6100T USFF machine, 8GB RAM, ~300Mbit connection.

WAN is a VLAN on em0
LAN is native
Various other VLANs.

OPNsense 21.7.7

Having Zenarmor installed, even running in passive mode, seemed to cause some weirdness like connections hanging or being slow to establish.

Not sure if it's underpowered hardware or it gets upset at seeing the WAN vlans as well.

Only way to split the WAN and LAN interfaces would be to add a USB3 NIC.
#3
Otherwise if you have a ZT network with 0.0.0.0/0 to make other devices route via opnsense it tries to add the route on opnsense itself which usually leads to the opnsense appliance being somewhat unreachable.
#4
18.7 Legacy Series / 18.7.10_3 Loses interface
January 19, 2019, 01:35:47 AM
Upgraded a pair with one physical OPNsense and one virtual from 18.7.6 (I think it was) to 18.7.10_3, and now one of my VLANs can't ping out via the physical unit.

It's bce0_vlan101, so a Broadcom NIC.

Oddly, when I put the physical machine into CARP maintenance mode and rebooted it I was able to ping its IP address from one of the VMs on that VLAN; as soon as I took it out of maintenance mode and it took over the VIP, the VM lost the ability to ping both the firewall's real IP and the virtual IP.

At the moment I've left it in maintenance mode with the virtual secondary handling the traffic. One difference is the VM doesn't have VLANs, whereas the physical does; for the VM the VLAN tagging is done by the hypervisor, so opt1, opt2, etc. are just seen by OPNsense as additional NICs.
#5
19.1 Legacy Series / Feature Request: Tie FRR to CARP.
December 15, 2018, 04:02:32 PM
pfSense has a rather nice feature where you can tie FRR to the status of a CARP IP so it doesn't run unless the firewall is the master.

Allows you to do some nice things like only having the primary firewall participating in BGP, and avoids stuff occasionally being accidentally routed via the secondary.

Any chance of getting this in OPNsense?
#6
18.7 Legacy Series / 18.7.1 default mirror
September 24, 2018, 10:14:28 PM
Both of my 18.7.1 firewalls were reporting "Could not find the repository on the selected mirror." until I changed the mirror from (default) to explicitly setting one.
#7
18.1 Legacy Series / HAproxy Ipv6
February 25, 2018, 02:25:38 PM
What's the format to make HAproxy listen on port 80/443 on an IPv6 address?

It looks like the form only manages to accept either a host name or an IPv4 address :(
#8
18.1 Legacy Series / em0 watchdog timeout (Unraid)
February 02, 2018, 11:25:47 PM
I have a virtual OPNsense running in Unraid 6.4 with the network type set to e1000 (for some weird reason that interface goes AWOL when set to virtio). Anyway, since upgrading to 18.1 it's stuck going em0 watchdog timeout -- resetting.

It was working on 17.7
#9
How do you get it to work with alias?

I've tried tabbing the field but that doesn't seem to work (Firefox), and if I don't put an actual IP then it seems HAproxy gets upset.

I wanted to use a negative match on a list of IPs (i.e. the rule says deny access to /wp-admin/ on the backend server, but if it's one of those IPs on the trusted list the rule shouldn't fire).
#10
If you try and create a NAT rule with destination port any and redirect target port any, you get the following error:

The following input errors were detected:

    A valid redirect target port must be specified. It must be a port alias or integer between 1 and 65535.

I would take "any" to be 1-65535 in the case of proto TCP and/or UDP.
#11
17.7 Legacy Series / WAF/IDS haproxy?
October 30, 2017, 02:34:06 PM
Given Suricata tends not to play nice with virtIO nics and tends to be CPU heavy is there a way to use the HTTP/HTTPs threat rules with HAproxy instead?

Would be nice if possible as it's already acting as the front-end load balancer/proxy and decoding any incoming https  ;)
#12
17.7 Legacy Series / HA Sync and mismatched interfaces
October 21, 2017, 01:08:43 PM
If you have an HA pair of firewalls but the interfaces don't match, the wrong rules will sync.

For instance, firewall1 terminates a GRE tunnel that isn't HA (and I can't be bothered to fix that as it's not critical), so the GRE interface is opt1 and the CARP interface is OPT2.

Firewall 2 doesn't have this interface, so the CARP interface is OPT1, which means it gets the firewall policy for the GRE tunnel rather than the one for the CARP interface.

Would be good if there was some way to manually pair them, or parse the name/description rather than assuming both firewalls are identical.
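The mismatch described in this post, as an added example that is not code from OPNsense or from the poster: two constructed interface tables (firewall1 has the GRE tunnel on opt1 and CARP on opt2, firewall2 has CARP on opt1) and a constructed rule set. Syncing by OPTn position puts the GRE rule on firewall2's CARP interface; pairing interfaces by description instead places the CARP rule correctly and reports the rule that has no counterpart rather than mis-applying it. All names, descriptions and the rule format are assumptions made for the example.

```python
"""Added example (not OPNsense code): pair HA firewall interfaces by description
instead of by OPTn slot before syncing rules, and flag rules whose interface has
no counterpart on the secondary. Interface tables and rules are constructed."""

# Constructed interface tables: name -> description. On firewall1 the GRE
# tunnel occupies opt1, pushing CARP to opt2; firewall2 has no GRE interface.
FIREWALL1_IFACES = {"wan": "Uplink1", "lan": "LAN", "opt1": "GRE_TUNNEL", "opt2": "CARP_SYNC"}
FIREWALL2_IFACES = {"wan": "Uplink1", "lan": "LAN", "opt1": "CARP_SYNC"}

# Constructed rules on firewall1, each bound to an interface by name.
FIREWALL1_RULES = [
    {"interface": "opt1", "action": "pass", "proto": "gre", "descr": "allow GRE peer"},
    {"interface": "opt2", "action": "pass", "proto": "carp", "descr": "allow CARP/pfsync"},
    {"interface": "lan", "action": "pass", "proto": "any", "descr": "LAN out"},
]


def sync_by_position(rules, secondary_ifaces):
    """Position-based sync: keep the optN name as-is and drop rules for slots
    the secondary does not have. This reproduces the failure in the post: a
    rule lands on whatever interface happens to occupy that slot."""
    return [dict(r) for r in rules if r["interface"] in secondary_ifaces]


def sync_by_description(rules, primary_ifaces, secondary_ifaces):
    """Description-based sync: rewrite each rule's interface to the secondary
    interface carrying the same description. Returns (synced, unmatched);
    unmatched rules are reported instead of being bound to a wrong interface."""
    by_descr = {descr: name for name, descr in secondary_ifaces.items()}
    if len(by_descr) != len(secondary_ifaces):
        raise ValueError("interface descriptions on the secondary are not unique")
    synced, unmatched = [], []
    for rule in rules:
        descr = primary_ifaces.get(rule["interface"])
        target = by_descr.get(descr)
        if target is None:
            unmatched.append(dict(rule))
            continue
        synced.append({**rule, "interface": target})
    return synced, unmatched


def rules_on(rules, iface):
    """Descriptions of the rules bound to a given interface name."""
    return [r["descr"] for r in rules if r["interface"] == iface]


if __name__ == "__main__":
    print("by position, opt1 on firewall2:", rules_on(sync_by_position(FIREWALL1_RULES, FIREWALL2_IFACES), "opt1"))
    synced, unmatched = sync_by_description(FIREWALL1_RULES, FIREWALL1_IFACES, FIREWALL2_IFACES)
    print("by description, opt1 on firewall2:", rules_on(synced, "opt1"))
    print("unmatched:", [r["descr"] for r in unmatched])
```

The description lookup refuses to proceed when two secondary interfaces share a description, since a silent "last one wins" would reintroduce the same mis-binding the example is meant to prevent.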
#13
17.7 Legacy Series / Secondary Firewall
October 19, 2017, 10:41:36 PM
Does it cause any issues if the Primary firewall in a HA pair was physical and the secondary was a VM?

Nothing of much importance behind them, just doing NAT for my lab/playground/personal servers environment.
#14
17.7 Legacy Series / [SOLVED] Ha Proxy Frontend IPv6?
September 17, 2017, 06:48:18 PM
Is it possible to make HAproxy bind to an IPv6 address?

It looks like HAproxy itself can support it, but the validation for the listen address in the frontend config doesn't understand IPv6 addresses. :o

Edit:

NVM, I'm being a prat and forgot to hit tab after typing the IP ;) :-[
#15
17.7 Legacy Series / IPSEC and Carp?
August 13, 2017, 03:07:40 PM
Have 3 OPNsense firewalls connecting to a RouterOS device.

2 of them are a pair, the other is standalone (different network).

On the pair in HA/CARP the connection will drop and not re-establish (no phase 2) unless I bounce the primary of the pair.

Peer is 0.0.0.0 with an identifier set due to the remote end being a dynamic IP.

This worked when it was just a single firewall, so I suspect the issue is around CARP/the VIP.

NAT rules are set so 500/4500 gets NATed to the VIP going out and the VIP is set as the IP to use in the IPsec settings; tried changing the identifier on the OPNsense end from "Interface Address" to manually set and then put in the VIP address.

Tried flushing the SAs on the RouterOS side and restarting strongSwan on OPNsense, but it doesn't seem to help.

Aug 13 13:05:41 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:41 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:05:41 charon: 11[IKE] sending cert request for "C=GB, ST=here, L=ssd, O=ssd, E=here@here.local, CN=internal-ca"
Aug 13 13:05:41 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:41 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:41 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:41 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:30 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:30 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:30 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:30 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:25 charon: 11[JOB] deleting half open IKE_SA with 81.108.xxx.xxx after timeout
Aug 13 13:05:25 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:25 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:25 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:25 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:20 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:20 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:20 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:20 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:18 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:18 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:05:18 charon: 11[IKE] sending cert request for "C=GB, ST=here, L=ssd, O=ssd, E=here@here.local, CN=internal-ca"
Aug 13 13:05:18 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:18 charon: 11[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:05:18 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:18 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:10 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:10 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:10 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:10 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:05 charon: 11[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:05 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:05 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:05 charon: 11[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:05:03 charon: 13[JOB] deleting half open IKE_SA with 81.108.xxx.xxx after timeout
Aug 13 13:05:00 charon: 13[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:05:00 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:00 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:05:00 charon: 13[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:04:55 charon: 13[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:04:55 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:04:55 charon: 13[IKE] sending cert request for "C=GB, ST=here, L=ssd, O=ssd, E=here@here.local, CN=internal-ca"
Aug 13 13:04:55 charon: 13[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[IKE] 81.108.xxx.xxx is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:04:55 charon: 13[NET] received packet: from 81.108.xxx.xxx[4500] to 78.xxx.xxx.xxx[4500] (680 bytes)
Aug 13 13:04:45 charon: 13[NET] sending packet: from 78.xxx.xxx.xxx[4500] to 81.108.xxx.xxx[4500] (721 bytes)
Aug 13 13:04:45 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:04:45 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Edit:

Tried disabling NAT-T, no difference.
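A way to read a charon log like the one above, as an added example that is not from the post or from strongSwan: the log shows the responder answering IKE_SA_INIT, seeing the same request retransmitted, and deleting the half-open IKE_SA on timeout, without an IKE_AUTH ever arriving. The script below parses that line format, tallies per peer how often the handshake stalls at this stage, and lists peers that never progress past IKE_SA_INIT. The sample log is constructed using documentation addresses (203.0.113.7, 198.51.100.9, 192.0.2.44) and mirrors the message pattern in the post; the thresholds and function names are my own.

```python
"""Added example (not strongSwan or OPNsense code): summarise charon log lines
per peer and flag handshakes that keep dying as half-open IKE_SAs."""
import re
from collections import defaultdict

# Line shape: "<Mon dd HH:MM:SS> charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: peer 203.0.113.7 stalls twice at IKE_SA_INIT, peer
# 192.0.2.44 gets as far as IKE_AUTH.
SAMPLE_LOG = """\
Aug 13 13:04:55 charon: 13[NET] received packet: from 203.0.113.7[4500] to 198.51.100.9[4500] (680 bytes)
Aug 13 13:04:55 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Aug 13 13:04:55 charon: 13[IKE] 203.0.113.7 is initiating an IKE_SA
Aug 13 13:04:55 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 13 13:04:55 charon: 13[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.7[4500] (721 bytes)
Aug 13 13:05:00 charon: 13[NET] received packet: from 203.0.113.7[4500] to 198.51.100.9[4500] (680 bytes)
Aug 13 13:05:00 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:03 charon: 13[JOB] deleting half open IKE_SA with 203.0.113.7 after timeout
Aug 13 13:05:18 charon: 11[NET] received packet: from 203.0.113.7[4500] to 198.51.100.9[4500] (680 bytes)
Aug 13 13:05:18 charon: 11[IKE] 203.0.113.7 is initiating an IKE_SA
Aug 13 13:05:20 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Aug 13 13:05:25 charon: 11[JOB] deleting half open IKE_SA with 203.0.113.7 after timeout
Aug 13 13:06:00 charon: 12[NET] received packet: from 192.0.2.44[500] to 198.51.100.9[500] (1180 bytes)
Aug 13 13:06:00 charon: 12[IKE] 192.0.2.44 is initiating an IKE_SA
Aug 13 13:06:01 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
"""


def summarise(log_text):
    """Return {peer: {"inits", "retransmits", "half_open_timeouts", "reached_ike_auth"}}.

    Retransmit and IKE_AUTH lines carry no address, so they are attributed to
    the peer most recently seen on the same charon worker thread."""
    stats = defaultdict(lambda: {"inits": 0, "retransmits": 0,
                                 "half_open_timeouts": 0, "reached_ike_auth": False})
    peer_by_thread = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if msg.startswith("received packet: from "):
            peer_by_thread[thread] = PEER_RE.search(msg)["peer"]
        elif msg.endswith(" is initiating an IKE_SA"):
            peer = msg.split()[0]
            peer_by_thread[thread] = peer
            stats[peer]["inits"] += 1
        elif msg.startswith("received retransmit of request"):
            peer = peer_by_thread.get(thread)
            if peer:
                stats[peer]["retransmits"] += 1
        elif msg.startswith("deleting half open IKE_SA with "):
            stats[PEER_RE.search(msg)["peer"]]["half_open_timeouts"] += 1
        elif msg.startswith("parsed IKE_AUTH request"):
            peer = peer_by_thread.get(thread)
            if peer:
                stats[peer]["reached_ike_auth"] = True
    return dict(stats)


def stuck_peers(stats, min_timeouts=2):
    """Peers whose IKE_SA_INIT keeps timing out without ever reaching IKE_AUTH."""
    return sorted(p for p, s in stats.items()
                  if s["half_open_timeouts"] >= min_timeouts and not s["reached_ike_auth"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for peer, s in summary.items():
        print(peer, s)
    print("stuck at IKE_SA_INIT:", stuck_peers(summary))
```

A peer that appears in the stuck list has exchanged IKE_SA_INIT both ways but its IKE_AUTH never arrives at this node, which is the pattern to look for when a CARP VIP or outbound NAT change is suspected: the responder's reply is being sent, so the question becomes whether it reaches the initiator from the address the initiator expects.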
#16
17.7 Legacy Series / Feature Request: NDP Proxy
July 23, 2017, 12:31:02 AM
Did post this a while back for 16.7 but no one answered.

Any chance of some kind of NDP proxying support, since there are ISP/datacentre providers out there that seem to think giving you a /64 on your WAN interface is a valid way of providing IPv6? They don't seem to consider that maybe people want to ROUTE stuff rather than just bridge stuff directly onto the hostile interface.

It makes using IPv6 on a LAN interface or for something like OVPN rather painful. :-\

Something like
https://wiki.openwrt.org/doc/techref/odhcpd

https://github.com/DanielAdolfsson/ndppd
#17
17.1 Legacy Series / Interface Address
June 07, 2017, 12:13:25 AM
Should a NAT rule that is applied as "Uplink1 Address" (where the interface is called Uplink1) apply just to the main address on that interface, or to all IP aliases on that interface as well?

Getting someone complaining they're not getting the expected response from a server, but the only NAT rule for that server on that port has a src match on it, so it shouldn't be firing as he won't be coming from that source address.

There is one further down for anywhere, but it's for "Uplink1 Address"; given the IP alias is an address on Uplink1 I'm wondering if it's hitting that (otherwise I'd expect a straight drop).
#18
17.1 Legacy Series / RouteMaps?
May 29, 2017, 07:24:07 PM
Am I missing it, or are route maps missing from the BGP/OSPF etc.?

Causes some nasty issues with dynamic routing over VPNs if you can't block certain routes being advertised (e.g. the IP that's the VPN endpoint).
#19
17.1 Legacy Series / AWS AMI?
May 18, 2017, 09:14:07 AM
Any plans to release an updated AWS AMI?

There is one in the community but I think it was for 15.3 beta3, so it takes quite a bit of updating to get it to a current release.

It would be nice as most of the firewalls in the Amazon marketplace are very expensive commercial options; the closest thing to OPNsense is a Netgate version of pfSense (which is also paid).
#20
17.1 Legacy Series / Route filtering?
May 13, 2017, 03:52:53 PM
I don't see any options to filter routes received via OSPF, am I missing a setting somewhere or has it not been implemented yet?