Messages - kyferez

#76
djGrr, what does that command do? Never mind, I found it. Waiting for the latest updates to apply and will report back.

Thanks!
#77
So I have OPNsense as a firewall between 2 VLANs. I have 2 Win 2012 R2 servers that since upgrading to 17.1 cannot communicate over Kerberos, LDAP, etc. However SMB currently works fine, which is weird because they are all the same firewall rule (using aliases). I did packet traces on both servers and checked the logs on the firewall. Screenshot attached. You see the firewall logs passed traffic, which the receiving server gets, but the SYN ACK reply is lost.

In this test, I initiate port 88 traffic from server s1 to server lic1. lic1 receives the SYN, sends a SYN ACK. s1 does not receive the SYN ACK.

Any ideas? How do I verify if the firewall received the SYN ACK from lic1? Do you have a GUI tcpdump utility?


Here are the network details:

VLAN1: 192.168.1.0/24
OPNsense Interface: 192.168.1.1
Server s1: 192.168.1.220
Firewall disabled.
s1 default gateway: 192.168.1.254 but has a permanent route to 192.168.2.0/24 via 192.168.1.1, verified working with tracert.

VLAN2: 192.168.2.0/24
OPNsense Interface: 192.168.2.1
Server lic1: 192.168.2.230
Firewall disabled.
lic1 default route is 192.168.2.1

Thanks!

PS: the image max attachment of 192kb is way too small; it makes it hard to post multiple screenshots.
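One way to answer the "did the firewall receive the SYN ACK from lic1?" question above, as an added example that is not from the original post: take a capture on each of the two OPNsense VLAN interfaces (the packet capture diagnostics page, or tcpdump on the console) and compare them. This script parses tcpdump-style text from both interfaces and reports on which side of the firewall the SYN-ACK disappears; the capture lines and the interface names "vlan1"/"vlan2" are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample captures (not from the original post), in "tcpdump -n" text
# form, as if taken on the two OPNsense VLAN interfaces during the port 88 test.
CAPTURES = {
    "vlan1": """\
10:00:00.000100 IP 192.168.1.220.49152 > 192.168.2.230.88: Flags [S], seq 1000, win 8192, length 0
10:00:03.000100 IP 192.168.1.220.49152 > 192.168.2.230.88: Flags [S], seq 1000, win 8192, length 0
""",
    "vlan2": """\
10:00:00.000200 IP 192.168.1.220.49152 > 192.168.2.230.88: Flags [S], seq 1000, win 8192, length 0
10:00:00.000400 IP 192.168.2.230.88 > 192.168.1.220.49152: Flags [S.], seq 2000, ack 1001, win 8192, length 0
""",
}

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
PKT = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def handshake_stages(capture):
    """Map each flow (client, cport, server, sport) to the handshake stages seen."""
    stages = defaultdict(set)
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sp, dst, dp, flags = m.groups()
        if flags == "S":        # SYN travels client -> server
            stages[(src, sp, dst, dp)].add("SYN")
        elif flags == "S.":     # SYN-ACK travels server -> client; key by client
            stages[(dst, dp, src, sp)].add("SYN-ACK")
    return stages

def diagnose(captures, client_if, server_if):
    """For each flow, say where the SYN-ACK was last seen relative to the firewall."""
    cli = handshake_stages(captures[client_if])
    srv = handshake_stages(captures[server_if])
    verdicts = {}
    for flow in set(cli) | set(srv):
        if "SYN-ACK" not in srv.get(flow, set()):
            v = f"no SYN-ACK on {server_if}: server reply never reached the firewall"
        elif "SYN-ACK" not in cli.get(flow, set()):
            v = (f"SYN-ACK on {server_if} but not {client_if}: dropped or misrouted "
                 "by the firewall (check state table, rules, routes)")
        else:
            v = f"SYN-ACK forwarded to {client_if}: loss is between the firewall and the client"
        verdicts[flow] = v
    return verdicts

if __name__ == "__main__":
    for flow, verdict in diagnose(CAPTURES, "vlan1", "vlan2").items():
        print(flow, "->", verdict)
```

With real captures, replace the CAPTURES text with the output of the capture taken on each interface and keep the client-side interface as the first argument.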
#78
Franco, thanks again!

To make sure I am doing this right: I create the additional WAN IPs as Gateways? Then I use a firewall rule to route the traffic out that new gateway, correct?
#79
Don't mean to hijack, but this is closely related: Is there any way to specify that certain traffic goes out certain WAN IPs?

For example, I often want to use a 2nd Public IP specifically for mail. How would I set it up so all outbound mail from my mail server IP is routed out the 2nd Public IP, but only mail? Note I would want all other traffic from the mail server to use the primary WAN IP.

In Sophos UTM this is easy - it's called Masquerading and Multipath. See screenshot. You can select a source Host or network or destination IP, network or Domain and select a Port or Port Group and direct the matching traffic outbound via a specific Public IP. It's Very flexible. I'd like to see similar in OPNsense ;)
#80
Awesome! Thanks for the clarifications Franco!
#81
So I have read the CARP how-to at https://docs.opnsense.org/manual/how-tos/carp.html and understand everything except:

1) If my ISP is only providing a /30 subnet (1 usable IP), what would be the proper way to configure the WAN side? I'd prefer to avoid double-natting the system...

2) If I am also setting up dual WAN, I assume I just create another VHID group for the 2nd WAN and also it would have to be a different subnet. From the example the WAN is 172.18.0.x/24 so following the example I'd make the 2nd WAN 172.18.1.x/24, correct?

3) Is there any way to make the CARP system Active/Active instead of Active/Passive?

Thanks!
#82
See screenshot. I need to specify TCP, UDP, or Both in the Ports Alias for each port. Is there any way to do this? I do see I can set it in the firewall rule, however that's either inefficient (have to use up to 3 different rules and 3 different Aliases) or it's less secure (specify both in the firewall rule).

Sophos UTM resolves this by allowing you to specify the TCP/UDP/Both in their "Network Group" which is similar to your Alias, but not everyone can afford a UTM.
#83
Ok, so coming from pfSense I used the GUI log pages quite often to help identify firewall issues. Where do I find such logs in OPNsense? Am I missing it or are they not there yet?