Messages - ivoruetsche

#16
17.7 Legacy Series / Re: slow IPsec performance
January 02, 2018, 11:51:54 PM
Hi all

In the last days, we wanted to exchange our Cisco ASAs with OPNsense boxes, but we ran into this issue. Our old configuration is an ASA5520 <-> ASA5540 with an IPsec tunnel; the new one is two OPNsense boxes with these CPUs, "AMD GX-412TC SOC (4 cores)" <-> "Intel(R) Xeon(R) CPU E3-1280 V2 @ 3.60GHz (8 cores)", also with an IPsec tunnel, but I don't think this is the problem.

At location A there is a VM which gets a nightly backup from a VM at location B. Both are RHEL 7 VMs and we just switched the gateway from the ASAs to the OPNsense boxes. Routers (Cisco and Draytek), lines and switches at both locations are untouched.

The VM at location B also has a public IP on the OPNsense FW. So if we try to download a file from the web server or do an scp via the IPsec tunnel, we just get a handful of KB/s (scp says "--stalled--"); via the public IP, full speed. At the beginning the transfer is fast for a short moment, then it drops very quickly. But not all the time; sometimes it stays fast a bit longer before "stalled".

The tunnel on the ASA side was IPSecV1, on OPNsense IPSecV2, both ESP etc.

gruss ivo
#17

After some hours of research, we found the problem, but for us, it doesn't make sense:

- Firewall: NAT: One-to-One
- Two weeks ago, we replaced the internal IP addresses of all the NAT rules with predefined Aliases.
- We applied the configuration

This configuration ran fine up to last night, to the time when the Let's Encrypt update script started. The FW was never restarted during the last two weeks - I think we would also have gotten into trouble if we had rebooted the system in this time.

After some hours (Reset to Factory, Complete System Installation etc. - but always with the "last known good configuration", which wasn't...) we found a hint in the system.log:

    Jul  2 17:31:18 xxxx-ch-xxx01-fw02 opnsense: /usr/local/etc/rc.bootup: New alert found: There were error(s) loading the rules: /tmp/rules.debug:98: invalid use of table <xxxx_ch_xxx01_bkp_sxn_bkp01> as the source address of a binat rule - The line in question reads [98]: binat on em0 from $xxxx_ch_xxx01_bkp_sxn_bkp01 to any -> ip.ip.ip.ip

After we replaced all the aliases (like "xxxx_ch_xxx01_bkp_sxn_bkp01") with the IPs, the functionality was back.

Well, the question is why aliases don't work here, why the GUI accepts it, and why it doesn't happen as long as no Let's Encrypt update runs (or system reboot).

gruss ivo
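As an added example (not from the thread or from OPNsense itself): a small check over a rules.debug-style text that expands pf macros and flags binat rules whose source resolves to a table, which is what pfctl rejected in the log line above. The sample rules are constructed, the alias name is a placeholder, and the `table <name>` plus `name = "<name>"` layout is an assumption about how aliases are emitted.

```python
import re

# Constructed sample modelled on the rules.debug excerpt in the post; alias name
# and addresses are placeholders, not the real configuration.
SAMPLE_RULES = """\
table <xxxx_ch_xxx01_bkp_sxn_bkp01> { 192.0.2.10 }
xxxx_ch_xxx01_bkp_sxn_bkp01 = "<xxxx_ch_xxx01_bkp_sxn_bkp01>"
bkp_host = "192.0.2.11"
binat on em0 from $xxxx_ch_xxx01_bkp_sxn_bkp01 to any -> 198.51.100.10
binat on em0 from $bkp_host to any -> 198.51.100.11
binat on em0 from <xxxx_ch_xxx01_bkp_sxn_bkp01> to any -> 198.51.100.12
nat on em0 from $xxxx_ch_xxx01_bkp_sxn_bkp01 to any -> 198.51.100.13
"""

# name = "value"  (pf macro definition, quotes optional)
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$')
# binat ... from <source> ...
BINAT_RE = re.compile(r'^binat\b.*?\bfrom\s+(\S+)')


def resolve(value, macros, depth=0):
    """Follow $macro references (pf allows macros of macros) down to a literal."""
    while value.startswith('$') and depth < 16:
        value = macros.get(value[1:], value)
        depth += 1
    return value


def find_binat_table_sources(rules_text):
    """Return (line_no, line) for every binat rule whose source is a table.

    pf does not accept '<table>' as the source address of a binat rule, so a
    macro that expands to a table reference fails at load time even though the
    rule itself looks valid. Plain nat rules may use tables and are not flagged.
    """
    macros, problems = {}, []
    for no, line in enumerate(rules_text.splitlines(), start=1):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        b = BINAT_RE.match(line)
        if b and resolve(b.group(1), macros).startswith('<'):
            problems.append((no, line))
    return problems


if __name__ == "__main__":
    for no, line in find_binat_table_sources(SAMPLE_RULES):
        print(f"line {no}: table used as binat source: {line}")
```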
#18
Hi

Since today, our OPNsense FW doesn't route the traffic to the inside servers. The only thing that happened last night was an update:

    7/2/17 00:03:21 11.2 95 KB (system): /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php made changes
    7/2/17 00:03:21 11.2 95 KB (system): /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php made changes
    7/2/17 00:03:21 11.2 95 KB (root): Updated Let's Encrypt SSL certificate: vpn2-zg.4synergy.com
    6/25/17 21:02:49 11.2 95 KB root@192.168.2.65: /firewall_rules.php made changes

I tried to revert to the last config from 25.6., but without luck.

For example, we have an internal server with SMTP and HTTP from outside to inside (1.2.3.4 > 192.168.1.5). Yesterday the webmail responded on 1.2.3.4; today, the GUI from OPNsense. No reaction from SMTP from outside. The same effect on all servers (about 8 or 9 servers with different external and internal IPs).

On all external IPs of these servers, all the ports from OPNsense respond (https, ssh etc.).

Any idea? It's a big problem at the moment...

gruss ivo
#19
17.1 Legacy Series / Re: VPN and IP's
March 07, 2017, 07:57:17 AM
Salü Neggard

Why install on the NAS when you have an OPNsense firewall? Terminate the VPN on the firewall and you can access the whole subnet on the LAN side - NAS included.

gruss ivo
#20
By the way, as of 17.1 the installation now also works without problems with the external USB3 ports :)
#21
Hi epoch

OPNsense is basically not AP or NTP server software - it's a firewall. For a firewall you need more than one physical Ethernet interface, so you couldn't implement it with an RPi. Or you do it with VLANs, but for this scenario you need a managed switch and more knowledge about switching, subnets and VLANs, and last but not least, it's not physically separated and not recommended.

From the price side, an easy solution with an APU.2C4 system board from PC Engines is also very cheap:
- apu2c4
- case1d2u
- ac12veur2
- a SD Card

ivo
#22

Well, I just did an update to the latest firmware on two OPNsense boxes (remote :( :( :( ), same problem; it doesn't reconnect to the Internet with PPPoE. I think we had it before as well, but then we could connect via a backup line, not so this time...

gruss ivo
#23
16.7 Legacy Series / Re: bridge mode with vlan trunking
November 24, 2016, 01:20:53 PM
Salü billwong

I don't think that you can do this, because VTP is a special Layer 2 protocol.

gruss ivo
#24
German - Deutsch / Re: VLAN
October 28, 2016, 04:33:48 PM

Salü Stefan

From my point of view that doesn't really make sense; you would then basically be setting up the FW as a switch.

You should distribute the VLANs accordingly on a switch and not try to do something with bridging on the FW.

I actually can't think of any scenario that would require this.

gruss ivo
#25
General Discussion / Re: NAT before IPSec question
October 01, 2016, 06:15:32 PM
Salü Franco

If I can help in some cases, documentation, help or give access to a test environment, please tell me.

gruss ivo
#26

Salü fatalfuuu

From the routing perspective, you need to add on the router 172.16.20.1 a new gateway "172.16.20.2" and a new route:
Destination network: 192.168.1.0/24
Gateway: 172.16.20.2 (created before)

On the main router you just have to add 172.16.20.1 as default gateway and allow the expected traffic.

gruss ivo
#27
...I was also annoyed for a few minutes; the problem is the external USB3 port. I then dug something like this out of our tinkering box and connected it to the internal USB port, which is still USB2:
http://www.conrad.com/ce/en/product/986280/USB-20-Adapter-1x-USB-20-connector-internal-8-pin-2x-USB-20-port-A-Grey-Goobay;jsessionid=20080DE901812D5E0B9F668FAD8B5D94.ASTPCEN31?ref=list

Attached a new USB stick and the installation ran through without problems: simply F10, select the stick and install, then put the lid on and done :)

gruss ivo
#28
General Discussion / Re: NAT before IPSec question
September 21, 2016, 09:24:22 PM

Salü Franco

Thanks a lot for your answer. I found both of these articles as well, but I was hoping that in the meantime there is a solution or a better workaround in place.

So now I'm a bit lost ... because one question is, why is the option NAT/BINAT Address available on the phase 2 configuration page?
And another question is, what can we do on our side, because we have some overlapping subnets. Patching or doing something behind the GUI is not really an option for us; pfSense hmmm... maybe... my stomach says no...

In the next weeks and months it's not a problem to route all the overlapping subnets to the ASA, which can handle this scenario, but sometime next year we want to replace the boxes... And it would be nice to have a solution without boxes behind boxes :)

gruss ivo
#29
Salü fatalfuuu

It's not clear what you really want to do. So you have two DSL modems, which both have Internet connectivity? Do you want a failover scenario, or do you want to split some traffic?

gruss ivo
#30
General Discussion / NAT before IPSec question
September 21, 2016, 11:30:40 AM
Hi Forum Members

I am trying to set up a "NAT before IPsec" connection between two new OPNsense boxes (just installed OPNsense, set up the basics, nothing else) in our test environment. I found some comments about it, but not an exact statement about whether it works or not in the latest version, or documentation about it.

Anyway, I spent some hours trying to get it running, but without luck; here is our test setup:

Site A.80 VLAN: 80 on the em1 interface ("SiteA.80")
Site A.80 IP: 198.18.7.2/25
Site A.80 Test host: 198.18.7.99
Site A outside IP: 2.3.4.5

Site B.110 VLAN: 110 on the em1 interface ("SiteB.110")
Site B.110 IP: 198.18.8.2/25
Site B.110 Test host: 198.18.8.11
Site B outside IP: 3.4.5.6

Site B.110 should be reachable via 198.18.48.0/25 and vice versa, so if I ping 198.18.48.11 from the host with the IP 198.18.7.99, the host 198.18.8.11 should answer.

As I had no luck with the setup, I took two other new boxes and installed pfSense with the same phase 2 parameters and FW rules as on OPNsense, and it works. What am I doing wrong on the OPNsense side?


VPN/IPSec/Tunnel Settings/Phase1 and Phase 2 proposal is like described at https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html


Site A:
VPN/IPSec/Tunnel Settings/Phase2:

  • General information/Mode: Tunnel IPv4
  • Local Network/Type: Network
  • Local Network/Address: 198.18.7.0/25
  • NAT/BINAT/NAT Type: Auto
  • NAT/BINAT/Type: Network
  • NAT/BINAT/Address: 198.18.48.0/25
  • Remote Network/Type: Network
  • Remote Network/Address: 198.18.48.0/25

Firewall/Rules:
  • Allow all traffic on the interface "SiteB.110" from source 198.18.8.0/25 to destination 198.18.48.0/25
  • Allow all traffic on the interface "IPSec" from source 198.18.48.0/25 to destination 198.18.7.0/25


Site B:
VPN/IPSec/Tunnel Settings/Phase2:
  • General information/Mode: Tunnel IPv4
  • Local Network/Type: Network
  • Local Network/Address: 198.18.8.0/25
  • NAT/BINAT/NAT Type: Auto
  • NAT/BINAT/Type: Network
  • NAT/BINAT/Address: 198.18.48.0/25
  • Remote Network/Type: Network
  • Remote Network/Address: 198.18.48.0/25

Firewall/Rules:
  • Allow all traffic on the interface "SiteB.110" from source 198.18.8.0/25 to destination 198.18.48.0/25
  • Allow all traffic on the interface "IPSec" from source 198.18.48.0/25 to destination 198.18.8.0/25



Would be nice to get a hint :)

gruss ivo
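As an added example (my own code, not from the post or from OPNsense): a sanity check of the phase 2 NAT/BINAT parameters as posted for Site A. It shows how 1:1 binat maps a host by keeping its host bits (198.18.7.99 becomes 198.18.48.99) and flags two things a practitioner verifies before blaming the tunnel: local and NAT networks must have the same prefix length, and the translated network must not overlap the remote network. The dictionary keys are my own labels for the GUI fields, not OPNsense configuration keys.

```python
import ipaddress

# Constructed from the Site A phase 2 values quoted in the post; the key names
# are labels chosen here, not OPNsense configuration keys.
SITE_A_PHASE2 = {
    "local": "198.18.7.0/25",      # Local Network/Address
    "nat_binat": "198.18.48.0/25", # NAT/BINAT/Address
    "remote": "198.18.48.0/25",    # Remote Network/Address
}


def binat_translate(addr, local_net, nat_net):
    """1:1 binat keeps the host part of the address and swaps the network part.

    198.18.7.99 in 198.18.7.0/25, translated to 198.18.48.0/25 -> 198.18.48.99
    """
    local = ipaddress.ip_network(local_net)
    nat = ipaddress.ip_network(nat_net)
    if local.prefixlen != nat.prefixlen:
        raise ValueError("binat requires equal-size networks")
    host_bits = int(ipaddress.ip_address(addr)) - int(local.network_address)
    return str(nat.network_address + host_bits)


def check_phase2_nat(cfg):
    """Return a list of findings for one NAT-before-IPsec phase 2 entry."""
    local = ipaddress.ip_network(cfg["local"])
    nat = ipaddress.ip_network(cfg["nat_binat"])
    remote = ipaddress.ip_network(cfg["remote"])
    findings = []
    if local.prefixlen != nat.prefixlen:
        findings.append("binat needs equal-size local and NAT networks")
    if nat.overlaps(remote):
        # Translated local sources and remote destinations would then share one
        # address range, so the tunnel selector cannot tell the two sides apart.
        findings.append("NAT/BINAT network overlaps the remote network")
    if local.overlaps(remote):
        findings.append("local network overlaps the remote network")
    return findings


if __name__ == "__main__":
    print(binat_translate("198.18.7.99", SITE_A_PHASE2["local"], SITE_A_PHASE2["nat_binat"]))
    for finding in check_phase2_nat(SITE_A_PHASE2):
        print("finding:", finding)
```

Run on the posted Site A values the check reports the overlap between the NAT/BINAT address and the remote network; with a remote network outside 198.18.48.0/25 it reports nothing.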