Topics - Wayne Train

#21
Hi,

Could someone take a look at whether this is "normal" behaviour?
By my logic it should be fine, since the comments on the input fields say that you should not enter the username and password on the backup node. I just find it a bit confusing that the backup FW talks about a backup FW when it is one itself...

By the way, I'm asking this to rule out that I messed up my CARP, since I'm currently dealing with IPsec & CARP in another post...

So it would be great if someone could weigh in.
Thanks
#22
Hi,

We run OPN as a CARP cluster. In addition, our office is connected to another site via a site-to-site tunnel. That works fine as well, except that at the second site I cannot reach the backup firewall through the tunnel.
At first I thought it might be a routing issue, but by now I suspect the problem is rather in IPsec. I suspect that the backup FW thinks it can send its packets through its own tunnel, although the tunnel has already been established on the master via the CARP VIP. I hope I have expressed myself clearly. Does anyone have an idea where I could start debugging to fix the problem?

A tip would be great. Thanks!

Kind regards
Wayne
#23
Hi,
Has anyone of you by chance managed to connect OPN to a Samba 4 AD via LDAP?
Unfortunately this keeps failing for me on 17.7.11. Or could there be a bug in the "Authentication Container" so that I cannot select anything there? When I check the connection with the "Tester", it succeeds.
Thanks in advance.
Kind regards
#24
17.7 Legacy Series / Clarification on floating rules ?
November 27, 2017, 01:01:31 PM
Hi,

I'm not really sure if I understand the concept of floating rules correctly. OPN has nothing regarding this topic in its documentation, but PF states the following:

1) Filter traffic from the firewall itself
2) Filter traffic in the outbound direction (all other tabs are Inbound processing only)
3) Apply rules to multiple interfaces
4) Apply filtering in a "last match wins" way rather than "first match wins" (quick)
5) Apply traffic shaping to match traffic but not affect its pass/block action

Is this exactly the same for OPN ?
The following things aren't really clear to me:

2) Until now, I filtered my outbound traffic from single VLANs from their interface tab in the rules menu. Is this the wrong approach? For example: I created some port aliases with what I wanted to be permitted outbound and allowed this with a rule that inverted RFC1918 to make it match on all destinations but the private IP address range.

4) What should "last match" mean exactly? Does it mean that if I would like to block traffic from LAN to 0.0.0.0 and this rule is followed by a rule that, for example, just blocks traffic from LAN to a specific IP, then this rule will match and not the "block LAN to 0.0.0.0" rule? Apart from the fact that this example makes no real sense, this concept seems a bit strange to me.

If someone could clarify on this, I would be grateful.

Thanks.
Wayne
#25
Hi,

I'm experiencing the following issue: My FW is up and the cluster nodes can see each other. When, for example, I ping 10.1.1.10, which is node1's IP, I get no ICMP reply, although the interface is up within the GUI and on the CLI. Furthermore the interface resides on a lagg that carries another 5 VLAN interfaces. I can ping some of them, others not.

Since this seems to happen only on my master FW, I think it might be something hardware related. I went to the logs in the GUI, but I wasn't able to find anything explaining the behaviour.

Does anyone have some tips on how I can dig a little deeper on the CLI? Since I'm a Linux guy and not familiar with BSD, I just found the logs under /var/log/, but there is nothing that helps me in this case.

"dmesg" is not showing anything explaining this behaviour.

It would be nice if someone has some good advice on how to debug things like that.

Thank you.
Wayne
#26
Hi,
I would like to get rid of the Fritzbox entirely and have my public IP on the WAN of the OPN.
Can anyone recommend a good modem? Or is there still a cheap VDSL2 / vectoring router somewhere that can be run as a transparent bridge?
Kind regards
Wayne
#27
German - Deutsch / Bug in the Captive Portal
November 17, 2017, 01:46:17 PM
Hi,

I have discovered a bug in the Captive Portal on version OPNsense 17.7.5-amd64.
I hope I'm in the right place here; otherwise I'm happy to report it elsewhere....

If, for example, I want to whitelist devices in the fields

Allowed addresses

and

Allowed MAC addresses

then this is not written to the configuration (/conf/config.xml). So far I have only managed to get the Captive Portal to accept the MAC and the IP by manually editing the XML and then restarting.

Currently, however, I have the problem that I need to whitelist another device. I have now also written it directly into the XML with vi. First comma-separated, then with a space. Unfortunately, in both cases the second IP is ignored and the whitelist does not apply. Does anyone have an idea how I can teach my OPN the second IP?

Kind regards
Wayne

#28
17.7 Legacy Series / DROP invalid packets ?
November 09, 2017, 12:19:36 PM
Does OPN drop invalid packets like XMAS and SYN+RST or SYN+FIN by default, or do I have to specify them with an explicit rule? I'm talking about something similar to this (iptables):

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Kind regards,
Wayne
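The post asks which flag combinations a "drop invalid" policy should cover. As an added example (not from the post or from OPNsense), the code below evaluates iptables-style `--tcp-flags MASK COMP` tests against raw TCP flag bytes, with the quoted `ALL ALL` rule first, so a defender can check a sample of observed flag bytes against the usual invalid-combination list before deciding which rules are needed.

```python
# Added example, not from the post: evaluate iptables-style "--tcp-flags MASK COMP"
# tests against raw TCP flag bytes, so the invalid combinations asked about above
# (XMAS, SYN+FIN, SYN+RST, ...) can be checked from a capture before writing rules.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # iptables' ALL keyword: FIN,SYN,RST,PSH,ACK,URG

def flagset(spec):
    """Bitmask for an iptables flag list such as 'SYN,FIN', or the keywords ALL / NONE."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(flags_byte, mask, comp):
    """--tcp-flags MASK COMP: of the bits in MASK, exactly the bits in COMP must be set."""
    return (flags_byte & flagset(mask)) == flagset(comp)

# Rules in the order a ruleset would evaluate them (first match wins); the first
# entry is the iptables rule quoted in the post.
RULES = [
    ("ALL", "ALL", "XMAS (all flags set)"),
    ("ALL", "NONE", "NULL (no flags set)"),
    ("ALL", "FIN,PSH,URG", "XMAS (FIN+PSH+URG)"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("FIN,ACK", "FIN", "FIN without ACK"),
]

def classify(flags_byte):
    """Label of the first rule the flag byte matches, or None if the combination is legitimate."""
    for mask, comp, label in RULES:
        if tcp_flags_match(flags_byte, mask, comp):
            return label
    return None

def audit(packets):
    """Run the ruleset over (description, flags_byte) pairs and return the offenders."""
    return [(desc, classify(f)) for desc, f in packets if classify(f)]

# Constructed sample: flag bytes as they appear in the TCP header's flags field.
SAMPLE = [("handshake SYN", 0x02), ("SYN-ACK", 0x12), ("data PSH+ACK", 0x18),
          ("FIN+ACK", 0x11), ("xmas", 0x3F), ("null", 0x00), ("syn+fin", 0x03),
          ("syn+rst", 0x06)]

if __name__ == "__main__":
    for desc, label in audit(SAMPLE):
        print(f"{desc}: {label}")
```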
#29
17.7 Legacy Series / OS-Detection in Firewall-Rules
November 09, 2017, 12:06:46 PM
Hi,

I want to use the OS-Detection feature in certain firewall-rules. Does anyone know what I need to choose for Android and iOS devices ?
And what about Linux? There is just "Linux" and variants like "Linux 3.0" and so on. Am I right to interpret that just "Linux" will match all kernel versions, while for example "Linux 3.0" only matches kernel version 3 OS?

I need to restrict access from mobile devices and therefore search for any matching criteria to build a rule upon.

Kind regards,
Wayne


#30
17.7 Legacy Series / TLSv1.2 only
October 09, 2017, 10:16:32 AM
Hi,
is there any possibility to enable TLSv1.2 only on OPNsense ?
If I scan my box with default crypto settings it shows:

BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2

LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers

By simply disabling any CBC cipher, it would be possible to prevent LUCKY13 attacks, but where can I disable TLSv1.0 and TLSv1.1 completely?

Thanks in advance.
#31
Hi,
I'm experiencing a very strange behaviour: If I tell Netflow to listen on WAN, SYNC, VLAN1, VLAN2 and VLAN3, the presentation in Insight is wrong. For example: If I select the interface VLAN1 it displays the sources of VLAN3.
Is there any way to fix this issue ?
I have 11 Interfaces in total, but opt1 (AMT) is not configured and 8 of 10 interfaces are vlans on a lagg-interface.
Any idea ?
Best regards,
Chris
#32
Hi,
What I don't quite understand in the wiki: do I really have to break TLS in order to use the web proxy on 443 as well? Don't the blacklists work with TLS? The TLS handshake has to be done first anyway, and if the filter list matches there, I can deny access, can't I? Or is there a flaw in my reasoning?
Kind regards
Wayne
#33
17.7 Legacy Series / Group Applications / Protocols ?
August 10, 2017, 01:13:42 AM
Hi,
Some time ago I used Palo Alto's PAN-OS and they had a very nice feature: One could define an application list that contains all permitted apps of the zone. After that, only this list got referenced in a firewall rule. With this approach it was very easy to reduce large rulesets to a few rules, which made them easier to read. Is there something similar on OPNsense?
Best regards,
Wayne.
#34
German - Deutsch / Unbound DNS - Allow transfer
August 04, 2017, 09:41:47 AM
Hi,
Is there a way to allow a zone transfer from another machine on Unbound?
At least I haven't found any option in the access lists that I would associate with that...
A tip would be cool.
Kind regards
Wayne
#35
Hi,

I have some questions regarding IDS tuning and the setup itself. First of all: in the wiki Suricata is only listening on WAN. Is this correct? I mean, doesn't it make sense to make it listen on LAN, too? From my understanding, if it listens on WAN, I only receive alerts that contain my public IP, but not the IP of a LAN-side host that may be communicating with a C'n'C server.
How do you manage this? Do you listen on both interfaces?

And what about the tuning process? Is there any good tutorial regarding OPN and Suricata? I googled this, but I didn't find anything like that. Only some YouTube tutorials on pfSense and Suricata, but on PF Suricata seems to have a lot more features / views / menus...

My first idea was to enable IPS and switch the rules to alert only, then check whether the rules match my network, whether the alerts are false positives and so on, then disable all the unneeded rules and later set the true positives to drop.

I would appreciate if someone would share some ideas on this.

Best regards.
Wayne
#36
Hi,
I just upgraded from 17.1.8 to 17.1.9 and I'm still struggling with the same weird OpenVPN issue:

I created a user with a user cert, signed by my own OpenVPN-CA which I created on the box itself.
Now, when I go to "VPN/OpenVPN/Client Export" I choose, for example, the user "vpu" to export an archive for.
As soon as I click on Archive-Download, I see that OPNsense is offering me the cert for the wrong user.
This user archive is an artifact of an already deleted user, whose cert is revoked and deleted.
It just seems, that OPNsense is enumerating something wrong. Is there a way to fix this issue ?
Or can I reset the WebGUI-Archive enumeration to existing Archives ?
Attached you'll find a screenshot of the issue.

Best regards,
Wayne
#37
Hi.
I included the yoyo ad-and-tracker-blocking hosts-file to unbound, but
I don't really understand why this zone maps to 0.0.0.0 instead of 127.0.0.1.
Can someone please clarify ?
Is there any special benefit of doing so?
Is 0.0.0.0 faster or slower than 127.0.0.1?
Best regards,
Wayne
#38
Can anybody tell me, what's the meaning of these strange IPs in the attached screenshot of a CARP-packet?
Is this just for calculating a checksum? Or what's their purpose?
Does anybody else have IPs in there ?
Regards,
Wayne
#39
Hi,

I'm experiencing a very strange issue resulting in various split-brains.
Most of the time, only WAN is switched over to the backup node.
When I try to resolve the splitbrain, I manually set the BACKUP-node to CARP MAINTENANCE MODE
and the MASTER holds all interfaces again. The strange thing is, that when I leave Maintenance Mode
on BACKUP, the BACKUP-node takes over the MASTER-role again.
Furthermore, after rebooting or after a failover, the BACKUP-Node remains
in the master-role, while the original MASTER is demoted to the backup-role.

I'm running a LACP-LAGG that consists of igb0 and igb1, that holds a couple of vlans.
My Switch is also configured to use LACP for the trunk.

Each VLAN is configured like this:

MASTER-Node   Virtual-IP
10.x.x.10     10.x.x.1/24   vhid 12, freq. 1 / 0
10.x.y.10     10.x.y.1/24   vhid 24, freq. 1 / 0

BACKUP-Node   Virtual-IP
10.x.x.20     10.x.x.1/24   vhid 12, freq. 1 / 100
10.x.y.20     10.x.y.1/24   vhid 14, freq. 1 / 100


When I'm capturing carp-packets I see the following on the LAN-Side:

Capture output of the MASTER-Node:
09:09:53.869797 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:09:55.282945 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:09:56.696995 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36

Capture output of the BACKUP-Node:
09:08:30.688149 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:08:32.116865 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:08:33.508241 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36


On the WAN-Side it looks like this:

Capture output of the MASTER-Node:
09:11:38.102897 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36
09:11:39.504055 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36
09:11:40.929161 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36

Capture output of the BACKUP-Node:
09:13:43.619491 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36
09:13:45.039772 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36
09:13:46.431278 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36


Every Interface & VLAN has a rule to allow any traffic between the CARP-Nodes:

Action   Proto    Source               Port   Destination          Port   Gateway
Pass     IPv4 *   CARP_NODES_VLAN_X    *      CARP_NODES_VLAN_X    *      *


My "High Availability Settings" are configured like this:

MASTER (172.x.y.y = Sync-Interface-IP)
Synchronize States      YES
Synchronize Interface      SYNC-Interface
Synchronize Peer IP      172.x.y.z
Synchronize Config to IP   172.x.y.z
Remote System Username      user_name
Remote System Password      password
Users and Groups      YES
...            YES
DNS Resolver         YES


BACKUP   (172.x.y.z = Sync-Interface-IP)
Synchronize States      YES
Synchronize Interface      SYNC-Interface
Synchronize Peer IP      172.x.y.y

I left all other Settings unchecked, since the help tells, that one should only sync
from the MASTER to the BACKUP node and not bi-directional. So I assume this is right.
Or am I wrong ?


In My logs I can only find the following entries:

Jun 23 19:03:21    kernel: carp: 12@lagg0_vlan40: MASTER -> BACKUP (more frequent advertisement received)
Jun 23 19:03:21    kernel: carp: 17@lagg0_vlan100: MASTER -> BACKUP (more frequent advertisement received)
Jun 23 19:03:21    kernel: carp: 19@lagg0_vlan20: MASTER -> BACKUP (more frequent advertisement received)
Jun 23 19:03:21    kernel: carp: 16@lagg0_vlan70: MASTER -> BACKUP (more frequent advertisement received)
Jun 23 19:03:21    kernel: carp: 15@lagg0_vlan60: MASTER -> BACKUP (more frequent advertisement received)
Jun 23 19:03:20    kernel: carp: 20@lagg0_vlan10: MASTER -> BACKUP (more frequent advertisement received)

To me it looks like the BACKUP node is advertising more frequently than the original MASTER and therefore becomes the master.

I also checked the settings on the shell to see, if there is some valuable information regarding carp. As you can see on the MASTER,
it got demoted:

   net.inet.carp.ifdown_demotion_factor: 240
   net.inet.carp.senderr_demotion_factor: 240
   net.inet.carp.demotion: 3120
   net.inet.carp.log: 1
   net.inet.carp.preempt: 1
   net.inet.carp.allow: 1
   net.pfsync.carp_demotion_factor: 240

While on the BACKUP-node it looks like this:

   net.inet.carp.ifdown_demotion_factor: 240
   net.inet.carp.senderr_demotion_factor: 240
   net.inet.carp.demotion: 0
   net.inet.carp.log: 1
   net.inet.carp.preempt: 1
   net.inet.carp.allow: 1
   net.pfsync.carp_demotion_factor: 240


Another strange thing is that, by invoking "ifconfig", all my VLANs are in the carp group "groups: vlan",
while on my WAN interface "igb5" no carp group is defined. May this be the reason for the split brains?
In some way this would explain why the VLANs and WAN fail over separately. In a correctly working
HA environment, I would expect the master to fail over completely to the backup if any of its interfaces
goes down...

I'm experiencing this issue on 17.1.1, 17.1.4 and 17.1.8 and I have really run out of ideas on how to resolve it.
Is it possible that this is a bug in FreeBSD CARP or in the OPNsense release?
Is someone experiencing similar issues?

Best regards,
Wayne
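To work through a CARP split-brain like the one above from captures and logs rather than by eye, here is an added example (not from the post or from OPNsense) that parses the tcpdump advertisement lines and kernel carp log lines as shown in the post, reports which node is advertising each vhid and at what observed interval, and breaks the net.inet.carp.demotion value down into 240-unit penalties. The sample lines are the post's own (with the poster's 10.x.x.20 / WAN_BACKUP_NODE_IP masking); the expected master address 10.x.x.10 in the usage is taken from the post's VLAN table.

```python
import re
from collections import defaultdict

# Sample input copied from the capture and kernel log lines in the post above.
CAPTURE = """\
09:09:53.869797 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:09:55.282945 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:09:56.696995 IP 10.x.x.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 14, prio 100, authtype none, intvl 1s, length 36
09:11:38.102897 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36
09:11:39.504055 IP WAN_BACKUP_NODE_IP > 224.0.0.18: VRRPv2, Advertisement, vrid 12, prio 100, authtype none, intvl 1s, length 36
"""
KLOG = """\
Jun 23 19:03:21    kernel: carp: 12@lagg0_vlan40: MASTER -> BACKUP (more frequent advertisement received)
Jun 23 19:03:20    kernel: carp: 20@lagg0_vlan10: MASTER -> BACKUP (more frequent advertisement received)
"""
# tcpdump decodes CARP as VRRPv2: "vrid" is the vhid and "prio" is the advertised advskew.
AD_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > 224\.0\.0\.18: VRRPv2, Advertisement,"
                   r" vrid (\d+), prio (\d+), .*intvl (\d+)s")
LOG_RE = re.compile(r"carp: (\d+)@(\S+): (\w+) -> (\w+) \((.*)\)")

def parse_ads(text):
    """{vhid: [(seconds_since_midnight, src, advskew, intvl)]} from tcpdump CARP lines."""
    ads = defaultdict(list)
    for m in (AD_RE.match(line) for line in text.splitlines()):
        if m:
            h, mi, s, src, vhid, skew, intvl = m.groups()
            ads[int(vhid)].append((int(h) * 3600 + int(mi) * 60 + float(s), src, int(skew), int(intvl)))
    return dict(ads)

def advertisers(ads):
    """{vhid: set of advertising sources}; two sources for one vhid means both nodes claim MASTER."""
    return {vhid: {src for _, src, _, _ in rows} for vhid, rows in ads.items()}

def unexpected_masters(ads, expected_src):
    """(vhid, src) pairs whose advertisements do not come from the node that should be MASTER."""
    return sorted((vhid, src) for vhid, srcs in advertisers(ads).items() for src in srcs if src != expected_src)

def mean_gap(ads, vhid):
    """Observed seconds between advertisements, to compare with the announced intvl (1 s)."""
    ts = sorted(t for t, *_ in ads[vhid])
    return (ts[-1] - ts[0]) / (len(ts) - 1) if len(ts) > 1 else None

def transitions(text):
    """[(vhid, interface, old_state, new_state, reason)] from kernel carp log lines."""
    return [(int(m[1]), m[2], m[3], m[4], m[5]) for m in map(LOG_RE.search, text.splitlines()) if m]

def demotion_contributors(demotion, factor=240):
    """Number of 'factor'-sized penalties in net.inet.carp.demotion (3120 on the master = 13).
    FreeBSD adds this counter to the advskew a node advertises (capped at 240), so a demoted
    MASTER loses to a BACKUP advertising advskew 100 once preempt is on."""
    return demotion // factor

if __name__ == "__main__":
    print(unexpected_masters(parse_ads(CAPTURE), "10.x.x.10"), transitions(KLOG), demotion_contributors(3120))
```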
#40
Hey,
what is the current stable release ? Is it 17.1.4 or is it 17.1.8 ?
I'm a bit confused, since one of my boxes is already on 17.1.8, while if I attempt to download an image, I'm offered version 17.1.4.
Thanks in advance.
Best regards,
Wayne