Messages - lrosenman

Pages: 1 ... 7 8 [9] 10 11 ... 14
121
20.7 Legacy Series / Re: Why do I have NTP traffic to random IP's?
« on: July 31, 2020, 01:35:24 am »
The system defaults to OPNsense pool NTP servers.  You really DO want NTP to do its thing so that your system time is accurate and not drifting.

Time is CRITICAL for certificate and SSL validation.

attached is what my system is currently using.

122
20.1 Legacy Series / From the nits department....
« on: February 20, 2020, 04:06:07 am »
The description of the 20.1 forum says:

Feedback and questions for the 19.7 series

Just a minor nit :)

123
20.1 Legacy Series / Re: netgraph change: will https://github.com/aus/pfatt need adjustment?
« on: February 01, 2020, 02:25:53 am »
I wound up with having to add the file referenced as /boot/loader.conf.local and restoring my interface config to get all my vlans, et al, right.

Hopefully that survives the next major upgrade.


124
20.1 Legacy Series / netgraph change: will https://github.com/aus/pfatt need adjustment?
« on: January 30, 2020, 04:01:56 am »
Given that I *DEPEND* on the pfatt module to authorize my ONT, will the netgraph change called out in the release notes cause me grief?

thanks (I don't dare try it as I don't want to be knocked offline).

125
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 02:26:19 pm »
Bingo.  I had screwed up which address was in which VPN.  tcpdump on enc0 had me see the correct source address, and having added the correct 10.128* address to the local network gateway on Azure makes it work.

THANK YOU.


126
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 01:21:41 pm »
root@home-fw:~ # tcpdump -XX -vv -s 0 -i ipsec2000 dst host 10.64.0.4
tcpdump: listening on ipsec2000, link-type NULL (BSD loopback), capture size 262144 bytes

nothing (even for LAN->IPSEC traffic)

127
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 01:14:11 pm »
adding that does NOT change anything.  >:(

128
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 12:24:29 pm »
I've actually tried adding it, and no dice, FWIW.

129
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 12:10:36 pm »
the /32 is actually the gateway address:
https://www.lerctr.org/~ler/lng.png

I don't think we want it to appear twice.

130
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 11:52:58 am »
To be clear, the VPN Gateway I set up on the Azure side is a Route Based VPN. 

I followed this guide:
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html

What do I need to add/use?  or doesn't this work to have the fw use the tunnels itself?


131
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 11:37:27 am »
Azure (the destination) doesn't do policy based, and I don't want ALL the traffic to go via Azure.


132
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 11:32:13 am »
What are the *EXACT* settings on the phase 2 page?

This is a route-based tunnel.

Thanks for any help.

133
General Discussion / Re: Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 10:12:20 am »
Could you be more specific on adding the WAN/32 as a 2nd phase2, and can that appear in BOTH Tunnels?

I'm looking for the system itself (not just unbound) to be able to use stuff off the tunnels.

Specifics would be appreciated.

134
General Discussion / [SOLVED] Use an IPSEC connected DNS or LDAP server from the firewall itself
« on: September 04, 2019, 03:45:26 am »
I have the following setup:
                            |---> <VIA ipsec 172.20.0.0/16, reachable from the LAN>
<LAN 192.168.200.11/22> ----+
                            |---> <VIA ipsec 10.64.0.0/16, reachable from the LAN>


If I try to set the system to use 172.20.100.34 as a DNS server it doesn't get any response,
same with 10.64.0.4.

If I ping using -S 192.168.200.11 it all works.

What am I missing in the routing tables?

root@home-fw:~ # netstat -rn |more
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            76.250.252.1       UGS      ngeth0
10.64.0.0/16       10.128.0.2         UGS    ipsec100
10.128.0.1         link#18            UHS         lo0
10.128.0.2         ipsec1000          UHS    ipsec100
10.128.0.3         link#19            UHS         lo0
10.128.0.4         ipsec1000          UHS    ipsec200
76.250.252.0/22    link#11            U        ngeth0
76.250.255.117     link#11            UHS         lo0
127.0.0.1          link#7             UH          lo0
172.20.0.0/16      10.128.0.4         UGS    ipsec200
172.31.0.0/16      10.128.0.4         UGS    ipsec200
192.168.16.0/24    link#15            U      em0_vlan
192.168.16.1       link#15            UHS         lo0
192.168.17.0/24    link#16            U      em0_vlan
192.168.17.1       link#16            UHS         lo0
192.168.18.0/24    link#17            U      em0_vlan
192.168.18.1       link#17            UHS         lo0
192.168.40.0/24    link#12            U      em0_vlan
192.168.40.1       link#12            UHS         lo0
192.168.64.0/24    link#13            U      em0_vlan
192.168.64.1       link#13            UHS         lo0
192.168.192.0/24   link#14            U      em0_vlan
192.168.192.1      link#14            UHS         lo0
192.168.200.0/22   link#1             U           em0
192.168.200.11     link#1             UHS         lo0
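The symptom in this post (no reply unless the ping is forced to a LAN source with -S) and its resolution in the 02:26:19 pm reply earlier on this page (the firewall's own traffic left with a 10.128.* tunnel address that the Azure local network gateway did not cover) both come down to route selection followed by source-address selection. The Python below is an added example, not code from the thread or from OPNsense: it parses the posted netstat -rn rows, performs the longest-prefix-match lookup the kernel performs, and models which source address a locally generated packet gets versus the one forced with ping -S. The interface-to-address mapping LOCAL_ADDR, the 10.128.0.0/24 prefix standing in for "the correct 10.128* address", and the two "what Azure knows" lists are assumptions and placeholders, not values from the thread.

```python
"""Route lookup and source-address selection modelled on the netstat -rn output
posted in the thread. Added example; not code from the thread or from OPNsense."""
import ipaddress
from dataclasses import dataclass

# Subset of the routing table posted in the thread (the VLAN interface rows are
# omitted; they do not affect the tunnel destinations discussed).
NETSTAT_RN = """\
default            76.250.252.1       UGS      ngeth0
10.64.0.0/16       10.128.0.2         UGS    ipsec100
10.128.0.1         link#18            UHS         lo0
10.128.0.2         ipsec1000          UHS    ipsec100
10.128.0.3         link#19            UHS         lo0
10.128.0.4         ipsec1000          UHS    ipsec200
76.250.252.0/22    link#11            U        ngeth0
76.250.255.117     link#11            UHS         lo0
127.0.0.1          link#7             UH          lo0
172.20.0.0/16      10.128.0.4         UGS    ipsec200
172.31.0.0/16      10.128.0.4         UGS    ipsec200
192.168.200.0/22   link#1             U           em0
192.168.200.11     link#1             UHS         lo0
"""

# ASSUMPTION: the address each egress interface owns. The LAN and WAN values are the
# UHS host routes above; the ipsec100/ipsec200 values (.1 and .3) are inferred from
# the .2/.4 peer routes and are illustrative, not confirmed by the thread.
LOCAL_ADDR = {
    "em0": "192.168.200.11",
    "ngeth0": "76.250.255.117",
    "ipsec100": "10.128.0.1",
    "ipsec200": "10.128.0.3",
}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_routes(text: str) -> list[Route]:
    """Turn netstat -rn rows into Route objects (host rows become /32, 'default' is 0.0.0.0/0)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


def lookup(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.network.prefixlen)


def source_for(routes: list[Route], dst: str) -> str:
    """Source address a locally generated packet gets when nothing binds it explicitly
    (no ping -S, no service bound to a LAN address): the address of the egress
    interface chosen by the route lookup. Simplified model of the kernel's behaviour."""
    route = lookup(routes, dst)
    return LOCAL_ADDR[route.netif]


def reply_routable(src: str, remote_prefixes: list[str]) -> bool:
    """Can the far end send a reply back? Only if its local network gateway /
    traffic selector covers the source address the packet carried."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in remote_prefixes)


ROUTES = parse_routes(NETSTAT_RN)
# Constructed: what the Azure side knew before and after the fix. The thread only says
# "the correct 10.128* address" was added; 10.128.0.0/24 is a placeholder for it.
AZURE_KNOWS_LAN_ONLY = ["192.168.200.0/22"]
AZURE_KNOWS_LAN_AND_TUNNEL = ["192.168.200.0/22", "10.128.0.0/24"]

if __name__ == "__main__":
    for dst in ("172.20.100.34", "10.64.0.4"):
        r = lookup(ROUTES, dst)
        src = source_for(ROUTES, dst)
        print(f"{dst}: via {r.gateway} on {r.netif}, default source {src}, "
              f"reply routable before fix={reply_routable(src, AZURE_KNOWS_LAN_ONLY)}, "
              f"after fix={reply_routable(src, AZURE_KNOWS_LAN_AND_TUNNEL)}")
    print("ping -S 192.168.200.11:", reply_routable("192.168.200.11", AZURE_KNOWS_LAN_ONLY))
```

The model reproduces the thread: a lookup for 172.20.100.34 or 10.64.0.4 selects the ipsec interface, so the firewall's own packets carry that interface's 10.128.* address, which the far end cannot route back until its local network gateway covers that prefix, whereas ping -S 192.168.200.11 uses an address the far end already knows. The practical check is the one the poster used: tcpdump on the tunnel (or enc0) interface shows the source address actually chosen, and that address, not the LAN address, is what the remote traffic selector or route must accept when the firewall itself consumes DNS or LDAP over the tunnel.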

135
19.7 Legacy Series / Re: Updated to 19.7.r_1, but upgrade wants to do it again :(
« on: July 10, 2019, 06:08:57 pm »
Ok.  Just making sure it's not a bug :)

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved