Topics - alfemann

#1
Hi - a general question that is puzzling me.
I have a (primary LAN) setup on igb2 with 10.10.11.0/24 and the OPNsense interface is 10.10.11.1
In addition - I have another network (guests) on igb3 - with IP 192.168.5.1/24 - OPNsense is 192.168.5.1

Reflection is turned on btw, if that matters.

I want to prevent all/any clients on the 10.10.11 network from pinging 192.168.5.1
I have tried all combinations I can think of, but regardless of the rules I make in the firewall, the ping goes through...
Is there something mystical or special about the local IP that I haven't thought about?
#2
20.7 Legacy Series / NUT diagnostics screen is blank
January 08, 2021, 03:44:50 PM
I have installed the NUT add-on, and configured an older APC Smart-UPS 1000 RM to work with it in Standalone mode.
Whether I use SNMP or USB - the UPS is listed if I do upsc -l
Also - the parameters are read and displayed (correctly) if I do upsc <upsname>.
So far - as expected, as it should be, and all seems OK, BUT - in Services->NUT->Diagnostics - the screen is just ... blank. And curl http://localhost/ui/nut/diagnostics gives nothing.

I saw nothing fishy in any logfile either...

Is there some standard basic error I may have made?

#3
20.7 Legacy Series / Hanging in first boot from USB
December 23, 2020, 10:41:26 AM
As my old OPNsense installation resides on a computer that is getting a bit old and tired, I purchased a new desktop PC and downloaded 20.7 to install. The problem is that the boot sequence stops right after some information about the video card. The machine is then completely frozen, and has to be power-cycled.

Image is OPNsense-20.7-OpenSSL-vga-amd64.img.bz2
Installed to a 16G USB stick
Hardware: HP ProDesk 600 G5
- SFF
- Core i5 9500 / 3 GHz
- RAM 8 GB
- SSD 256 GB
- NVMe
- DVD-Writer
- UHD Graphics 630
- GigE

Attached is an image of where in the boot process it freezes.
Does anybody know what on earth this could be caused by?
#4
General Discussion / Ping from firewall over IPSEC
January 10, 2019, 12:17:13 PM
I have a functioning IPSEC tunnel up and running on an OPNsense 17.7.4, and traffic between machines on either side is running perfectly.

I want to use an LDAP server on the remote side of the IPSEC tunnel for authentication (for incoming OpenVPN roadwarrior clients). When I try to set this up as a server in the OPNsense menu, there is no response from the LDAP server. I then tried to ping the server from the OPNsense - no reply.
Doing ping or LDAP from any client on the LAN side of the OPNsense works fine.

What on earth could I be missing?
#5
I have seen variations of this question, but I really cannot see that they have been answered to a degree that I can understand how to set it up.

I have a /27 of public addresses say 199.199.199.34 .. .62
On the inside I use 10.10.10.0/24.

I have some servers running on the inside, and need to expose various ports on public IPs.
First off: am I better off using port forwarding, or one-to-one NAT and fw-rules?
It seemed the port forwarding worked fine until I had 3-4 rules with some of the same ports (but on different public IPs of course) - then it just didn't work like I thought.

If I need to use one-to-one NAT - can someone please give me a blow-by-blow? I cannot wrap my head around it.


#6
General Discussion / Is Proxy ARP the solution..?
September 30, 2017, 01:03:33 PM
The current firewall is getting old, and I am planning to replace it with a computer running OPNsense.
I have one issue that I cannot seem to find an answer to:
Our LAN is 10.10.11.0/24 and we are connected to a service we use through IPSEC, and the remote network is 10.1.1.0/24.

Here is the snag: the old Sonicwall set aside a few addresses in the LAN segment for road warriors connecting with SSL-VPN - and the remote network only knows that 10.10.11.0/24 is available through the tunnel.
I want to use an OpenVPN road warrior setup, but the setup requires a separate (virtual?) subnet for these connections - meaning road warriors will have addresses outside of the LAN. If I can't change or add the routing on the remote side - how can I either:
a) assign road warriors IPs from the LAN segment (ideally using DHCP relay to another server)?
b) make traffic from road warriors seem like it comes from LAN IPs when it in fact does not.

My instinct tells me to look closer at Proxy ARP, but I am not sure, and I cannot seem to find thorough docs on the subject.

Does anyone have ideas as to the solution, and does anyone know some good examples and documentation for Proxy ARP?

========
Alf