Messages - pongafence

#16
Awesome! Thanks for clearing that up. After reviewing my firewall logs, it became quite obvious. However, I still need to figure out why it's not forwarding routes.

You can now mark this as SOLVED thanks!
#17
Roger, thanks, will do. And should there be no local interface? I am noticing as well in my firewall rules that it's blocking almost all but ICMP traffic coming in over the IPSEC tunnel.
#18
Also, I noticed that when I go into "Diagnostics" -> "OSPF" -> "Routing Table", my remote IPSEC site does not show up in the list, only the locally connected route.
#19
So as the title says, where should I be applying the Site-to-Site IPSEC Firewall rules? Should I be assigning them to the "IPSEC" interface that gets created? Or to the WAN interface?
#20
Yup, they are; however, none of the other firewalls/routers that are connected to the Shared network are receiving the routes.
#21
17.7 Legacy Series / Re: I caused a disaster...
August 15, 2017, 01:18:36 AM
No worries.  If you need some help, shoot me a PM.
#22
17.7 Legacy Series / Re: I caused a disaster...
August 14, 2017, 02:06:14 PM
Also, the reason for the fault is that the IP address OVH have assigned to your server CANNOT be assigned to a VM within your server. :)

Refer to this doco:

http://docs.ovh.ca/en/guides-network-bridging.html
#23
Hi guys,

In our DC, we use OPNsense almost exclusively now, with the exception of one server that runs our old Sophos UTM appliance.

We would like to decommission this. We can complete a Site-to-Site IPSEC tunnel, and traffic flows behind the OPNsense firewall, its internal networks, and our branch site and its internal networks. But we also have a separate OPNsense firewall that protects another network, and we use OSPF to publish routes between the two.

So the question is, how do we redistribute Site-to-Site IPSEC tunnel networks to the OSPF Areas? I've tried selecting Kernel Routes, Static Routes and Connected Routes as well for redistribution.
#24
17.7 Legacy Series / Re: I caused a disaster...
August 14, 2017, 01:04:44 PM
Ah I see. Well, with running OPNsense like this, you no longer need to.

But here's how you achieve it with OVH.

  • Get a Fail-Over IP
  • Assign Virtual MAC to Fail-Over IP
  • Assign Virtual MAC to the Public Interface of your Firewall VM
  • Create Private Network between Firewall VM and server(s)
#25
17.7 Legacy Series / Re: I caused a disaster...
August 13, 2017, 10:56:42 PM
Hi there,

Why are you using a 1:1 NAT? If you were wanting to create a layer of protection, creating a 1:1 NAT would only publish everything anyway.

I would recommend just using Port Forward if you are wanting to protect your server, as only the ports that you specifically publish are available.

I use OVH as well, and have had no problems.
#26
17.7 Legacy Series / Filebeats and Logstash
August 10, 2017, 03:23:33 PM
Hi guys,

We run ELK internally for all of our logging, and run Filebeat specifically on all our servers where possible.

I was wanting to know if we could potentially have Filebeat and Logstash included to export things like Suricata Eve logs and maybe Squid and other system logs into our ELK cluster directly?

At the moment we're just throwing SYSLOGs at it and are trying to work with those logs for the moment. But it'd be nice to have Filebeat and Logstash.

Has anyone else done this yet?
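Added example, not part of pongafence's post nor code from the OPNsense, Suricata, Filebeat or Logstash projects: a small Python normaliser that shows the shape of Suricata EVE JSON lines and how the alert events flatten into the fields an ELK dashboard keys on, which is the work a Logstash filter would do between Filebeat and Elasticsearch. The EVE lines are constructed samples and the function names are my own.

```python
"""
Added example (not from the forum post or from the Suricata/Elastic projects):
a minimal normaliser for Suricata EVE JSON lines, doing the field shaping a
Logstash filter would do before records land in an ELK cluster.
"""
import json
from collections import Counter

# Constructed sample of eve.json lines: two alerts, one DNS event, one flow
# record and one deliberately malformed line (a truncated write is common
# when a shipper tails a log that Suricata is still appending to).
SAMPLE_EVE = """\
{"timestamp":"2017-08-10T15:23:33.000000+1000","event_type":"alert","src_ip":"192.0.2.10","src_port":51515,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-10T15:23:34.000000+1000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2017-08-10T15:23:35.000000+1000","event_type":"alert","src_ip":"203.0.113.7","src_port":4444,"dest_ip":"192.0.2.20","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":3}}
not json at all
{"timestamp":"2017-08-10T15:23:36.000000+1000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4}}
"""


def parse_eve_lines(text):
    """Parse newline-delimited EVE JSON.

    Returns (records, bad_count). Blank lines are ignored; lines that are not
    valid JSON objects carrying an event_type are counted rather than raised,
    so one damaged line does not stall the whole pipeline.
    """
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict) and "event_type" in obj:
            records.append(obj)
        else:
            bad += 1
    return records, bad


def normalise_alert(rec):
    """Flatten one EVE alert into the top-level fields a SIEM dashboard keys on."""
    a = rec["alert"]
    return {
        "@timestamp": rec["timestamp"],
        "sensor_event": "suricata.alert",
        "src_ip": rec.get("src_ip"),
        "src_port": rec.get("src_port"),
        "dest_ip": rec.get("dest_ip"),
        "dest_port": rec.get("dest_port"),
        "proto": rec.get("proto"),
        "sid": a["signature_id"],
        "signature": a["signature"],
        "category": a.get("category"),
        "severity": a.get("severity"),
    }


def alerts_from_eve(text):
    """Keep only alert events and normalise them; other event types pass elsewhere."""
    records, _ = parse_eve_lines(text)
    return [normalise_alert(r) for r in records if r.get("event_type") == "alert"]


def severity_histogram(alerts):
    """Count normalised alerts per Suricata severity (1 = highest)."""
    return dict(Counter(a["severity"] for a in alerts))


def event_type_counts(text):
    """Per-event_type counts, useful for sizing what a shipper would send."""
    records, _ = parse_eve_lines(text)
    return dict(Counter(r["event_type"] for r in records))


if __name__ == "__main__":
    alerts = alerts_from_eve(SAMPLE_EVE)
    for a in alerts:
        print(json.dumps(a))
    print("by severity:", severity_histogram(alerts))
    print("by event_type:", event_type_counts(SAMPLE_EVE))
```

The same flattening is what you would express as a Logstash `json` filter plus `mutate` renames; doing it once in code makes it easy to see which EVE fields (src/dest tuple, sid, signature, severity) are worth indexing and to confirm that non-alert event types such as dns and flow are still counted rather than silently dropped.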
#27
Hey guys,

Thanks to the both of you for that info.  I've switched back to OpenSSL for the time being, until LibreSSL catches up.

Resolves my issue!
#28
Ah I see. I'm using LibreSSL at the moment, so this problem that you mentioned, is that with OpenSSL as well?
#29
Hi guys,

So I've implemented OPNsense almost EVERYWHERE now, with only my core IPSEC VPN gateways to replace, once I figure out configuration patterns and passing dynamic routes.

Anyway, the issue that I'm having is that once I configure SSL interception, almost every site works fine, except for Google sites, or sites that use the Google CA.

I've attempted to use the unknown intermediate CA configuration to include additional certificates, but nothing seems to work, so I either don't visit Google, or don't enable SSL interception.

Has anyone else run into this problem when visiting SSL intercepted sites and received the UNKNOWN_CA_ERROR?

And how did you resolve the issue without disabling SSL interception?

TIA,
D