Topics - nicovell3

#1
Hello,

I'm trying to set up a new rule at my firewall so it'll allow a specific host to scan all ports from another net.

The only problem I have is that, when the rule is already set and I launch a nmap like this:

nmap -Pn -sS -p- -T5 192.168.20.0/24

And then, the OPNsense state table collapses: I've set a max size of 815000, but if I launch three concurrent scans, it gets full. So what I want is to make a rule which allows the traffic to pass and prevents the firewall from storing every connection in the state table. I think I don't need those connections to be stored in the state table, as I don't need the firewall to perform NAT; the scans will only occur on internal networks.

I've tried different settings when creating a floating quick rule which affects my "monitoring" interface:

  • State Type as none
  • State Type / NO pfsync activated
  • TCP flags with "Any flags." checked

No matter what I set, the state table keeps getting full with the scans. How can I allow network scans without disabling my firewall?
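The difference between a state-creating rule and a stateless one, written in pf.conf syntax rather than through the OPNsense GUI, as an added example that is not part of the original post or of the OPNsense project. The interface names, the scanner address and the macro names are assumptions; the target network is the one from the post.

```pf
# Added example, not from the original post. Interface names and the scanner
# address are assumptions; 192.168.20.0/24 is the network being scanned.
mon_if  = "igb2"            # the "monitoring" interface the scanner sits on
lan_if  = "igb1"            # interface facing the scanned network
scanner = "192.168.10.50"   # assumed scanner address
target  = "192.168.20.0/24"

# Stateful variant ("keep state" is pf's default for pass rules): every SYN
# that nmap emits creates a state entry, so one "-p-" scan of a /24 can
# create up to 65535 * 254 entries before they time out.
pass in quick on $mon_if proto tcp from $scanner to $target keep state

# Stateless variant: "no state" creates no entry at all. Because nothing
# tracks the connection, pf must explicitly pass the forward packets out of
# the LAN side and the replies (SYN/ACK or RST from the scanned hosts) back
# towards the scanner, in both directions on both interfaces. "flags any"
# is required, otherwise pf's default "flags S/SA" drops the non-SYN replies.
pass in  quick on $mon_if proto tcp from $scanner to $target flags any no state
pass out quick on $lan_if proto tcp from $scanner to $target flags any no state
pass in  quick on $lan_if proto tcp from $target to $scanner flags any no state
pass out quick on $mon_if proto tcp from $target to $scanner flags any no state

# Checks after reloading the ruleset:
#   pfctl -sr | grep 'no state'            # the rule really was rendered stateless
#   pfctl -si | grep 'current entries'     # state count should stay flat during a scan
```

The two checks matter because a rule that is stateless in the GUI but rendered without `no state`, or that is shadowed by an earlier state-creating rule, behaves exactly like the stateful variant; `pfctl -sr` shows the rules in the order pf actually evaluates them.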
#2
Tutorials and FAQs / Set gateway group as default gateway
February 02, 2018, 09:23:03 AM
Hello,

In a setup with two WAN routers and one OPNsense firewall I've configured the two gateways with a gateway group to use the secondary gateway while the first one is down. The problem is that I don't want to configure just one firewall rule with that gateway group, I want the gateway group to be the default gateway for all rules, but there is no such option.

I tried configuring a route for all !RFC1918, but the gateway group does not appear in the gateway list. What is the most correct and elegant way to set this up?

Thanks in advance ;)

Edit: Wow, I just realized I posted in the wrong section and I don't know how to move the post. Sorry.
#3
17.7 Legacy Series / Some bugs found?
September 19, 2017, 12:49:06 PM
Hi,

Since the last OPNsense update (yesterday), some things stopped working at my firewall.

First of all, I have an IPsec tunnel established with my other firewall (always updated at the same time, so they always have the same versions of software). Every connection from each of the clients can be routed through the IPsec tunnel, but not the firewall connections. Let me give an example:

Firewall A          <->    Firewall B
10.0.0.0/24                10.1.0.0/24

My firewall B IP is 10.1.0.1 and the DNS server is at 10.0.0.2. When I try to send things from 10.1.0.1 to 10.0.0.2, the packets are not reaching the destination. I've listened on enc0 in both firewalls and this is the problem: at firewall B I see the packets going out but at firewall A I can't see those incoming packets (but I see the firewall B clients' traffic). I've verified that I've got rules to allow all that traffic and I've set the necessary gateway and route at firewall B (if that wasn't done, I wouldn't see the outgoing packets at enc0). And this is the only IPsec tunnel enabled at each firewall (firewall A has another IPsec tunnel, but it's not enabled). This worked before the 17.7.2 update...

And also, I've got a lot of rules at my firewall. When I click apply rules (after modifying some firewall rule), a popup is displayed with the text "The settings have been applied and the rules are now reloading in the background.". But my rules are not reloaded in the background. Before this update, I had a feature in the menu called "Filter reload", which I activated to force the application of the new rules, but now it doesn't appear in the menu. I have to log in through SSH and run "/usr/local/etc/rc.filter_configure". And then, the rules are applied.

Does someone know how to fix these two things?

Regards.