Messages - xinnan

#91
Well, he is a member of the FBI's InfraGard Program.  Maybe he knows something we don't.

I'd ask him what he thinks.  I like criticism.  It's how I learn.
I've noticed that since I enabled Hurricane Electric IPv6 on the interface used by the Xbox, nothing from the Xbox ever requests anything from UPnP.  Everything seems to prefer IPv6 and there is no NAT involved.  Still waiting for Skype to get a clue.
#92
As far as the fail, he could have been talking about me also...   Never can tell.  It wasn't directed. 
#93
I get your anger.  I do.  My son likes security also.  He also loves Steam )-:
Took me a while to figure out why I needed to replace my switches.  I'm a slow learner.
It's the same reason why the rules in a firewall have interface tabs and not device tabs.
But sure - Not a problem.  I will just read along silently.  Should be interesting.   :)
#94
Hardware and Performance / Re: qotom i5-5250U
November 03, 2017, 01:10:11 AM
I still don't understand why they would kick you for that?  Odd indeed. 
#95
UPnP can be enabled per interface.  These may be physical interfaces like the ports on the back of your OPNsense or virtual interfaces + VLANs.

You might need to spend $25 for a cheap managed switch if your OPNsense only has 2 ports.

VLANs can be difficult to conceptualize but you will get it if you try.

Using tagged VLANs is actually a great reason to use OPNsense.  Powerful feature.

Let's say you decide to use VLANs, which would be smart (I was dumb).

You would just create virtual interfaces that equate to tagged VLANs.  Then tag the ports on your switch according to what they connect to.  Then you can turn on UPnP or not per virtual interface at your whim.  You can also firewall off the virtual interfaces from each other.

BTW - It's already a feature.
#96
Teredo is often something that is resorted to when ports are closed and UPnP is shut off or broken...

If UPnP is a mild cold then Teredo is the Spanish flu.

Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which could otherwise be unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. Teredo tunnel encapsulation can mask the contents of the IPv6 data traffic from packet inspection, enabling the spread of both IPv6 and even some IPv4 malware.[3] US-CERT has published a paper on the risks of malware using IPv6 tunneling.[3] Teredo also exposes the IPv6 stack and the tunneling software to attacks should they have any remotely exploitable vulnerability.

The cure is worse than the sickness in this case.  Better to not break NAT and UPnP.
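The post above says Teredo hands a NATed host a globally routable IPv6 address and hides the traffic inside UDP. As an added example (not part of the post, and not OPNsense code), the script below does two things a practitioner would want: it picks the Teredo tell-tale (UDP to port 3544, the Teredo server port) out of firewall log lines, and it decodes a Teredo address per RFC 4380 section 4 back to the client's real external IPv4 and UDP port, which is exactly the information an attacker learns from such an address. The log lines and their format are constructed for the example; the Teredo address is the RFC 4380 / Wikipedia sample address. On the home firewall itself a Teredo address never appears in the clear, only the UDP wrapper does, which is why the third line is written as something an IDS or server beyond the relay would log.

```python
"""Added example, not from the forum post: spot Teredo use in log lines and
decode a Teredo IPv6 address back to the NATed client's real IPv4:port
(RFC 4380, section 4). The log lines below are constructed for the example."""
import ipaddress
import re
from typing import Optional

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # 2001:0000::/32, RFC 4380
TEREDO_UDP_PORT = 3544                             # Teredo server port

# Constructed log lines (assumed format: "date time action iface proto src -> dst").
# Line 1 is what the home firewall sees: the UDP wrapper to a Teredo server.
# Line 3 is what a server or IDS beyond the relay sees: the decapsulated Teredo address.
LOG = """\
2017-11-03 01:10:11 pass vlan21 udp 192.168.21.10:54321 -> 65.54.227.120:3544
2017-11-03 01:10:12 pass vlan21 udp 192.168.21.10:54321 -> 203.0.113.9:40000
2017-11-03 01:10:15 pass sensor0 tcp [2001:0:4136:e378:8000:63bf:3fff:fdd2]:3074 -> [2001:db8::1]:443
2017-11-03 01:10:20 pass vlan10 tcp 192.168.20.5:40000 -> 93.184.216.34:443
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<iface>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)


def decode_teredo(addr: str) -> Optional[dict]:
    """Split a Teredo address into server IPv4, cone flag, and the client's
    external IPv4 and UDP port. Returns None for a non-Teredo IPv6 address;
    raises ipaddress.AddressValueError for something that is not IPv6 at all."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    # Layout, bits counted from the most significant end:
    # 0-31 prefix, 32-63 server IPv4, 64-79 flags, 80-95 obfuscated port,
    # 96-127 obfuscated client IPv4. Port and client are stored XORed with all ones.
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone_nat": bool(flags & 0x8000),   # the "C" flag of RFC 4380
        "client_ip": str(client),
        "client_port": port,
    }


def split_addr(s: str):
    """'[v6]:port' or 'v4:port' -> (host, port)."""
    if s.startswith("["):
        host, port = s[1:].rsplit("]:", 1)
    else:
        host, port = s.rsplit(":", 1)
    return host, int(port)


def find_teredo(log_text: str):
    """Return (line_no, reason, details) for every line that betrays Teredo use."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        shost, _ = split_addr(m.group("src"))
        dhost, dport = split_addr(m.group("dst"))
        if m.group("proto") == "udp" and dport == TEREDO_UDP_PORT:
            hits.append((n, "udp/3544 to Teredo server", {"client": shost, "server": dhost}))
            continue
        for host in (shost, dhost):
            try:
                info = decode_teredo(host)
            except ipaddress.AddressValueError:   # an IPv4 literal, skip it
                continue
            if info:
                hits.append((n, "Teredo address", info))
                break
    return hits


if __name__ == "__main__":
    for line_no, reason, details in find_teredo(LOG):
        print(f"line {line_no}: {reason}: {details}")
```

Blocking outbound UDP/3544 on the segments where you do not want tunnels is the firewall-side fix; the decoder shows why an exposed Teredo address is not harmless: it leaks the NAT's public IPv4 and the mapped port the host is listening on.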
#97
An open port is an open port.  Doesn't matter how it gets to be open.

Now, if you have your entire network on 192.168.20.0/24 with UPnP not active for that subnet,

and then you have your Xbox on 192.168.21.0/24 and you have UPnP active for that, or you have some ports opened manually or it's DMZed (it's all just open ports if you ask me),

and then your firewall rules are set to prevent the Xbox subnet from talking to other subnets, you will be fine.

This assumes you don't have your Xbox and everything else using the same dumb switch.

This is the way I do it.  I use UPnP for the Xbox myself.

In my case the Cat6 that goes to the switch that connects to the loft where all the gaming happens gets 1 interface on the back of the firewall/router.

The Cat6 that goes to the rest of the computers in the house gets another interface on the back of the firewall/router.

The wireless gets its own interface on the back of the firewall/router.

And finally, my computer-illiterate tenant and her daughter get their own interface...

If you don't have a bunch of ports on the back of your OPNsense, you can use a managed switch with VLANs to do the same thing.

All these are segregated by firewall rules.  I like the Xbox to have UPnP so that it works the way it should.  Not sure what a hacker could do with it isolated the way it is.

There is a difference between imagined security and actual security.  You want security, isolate your Xbox and any computer that kids, wives, visitors, friends etc. touch (because they will bring in malware) from your important computers and devices.  Don't hamstring your poor Xbox's ability to forward ports it needs.
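The layout described in the two posts above (one interface or tagged VLAN per group, UPnP only on the Xbox segment, firewall rules keeping the segments apart) is written out below as an added example in FreeBSD pf syntax. This is not OPNsense's generated ruleset and not anything from the posts; on OPNsense each VLAN becomes an interface with its own rules tab and UPnP is switched on per interface, and the GUI builds the equivalent of this. Interface names, VLAN tags, subnets and the anchor layout are assumptions for the example.

```pf
# Added example: illustrative pf.conf for the segmented home layout.
# Not OPNsense-generated. Interface names, VLAN tags and subnets are assumptions.
wan_if   = "igb0"
lan_if   = "vlan10"    # 192.168.20.0/24  household computers, no UPnP
xbox_if  = "vlan21"    # 192.168.21.0/24  gaming loft, the only segment with UPnP
wifi_if  = "vlan30"    # 192.168.30.0/24  wireless
guest_if = "vlan40"    # 192.168.40.0/24  tenant
inside   = "{ $lan_if $xbox_if $wifi_if $guest_if }"
rfc1918  = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"

# Outbound NAT for every private segment
nat on $wan_if from $rfc1918 to any -> ($wan_if)

# miniupnpd (the UPnP daemon OPNsense uses) places the forwards a console asks
# for into these anchors. Run it bound to $xbox_if only, so no other segment
# can open ports this way. Without the anchors the forwards never take effect.
rdr-anchor "miniupnpd"
anchor "miniupnpd"

block log all
pass quick on lo0

# Every segment may talk to the firewall itself (DNS, DHCP, the UPnP daemon)
# and may use SSDP discovery on its own link.
pass in quick on $inside from any to self
pass in quick on $inside proto udp from any port 68 to any port 67
pass in quick on $xbox_if proto udp from any to 239.255.255.250 port 1900

# The point of the layout: no segment reaches any other private subnet.
# Logged, so a compromised console poking at the LAN shows up.
block in log quick on $inside from any to $rfc1918

# Everything else is Internet-bound and allowed out.
pass in on $inside from any to any keep state
```

Inbound connections from the Internet to the Xbox are only those miniupnpd inserts into its anchor, and because the block rule above sits before the generic pass, a hole opened by UPnP still cannot be used to pivot from 192.168.21.0/24 into 192.168.20.0/24. Checking the rule order with `pfctl -sr` and the live forwards with `pfctl -a miniupnpd -sn` is the practical verification.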
#98
UPnP works.
DMZing the Xbox works.
Port forwarding every port for every game you may ever desire to play...   Works...
I don't think UPnP is evil.  Put the Xbox on an isolated subnet and run it with UPnP.
#99
If I were you, I would use SSL/TLS authentication and no username / password.  Those settings are in the server setup.

Then I'd export the client again...   I hate typing passwords.
#100
Be careful at the point where you are making the cert and the CA.  There is a box that says "type".  Be sure to select server.
#101
Is that a new or old cert?  Are these new ones that you just created?

#102
Yep - Cert errors.

Be sure to create a proper CA.  I name mine VPN CA to avoid confusion.
Then use that CA to create a SERVER cert.  Not user cert.  I call mine something like VpnServerCert (to avoid confusion)

Make sure you fill in all the fields required for the certs.  Make crap up if you need to - I do.

Then go back to your VPN server and make sure it's using your new server cert and shiny new CA.

Then export it, and try again.
#103
And read the very last lines of this thread.

https://forums.openvpn.net/viewtopic.php?t=21998
#104
I think this is either a problem with the format of your cert on OPNsense or just your iPad client being picky.

Any chance you can try a different client on the iPad?

#105
To make sure your config is correct, view it with WordPad in Windows, gedit in Linux or whatever amazingly expensive editor a Mac ships with...