Messages - xupetas

#16
I think that it's OpenVPN (binary) related. I tried the same configuration using WireGuard and no issues were found.
I have been reading the changelog of the product and I do not see any breaking changes regarding hairpinning in the alerts... Is anyone aware of any?
#17
Hello all,

I have this configuration, which was working before the upgrade:

PIA --> opnsense (openvpn) --> host.

PIA forwards a port into opnsense via an OpenVPN interface that gets NATed (port-forwarded) to the host.
Since the upgrade, I lost the ability to make a TCP connection from outside PIA, through opnsense, to the host on the port it specified. I am able to exit the host via the PIA tunnel without any issue.

However, I see traffic inside the host as coming from PIA, so it appears that something is working. I am just not able to do a proper TCP connection (SYN/SYN-ACK).
There are rules allowing all traffic from PIA to reach the host.

This is an extract of my unfiltered tcpdump. Traffic is reaching and appears to be leaving the host, through OpenVPN into PIA:


07:28:32.892295 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.892326 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.893405 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.893455 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.893469 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.893499 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894146 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894180 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894192 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894216 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894420 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894451 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.894613 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.894632 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.895104 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.895126 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.897229 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897284 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897285 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897370 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.897938 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.897993 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.898007 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.898040 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.899480 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.899526 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.899602 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.900198 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.900239 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.904513 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.904567 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.904615 IP host-95-237-116-82.retail.telecomitalia.it.61700 > 172.16.3.7.documentum: UDP, length 849
07:28:32.904627 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20
07:28:32.904692 IP 172.16.3.7.documentum > host-95-237-116-82.retail.telecomitalia.it.61700: UDP, length 20



This is an extract from a tcpdump of a TCP connection coming from a public IP into the front of the PIA VPN endpoint, on the specified port. It does reach the host VM, but is unable to complete a proper TCP connection. And yes, the port on the destination is listening, and there is no local firewall on that particular host.



tcpdump: listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:29:50.612214 IP (tos 0x0, ttl 54, id 11967, offset 0, flags [DF], proto TCP (6), length 60)
    bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0x00df (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205320036 ecr 0,nop,wscale 7], length 0
07:29:50.612456 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe663), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46328494 ecr 205320036,nop,wscale 7], length 0
07:29:51.621210 IP (tos 0x0, ttl 54, id 11968, offset 0, flags [DF], proto TCP (6), length 60)
    bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xfcf4 (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205321038 ecr 0,nop,wscale 7], length 0
07:29:51.621271 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe272), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46329503 ecr 205320036,nop,wscale 7], length 0
07:29:52.630136 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xde81), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46330512 ecr 205320036,nop,wscale 7], length 0
07:29:53.646538 IP (tos 0x0, ttl 54, id 11969, offset 0, flags [DF], proto TCP (6), length 60)
    bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xf514 (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205323054 ecr 0,nop,wscale 7], length 0
07:29:53.646565 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xda89), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46331528 ecr 205320036,nop,wscale 7], length 0
07:29:55.670131 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xd2a1), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46333552 ecr 205320036,nop,wscale 7], length 0
07:29:57.771595 IP (tos 0x0, ttl 54, id 11970, offset 0, flags [DF], proto TCP (6), length 60)
    bing.unammed.isp.telecom.7960 > 172.16.3.7.documentum-s: Flags [S], cksum 0xe4f4 (correct), seq 4120766767, win 64240, options [mss 1238,sackOK,TS val 205327182 ecr 0,nop,wscale 7], length 0
07:29:57.771636 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xca6c), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46335653 ecr 205320036,nop,wscale 7], length 0
07:30:01.910112 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.documentum-s > bing.unammed.isp.telecom.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xba41), seq 2016981066, ack 4120766768, win 65160, options [mss 1460,sackOK,TS val 46339792 ecr 205320036,nop,wscale 7], length 0




What is wrong with this picture?
Was there any change that needs to be done to the openvpn client to allow this configuration? Or any mandatory new configuration on opnsense's interface to allow this again?

Thanks for your help
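An added example, not part of the post: a small Python analyzer that reads `tcpdump -v` output of the shape shown above and flags handshakes where the host keeps retransmitting SYN-ACK without ever receiving the client's ACK. That pattern points at the return path (SYN-ACK leaves the host but never makes it back through the NAT and tunnel to the client), not at the listener. The capture lines below are constructed for this example, with numeric ports instead of tcpdump's service names. One caveat worth knowing when reading such captures: `cksum ... (incorrect -> ...)` on packets the capturing host itself sends is normally TCP checksum offload (tcpdump sees the frame before the NIC fills in the checksum), not corruption.

```python
import re

# Constructed sample in the shape of `tcpdump -v` output (not the post's own
# capture): the client retries SYN, the host answers SYN-ACK every time, and
# the client's third-packet ACK never shows up.
HALF_OPEN_CAPTURE = """\
07:29:50.612214 IP (tos 0x0, ttl 54, id 11967, offset 0, flags [DF], proto TCP (6), length 60)
    client.example.net.7960 > 172.16.3.7.10008: Flags [S], cksum 0x00df (correct), seq 4120766767, win 64240, length 0
07:29:50.612456 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.10008 > client.example.net.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe663), seq 2016981066, ack 4120766768, win 65160, length 0
07:29:51.621210 IP (tos 0x0, ttl 54, id 11968, offset 0, flags [DF], proto TCP (6), length 60)
    client.example.net.7960 > 172.16.3.7.10008: Flags [S], cksum 0xfcf4 (correct), seq 4120766767, win 64240, length 0
07:29:51.621271 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.10008 > client.example.net.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xe272), seq 2016981066, ack 4120766768, win 65160, length 0
07:29:52.630136 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.10008 > client.example.net.7960: Flags [S.], cksum 0x2ca3 (incorrect -> 0xde81), seq 2016981066, ack 4120766768, win 65160, length 0
"""

# A healthy three-way handshake for contrast (constructed as well).
HEALTHY_CAPTURE = """\
08:00:00.000001 IP (tos 0x0, ttl 54, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    client.example.net.40000 > 172.16.3.7.10008: Flags [S], cksum 0x0000 (correct), seq 1, win 64240, length 0
08:00:00.000002 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.3.7.10008 > client.example.net.40000: Flags [S.], cksum 0x0000 (incorrect -> 0x1111), seq 100, ack 2, win 65160, length 0
08:00:00.000003 IP (tos 0x0, ttl 54, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    client.example.net.40000 > 172.16.3.7.10008: Flags [.], cksum 0x0000 (correct), ack 101, win 502, length 0
"""

# Second line of each two-line `tcpdump -v` record: "src > dst: Flags [..]"
FLOW_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def parse_handshakes(capture):
    """Count SYN, SYN-ACK and client ACK per (client, server) endpoint pair.
    Lines without a Flags field (the IP header line) are skipped."""
    flows = {}
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.group("src"), m.group("dst"), m.group("flags")
        if flags == "S":                                  # client -> server
            flows.setdefault((src, dst), {"syn": 0, "synack": 0, "ack": 0})["syn"] += 1
        elif flags == "S.":                               # server -> client
            flows.setdefault((dst, src), {"syn": 0, "synack": 0, "ack": 0})["synack"] += 1
        elif flags == "." and (src, dst) in flows:        # client's third packet
            flows[(src, dst)]["ack"] += 1
    return flows


def half_open(flows, min_synacks=2):
    """Flows where the server retransmitted SYN-ACK at least `min_synacks`
    times and the client's ACK was never captured: the reply path is dropping
    or misrouting the SYN-ACK; the listener itself is fine."""
    return sorted(key for key, c in flows.items()
                  if c["synack"] >= min_synacks and c["ack"] == 0)


def diagnose(capture):
    flows = parse_handshakes(capture)
    return {"flows": flows, "half_open": half_open(flows)}


if __name__ == "__main__":
    for client, server in diagnose(HALF_OPEN_CAPTURE)["half_open"]:
        print(f"half-open: {client} -> {server}: SYN-ACK leaves, no ACK returns")
```

Run it against `tcpdump -v -n -i <iface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'` captured on the host; if the same flows show up as half-open on the OPNsense side of the tunnel interface, the SYN-ACK is being dropped or routed out the wrong interface on the firewall rather than on the host.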
#18
I had that issue with two items:

Too strict QoS rules.
My Suricata gave the white smoke when I overloaded it with too many rules for the server I was on.
#19
Hello all,

Found it, I had a corrupted DB (.txt) file in /var/db/aliastables. I deleted it, re-ran the command and now it appears to be working.

I found it using the command:

# truss /usr/local/opnsense/scripts/filter/update_tables.py

In the logs the error appears as:

Command '/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 478, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py' returned non-zero exit status 1.

I ran the trace on /usr/local/opnsense/scripts/filter/update_tables.py and found which DB file was having issues. It warned me that UTF-8 was not able to read some file. Inside truss I was able to see which file it was.
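An added example, not part of the post: a Python check that does in one pass what truss revealed here. It reads every table file in the aliastables directory as bytes, reports the ones that do not decode as UTF-8 (with the byte offset where decoding fails), and moves them aside rather than deleting them so the corrupt file stays available for inspection. The directory and the corrupt file that demo() builds are constructed for this example; on a firewall, point find_undecodable() at /var/db/aliastables and re-run /usr/local/opnsense/scripts/filter/update_tables.py afterwards to rebuild the tables.

```python
import os
import tempfile


def find_undecodable(directory, encoding="utf-8", suffix=".txt"):
    """Return (filename, byte_offset) for every `suffix` file in `directory`
    that cannot be decoded as `encoding`. update_tables.py reads the table
    files as text, so one undecodable file aborts the whole table refresh."""
    bad = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(suffix):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        try:
            data.decode(encoding)
        except UnicodeDecodeError as exc:
            bad.append((name, exc.start))
    return bad


def quarantine(directory, names, marker=".broken"):
    """Rename the offending files (they lose the .txt suffix and are no longer
    picked up) instead of deleting them; the next table refresh recreates them."""
    moved = []
    for name in names:
        src = os.path.join(directory, name)
        dst = src + marker
        os.rename(src, dst)
        moved.append(dst)
    return moved


def demo():
    """Constructed aliastables directory: one valid table file and one whose
    tail is garbage, as a power loss mid-write can leave behind."""
    d = tempfile.mkdtemp(prefix="aliastables-")
    with open(os.path.join(d, "good_alias.txt"), "wb") as fh:
        fh.write(b"10.0.0.1\n10.0.0.0/24\n")
    with open(os.path.join(d, "corrupt_alias.txt"), "wb") as fh:
        # 0xff / 0xfe can never start a UTF-8 sequence, so decoding fails here
        fh.write(b"192.0.2.1\n" + b"\x00\xff\xfe\x80" * 4 + b"\n")
    bad = find_undecodable(d)
    moved = quarantine(d, [name for name, _ in bad])
    return d, bad, moved


if __name__ == "__main__":
    directory, bad, moved = demo()
    for name, offset in bad:
        print(f"{name}: undecodable byte at offset {offset}")
    print("moved aside:", moved)
```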
#20
Hello all,

I had a crash on an opnsense 21.7 (power loss), and when it came back up the GeoIP alias was not working.

I've tried to see if the download/key for my GeoIP list was working, and it is:

root@XXXXX:/usr/local/opnsense/scripts/filter/lib # python3
Python 3.8.12 (default, Sep 20 2021, 23:00:57)
[Clang 8.0.1 (tags/RELEASE_801/final 366581)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> from geoip import download_geolite
>>> download_geolite()
{'address_count': 775784, 'file_count': 500, 'timestamp': '2021-10-19T09:47:50', 'locations_filename': 'GeoLite2-Country-Locations-en.csv', 'address_sources': {'IPv4': 'GeoLite2-Country-Blocks-IPv4.csv', 'IPv6': 'GeoLite2-Country-Blocks-IPv6.csv'}}
>>>


The list is active, but it does not work - tested with multiple IPs from an IP range that *is* included.
Also, I have enough table entries to accommodate the list:

# pfctl -sm | grep table-entries
table-entries hard limit 4000000000


Is there a way to see, using pfctl, that the alias is being loaded? The main symptom of this issue is that the list appears not to be loaded and thus the rule is doing nothing.
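On the question of checking with pfctl: the alias is loaded into a pf table of the same name, so `pfctl -sT` lists the tables pf knows, `pfctl -t NAME -T show` prints the entries, and `pfctl -t NAME -T test ADDR` reports whether an address is covered. An added example, not part of the post, that parses the `-T show` listing and answers the "is this IP really in the loaded table" question for a batch of addresses, using a constructed sample listing so it runs without pf. On a firewall, call check_alias() without the `output` argument and it runs pfctl itself.

```python
import ipaddress
import shutil
import subprocess

# Constructed sample of what `pfctl -t <alias> -T show` prints (not real
# GeoIP data): two IPv4 ranges and one IPv6 range.
SAMPLE_TABLE_OUTPUT = """\
   1.0.4.0/22
   203.0.113.0/24
   2001:db8::/32
"""


def parse_table(output):
    """Turn the `pfctl -T show` listing into ip_network objects."""
    nets = []
    for line in output.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def containing_entry(nets, address):
    """Return the entry covering `address`, or None when the table does not
    hold it; `pfctl -t NAME -T test ADDR` gives the same answer on a live box."""
    ip = ipaddress.ip_address(address)
    for net in nets:
        if net.version == ip.version and ip in net:
            return net
    return None


def live_table(name):
    """Read the live table through pfctl; None if pfctl is not installed."""
    if shutil.which("pfctl") is None:
        return None
    res = subprocess.run(["pfctl", "-t", name, "-T", "show"],
                         capture_output=True, text=True)
    if res.returncode != 0:
        # a "Table does not exist" error means the alias never reached pf
        raise RuntimeError(res.stderr.strip())
    return parse_table(res.stdout)


def check_alias(name, addresses, output=None):
    """Per address, report the matching entry. A table that exists but is
    empty is the symptom in the post: the rule loads, yet nothing ever matches."""
    nets = parse_table(output) if output is not None else live_table(name)
    if nets is None:
        raise RuntimeError("pfctl not available; pass captured -T show output")
    matches = {}
    for addr in addresses:
        hit = containing_entry(nets, addr)
        matches[addr] = str(hit) if hit is not None else None
    return {"table": name, "entries": len(nets), "matches": matches}


if __name__ == "__main__":
    print(check_alias("GeoIP_Block", ["1.0.5.9", "198.51.100.1"],
                      output=SAMPLE_TABLE_OUTPUT))
```

If `entries` is 0 for a table that should carry hundreds of thousands of networks, the download worked but the table load did not, which is where the update_tables.py trace from the earlier post comes in.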
#21
Up!
#22
Hello all,

I have been experimenting with HA WSS and WS with HAProxy.
Since the web GUI does not support the HA, I selected the pass-through option and wrote this ACL:

acl is_upgrade hdr(connection) -i upgrade
acl is_websocket hdr(upgrade) -i websocket

However, I cannot get past that page because it gives an error: text validation error

The ACL is correct. What am i missing?

Thanks for your help!
#23
Thanks!!

I am not a programmer, so I am trying to change a port on an alias. By any stretch of luck, do you have an example?
Again thanks for your reply!
#24
Hi Franco,

What non-utility endpoint? Can you please elaborate?

Thanks,
Nuno
#25
Oh... thanks.

Is it slated on the roadmap for the foreseeable future?

Thanks again
#26
Hello All,

Thanks for spending your time reading this.

I've been following the how to regarding the API interface for creating/modifying an Alias, that is located in https://docs.opnsense.org/manual/aliases.html.

Inside it is stated that one can add an Alias like this:

curl \
  --header "Content-Type: application/json" \
  --basic \
  --user "key:secret" \
  --request POST \
  --insecure \
  --verbose \
  --data  '{"address":"10.0.0.2"}' \
  https://opnsense.firewall/api/firewall/alias_util/add/MyAlias

So, I've built my script like this:
curl \
  --header "Content-Type: application/json" \
  --basic \
  --user "XXXXX:YYYYYYY" \
  --request POST \
  --insecure \
  --verbose \
  --data  '{"Ports":"512"}' \
  https://172.16.0.20/api/firewall/alias_util/add/APP_FORWARD_PORTS

And I keep getting this error: {"status":"failed"}.

I've tried to validate the script and credentials by using --data '{"address":"10.0.0.2"}' for the address and it works perfectly.
So it appears that my issue is related to "Ports".
I tried the script with Ports, Port, port, ports and nothing works.

Also, if I try to list ports from the API alias, it will not display any ports, even those that exist:

curl -k -u "XXXXXXX":"YYYYYY" https://172.16.0.20/api/firewall/alias_util/list/EXISTING_PORT

I get:

{
  "total": 0,
  "rowCount": -1,
  "current": 1,
  "rows": []
}

If I try to export, I see the ports via the API.

What is the syntax i should use? I don't see the ports directive being used in the manual. Is it not supported?

Thanks for your help.
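An added example, not part of the post or of OPNsense's own code: the alias_util endpoints used above are the "utility" API, and `alias_util/add` only understands the `address` key because it pushes a host or network straight into a running pf table. A port alias has to be changed through the alias model endpoints instead (the "non-utility endpoint" of the reply below) and then applied. The three paths this client uses, `getAliasUUID/{name}`, `setItem/{uuid}` and `reconfigure`, and the reply shapes it expects are assumed from the alias model API; they are not shown in the post. The transport is injectable so the flow can run without a firewall, and the client verifies the GUI certificate instead of reproducing curl's `--insecure`.

```python
import base64
import json
import ssl
import urllib.request


def bad_port_specs(ports):
    """Return the entries that are neither a port (1-65535) nor a low-high range."""
    bad = []
    for p in ports:
        lo, _, hi = str(p).partition("-")
        ok = lo.isdigit() and 1 <= int(lo) <= 65535
        if ok and hi:
            ok = hi.isdigit() and int(lo) <= int(hi) <= 65535
        if not ok:
            bad.append(p)
    return bad


class OpnsenseAlias:
    """Client for the OPNsense alias *model* API (the non-utility endpoints).
    Endpoint paths and reply shapes are assumptions of this example."""

    def __init__(self, base_url, key, secret, cafile=None, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        # Verify the GUI certificate: point cafile at the CA that signed it
        # (or at a copy of the self-signed cert) rather than disabling checks.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.transport = transport or self._http

    def _http(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            return json.loads(resp.read())

    def uuid_of(self, name):
        reply = self.transport("GET", f"/api/firewall/alias/getAliasUUID/{name}", None)
        if "uuid" not in reply:
            raise LookupError(f"alias {name!r} not found: {reply}")
        return reply["uuid"]

    def set_ports(self, name, ports):
        """Replace the content of port alias `name` (one entry per line in the
        alias model) and apply it; returns the reconfigure reply."""
        bad = bad_port_specs(ports)
        if bad:
            raise ValueError(f"invalid port entries: {bad}")
        uuid = self.uuid_of(name)
        saved = self.transport("POST", f"/api/firewall/alias/setItem/{uuid}",
                               {"alias": {"content": "\n".join(str(p) for p in ports)}})
        if saved.get("result") != "saved":
            raise RuntimeError(f"setItem rejected the change: {saved}")
        return self.transport("POST", "/api/firewall/alias/reconfigure", {})


class RecordingTransport:
    """Constructed stand-in for HTTP so the flow runs without a firewall:
    records every call and returns canned replies of the assumed shape."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if "/getAliasUUID/" in path:
            return {"uuid": "9f0c1d2e-example-uuid"}
        if "/setItem/" in path:
            return {"result": "saved"}
        return {"status": "ok"}


def demo():
    transport = RecordingTransport()
    client = OpnsenseAlias("https://172.16.0.20", "XXXXX", "YYYYYYY", transport=transport)
    result = client.set_ports("APP_FORWARD_PORTS", [512, "8000-8010"])
    return transport.calls, result


if __name__ == "__main__":
    for call in demo()[0]:
        print(call)
```

For a real firewall, drop the `transport` argument and pass `cafile=`; the API key should belong to a user whose privileges are limited to the firewall alias pages, since the key grants whatever that user can do in the GUI.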


#27
Confirmed & solved!

Thanks!
#28
Hello,

I am having issues editing my current TS config.
When I try to edit the IP in the rules section, or set it to any, the web GUI deletes what I have added.
The behaviour is the same if I create a new rule for TS.

This happens on chrome, firefox, and IE with or without incognito mode on.

What am i missing here?

PS: this server is part of an opncluster; I removed the config sync, and the issue remains on the other node as well, so I think we can rule out any issue with the config that might be causing this.

Thanks,
Nuno
#29
19.7 Legacy Series / haproxy transparent
August 05, 2019, 05:29:31 PM
Hello all,

Does anyone know when this will be implemented on the main tree of opnsense:

https://forum.opnsense.org/index.php?topic=4609.0

It is quite wanted by a lot of people.

Thanks for a kick ass product!
#30
19.1 Legacy Series / IPSEC con selection fail.
June 06, 2019, 10:19:30 AM
Hello,

I think I might be doing something wrong here.

I have two IPsec phase 1 selections:

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = %any
  right = %any
 
  leftid = con1@vpn
  ikelifetime = 1500000000s
  lifetime = 360000s
  rightsourceip = 172.16.8.0/24
  ike = aes128-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 0.0.0.0/0
  esp = aes128-sha1!
  auto = add

conn con2
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel
  dpdaction = none
  left = %any
  right = %any
 
  leftid = con2@vpn
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 172.16.8.0/24
  ike = aes128-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 0.0.0.0/0
  esp = aes128-sha1!
  auto = add


Why does it then always select CON1, with every possible option in the identifier section: Distinguished name, user distinguished name, ASN.1 dist. name, KeyID tag?

Error:

With shared secret for CON1:

charon: 11[CFG] <6> looking for XAuthInitPSK peer configs matching 10.0.1.1...X.X.XX.X[con1@vpn]
charon: 11[CFG] <6> selected peer config "con1"

With shared secret for CON2:

charon: 11[CFG] <6> looking for XAuthInitPSK peer configs matching 10.0.1.1...X.X.XX.X[con2@vpn]
charon: 11[CFG] <6> selected peer config "con1"

What am I doing wrong? Why does it always default back to con1?

Thanks for an uber product!
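What the charon log lines show is the responder's peer config selection. The identity in brackets (`[con2@vpn]`) is the one the initiator presents, and strongSwan compares it with `rightid`, not with `leftid` (`leftid` is the responder's own identity). Neither conn above sets `rightid`, so both match any initiator at the same wildcard strength, and the first conn in the file wins every time. An added example, not part of the post and not strongSwan's own code: a simplified Python emulation of that selection, run over two constructed ipsec.conf fragments, one in the posted shape and one where each conn carries a `rightid`. A caveat on the posted proposal itself: IKEv1 aggressive mode with a PSK sends a hash of the PSK in the clear for offline guessing, and `sha1-modp1024` is weak by current standards, so this setup should be treated as legacy.

```python
import re

# Constructed ipsec.conf fragments in the shape of the post's two conns,
# trimmed to the keys that matter for peer config selection.
AS_POSTED = """\
conn con1
  leftid = con1@vpn
  rightsourceip = 172.16.8.0/24
  auto = add

conn con2
  leftid = con2@vpn
  rightsourceip = 172.16.8.0/24
  auto = add
"""

# Same two conns, but each one names the initiator identity it is meant for.
WITH_RIGHTID = """\
conn con1
  leftid = gateway@vpn
  rightid = con1@vpn
  auto = add

conn con2
  leftid = gateway@vpn
  rightid = con2@vpn
  auto = add
"""


def parse_conns(text):
    """Parse `conn NAME` blocks with `key = value` lines into dicts, in file order."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = {"name": m.group(1)}
            conns.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns


def id_score(configured, presented):
    """2 for an exact identity match, 1 for a wildcard (unset or %any), 0 for a mismatch."""
    if configured in (None, "", "%any"):
        return 1
    return 2 if configured == presented else 0


def select_peer_config(conns, initiator_id, responder_id=None):
    """Emulate the responder's choice: the identity the initiator presents is
    matched against rightid, our own against leftid (not yet known in the
    first aggressive-mode message, hence treated as wildcard). The highest
    score wins and a tie goes to the conn defined first."""
    best, best_score = None, 0
    for conn in conns:
        remote = id_score(conn.get("rightid"), initiator_id)
        local = 1 if responder_id is None else id_score(conn.get("leftid"), responder_id)
        if remote == 0 or local == 0:
            continue
        score = remote * 10 + local
        if score > best_score:
            best, best_score = conn["name"], score
    return best


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("with rightid", WITH_RIGHTID)):
        conns = parse_conns(text)
        for ident in ("con1@vpn", "con2@vpn"):
            print(f"{label}: initiator {ident} -> {select_peer_config(conns, ident)}")
```

With a `rightid` per conn, the client has to present exactly that identity (the identifier field on the client side of the phase 1), and a client presenting an identity no conn lists is rejected instead of silently landing in con1.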