Messages - andreab

#16
Hi,

I'm on 18.1.4 but I have not seen any progress regarding my situation.
My routing table still looks exactly the same as before, and I experience the same problems as before.

A couple of things I've noticed with the VPN on (and therefore with no connectivity):
1) checking the firewall log I can see that my ping to the google DNS servers (8.8.8.8) is allowed, but since I get no response, I assume the "reply" messages are blocked on the way back;
2) if I am pinging something (eg 8.8.8.8) while I enable the VPN, the ping keeps working - so something is blocking new connections, but not already established ones.

Regards,
Andrea

#17
Hi,

Just to give everyone an update on this - I have patched OPNsense to the latest (18.1.3) but the issues reported in my previous comment (#29) still remain a problem.

Let me know if you experience anything different please.

Regards,
Andrea

#18
Hi,

Here is my situation with this issue.

I'm fully updated on 18.1.2_2.

I followed this how-to when I was still on 17.7.something (one of the latest ones, in case that matters).

The only thing I did differently is the "Step 8, the Manual outbound NAT generation" bit, as the only way to keep the automated and manual rules in place at the same time is by using the "hybrid" setting.
Of course I also tried to use manual but it does not make any difference.

In my setup I want to have all traffic coming from a VLAN (10.55.59.0/24) to be routed through the OpenVPN connection, while untagged traffic coming from 10.55.55.0/24 will reach the internet directly.

The correct gateway for the network is 10.55.50.1, while the gateway for the OpenVPN connection is something like 46.246.85.1.

Problem #1
When OpenVPN is connected to its server, 10.55.59.0/24 correctly goes on the internet through the encrypted tunnel, but unfortunately 10.55.55.0/24 has no Internet access whatsoever (tested with something like "ping 8.8.8.8" or curl).

If it helps with understanding, checking the routes I can see this:

% netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.50.1         00:e0:4c:65:25:da  UHS        igb0
10.55.50.2         link#1             UHS         lo0
10.55.55.0/24      link#2             U          igb1
10.55.55.1         link#2             UHS         lo0
10.55.59.0/24      link#14            U      igb1_vla
10.55.59.1         link#14            UHS         lo0
10.55.60.0/24      link#3             U          igb2
10.55.60.1         link#3             UHS         lo0
10.55.61.0/24      link#10            U      igb2_vla
10.55.61.1         link#10            UHS         lo0
10.55.62.0/24      link#11            U      igb2_vla
10.55.62.1         link#11            UHS         lo0
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
46.246.85.1        link#9             UH       ovpnc1
46.246.85.21       link#9             UHS         lo0
84.200.69.80       00:e0:4c:65:25:dd  UHS        igb3
84.200.70.40       00:e0:4c:65:25:dd  UHS        igb3
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
192.168.5.0/24     link#4             U          igb3
192.168.5.1        00:e0:4c:65:25:dd  UHS        igb3
192.168.5.131      link#4             UHS         lo0
192.168.17.0/24    192.168.5.1        UGS        igb3
192.168.20.0/24    192.168.5.1        UGS        igb3
192.168.40.0/24    192.168.5.1        UGS        igb3

Problem #2
ovpnc1 has higher priority than igb0, so the router itself goes on the internet through OpenVPN, and I don't want that.


Any tips on debugging the current issues will be appreciated.


Regards,
Andrea
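
An added example, not part of andreab's post: the route selection the firewall itself performs, run over the netstat -nr table quoted above, which is copied into the script as sample input. The kernel takes the most specific matching prefix, so the 0.0.0.0/1 and 128.0.0.0/1 entries pointing at ovpnc1 (the pair that OpenVPN's redirect-gateway def1 option installs) beat the /0 default on igb0 for every destination that has no more specific route. That is why 8.8.8.8 and the router's own traffic leave through the tunnel, while the VPN server address 178.73.195.98 keeps its /32 host route via the real gateway 10.55.50.1. The code is Python using only the standard library; the client addresses looked up at the bottom are made up.

```python
import ipaddress

# Constructed sample input: the "Internet:" section of the netstat -nr output
# quoted in the post above, minus its header lines and a few duplicates of
# the same pattern (igb2 VLANs, extra igb3 routes) that add nothing here.
NETSTAT_OUTPUT = """\
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.50.1         00:e0:4c:65:25:da  UHS        igb0
10.55.50.2         link#1             UHS         lo0
10.55.55.0/24      link#2             U          igb1
10.55.55.1         link#2             UHS         lo0
10.55.59.0/24      link#14            U      igb1_vla
10.55.59.1         link#14            UHS         lo0
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
46.246.85.1        link#9             UH       ovpnc1
46.246.85.21       link#9             UHS         lo0
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
192.168.5.0/24     link#4             U          igb3
192.168.5.1        00:e0:4c:65:25:dd  UHS        igb3
192.168.17.0/24    192.168.5.1        UGS        igb3
"""


def parse_routes(text):
    """Turn netstat -nr lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        # A bare address with no prefix is a host route; ip_network makes it /32.
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


ROUTES = parse_routes(NETSTAT_OUTPUT)


def lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel does it: the most specific matching
    destination wins, regardless of where it appears in the listing.
    Returns (destination, gateway, netif) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    if best is None:
        return None
    return (str(best[0]), best[1], best[3])


def vpn_shadows_default(routes=ROUTES):
    """True when a 0.0.0.0/1 + 128.0.0.0/1 pair sits on one interface. Together
    the two halves cover all of IPv4 and, being /1, always beat the /0 default,
    so that interface silently becomes the router's own egress."""
    halves = {str(net): netif for net, _, _, netif in routes if net.prefixlen == 1}
    lower = halves.get("0.0.0.0/1")
    return lower is not None and lower == halves.get("128.0.0.0/1")


if __name__ == "__main__":
    # Made-up destinations standing in for a public host, the VPN endpoint,
    # a LAN client and a host behind the igb3 gateway.
    for dst in ("8.8.8.8", "178.73.195.98", "10.55.55.20", "192.168.17.5"):
        print(dst, "->", lookup(dst))
    print("VPN captures the default route:", vpn_shadows_default())
```

lookup("8.8.8.8") returns ('0.0.0.0/1', '46.246.85.1', 'ovpnc1') and vpn_shadows_default() is True, which is Problem #2 in the post stated as a check. If only the VLAN is meant to use the tunnel, the two /1 routes should not land in the main table at all; in OpenVPN that is the route-nopull client option (shown in the OPNsense client settings as "Don't pull routes"), with a firewall rule on the VLAN selecting the OpenVPN gateway instead. Whether that alone resolves the poster's situation is not something the thread establishes.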

#19
oh yeah, I can see that now... :-/
The intros are useful, particularly when you don't know HAProxy very well.

Thanks so much for the prompt response!

Regards,
Andrea

#20
Hi,

I run OPNsense 17.7. I've just enabled the HAProxy plugin but I can't seem to find a way to add servers to get started.
See image attached.

According to the documentation (https://docs.opnsense.org/manual/how-tos/haproxy.html) there should be a '+' sign to use in order to add servers.
Could anyone kindly point out what I am missing?

Regards,
Andrea

#21
Hi!

I had to fiddle a bit to get this to work but I think I nailed it. :-)

Franco - thank you for your explanation, it's been the best I could find so far.

I want to extend a bit on what I did exactly in case that might help someone else in my situation.


1) I created my internal self-signed CA (under System: Trust: Authorities).
2) Then under "System: Trust: Certificates" I chose "Create an internal Certificate", selecting "Server Certificate" as Type and the CA created at step 1).
3) I exported the CA certificate created at step 1) into my Linux system, but that was not enough, as Firefox seems to use a separate store for CAs, so I had to import it into Firefox separately too.
4) Switched the SSL certificate used for HTTPS under "System: Settings: Administration" to the one newly created at step 2), and saved.


Hope it helps.

Regards,
Andrea
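
An added example, not from andreab's post or from OPNsense's own code, showing what steps 1), 2) and 4) produce and what the browser checks in step 3) once the CA is imported. It is written in Python against the cryptography library (assumed to be installed). The hostname opnsense.localdomain and the address 10.55.55.1 are made-up values standing in for the name and LAN address actually used to reach the web GUI; they matter because browsers match the address bar against the certificate's subjectAltName, so a server certificate without the right SAN still produces a warning even after the CA is trusted. Only the CA certificate is exported; the CA private key stays on the firewall.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ONE_DAY = datetime.timedelta(days=1)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="Home CA (example)"):
    """Step 1: a self-signed CA. CA=TRUE plus keyCertSign is what makes this an
    authority a browser will accept as a trust anchor, not just a self-signed leaf."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - ONE_DAY)
        .not_valid_after(_now() + 3650 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False,
            key_encipherment=False, data_encipherment=False,
            key_agreement=False, key_cert_sign=True, crl_sign=True,
            encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_server_cert(ca_key, ca_cert, hostname, ip):
    """Step 2: a 'Server Certificate' signed by the CA. The name and address
    used in the browser go into subjectAltName (assumed values in the caller)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - ONE_DAY)
        .not_valid_after(_now() + 397 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .add_extension(x509.SubjectAlternativeName([
            x509.DNSName(hostname),
            x509.IPAddress(ipaddress.ip_address(ip)),
        ]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def issued_by(cert, ca_cert):
    """What the browser checks once the CA is in its store: issuer matches the
    CA subject and the CA public key verifies the signature over the TBS bytes."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def is_server_cert_for(cert, hostname, ip):
    """Server certificate shape: not a CA, serverAuth EKU, SAN carrying the
    name and address the GUI is reached on."""
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (not bc.ca
            and ExtendedKeyUsageOID.SERVER_AUTH in eku
            and hostname in san.get_values_for_type(x509.DNSName)
            and ipaddress.ip_address(ip) in san.get_values_for_type(x509.IPAddress))


def export_ca_pem(ca_cert):
    """Step 3: the PEM that gets imported into the OS store and, separately, Firefox."""
    return ca_cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, srv_cert = make_server_cert(ca_key, ca_cert, "opnsense.localdomain", "10.55.55.1")
    print("server cert chains to CA:", issued_by(srv_cert, ca_cert))
    print(export_ca_pem(ca_cert).decode())
```

issued_by() is the chain check that fails in Firefox until the CA is imported into Firefox's own store, and is_server_cert_for() is the check that still fails afterwards if the certificate was created with the wrong Type or without a SAN matching the address in the URL.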