1576
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 06:44:45 pm »
So I've just bounced my 18.1.rc2 to 18.1_1 and all is working.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1577
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 06:01:54 pm »
Sadly there is only one way to prove it. My NAT and Aliases work on a fresh install.
I don't have time at this minute, but in a while I will compare my old 17.7.11 config to my 18.1.rc2 and see if there are any differences, I will also bounce my live firewall to 18.1 and see what happens... but as I said earlier, that needs to be after 17:30 GMT.
I don't have time at this minute, but in a while I will compare my old 17.7.11 config to my 18.1.rc2 and see if there are any differences, I will also bounce my live firewall to 18.1 and see what happens... but as I said earlier, that needs to be after 17:30 GMT.
1578
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 05:55:09 pm »
Try doing it with a fresh install and MANUALLY create the config. I know it's a PITA but see if that works, obviously something is not right, but I suspect its in converting the config.
1579
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 05:14:59 pm »
More than likely, I had issues when bouncing 17.7.11 to 18.1.rc1 & rc2.
I've drawn the conclusion that when doing a major upgrade for me it's best to do the configuration from scratch anyway. In the past, with pfS**** I've also had issues so now I just bite the bullet and get on with it.
I know it should not happen, but these things do, and I end up with less down time in the long run.
I got bitten by the ICMP - ICMP6 issue too, so there was a lot of swearing going on.
I've drawn the conclusion that when doing a major upgrade for me it's best to do the configuration from scratch anyway. In the past, with pfS**** I've also had issues so now I just bite the bullet and get on with it.
I know it should not happen, but these things do, and I end up with less down time in the long run.
I got bitten by the ICMP - ICMP6 issue too, so there was a lot of swearing going on.
1580
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 04:25:29 pm »
OK, I have just done a test with my 'TEST' unit, virgin 18.1
By default this unit had just the rules it comes with out of the box.
I created a port forward from the WAN to the LAN, forwarding ports 80,443,465 and 993, directing them at my laptop.
Then on my main machine I ran a piece of software called Hercules, if you do not know it then find it, it's a very useful tool, whatever, Hercules allows me to test by trying to connect on whatever port I specify to a given address.
I then ran wireshark on the laptop to see what was coming through the firewall.
I have to say, all the port forwards worked. I don't know what's going on with others, but on my test unit - perfect.
This was create the port alias(es) then create the port forward, apply.
Note, before someone says, I had to turn of the block private networks as the WAN network was 192.168.1.0
and the LAN network was 192.168.3.0 - but it worked.
By default this unit had just the rules it comes with out of the box.
I created a port forward from the WAN to the LAN, forwarding ports 80,443,465 and 993, directing them at my laptop.
Then on my main machine I ran a piece of software called Hercules, if you do not know it then find it, it's a very useful tool, whatever, Hercules allows me to test by trying to connect on whatever port I specify to a given address.
I then ran wireshark on the laptop to see what was coming through the firewall.
I have to say, all the port forwards worked. I don't know what's going on with others, but on my test unit - perfect.
This was create the port alias(es) then create the port forward, apply.
Note, before someone says, I had to turn of the block private networks as the WAN network was 192.168.1.0
and the LAN network was 192.168.3.0 - but it worked.
1581
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 03:11:36 pm »
I can check that but not until after 17:30 GMT, I cannot take opnsense down at the moment, I will get an ear bashing! 
1582
18.1 Legacy Series / Re: NAT, port aliases, redirect not working after upgrade
« on: January 30, 2018, 03:05:14 pm »
Port Aliases are working in my system using NAT. Still running 18.1.rc2.
So I have Binat rules as I have multiple external IP's. Create that and then create a WAN firewall rule any to my internal mail server with the ports that I have open 443,465 and 993 using a ports alias list and it works fine. I have just deleted the rules, checked that the ports were not accessible and then re-created them again, working fine.
So I have Binat rules as I have multiple external IP's. Create that and then create a WAN firewall rule any to my internal mail server with the ports that I have open 443,465 and 993 using a ports alias list and it works fine. I have just deleted the rules, checked that the ports were not accessible and then re-created them again, working fine.
1583
18.1 Legacy Series / Re: Upgrade 17.7.12_1>18.1 failure
« on: January 29, 2018, 11:48:44 pm »
I had the same problem with IPv6-ICMP during RC testing. It's been noted already that it's a PITA for those who are not aware of it. Either it needs alphabetically sorting so it sits next to ICMP or it gets auto detected depending on whether it's v4 or v6.
The message I posted in the RC threads does not seem to be around now, but those that hit this problem have my sympathy!
The message I posted in the RC threads does not seem to be around now, but those that hit this problem have my sympathy!
1584
18.1 Legacy Series / Re: Improvement suggestion - layout - rearrange (Links)
« on: January 29, 2018, 04:44:15 pm »
“You can please some of the people all of the time, you can please all of the people some of the time, but you can’t please all of the people all of the time”
Menu is fine by me.
Menu is fine by me.
1585
17.7 Legacy Series / Re: GeoIP Blocks All Traffic Instead of Per-Country Traffic
« on: January 28, 2018, 11:36:01 pm »
I use Spam Hero to handle all my inbound, takes the strain off my system, all the mx records point to them and they are not expensive. I use Geo Blocker for almost all countries except the ones I travel to most or need to have open. I've just found a quite useful list I've added as an alias, which is working well. it's in a straight text format so dead easy to import.
http://bl.plonkatronix.com/plonkatronixRBL.txt
Certainly stopped the 'plonker' who kept trying to get into my server.
http://bl.plonkatronix.com/plonkatronixRBL.txt
Certainly stopped the 'plonker' who kept trying to get into my server.
1586
General Discussion / Re: duplicating pfblockerng features
« on: January 28, 2018, 06:35:46 pm »
Hear's the saying, if you need the docs you shouldn't be playing.
Read them, tell yourself they are all wrong and then ask someone.
Read them, tell yourself they are all wrong and then ask someone.
1587
General Discussion / Re: duplicating pfblockerng features
« on: January 28, 2018, 04:27:07 pm »
Ah, but if the docs are all correct then it spoils the voyage of discovery.. 
1588
17.7 Legacy Series / Re: IPv6 Addresses Not Being Handed Out on LAN
« on: January 27, 2018, 05:27:33 pm »
[EDIT]Have you also tried this site to see what's happening: http://ipv6-test.com/
My goto site for ipv6 testing, but even that fails ICMP with a default windows 10 setup as it blocks ICMP in the windows firewall, you need to turn off the windows firewall to get a nearly perfect score, and a have a reverse DNS entry to score 20, my mail server does.
1589
17.7 Legacy Series / Re: IPv6 Addresses Not Being Handed Out on LAN
« on: January 27, 2018, 10:11:06 am »This is one of those "I have to see how it plays out."
The IPv6 tests at test-ipv6.com still fail. I haven't changed a single setting since earlier today. Meanwhile, my desktop passes all of the tests at test-ipv6.com but can't ping any IPv6 hosts (e.g., Google).
This is maddening!
it fails and it works??
1590
17.7 Legacy Series / Re: IPv6 Addresses Not Being Handed Out on LAN
« on: January 27, 2018, 10:08:47 am »
Multiple IPv6 addresses is the norm.
From that device do a tracert -6 www.google.com and see where it takes you.
From that device do a tracert -6 www.google.com and see where it takes you.