OPNsense
Topics - Perun

Pages: 1 [2] 3
16
General Discussion / carp and ipv6
« on: September 13, 2018, 07:25:53 am »
Hi All,

I have IPv6 configured on my WAN with RA to my LAN. I use a second OPNsense with CARP for redundancy. Is it OK to configure IPv6 on the second OPNsense the same as on the first?
I think DHCPv6 on WAN is OK, but what about RA -> LAN?

Greetz

17
General Discussion / Multi WAN and ipv6
« on: September 11, 2018, 07:17:41 am »
Hi

I have 2 WAN uplinks (cable and VDSL). IPv4 works as expected, and so does IPv6 on cable... but I have problems with forwarding the IPv6 prefix on the VDSL uplink...

These are my settings:

cable interface (German Vodafone cable)
Code:
    <opt2>
      <if>igb0_vlan4</if>
      <descr>cable</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <blockbogons>1</blockbogons>
      <ipaddr>192.168.40.3</ipaddr>
      <subnet>24</subnet>
      <gateway>cable_gateway</gateway>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>1</dhcp6-ia-pd-len>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6sendsolicit>1</dhcp6sendsolicit>
      <adv_dhcp6_debug>1</adv_dhcp6_debug>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_id/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </opt2>

vdsl interface (German 1&1 VDSL)
Code:
    <opt3>
      <if>igb0_vlan14</if>
      <descr>vdsl</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <blockbogons>1</blockbogons>
      <ipaddr>192.168.140.3</ipaddr>
      <subnet>24</subnet>
      <gateway>vdsl_gateway</gateway>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>4</dhcp6-ia-pd-len>
      <dhcp6sendsolicit>1</dhcp6sendsolicit>
      <adv_dhcp6_debug>1</adv_dhcp6_debug>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_id/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </opt3>

my first LAN (should use cable for IPv6)
Code:
    <opt5>
      <if>igb1</if>
      <descr>lan</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.50.3</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>opt2</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </opt5>

my second LAN (should use VDSL for IPv6)
Code:
    <opt1>
      <if>igb2</if>
      <descr>lan_media</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.150.3</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>opt3</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </opt1>

cat /var/etc/radvd.conf
Code:
# Automatically generated, do not edit
# Generated config for dhcp6 delegation from opt2 on opt5
interface igb1 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix 2a02:8109:9d40:476::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2a02:8109:9d40:476:20d:b9ff:fe4a:7499 { };
DNSSL chao5.int { };
};
# Generated config for dhcp6 delegation from opt3 on opt1
interface igb2 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL chao5.int { };
};

Here I'm missing something: there is no prefix on igb2... why?

cat /var/etc/dhcp6c_opt2.conf
Code:
interface igb0_vlan4 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt2_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix-interface igb1 {
    sla-id 0;
    sla-len 1;
  };
};

cat /var/etc/dhcp6c_opt3.conf
Code:
interface igb0_vlan14 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix-interface igb2 {
    sla-id 1;
    sla-len 4;
  };
};

There are 2 running dhcp6c processes... is that normal?

In /var/log/dhcpd.log | grep dhcp6c I see this:
Code:
Sep 11 07:14:13 cerber dhcp6c[19870]: Sending Solicit
Sep 11 07:14:13 cerber dhcp6c[19870]: set client ID (len 14)
Sep 11 07:14:13 cerber dhcp6c[19870]: set identity association
Sep 11 07:14:13 cerber dhcp6c[19870]: set elapsed time (len 2)
Sep 11 07:14:13 cerber dhcp6c[19870]: set option request (len 4)
Sep 11 07:14:13 cerber dhcp6c[19870]: set IA_PD
Sep 11 07:14:13 cerber dhcp6c[19870]: send solicit to ff02::1:2%igb0_vlan14
Sep 11 07:14:13 cerber dhcp6c[19870]: reset a timer on igb0_vlan14, state=SOLICIT, timeo=13, retrans=110376
Sep 11 07:14:13 cerber dhcp6c[15879]: unexpected interface (9)

What can the problem be? What am I doing wrong?

TiA
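
Two checks for the setup in this post, added here as an example; this is not code from the post or from OPNsense. The first derives the LAN /64 that dhcp6c forms from a delegated prefix plus the sla-id/sla-len pair seen in the generated dhcp6c_*.conf files (the delegated prefix lengths are an assumption: OPNsense's dhcp6-ia-pd-len value N is an index that requests a /(64-N), so 1 asks for a /63 and 4 for a /60). The second walks a radvd.conf with a brace counter and reports interfaces whose only advertised prefix is the unspecified ::/64, which is how a LAN whose tracked WAN never delivered a delegation shows up. The radvd sample is a trimmed, constructed copy of the one posted.

```python
import ipaddress
import re

# radvd.conf excerpt as posted (constructed sample: two LAN interfaces, the
# second one still carrying the empty placeholder prefix).
RADVD_SAMPLE = """\
# Generated config for dhcp6 delegation from opt2 on opt5
interface igb1 {
AdvSendAdvert on;
prefix 2a02:8109:9d40:476::/64 {
AdvOnLink on;
AdvAutonomous on;
};
RDNSS 2a02:8109:9d40:476:20d:b9ff:fe4a:7499 { };
};
# Generated config for dhcp6 delegation from opt3 on opt1
interface igb2 {
AdvSendAdvert on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
};
DNSSL chao5.int { };
};
"""


def pd_prefix_len(ia_pd_len: int) -> int:
    """OPNsense's <dhcp6-ia-pd-len> is an index, not a length (assumption from the
    lead-in): 0 requests a /64, 1 a /63, ... 16 a /48."""
    return 64 - ia_pd_len


def derive_lan_prefix(delegated: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Form the interface prefix the way dhcp6c's prefix-interface statement does:
    append sla_len bits holding sla_id to the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    new_len = net.prefixlen + sla_len
    if new_len > 64:
        raise ValueError(f"{delegated} plus sla-len {sla_len} leaves no room for a 64-bit interface id")
    if sla_id >= (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in sla-len {sla_len} bits")
    addr = int(net.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))


def radvd_interfaces(conf: str) -> dict:
    """Return {interface: [advertised prefixes]} by walking radvd.conf with a brace
    counter (a non-greedy regex would stop at the first nested '};')."""
    result, iface, depth = {}, None, 0
    for line in conf.splitlines():
        s = line.strip()
        m = re.match(r"interface\s+(\S+)\s*\{", s)
        if m and depth == 0:
            iface = m.group(1)
            result[iface] = []
        m = re.match(r"prefix\s+(\S+)\s*\{", s)
        if m and iface is not None:
            result[iface].append(m.group(1))
        depth += s.count("{") - s.count("}")
        if depth == 0:
            iface = None
    return result


def unconfigured_interfaces(conf: str) -> list:
    """Interfaces that advertise only the unspecified prefix (::/N), i.e. whose
    tracked WAN has not delivered a delegation."""
    unspecified = ipaddress.IPv6Address("::")
    return [
        iface for iface, prefixes in radvd_interfaces(conf).items()
        if prefixes and all(ipaddress.IPv6Network(p).network_address == unspecified for p in prefixes)
    ]


if __name__ == "__main__":
    print(derive_lan_prefix("2a02:8109:9d40:476::/63", sla_id=0, sla_len=1))
    print(unconfigured_interfaces(RADVD_SAMPLE))
```

Run against the posted files, `derive_lan_prefix` reproduces the igb1 prefix from a /63 with sla-id 0 / sla-len 1, and `unconfigured_interfaces` names igb2: the opt3 client never handed a prefix to the script, so radvd is still advertising the placeholder.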

18
German - Deutsch / Performance over IPsec
« on: August 02, 2018, 11:46:25 am »
Hello

I would like to watch my films in my holiday flat over an IPsec tunnel. I have set up the IPsec tunnel so far, and on the network side everything works so far.

Unfortunately the performance is not sufficient to watch, e.g., a Blu-ray (BR) film. I measure the bandwidth with iperf between the two endpoints and get 32-35 Mbit in one direction and about 2 Mbit in the other over the tunnel.

The lines are 100/40 Mbit on the server side and 50/2 Mbit on the client side.
So far so good for IPsec over the line. (Although I would actually expect a bit more from the apu2c4.)

The 35 Mbit should really be completely sufficient for the BRs.

Unfortunately the BR stutters and can't be watched like this.
I have already set the MSS size on the OPNsense box (1390: measured with ping without fragmentation, 1402 was possible, and then 12 bytes subtracted for TCP).

I build the tunnel with a Linux box (strongSwan). Do I have to set the MSS there too?

Both CPUs (OPNsense and the Linux box) are relaxed during the transfer.

Which other "knobs" can I turn to improve the performance?

Greetz

19
German - Deutsch / Extend WLAN coverage with openwrt...
« on: June 28, 2018, 12:14:47 pm »
Hello,

I would like to extend my two WLANs (normal and guest) with an openwrt router. The openwrt router should stay "dumb", i.e. it should only extend the network and not offer any services itself. DHCP/DNS etc. should all come from the OPNsense box.

My structure:

lan: 192.168.50.0/24, interface 1 (VLAN5) on OPNsense
lan_media: 192.168.150.0/24, interface 2 (VLAN15) on OPNsense
dmz_kabel: 192.168.40.0/24, interface 3 (VLAN4) on OPNsense
dmz_vdsl: 192.168.140.0/24, interface 3 (VLAN14) on OPNsense
wlan: 192.168.60.0/24, wlan interface
wlan_guests: 192.168.250.0/24, wlan interface

So now the question is how I can attach the networks lan, lan_media, wlan and wlan_guest to openwrt. lan and lan_media are easy because they go over one cable as a trunk (2 VLANs), but how do I bring the WLAN networks across?

Should I configure a VLAN for wlan and wlan_guest as well and put them into the shared trunk, or is there something simpler, or am I completely off track with my thinking?

Many thanks in advance for your suggestions!
Greetz

20
18.1 Legacy Series / unbound auto A records?
« on: May 24, 2018, 12:45:37 pm »
Hi

Unbound seems to add A records for the OPNsense host to the config if I add new networks (2 new WLAN nets).
I've found these settings in hosts_entries.conf:

Code:
local-data-ptr: "192.168.60.3 cerber.chao5.int"
local-data: "cerber.chao5.int A 192.168.60.3"
local-data: "cerber A 192.168.60.3"
local-data: "cerber.chao5.int AAAA fe80::6f0:21ff:fe30:3765"
local-data: "cerber AAAA fe80::6f0:21ff:fe30:3765"
local-data-ptr: "192.168.250.3 cerber.chao5.int"
local-data: "cerber.chao5.int A 192.168.250.3"
local-data: "cerber A 192.168.250.3"
local-data: "cerber.chao5.int AAAA fe80::4f0:21ff:fe30:3765"
local-data: "cerber AAAA fe80::4f0:21ff:fe30:3765"

but I can't see them in "Host Override" in the WebUI.
Can I delete them without problems?

Greetz

21
German - Deutsch / Remove automatic A records in DNS (unbound)
« on: May 18, 2018, 07:24:34 am »
Hi

Somehow unbound has automatically created A records for my OPNsense box. I recently added 2 WLANs and the name of the OPNsense box now has 2 A records, one in each WLAN:

Code:
host cerber.chao5.int
cerber.chao5.int has address 192.168.60.3
cerber.chao5.int has address 192.168.250.3
cerber.chao5.int has IPv6 address fe80::6f0:21ff:fe30:3765
cerber.chao5.int has IPv6 address fe80::4f0:21ff:fe30:3765

But since I use internal DNS servers and unbound only for caching or "bending" DNS, I would like to get rid of them... but I can't find the place where they are defined...
Can anyone help? Can the automatism also be switched off for the future?

Greetz

22
German - Deutsch / Cron jobs gone
« on: May 18, 2018, 06:57:50 am »
Hi

Somehow my cron jobs that I defined with crontab -e always disappear at some point... Does OPNsense clean up there? What can I do so that they stay persistent there?

Greetz

23
German - Deutsch / Many pinger processes
« on: April 24, 2018, 07:16:12 am »
Hi

There are always around 10 "(pinger) (pinger)" processes running on my OPNsense box.
Is that normal? What are they for?

I have problems with the Multi-WAN config and apinger; could that be the cause?

Greetz

24
German - Deutsch / Latency problem with Multi WAN gateway monitoring
« on: April 05, 2018, 12:53:51 pm »
Hi

I have a strange phenomenon here with the monitoring of 2 gateways (Multi WAN).

Behind the gateways I ping the DNS servers of the respective ISP. Sometimes I see really large response times (>10000ms) for the gateways in the status UI, or even that the gateways are offline.
When I ping the same servers from the console, everything looks OK.

The only thing that helps then is to switch off the monitoring for the gateways, wait a certain time (about 10 min) and switch it on again. Then everything is OK again.

Does anyone know this problem and perhaps also the solution for it?

Greetz

25
18.1 Legacy Series / UGLY Bug? Squid cant be killed, host cant be rebooted
« on: February 24, 2018, 04:13:43 pm »
Hi

I have a problem with squid on 18.1.2_2.
If I try to stop it I get these errors (see attachment).

Then I can't kill the squid process (not even with kill -9):

Code:
50587  -  D      26:09.05 (squid-1) -f /usr/local/etc/squid/squid.conf (squid)

Only a reboot helps, but I need to do a power off/on because it hangs at shutdown with squid :(

Can someone confirm that it is a bug? Or do I have something wrong in my config?

Code:
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#


# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

# Setup regular listeners configuration
http_port 192.168.50.3:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 192.168.50.2:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 12MB
sslcrtd_children 10

sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_options NO_TLSv1

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
ssl_bump peek bump_step1 all
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3

sslproxy_cert_error deny all

acl ftp proto FTP
http_access allow ftp


# Setup ftp proxy

# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
acl localnet src 192.168.50.0/24 # Possible internal network (interfaces v4)
# Default allow for local-link and private networks
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# ACL lists

# ACL - Allow Subnets - User defined (subnets)
acl subnets src 192.168.50.0/24
acl subnets src 192.168.150.0/24
acl subnets src 192.168.55.0/24
acl subnets src 10.0.8.0/24
acl subnets src 127.0.0.1

# ACL - Remote fetched Blacklist (remoteblacklist)

# ACL - Block browser/user-agent - User defined (browser)

# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https

# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# ICAP SETTINGS
# enable icap
icap_enable on
icap_default_options_ttl 60

# send user information to the icap server
adaptation_send_client_ip on
adaptation_send_username off
icap_client_username_encode off
icap_client_username_header X-Username

# preview
icap_preview_enable on
icap_preview_size 1024

# add the servers
icap_service response_mod respmod_precache icap://[::1]:1344/avscan
icap_service request_mod reqmod_precache icap://[::1]:1344/avscan


# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf

# Authentication Settings

# Deny requests to certain unsafe ports
adaptation_access response_mod deny !Safe_ports
adaptation_access request_mod deny !Safe_ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
adaptation_access response_mod deny CONNECT !SSL_ports
adaptation_access request_mod deny CONNECT !SSL_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
http_access deny to_localhost


# Auth plugins
include /usr/local/etc/squid/auth/*.conf

#
# Access Permission configuration:
#
# Deny request from unauthorized clients

#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
http_access allow localnet

# ACL - localhost
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
http_access allow localhost

# ACL list (Allow) subnets
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
http_access allow subnets

# Deny all other access to this proxy
adaptation_access response_mod deny all
adaptation_access request_mod deny all
http_access deny all
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf

# Caching settings
cache_mem 256 MB
cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#


refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Squid Options
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on

access_log syslog:local4.info
# Disable cache store log
cache_store_log none
# URI handling with whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
# Define visible hostname
visible_hostname cerber.chao5.int
# Define visible email
cache_mgr root@chao5.int

Greetz
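
To see what the posted squid.conf actually admits, here is an evaluator for its http_access lines, added as an example; it is not code from the post or from OPNsense. It models only src, port and method ACLs (the manager and to_localhost rules are left out), applies Squid's first-match semantics, and includes Squid's built-in localhost ACL. The requests it is run against are constructed.

```python
import ipaddress

# ACLs transcribed from the posted squid.conf; 'localhost' is Squid's built-in ACL.
ACLS = {
    "localnet": ("src", ["192.168.50.0/24", "fc00::/7", "fe80::/10"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "subnets": ("src", ["192.168.50.0/24", "192.168.150.0/24", "192.168.55.0/24",
                        "10.0.8.0/24", "127.0.0.1/32"]),
    "SSL_ports": ("port", ["443", "444"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
}

# http_access lines in the order they appear in the posted config.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["subnets"]),
    ("deny", ["all"]),
]


def _port_matches(port: int, spec: list) -> bool:
    """Squid port ACL values are single ports or lo-hi ranges."""
    for item in spec:
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def acl_matches(name: str, req: dict) -> bool:
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        # 'in' is False across address families, so v4 clients never match v6 ranges
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return _port_matches(req["port"], values)
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported ACL type {kind}")


def term_matches(term: str, req: dict) -> bool:
    """A leading '!' negates the ACL, as in squid.conf."""
    negate = term.startswith("!")
    return acl_matches(term.lstrip("!"), req) != negate


def evaluate(req: dict, rules=HTTP_ACCESS):
    """Squid semantics: a line matches when all its ACL terms match; the first
    matching line decides. With no match, the verdict is the opposite of the
    last line's action. Returns (verdict, index of the deciding line or None)."""
    for i, (action, terms) in enumerate(rules):
        if all(term_matches(t, req) for t in terms):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def ssl_ports_unreachable() -> list:
    """Ports that SSL_ports would let CONNECT through but that the earlier
    'http_access deny !Safe_ports' line rejects first."""
    return [int(p) for p in ACLS["SSL_ports"][1]
            if not _port_matches(int(p), ACLS["Safe_ports"][1])]


if __name__ == "__main__":
    for req in ({"src": "192.168.50.10", "port": 80, "method": "GET"},
                {"src": "192.168.50.10", "port": 444, "method": "CONNECT"},
                {"src": "172.16.0.1", "port": 80, "method": "GET"}):
        print(req, "->", evaluate(req))
    print("SSL_ports blocked by Safe_ports:", ssl_ports_unreachable())
```

One thing the evaluator makes visible: port 444 is listed in SSL_ports but not in Safe_ports, and the `deny !Safe_ports` line comes first, so a CONNECT to port 444 is refused regardless of the SSL_ports entry. Any source outside localnet and the subnets list falls through to `deny all`.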

26
18.1 Legacy Series / Bug? CARP and Bridge interface
« on: February 24, 2018, 10:53:01 am »
Hi,

There seems to be a problem/bug with CARP on bridge interfaces.

I get this message at boot: "Sorry but we could not find a required assigned ip address on the interface for the virtual IP" for the CARP on my bridge interface.

Code:
if (is_ipaddrv4($vip['subnet'])) {
        /* Ensure a IP on this interface exists prior to configuring CARP. */
        $ww_subnet_ip = find_interface_ip($realif);
        if (!is_ipaddrv4($ww_subnet_ip)) {
            file_notice("CARP", sprintf(gettext("Sorry but we could not find a required assigned ip address on the interface for the virtual IP address %s."), $vip['subnet']), "Firewall: Virtual IP", "");
            return;
        }

Could the CARP be 'too early', while the bridge doesn't have an IP configured yet?

Greetz

27
18.1 Legacy Series / Problems with CARP
« on: February 22, 2018, 07:10:53 am »
Hi

I have 2 OPNsense installations - one on an apu2c4 and one as a Xen VM (both with the latest version, 18.1.2).

I have some weird effects with the CARP configuration. The hosts don't have 1:1 the same interfaces, but I use CARP only on those that exist on both OPNsense installations:

first:
Code:
<virtualip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>opt2</interface>
      <descr>carp_cable</descr>
      <subnet>192.168.40.2</subnet>
      <vhid>40</vhid>
      <advskew>100</advskew>
      <advbase>30</advbase>
      <password>!c4rp!</password>
    </vip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>opt5</interface>
      <descr>carp_lan_wlan</descr>
      <subnet>192.168.50.2</subnet>
      <vhid>50</vhid>
      <advskew>100</advskew>
      <advbase>30</advbase>
      <password>!c4rp!</password>
    </vip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>opt3</interface>
      <descr>carp_vdsl</descr>
      <subnet>192.168.140.2</subnet>
      <vhid>140</vhid>
      <advskew>100</advskew>
      <advbase>30</advbase>
      <password>!c4rp!</password>
    </vip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>opt1</interface>
      <descr>carp_lan_media</descr>
      <subnet>192.168.150.2</subnet>
      <vhid>150</vhid>
      <advskew>100</advskew>
      <advbase>30</advbase>
      <password>!c4rp!</password>
    </vip>
  </virtualip>

second:
Code:
<virtualip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>wan</interface>
      <descr>carp_cable</descr>
      <subnet>192.168.40.2</subnet>
      <vhid>40</vhid>
      <advskew>200</advskew>
      <advbase>40</advbase>
      <password>!c4rp!</password>
    </vip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>lan</interface>
      <descr>carp_lan_wlan</descr>
      <subnet>192.168.50.2</subnet>
      <vhid>50</vhid>
      <advskew>200</advskew>
      <advbase>40</advbase>
      <password>!c4rp!</password>
    </vip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>opt1</interface>
      <descr>carp_vdsl</descr>
      <subnet>192.168.140.2</subnet>
      <vhid>140</vhid>
      <advskew>200</advskew>
      <advbase>40</advbase>
      <password>!c4rp!</password>
    </vip>
    <vip>
      <type>single</type>
      <subnet_bits>24</subnet_bits>
      <mode>carp</mode>
      <interface>opt2</interface>
      <descr>carp_lan_media</descr>
      <subnet>192.168.150.2</subnet>
      <vhid>150</vhid>
      <advskew>200</advskew>
      <advbase>40</advbase>
      <password>!c4rp!</password>
    </vip>
  </virtualip>

The first router should always be master if it is running.

Sometimes after a reboot some interfaces are master and some backup on the first and second router... I need to disable/enable CARP and then it works... Is something wrong with this configuration?

TiA
Greetz
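
An added consistency and timing check over the two posted virtual-IP lists; this is example code, not part of the post or of OPNsense. It pairs VIPs by vhid across the two nodes, flags mismatched address, mask or password, and works out from advbase/advskew what carp(4) does with them: a node advertises every advbase + advskew/256 seconds and the node with the shortest interval wins the election, while a backup declares the master dead only after 3*advbase + advskew/256 seconds of silence, measured with its own settings. The XML below is a constructed sample trimmed to two VIPs per node.

```python
import xml.etree.ElementTree as ET

# <virtualip> sections trimmed from the two posted config.xml files (constructed sample).
FIRST_NODE = """<virtualip>
  <vip><type>single</type><subnet_bits>24</subnet_bits><mode>carp</mode>
    <interface>opt2</interface><descr>carp_cable</descr><subnet>192.168.40.2</subnet>
    <vhid>40</vhid><advskew>100</advskew><advbase>30</advbase><password>!c4rp!</password></vip>
  <vip><type>single</type><subnet_bits>24</subnet_bits><mode>carp</mode>
    <interface>opt5</interface><descr>carp_lan_wlan</descr><subnet>192.168.50.2</subnet>
    <vhid>50</vhid><advskew>100</advskew><advbase>30</advbase><password>!c4rp!</password></vip>
</virtualip>"""

SECOND_NODE = """<virtualip>
  <vip><type>single</type><subnet_bits>24</subnet_bits><mode>carp</mode>
    <interface>wan</interface><descr>carp_cable</descr><subnet>192.168.40.2</subnet>
    <vhid>40</vhid><advskew>200</advskew><advbase>40</advbase><password>!c4rp!</password></vip>
  <vip><type>single</type><subnet_bits>24</subnet_bits><mode>carp</mode>
    <interface>lan</interface><descr>carp_lan_wlan</descr><subnet>192.168.50.2</subnet>
    <vhid>50</vhid><advskew>200</advskew><advbase>40</advbase><password>!c4rp!</password></vip>
</virtualip>"""


def parse_vips(xml_text: str) -> dict:
    """Map vhid -> settings for every CARP VIP in a <virtualip> section."""
    vips = {}
    for vip in ET.fromstring(xml_text).findall("vip"):
        if vip.findtext("mode") != "carp":
            continue
        vips[int(vip.findtext("vhid"))] = {
            "subnet": vip.findtext("subnet"),
            "subnet_bits": int(vip.findtext("subnet_bits")),
            "password": vip.findtext("password"),
            "advbase": int(vip.findtext("advbase")),
            "advskew": int(vip.findtext("advskew")),
        }
    return vips


def advert_interval(advbase: int, advskew: int) -> float:
    """carp(4): seconds between advertisements; the shorter interval wins the election."""
    return advbase + advskew / 256


def master_down_timeout(advbase: int, advskew: int) -> float:
    """carp(4): silence a BACKUP tolerates before promoting itself, from its own values."""
    return 3 * advbase + advskew / 256


def check_pair(first_xml: str, second_xml: str) -> dict:
    """Per vhid: settings that differ between the nodes (the vhid is the name CARP
    uses on the wire, so the interface name is allowed to differ), which node is
    preferred, and how long a failover to the other node takes."""
    first, second = parse_vips(first_xml), parse_vips(second_xml)
    report = {}
    for vhid in sorted(set(first) | set(second)):
        if vhid not in first or vhid not in second:
            report[vhid] = {"mismatch": ["vhid present on one node only"]}
            continue
        a, b = first[vhid], second[vhid]
        mismatch = [k for k in ("subnet", "subnet_bits", "password") if a[k] != b[k]]
        ia = advert_interval(a["advbase"], a["advskew"])
        ib = advert_interval(b["advbase"], b["advskew"])
        preferred, backup = ("first", b) if ia < ib else ("second", a)
        report[vhid] = {
            "mismatch": mismatch,
            "preferred_master": preferred,
            "advert_interval_s": (ia, ib),
            "failover_after_s": master_down_timeout(backup["advbase"], backup["advskew"]),
        }
    return report


if __name__ == "__main__":
    for vhid, r in check_pair(FIRST_NODE, SECOND_NODE).items():
        print(vhid, r)
```

For the posted values the two nodes agree on address, mask and password, and the first node is preferred on every vhid (30.39 s versus 40.78 s between advertisements). The cost of advbase 30/40 shows in the last field: the second node only takes over about 120 s after the first goes silent, where the default advbase of 1 would give roughly 3 s.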

28
German - Deutsch / Squid problems
« on: February 19, 2018, 06:39:02 am »
Hello

Somehow for a few days I have had problems with Squid/ClamAV. A certain (varying) time after rebooting, both services, ClamAV and Squid, crash. With Squid I see a message like "out of swap" or something similar.

I have now disabled the RRD graphs because I read that it can help with such an error. But this is not the solution.

The router is an apu2c4 and I run the proxy with antivirus scanning (also with SSL man-in-the-middle) for 4 people in the household. It should definitely be able to handle that, shouldn't it?

Greetz

29
German - Deutsch / IPsec VPN and Android clients
« on: February 04, 2018, 11:10:08 pm »
Hello

I have the following settings for mobile clients:

Code:
conn con4
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 192.168.40.3
  right = %any
  leftid = dync.chao5.net
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 192.168.250.0/24
  ike = aes256-sha256-modp2048s256!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-4.crt
  leftsendcert = always
  rightca = "/O=CHAO5.INT/CN=Certificate Authority/"
  rightsubnet = 192.168.250.0/24
  leftsubnet = 192.168.50.0/24
  esp = aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048,aes192-sha1-modp2048,aes192-sha256-modp2048,aes192-sha384-modp2048,aes192-sha512-modp2048,aes128-sha1-modp2048,aes128-sha256-modp2048,aes128-sha384-modp2048,aes128-sha512-modp2048!
  auto = add

With similar settings all my tunnels between Linux strongSwan boxes work...

But here I get the following messages and can't really figure out what's wrong:
Code:
Feb  4 23:09:33 cerber charon: 09[NET] received packet: from 31.17.57.154[61045] to 192.168.40.3[500] (660 bytes)
Feb  4 23:09:33 cerber charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb  4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb  4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb  4 23:09:33 cerber charon: 09[IKE] local host is behind NAT, sending keep alives
Feb  4 23:09:33 cerber charon: 09[IKE] remote host is behind NAT
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "O=CHAO5.INT, CN=Certificate Authority"
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "CN=Fake LE Intermediate X1"
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Feb  4 23:09:33 cerber charon: 09[IKE] sending cert request for "C=DE, ST=Berlin, L=Berlin, O=chao5, E=perun@chao5.net, CN=internal-ca"
Feb  4 23:09:33 cerber charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb  4 23:09:33 cerber charon: 09[NET] sending packet: from 192.168.40.3[500] to 31.17.57.154[61045] (551 bytes)
Feb  4 23:09:34 cerber charon: 09[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb  4 23:09:34 cerber charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Feb  4 23:09:34 cerber charon: 09[ENC] received fragment #1 of 4, waiting for complete IKE message
Feb  4 23:09:34 cerber charon: 09[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb  4 23:09:34 cerber charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Feb  4 23:09:34 cerber charon: 09[ENC] received fragment #2 of 4, waiting for complete IKE message
Feb  4 23:09:34 cerber charon: 08[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (484 bytes)
Feb  4 23:09:34 cerber charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Feb  4 23:09:34 cerber charon: 08[ENC] received fragment #4 of 4, waiting for complete IKE message
Feb  4 23:09:34 cerber charon: 06[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb  4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Feb  4 23:09:34 cerber charon: 06[ENC] received fragment #3 of 4, reassembling fragmented IKE message
Feb  4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb  4 23:09:34 cerber charon: 06[IKE] received end entity cert "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb  4 23:09:34 cerber charon: 06[CFG] looking for peer configs matching 192.168.40.3[%any]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[CFG] selected peer config 'con4'
Feb  4 23:09:34 cerber charon: 06[CFG]   using certificate "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb  4 23:09:34 cerber charon: 06[CFG]   using trusted ca certificate "O=CHAO5.INT, CN=Certificate Authority"
Feb  4 23:09:34 cerber charon: 06[CFG] checking certificate status of "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb  4 23:09:34 cerber charon: 06[CFG]   requesting ocsp status from 'http://ipa-ca.chao5.int/ca/ocsp' ...
Feb  4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ca/ocsp, no capable fetcher found
Feb  4 23:09:34 cerber charon: 06[CFG] ocsp request to http://ipa-ca.chao5.int/ca/ocsp failed
Feb  4 23:09:34 cerber charon: 06[CFG] ocsp check failed, fallback to crl
Feb  4 23:09:34 cerber charon: 06[CFG]   fetching crl from 'http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin' ...
Feb  4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin, no capable fetcher found
Feb  4 23:09:34 cerber charon: 06[CFG] crl fetching failed
Feb  4 23:09:34 cerber charon: 06[CFG] certificate status is not available
Feb  4 23:09:34 cerber charon: 06[CFG]   reached self-signed root ca with a path length of 0
Feb  4 23:09:34 cerber charon: 06[IKE] authentication of 'O=CHAO5.INT, CN=handy-marlena.vpn' with RSA_EMSA_PKCS1_SHA2_256 successful
Feb  4 23:09:34 cerber charon: 06[IKE] peer supports MOBIKE
Feb  4 23:09:34 cerber charon: 06[IKE] authentication of 'dync.chao5.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] scheduling reauthentication in 28135s
Feb  4 23:09:34 cerber charon: 06[IKE] maximum IKE_SA lifetime 28675s
Feb  4 23:09:34 cerber charon: 06[IKE] sending end entity cert "O=CHAO5.INT, CN=dync.chao5.net"
Feb  4 23:09:34 cerber charon: 06[IKE] peer requested virtual IP %any
Feb  4 23:09:34 cerber charon: 06[CFG] reassigning offline lease to 'O=CHAO5.INT, CN=handy-marlena.vpn'
Feb  4 23:09:34 cerber charon: 06[IKE] assigning virtual IP 192.168.250.1 to peer 'O=CHAO5.INT, CN=handy-marlena.vpn'
Feb  4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb  4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb  4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET DNS DNS U_DEFDOM U_SPLITDNS U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb  4 23:09:34 cerber charon: 06[ENC] splitting IKE message with length of 1824 bytes into 2 fragments
Feb  4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb  4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb  4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (1236 bytes)
Feb  4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (660 bytes)
Feb  4 23:09:34 cerber charon: 06[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (80 bytes)
Feb  4 23:09:34 cerber charon: 06[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb  4 23:09:34 cerber charon: 06[IKE] received DELETE for IKE_SA con4[48]
Feb  4 23:09:34 cerber charon: 06[IKE] deleting IKE_SA con4[48] between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] deleting IKE_SA con4[48] between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA deleted
Feb  4 23:09:34 cerber charon: 06[IKE] IKE_SA deleted
Feb  4 23:09:34 cerber charon: 06[ENC] generating INFORMATIONAL response 2 [ ]
Feb  4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (80 bytes)
Feb  4 23:09:34 cerber charon: 06[CFG] lease 192.168.250.1 by 'O=CHAO5.INT, CN=handy-marlena.vpn' went offline

Can anyone help? I'm somehow stuck...

Greetz
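
An added reader for the charon excerpt in this post; this is example code, not part of the post or of strongSwan. It walks the lines of one IKE_SA, records which side authenticated whom, whether revocation checking actually produced a status, and whether the notify that tore the SA down came from the peer after our IKE_AUTH response. The sample lines are a constructed subset of the posted log.

```python
import re

# Constructed subset of the posted charon log (one IKE_SA, order preserved).
CHARON_SAMPLE = """\
06[IKE] received end entity cert "O=CHAO5.INT, CN=handy-marlena.vpn"
06[CFG] selected peer config 'con4'
06[CFG]   requesting ocsp status from 'http://ipa-ca.chao5.int/ca/ocsp' ...
06[LIB] unable to fetch from http://ipa-ca.chao5.int/ca/ocsp, no capable fetcher found
06[CFG] ocsp check failed, fallback to crl
06[LIB] unable to fetch from http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin, no capable fetcher found
06[CFG] crl fetching failed
06[CFG] certificate status is not available
06[IKE] authentication of 'O=CHAO5.INT, CN=handy-marlena.vpn' with RSA_EMSA_PKCS1_SHA2_256 successful
06[IKE] authentication of 'dync.chao5.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
06[IKE] sending end entity cert "O=CHAO5.INT, CN=dync.chao5.net"
06[IKE] assigning virtual IP 192.168.250.1 to peer 'O=CHAO5.INT, CN=handy-marlena.vpn'
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET DNS DNS U_DEFDOM U_SPLITDNS U_PFS) SA TSi TSr ]
06[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
06[IKE] received DELETE for IKE_SA con4[48]
06[IKE] IKE_SA deleted
"""

# Patterns for the charon messages the diagnosis needs. The '(myself)' line does not
# match 'peer_id' because [^']+ cannot cross the closing quote before ' (myself)'.
PATTERNS = {
    "peer_cert": re.compile(r'received end entity cert "([^"]+)"'),
    "local_cert": re.compile(r'sending end entity cert "([^"]+)"'),
    "local_id": re.compile(r"authentication of '([^']+)' \(myself\) with \S+ successful"),
    "peer_id": re.compile(r"authentication of '([^']+)' with \S+ successful"),
    "revocation_unavailable": re.compile(r"certificate status is not available"),
    "no_fetcher": re.compile(r"unable to fetch from (\S+), no capable fetcher found"),
    "ike_sa_established": re.compile(r"IKE_SA \S+ established between"),
    "response_sent": re.compile(r"generating IKE_AUTH response"),
    "peer_auth_failed": re.compile(r"parsed INFORMATIONAL request \d+ \[ N\(AUTH_FAILED\) \]"),
    "deleted": re.compile(r"IKE_SA deleted"),
}


def summarize(log: str) -> dict:
    """Collect the facts: captures keep their value, bare matches become True,
    and every URL that had no fetcher is listed."""
    facts = {"no_fetcher": []}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "no_fetcher":
                facts[key].append(m.group(1))
            else:
                facts[key] = m.group(1) if m.groups() else True
    return facts


def diagnose(facts: dict) -> str:
    """Explain why the SA went away, in the order an IKE_AUTH exchange can fail."""
    if "peer_id" not in facts:
        return "responder could not authenticate the initiator"
    if facts.get("peer_auth_failed") and facts.get("response_sent"):
        msg = ("initiator sent AUTH_FAILED after receiving our IKE_AUTH response: "
               "the client rejected the server's authentication (we identified as "
               f"'{facts.get('local_id')}' and sent cert \"{facts.get('local_cert')}\")")
    elif facts.get("deleted"):
        msg = "SA deleted without an AUTH_FAILED notify"
    else:
        msg = "SA established and still up"
    if facts.get("revocation_unavailable"):
        msg += ("; note: revocation status of the client cert was never obtained "
                f"(no fetcher for {', '.join(facts['no_fetcher'])}), "
                "authentication went ahead anyway")
    return msg


if __name__ == "__main__":
    print(diagnose(summarize(CHARON_SAMPLE)))
```

The verdict separates two things that are easy to conflate in this log: the server did verify the phone's certificate (and, with no OCSP/CRL fetcher available, accepted it without a revocation status), and the handshake still died because the phone answered the server's IKE_AUTH response with AUTH_FAILED, i.e. the client side of the mutual authentication is what to look at, with the identity and certificate the server presented as the starting point.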

30
German - Deutsch / Problem with web proxy
« on: February 01, 2018, 03:48:44 pm »
Hi

I have set up a transparent proxy for http and https. This works fine as long as I don't enable any "Remote Access Control Lists". As soon as I do, almost no https sites work anymore (an error with HSTS).
Is this normal? Do you have a tip for good RACLs?

Greetz

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved