
Messages - schnipp

301
18.7 Legacy Series / Re: [SOLVED] 18.7.7: Opnsense errors after update
« on: November 14, 2018, 06:18:51 pm »
Quote from: nivek1612 on November 12, 2018, 02:25:49 pm
I'm seeing something similar - what do you mean by "repairing the database"

Under "Reporting --> Settings" you can find a button called "Repair netflow data". On my system repairing took a long time (20 minutes and more). You can monitor the repair process and the touched files in the system log (System --> Log Files --> General).

302
General Discussion / Re: Carrier Grade NAT (CGN) range to be separated from "Block private network" group
« on: November 11, 2018, 08:32:01 pm »
I think the shared address space (100.64.0.0/10) does not belong to the private ones, so it should not be included there. My question is, what are the criteria for treating addresses as bogons?

303
General Discussion / Re: Carrier Grade NAT (CGN) range to be separated from "Block private network" group
« on: November 10, 2018, 12:53:47 pm »
In fact, the log message is confusing. Under which configuration (blocking bogon or private addresses) does this log message occur?

In general the address block is dedicated to ISPs, but in log files it should be described as "CGN shared address space (RFC 6598)" or similar.

304
18.7 Legacy Series / Re: 18.7.7: Opnsense errors after update
« on: November 09, 2018, 04:39:50 pm »
Forcing the update again using the console (opnsense-update -f) solved this issue. But now, starting all the services after reboot takes a long time (up to 5 minutes) and flowd_aggregate dies in its startup phase.


Code:
flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 151, in run
    aggregate_flowd(do_vacuum)
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 80, in aggregate_flowd
    stream_agg_object.add(flow_record_cpy)
  File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 70, in add
    super(FlowInterfaceTotals, self).add(flow)
  File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 261, in add
    self._update_cur.execute(self._insert_stmt, flow)
DatabaseError: database disk image is malformed

Edit: After repairing the database everything works fine again. Maybe the database error was not raised during the update and occurred a long time ago.

305
18.7 Legacy Series / [SOLVED] 18.7.7: Opnsense errors after update
« on: November 09, 2018, 03:45:22 pm »
After updating Opnsense (18.7.6 --> 18.7.7) and rebooting the system, Opnsense throws an error. Therefore several services are not able to start.

Code:
[09-Nov-2018 15:13:18 Europe/Berlin] PHP Fatal error:  Uncaught Error: Call to undefined function get_configured_interface_list() in /usr/local/etc/inc/plugins.inc.d/igmpproxy.inc:80
Stack trace:
#0 /usr/local/etc/inc/plugins.inc(213): igmpproxy_configure_do(true)
#1 /usr/local/etc/rc.bootup(118): plugins_configure('bootup', true)
#2 {main}
  thrown in /usr/local/etc/inc/plugins.inc.d/igmpproxy.inc on line 80

306
18.7 Legacy Series / Re: S/MIME Certificates with OPNsense
« on: October 29, 2018, 07:36:06 pm »
Quote from: qinohe on October 28, 2018, 04:06:21 pm
Hey schnipp, thanks for the answer.
Your first part was in fact what I had in mind; CRL is not important for a local solution, so yeah, I would have chosen this quick and dirty method.

The second part I have never done; what is it you mean exactly, derive a CA from the OPNsense CA? How should I go about doing this?
Don't worry, I'll read about it some more and try to figure it out anyway, though this will be a project for the cold winter days; I'm somehow short on time at the moment.

I do understand in this case the leaf certificate needs the correct attributes to work as S/MIME certificate.

Greetings, mark

Do you use S/MIME certificates for external email communication? If this is the case, you should have a CRL for better trust in your CA. A derived CA is also called an intermediate CA, which itself signs another intermediate CA or a leaf certificate (see here).

307
18.7 Legacy Series / Re: Does rsync create a security risk?
« on: October 29, 2018, 07:23:29 pm »
Yes it does. Rsync does not provide any security for data in transit. So, direct use over networks could be dangerous. You need to encapsulate data transfer into an encrypted channel for confidentiality and integrity (e.g. ssh or stunnel). Furthermore, keep proper authentication in mind.


308
18.7 Legacy Series / Re: S/MIME Certificates with OPNsense
« on: October 27, 2018, 12:20:35 pm »
You can export the CA and its private key for externally signing CSRs. But I cannot recommend this approach unless you know what you are doing. Keep in mind that you then have to manage two databases of serial numbers, which you have to combine into one CRL in case of certificate issues.

The better way is to use your own CA or an intermediate CA derived from your CA in Opnsense. For email encryption the leaf certificate needs the correct attributes (e.g. key usage: signing, non-repudiation, key encryption; extended key usage: email security [1.3.6.1.5.5.7.3.4]).
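Worked example for the two S/MIME posts above (306 and 308), added here as an illustration; it is not code from the thread, from schnipp or from OPNsense. It assumes the openssl command-line tool is installed; the CA names, the mailbox alice@example.test and the scratch-directory layout are constructed placeholders. The script derives an intermediate CA from a root CA, issues a leaf certificate carrying the key-usage and extended-key-usage attributes the post lists, and then has openssl validate the chain for both S/MIME purposes (signing and encryption), which is the check that fails when those attributes are missing:

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense: derive an
# intermediate CA from a root CA and issue an S/MIME leaf certificate with
# the attributes the post names (key usage: digital signature, non-repudiation,
# key encipherment; extended key usage: emailProtection = 1.3.6.1.5.5.7.3.4).
# Requires the openssl CLI. The CA names and the e-mail address are constructed.
set -eu

# Extension profiles that openssl applies to each certificate type.
write_profiles() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ smime_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Build root -> intermediate -> leaf in a scratch directory, verify the leaf
# for both S/MIME purposes, and print "ok" when everything checks out.
issue_smime_chain() {
  work="$(mktemp -d)"
  cnf="$work/ext.cnf"
  write_profiles "$cnf"

  # Self-signed root CA (the role the CA kept in OPNsense would play).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$cnf" -extensions ca_ext -subj "/CN=Example Root CA" \
    -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null

  # Intermediate CA derived from the root: CSR, then signed with the CA profile.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -subj "/CN=Example S-MIME Intermediate CA" \
    -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -CAcreateserial \
    -in "$work/int.csr" -CA "$work/root.crt" -CAkey "$work/root.key" \
    -extfile "$cnf" -extensions ca_ext -out "$work/int.crt" 2>/dev/null

  # Leaf certificate for one mailbox, signed by the intermediate with smime_ext.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -in "$work/leaf.csr" -CA "$work/int.crt" -CAkey "$work/int.key" \
    -extfile "$cnf" -extensions smime_ext -out "$work/leaf.crt" 2>/dev/null

  # Chain validation for signing and for encryption: openssl checks the
  # key-usage and extended-key-usage bits against each purpose.
  openssl verify -CAfile "$work/root.crt" -untrusted "$work/int.crt" \
    -purpose smimesign "$work/leaf.crt" >/dev/null
  openssl verify -CAfile "$work/root.crt" -untrusted "$work/int.crt" \
    -purpose smimeencrypt "$work/leaf.crt" >/dev/null

  # The decoded extensions must show exactly the attributes from the post.
  text="$(openssl x509 -in "$work/leaf.crt" -noout -text)"
  echo "$text" | grep -q "Digital Signature, Non Repudiation, Key Encipherment"
  echo "$text" | grep -q "E-mail Protection"

  rm -rf "$work"
  echo ok
}

issue_smime_chain
```

The two verify calls are the useful part: with `-purpose smimesign` openssl rejects a leaf whose key usage lacks digitalSignature/nonRepudiation or whose extended key usage excludes emailProtection, and `-purpose smimeencrypt` additionally requires keyEncipherment, so a certificate issued from a generic server-certificate template fails here before it ever reaches a mail client.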


309
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: October 27, 2018, 10:21:42 am »
That sounds good  :)

310
General Discussion / Re: Carrier Grade NAT (CGN) range to be separated from "Block private network" group
« on: October 27, 2018, 10:11:56 am »
Quote from: ricsip on October 26, 2018, 12:21:10 pm
Actually, 10/8 in its entirety is not considered to be private anymore, as according to RFC6598 CGN has been officially allocated to 100.64.0.0/10 (reference: https://tools.ietf.org/html/rfc6598)

The mentioned RFC does not touch the networks already registered as private. Regarding the similar-looking networks: the private one begins with 10 (10.0.0.0/8), whereas the shared address space begins with 100 (100.64.0.0/10). So there is no overlap.

Quote from: ricsip on October 26, 2018, 12:21:10 pm
[...]CGN peers should be allowed to come through. Disabling the block of Private networks opens a possible security hole for spoofed IP attacks, while Blocking private networks blocks many hosts that are located behind the same ISP as my router.

By the way, CGN does not always use this kind of address; it is only used in double NAT scenarios (e.g. Dual-Stack with a non-public IP). The idea of the shared address space is to avoid conflicts with private networks at the CPE. But if your service provider communicates with you via the shared address space, both addresses (CPE and AFTR) don't have to be blocked. But I think there is no need to unblock the whole shared address space.
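Added example for the CGN posts above (302, 303 and 310); it is not code from the thread or from OPNsense. It is a small POSIX sh classifier that tells RFC 1918 private addresses from RFC 6598 shared address space and checks that two prefixes overlap only when the shorter one contains the other's base address, which is what the 10.0.0.0/8 versus 100.64.0.0/10 question comes down to. The function names and the sample addresses at the end are constructed for illustration:

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense: classify an
# IPv4 address against the RFC 1918 private ranges and the RFC 6598 shared
# address space, and test whether two CIDR prefixes overlap.
# Sample addresses at the bottom are constructed for illustration.
set -euf

# Dotted quad -> 32-bit integer on stdout; fails on malformed input.
ip_to_int() {
  old_ifs="$IFS"; IFS=.
  set -- $1
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    # Reject empty, non-numeric and zero-padded octets (010 is not 10 here).
    case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length 0..32, as an integer.
prefix_mask() {
  [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
  if [ "$1" -eq 0 ]; then echo 0
  else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Succeeds when address $1 lies inside CIDR prefix $2 (e.g. 100.64.0.0/10).
in_net() {
  ip=$(ip_to_int "$1") || return 2
  net=$(ip_to_int "${2%/*}") || return 2
  mask=$(prefix_mask "${2#*/}") || return 2
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the class an address falls into, the way a "block private networks"
# rule would have to decide it.
classify_ipv4() {
  ip_to_int "$1" >/dev/null || { echo "invalid"; return 1; }
  if in_net "$1" 10.0.0.0/8 || in_net "$1" 172.16.0.0/12 || in_net "$1" 192.168.0.0/16; then
    echo "private (RFC 1918)"
  elif in_net "$1" 100.64.0.0/10; then
    echo "shared address space (RFC 6598)"
  elif in_net "$1" 127.0.0.0/8; then
    echo "loopback"
  else
    echo "other"
  fi
}

# Succeeds when two CIDR prefixes share at least one address: the prefix with
# the shorter length must contain the base address of the other one.
nets_overlap() {
  if [ "${1#*/}" -le "${2#*/}" ]; then
    in_net "${2%/*}" "$1"
  else
    in_net "${1%/*}" "$2"
  fi
}

# Constructed sample input.
for addr in 10.1.2.3 172.31.0.9 192.168.1.1 100.64.1.1 100.127.255.255 100.128.0.1 203.0.113.5; do
  printf '%-16s %s\n' "$addr" "$(classify_ipv4 "$addr")"
done
if nets_overlap 10.0.0.0/8 100.64.0.0/10; then
  echo "10.0.0.0/8 and 100.64.0.0/10 overlap"
else
  echo "10.0.0.0/8 and 100.64.0.0/10 do not overlap"
fi
```

The overlap test is the point of the example: 100.64.0.0/10 ends at 100.127.255.255, so 100.128.0.1 is already outside it, and neither 10.0.0.0/8 nor 100.64.0.0/10 contains the other's base address, which is why a firewall can carry the two ranges as separate rules without one shadowing the other.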

311
German - Deutsch / Re: [Siproxd & VOIP Support] Problem and solution thread
« on: October 16, 2018, 07:47:30 pm »
Quote from: Wired Life on September 19, 2018, 06:50:15 am
Doesn't work either  :'(

Do you have several SIP devices behind the OPNsense that need to connect through NAT to a registrar on the Internet? If not (e.g. only one Fritzbox in the LAN), the SIP proxy is not strictly necessary. I removed it again on my system; it works flawlessly with the Fritzbox 7490 and 1&1.

312
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: October 16, 2018, 07:43:10 pm »
So, I am back and added a second mobile connection using the link you mentioned. Afterwards I did some tests, the second connection and two mobile connections using the same virtual ip pool look fine and work in parallel.

But I found one bug in the GUI. For the additional connection it is not possible to define a phase 2 with a subnet which is already defined in the first mobile connection. The GUI shows the following error message during configuration (a small adaptation of the consistency check in the backend is needed):

Quote
The following input errors were detected:
    Phase2 with this Local Network is already defined for mobile clients.

Regarding multiple mobile connections which need to be distinguished, the IKE daemon tests the peer configurations one after another until it finds a valid one :) (see log file excerpt)

Quote
Oct 16 19:26:01    charon: 15[CFG] <con1|8> switching to peer config 'con5'
Oct 16 19:26:01    charon: 15[CFG] <con1|8> selected peer config 'con1' inacceptable: non-matching authentication done
Oct 16 19:26:01    charon: 15[CFG] <con1|8> constraint requires public key authentication, but pre-shared key was used

We should keep in mind that all clients of the same IP pool can communicate independently of their configured endpoint.

313
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: September 26, 2018, 08:38:26 pm »
Hi all,

FredTGB, many thanks for performing tests with multiple strongswan configurations. When I am back from vacation I can do some additional tests, especially with multiple configurations using the same global address pool for roadwarrior connections. Once I have done so, I'll post the results here.


314
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: September 25, 2018, 08:48:32 pm »
Unfortunately, this does not help. Systems used as a roadwarrior need different authentication algorithms, which are unique in phase 1.

BTW, in phase 1 I do not see any possibility of selecting multiple encryption, hash and DH algorithms like in phase 2. My Opnsense version is 18.7.3-amd64.


315
General Discussion / Re: Multiple Roadwarrior IPSEC tunnels?
« on: September 24, 2018, 08:08:36 pm »
Is there a chance to get the support of multiple roadwarrior configurations implemented in the GUI?
