Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - Ricardo

Pages: [1] 2

Tutorials and FAQs / Remote VPN access via android and windows client IPSEC

« on: February 10, 2021, 09:34:11 am »

Hello folks,

I tried to setup VPN remote access based on IPSEC.
I would like to use the following remote access clients:
- Android phone 9, using the google stock built-in ipsec client, but Strongswan is also accepted if absoletely mandatory due to stock google ipsec client defects
- Windows 10 (whatever version and edition), using the built-in MSFT ipsec client, I would rather avoid 3rd party ipsec client, unless it turns out the msft client is a junk

I already managed to setup site-2-site ipsec tunnel between 2 opnsense router, based on the guide I found on docs.opnsense.com (some more verbose guide would have been better, but thats the only 1 I managed to find, on youtube only pfsense videos are made, nothing useful based on opnsense). The site2site connection works more or less reliable, but because of the dynamic WAN IP, I had to hack a strongswan restart monit setup, otherwise the tunnel never comes up after a dynamic IP change, which the guides dont talk a single word, very disappointing.
But the remaijing step, the remote access, roadwarrior, android and windows scenarios are a big mess for me on docs.opnsense.com. Has anyone a better, more detailed, and EXPLAINED guide in this subject, not just 5 screenshots with 0 description? Or ipsec is a deadend for remote access on opnsense?

20.7 Legacy Series / IGMP proxy guide

« on: December 03, 2020, 09:24:23 am »

Hi folks, wondering if there is any 1st party or 3rd party explanation what exactly the os-igmp-proxy does, and how it works in Opnsense?
Unfortunately, docs.opnsense is not a help, I only found 1 single article about this topic: "Orange IPTV"

I am planning to route DLNA traffic across a VPN tunnel, and wondering if IGMP proxy is the way to do. But for that I would need some reading material to figure it out. Search in old threads on this forum revealed some 1-question 0-answer abandoned hope topics.

20.7 Legacy Series / NTP stuck in unsync state after 20.7.5

« on: November 24, 2020, 09:42:04 am »

Hi all, is it just me, or others have also ntp problem after 20.7.5? Both of my routers are unable to sync time via ntp.
I discovered it after upgrade to 20.7.5. Both worked fine in the past. Ntp log is not that helpful, firewall also seems to allow outbound NTP/UDP123, I dont recall changing anything related to NTP. Added multiple NTP servers (e.g. time.windows.com) but all behave the same way:

Unreach/Pending 162.159.200.1   .INIT.   16   u   -   64   0   0.000   +0.000   0.000

2020-11-24T09:25:03   ntpd[76735]   162.159.200.1 8011 81 mobilize assoc 25092
2020-11-24T09:25:03   ntpd[76735]   DNS pool.ntp.org -> 162.159.200.1
2020-11-24T09:25:03   ntpd[76735]   51.105.208.173 8011 81 mobilize assoc 25091
2020-11-24T09:25:03   ntpd[76735]   DNS time.windows.com -> 51.105.208.173
2020-11-24T09:25:03   ntpd[76735]   0.0.0.0 c016 06 restart
2020-11-24T09:25:03   ntpd[76735]   0.0.0.0 c012 02 freq_set kernel 49.289 PPM
2020-11-24T09:25:03   ntpd[76735]   kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
2020-11-24T09:25:03   ntpd[76735]   0.0.0.0 c01d 0d kern kernel time sync enabled
2020-11-24T09:25:03   ntpd[76735]   kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
2020-11-24T09:25:03   ntpd[76735]   148.6.0.1 8011 81 mobilize assoc 25090
2020-11-24T09:25:03   ntpd[76735]   Listening on routing socket on fd #31 for interface updates
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 10 pppoe0 85.238.77.125:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 9 pppoe0 [fe80::618d:21c:59ca:f801%8]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 8 pppoe0 [fe80::20d:b9ff:fe4b:b5c%8]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 7 lo0 127.0.0.1:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 6 lo0 [fe80::1%5]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 5 lo0 [::1]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 4 igb2 [fe80::20d:b9ff:fe4b:b5e%3]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 3 igb2 192.168.1.1:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 2 igb0 [fe80::20d:b9ff:fe4b:b5c%1]:123
2020-11-24T09:25:03   ntpd[76735]   Listen and drop on 1 v4wildcard 0.0.0.0:123
2020-11-24T09:25:03   ntpd[76735]   Listen and drop on 0 v6wildcard [::]:123
2020-11-24T09:25:03   ntpd[76735]   restrict: 'monitor' cannot be disabled while 'limited' is enabled
2020-11-24T09:25:03   ntpd[76735]   gps base set to 2020-08-23 (week 2120)
2020-11-24T09:25:03   ntpd[76735]   basedate set to 2020-08-20
2020-11-24T09:25:03   ntpd[76735]   proto: precision = 0.694 usec (-20)
2020-11-24T09:25:03   ntpd[82932]   ----------------------------------------------------
2020-11-24T09:25:03   ntpd[82932]   available at https://www.nwtime.org/support
2020-11-24T09:25:03   ntpd[82932]   corporation. Support and training for ntp-4 are
2020-11-24T09:25:03   ntpd[82932]   Inc. (NTF), a non-profit 501(c)(3) public-benefit
2020-11-24T09:25:03   ntpd[82932]   ntp-4 is maintained by Network Time Foundation,
2020-11-24T09:25:03   ntpd[82932]   ----------------------------------------------------
2020-11-24T09:25:03   ntpd[82932]   Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
2020-11-24T09:25:03   ntpd[82932]   ntpd 4.2.8p15@1.3728-o Tue Sep 1 03:15:17 UTC 2020 (1): Starting

20.7 Legacy Series / Ipsec Site-to-Site VPN goes down regularly

« on: November 18, 2020, 01:22:58 pm »

Hi folks,

I have 2 Opnsense routers, RouterA on SiteA, and RouterB on SiteB. Both RouterA and RouterB has dynamic WAN IP (both WAN is PPPoE), so I used 2x Dynamic DNS FQDN for the tunnel endpoint (instead of the temporary WAN IP address). I did the config based on this guide:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

I did every step like in the guide. The tunnel becomes UP. But after a couple of days, the tunnel usually breaks, and does not come up. I have to restart the IPSEC service on RouterA (I dont have access to RouterB as it is on a remote site with no qualified staff), and sometimes it restores the tunnel. Sometimes I have to restart Unbound, as it seems the problem may be with the DDNS FQDN<-->WAN IP mapping (as explained at the top the WAN IP is dynamic, the ISP changes the WAN IP after every reconnect, or after 2 weeks of WAN uptime).

The guide did not describe the additional parameters, but I have enabled the following Tunnel parameter:

Dynamic gateway    Allow any remote gateway to connect
Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time.

--> to be honest I dont understand whether this setting is really needed, or just introduce some decreased security by allowing literally ANYBODY to connect to this tunnel, the text is not that great to explain if its mandatory for local/remote dynamic tunnel endpoint or not.

The reference guide only says a short description about this scenario:

Site to site VPNs connect two locations with static public IP addresses and allow traffic to be routed between the two networks. This is most commonly used to connect an organization’s branch offices back to its main office, so branch users can access network resources in the main office.

I understand and acknowledge that during WAN IP change time period, there will be a DNS TTL-lenght outage in the tunnel, but this scenario can auto-recover from such tunnel endpoint update, or thats completely impossible with this setup?
I see similar things in the log on RouterA:

2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> received AUTHENTICATION_FAILED notify error
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-11-18T13:03:03   charon[95260]   12[NET] <con1|3> received packet: from [ROUTER-B-WAN_IP][4500] to [ROUTER-A-WAN_IP][4500] (80 bytes)
2020-11-18T13:03:03   charon[95260]   12[NET] <con1|3> sending packet: from [ROUTER-A-WAN_IP][4500] to [ROUTER-B-WAN_IP][4500] (320 bytes)
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> establishing CHILD_SA con1{4} reqid 1
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> authentication of '[ROUTER-A-WAN_IP]' (myself) with pre-shared key
2020-11-18T13:03:03   charon[95260]   12[CFG] <con1|3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-11-18T13:03:03   charon[95260]   12[NET] <con1|3> received packet: from [ROUTER-B-WAN_IP][500] to [ROUTER-A-WAN_IP][500] (472 bytes)
2020-11-18T13:03:02   charon[95260]   12[NET] <con1|3> sending packet: from [ROUTER-A-WAN_IP][500] to [ROUTER-B-WAN_IP][500] (464 bytes)
2020-11-18T13:03:02   charon[95260]   12[ENC] <con1|3> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2020-11-18T13:03:02   charon[95260]   12[IKE] <con1|3> initiating IKE_SA con1[3] to [ROUTER-B-WAN_IP]
2020-11-18T13:03:02   charon[95260]   14[KNL] creating acquire job for policy [ROUTER-A-WAN_IP]/32 === [ROUTER-B-WAN_IP]/32 with reqid {1}

If I try to trigger / force the tunnel establishment under IPSEC \ Status overview, I get the same results as seen in the log. After 1-2 days, the issue recovers by itself. But its difficult to troubleshoot the remote tunnel endpoint while I cannot reach it, so it would be really great if somebody can point to what is the basic mistake in my config.

20.7 Legacy Series / Query Intel igb NIC driver version

« on: November 08, 2020, 10:41:25 am »

This one seems no longer possible:
https://forum.opnsense.org/index.php?topic=9354.0

# sysctl -a | grep -E 'dev.(igb|ix|em).*.%desc

It no longer returns driver version, only the generic string:
"Intel(R) PRO/1000 Network Connection"

20.7 Legacy Series / Is RSS on igb missing in 20.7 because of Freebsd 12.1?

« on: November 03, 2020, 10:04:07 am »

I recently found the following bugreport in Freebsd 12.1:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249191

Is opnsense 20.7 affected?

20.7 Legacy Series / PCEngines APU2/APU3/APU4 running on 20.7

« on: August 04, 2020, 12:01:41 pm »

Hi folks!

I prepared this thread as a community contributed gathering place for anyone out there who is running Opnsense on any of the PCEngines APU2/3/4 boards. Since Opnsense 20.7 is a big jump from the old FreeBSD/HardenedBSD 11.x to the new FreeBSD/HardenesBSD 12.1, I expect many compatibility, driver, and performance issues. So I definitely resist upgrading. I let others share their experience first

- what Coreboot BIOS you are currently using? Did Core Performance Boot (CPB), the Watchdog, PCIE energy saving, AMDTEMP CPU temperature sensor driver, APULED driver, CPU sysctls gone after Coreboot upgrade, and other recent features broke anything in your firewall?
- are you planning to compare the speed benchmark before 20.7 upgrade and after 20.7 upgrade? E.g. WAN throughput, VPN throughput, OpenSSL -EVP (AES-NI) speed test etc.
- Any igb NIC driver issues observed? Manual sysctl / tuned config file entries?
- ECC functions properly with the new 12.1 BSD? How can you prove it really works?
- does the new 12.1 BSD firmware boot-time microcode update works now properly? How can you prove?
- dmidecode output under 12.1 BSD versus dmidecode under 11.x BSD shows correct ACPI entries, RAM ECC-capable flag(s), RAM module speed vs bus speed reporting discrepancy, etc?
- the infamous terrible PPPoE performance has any improvement, or still limited to 200-400 Mbit max on a 1Gbit fibre WAN + NAT + pf?

And any other issues that are not obvious catch, if you dont have a proper testing checklist after every upgrade performed ("it works for me fine after the update" is a clear sign of no checklist used).

Documentation and Translation / 20.7 final small typo in release notes

« on: August 03, 2020, 11:45:34 am »

Known issues and limitations:

o legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are longer available

Are NO longer available, im I right?

Hardware and Performance / Query SSD wear level under Opnsense

« on: June 19, 2020, 03:59:59 pm »

I have a small 16GB SSD running in the APU2 router, and I am concerned about how long does it live before wearing out. I have set up TMPFS for /var and /tmp, but some other services are writing lot of data to the /rootfs.

I checked SMARTmontools: it gives strange result

241 Lifetime_Writes_GiB 0x0012 100 100 000 Old_age Always - 157

That would mean 157 GB written? Thats unreallistic.

I installed Monit --> under system stats it shows written: 7,5 GB. But as far as I can understand, that only counts a single run of the operating system, when I reboot this value resets back to zero. Also I am not sure if it counts writes to /rootfs, does it exclude writes to the /var and /tmp partitions, which both are TMPFS, therfore they dont contribute to the wearing of the SSD? Cannot figure out what to do here...

20.1 Legacy Series / How to utilize most of the RAM in the router?

« on: June 16, 2020, 07:43:30 am »

Hi opnsense folks!
I want to utilize the most of the RAM sitting in my router, and mostly idle (the dashboard says 600MB of the 4096MB is utilized, the rest looks not used.
I set up tmpfs for /var and /tmp, but thats only minimal size of files.
I use unbound DNS to cache records in memory, but thats also very minimal amount.
I use maltrail, but due to the current setup, it stores its files not under /var or /tmp, but under /root, so its torturing the underlying ssd, and not the RAM.
I enabled netflow in the past, it consumed a significant amount of RAM, but the python scripts running in the background killed the already underpowered CPU as well, so I stopped it.
What other service(s) enabled would benefit from the plenty of available RAM, while keeping the CPU usage still low?

20.1 Legacy Series / Maltrail questions regarding disk usage

« on: April 03, 2020, 11:55:06 am »

Hello all,

tried to find answers for my questions on maltrail site (https://github.com/stamparm/maltrail ), but without success.

0) this is rather an improvement request: please make the password change for the admin maltrail account less painful, as it is currently via the main opnsense admin GUI

1) the maltrail creates their files under /.maltrail, and also writes to /root/var/log instead of /var. My /var and /tmp is on TMPFS to reduce the killing of the small SSD with constant log-related writes. Is there a plan to put maltrail pkg files under proper location, and utilize standard /var and /tmp for anything frequently written log files? I cannot really measure how much disk write traffic is generated to the rootfs due to maltrail writing their files there, MONIT most probably summarizes both true rootfs write traffic and tmpfs write traffic, so that can be misleading for me.

2) it seems memory usage has skyrocketed in the past days (uptime is currently around 1 month), even after I restarted the maltrail server service. Is there any way to see if the memory usage is "normal" or something is leaking memory / should I schedule a maintenance reboot of the whole router someday?

3) Can some maltrail threats marked manually to bypass, as those are false positives, and harmless? Due to the amount they are reported frequently and cause lot of noise.

In general, I am looking for some more in-depth tutorials, how to fine-tune maltrail. The official github page is talking about things from a different perspective, and dont help to solve the real-world questions one will ask about this software.

20.1 Legacy Series / Show log error

« on: March 05, 2020, 07:57:43 am »

Hello,
I tried to check the GENERAL log under Logging.

It stuck in "loading..." state. I checked BACKEND log, and I see the following:

configd.py: [a57cd679-67bc-4e18-b1f0-7973db58e4d9] Script action failed with Command '/usr/local/opnsense/scripts/systemhealth/queryLog.py --limit '-1' --offset '0' --filter '' --module 'core' --filename 'system'' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/systemhealth/queryLog.py --limit '-1' --offset '0' --filter '' --module 'core' --filename 'system'' returned non-zero exit status 1.

This looks chinese to me unfortunately. The /var/log/system.log dows exist, and contains valid log entries.
I had a power outage a week ago, the only thing I suspect that the filesystem may got damaged but not sure how to confirm this.

20.1 Legacy Series / Permanent VNSTAT database on MFS

« on: February 04, 2020, 03:30:04 pm »

Hello Opnsense folks,

https://forum.opnsense.org/index.php?topic=9503.msg48562#msg48562

is this something that we can expect to be supported? VNSTAT database to be kept across reboots, when /var is on MFS.

19.7 Legacy Series / Unbound custom parameters

« on: August 05, 2019, 03:33:10 pm »

I found in 19.7 under the Unbound settings that "Custom options" will be deprecated in the future. Can the team share the plans how the not-so-common parameters be still used if "custom options" input box will no longer be available?

Hardware and Performance / Hyperthreading is available in 19.1.x?

« on: July 10, 2019, 02:05:20 pm »

Hi all,

is hyperthreading (HTT) available in opnsense 19.1.x? The APU2 I have seems to have HTT capability as per the dmesg CPU feature flags:

CPU: AMD GX-412TC SOC (998.15-MHz K8-class CPU)
Origin="AuthenticAMD" Id=0x730f01 Family=0x16 Model=0x30 Stepping=1
Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT> -> see at the very end

FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 1 package(s) x 4 core(s)

and sysctl machdep.hyperthreading_allowed: 1 allows it.

Still, I only see 4 physical CPU cores according to:

hw.ncpu: 4

Are there any settings in the OS that prohibit the usage of HTT? Or is this a coreboot BIOS defect?

Pages: [1] 2