Messages - mahescho

#16
Hi,

I've 3 uplinks, A, B and C. A is my default gateway. I use policy-based routing to direct LAN (and VLAN) traffic to one of these uplinks. This works as expected.

I've configured my IPsec VPN to use the interface of uplink C. Now I need the IPsec VPN to use the gateway of uplink C. To get this I need policy-based routing entries for firewall local traffic (ESP, ISAKMP, NAT-T). I can see auto-generated rules on uplink C for the IPsec traffic with the gateway of uplink C set as gateway. But what I found is that they do not get used.

When I do "ipsec up con1" and look at my uplink A interface with tcpdump I see the ESP traffic on A instead of C.

When I initiate IPsec from the remote site I see the ESP packets arrive on C and the answers of OPNsense on A.

How to get this working?

TIA
#17
both ...
#18
Thanks, didn't help ...
#19
Thanks, I will give this a try. I use neither the traffic shaper nor the captive portal and I probably never will.

Edit: I've tested this by now and it works! Thanks.

Now I've one minor problem left. On the default gateway everything works as expected, but when I try to reach the public IPs of the two other uplinks the outgoing packets / replies get routed through the default gateway instead of the correct uplink port. So the public IPs of the additional uplinks are not reachable from the internet.

How to fix this?
#20
Quote from: mahescho on June 21, 2019, 10:23:51 PM
Any news here? Seems like I've a similar problem. I've three dual-stack uplinks. IPv4 works with NAT and policy-based routes as expected but IPv6 policy-based routes do not work for me. Local IPv6 communication between subnets delegated to the various uplinks works as expected. My IPv6 default gateway has static addresses. The two other links are PPPoE connections. I want the IPv6 policy routes to make use of these PPPoE links.

The generated rule looks like this:

pass in quick on lagg0_vlan202 inet6 from (lagg0_vlan202:network) to ! <LOCALv6> flags S/SA keep state label "USER_RULE"

I miss something like "route-to" ...

I found that the two PPPoE interfaces look different. pppoe0 has two fe80 addresses and the gateway entry also has a fe80 appendix. pppoe0 has only one fe80 address and the gateway entry does not have a fe80 appendix but "dynamic" is appended. The addresses of both connections are static, not dynamic. When I switch to pppoe0 the generated rule looks like this:

pass in quick on lagg0_vlan202 route-to (pppoe0 fe80::2a0:a512:8c:43fe) inet6 from (lagg0_vlan202:network) to ! <LOCALv6> flags S/SA keep state label "USER_RULE"
#21
Any news here? Seems like I've a similar problem. I've three dual-stack uplinks. IPv4 works with NAT and policy-based routes as expected but IPv6 policy-based routes do not work for me. Local IPv6 communication between subnets delegated to the various uplinks works as expected. My IPv6 default gateway has static addresses. The two other links are PPPoE connections. I want the IPv6 policy routes to make use of these PPPoE links.

The generated rule looks like this:

pass in quick on lagg0_vlan202 inet6 from (lagg0_vlan202:network) to ! <LOCALv6> flags S/SA keep state label "USER_RULE"

I miss something like "route-to" ...
#22
18.7 Legacy Series / HA best practice
January 09, 2019, 08:53:54 PM
Hi,

Now, as I've gained some experience with OPNsense, I plan to switch to HA. My current setup is no longer trivial. I've 3 uplinks. One static and two with PPPoE. I've also 5 internal links with LACP with a variety of VLANs and I make use of HAProxy. I need HA as the firewall not only manages the internet traffic. It also manages the complete internal communication. All my systems are dependent on the firewall.

What is the best approach in this environment to "switch" to HA? What about the PPPoE connections? How do they get handled? What is best practice? Right now I've read everything about HA and CARP in the wiki.

TIA
#23
Thanks. I've tried the following and for now it seems to work for me:

For the "Internet object" I've created an alias containing all RFC1918 addresses and my complete list of local IPv6 prefixes. When I negate it in rules I get what I want: no access to local systems but to the rest of the world.

One minor drawback of this is that this also matches the firewall external parts (between external router and the firewall) of my IPv6 prefixes but for my current use cases this is no show stopper.

The goal of this is to minimize the amount of necessary rules.
#24
Hi,

I've a few comprehension questions about "pf" in general and with dual stack in particular.

  • Is there a file containing the pf configuration in OPNsense like /etc/pf.conf in FreeBSD?
  • I found that I can create an alias containing IPv4 and IPv6 addresses and then use it in an IPv4+IPv6 rule. Is this correct?
  • If 2. is correct: How does this work internally in pf?

What I miss most is a real, generic "internet object" which addresses "all non local" traffic. I know the workaround with aliases but with more than one or two internal interfaces (12 in my case ...) it's a real pain as I've to create an "internet" alias for every interface which excludes all the others.

TIA
#25
18.7 Legacy Series / Re: ICMP on WAN interfaces
January 04, 2019, 10:02:59 PM
Fixed by trashing all my rules and recreating them. I don't know for sure what caused this but I suspect the deletion of the firewall rules generated by NAT port forwarding rules caused this in combination with switching the port forwarding rules to "pass" to make them work again ...
#26
18.7 Legacy Series / [SOLVED] ICMP on WAN interfaces
January 04, 2019, 05:05:47 PM
Hi,

ICMP with IPv4 from and to my WAN interfaces does not work for some reason. Any other traffic, ICMP via NAT from internal networks and ICMP with IPv6 on WAN interfaces works. The only thing that does not work is ICMP IPv4 from and to firewall WAN interfaces. I've created a simple rule with just "Protocol: IPv4+6 ICMP". As I've multiple WAN interfaces I've tested with "ping -S WANIP TARGETIP" too. No success. When I ping the WAN interface I can see the ICMP echo requests with "tcpdump" but no replies. PFLOG does not show blocks.

How can I make ICMP with IPv4 on WAN interfaces work?

TIA
#27
18.7 Legacy Series / Re: Rule Design
January 03, 2019, 07:46:58 PM
Thanks, works as expected and I can do something similar with my internal IPv6 nets.
#28
18.7 Legacy Series / Rule Design
January 03, 2019, 10:49:33 AM
Hi,

In my setup I've multiple interfaces, VLANs and uplinks. I've a mail relay in a DMZ VLAN. The mail relay receives mails and forwards them to the internal mail server. So I've a rule which allows SMTP from the internet to the mail relay and one to allow SMTP from the mail relay to the internal server. For outgoing mail I've one rule to allow SMTP from the internal mail server to the mail relay. Pretty simple so far.

Now I need a rule which allows the mail relay to send mail to the internet but NOT to any other interfaces or VLANs. See my current SMTP rules attached. The first is the one to allow incoming mails but the second will IMHO allow SMTP to any destination even to hosts on other interfaces or VLANs.

What is best practice to design a rule or rule set to get this working as expected? An additional real mail relay on the firewall is no option as I want my mail relay to do the work.

TIA
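The "internet object" approach described in #23 (an alias of all RFC1918 ranges plus the site's local IPv6 prefixes, negated in the destination of a pass rule), the mixed-family alias question in #24, and the mail relay case in #28 can be illustrated with one small emulation. The following is an added example, not the poster's configuration or OPNsense code: every prefix and host address is a constructed value (RFC 5737/3849 documentation ranges stand in for the delegated prefix and for internet hosts), the alias names MAILRELAY and LOCAL are assumed, and `decide()` mirrors pf's behaviour only as far as the thread describes it: a table may hold both address families and a lookup matches only entries of the packet's own family, and a destination inside the negated table simply fails to match the pass rule. The transit /64 sample shows the drawback #23 mentions: the external part of the IPv6 prefix also lands in the alias.

```python
"""Emulate a negated "local" alias in a pf pass rule (added example, constructed data)."""
import ipaddress

# RFC1918 private ranges (real constants).
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed local IPv6 prefix list: a documentation /48 stands in for the
# delegated prefix.  The whole /48 goes into the alias, as in the thread.
LOCAL_V6 = ("2001:db8:1::/48",)


def build_local_alias(extra_prefixes=()):
    """Build the mixed-family alias: pf tables may hold IPv4 and IPv6 entries together."""
    return tuple(ipaddress.ip_network(p) for p in RFC1918 + LOCAL_V6 + tuple(extra_prefixes))


def is_local(dst, alias):
    """True when dst falls inside an alias entry of the same address family."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in alias if net.version == addr.version)


def pf_rule(relay_alias="MAILRELAY", local_alias="LOCAL", iface="dmz"):
    """Render the negated-destination rule this approach relies on (assumed alias names)."""
    return (f"pass in quick on {iface} proto tcp from <{relay_alias}> "
            f"to ! <{local_alias}> port 25 flags S/SA keep state")


def decide(dst, alias):
    """Verdict for a relay-to-dst SMTP packet under the rule from pf_rule().

    A local destination does not match "! <LOCAL>", so no pass rule applies and the
    default block wins; anything outside the alias matches and passes.
    """
    return "block" if is_local(dst, alias) else "pass"


def evaluate(destinations, alias):
    """Verdict per destination, for a quick table of what the rule does."""
    return {dst: decide(dst, alias) for dst in destinations}


if __name__ == "__main__":
    alias = build_local_alias()
    print(pf_rule())
    samples = [
        "10.20.30.40",          # internal IPv4 server: must stay unreachable
        "192.0.2.25",           # TEST-NET-2, stands in for an internet MX
        "2001:db8:1:10::25",    # internal IPv6 mail server
        "2001:db8:1:ffff::1",   # transit /64 between upstream router and firewall
        "2001:db8:99::25",      # unrelated prefix, stands in for an internet MX
    ]
    for dst, verdict in evaluate(samples, alias).items():
        print(f"{dst:24} -> {verdict}")
```

The transit address is blocked although it is not an internal system, which is exactly the "external parts of my IPv6 prefixes" side effect noted in #23; listing only the internal subnets instead of the whole /48 would avoid it at the cost of a longer alias.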
#30
Hi,

I've an internal PKI and created an intermediate certificate for my OPNsense with:

X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA

and imported the root certificate and the intermediate certificate with the private key. When I try to issue a server or client certificate using the intermediate certificate I get:

The following input errors were detected:

openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
How to fix this?

TIA
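The last error line in #30, `X509_check_private_key:key values mismatch`, is OpenSSL reporting that the private key imported alongside the intermediate certificate does not belong to that certificate. The script below is an added example (not from the post and not OPNsense code) that reproduces that check locally before importing CA material: it compares a SHA-256 fingerprint of the SubjectPublicKeyInfo embedded in the certificate with the one derived from the private key, and additionally confirms that the Key Usage extension carries Certificate Sign, as the post's certificate does. The `NCONF_get_string` lines are configuration lookups the post gives no detail on, so they are not covered. All certificates and keys are generated on the spot as constructed demo material; a real check would point the functions at the exported intermediate certificate and key.

```bash
#!/bin/sh
# Added example, not from the forum post: check that a private key pairs with an
# X.509 certificate (what X509_check_private_key() verifies) and that the
# certificate's Key Usage permits signing certificates.  Demo material is
# generated below; nothing here touches an existing PKI.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Usage: key_matches_cert CERT KEY  -> prints "match" or "mismatch".
key_matches_cert() {
    if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Usage: cert_can_sign CERT  -> "yes" when Key Usage includes Certificate Sign.
cert_can_sign() {
    if openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
        echo yes
    else
        echo no
    fi
}

# Constructed demo material: a self-signed CA certificate with its key, plus an
# unrelated key standing in for a wrongly exported private key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" \
    -subj "/CN=Demo Intermediate CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" 2>/dev/null

echo "ca.crt + ca.key:    $(key_matches_cert "$demo_dir/ca.crt" "$demo_dir/ca.key")"
echo "ca.crt + other.key: $(key_matches_cert "$demo_dir/ca.crt" "$demo_dir/other.key")"
echo "ca.crt can sign:    $(cert_can_sign "$demo_dir/ca.crt")"
```

When the second line prints `mismatch` for a real export, the usual causes are a key belonging to a different certificate (for example the root's key exported with the intermediate's certificate) or a key that was regenerated after the certificate was issued; the fingerprints make the pairing visible without importing anything.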