Messages - republicus

#1
I've resolved the issue. I think I may have found a bug that has been persistent for several versions. My current running opnsense is version 19.1 which is still dealing with this problem (will fix when I can stop all services).

I have been testing on a fully updated 19.7 which experienced the same error.

The problem was with my Aliases

Apparently, Alias names cannot be numbers only.
I named my Aliases according to the last octet of my usable static IP leases.

So my IP 10.10.10.211 > Alias name: 211

My logs showed there was a syntax error on line 20 of /tmp/rules.debug


[There were error(s) loading the rules: /tmp/rules.debug:52: syntax error - The line in question reads [52]:211 =]


The syntax appeared normal when comparing two Aliases (opnsense and 211 below):

table <opnsense> persist
opnsense = "<opnsense>"
table <211> persist
211 = "<211>"


As soon as I remove the numbers-only Aliases and restart all services - the firewall loads properly and port forwarding is working as expected. No syntax errors either.

I have not found anywhere that makes this notice in naming the Alias. Likewise, the GUI has no problem accepting the name.
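The post above traces the failure to an alias whose name is all digits, which OPNsense writes into /tmp/rules.debug as a pf macro line like `211 = "<211>"`. The script below is an added example, not code from the post or from OPNsense: it checks candidate alias names against the pf.conf(5) macro naming rule (names start with a letter and contain only letters, digits and underscores, which is the assumption the check rests on) and scans a constructed rules.debug-style fragment, modelled on the two aliases shown above, to report the line pf would reject before the ruleset is loaded.

```python
import re
from typing import List, Tuple

# Assumption (from pf.conf(5)): a macro name must start with a letter and
# may contain only letters, digits and underscores. OPNsense emits each
# alias as "table <name> persist" followed by the macro 'name = "<name>"',
# so an alias named "211" produces '211 = "<211>"', which pf rejects.
PF_MACRO_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def alias_name_is_valid(name: str) -> bool:
    """Return True if `name` is usable as a pf macro (and thus alias) name."""
    return bool(PF_MACRO_NAME.fullmatch(name))


def render_alias(name: str) -> List[str]:
    """Reproduce the two lines per alias in the format quoted in the post."""
    return [f"table <{name}> persist", f'{name} = "<{name}>"']


def find_bad_macro_lines(rules_text: str) -> List[Tuple[int, str]]:
    """Scan rules.debug-style text and return (line_number, line) for every
    macro definition whose name violates the pf naming rule."""
    bad = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        m = re.match(r'^\s*(\S+)\s*=\s*"', line)
        if m and not alias_name_is_valid(m.group(1)):
            bad.append((lineno, line))
    return bad


# Constructed sample modelled on the fragment in the post; not a real rules.debug.
SAMPLE_RULES = "\n".join(
    render_alias("opnsense") + render_alias("211") + render_alias("host_211")
)

if __name__ == "__main__":
    for name in ("opnsense", "211", "host_211", "_211"):
        print(f"{name!r:12} valid={alias_name_is_valid(name)}")
    for lineno, line in find_bad_macro_lines(SAMPLE_RULES):
        print(f"rules.debug:{lineno}: would fail to load: {line}")
```

Running this flags line 4 of the sample (`211 = "<211>"`) and accepts `host_211`, which is the kind of rename that avoids the problem: prefixing the octet with a letter keeps the scheme readable while satisfying pf.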
#2
I really need help, I've spent days working on this and I'm at wit's end.

I have a /29 CIDR block of static IPs from my ISP.

Nothing I try will get any traffic forwarded through OPNsense to my LAN hosts using my Virtual IPs.
I have tried several suggestions found on the forums or elsewhere when searching for a solution.

From what I can tell, I've done everything right and OPNsense should be able to forward traffic using the Virtual IPs to LAN clients.

My setup:
WAN is configured with static IPv4 using first usable static IP from my ISP.
WAN is configured to use the Gateway of my /29 CIDR block of IPs and the Gateway is set to default.
Firewall > Virtual IPs > has my other usable static IPs configured.
LAN configured with 192.168.30.0/24 subnet.


Firewall: NAT: Port Forward:

Interface: WAN
Proto: TCP
Source: any
Source Ports: any
Destination: WAN address
Destination Port: HTTP
NAT IP: 192.168.30.100
NAT Ports: HTTP

Result: Success. I can reach the LAN server at 192.168.30.100 by accessing the IP assigned to my WAN interface.

My Virtual IP NAT: Port Forward rule:

Interface: WAN
Proto: TCP
Source: any
Source Ports: any
Destination: [Virtual IP]*
Destination Port: HTTP
NAT IP: 192.168.30.100
NAT Ports: HTTP

* Note on [Virtual IP]: I have attempted using an Alias using IP Alias for Host(s) with the Static/Virtual IP;
I have tried using the Virtual IP without the Alias;
I have tried using Single host or Network and defining the Virtual IP.

Result: Connection Refused

I can see traffic in the Logs calling the Virtual IP, but every request is refused.

I've also tested the LAN/HTTP host (192.168.30.100) and configured its network with one of my usable static IPs and NOT behind OPNsense.
Result: Success

Virtual IPs are pingable from WAN and LAN interfaces.

# /sbin/ping -S '192.168.30.1' -c '3' '[Virtual IP]'
PING [Virtual IP] ([Virtual IP]) from 192.168.30.1: 56 data bytes
64 bytes from [Virtual IP]: icmp_seq=0 ttl=64 time=0.172 ms
64 bytes from [Virtual IP]: icmp_seq=1 ttl=64 time=0.190 ms
64 bytes from [Virtual IP]: icmp_seq=2 ttl=64 time=0.123 ms

--- [Virtual IP] ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.123/0.162/0.190/0.028 ms


I've tried only one rule for port 80/HTTP using only my Virtual IP;
and I've also tried different ports, all with the same results.
Only the WAN interface IP will port forward, and no joy for Virtual IPs.

I have not created any other firewall rules. Am I missing something?
Everything I have found concerning multiple Static IPs suggests my configuration should work.
#3
19.1 Legacy Series / Re: Outbound NAT rules ignored
June 21, 2019, 12:44:00 AM
So I changed the NAT Outbound mode to manual and it caused all outbound traffic to stop.
It's as if my outbound rules are ignored completely.

I see several posts about Outbound NAT with no replies. If you think you can help me, please share your thoughts.
Thanks.
#4
19.1 Legacy Series / Outbound NAT rules ignored
June 20, 2019, 12:07:50 PM
With my ISP I get a dynamic IP and I have also purchased several static IP addresses.
I noticed that gmail said it could not authenticate the sender and Microsoft is bouncing the mail entirely.

At first I thought it was only my SPF records. But, as I investigated I found out that all email is being sent through the WAN dynamic IP.

I have tried every way I can imagine to make the Outbound NAT work but I have had no success.
I have tried with Virtual IPs.. as well as working interface IPs that are assigned to ports.

Every change results in the WAN/dynamic IP being used.

My outbound NAT mode is: Hybrid outbound NAT rule generation
Any thoughts on what I might be missing to get this setup?

#5
19.1 Legacy Series / Re: Network devices dropping
June 04, 2019, 11:36:07 AM
I have dozens of VPS connected. That's not really practical.


It's just happened again. This time I had left the console on the shell so it wasn't locked up and I was able to resolve the matter without rebooting.

My WAN port was down. Pings to the WAN gateway said host was down.
To restore I issued ifconfig em9 down/up

I never touched anything physical and all devices that are bypassing opnsense have no connectivity problems. Something is up and I'm not sure how to resolve it.
#6
19.1 Legacy Series / Network devices dropping
June 02, 2019, 09:41:00 AM
Recently my opnsense system has been intermittently crashing multiple times a day.

I am still able to access the web GUI through the opnsense LAN address but am unable to ping the WAN gateway.
If I bypass opnsense my other devices communicate with the WAN normally.
Opnsense console appears to be locked up (attachment) and I must reboot to restore connectivity until it occurs again.

That has been the case for a few days, but today it was slightly different wherein my LAN interface went down but the console remained up. I was able to restore connectivity by issuing (ifconfig em6 down/up).

I'm not sure what's going on. Right now I've bypassed opnsense on a few devices that need stable uptime, which is of course not ideal.

Any thoughts that might help me?

#7
18.7 Legacy Series / OpenVPN on internal IP?
January 21, 2019, 05:52:48 AM
Is it possible to run OpenVPN on top of OPNsense for internal connections only?

I currently have OPNsense behind a modem/router and set up as the DMZ.

So far it has worked well except that I would like to allow clients on the router above to be able to connect to OPNsense via OpenVPN.

The OpenVPN server is set up authenticating ONLY with clients that are on a different external IP.

When changing the FQDN to the OPNsense WAN interface IP, every attempt fails to connect.

I do not see any traffic on OPNsense logs indicating why it has failed.

Any suggestions to make this work?
Thanks for your time!
#8
I performed an upgrade and now my Dynamic DNS settings for Cloudflare fail.

I've reverted back and it works again.

I have two systems with the same symptoms.
(1) OPNsense 18.1.13_1-amd64 -- Cloudflare works until updated
(2) Clean install using OPNsense-18.7-OpenSSL-dvd-amd64.iso -- Cloudflare works until updated

Cached IP shows 0.0.0.0 and does not update.
When researching the problem I only find old mentions at pfsense from years ago.

Any thoughts?