OPNsense

Topics - spetrillo

121
General Discussion / Backup of OPNsense
« on: April 14, 2023, 06:47:18 pm »
Hello all,

I am building virtual OPNsense firewalls for a client and was wondering if there are any better tools out there to back up OPNsense, other than the Google method. While the Google method is OK for my personal firewall, it does not fly for my client.

Thanks,
Steve

122
High availability / High Availability with Two OPNsense Virtual Firewalls
« on: April 13, 2023, 05:36:27 pm »
Hello all,

Is there a good document that details the steps to make two OPNsense vms highly available?

Thanks,
Steve

123
General Discussion / OPNsense VM and Primary NIC
« on: April 12, 2023, 10:41:55 pm »
In VMware there is the ability to assign the primary NIC. Please see the attached screenshot. In OPNsense the LAN interface is the important interface, since all services run using the IP of the LAN interface. Do I need to assign the primary NIC to what would be my LAN interface on the vm or does that not matter to OPNsense?

124
General Discussion / OPNsense - vCD Install
« on: April 11, 2023, 04:39:13 pm »
Hello all,

I am installing OPNsense on a VMware vCD implementation. When I run the OPNsense install it blows up because it looks for an EFI partition. On this vCD I can only do BIOS-based installs. How do I change the default to BIOS, so this does not keep blowing up?

Thanks,
Steve

125
General Discussion / VLAN Config
« on: March 28, 2023, 06:13:48 pm »
Hello all,

I am somewhat new to the world of vlans and trying to do some segregation on my home network. I am in the midst of building a new firewall to do this and having some trouble getting vlans to work.

Right now I have a trunk connection from my main switch to a small switch in my lab. It is trunking vlan 1 only. Attached to my lab switch I have my new firewall and a PC. Right now the default LAN interface is connected and it is set to 192.168.1.2. My PC is connected as 192.168.1.3. My PC's port on the switch is set to untagged and the LAN interface is also set to untagged. I can connect to the new firewall's GUI and have also set an upstream gateway to my current firewall, so I can get updates and access to the Internet.

Now I have enabled OPT1 on the new firewall, and configured vlan01 on the interface. Vlan01 has a static address of 192.168.1.4, and should not interfere with the LAN interface, as I disconnect the cable on the LAN interface and connect it to the OPT1 interface. I go into my lab switch and configure the switch port attached to the OPT1 interface as tagged. The PC remains as untagged. I try to ping vlan01 (192.168.1.4) and I get no response.

What am I doing wrong?? I cannot for the life of me get vlan01 to respond back to me. I checked and made sure I have a rule on the new vlan that lets all traffic in/out, so I do not believe it's that.

Thanks,
Steve

126
General Discussion / Bootup Screen Info
« on: March 28, 2023, 04:32:35 pm »
Hello all,

When the OPNsense firewall boots up it obviously scrolls through a lot of information. What log holds this info, as I would like to review it.

Thanks,
Steve

127
General Discussion / Creating a Virtual OPNsense Firewall
« on: February 02, 2023, 09:47:20 pm »
Hello all,

I am in the process of trying to build a virtual OPNsense firewall, on my VMware virtualization server. I get thru the boot and when in the installer I get the following error msg when trying to begin the install on the disk partition I have assigned to the vm configuration. I have no idea why I am getting stuck on the GPT/UEFI part. What am I missing?

Thanks,
Steve

128
Hardware and Performance / Pi-Hole to OPNsense
« on: September 18, 2022, 05:11:06 pm »
Hello all,

I have my Pi-Hole set up and it's working well. What I am seeing in Pi-Hole is a message regarding DNS packet size to OPNsense: reducing DNS packet size for nameserver 192.168.1.1 to 1232.

Do I need to change anything on the OPNsense side to allow for 4K DNS packet size?

Thanks,
Steve

129
Virtual private networks / IPsec VPN Issues - Help!
« on: September 13, 2022, 08:56:25 pm »
Hello all,

I would love to be able to set up a remote session with a VPN guru, to go over my IPsec setup. I cannot get traffic moving and so my phase 2 tunnels go down. I know it's got to be a simple thing I am not doing right but for the life of me I cannot figure it out.

Can someone assist?

Steve

130
Virtual private networks / IPsec VPN Phase 2 Question
« on: August 29, 2022, 04:30:36 pm »
Ok a stupid newbie question I think...

In my phase 2 configuration I have configured the remote subnet as a single host address. Is this wrong and I should be specifying the full subnet? Please see attached screen shot.

131
Virtual private networks / VPN Ruleset
« on: August 19, 2022, 03:05:17 pm »
Hello all,

I have a S2S VPN up and running on my OPNsense firewall, along with 4 phase 2 tunnels. What I am confused about is what rule do I need that will allow traffic to pass across this VPN. Any examples?

Thanks,
Steve

132
Virtual private networks / PRF - Phase 1
« on: August 10, 2022, 04:11:20 am »
Hello all,

New to IPsec VPNs and trying to set up a S2S VPN from my OPNsense device to a Cisco ASA on the other side. The network engineer handling the Cisco side says I am missing PRF in phase 1, but I do not see any option for PRF. Can you point me in the right direction?

Thanks,
Steve

133
General Discussion / Acme Plugin
« on: June 11, 2022, 07:05:35 pm »
Hello all,

I want to take the next step in locking things down by using the Acme plugin to generate certs for various internal devices on my network. For example I have a Synology NAS that I would like to open up to the outside world, for the purpose of backing up photos I take with my mobile phone. I can use the self-signed cert from Synology but that is not completely secure.

In deploying the Acme plugin and generating the certs I would like to solve two problems:

1) End to end security from client to host
2) Getting rid of the "Not Secure" message when accessing secured devices internally

Is this possible?

Thanks,
Steve

134
General Discussion / DDClient and Acme Plugins
« on: June 06, 2022, 05:27:27 pm »
Hello all,

I recently tried both the DDclient and Acme plugins. While they worked I have made some changes on my internal network, so I deinstalled both of them. I plan to reinstall them when I have my network changes done. With that said, is there any file cleanup I need to do, via the CLI, to ensure there are no tidbits left behind?

Thanks,
Steve

135
General Discussion / Using a Cloudflare Origin Certificate with OPNsense
« on: May 31, 2022, 05:30:29 am »
Evening all,

I would like to secure my OPNsense firewall with a Cloudflare certificate rather than relying on the self-signed one. Since I am using Cloudflare I would assume I do not need to install the Let's Encrypt plugin but go directly to System/Trust/Certificates and add my Cloudflare cert.

How can I activate the Cloudflare certificate, or since it is installed will it be used by default? I would think the self-signed certificate is still in effect. Right now my firewall's FQDN is OPNsense.my internal domain name.com. Do I need to change this to OPNsense.my external domain name.com, in order for this to work?

Thanks,
Steve

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved