Topics

226

General Discussion / OPNsense and IPMI

« on: August 13, 2020, 08:58:57 pm »

Has anyone put together a solution that would provide IPMI access to my OPNsense firewall? I would like to be able to remotely do deployments of OPNsense, as long as I have LAN access. My current firewalls are in different buildings, that are connected by extended LANs.

227

Web Proxy Filtering and Caching / 20.7 - Proxy Errors?

« on: August 13, 2020, 04:04:33 pm »

Should I be concerned with these:

2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_FTP_FORBIDDEN': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_FTP_NOT_FOUND': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_FTP_PUT_ERROR': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_FTP_FAILURE': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_FTP_UNAVAILABLE': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_FTP_DISABLED': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_CONFLICT_HOST': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_PRECONDITION_FAILED': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_ZERO_SIZE_OBJECT': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_INVALID_URL': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_UNSUP_REQ': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_INVALID_REQ': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_UNSUP_HTTPVERSION': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_INVALID_RESP': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_TOO_BIG': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_ONLY_IF_CACHED_MISS': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_URN_RESOLVE': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_DNS_FAIL': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_SOCKET_FAILURE': (13) Permission denied
2020-08-13T10:03:03   kid1| ERROR: loading file '/usr/local/etc/squid/errors/local/ERR_SECURE_CONNECT_FAIL': (13) Permission denied

Thanks,
Steve

228

Hardware and Performance / NIC Driver Updates

« on: August 04, 2020, 06:12:12 pm »

I have a single Intel 210(EM0) and a 4 port Intel I350(IGB0-IGB3). Do I need to worry about updating drivers in FreeBSD when updates come out?

229

20.7 Legacy Series / Firewall Rules and NAT Options

« on: August 01, 2020, 12:58:38 am »

I am building a 20.7 firewall, so I can test with it before upgrading my production firewall. I need to restore firewall rules and NAT options. What section of the config backup should I use to get these?

230

20.1 Legacy Series / DHCP - Why Am I Seeing This?

« on: July 20, 2020, 08:11:38 pm »

I am looking at the DHCP server log and seeing alot over and over of these:

2020-07-20T14:09:56   dhcpd: DHCPOFFER on 192.168.0.11 to c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:56   dhcpd: DHCPDISCOVER from c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:55   dhcpd: DHCPOFFER on 192.168.0.11 to c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:55   dhcpd: DHCPDISCOVER from c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:54   dhcpd: DHCPOFFER on 192.168.0.11 to c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:54   dhcpd: DHCPDISCOVER from c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:53   dhcpd: DHCPOFFER on 192.168.0.11 to c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:53   dhcpd: DHCPDISCOVER from c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:52   dhcpd: DHCPOFFER on 192.168.0.11 to c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:52   dhcpd: DHCPDISCOVER from c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:51   dhcpd: DHCPOFFER on 192.168.0.11 to c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1
2020-07-20T14:09:51   dhcpd: DHCPDISCOVER from c4:ad:34:b6:ae:75 (MCSW_1) via lagg0_vlan1

What is wrong here? I am not seeing this IP show up in the leases section.

Steve

231

20.1 Legacy Series / Cannot Ping a Local Device

« on: July 18, 2020, 03:54:24 am »

Hello all,

I am in the middle of productionizing a new firewall. Currently my firewall is a mixture of vlans and non-vlan interfaces, moving to an all vlan topology. My PC is on a vlan interface, trying to ping a local device on a non-vlan interface, and not getting a response. I can ping the default gateway of the non-vlan interface, but cannot go any further.

I believe it has to do with the way my switch is setup for the vlans that are being passed. My question is if there is no vlan on an interface does it get passed by default?

Thanks,
Steve

232

General Discussion / Interface - Can it be Assigned to a NIC and VLAN Simultaneously?

« on: July 14, 2020, 03:24:12 pm »

Can I assign an interface to both a real NIC and a VLAN? It seems it is one or the other?

233

General Discussion / Google Tsunami

« on: July 12, 2020, 06:22:49 pm »

Has anyone looked into this and how it could be deployed on OPNsense, as a plugin? We would need the following prerequisites:

nmap >= 7.80
ncrack >= 0.7

234

20.1 Legacy Series / What Am I Doing Wrong?

« on: July 09, 2020, 06:54:13 pm »

I am in the middle of finalizing my new OPNsense build and it got connected to my Internet connection for the first time. Needless to say it was an epic fail, as I could not access anything on the Internet from my wired PC.

The major difference between my current firewall and the new build is all my LAN subnets are now VLANs. From the new build I can traceroute out to the Internet with no issue. I can also do the same when using my wired vlan as the source, but if I try to access the Internet from my PC no go. I checked the routing tables on the firewall and ARP is telling me it knows about my ISP connection and DHCP IP. I checked the default rules for the wired vlan and they are correct.

Ok what am I missing?

235

General Discussion / Sniff VLAN ID

« on: July 08, 2020, 03:18:57 am »

Is there a tool that would allow me to sniff the traffic coming in from my ISP, so I can determine if they are pushing a VLAN ID?

236

General Discussion / Switch Between Firewall And Internet Service

« on: July 06, 2020, 08:33:53 pm »

Does any have a switch in between their firewall and Internet drop? If yes how do you have the switch configured? I have two ports on vlan 99, both of which are untagged. My firewall NIC is on one port and the Internet drop is on the other port. I never get the DHCP IP from the Internet service.

237

20.1 Legacy Series / CPU Supports Enhanced Speedstep, but is not recognized

« on: June 27, 2020, 05:47:11 pm »

Should I be concerned with these msgs? I am building a new Intel i7 system. Do I need updated drivers?

238

General Discussion / L3 VLAN Routing

« on: June 23, 2020, 06:33:44 pm »

Hello all,

I have upgraded my core switching to include L3 routing functionality. I have also moved to vlans for my collision domains. I have 4 vlans...1, 10(wireless), 20(wired streaming), and 30(servers). I could continue to use my firewall as the router on a stick, but I want to move that to the core switches and let the firewall be a firewall/IDS/IPS/Proxy.

Do you advise this setup or am I barking up a tree with inter-vlan routing on the switches. I bought two Netgear GS108Tv3 switches, which will be stacked together.

Thanks,
Steve

239

General Discussion / Lockout of Admin GUI from VLANs

« on: June 18, 2020, 04:18:24 am »

I would like to be able to lockout access to the GUI from certain VLANs. Is there a way to pull that off? Is it a rule on the interfaces?

240

General Discussion / Jumbo Frames Across a LACP LAG

« on: June 18, 2020, 04:08:23 am »

Curious question...has anyone been successful in using jumbo frames over a LACP LAG? I have a 4 port LAG to my firewall and wondering if pumping up the volume for jumbo frames will yield any performance benefit.