Messages - Fright

1696
20.7 Legacy Series / Re: Alias exclusions
« on: September 06, 2020, 09:40:03 pm »
Good news!
Ad Schellevis has already made changes and added the Alias exclusions feature.
Thanks again for the quick responses and patience  :)

1697
20.7 Legacy Series / Re: NAT reflection issues with double NAT
« on: September 06, 2020, 09:28:32 pm »
Sorry, from the first post I could not understand that you are using VLANs not only for reflection testing.
Can you please describe your setup in more detail?
And now I can't understand how your NAT rule relates to the forward rule.
What is in your port forward rule?
As I understand it, your client is on the igb1 interface. On which interface is your server?
And most important: I really think that the use of interface groups in a NAT rule is not a perfect idea. It's really confusing. Have you tried making the NAT rules one by one (one rdr rule for specific client-server traffic -> one related NAT rule) and checking the results?

1698
20.7 Legacy Series / Re: Upgrade OPNsense 20.7.2 reboot fails due to suricata pid
« on: September 06, 2020, 04:58:58 pm »
my 2¢
Read this thread before the 2.7.2 upgrade and just disabled Suricata before the upgrade.
The upgrade was smooth, but attempts to launch Suricata ended in an error (error (1)). Some error in rule-updater.py.
I didn't have time to find out the reason; it just updated rules and started normally on the 4th or 5th try.
Works well since then.

1699
20.7 Legacy Series / Re: Aliases from local hostnames
« on: September 05, 2020, 07:36:23 pm »
Glad it works )

1700
20.7 Legacy Series / Re: Aliases from local hostnames
« on: September 05, 2020, 07:10:59 pm »
"I am not sure what you mean by "opnsense uses internal DNSes," because I am using Unbound DNS in OPNsense"
The idea is that OPNsense can resolve the hostname from an Alias without the domain suffix.
In that case you can make an Alias without the domain part at all, just the host part, e.g. ("Engineers" {host1,host2,host3}).
Then you can change your local domain name whenever you want and no alias edit is needed.
Or I didn't understand the task.

1701
20.7 Legacy Series / Re: NAT reflection issues with double NAT
« on: September 05, 2020, 07:02:36 pm »
I just quickly tested the solution I mentioned.
It works. No messing with virtual IPs or VLANs needed.
It is not necessary that the IP be on the firewall for the rdr rule (port forward) to work.
And the NAT rule is needed just because the target server and client are in the same subnet, and the server will reply directly to the client if the request is forwarded without NAT.

1702
20.7 Legacy Series / Re: openvpn client config problem
« on: September 05, 2020, 11:47:29 am »
No, I mean /var/etc/openvpn/client1.conf is the file that OPNsense generates when you save your client config in the GUI.
So better look at its content than at the vpngate.ovpn content to understand what can go wrong.
So please configure the client again (with a raised verbose level) and attach client1.conf and the verbose log.

1703
20.7 Legacy Series / Re: Aliases from local hostnames
« on: September 05, 2020, 10:43:32 am »
ulysses, does the domain in System-General match your LAN domain, and what DNS servers does your OPNsense use?
If yes and OPNsense uses internal DNSes:
Just tested: the "Host(s)" Alias type accepts host names without a domain and correctly resolves them to IPs when it prepares the table. Is that what you want?

1704
20.7 Legacy Series / Re: openvpn client config problem
« on: September 05, 2020, 09:04:58 am »
You attached the client config from the server, not the config used by OPNsense.
What is in /var/etc/openvpn/client1.conf?
And try to change verbose to 3.
The current log tells nothing useful.

1705
20.7 Legacy Series / Re: NAT reflection issues with double NAT
« on: September 05, 2020, 08:40:39 am »
"Pretty much all of them."
Great answer  ;D
Anyway,
split DNS IMHO is the right solution, but if you need more complexity in the network:

Reflection is not some special technology, just automation of rule creation.
Since OPNsense knows nothing about the real external IP, you just need to create Port Forward and Outbound rules manually.

One outbound rule for all traffic from LAN to LAN:
interface: LAN, source: LAN Net, source port: tcp/*, destination: LAN Net, dest port: tcp/*, NAT address: interface address.

And port forward rules for your services:
e.g. if you want to do this with TCP 80:
Port Forward: source: interface LAN, proto TCP, address LAN net. Destination: *YourRealPublicIP*, ports: HTTP/S, redirect target: *lanaddressofyourhttpserver*, port HTTP/S
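The two manual rules described in this post, written out as an added example in FreeBSD pf syntax (this is not from the post and not OPNsense's own generated ruleset; the interface name, public IP and server address are assumed placeholders):

```pf
# Constructed example values, not from the post:
lan_if   = "igb1"           # assumed LAN interface name
ext_addr = "203.0.113.10"   # placeholder for *YourRealPublicIP*
web_srv  = "192.168.1.20"   # placeholder for *lanaddressofyourhttpserver*

# Port forward (the "Port Forward" rule): LAN clients that connect to the
# public IP on 80/443 are redirected to the LAN web server. The public IP
# does not have to exist on the firewall for this rdr to match; the
# destination port is kept because no port is given after "->".
rdr on $lan_if proto tcp from $lan_if:network to $ext_addr port { 80, 443 } -> $web_srv

# Outbound NAT (the "Outbound" rule): after the rdr, client and server are
# in the same subnet, so the source is rewritten to the firewall's LAN
# address. Otherwise the server would answer the client directly and the
# client would drop the reply as not belonging to its connection.
nat on $lan_if proto tcp from $lan_if:network to $lan_if:network -> ($lan_if)

# A filter rule still has to pass the redirected traffic (OPNsense adds it
# for you when the port forward's filter rule association is enabled).
pass in quick on $lan_if proto tcp from $lan_if:network to $web_srv port { 80, 443 }
```

Because the source becomes the firewall's LAN address, the web server's logs will show the firewall, not the real client, for reflected connections; this is the known price of hairpin NAT and one reason split DNS is preferred when it is an option.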


1706
20.7 Legacy Series / Re: NAT reflection issues with double NAT
« on: September 04, 2020, 09:59:56 pm »
And how many services do you need to reflect back to the LAN?

1707
20.7 Legacy Series / Re: Unbound DNS override and firewall rules
« on: September 04, 2020, 05:38:43 pm »
Wonderful )

1708
20.7 Legacy Series / Re: Firewall Rules Optimization
« on: September 04, 2020, 08:03:00 am »
It's not really about hardware, just an attempt to arrange the order of the rules (and some rule "cleaning") to reduce the number of iterations.
So if you have no doubts about the correctness of the optimization, or special strict conditions for the order of applying the rules, just leave it at the default.
As far as I understand, the "profile" is trying to additionally change the order of the rules with the quick directive, based on real traffic statistics (that is, this is "basic" plus additional optimization of quick rules).

Good reading: http://undeadly.org/cgi?action=article&sid=20060927091645

1709
20.7 Legacy Series / Re: BIND - Need Port setting for DNS Forwarders
« on: September 03, 2020, 08:10:43 pm »
Are you sure you read the path carefully?
It's a template. It's never overwritten (plugin reinstall does not count). It contains instructions to fill the .conf based on settings.

1710
20.7 Legacy Series / Re: BIND - Need Port setting for DNS Forwarders
« on: September 03, 2020, 07:02:12 pm »
IMO for a workaround (if you plan to request this feature) you can play with the template.
I think it's
/usr/local/opnsense/service/templates/OPNsense/Bind/named.conf
and set the port there.

