Messages - Patrick M. Hausen

#10441
Quote from: Ricardo on November 22, 2020, 07:31:54 PM
Nobody uses dynamic IP with site2site IPSEC VPN?
Nope. At least I don't support any such configuration and would strongly argue to get fixed IP addresses to any customer. And I have built quite a number of IPsec based VPNs in my life.

Doesn't help - sorry.
Patrick
#10442
General Discussion / Re: LACP is not working
November 22, 2020, 07:00:39 PM
OPNsense has both sysctls, since FreeBSD has them:

root@opnsense:~ # sysctl net.link.lagg.lacp
net.link.lagg.lacp.default_strict_mode: 1
net.link.lagg.lacp.debug: 0


You could give the debug function on the OPNsense side a try. I just enabled it, then "shut; no shut" one interface on the Cisco side:

actor=(8000,00-0D-B9-57-27-90,012B,8000,0001)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-B6-70-D6-32-80,0004,8000,0110)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=0
igb0: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0110)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-0D-B9-57-27-90,012B,8000,0001)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=32768
igb1: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0111)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-0D-B9-57-27-90,012B,8000,0002)
partner.state=1d<ACTIVITY,AGGREGATION,SYNC,COLLECTING>
maxdelay=32768
igb1: lacpdu transmit
actor=(8000,00-0D-B9-57-27-90,012B,8000,0002)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-B6-70-D6-32-80,0004,8000,0111)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=0
igb0: lacpdu transmit
actor=(8000,00-0D-B9-57-27-90,012B,8000,0001)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-B6-70-D6-32-80,0004,8000,0110)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=0


As for the strict mode - there should not be anything fundamentally different w.r.t. lagg(4) in pfSense vs. OPNsense - different default values, perhaps. So just go ahead and set it to 0 ...

HTH,
Patrick
#10443
General Discussion / Re: LACP is not working
November 22, 2020, 12:51:32 PM
I can only comment that lagg does work in the general case.

My OPNsense:

lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC>
ether 00:0d:b9:57:27:90
inet6 fe80::20d:b9ff:fe57:2790%lagg0 prefixlen 64 scopeid 0x9
laggproto lacp lagghash l2,l3,l4
laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
groups: lagg
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


My Cisco 2960-L:

cisco#sh lacp 4 neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode     

Channel group 4 neighbors

Partner's information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi0/15    SA      32768     000d.b957.2790   5s    0x0    0x12B  0x1     0x3D 
Gi0/16    SA      32768     000d.b957.2790   4s    0x0    0x12B  0x2     0x3D 


So, does your Brocade switch have some debugging capability? E.g. if I bring one of my two links down on the OPNsense side, enable debugging of LACP events on the Cisco, then bring the interface up again, I get this:

cisco#debug lacp event
Link Aggregation Control Protocol events debugging is on
cisco#
Nov 22 11:48:29.174: LACP: Gi0/16 set to UNSELECTED
Nov 22 11:48:30.170: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down
Nov 22 11:48:31.174: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down
Nov 22 11:48:33.939: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
Nov 22 11:48:34.943: LACP: Gi0/16 STANDBY aggregator hex address is 64DA810
Nov 22 11:48:34.944: LACP: Gi0/16 set to STANDBY
Nov 22 11:48:36.722: lacp_handle_standby_port_internal called, depth = 1
Nov 22 11:48:36.722: LACP: Gi0/16 standby->selected
Nov 22 11:48:36.722: LACP: Gi0/16 set to SELECTED
Nov 22 11:48:38.551: lacp_handle_standby_port_internal called, depth = 1
Nov 22 11:48:39.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to up


Please try and find some more detailed information on the switch side.

Kind regards,
Patrick
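The two LACP posts above show the same information in two encodings: the lagg(4) debug trace prints actor.state=3d / partner.state=1d next to the decoded flag list, and the Cisco "show lacp neighbor" output only prints the raw "Port State" byte 0x3D. The following decoder is an added example and not code from either post or from OPNsense; it implements the IEEE 802.1AX state-bit layout (bit 0 ACTIVITY through bit 7 EXPIRED), parses "lacpdu receive/transmit" blocks of the form shown in the first post, and lists every port whose actor or partner is not fully forwarding. The sample text is constructed from the lines in the post; everything else (function names, the READY mask) is the example's own.

```python
"""Decode LACP actor/partner state bytes from lagg(4) debug output.

Added example, not from the forum posts. It handles the
"lacpdu receive/transmit" blocks printed with
net.link.lagg.lacp.debug=1 on FreeBSD/OPNsense, and decode_state()
also applies to the "Port State" column (e.g. 0x3D) of a Cisco
"show lacp neighbor" listing, which carries the same byte.
"""
import re

# IEEE 802.1AX actor_state / partner_state bit assignments (bit 0 = LSB).
LACP_STATE_BITS = (
    (0x01, "ACTIVITY"),      # LACP_Activity: active (1) vs passive (0)
    (0x02, "TIMEOUT"),       # LACP_Timeout: fast/short (1) vs slow/long (0)
    (0x04, "AGGREGATION"),   # link may be aggregated (not individual)
    (0x08, "SYNC"),          # in sync with the selected aggregator
    (0x10, "COLLECTING"),    # inbound frames are accepted
    (0x20, "DISTRIBUTING"),  # outbound frames are sent on this link
    (0x40, "DEFAULTED"),     # operating on default partner information
    (0x80, "EXPIRED"),       # receive machine timed out waiting for LACPDUs
)
# Flags a link must show before it carries traffic in both directions
# (assumption of this example: active mode is expected on both ends).
READY = 0x01 | 0x04 | 0x08 | 0x10 | 0x20

LINE_PORT = re.compile(r"^(\w+): lacpdu (receive|transmit)$")
LINE_STATE = re.compile(r"^(actor|partner)\.state=([0-9a-fA-F]{1,2})<")


def decode_state(value):
    """Return the flag names set in an 8-bit LACP state value."""
    return [name for bit, name in LACP_STATE_BITS if value & bit]


def state_problems(value):
    """Return (missing READY flags, set DEFAULTED/EXPIRED flags)."""
    missing = [n for b, n in LACP_STATE_BITS if READY & b and not value & b]
    bad = [n for b, n in LACP_STATE_BITS if b & 0xC0 and value & b]
    return missing, bad


def parse_lagg_debug(text):
    """Group debug lines into {(port, direction): {"actor": int, "partner": int}}.

    Lines that precede the first "<port>: lacpdu ..." header (a trace that
    was cut mid-record, as in the post) are skipped rather than guessed at.
    """
    records = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = LINE_PORT.match(line)
        if m:
            current = (m.group(1), m.group(2))
            records[current] = {}
            continue
        m = LINE_STATE.match(line)
        if m and current is not None:
            records[current][m.group(1)] = int(m.group(2), 16)
    return records


def report(text):
    """List (port, direction, role, missing, bad) for every non-ready state."""
    out = []
    for (port, direction), states in parse_lagg_debug(text).items():
        for role, value in states.items():
            missing, bad = state_problems(value)
            if missing or bad:
                out.append((port, direction, role, missing, bad))
    return out


# Constructed sample, taken from the trace in the post: igb1 has just come
# back up and the switch does not yet see the OPNsense side DISTRIBUTING.
SAMPLE = """\
igb0: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0110)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-0D-B9-57-27-90,012B,8000,0001)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=32768
igb1: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0111)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-0D-B9-57-27-90,012B,8000,0002)
partner.state=1d<ACTIVITY,AGGREGATION,SYNC,COLLECTING>
maxdelay=32768
"""

if __name__ == "__main__":
    print("0x3D ->", decode_state(0x3D))   # the Cisco "Port State" column
    for port, direction, role, missing, bad in report(SAMPLE):
        print(f"{port} {direction}: {role} missing {missing}, bad {bad}")
```

Reading the trace with this: 0x3D is exactly ACTIVITY, AGGREGATION, SYNC, COLLECTING, DISTRIBUTING with the TIMEOUT bit clear, which is why the Cisco lists the partner with flag "S" (slow LACPDUs). A partner state of 1d on a received LACPDU is what a link looks like right after "shut; no shut": the far end has not yet set DISTRIBUTING. If it stays that way, or DEFAULTED/EXPIRED show up, the two ends disagree on keys or on strict mode, and that is the line to look at on the switch side.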
#10444
German - Deutsch / Re: multiple subdomains via port 80/443
November 19, 2020, 11:24:25 PM
Guacamole is essentially the same thing as those dreadful "SSL VPN" portals from Cisco and the like - only open source and done properly  :)
#10445
German - Deutsch / Re: multiple subdomains via port 80/443
November 19, 2020, 09:22:56 PM
Quote from: lfirewall1243 on November 19, 2020, 08:41:44 PM
But I do hope you are not planning to make your home automation and RDP reachable from the Internet, are you?
Apache Guacamole rulez ...

http://guacamole.apache.org/
#10446
German - Deutsch / Re: multiple subdomains via port 80/443
November 19, 2020, 08:31:20 PM
Quote from: dslthomas on November 19, 2020, 08:12:26 PM
Quote from: lfirewall1243 on November 19, 2020, 08:02:41 PM
Well, for me Exchange runs flawlessly with LE on HAProxy
Yes, but that has to be done on the server and not on the firewall??? I can't create one certificate on two devices. The other problem is that I only ever have a limited time window before I have to revert everything so that Exchange works again and everything is reachable from outside as before
What has to be done on the server? Let's Encrypt? What for?

Only the HAProxy is reachable from the Internet. It gets its certificate via Let's Encrypt. The HAProxy talks to the server either unencrypted or over a self-signed cert.

I use an Apache 2.4 for the job rather than the OPNsense HAProxy, but the principle is the same. The Apache talks HTTP to all the applications.
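The setup described in the post (one reverse proxy exposed on 80/443, the Let's Encrypt certificate only on the proxy, backends reached in plain HTTP or with their own self-signed certificate) looks like this as a hand-written haproxy.cfg. This is an added example, not the poster's configuration and not the config the OPNsense HAProxy plugin generates from its GUI; the hostnames, addresses, ports and file paths are assumptions. It also shows the check a practitioner would want on the inside hop: rather than `verify none`, the backend's self-signed certificate is pinned by handing it to HAProxy as the CA file.

```haproxy
# Added example (not from the post, not plugin-generated). Assumed names:
# mail.example.org -> Exchange (self-signed TLS, 192.0.2.10:443)
# remote.example.org -> Apache Guacamole (plain HTTP, 192.0.2.20:8080)
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend public
    bind :80
    # One listener for all subdomains. The directory holds the LE-issued
    # certificates (full chain + key per name); HAProxy selects one by SNI.
    bind :443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https
    # Route on the Host header (the name the application will see) and send
    # anything that is not a published name nowhere.
    acl host_mail   hdr(host) -i mail.example.org
    acl host_remote hdr(host) -i remote.example.org
    use_backend exchange  if host_mail
    use_backend guacamole if host_remote
    default_backend no_match

backend exchange
    # Exchange keeps its self-signed certificate. Treating that certificate
    # itself as the CA file pins it: a swapped certificate on the inside is
    # rejected instead of being silently accepted as "verify none" would.
    server exch01 192.0.2.10:443 ssl verify required ca-file /usr/local/etc/haproxy/exchange-selfsigned.pem sni str(mail.example.org)

backend guacamole
    # Plain HTTP to the Guacamole web app: only the proxy is reachable from
    # the Internet, this hop stays on the internal network.
    server guac01 192.0.2.20:8080

backend no_match
    http-request deny deny_status 421
```

The pinned file is just the backend's own certificate in PEM form; exporting it with `openssl s_client -connect 192.0.2.10:443 -servername mail.example.org </dev/null | openssl x509` (address and name assumed as above) and dropping the result into the ca-file path is all the "certificate on the server" work there is, and it does not involve Let's Encrypt at all.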
#10448
ClamAV is an open source antivirus engine, Rspamd an open source spam filter - so: yes.
#10449
I run two VLANs over a lagg/trunk port to a Cisco switch and mDNS works for me. I do have rather permissive "pass all" rules between those two VLANs, though. So I cannot tell you what traffic precisely to allow. I use os-mdns-repeater.

Bonjour uses multicast predominantly. If your rules are not based on interfaces alone but also networks, probably something is missing.

Although this does not help much - I guess the information that os-mdns-repeater generally works is still valuable.

HTH,
Patrick
#10450
web.de has no AAAA record ...
# ping6 web.de
ping6: hostname nor servname provided, or not known
# ping6 heise.de
PING6(56=40+8+8 bytes) 2a00:b580:8000:12:8889:774a:7b67:a226 --> 2a02:2e0:3fe:1001:302::
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=60 time=2.800 ms
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=1 hlim=60 time=3.019 ms
^C
#10451
Quote from: suados_forum on November 04, 2020, 02:03:38 PM
Doesn't it make no difference what traffic I want to send through the tunnel!?
That is not a tunnel like IPsec or OpenVPN. It is "only" TCP forwarding. Consequently it only works with TCP.
#10452
Syslog is UDP. SSH port forwarding is TCP ...
#10453
What were you running before if not the serial image installed to your MSATA?
#10454
Have you allowed promiscuous mode for that vSwitch/portgroup/VM? I don't know off the top of my head at which level that setting can be found.