Messages - Patrick M. Hausen

6796
20.7 Legacy Series / Re: Ipsec Site-to-Site VPN goes down regularly
« on: November 22, 2020, 08:20:00 pm »
Quote from: Ricardo on November 22, 2020, 07:31:54 pm
Nobody uses dynamic IP with site2site IPSEC VPN?
Nope. At least I don't support any such configuration and would strongly argue for fixed IP addresses to any customer. And I have built quite a number of IPsec based VPNs in my life.

Doesn't help - sorry.
Patrick

6797
General Discussion / Re: LACP is not working
« on: November 22, 2020, 07:00:39 pm »
OPNsense has both sysctls, since FreeBSD has them:
Code:
root@opnsense:~ # sysctl net.link.lagg.lacp
net.link.lagg.lacp.default_strict_mode: 1
net.link.lagg.lacp.debug: 0

You could give the debug function on the OPNsense side a try. I just enabled it, then "shut; no shut" one interface on the Cisco side:
Code:
actor=(8000,00-0D-B9-57-27-90,012B,8000,0001)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-B6-70-D6-32-80,0004,8000,0110)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=0
igb0: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0110)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-0D-B9-57-27-90,012B,8000,0001)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=32768
igb1: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0111)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-0D-B9-57-27-90,012B,8000,0002)
partner.state=1d<ACTIVITY,AGGREGATION,SYNC,COLLECTING>
maxdelay=32768
igb1: lacpdu transmit
actor=(8000,00-0D-B9-57-27-90,012B,8000,0002)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-B6-70-D6-32-80,0004,8000,0111)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=0
igb0: lacpdu transmit
actor=(8000,00-0D-B9-57-27-90,012B,8000,0001)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner=(8000,00-B6-70-D6-32-80,0004,8000,0110)
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
maxdelay=0

As for the strict mode - there should not be anything fundamentally different w.r.t. lagg(4) in pfSense vs. OPNsense - different default values, perhaps. So just go ahead and set it to 0 ...

HTH,
Patrick
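The `actor.state=3d<...>` / `partner.state=1d<...>` lines in the lagg(4) debug output above encode the IEEE 802.1AX state byte (the same byte the Cisco shows as `Port State 0x3D`). The following script, an added example that is not from the post, decodes that byte, checks it against the flag list lagg(4) prints, and reports ports where one side is not yet collecting and distributing. The sample input is constructed from the lines of the post; bit positions follow IEEE 802.1AX as used by FreeBSD.

```python
import re

# IEEE 802.1AX actor/partner state bits, bit 0 first (order used by lagg(4)).
LACP_STATE_BITS = ("ACTIVITY", "TIMEOUT", "AGGREGATION", "SYNC",
                   "COLLECTING", "DISTRIBUTING", "DEFAULTED", "EXPIRED")
# A fully working link shows all of these on both sides.
HEALTHY = {"ACTIVITY", "AGGREGATION", "SYNC", "COLLECTING", "DISTRIBUTING"}

STATE_RE = re.compile(r"^(actor|partner)\.state=([0-9a-f]+)<(.*)>$")
PDU_RE = re.compile(r"^(\w+): lacpdu (receive|transmit)$")

# Constructed sample mirroring the post's debug output (igb1 partner lacks DISTRIBUTING).
SAMPLE = """\
igb0: lacpdu receive
actor=(8000,00-B6-70-D6-32-80,0004,8000,0110)
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
igb1: lacpdu receive
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner.state=1d<ACTIVITY,AGGREGATION,SYNC,COLLECTING>
igb1: lacpdu transmit
actor.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
partner.state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
"""

def decode_state(hexbyte):
    """Return the set of flag names encoded in one LACP state byte."""
    value = int(hexbyte, 16)
    return {name for i, name in enumerate(LACP_STATE_BITS) if value & (1 << i)}

def parse_lacp_debug(text):
    """Group debug lines into one dict per LACPDU; state lines before the
    first 'lacpdu receive/transmit' header are ignored (no port context)."""
    pdus, cur = [], None
    for line in text.splitlines():
        m = PDU_RE.match(line.strip())
        if m:
            cur = {"port": m.group(1), "dir": m.group(2)}
            pdus.append(cur)
            continue
        m = STATE_RE.match(line.strip())
        if m and cur is not None:
            side, hexbyte, listed = m.groups()
            flags = decode_state(hexbyte)
            if flags != set(listed.split(",")):   # byte and text must agree
                raise ValueError("state byte/flag list mismatch: " + line)
            cur[side] = flags
    return pdus

def degraded_ports(pdus):
    """(port, side, missing flags) for every PDU side not fully up."""
    bad = set()
    for p in pdus:
        for side in ("actor", "partner"):
            if side in p and not HEALTHY <= p[side]:
                bad.add((p["port"], side, ",".join(sorted(HEALTHY - p[side]))))
    return sorted(bad)
```

In a received PDU the "actor" is the switch and the "partner" is how the switch sees the OPNsense port, so the report above points at the OPNsense side of igb1 still missing DISTRIBUTING at that moment.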

6798
General Discussion / Re: LACP is not working
« on: November 22, 2020, 12:51:32 pm »
I can only comment that lagg does work in the general case.

My OPNsense:
Code:
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC>
ether 00:0d:b9:57:27:90
inet6 fe80::20d:b9ff:fe57:2790%lagg0 prefixlen 64 scopeid 0x9
laggproto lacp lagghash l2,l3,l4
laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
groups: lagg
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

My Cisco 2960-L:
Code:
cisco#sh lacp 4 neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode     

Channel group 4 neighbors

Partner's information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi0/15    SA      32768     000d.b957.2790   5s    0x0    0x12B  0x1     0x3D 
Gi0/16    SA      32768     000d.b957.2790   4s    0x0    0x12B  0x2     0x3D 

So, does your Brocade switch have some debugging capability? E.g. if I bring one of my two links down on the OPNsense side, enable debugging of LACP events on the Cisco, then bring the interface up again, I get this:
Code:
cisco#debug lacp event
Link Aggregation Control Protocol events debugging is on
cisco#
Nov 22 11:48:29.174: LACP: Gi0/16 set to UNSELECTED
Nov 22 11:48:30.170: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down
Nov 22 11:48:31.174: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down
Nov 22 11:48:33.939: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
Nov 22 11:48:34.943: LACP: Gi0/16 STANDBY aggregator hex address is 64DA810
Nov 22 11:48:34.944: LACP: Gi0/16 set to STANDBY
Nov 22 11:48:36.722: lacp_handle_standby_port_internal called, depth = 1
Nov 22 11:48:36.722: LACP: Gi0/16 standby->selected
Nov 22 11:48:36.722: LACP: Gi0/16 set to SELECTED
Nov 22 11:48:38.551: lacp_handle_standby_port_internal called, depth = 1
Nov 22 11:48:39.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to up

Please try and find some more detailed information on the switch side.

Kind regards,
Patrick

6799
German - Deutsch / Re: multiple subdomains via port 80/443
« on: November 19, 2020, 11:24:25 pm »
Guacamole is in principle the same thing as those dreadful "SSL VPN" portals from Cisco and co. - only open source and done well :)

6800
German - Deutsch / Re: multiple subdomains via port 80/443
« on: November 19, 2020, 09:22:56 pm »
Quote from: lfirewall1243 on November 19, 2020, 08:41:44 pm
But I do hope you don't want to make your home automation and RDP reachable from the Internet, do you?
Apache Guacamole rulez ...

http://guacamole.apache.org/

6801
German - Deutsch / Re: multiple subdomains via port 80/443
« on: November 19, 2020, 08:31:20 pm »
Quote from: dslthomas on November 19, 2020, 08:12:26 pm
Quote from: lfirewall1243 on November 19, 2020, 08:02:41 pm
Well, for me Exchange runs without any problems with LE on the HAProxy
Yes, but that has to be done on the server and not on the firewall??? I can't create one certificate on two devices. The problem is also that I only ever have a limited time window before I have to revert everything so that Exchange runs and everything is reachable from outside as before
What has to be done on the server? Let's Encrypt? What for?

Only the HAProxy is reachable from the Internet. It gets its certificate via Let's Encrypt. The HAProxy talks to the server either unencrypted or via a self-signed cert.

I use an Apache 2.4 for the job rather than the OPNsense HAProxy, but the principle is the same. The Apache talks plain HTTP to all applications.

6802
20.7 Legacy Series / Re: Add restart CRON Job for RADVD
« on: November 16, 2020, 09:30:45 pm »
Here's a short write-up by me:
https://forum.opnsense.org/index.php?topic=19032.msg90983#msg90983

6803
Tutorials and FAQs / Re: What is the function of "Mail Gateway"?
« on: November 11, 2020, 11:15:53 am »
ClamAV is an open source antivirus engine, Rspamd an open source spam filter - so: yes.

6804
General Discussion / Re: An old chestnut - mDNS/Bonjour across VLANs
« on: November 10, 2020, 10:48:33 pm »
I run two VLANs over a lagg/trunk port to a Cisco switch and mDNS works for me. I do have rather permissive "pass all" rules between those two VLANs, though. So I cannot tell you what traffic precisely to allow. I use os-mdns-repeater.

Bonjour uses multicast predominantly. If your rules are not based on interfaces alone but also networks, probably something is missing.

Although this does not help much - I guess the information that os-mdns-repeater generally works is still valuable.

HTH,
Patrick

6805
German - Deutsch / Re: Help allowing IPv6 outbound through the firewall
« on: November 05, 2020, 11:14:53 am »
web.de has no AAAA record ...
Code:
# ping6 web.de
ping6: hostname nor servname provided, or not known
# ping6 heise.de
PING6(56=40+8+8 bytes) 2a00:b580:8000:12:8889:774a:7b67:a226 --> 2a02:2e0:3fe:1001:302::
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=60 time=2.800 ms
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=1 hlim=60 time=3.019 ms
^C

6806
German - Deutsch / Re: Port forwarding 514 over SSH tunnel
« on: November 04, 2020, 02:26:53 pm »
Quote from: suados_forum on November 04, 2020, 02:03:38 pm
Isn't it irrelevant what kind of traffic I want to send through the tunnel!?
That is not a tunnel like IPsec or OpenVPN. It is "only" a TCP forwarding. Consequently it only works with TCP.

6807
German - Deutsch / Re: Port forwarding 514 over SSH tunnel
« on: November 04, 2020, 11:17:32 am »
Syslog is UDP. SSH port forwarding is TCP ...

6808
20.7 Legacy Series / Re: Power fails do corrupt SD Cards and MSATA
« on: November 03, 2020, 04:26:46 pm »
What were you running before if not the serial image installed to your MSATA?

6809
20.7 Legacy Series / Re: VMWare vmxnet3 drivers and VLANs...
« on: November 03, 2020, 12:51:01 pm »
Have you allowed promiscuous mode for that vSwitch/portgroup/VM? I don't know off the top of my head at which level that setting can be found.

6810
Virtual private networks / Re: IPsecVPN With Windows 10 native VPN Client
« on: November 02, 2020, 06:36:36 pm »
https://docs.opnsense.org/manual/how-tos/ipsec-rw-w7.html

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved