Topics - steilfirn_8000

1
24.1 Legacy Series / OSPF weird behaviour
« on: March 06, 2024, 01:21:51 pm »
Hello everyone,

I stumbled across a weird routing behaviour on my network.
In general my network is:

Mikrotik CCR2004 as internet & VPN router connected to 2x OPNsense which are connected to a Mikrotik CCR2116 as my network router.
As a failover my CCR2004 is also direct to CCR2116 but with higher costs so any traffic would go through my firewall.

Anytime I modify an OSPF setting on OPNsense and reload the process it gets reconnected but no traffic is going through it - it becomes unreachable.

Both Mikrotik routers show that OSPF is connected and exchanged all information (State = Full).

I connected to an OPNsense VM to see what is happening there and FRR's vtysh also shows that it's fully exchanged and I can see all routes.
Only ICMP and traceroute are not working:

Code:
PING k8s-1.hks.lan (10.0.22.80): 56 data bytes
92 bytes from 172.16.1.2: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 b660   0 0000  01  01 35e7 172.16.1.2  10.0.22.80

92 bytes from 172.16.1.2: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 ef8c   0 0000  01  01 fcba 172.16.1.2  10.0.22.80

92 bytes from 172.16.1.2: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 cbe3   0 0000  01  01 2064 172.16.1.2  10.0.22.80

Traceroute is running between the Mikrotik and the CCR2116 - I guess until the TTL is reached and the packet is then kicked.


Currently the only solution is to restart CCR2116 to get everything running again.


Is there a bug somewhere?

2
24.1 Legacy Series / Nginx not working on CARP address
« on: February 05, 2024, 09:54:56 am »
Hello there,

I just started to test the Nginx plugin to use it as a reverse proxy.
When running it on the firewall IP it works as expected but as soon as I use my CARP IP I am no longer able to connect to the site.

Is this a known behaviour or a bug?

3
23.1 Legacy Series / nginx reverse proxy WAF
« on: July 25, 2023, 09:27:14 am »
Hello there,

just a quick question:
Nginx WAF section offers three options:
- block XSS score
- block SQL injection score
- custom security policy

Would block XSS and SQL injection score not be needed if I apply the custom security policy with the available values?

4
Intrusion Detection and Prevention / Suricata "blocks" traffic but doesn't
« on: July 19, 2023, 01:34:41 pm »
Hello everyone,

I am using Suricata for quite a while on my virtual OPNsense firewall.
I recently stumbled across an interesting thing: In Suricata's log it says that it blocks some specific IPs for e.g. SSH scan, but on the destination host I can also see that fail2ban is banning the specific IP.
So from my point of view it looks like that Suricata is "lying" about blocking it.

Anyone else having same troubles?

5
23.1 Legacy Series / Suricata blocks traffic on local allowed list
« on: February 05, 2023, 10:28:03 am »
Hello there,

I am using a Mikrotik router in front of my OPNsense firewall (virtualized) to act as an internet border router and take care of VPN, OSPF & BGP.
On OPNsense it is connected to my WAN interface and there are firewall routes which allow traffic from VPN sites to my subnets behind OPNsense.
In general this works.

As I am additionally using Suricata IDS/IPS on my WAN interface too, I noticed that there are a lot of blocking messages although the blocked addresses are allowed on the local/home network tab in Suricata.

What is strange: It still works - Suricata says that it blocks the traffic but in the background it still works.

Is this an expected behaviour?

6
22.7 Legacy Series / IPv6 on OPNsense
« on: January 13, 2023, 07:34:20 am »
Hello fellow everyone,

I am seeking for guidance/help.
As my ISP does not support IPv6 I decided to use HE tunnelbroker.net.

My current network setup would be:
Internet --> Mikrotik router --> 2x OPNsense HA firewalls --> LANs

LANs:
192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
and so on.

On Mikrotik router I have added the routable IPv6 and advertise it.

On OPNsense I use "SLAAC" on IPv6 at WAN interface.

For my internal LAN interfaces I use "track" with WAN interface.


So far my devices behind OPNsense do get IPv6 address but connectivity is a pain.

Sometimes I can ping remote IPv6 hosts - sometimes I can't.

After a restart OPNsense is using its own link-local address as a default gateway?

It seems it's nearly impossible to get a proper setup with OPNsense and IPv6 for my subnets.


Can someone enlighten me?

7
22.1 Legacy Series / Monit only on MASTER fw
« on: June 11, 2022, 06:43:55 pm »
Hello there,

is it possible to define a Monit rule which works only if the VIP status is Master?

8
22.1 Legacy Series / HA failover interrupts streams
« on: May 03, 2022, 10:13:20 am »
Hello everyone,

I am using two OPNsense firewalls as HA.
So far everything works as expected but I am having difficulties when it comes to streaming media (e.g. audio streams, VoIP session).

If I do a failover the connections get interrupted.
Is this a known behaviour?

9
22.1 Legacy Series / CARP Virtual WAN IP
« on: April 16, 2022, 10:00:33 am »
Hello there,

I tried to use my WAN IP as a virtual one to have a failover/HA but unfortunately as soon as I follow the steps which I found at pfSense forum it does not work.

I have one static IP from my ISP.
Therefore I use a private /30 range on each OPNsense box and share the real public IP via Virtual IP.
But the gateway always shows offline. I am also not able to ping my ISP's router via my real public IP.

Is anyone using HA with just one IP?

10
22.1 Legacy Series / [Solved] XMLRPC is copying wrong settings
« on: April 16, 2022, 08:39:20 am »
Hello everyone,

yesterday I launched a 2nd OPNsense VM on my Proxmox hypervisor to give HA a try.
Both VMs have mostly the same configuration - only the CPU type differs (AMD vs Intel).

I also added XMLRPC to "copy/paste" the firewall configuration from my working OPNsense to the newly built one, and for most configuration settings it works but not for all.

E.g.: Virtual IPs are being connected to the wrong interface on the 2nd firewall while they are correct on the 1st one.


Is this a known issue or am I doing something wrong?

11
Virtual private networks / Transparent proxy
« on: January 03, 2022, 08:17:41 pm »
Hello there,

I have enabled Squid transparent proxy on my OPNsense and for my LAN interfaces it works pretty well, but unfortunately not for my VPN connections (OpenVPN & Wireguard).

On OpenVPN I had to create an interface to be able to select it at the Squid configuration but as soon as I enable this connection I cannot open any HTTP/HTTPS.
I selected the tunnel to be used as default gateway.

On Wireguard I am a step further: Via this VPN I get always a Squid "access denied" error message.

Any ideas how to solve this?

12
Virtual private networks / Wireguard connection working but no internet access
« on: January 03, 2022, 08:17:09 pm »
Hello there,
I recently enabled Wireguard for a "roadwarrior" setup.
In general it works out of the box and I can connect my Android phone with OPNsense.
Also pinging, DNS resolution and so on work flawlessly.

BUT as soon as I open my Firefox browser and try to open a website it times out.
Any ideas why that happens?

13
21.7 Legacy Series / Nginx WAF SNI forwarding
« on: January 02, 2022, 01:27:08 pm »
Hello everyone,

I tried enabling the Nginx WAF for my webservers.
Unfortunately my main webserver which hosts a couple of sites only shows an error message that no SNI is provided.

Within the location tab I have enabled that TLS SNI forward option - still no luck.


Any ideas?

14
General Discussion / Virtualized firewall
« on: December 24, 2021, 05:34:58 pm »
Merry Christmas!

I have tried to migrate my small network from Sophos XG over to OPNsense but without luck.
My setup is/was:

- Virtualized OPNsense with direct internet connection + static IP
- Virtualized OPNsense with NAT
- Turris router (CZ modified OpenWRT)

As I have two remote sites I wanted them to connect via ZeroTier S2S VPN + OSPF routing and here my pain started.

From Turris I was able to ping the NATed OPNsense without any issues - worked flawlessly.
From my local OPNsense I had an average ICMP packet loss of around 50 %.
Also OSPF routing was not working due to that.

Any idea what might be the root cause?

15
German - Deutsch / LDAP user drops out of admin group
« on: November 15, 2020, 11:58:09 am »
Hello,

I have now coupled my OPNsense with my LDAP (Active Directory).
User lookups work so far and I have also imported my AD admins into the sense.

Furthermore I have added the AD admins to the firewall-internal admin group and selected my AD server as authenticator - that worked without problems as well.


Problem:
When I now try to log in with an AD user, I land on the login page again and the user drops out of the local OPNsense admin group.


What am I doing wrong?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved