Messages - RamSense

496
Zenarmor (Sensei) / SOLVED Re: Sensei does not start after upgrade to opnsense 21.7.1
« on: August 04, 2021, 06:57:51 pm »
If other users have this problem also:

After upgrading to opnsense 21.7.1
I noticed a change in settings -> interface - LAN.
The LAN interface - IPv6 Configuration Type -> was set to “Track Interface”
This caused the sensei crash at my end.

When I changed this to “none”
And save, sensei can be started again and is up and running now.

Update:

p.s. There were some more things to fix on the interface part, also see here: https://forum.opnsense.org/index.php?topic=24248.0

497
Zenarmor (Sensei) / [SOLVED] Sensei does not start after upgrade to opnsense 21.7.1
« on: August 04, 2021, 06:45:26 pm »
Sensei does not start after upgrade to opnsense 21.7.1
it fails to load

have others this problem also?

498
21.1 Legacy Series / Re: email smtp port 25 and 587 firewall rule/port forward protection
« on: August 03, 2021, 08:35:43 am »
humm… on Opnsense 21.7 I tried some different settings in the outbound rule.

When:
- changing the source to myVPN network address -> after some time, the iPhone 4g email stops working. It looks like it takes a couple of minutes before the changed outbound rule takes effect.
- changing the source to the ip range of openvpn -> same result - stops working
- changing the source to <Lan address>  (I learned earlier that this is the opnsense ip-address on the lan only) -> same result, stops working
- changing the source to <Lan Network> same result
- changing the source to OpenVPN network -> same result - stops working
- changing the source to This Firewall -> I can receive emails on my MacBook Pro on local wifi and using an email to send to my own email server e-mailaccount. Replying on that email back (with my own email server) is not working….
- changing the source to any -> everything is working again…. I find this very strange… I should be able to narrow this rule in my opinion.

And when source is any -> on my iPhone 4g - NOT connected to VPN - and trying to get email and send email on the mail app for my own mailserver works also….

I surely do not know what is causing this all. I have on my synology firewall a rule to only accept port 587 and 993 to accept ip range lan and ip range vpn.
So when no vpn is on on the iPhone 4g, it should not accept email…. But it does… It looks to me that there is a flaw in opnsense 21.7 to let the connection through with the ip 192.168.1.1 (the ip of opnsense) ????

What is causing this? Openvpn fault? Opnsense 21.7 fault? Or my fault in what?

499
Virtual private networks / Re: Openvpn port forward ->hitting the real ip instead of virtual Ip?
« on: August 03, 2021, 08:33:50 am »
humm… I tried some different settings in the outbound rule.

When:
- changing the source to myVPN network address -> after some time, the iPhone 4g email stops working. It looks like it takes a couple of minutes before the changed outbound rule takes effect.
- changing the source to the ip range of openvpn -> same result - stops working
- changing the source to <Lan address>  (I learned earlier that this is the opnsense ip-address on the lan only) -> same result, stops working
- changing the source to <Lan Network> same result
- changing the source to OpenVPN network -> same result - stops working
- changing the source to This Firewall -> I can receive emails on my MacBook Pro on local wifi and using an email to send to my own email server e-mailaccount. Replying on that email back (with my own email server) is not working….
- changing the source to any -> everything is working again…. I find this very strange… I should be able to narrow this rule in my opinion.

And when source is any -> on my iPhone 4g - NOT connected to VPN - and trying to get email and send email on the mail app for my own mailserver works also….

I surely do not know what is causing this all. I have on my synology firewall a rule to only accept port 587 and 993 to accept ip range lan and ip range vpn.
So when no vpn is on on the iPhone 4g, it should not accept email…. But it does… It looks to me that there is a flaw in opnsense 21.7 to let the connection through with the ip 192.168.1.1 (the ip of opnsense) ????

What is causing this? Openvpn fault? Opnsense 21.7 fault? Or my fault in what?

500
Virtual private networks / Re: Another OpenVPN Struggle
« on: August 03, 2021, 07:56:12 am »
@marsch
when adding openvpn in opnsense by the wizard, you probably should see a rule under firewall rules.
Not under NAT portforward but under
firewall->rules->WAN:
Protocol (IPv4 UDP)- Source (*)-   Port (*)- Destination (Wan address)- Port ("Your OpenVPN port number")- Gateway (*)- Schedule (*)

If it is not yet there, add it.

501
Virtual private networks / Re: Openvpn port forward ->hitting the real ip instead of virtual Ip?
« on: August 02, 2021, 09:25:38 am »
looks like it had to do with a missing nat outbound rule:
Interface (LAN) - source (any) - source port (*) - Destination (*) - Destination port (*) - NAT Address (interface address) - NAT port (*) - Static port (NO)

now it works, but now I have to narrow this rule down to something instead of any I think....

502
21.1 Legacy Series / Re: email smtp port 25 and 587 firewall rule/port forward protection
« on: August 02, 2021, 09:24:05 am »
Looks like it was a missing NAT outbound rule(?)
When I add a NAT - outbound rule >
Interface (LAN) - source (any) - source port (*) - Destination (*) - Destination port (*) - NAT Address (interface address) - NAT port (*) - Static port (NO)

it works.......
Now I have to figure it out how to narrow it down I think.
(I'm still a fairly new user in opnsense)

503
21.1 Legacy Series / Re: email smtp port 25 and 587 firewall rule/port forward protection
« on: August 01, 2021, 10:04:24 pm »
maybe this is happening?
https://forum.opnsense.org/index.php?topic=24183.0

504
Virtual private networks / Re: Openvpn port forward ->hitting the real ip instead of virtual Ip?
« on: August 01, 2021, 10:00:42 pm »
could it be that with 21.7 this old bug has resurfaced in some other manner?

====
Quote
I have had the same issue after upgrading from 16.x.

You have to create an Alias (Firewall -> View -> Aliases) and create an alias called WANIP with the primary IP address of your router (so the WAN Address).

After that change the rule that has WAN Address in it and set the Destination address to your newly created alias. After that everything starts working.

It seems that the bug is that instead of WAN Address being used, the WAN NET is being used in the port forward.
======

I tried the above, with no difference, but the problem spoken about here:
https://forum.opnsense.org/index.php?topic=5312.0
looks the same?

505
Virtual private networks / Openvpn port forward ->hitting the real ip instead of virtual Ip?
« on: July 31, 2021, 09:39:16 pm »
I have a NAT Port Forward rule in opnsense to the local mailserver.
When I connect from outside with iPhone 4g on vpn (vpn on opnsense with Redirect Gateway on) and look at the live firewall log I see that the REAL IP of the iPhone hits the port forward rule, shouldn't it be the openvpn virtual IP that should get through ?
Can it be that this is since version 21.7?
Or how to let the outside devices go to lan with the vpn virtual ip? e.g. 10.8.0.0/24

506
Virtual private networks / Re: OPENVPN Harder than it should be
« on: July 30, 2021, 03:40:54 pm »
maybe this guide is of some help:

https://homenetworkguy.com/how-to/configure-openvpn-opnsense/

507
21.1 Legacy Series / Re: email smtp port 25 and 587 firewall rule/port forward protection
« on: July 30, 2021, 09:50:16 am »
Dear Chemlud,

Thank you for your reply.
Yes the OPNvpn is working on all other parts. I can connect, browse the internet and connect to lan available services/devices.

When I look at the firewall live view I see that my iPhone real IP gets blocked while I have an alias nat port forward with alias for 10.8.0.0/24 as for local lan and Wireguard. The last 2 are working, only the vpn/10.8.0.0/24 does not.
The realIP gets blocked instead of the virtualIP/VPNIP gets through

I have attached 2 pictures

508
21.1 Legacy Series / Re: email smtp port 25 and 587 firewall rule/port forward protection
« on: July 30, 2021, 08:45:04 am »
Testing with Wireguard VPN  -> it works and connection to email (587)
Testing with OpenVPN -> gets blocked

I am convinced openvpn was also working before opnsense 21.7. But I can't figure out why it is not working now, if it has to do with the upgrade to 21.7 and Wireguard works like it should.. I am obviously missing something

509
21.1 Legacy Series / Re: email smtp port 25 and 587 firewall rule/port forward protection
« on: July 29, 2021, 10:07:29 pm »
Humm...
I still must be doing something wrong.
When choosing LAN Network or just the Ip range of VPN 10.8.0.0/24
the port 587 gets blocked by opnsense.
My iPhone 4g connected to opnsense with vpn has a virtual-ip 10.8.0.2 but opnsense blocks it. Have I something wrong in the port forward or is this something I have done wrong in the vpn setup? with  Redirect Gateway enabled....
In the firewall log I see the REALIP of the iPhone getting blocked and not the virtual ip 10.8.0.2 getting handled...

p.s. this happened after updating to opnsense 21.7

510
Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« on: July 28, 2021, 09:40:35 pm »
Quote
Better as in what? ;-)
good question :-)
When learning about DoT and DoH I read this: "However, from a privacy perspective, DoH is arguably preferable. With DoH, DNS queries are hidden within the larger flow of HTTPS traffic. This gives network administrators less visibility but provides users with more privacy."

And that made me choose DoH back then...

But I'm also looking at opnsense and read about the native DoT usage in Unbound, added with the latest update of opnsense losing the DoH custom option in Unbound, made me switch to DoT and keeps things over here easy to manage and update future proof without having to "mesh around in the console" :-)

Thanks for your help!
Running DoT works as a charm...
