Messages - Monviech (Cedrik)

136
Virtual private networks / Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
« on: November 13, 2024, 05:51:31 pm »
Which client do you use?

Verify in the routing table of the client OS whether the networks are indeed all present. Some clients/OS (like Windows) dislike routes other than /24.

If not, create a full tunnel; some clients do not like split tunnels. Try to use 0.0.0.0/0 in the child.

Since I have a feeling it's the Windows native client: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#windows-10-11-native-vpn-client

Windows hated split tunneling with its native client. Rather use WireGuard or OpenVPN.

137
24.7 Production Series / Re: What determines the size of a snapshot?
« on: November 13, 2024, 01:34:57 pm »
The delta is always to your current active zpool.

These snapshots are not incremental and not in a chain relationship to each other, they are differential.

Some of them replace a lot of files and the kernel so the delta will be larger than for others.

Also, I think a lot of logging will inflate them too. Keeping them around too long will make you run out of space eventually.

138
24.7 Production Series / Re: What determines the size of a snapshot?
« on: November 13, 2024, 01:11:51 pm »
The delta is your current active ZFS pool vs. the snapshot ZFS pool for each of these snapshots.

Try marking a different one as active and you will see all values change to the delta of the new active one.

So the more files change, the larger they get over time.

139
24.7 Production Series / Re: Broadband / WAN Speed Widget?
« on: November 13, 2024, 11:57:03 am »
There is none right now that works with the new dashboard. Somebody would have to create one.

140
General Discussion / Re: Difficulty with DMZ traffic
« on: November 13, 2024, 09:07:42 am »
You can look at dynamic routing protocols to make routing between multiple routers less of a hassle, since it automates it.

E.g. for simple networks, using RIP could solve this with the os-frr plugin:

https://docs.opnsense.org/manual/dynamic_routing.html#rip-section
https://docs.opnsense.org/manual/how-tos/dynamic_routing_rip.html#setup-rip-between-routers

141
General Discussion / Re: NDProxy - Status Feature Request
« on: November 12, 2024, 02:34:48 pm »
It will soon be supported in the GUI.

https://github.com/opnsense/plugins/pull/4348

142
24.7 Production Series / Re: Captive portal + SQuid together (web proxy) is it possible ?
« on: November 12, 2024, 12:58:04 pm »
Yes, they cannot work together.

The Captive Portal is just for authentication of users, not for logging which web sites are visited.

You could force all users to use Unbound and enable verbose logging so you can log all DNS requests.

143
24.7 Production Series / Re: Captive portal + SQuid together (web proxy) is it possible ?
« on: November 12, 2024, 09:59:23 am »
https://github.com/opnsense/core/issues/7557

144
24.7 Production Series / Re: Configuring firewall and routing for a standalone wireguard server in LAN
« on: November 10, 2024, 09:28:10 am »
Just use the built-in WireGuard server of OPNsense; it will cut down all complexity and fix all routing issues.

145
General Discussion / Re: VXLAN Setup
« on: November 09, 2024, 11:27:56 am »
I just recently wrote new tutorials for VXLAN and the FRR plugin:

https://docs.opnsense.org/manual/how-tos/vxlan_bridge.html
https://docs.opnsense.org/manual/dynamic_routing.html

Maybe they can help you; I tested it all extensively, so these things should work with stock OPNsense on both sides. Please note I had trouble getting VXLAN working properly on virtual appliances. I used real network adapters, either passed through via PCIe or bare-metal OPNsense installations.

146
24.7 Production Series / Re: Port forwarding with an automation
« on: November 08, 2024, 06:15:27 pm »
That's because a port forward is destination NAT.
The automation only has outbound NAT (source NAT).

147
Virtual private networks / Re: IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
« on: November 08, 2024, 02:07:14 pm »
You can only run one shared pool per public IP address.

If you want more control you have to remove the current Phase 1+2 with eap id %any.

If you want to have different profiles for multiple users, you have to use the other example in the guide. With that you can have a separate phase 1/2 + pool per user. It's more work to set up but gives you maximum flexibility per user.

Of course if you have 10000 users that option scales badly.

148
Virtual private networks / Re: IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
« on: November 08, 2024, 01:16:12 pm »
Hello,

I think that can be controlled by the connecting client (it depends on the used client though).

Some clients can ignore the IKE Configuration Payload, and then you can choose your own routes that should be installed.

For example, the strongSwan client on Android could have two profiles, one with default options, the other with "Split tunneling" networks defined (both with the same user name etc., since it's only a client-side option that's changed).

On the OPNsense side the child would have 0.0.0.0/0 and ::/0, but on the client side it's either the full tunnel profile or a "User defined split tunnel" profile.

149
General Discussion / Re: Missing .crt Download Option in CA Management (OPNsense 24.7)
« on: November 08, 2024, 11:54:21 am »
What you need depends on what your application expects.

Some want a certificate bundle. Some want separate files for CA and Leaf Certificate and Private Key.

Without knowing what's expected, it's hard to give a suggestion on what to do.

150
General Discussion / Re: Missing .crt Download Option in CA Management (OPNsense 24.7)
« on: November 08, 2024, 09:15:56 am »
You can just rename ".pem" to ".crt" after downloading the file when using "certificate" as download option. It's the same.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved