Messages - netnut

Pages: 1 ... 7 8 [9] 10 11 ... 19
121
General Discussion / Re: Howto setup rules for linux repository updates
« on: January 25, 2024, 12:40:44 am »
You can configure multiple DNS names in a Host Alias; if "resiliency" is an issue, configure multiple in your (neighbouring) country. Looking at the hostnames in the mirror overview, they are pretty random, so a regex wouldn't work.

*.archive.ubuntu.com could work with a DNS wildcard or regex, they standardized their mirror naming. For Debian, Fastly redirects to the right mirror through debian.map.fastly.net.

You might want to write an HTML scraper and run it daily to fill the list.


122
General Discussion / Re: Howto setup rules for linux repository updates
« on: January 25, 2024, 12:18:12 am »
Quote from: deajan on January 25, 2024, 12:11:39 am
Or any other solution I didn't think about, other than a regex that allows anything containing "mirror" ^^

Instead of some generic entry point which automagically decides which is the nearest / fastest every time, pick one from this list which works for you.

https://mirrors.almalinux.org/


Until AI is at the next level: If you want a "restricted" (firewall) policy for a dynamic resource you should configure _something_.

123
Virtual private networks / Re: IPsec to Cisco ASA - received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
« on: January 25, 2024, 12:05:07 am »
Quote from: Moonshine on January 24, 2024, 11:12:26 pm
Still it didn't seem far off from the configuration I *think* I'm working against, other than the example seemed to show "group 5" being used (1536 bits) instead of 2.

If you can work with the people on "the other side" you definitely want to work to something like this:

  • aes128gcm16 / aes256gcm16 (128 bits should be sufficient for most cases, the important part is using GCM instead of CBC)
  • SHA256 (SHA384 / SHA512)
  • EC Group => ecp256 (ecp384 / ecp521)

124
General Discussion / Re: Howto setup rules for linux repository updates
« on: January 24, 2024, 11:40:17 pm »
Quote from: deajan on January 24, 2024, 11:06:47 pm
Has anyone ever found an elegant solution for this scenario ?

If you're using a "Host Alias" this shouldn't be that difficult. As you said, it depends on which mirror you use and if/how the CDN behind it is operating. But with a little trial & error you should set up your alias in 5 min.

This is an example of a Host Alias that has been working for years here; it's the official Debian mirror, which uses Fastly, but everything is behind a single CDN hostname which is automatically resolved by OPNsense for IPv4 & IPv6. Took me 3 or 4 apt-get runs to define.

If you still have issues look for some other, more 'static' mirror which doesn't use a CDN or redirects. But the Host Alias is the way to go IMHO.


```json
{
  "3e976b85-d2a7-40d7-ac2b-b39059c37953": {
    "enabled": "1",
    "name": "PUB_DEBIAN_MIRROR",
    "type": "host",
    "proto": "",
    "interface": "",
    "counters": "0",
    "updatefreq": "",
    "content": "security.debian.org\ndeb.debian.org\ndebian.map.fastly.net\nmetadata.ftp-master.debian.org\n",
    "categories": "",
    "description": "Public Debian Mirror"
  }
}
```
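The "write a scraper and run it daily" idea from post 121 and the alias layout exported above, worked through as an added example (this is not code from the forum posts or from the OPNsense project). The HTML is a constructed sample of what a mirror-list page looks like, the mirror hostnames in it are hypothetical, and the alias record only copies the field layout of the exported alias shown in the post; it is not produced by any OPNsense API call.

```python
"""Added example: scrape a mirror-list page for web-reachable mirror hostnames
and emit them as OPNsense Host-Alias content (one entry per line).
The HTML below is constructed sample input; the hosts in it are hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import json
import re

# Constructed sample page: one row per mirror, several link types per row.
SAMPLE_MIRROR_PAGE = """
<html><body><table>
<tr><td>NL</td><td><a href="https://mirror.example-nl.net/almalinux/">https</a>
                  <a href="http://mirror.example-nl.net/almalinux/">http</a></td></tr>
<tr><td>DE</td><td><a href="https://ftp.example-de.org/pub/almalinux/">https</a></td></tr>
<tr><td>US</td><td><a href="rsync://rsync.example-us.com/almalinux/">rsync</a></td></tr>
<tr><td>--</td><td><a href="/about">about this page</a></td></tr>
</table></body></html>
"""

# Syntactic hostname check so that junk never ends up in a firewall alias.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


class MirrorLinkParser(HTMLParser):
    """Collect the hostname of every <a href> that points at an HTTP(S) mirror."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href", "")
        u = urlparse(href)
        # Package managers fetch over HTTP(S); rsync-only mirrors and
        # relative links (navigation) are not useful in a packet-filter alias.
        if u.scheme in ("http", "https") and u.hostname:
            self.hosts.append(u.hostname.lower())


def extract_mirror_hosts(html):
    """Return sorted, de-duplicated, syntactically valid hostnames found in html."""
    parser = MirrorLinkParser()
    parser.feed(html)
    return sorted({h for h in parser.hosts if HOSTNAME_RE.match(h)})


def alias_content(hosts, extra=()):
    """Alias 'content' field: newline-separated entries with a trailing newline,
    the same encoding as the exported alias in the post. 'extra' lets you keep
    fixed entries (e.g. a security mirror) in front of the scraped ones."""
    return "".join(f"{h}\n" for h in (*extra, *hosts))


def build_host_alias(name, description, hosts, extra=()):
    """Alias record with the same field layout as the exported OPNsense alias
    (layout copied from the post; assumed sufficient for an import)."""
    return {
        "enabled": "1",
        "name": name,
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": alias_content(hosts, extra),
        "categories": "",
        "description": description,
    }


if __name__ == "__main__":
    hosts = extract_mirror_hosts(SAMPLE_MIRROR_PAGE)
    alias = build_host_alias("PUB_ALMA_MIRROR", "Public AlmaLinux mirrors", hosts)
    print(json.dumps(alias, indent=2))
```

In a daily job you would fetch the real mirror page instead of the constructed sample, diff the resulting content against the alias currently on the firewall, and only then push the change; how the record is imported (GUI import or API) is outside this example.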

125
Virtual private networks / Re: IPsec to Cisco ASA - received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
« on: January 24, 2024, 09:47:43 pm »
Quote from: Moonshine on January 24, 2024, 08:58:10 pm
They are using a Cisco ASA 5505 which seems to be a little dated from what I can tell.

Well, that's not the most modern appliance ;-) but it definitely could do _much_ better. Looks like the proposal is configured with a default / standard wizard for maximum compatibility (and minimum security ;-)).

They even have a Strongswan inspired documentation page:

https://www.cisco.com/c/en/us/support/docs/interfaces-modules/virtual-private-network-module/221568-vpn-technologies-documentation-reference.html#toc-hId--1867615638

126
Virtual private networks / Re: IPsec to Cisco ASA - received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
« on: January 24, 2024, 08:40:38 pm »
Quote
In looking through the list for ESP proposal the only thing I saw that seemed like it might match is "aes256-sha512-modp1024 [DH2]" just going off the DH2 primarily (Diffie-Hellman #2?) But choosing that doesn't seem to help.

Looking at the "table" from your remote peer I suspect (seeing 3des and md5) their interpretation of SHA is SHA1.

So you could try aes256-sha1-modp1024, but as @Monviech already mentioned you need to use the "old" interface for that.

Be aware that this combo is pretty insecure; funnily enough, the best part is SHA1 used as HMAC. Although you have AES256, it's in CBC mode, and modp1024 (or even modp2048), well....

You might want to ask the remote peer to look at some available software updates for their VPN appliance, but it might be possible the box has been EOL for quite some time. Or is this one of the cloud providers you're trying to connect to?
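The proposal advice in posts 123 and 126 (GCM instead of CBC, SHA256 or better instead of SHA1, an EC group instead of modp1024), turned into a check you can run over a peer's proposal list. This is an added example, not code from the forum or from strongSwan/OPNsense; it parses strongSwan-style proposal strings with its own small grammar, and the thresholds (MODP below 3072 bits flagged, matching the post's doubts about modp2048) are this example's choices.

```python
"""Added example: parse strongSwan-style IKE/ESP proposal strings such as
"aes256-sha1-modp1024" and list the weak components the forum posts warn about.
The keyword grammar is a subset written for this example, not a strongSwan API."""
import re

# Encryption: aesNNN = AES-CBC, aesNNNgcmNN / aesNNNccmNN = AEAD modes.
ENC_RE = re.compile(r"^(aes|3des|des|chacha20poly1305)(\d{3})?(?:gcm(\d+)|ccm(\d+))?$")
INTEG_RE = re.compile(r"^(md5|sha1|sha256|sha384|sha512)(?:_\d+)?$")
PRF_RE = re.compile(r"^prf(md5|sha1|sha256|sha384|sha512)$")
DH_RE = re.compile(r"^(modp(\d+)|ecp(\d+)(bp)?|curve25519|curve448)$")


def parse_proposal(proposal):
    """Split 'aes128gcm16-prfsha256-ecp256' into enc/aead/integ/prf/dh fields."""
    out = {"enc": None, "aead": False, "integ": None, "prf": None, "dh": None}
    for token in proposal.lower().split("-"):
        if m := ENC_RE.match(token):
            out["enc"] = token
            out["aead"] = token.startswith("chacha20") or bool(m.group(3) or m.group(4))
        elif m := INTEG_RE.match(token):
            out["integ"] = m.group(1)
        elif m := PRF_RE.match(token):
            out["prf"] = m.group(1)
        elif DH_RE.match(token):
            out["dh"] = token
        else:
            raise ValueError(f"unknown proposal token: {token}")
    return out


def weaknesses(proposal):
    """Human-readable findings for one proposal; an empty list means acceptable."""
    c = parse_proposal(proposal)
    findings = []
    enc = c["enc"] or ""
    if enc in ("des", "3des"):
        findings.append(f"{enc}: obsolete 64-bit block cipher")
    elif enc.startswith("aes") and not c["aead"]:
        findings.append(f"{enc}: AES in CBC mode; prefer an AEAD mode (GCM)")
    if c["integ"] in ("md5", "sha1"):
        findings.append(f"{c['integ']}: legacy integrity algorithm; prefer sha256 or better")
    if c["prf"] in ("md5", "sha1"):
        findings.append(f"prf{c['prf']}: legacy PRF; prefer prfsha256 or better")
    dh = c["dh"]
    if dh is None:
        findings.append("no DH group: no (re)keying exchange / no PFS for this child")
    elif (m := re.match(r"modp(\d+)$", dh)) and int(m.group(1)) < 3072:
        # Example's own threshold: groups 2 (1024), 5 (1536) and 14 (2048) all flagged.
        findings.append(f"{dh}: MODP group below 3072 bits; prefer ecp256/ecp384")
    return findings


def acceptable(proposal):
    return not weaknesses(proposal)


if __name__ == "__main__":
    # The ASA-compatible combo discussed in the thread beside the recommended ones.
    for p in ("aes256-sha1-modp1024", "aes256-sha512-modp1024",
              "aes128gcm16-prfsha256-ecp256", "aes256gcm16-sha384-ecp384"):
        print(f"{p:32} -> {weaknesses(p) or 'OK'}")
```

Run it over every line of a peer's "table" of supported transforms and you get, per proposal, exactly which part (cipher mode, hash, DH group) is the reason to ask them for an upgrade.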

127
General Discussion / Re: Set Date and Time using GUI. Feature request
« on: January 24, 2024, 08:10:00 pm »
Quote from: thereaper on January 24, 2024, 09:20:54 am
Yes. But it is a cascading failure.
- Box boots with date 01-01-2012

Do you have a hardware defect? You could simply solve it by changing the battery:

https://www.duracell.com/en-us/products/lithium-coin-batteries/

128
General Discussion / Re: VLAN untag on specific interface
« on: January 24, 2024, 08:03:35 pm »
From a quick look at your screenshots:

The Bridge Device is the only interface that should be numbered (including the tunables you did)

Bridge member interfaces should be unnumbered

Create VLAN10 on your LACP uplink and bridge that VLAN10 device under bridge0

The bridge interface ip will be the gateway interface for VLAN10

129
Tutorials and FAQs / Re: [HowTo] - PPPoE, VLAN & RFC4638
« on: January 23, 2024, 10:40:33 pm »
Quote from: Marinoz on January 21, 2024, 07:08:47 pm
Newbie here. If my ISP's config uses only a VLAN tag, do I follow the IPTV or the VLAN IPv4/6 config? And BTW I found this info in the router config because I got no manual from my ISP or any kind of instructions, neither for OPNsense nor for what to set at each label.

If your ISP is using VLANs you need to know which VLAN IDs are used for which service upfront. This How-To is using VLAN IDs 4 & 6 for IP connectivity and IPTV, but this will/may be different for each and every other ISP.

The only thing that matters is the VLAN ID of the VLAN interface you create, it should match the ID your ISP is using for the service you like to consume.

You're free to name this interface anything you like. The required IP configuration on this interface also depends on the specs and requirements of your ISP (i.e. Static, DHCP, PD etc.)

130
Virtual private networks / Re: IPSec between OPNSense and EdgeRouter Infinity, no traffic from OPNSense side
« on: January 09, 2024, 06:16:16 pm »
You're using the "new-style" IPsec config, did you _uncheck_ the "Policies" flag at the child (Phase 2) config ?

131
Virtual private networks / Re: IPSec between OPNSense and EdgeRouter Infinity, no traffic from OPNSense side
« on: January 08, 2024, 10:12:10 pm »
Quote from: ermitgilsukaru on January 08, 2024, 05:08:17 pm

The problem seems to be that the OPNsense gets traffic through the tunnel but doesn't send it to the ipsecN interface (and likewise, traffic from the inside network that should be routed to the other end of the IPsec tunnel doesn't enter the ipsecN interface).

The tunnel is up according to the VPN > IPSec > Status Overview page and I can see traffic arriving on the enc0 interface with tcpdump. However, tcpdump on the ipsec10 interface doesn't show any traffic.

https://docs.opnsense.org/manual/vpnet.html#route-based-vti

Quote
I followed the guide at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html to set up a new-style connection instead of the "legacy" style.

Any hints?

Did you set static routes for the relevant networks ?

132
Tutorials and FAQs / Re: [HowTo] - PPPoE, VLAN & RFC4638
« on: January 03, 2024, 05:06:04 pm »
Quote from: truesword88 on January 03, 2024, 04:30:25 am
Does this patch apply to '23.7.10_1-amd64' -

https://forum.opnsense.org/index.php?topic=21207.msg176018#msg176018

Quote
I seem to be getting something like 4 out of 5 failed block messages.

Block messages ? This is about MTU, not packet filter.

133
Virtual private networks / Re: IPSec Connection Between Two OPNsense Firewalls
« on: December 28, 2023, 01:24:10 am »
Quote
I am wondering that I am getting the traffic selector unacceptable bc Site B is behind a router?

Yes, if Site B's upstream IP is private (NAT as DMZ host from router) but the traffic selector is for the Public IP you might see this "unacceptable" message.
I don't have a direct answer what to change in the GUI though; what could help is converting the "old" OPNsense IPsec config to the new-style in the GUI and copy/pasting your "raw" strongSwan config (you need to do that anyway at some point in time). You then get the new strongSwan "connection" style configuration and can see how the remote TS is configured in there.

```sh
cat /usr/local/etc/swanctl/swanctl.conf
```
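What the "connection" style configuration looks like for the case described in this post (Site B behind a NAT router, traffic selector pointing at the LAN rather than the public IP), as an added example: this is a hand-written strongSwan swanctl.conf, not the file OPNsense generates, and every address, ID and secret in it is a placeholder from the RFC 5737 / RFC 1918 ranges. The proposals are the AEAD / SHA256 / EC-group style recommended earlier in this thread.

```conf
# Added example (not OPNsense output): site-to-site IKEv2 to a peer behind NAT.
# All addresses, IDs and the PSK are placeholders.
connections {
    site-b {
        version = 2
        # this firewall's public IP
        local_addrs  = 203.0.113.10
        # the public IP of site B's *router*, which forwards IKE/ESP to the DMZ host
        remote_addrs = 198.51.100.20
        # AEAD cipher, SHA-256 PRF, EC group instead of modp1024 (DH group 2)
        proposals = aes128gcm16-prfsha256-ecp256
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # site B's firewall sits behind NAT, so its IKE identity is its
            # private WAN address, not the router's public IP
            id = 192.168.1.2
        }
        children {
            lan-to-lan {
                # LAN behind this firewall
                local_ts  = 10.0.0.0/24
                # the network directly connected at site B, NOT its public IP;
                # a remote_ts of 198.51.100.20/32 is the "traffic selector
                # unacceptable" situation the post describes, since nothing
                # behind site B's firewall carries that address
                remote_ts = 10.0.1.0/24
                esp_proposals = aes128gcm16-ecp256
                start_action = start
            }
        }
    }
}
secrets {
    ike-site-b {
        id = 192.168.1.2
        secret = "replace-with-a-long-random-psk"
    }
}
```

When comparing this against the file dumped by the `cat` above, the two lines to check are `remote_ts` (must be the peer's private network) and the remote `id` (must match what the NATed peer actually sends, otherwise authentication, not the traffic selector, is what fails).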

134
Virtual private networks / Re: IPSec Connection Between Two OPNsense Firewalls
« on: December 28, 2023, 12:30:08 am »
Quick Note: You've posted public IPs and PSKs. I can't judge if they are real; if they are, please change your PSK ASAP!!!

Back to your problem, is 10.0.1.0/24 directly connected at site B ?

135
General Discussion / Re: I Set Up A VLAN But Can't Ping Systems On It
« on: December 28, 2023, 12:20:28 am »
Quote from: isaacthekind on December 28, 2023, 12:09:58 am
Yeah when I graduate to big boy hardware I want to get away from Cisco, a lot of smart people seem to complain about it, this is just a cheapo used switch for learning purposes.

Well, although not a fan (*sigh*), you own a decent piece of hardware. I guess every (network) device has its quirks, you just have to know what these are ;-).

Quote
Thanks for putting up with my insane levels of confusion here. Hugely appreciated.

You're welcome, love your persistence and can-do mentality!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved