Messages - netnut

196
Virtual private networks / Re: Multiple WireGuard Instances with Different ports
« on: November 20, 2023, 11:28:39 pm »
Quote from: gdfnr123 on November 18, 2023, 06:13:25 pm
I created another WireGuard instance simulating the WireGuard that I had set up, with listen port and client endpoint ports of 123,53; however, when looking on the client end I see under Transfer that rx is 0 and the tx numbers are increasing.

With 123,53 you mean that your second WireGuard instance is listening on port 123?

1. That port is (officially) assigned to NTP; you could use it, but you shouldn't.
2. I guess (not 100% sure) WireGuard doesn't bind to restricted ports <1024 by default.

What if you change 123 to any port you like but greater than 1024? Something like 51821 for instance (and create the according rules)?


197
23.7 Legacy Series / Re: Traffic-Monitor on Dashboard is empty with Firefox
« on: November 20, 2023, 08:14:31 pm »
You should select the 'pencil' icon, select one or more interfaces and press save (hold your breath for 3sec or so). Firefox is working (for years here), shouldn't be the problem...

198
General Discussion / Re: need help with opnsense firewall
« on: November 20, 2023, 07:30:56 pm »
Use Interface Groups docs for your Firewall Rules docs

199
Virtual private networks / Re: How do I route all traffic to external VPN?
« on: November 17, 2023, 09:02:41 pm »
Quote from: frozen on November 17, 2023, 05:21:42 pm
There's very little support or documentation for any of us messing with external VPNs. I've been posting here looking for help for days now and rarely does anybody contribute.

You know this is a community forum? If you need a fix _now_ for your mission-critical setup: https://shop.opnsense.com/product-categorie/support/

Quote
OPNsense software is way overcomplicating things, as you've seen by simply trying to follow that selective routing guide; it should've been possible in less than half the steps.

Where can we find your lean-and-mean, just-enough, easy configuration How-To? I'd really like to read it.

Quote
And once the guide is done and followed to the tee, they leave you completely dry with how to make use of it afterwards!

Just send packets, no magic involved...

200
General Discussion / Re: Internet for my VLANs
« on: November 17, 2023, 08:38:15 pm »
Quote from: pandaBolide on November 17, 2023, 12:17:26 pm
BIG UPDATE :
After adding new NAT rules the connection is working !

Nice!

As "Patrick M. Hausen" already explained, automatic NAT rules (whether on OPNsense, Fritzbox, or whatever device) are normally only configured for what's known to the device, i.e. the directly connected network. You fixed it for OPNsense as I understand, but I would advise you to work towards a design where the only NAT happens where it needs to be: the Fritzbox.

It's been a while since I had a Fritzbox, but I remember they're very flexible from a configuration point of view. I'm sure you can configure a static route in your Fritzbox (just like you did from OPNsense to MikroTik). So start with something like network: "10.0.0.0/8" gateway: "192.168.3.100"; your Fritzbox now knows where to send traffic for your local LAN (via OPNsense).
The last thing to do in your Fritzbox is to NAT ALL traffic from its directly connected 192.168.3.0/24 network (which is your current setting) AND 10.0.0.0/8 (your local LAN). I don't know where to configure that in the Fritzbox, but I'm 99% sure it can be done.

The end result is that you ONLY NAT when traffic is going out of your Fritzbox to the Internet; all other routes are just standard, non-NATted routes, which makes your LAN network design simple and transparent.

Code:

  Only NAT Here!
      ______
         |
         |
         |
Internet — Fritzbox — OPNsense — MikroTik — VLAN1 / VLAN2 / VLAN3


Quote
THANKS A LOT for your guidance Patrick M. Hausen, I learned a lot today!
And thank you too netnut for your help!

You're welcome!  ;)

201
General Discussion / Re: VLAN Implementation, unsure.
« on: November 15, 2023, 09:27:48 pm »
Quote from: fbeye on November 15, 2023, 07:58:08 pm
Upon looking, it seems my Cisco SG500X can indeed do LACP, but being that it is all new to me, I may for now keep it simple (Trunk) but will indeed look into it.
The OPN is running via VM on Proxmox so I only have 2 interfaces [lan/wan], so this LACP would be assigned on the LAN interface.

If running virtualized there isn't much reason to use LACP with OPNsense; in that case it's more relevant for your (physical) Proxmox hosts. But leave that for later...

Quote
Would the GE 1 on the switch need to be L3 or keep it L2, but keep it out of any VLAN and just assign it [interface/trunk] to the GE 1?

Just L2 for your initial plan; if you want to do something L3 you can create a separate VLAN for that and play with it, not needed for your OPN setup.

FYI, your switchport will always use a VLAN if you "do" nothing, that's VLAN1 aka "default VLAN". You can use VLAN1 like any other VLAN, but it's best practice to just leave it as is. You have 4095 other digits to choose from :D.

202
General Discussion / Re: VLAN Implementation, unsure.
« on: November 15, 2023, 06:44:01 pm »
Quote from: fbeye on November 15, 2023, 06:21:43 pm
Or would I create all 3 VLANs on the OPNsense and create a tunnel from LAN to switch and leave it in L2, but assign groups of interfaces on the switch to each VLAN and let OPNsense do the routing/directing?

Both scenarios will work, but if you want full control and a (relatively) simple network design, use the switch for L2 and OPNsense for L3. Your switch can only filter stateless (ACL), and with OPNsense as default GW for all your VLANs you can easily benefit from its many services without any special setups and configs.

Just assign an interface (or more if you like redundancy with LACP, if your switch supports that) on your OPNsense firewall that's directly connected to your switch and use this as a trunk port for all your VLANs.

This interface is the "parent" where you can stack up all your (tagged) VLANs; just assign the different ports on your switch to these specific VLANs and you're King!


203
General Discussion / Re: Internet for my VLANs
« on: November 15, 2023, 06:06:58 pm »
Quote
gateway: 10.0.1.1

Did you fill in this gateway address at the LAN interface? If yes:

Delete the gateway definition from the LAN interface, leave it blank.

Create a single gateway: "System : Gateways : Single": just fill in the IP address (10.0.1.1) and interface (LAN), leave the rest default.

Create a route to your local network: "System : Routes : Configuration": with network address (10.0.0.0/8) and as gateway the gateway entry (10.0.1.1) you just created.


You now told OPNsense to route all traffic to the subnets in the 10.0.0.0/8 range (VLAN1, VLAN2 & VLAN3) via your MikroTik, which should take care of your intra-VLAN routing.



204
Virtual private networks / Re: IPsec config is not generated
« on: November 13, 2023, 09:28:29 pm »
Quote from: franco on November 01, 2023, 08:06:28 am
I'll make a ticket to maybe make this more prominent. It was mentioned to me again last week.

Yes please, finally had some time to create the 'new' swanctl config style tunnels, took me an hour or so to realize I hadn't checked the box...

If IPSec isn't enabled, the Start, Restart and Stop buttons aren't visible (Top Right Header). IMHO this might be a nice place for the enable checkbox. The checkbox itself maybe isn't the nicest visual element to have there, could be an iOS style like on/off switch/slider.

205
Tutorials and FAQs / Re: [HowTo] - PPPoE, VLAN & RFC4638
« on: November 05, 2023, 09:57:43 pm »
Quote
Anyway, I changed the WAN interface MTU value back to 1492 and 'magically' no more errors in/collisions for the parent interface

You still didn't confirm if your ISP is supporting RFC4638, which is mandatory to make "this" work.

The only last suggestion I have: when you are using PPPoE on top of a VLAN, try to set the MTU on the physical parent interface to 1512. If that doesn't work I'm out of options...   :)

206
23.7 Legacy Series / Re: Using own CA for certificates within OPNSense . How?
« on: November 05, 2023, 09:39:55 pm »
Quote from: knebb on November 05, 2023, 09:04:56 pm
Anyone some further ideas?

A few things:

Quote
Imported both keys (CA and intermediate CA) into the key management of my MacBook

Not the source of your problem, but just import the Root CA cert, all others (Intermediate and Server/Client) will be trusted.

Quote
X509v3 Subject Alternative Name:
                URI:https://router.domain.zeroed

SAN names are type DNS (or IP, but don't use that) and don't need a scheme (https), just the fqdn. It depends on your crypto library, but it's good practice to _always_ use a CN and a matching SAN entry.


Can you post your full chain, i.e. all three certs (Root, Int, Server; don't paste your key!!!). Something like:

Code:
openssl x509 -in /path/to/cert -text -noout
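As an added illustration of the SAN advice above (example code written for this page, not from the post or from OPNsense): a small DER parser for the subjectAltName extension value that classifies each GeneralName by its context tag and flags the problems named above: a URI entry, a scheme inside a DNS name, and a CN without a matching DNS SAN. The SAN byte strings are constructed inline; in practice you would feed it the extension value taken from a real certificate.

```python
import ipaddress

# GeneralName context tags inside subjectAltName (RFC 5280, section 4.2.1.6)
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI", 0x87: "IP"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Parse the DER value of a subjectAltName extension into (type, value) pairs."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE of GeneralName")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        kind = GENERAL_NAME_TAGS.get(tag, "other(0x%02x)" % tag)
        if kind == "IP":
            names.append((kind, str(ipaddress.ip_address(value))))
        else:
            names.append((kind, value.decode("ascii", "replace")))
    return names

def check_san(der, common_name):
    """Findings: wrong-type entries, a scheme in a DNS name, CN without DNS SAN."""
    names = parse_san(der)
    findings = []
    for kind, value in names:
        if kind not in ("DNS", "IP"):
            findings.append("%s entry %r is ignored for hostname matching" % (kind, value))
        elif kind == "DNS" and "://" in value:
            findings.append("DNS entry %r carries a URL scheme; use the bare FQDN" % value)
    if ("DNS", common_name) not in names:
        findings.append("CN %r has no matching DNS SAN" % common_name)
    return names, findings

def general_name(tag, value):
    # Encode one GeneralName TLV (short-form length is enough for demo names)
    return bytes([tag, len(value)]) + value

def sequence(content):
    return bytes([0x30, len(content)]) + content

# Constructed SAN values, not the certificate from the post:
SAN_BAD = sequence(general_name(0x86, b"https://router.domain.zeroed"))
SAN_GOOD = sequence(general_name(0x82, b"router.domain.zeroed")
                    + general_name(0x87, bytes([192, 168, 1, 1])))
```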


207
23.7 Legacy Series / Re: NGINX no resolver defined
« on: November 03, 2023, 07:29:33 pm »
Quote from: bimbar on November 03, 2023, 10:13:30 am
DNS servers are configured globally somewhere in system settings.

But those aren't useful for Nginx proxy setups with split DNS, or required for OCSP stapling, which is probably what the OP is doing.

Quote
As far as I know, it's not even possible to configure a DNS resolver in nginx itself.

https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver


208
Tutorials and FAQs / Re: [HowTo] - PPPoE, VLAN & RFC4638
« on: October 15, 2023, 11:14:51 pm »
Quote from: hushcoden on October 15, 2023, 12:45:45 pm
The NICs are I225-V and I'm pretty sure they support jumbo frames.

These go up to 9.5KB jumbo frames, so yeah, that NIC shouldn't be a problem. Are you really sure your ISP supports RFC4638? It's common, but certainly not default.

Quote
So, are you saying that this is a 'serious' issue even if it's on the parent interface of WAN?

Well, don't panic ;). But errors are BAD, no errors are GOOD :D.
Since the reboot for the v23.7.5 upgrade 19 days ago (and a non-reboot upgrade to v23.7.6) my pppoe and parent interfaces show zero collisions/errors; that should be the norm...

Having collisions means something is sub-optimal (or Realtek ;)); normally a collision gets resent so the effect is not always noticeable, especially on a single-interface ISP uplink.

What does "Media" in "INTERFACES: OVERVIEW" show you at the physical parent interface?

Other common things to check are the quality of your patch cable (try a non-self-made > CAT5e), and the connector (pull it in/out and check if it fits firmly on both sides).


209
Tutorials and FAQs / Re: [HowTo] - PPPoE, VLAN & RFC4638
« on: October 14, 2023, 10:49:47 pm »
Quote from: hushcoden on October 13, 2023, 06:56:08 pm
I've now changed the WAN port MTU to 1508 -> the calculated MTU goes from 1492 to 1500 and the MTU of the parent interface shows 1508. So far so good, BUT I noticed in the interface statistics that the parent interface has a never-ending number of 'errors in' and 'collisions': should I worry about it or not?

Yeah, you should.... But I would be surprised if this is related to this MTU change if your ISP is supporting RFC4638 and you're sure (double check) your NIC _supports_ >1500 MTU sizes. You can simply check by reverting the MTU change and seeing if these errors are still there in default (1492) mode.

Collision errors are in most cases related to duplex errors; check if your NIC speed & duplex settings are aligned with the switch port or modem port. Auto-negotiation shouldn't have been a problem for decades, but funky NICs (Realtek) and cheap "smart" switches can still be troublemakers. You can try to set the speed & duplex settings fixed on _BOTH_ sides manually (10/100/1000Mb / Half/Full-Duplex); just be sure _BOTH_ sides are configured exactly the same (Fixed or Auto).

If you fix the collisions you probably fix the errors with it, but one step at a time ;).

210
23.7 Legacy Series / Re: Automatically generated rules - is the reason I stopped migrating to OPNSense
« on: October 03, 2023, 11:09:54 pm »
Quote from: newjohn on October 03, 2023, 12:08:39 pm
Also, if this is not normal and confirmed by more than one user, isn't this a priority issue?

Because it isn't an OPNsense issue, which you already discovered after installing an alternative fw.

Your problem is visible in the Wireshark capture screenshot where you can see _all_ your ICMP echoes/replies with "id=0x0001". There are no states in ICMP, but deciding/relating which reply matches which echo is normally based on this unique id. So your pings from the OPT network should have another id than the initial ping from LAN.

For some reason there isn't much creativity in the uniqueness of this id, so all ICMP echoes/replies will match. Could be a client NIC, driver, bad or inferior hardware (Realtek?), funky IP stack, etc.
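To make the id-matching point above concrete, here is an added example (written for this page; it is a simplified model, not pf's real state table and not code from the post): a tracker that keys echo state on the (peer, icmp id) pair, which is all an echo reply carries back, and a constructed two-host scenario showing that replies can only be attributed correctly when the LAN and OPT hosts use different ids.

```python
import struct
from collections import namedtuple

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

# One packet as the firewall sees it: IP source, IP destination, ICMP bytes
Packet = namedtuple("Packet", "src dst icmp")

def build_icmp(icmp_type, ident, seq, payload=b""):
    """ICMP echo header (type, code, checksum, id, seq) plus payload.
    Checksum stays zero: this model only looks at id/seq, not integrity."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_icmp(data):
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return icmp_type, ident, seq

def track_echo_sessions(packets):
    """Relate echo replies to the inside host that sent the echo request.
    The only handle the reply carries back is the (peer, icmp id) pair, so
    that is the state key; the inside source is not in the reply at all."""
    state = {}       # (peer, id) -> inside host that owns the session
    collisions = []  # (peer, id, current owner, competing sender)
    delivered = []   # (peer, id, inside host the reply was forwarded to)
    for pkt in packets:
        icmp_type, ident, _seq = parse_icmp(pkt.icmp)
        if icmp_type == ICMP_ECHO_REQUEST:
            key = (pkt.dst, ident)
            owner = state.get(key)
            if owner is not None and owner != pkt.src:
                collisions.append((pkt.dst, ident, owner, pkt.src))
            state[key] = pkt.src  # latest sender takes over the state entry
        elif icmp_type == ICMP_ECHO_REPLY:
            key = (pkt.src, ident)
            delivered.append((pkt.src, ident, state.get(key)))
    return delivered, collisions

def simulate(lan_id, opt_id):
    """Constructed scenario: a LAN host and an OPT host ping the same outside
    peer, which answers each echo with the id it received."""
    lan, opt, peer = "192.168.1.10", "192.168.2.10", "203.0.113.1"
    packets = [
        Packet(lan, peer, build_icmp(ICMP_ECHO_REQUEST, lan_id, 1)),
        Packet(opt, peer, build_icmp(ICMP_ECHO_REQUEST, opt_id, 1)),
        Packet(peer, lan, build_icmp(ICMP_ECHO_REPLY, lan_id, 1)),
        Packet(peer, opt, build_icmp(ICMP_ECHO_REPLY, opt_id, 1)),
    ]
    return track_echo_sessions(packets)
```

With both hosts stuck on id 0x0001, the second request overwrites the first host's state and the LAN host's reply is handed to the OPT host, which is the symptom the capture showed.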

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved