Messages - wallaby501

#16
A few questions to help guide it along.

1) Are they on the same subnet as your linux PCs? I.e. do the same firewall rules apply to your linux PCs as your Android phone and TV?

2) Did you install with zfs? Maybe try using bectl to make a snapshot then upgrade again to 22.7 series and see if it works?

3) Have you done the log live view with maybe a few filters such as interface=$LAN (or whichever), IP=$sonyIP, etc.? Do you use netflow to gauge traffic to individual clients? That could help too.
#17
Quote from: mimugmail on March 24, 2022, 04:20:46 PM
Quote from: wallaby501 on March 24, 2022, 01:56:25 PM
I can't confirm as I didn't much use it before with my old system (on 21.x) but I'm using 22.1.2_1 with ZFS and see the same error when trying to authenticate. I couldn't authenticate over openvpn so I went back to basics, made sure freeradius is set and configured and used System-Access-Tester and still get this same error.

For you 22.1.3 should do it. I don't use zfs, no idea what's wrong over there.

Well, I've been doing a little swapping between my backup firewall and my normal one and the one on 22.1.4_1 is now working just fine authenticating via freeradius. No config changed between it all so must have just been a bug on that version or something.
Thanks!
#18
I can't confirm as I didn't much use it before with my old system (on 21.x) but I'm using 22.1.2_1 with ZFS and see the same error when trying to authenticate. I couldn't authenticate over openvpn so I went back to basics, made sure freeradius is set and configured and used System-Access-Tester and still get this same error.
#19
What is set for ipv6 in Server 2019?

Also, your "fe80:xxxxx" addresses are the private ones. And if you wanted ipv6 disabled entirely, you can do so under Firewall-Settings-Advanced if you don't plan on using it (and prefer not to for whatever reason.)
#20
21.1 Legacy Series / GeoIP inverse rule not working
March 27, 2021, 02:26:16 AM
Trying to configure GeoIP and am unsure what I am doing wrong.

I'm trying to make my firewall aliases smaller by selecting the countries I want to allow then just inverting them.
So I've selected maybe 15 countries and made a GeoIPv4 alias (only IPv4 entries).

I then go to make a rule on my LAN with
- reject
- ipv4
- in
- destination ! GeoIPv4

This does not work. It seems to just block any and all traffic on the LAN. I've upped the max firewall entries from 400k to 800k, recreated the alias etc. and nothing seems to work. My only real thought is I either need to make it out direction OR make a newer alias including GeoIPv4 and LAN in one (so I can hit my dns, etc.)
#21
Quote from: kosta on February 16, 2021, 08:03:34 PM
I hope this is a right place to post.
I have PIA VPN and trying to get it to work via OpenVPN.
What I basically want: route none but specific machines through PIA.

I've read most of this thread, and in the essence, I can either:
- have a full tunnel and everything going through the VPN or
- nothing

I tried various combinations with the boxes set in the Client-Connection (Don't pull routes and Don't add/remove routes), first, second or both checked.
NAT is configured manually, I have created both NAT for the LAN net and localhost net.
I created a rule saying IPv4* LAN net over PIA_VPN gateway.

Yet, I get the ISP-IP when querying the IP over internet.

And the same thing happens when I try doing it the other way: everything over VPN, except client x. In that case, the client remains in the VPN, although the rule is in place.

Where do I start troubleshooting?

Small edit:
I found out that if I use a "Don't pull routes" configuration, and both NAT and rules as needed, I can't browse... but I figured I can ping. Apparently resolution isn't working... so, how do I get DNS to work?

From the log:
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2021-02-16T21:04:16   openvpn[76240]   PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.32.112.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.32.112.224 255.255.255.0,peer-id 2,cipher AES-128-GCM'

This will be basic and quick but I believe I got it.

1) Configure your aliases- just whatever you want to put behind a vpn.
2) Configure your client- this varies between VPN providers but the stickler is leaving don't pull routes unchecked but do check "Don't add/remove routes".
3) Add the interface- don't change defaults- just add it.
4) NAT outbound- make it hybrid and then add a rule

  • VPN interface
  • Source- your VPN alias for what is behind it
  • NAT Address- VPN interface (I did not leave this as Interface Address)
5) Firewall rule on LAN that is pass, IPv4, direction in, vpn alias as source, sent out the VPN gateway, then expand advanced and set local tag NO_WAN_EGRESS or other. This rule needs to be above your default LAN pass rule.
6) I like this one just in case- firewall rule on LAN above #5- reject, ipv4 tcp/udp, source is your vpn alias, dest is LAN address, port 53 (or select DNS). This will block VPN clients from your internal DNS just in case.
7) Firewall rule on floating- Reject, IPv4, direction out, source and dest are any, gateway is your normal WAN gateway. Expand advanced and on Match tag put NO_WAN_EGRESS (or whatever common thing you want- we are just matching the tags for policy routing.)

Going off memory but I believe that is it. You can test for dns leaks while it's up with whatever client you want that is in your alias list. Should ping, have DNS, etc. If you are assigning clients into a certain subnet (which I do), you can set them statically in your VPN alias range AND set their DNS options there like using OpenDNS or other. Or set them on the client itself- whichever works.

I tested for leaks and found it worked. Then I set a constant ping and confirmed it was going out properly. From there I disabled the VPN tunnel and having 2 windows on the GUI I could see that the firewall blocked it as it was catching the NO_WAN_EGRESS floating rule. Enabled the client, ping did not start going through because I think the state was kept. In any case, restarted the ping fine and then did another dns leak test and it was confirmed good.
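As an added illustration (not the poster's configuration and not the ruleset OPNsense itself generates), the GUI steps above expressed as a pf.conf fragment, so the tag-based policy routing can be read in one place. The interface names (lan, wan, ovpnc1), the alias members, and the tunnel gateway address are assumed sample values; on a real box the gateway is whatever the tunnel pushes (the log above shows route-gateway 10.32.112.1 for that provider).

```pf
# Added example, hand-written to mirror the GUI steps; interface names,
# alias members and the gateway address are assumptions.
table <vpn_clients> { 192.168.1.50, 192.168.1.51 }   # step 1: alias of hosts to send through the VPN
vpn_gw = "10.32.112.1"                                # steps 2-3: tunnel gateway on ovpnc1 (assumed)

# step 4: hybrid outbound NAT on the tunnel interface, source-NAT the VPN
# clients to the tunnel interface address (not the WAN address)
nat on ovpnc1 inet from <vpn_clients> to any -> (ovpnc1)

# step 6: VPN clients may not use the firewall's own resolver on LAN
block return in quick on lan inet proto { tcp, udp } from <vpn_clients> to (lan) port 53

# step 5: above the default LAN pass rule, route the VPN clients out the tunnel
# and tag the connection so the floating rule below can recognise it
pass in quick on lan inet from <vpn_clients> to any \
    route-to (ovpnc1 $vpn_gw) tag NO_WAN_EGRESS keep state

# step 7: floating rule, direction out on the normal WAN gateway: anything that
# carries the tag must never leave via the WAN, so a tunnel outage fails closed
block return out quick on wan tagged NO_WAN_EGRESS

# the ordinary LAN pass rule stays below the tagged rule
pass in on lan inet from (lan:network) to any keep state
```

The fragment is for reading next to `pfctl -sr` on the firewall, not for loading by hand, since OPNsense regenerates its ruleset from the GUI. Two things worth checking after wiring this up: `pfctl -nf <file>` parses a rule file without loading it (the same kind of syntax check the GUI does on apply), and existing states keep the routing decision they were created with, which matches the observation above that a running ping did not resume by itself when the tunnel came back. Flushing the affected states (`pfctl -k <host>`) or restarting the client session makes new states pick up the current rules.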
#22
So it was a bit different coming from pfsense but this is working so far. I'm sure there are some tweaks needing to be made but it does load balance properly.

1) Make a VIP as the load balancer under Interfaces-Virtual IPs (IP alias)
2) In Services-haproxy-Real Servers set up your real servers as the actual control plane nodes- IP, port, and do not check SSL
3) Go to Rules and Checks and make a healthcheck- http, GET, healthz, HTTP1.1 version, and the FQDN of your VIP host (load balancer FQDN). Do click "Force SSL" as you need that for the check.
4) Click on virtual services and make your backend pool comprising those nodes from above. TCP, Source-IP hash seems fine, your servers, enable health checking and select your check you just made, and set stick table persistence to source-ip.
5) Click virtual services dropdown arrow and then Public Service. This is the frontend. Select your listen addresses (VIP FQDN and IP), TCP, select the backend pool you just made. I didn't do anything else to this.
6) Settings-Service. Save and test the syntax and check the boxes to enable haproxy and then hit apply.

Should be good to go then.
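For reference, an added hand-written HAProxy configuration that corresponds to the GUI steps above; it is not the file the OPNsense haproxy plugin generates and not the poster's own config. The VIP 192.0.2.10, the control-plane node addresses 10.0.10.11-13, and the FQDN k8s-api.example.test are assumed sample values.

```haproxy
# Added example mirroring the GUI steps; addresses and the FQDN are assumptions.

# Health check + backend pool (the "Rules and Checks" and "Virtual Services" steps)
backend k8s_control_plane
    mode tcp                            # TCP passthrough: TLS terminates on the apiserver
    balance source                      # source-IP hash
    stick-table type ip size 10k expire 30m
    stick on src                        # stick table persistence keyed on source IP
    # The check speaks HTTPS to /healthz with the load balancer FQDN as Host,
    # even though client traffic is relayed as raw TCP.
    option httpchk
    http-check send meth GET uri /healthz ver HTTP/1.1 hdr Host k8s-api.example.test
    http-check expect status 200
    # "Force SSL" on the check is check-ssl; the server lines carry no "ssl"
    # keyword, matching "do not check SSL" on the Real Servers page.
    # verify none keeps the sample short; ca-file pointed at the cluster CA is stricter.
    server cp1 10.0.10.11:6443 check check-ssl verify none
    server cp2 10.0.10.12:6443 check check-ssl verify none
    server cp3 10.0.10.13:6443 check check-ssl verify none

# Public service on the VIP (the frontend step)
frontend k8s_api
    bind 192.0.2.10:6443
    mode tcp
    default_backend k8s_control_plane
```

`haproxy -c -f <file>` performs the same syntax test as the Settings page before enabling the service; once it is up, the stats output shows each cp server flipping to UP only after /healthz answers 200, which is the quickest way to confirm the check really reaches the nodes rather than being skipped.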
#23
I actually somehow got this going after a lot of trial and error (still not sure it's correct.) I will update this post when I'm back at my computer with details on what to configure and how.