Topics - throwaway26a

#1
I haven't attempted to create a new interface in a few months, but at some point the process seems to have broken. I've been running opnsense for 3 years now and this is the first time I've had this issue. I create a new vlan, add the interface, configure a static IP and add an any/any firewall rule for the interface (just to make sure), and then I attempt to ping the interface IP (which should be up) and the results are intermittent.


Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=4ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=1ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=1ms TTL=64
Reply from 10.0.3.254: bytes=32 time=1ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.


When I ssh into the box and check the interfaces, there are some inconsistencies between different types of vlans. For example,

vlan 1270, which I've been running for ~3 years, has this config, and the new vlan 1236 has this minimal config.
Can anyone else duplicate this?


igb1_vlan1270: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LDAP (opt8)
        options=4000000<NOMAP>
        ether 90:e2:ba:25:e3:31
        inet 10.0.1.214 netmask 0xfffffff8 broadcast 10.0.1.215
        groups: vlan
        vlan: 1270 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

igb1_vlan1236: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
        description: F5_VIPs (opt31)
        ether 90:e2:ba:25:e3:31
        inet 10.0.3.254 netmask 0xffffff00 broadcast 10.0.3.255
        groups: vlan
        vlan: 0 vlanproto: 0x0000 vlanpcp: 0 parent interface: <none>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
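A check for the detached-VLAN state shown in the listing above, as an added example that is not part of the original post: it parses ifconfig output with awk and flags VLAN interfaces whose tag is 0 or whose parent interface is <none>. The sample output is trimmed from the post's own ifconfig listing; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report VLAN interfaces that
# are not attached to a parent, i.e. the "vlan: 0 vlanproto: 0x0000 ...
# parent interface: <none>" state seen in the listing above.
# SAMPLE_IFCONFIG is trimmed from the post's ifconfig output.

SAMPLE_IFCONFIG='igb1_vlan1270: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.1.214 netmask 0xfffffff8 broadcast 10.0.1.215
        groups: vlan
        vlan: 1270 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
        status: active
igb1_vlan1236: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
        inet 10.0.3.254 netmask 0xffffff00 broadcast 10.0.3.255
        groups: vlan
        vlan: 0 vlanproto: 0x0000 vlanpcp: 0 parent interface: <none>'

# find_detached_vlans (assumed name): reads ifconfig output on stdin and
# prints one line per VLAN interface whose tag is 0 or whose parent is <none>.
find_detached_vlans() {
    awk '
        # an interface header starts in column 1; remember its name
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        # the indented "vlan:" line carries the tag and the parent
        /^[ \t]+vlan: / {
            tag = $2
            parent = "<none>"
            for (i = 1; i <= NF; i++) if ($i == "interface:") parent = $(i + 1)
            if (tag == "0" || parent == "<none>")
                printf "%s tag=%s parent=%s\n", iface, tag, parent
        }'
}

# check_running_vlans (assumed name): prints any detached VLANs and returns
# non-zero when at least one is found, so it can gate a monitoring job.
check_running_vlans() {
    out=$(find_detached_vlans)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# On a live box: ifconfig | check_running_vlans
printf '%s\n' "$SAMPLE_IFCONFIG" | find_detached_vlans
```

Run against the sample it prints only igb1_vlan1236; on a live box pipe `ifconfig` into `check_running_vlans` after adding the interface, before testing with ping.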
#2
In lieu of an integrated keychain that supports key rotation on a certain date/time, I wrote a bash script to rotate the keys instead. However, the keys are hashed or encrypted in the config file. Does anyone happen to know the method that obfuscates the keys inside the ipsec.secrets file?
#3
General Discussion / NETFLOW export to Splunk
March 03, 2022, 09:48:18 PM
Has anyone tested sending netflow data to splunk? I've captured data using an intermediate forwarder as well as directly into a splunk indexer. When data is sent to the intermediate forwarder, the data is gibberish; when it's sent to the indexer, it's never received. Thoughts?
#4
Is it possible to have a separate Virtual Tunnel Interface per Phase 1? E.g. with IPSEC actively working with 1 or more IPSEC connections to different locations, the VTI created is 'enc0'. This makes monitoring with an NMS difficult, since the only interface being reported by SNMP is 'enc0'.