Topics - fsebera

Pages: [1] 2
1
21.7 Legacy Series / Problem: OPNsense fw with IPSec VPN fails after reviewing config
« on: February 01, 2022, 06:09:23 pm »
We set up the OPNsense fw 21.x (21.7.8) with a policy based site-to-site IPSec VPN tunnel with the latest IKEv2 and mid-level security parameters. Everything (the VPN tunnel, static routing, filtering policies) has been operational for several months now.

Our problem:
We noticed that if we review the GUI IPSec VPN configuration (Phase I and/or Phase II) this causes the tunnel to fail several hours later without warning. If we reboot the fw the VPN tunnel recovers, but if we review the IPSec VPN configuration again, same issue: the tunnel later fails. We noticed that if we review the IPSec VPN tunnel configuration on a Friday the tunnel fails sometime on Friday and on Monday morning it is still in a failed state. We sort of assumed after several days it would recover on its own but it did not. Rebooting reactivated the tunnel.

NOTE: If we don't review the IPSec VPN tunnel configuration the tunnel remains up without issues.

We have been applying the OS updates hoping the bug we are experiencing would be corrected but so far the issue persists and we are currently running OS ver 21.7.8.

The fw log reports it was ignoring an in-process request due to already processing, then the fw closed and deleted the child SA/SPI, which left the session in a half-open, hung state. The remote side continues to query. A reboot clears the failed session. The remote side is a Fortigate fw that has many other IPSec VPN tunnels without issues.

We have tried to use the GUI VCR buttons (green arrow and gray square) to reset the vpn tunnel but this only causes the fw to later reboot on its own.

Wondering if we could restart some process other than rebooting the entire fw. We plan on upgrading to OS 22 but were hoping to get a fix before then. I know someone would like to see our configuration but I doubt I can provide this for obvious reasons; perhaps I can provide sections of the config.
Thank you Frank

2
21.7 Legacy Series / OPNsense Security vulnerabilities site
« on: January 11, 2022, 05:35:27 pm »

Is there a web site that shows known OPNsense security vulnerabilities?

Thank you
Frank

3
21.7 Legacy Series / Is there a procedure to downgrade OPNsense OS
« on: January 11, 2022, 04:46:07 pm »

Upgrading OPNsense is simple and easy, but once the upgrade has completed, if you discover an issue with the upgrade, is there a method to revert to the previous OS version?

Thanks

4
21.7 Legacy Series / Is there a different GUI interface available???
« on: September 23, 2021, 05:27:46 pm »
 
Wondering if there is a different (better) GUI interface for OPNsense (latest OS). I'm currently using the web based GUI as it's the only interface I am aware of.
Thank you
Frank

5
21.1 Legacy Series / Is there a different GUI interface available???
« on: September 23, 2021, 05:26:21 pm »
 
Moved this message to Production Series as I cannot delete this message.

6
21.7 Legacy Series / Simple changes cause BGP to reset
« on: September 21, 2021, 07:27:14 pm »
 
I downloaded, installed and configured the os-frr plugin for dynamic routing for BGP -- OPNsense 21.1.9_1. Testing and evaluating in an isolated test lab.

I notice every little change within OPNsense causes BGP to reset, which forces a BGP reinitialization. BGP resetting of course brings the network down. For example, changing the routing logging level, or adding or removing a prefix filter, etc., causes BGP to reset. How do others work with this vendor's product? Is there a fix to these issues other than "don't make changes"? LOL

Thanks
Frank


7
21.7 Legacy Series / How to enable route date and timestamps?
« on: September 21, 2021, 05:09:41 pm »
 
My Question: Is there a way to show the date and time of routes?
 
I usually judge the stability of the network (other vendors) by how old or new my routes are.
 
Thank you
Frank

8
21.1 Legacy Series / BGP Router-id same on both peers
« on: September 13, 2021, 07:34:44 pm »
 
I configured OPNsense FW with the complete configuration, interfaces, admins, rules, NAT, IPSec and BGP... verified operational and then cloned it. Now both boxes had the same BGP Router-ID and I cannot find the settings to change it.
 
Anyone know how to change the BGP Router-ID?
 
Thank you
Frank

9
Virtual private networks / Routed Point-to-Point IPSec IKEv2 VPN Tunnel with discontiguous nets
« on: September 09, 2021, 08:55:28 pm »
I setup OPNsense (latest 21.x version) to MikroTik routed Point-to-Point IPSec IKEv2 VPN with dynamic BGP routing in my isolated test lab for a pre-production implementation.

While capturing through data traffic on my vCloud (simulated Internet) I noticed traffic being forwarded to the OPNsense configured "Remote Network" address range does get encrypted, NATed and routed end-to-end; this is correct behavior. However, I notice traffic that falls outside the "Remote Network" address range is not encrypted. As I analyzed this issue, I realized this is also correct behavior based on my configuration.

Example:
OPNsense IPSec VPN Tunnel Settings "Remote Network" address 192.168.3.0/24 - traffic to this range is encrypted. 
We implemented a new remote network address 172.16.25.0/23  - traffic to this range is NOT encrypted.

MY QUESTION:
OPNsense as well as MikroTik offers a single box to add a remote address. Since my 2 networks are discontiguous and cannot be changed, is there a way to encrypt both subnets, but just these 2 subnets, without encrypting any other network traffic egressing the WAN interface?

Thank you
Frank

10
21.1 Legacy Series / Site-2-Site IPSec VPN with multiple discontiguous networks
« on: September 09, 2021, 08:23:07 pm »
I setup OPNsense (latest 21.x version) to MikroTik routed Point-to-Point IPSec IKEv2 VPN with dynamic BGP routing in my isolated test lab for a pre-production implementation.

While capturing through data traffic on my vCloud (simulated Internet) I noticed traffic being forwarded to the OPNsense configured "Remote Network" address range does get encrypted, NATed and routed end-to-end; this is correct behavior. However, I notice traffic that falls outside the "Remote Network" address range is not encrypted. As I analyzed this issue, I realized this is also correct behavior based on my configuration.

Example:
OPNsense "Remote Network" address 192.168.3.0/24 - traffic to this range is encrypted. 
We implemented a new remote network address 172.16.25.0/23  - traffic to this range is NOT encrypted.

MY QUESTION:
OPNsense as well as MikroTik offers a single box to add a remote address. Since my 2 networks are discontiguous and cannot be changed, is there a way to encrypt both subnets, but just these 2 subnets, without encrypting any other network traffic egressing the WAN interface?

Thank you
Frank
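Both the Virtual private networks post and the 21.1 Legacy Series post above describe the same policy-based IPsec behaviour: only traffic that matches a Phase 2 traffic selector (a local network / remote network pair) is protected by the SA; everything else leaves the WAN in the clear. The following Python, added here as an example and not OPNsense or MikroTik code, models that selector match and adds two audit helpers for checking a tunnel design before it is configured. The local network 10.10.0.0/24, the client and server addresses, and the helper names are assumptions; 192.168.3.0/24 and 172.16.25.0/23 are the ranges from the posts.

```python
"""Policy-based IPsec traffic selector check (added example, not OPNsense/MikroTik code)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]   # one Phase 2 entry: (local network, remote network)


def make_selectors(local: str, remotes: Iterable[str]) -> List[Selector]:
    """One Phase 2 entry per remote network. strict=False normalises a prefix with
    host bits set (172.16.25.0/23 -> 172.16.24.0/23) instead of raising."""
    local_net = ipaddress.ip_network(local, strict=False)
    return [(local_net, ipaddress.ip_network(r, strict=False)) for r in remotes]


def matching_selector(selectors: List[Selector], src: str, dst: str) -> Optional[Selector]:
    """First (local, remote) pair that covers the flow, or None: the packet is sent in clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local_net, remote_net in selectors:
        if s in local_net and d in remote_net:
            return (local_net, remote_net)
    return None


def is_encrypted(selectors: List[Selector], src: str, dst: str) -> bool:
    return matching_selector(selectors, src, dst) is not None


def uncovered_prefixes(selectors: List[Selector], wanted: Iterable[str]) -> List[str]:
    """Intended remote prefixes that no selector fully covers (these leave the WAN in clear)."""
    missing = []
    for w in wanted:
        net = ipaddress.ip_network(w, strict=False)
        if not any(net.subnet_of(remote) for _, remote in selectors):
            missing.append(str(net))
    return missing


def overreach(selectors: List[Selector], wanted: Iterable[str]) -> List[str]:
    """Prefixes the selectors would encrypt beyond the intended remote networks.
    Non-empty when a supernet is used to paper over discontiguous ranges."""
    wanted_nets = [ipaddress.ip_network(w, strict=False) for w in wanted]
    leftover: List[Net] = []
    for _, remote in selectors:
        pieces = [remote]
        for w in wanted_nets:
            nxt = []
            for p in pieces:
                if p.subnet_of(w):
                    continue                          # entirely intended: drop it
                if w.subnet_of(p):
                    nxt.extend(p.address_exclude(w))  # carve the intended range out
                else:
                    nxt.append(p)
            pieces = nxt
        leftover.extend(pieces)
    return sorted(str(p) for p in leftover)


if __name__ == "__main__":
    # Constructed sample: local 10.10.0.0/24 is assumed; remote ranges are from the posts.
    single = make_selectors("10.10.0.0/24", ["192.168.3.0/24"])
    both = make_selectors("10.10.0.0/24", ["192.168.3.0/24", "172.16.25.0/23"])
    for name, sel in (("one Phase 2", single), ("two Phase 2", both)):
        for dst in ("192.168.3.10", "172.16.25.10", "203.0.113.5"):
            print(name, dst, "encrypted" if is_encrypted(sel, "10.10.0.5", dst) else "clear")
    print("missing with one selector:",
          uncovered_prefixes(single, ["192.168.3.0/24", "172.16.25.0/23"]))
    print("supernet overreach:",
          overreach(make_selectors("10.10.0.0/24", ["172.16.24.0/22"]), ["172.16.25.0/23"]))
```

With one selector the script reproduces the posts' observation: 192.168.3.x is encrypted and 172.16.25.x is not. Adding a second (local, remote) pair for the 172.16 range covers both subnets while traffic to 203.0.113.5 still leaves in the clear, which is the general policy-based answer to "these two subnets and nothing else". Two checks are worth noting: the strict=False normalisation shows that 172.16.25.0/23 as written has host bits set and actually denotes 172.16.24.0/23 (172.16.24.0 to 172.16.25.255), something both tunnel ends should agree on before the selector is entered; and overreach() shows why a single /22 supernet is not an equivalent fix, since it would also pull 172.16.26.0/23 into the tunnel.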

11
21.1 Legacy Series / OPNsense running in HA mode in Azure
« on: July 27, 2021, 08:58:14 pm »
Is there anyone running OPNsense set up in High Availability (HA) mode within Azure?

I run an evaluation test lab with OPNsense setup in HA mode in Oracle VirtualBox 6 and find that without the use of promiscuous mode, Proxy ARP or gratuitous arp-ing, OPNsense does not work effectively as an HA failover pair.

The 2 OPNsense HA boxes do forward end-user data traffic but ingress and egress traffic flows are not manageable. The only way I can get this to work in HA mode is to use IP Aliases but, as I mentioned, there is no way to control which box is forwarding the actual end-user data traffic. As soon as you refresh the ARP tables, the end-user data traffic may or may not follow the same path. When one of the HA pair fails, if you don't refresh the ARP tables on the adjacent routers, end-user data traffic stops flowing until the ARP timer expires on that path (think hours). If you set the adjacent routers' ARP timeout to a low number, every time ARP is refreshed, end-user data traffic flip-flops back and forth between the two HA pairs. Sometimes egress traffic uses the Master LAN interface while the return ingress traffic uses the WAN interface of the Backup, and this changes pretty much every time ARP refreshes.

If you run OPNsense in HA mode within Azure, would you share? PLEASE!

... And if I have something configured incorrectly, PLEASE point out my mistake!!!!!!!!

PIC of flip-flop data flows attached jpg file.

Thank you
Frank


12
21.1 Legacy Series / FW VRRP master
« on: July 23, 2021, 09:40:57 pm »
My Backup FW always takes over the data flow when it is online. It just occurred to me that VRRP uses the highest IP address when selecting the Master. And because my Backup fw was built second, it was given the higher IP addresses. Ahhhh Duh.

Sometimes things are just too simple.

Sure would be nice if OPNsense had a control feature for VRRP.
Thanks
Frank

13
21.1 Legacy Series / Interface alias VIPs and mask
« on: July 23, 2021, 08:11:41 pm »
Should the fw interface alias VIPs use the same mask as the interface they are representing?

Example:
LAN IP 192.168.25.1
Mask 255.255.255.0 (or /24)

Alias VIP LAN IP 192.168.25.254 /24

Thank you
Frank

14
21.1 Legacy Series / HA pair, how to control Master/Backup data flows
« on: July 22, 2021, 07:37:53 pm »
I have setup a pair of OPNsense fw ver 21.1 - I am hoping correctly :)

My HA pair appears to be working correctly:
Updates are being synchronized to the Backup when I click on the manual sync to Backup button on the Master
Disable preempt box is not checked on the Master
Disable preempt is checked on the Backup

Master HA STATUS shows the Master control detail stuff
Backup HA STATUS blue box states "The backup firewall is not accessible or not configured" - which is really misleading.

Master CARP vips show Master
Backup CARP vips show as BACKUP
Master skew 0
Backup skew 100

With both fw up and running, I run data traffic (SSH and continuous ping) through the firewalls; the Backup fw passes this traffic until the Backup is taken out of service, after which (after some delay) the Master passes the traffic. Once the Backup fw is brought back into service, after some delay, the Backup takes over again.

I verify what is happening by doing packet captures. Reloading both fw doesn't change the outcome, nor does allowing the Master to load first.

Any ideas and/or suggestions are welcomed... and yeah, I've been through the documentation multiple times.
Thanks
Frank


15
General Discussion / Should FW rule counters increment?
« on: July 02, 2021, 10:57:18 pm »
Hey guys, need some clarification PLEASE

A new PC requests a web page from the Internet. The traffic enters the LAN interface with the destination being some Internet based web server. The FW does increment the appropriate FW LAN inbound rule.
While the traffic is allowed out the WAN interface via an outbound rule, the outbound rule is not incremented.

Should the FW increment both the LAN inbound rule as well as the WAN outbound rule for this traffic?
Thank you
Frank
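The counter behaviour the question describes follows from stateful filtering: the first packet of a flow is evaluated against the ruleset on the interface where it arrives and, on a pass, creates a state; every later packet of that flow (including the same packet leaving on WAN, and the replies) is matched against the state table first and never reaches a rule, so only the rule that created the state counts a hit. The toy model below, added here as an example and not pf or OPNsense code, shows that with a constructed LAN client and web server (addresses assumed) and also shows the one setting that changes the outcome: an interface-bound state policy, under which the WAN outbound rule is evaluated once and does count. It assumes FreeBSD pf's default floating state policy and first-match ("quick") rule evaluation; NAT is ignored.

```python
"""Toy stateful packet filter (added example, not pf or OPNsense code).

Models why a flow entering on LAN increments only the LAN rule: the first
packet is evaluated against the ruleset and creates a state; later packets of
that flow, in either direction and on either interface, match the state and
never touch a rule counter.  NAT is ignored for simplicity.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    iface: str       # "lan" or "wan"
    direction: str   # "in" or "out"
    action: str      # "pass" or "block"
    hits: int = 0    # the GUI counter the post asks about


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFilter:
    def __init__(self, rules: List[Rule], floating_states: bool = True):
        self.rules = rules
        # FreeBSD pf default is floating (state valid on any interface);
        # if-bound keys each state by the interface it was created on.
        self.floating = floating_states
        self.states: Set[Tuple] = set()

    def _state_key(self, pkt: Packet, iface: str) -> Tuple:
        ends = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})  # direction-agnostic
        return (pkt.proto, ends) if self.floating else (pkt.proto, ends, iface)

    def process(self, pkt: Packet, iface: str, direction: str) -> str:
        key = self._state_key(pkt, iface)
        if key in self.states:
            return "state"                         # established flow: ruleset skipped
        # First-match evaluation, as OPNsense GUI rules are 'quick' by default.
        for rule in self.rules:
            if rule.iface == iface and rule.direction == direction:
                rule.hits += 1                     # only an evaluated rule counts a hit
                if rule.action == "pass":
                    self.states.add(key)
                    return f"rule:{rule.name}"
                return f"block:{rule.name}"
        return "default-block"


def simulate_web_request(floating_states: bool = True):
    """Constructed scenario from the post: LAN client 192.168.25.10 opens TCP/443
    to web server 203.0.113.80 (both addresses assumed).  Returns the rule
    counters and the per-packet decision trace."""
    rules = [
        Rule("LAN pass out to any", "lan", "in", "pass"),
        Rule("WAN pass outbound", "wan", "out", "pass"),
    ]
    fw = StatefulFilter(rules, floating_states)
    syn = Packet("tcp", "192.168.25.10", 51000, "203.0.113.80", 443)
    trace = (
        fw.process(syn, "lan", "in"),            # evaluated: LAN rule hit, state created
        fw.process(syn, "wan", "out"),           # floating: state match, WAN rule untouched
        fw.process(syn.reply(), "wan", "in"),    # return traffic: state match
        fw.process(syn.reply(), "lan", "out"),   # state match
    )
    return {r.name: r.hits for r in rules}, trace


if __name__ == "__main__":
    for policy in (True, False):
        counts, trace = simulate_web_request(floating_states=policy)
        print("floating" if policy else "if-bound", counts, trace)
```

With the default floating policy the LAN rule shows one hit and the WAN outbound rule stays at zero, which is the behaviour the post observes; an if-bound policy makes the WAN rule count the first outbound packet once, after which the flow is again handled purely by state. The practical reading for a defender is that a zero counter on an outbound rule does not mean the rule is unused or the traffic is blocked, and that per-rule counters are a poor proxy for flow volume on anything other than the interface where flows originate.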


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved