Messages - defaultuserfoo

61
22.1 Legacy Series / Re: Problem FW stop for new connection
« on: June 14, 2022, 07:44:05 am »
Did you turn off the ramdisk?

62
Virtual private networks / Re: Ping over VPN
« on: June 14, 2022, 07:32:02 am »
I didn't say anything about gateways.

When ping is blocked, you may find it difficult to check your routes.

63
Virtual private networks / Re: WG Site-to-site - only RDP and VNC work
« on: June 14, 2022, 07:26:18 am »
Quote from: kss on June 12, 2022, 02:31:36 pm
I will give it a try, but wouldn't the general rule that allows *any* traffic already cover this? I have this on the Wireguard (group) interface --

Yes, that should work.

Are you sure that the devices you're trying to ping do answer pings at all?

64
Virtual private networks / Re: OpenVPn multiple networks
« on: June 14, 2022, 07:25:22 am »
What kind of VPN?

65
Virtual private networks / Re: WireGuard VPN - Connecting to IPs on LAN not working with the exception of GW
« on: June 14, 2022, 07:17:29 am »
If the phone is an endpoint, it should be /32.  On the endpoint, the IP addresses and/or networks that are supposed to go over the tunnel need to be allowed.

66
Virtual private networks / Re: Ping over VPN
« on: June 14, 2022, 07:11:24 am »
Quote from: Vilhonator on June 12, 2022, 09:00:33 pm
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 pm
Such a VPN provider would need to fix their configuration so that pinging is possible ...

Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.

Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it.  What's the point of having a connection that is blocked anyway.

67
Virtual private networks / Re: Ping over VPN
« on: June 12, 2022, 08:52:55 pm »
Such a VPN provider would need to fix their configuration so that pinging is possible ...

68
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 12, 2022, 08:48:51 pm »
The firewall doesn't get involved when devices are communicating directly with each other --- unless you connect everything to a hub perhaps (if you can still find one ...).  In any case, it doesn't matter what the firewall rules are in that case.

69
22.1 Legacy Series / Re: QOS with IPv4/IPv6 setup
« on: June 12, 2022, 08:38:10 pm »
With so many users all needing as much bandwidth as they can get, you might want to set up some kind of fair queueing, unless that already happens.

I looked at the rules of the traffic shaper, and it seems you should be able to specify an IPv6 address at least when you choose IPv6 as protocol.  Since you're so lucky to have static IPv6 addresses, you could set fixed leases for the devices in the DHCPv6 server for the devices you want to limit if you don't mind the privacy issues IPv6 brings about.

70
Virtual private networks / Re: WG Site-to-site - only RDP and VNC work
« on: June 12, 2022, 09:13:21 am »
Maybe you need a rule to allow TCP and UDP on the wireguard interface (or the wireguard group), and another one for ICMP if you want ping.

71
Virtual private networks / Re: Ping over VPN
« on: June 11, 2022, 11:04:20 pm »
Hmm, that's weird.  What happens to the pings when you use the default gateway?  Did you check the firewall log or a packet capture?

72
22.1 Legacy Series / Re: OPNsense as VM in Xen: Network interfaces down after Debian dom0 updates
« on: June 11, 2022, 10:59:39 pm »
Why don't you use KVM/QEMU instead of Xen and Fedora instead of Debian?  OPNsense does work with that if you can figure out passing through the network cards.

73
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 11, 2022, 10:53:07 pm »
Firewall rules do not prevent devices on the same network from communicating with each other.  You'd have to use VLANs or other means to prevent that.

74
22.1 Legacy Series / Re: QOS with IPv4/IPv6 setup
« on: June 11, 2022, 08:54:09 pm »
Quote from: walkerx on June 11, 2022, 03:51:20 pm
thanks for the reply

it's reporting my latency was over 60ms and not good for online gaming, but there doesn't seem to be an issue when doing online gaming.

Only thing we do notice is that if xbox or pc is downloading they hog the bandwidth, rather than qos kicking in across the devices, and can only assume that this is because they are using IPv6.

Is it causing issues?  You could limit their bandwidth and then downloads take even longer.  I wanted to limit my xbox some time ago and the best way would have been to limit it in the switch, but due to lack of documentation and unresponsiveness in their forum, it remained impossible to do with the EdgeSwitches from Ubiquiti I have.  I only know that the switch can do it, not how to make it so.

Quote
So is there a way to get QOS working for both IPv4 and IPv6

I don't see how you could reasonably do it.  It seems you would need to specify IPv6 addresses for your devices in the rules, and when you don't have an IPv6 network statically assigned to you, you'd have to keep changing the addresses in the rules according to the addresses your devices happen to currently have all the time.

However, that I don't see it doesn't mean anything.  I can only say that internet without static addresses sucks much worse with IPv6 than it does with IPv4, and I don't understand why anyone is giving out dynamic IPv6 addresses at all, rather than static ones.  It should be illegal to give out dynamic IPv6 networks.

75
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 11, 2022, 01:17:59 pm »
Quote from: Ice_Drake1 on June 11, 2022, 03:16:57 am
I tried to follow your discussion, but your network diagram and the conversation completely got me confused. Basically, the fact that IN is all traffic coming into the OPNsense firewall and OUT is all traffic coming out of the OPNsense follows the same convention as Windows Firewall and PiHole.

It's not a network diagram, it's a diagram of a router.  I don't know what a PiHole is or does, and Windows never seemed to actually have something that could actually be called a firewall.

Quote
About your topic, the person answered your question correctly. "The "inbound/outbound" distinction is strictly from the firewall's point of view."

But I would bet that you are confused with what that answer means.

He also said: "Well, a machine on the guest network sends a packet to a machine on the LAN network. That packet goes in to the firewall on the guest interface and out of the firewall on the LAN interface ..."

Maybe I'm confused, but doesn't that mean that OUT means "going out of the firewall"?

Quote
For a simple explanation of IN and OUT, picture your firewall having only one input and one output. Which interface is input and which interface is output will depend on which interface is initiating the connection. So if I am pinging 192.168.3.2 from my laptop (192.168.5.10), my interface at my laptop is input and the interface at 192.168.3.2 is output. On the other hand, if I am pinging 192.168.5.10 from my device, my interface at my laptop is output and the interface at the device is input.

This explanation is omitting that these packets must go through the firewall.  That means they go IN to the firewall and come OUT of it.

That is a crucial distinction, see here: https://forum.opnsense.org/index.php?topic=28447.msg138240#msg138240


> Quote from: defaultuserfoo on May 23, 2022, 01:07:49 pm
>
> An outbound rule on the LAN interface that blocks everything from <group> /would block traffic coming out of the firewall before the traffic could enter the LAN interface and go out of the LAN interface/.
>
> Exactly.


This distinction is crucial in that it does matter where the outgoing traffic is coming from, the particular interface or the firewall, i.e. possibly coming from any interface (i.e. out of the firewall).  --- The point is that you need not put many IN rules on all interfaces to prevent traffic going to some interfaces because you can place a single OUT rule blocking traffic from all the very interfaces that are in a particular interface group.  That's because the traffic you want to block doesn't come out of the interface you put the rule on (going to devices connected to them) but out of the firewall (possibly coming from many other interfaces).  (The problem is that you might need many interface groups to achieve what you want.)

There is also traffic going to the firewall and traffic coming from the firewall.  The diagram in the other thread is supposed to show that.

Or am I confused?
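Added example, not from this thread or from OPNsense itself: a toy model of a router evaluating direction-bound rules, to illustrate the point made in the post above that a single OUT rule on the LAN interface, with the interface group as source, replaces one IN rule per group member. The interface names, the group, the first-match evaluation and the default-allow behaviour are all constructed assumptions for the model, not OPNsense's real pf semantics.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    iface: str           # interface the rule is attached to
    direction: str       # "in" = entering the firewall on iface, "out" = leaving it
    action: str          # "block" or "pass"
    src_ifaces: frozenset = frozenset()  # match only packets that entered via these; empty = any

@dataclass
class Router:
    groups: dict                          # group name -> set of member interfaces
    rules: list = field(default_factory=list)

    def members(self, name):
        # A rule's source may name a single interface or an interface group.
        return self.groups.get(name, {name})

    def decide(self, ingress, egress):
        """Action for a packet entering on `ingress` and leaving the firewall on
        `egress`: IN rules of the ingress interface are checked first, then OUT
        rules of the egress interface (constructed simplification, first match wins)."""
        for stage, iface in (("in", ingress), ("out", egress)):
            for r in self.rules:
                if r.direction == stage and r.iface == iface and (
                        not r.src_ifaces or ingress in r.src_ifaces):
                    return r.action
        return "pass"                     # no matching rule: default allow (assumption)

def demo():
    rt = Router(groups={"UNTRUSTED": {"GUEST", "IOT"}})
    # One OUT rule on LAN: block whatever leaves the firewall toward LAN that
    # came IN on any UNTRUSTED member. No per-member IN rules are needed.
    rt.rules.append(Rule("LAN", "out", "block", frozenset(rt.members("UNTRUSTED"))))
    return {
        "guest->lan": rt.decide("GUEST", "LAN"),  # blocked by the OUT rule
        "iot->lan":   rt.decide("IOT", "LAN"),    # blocked by the same rule
        "wan->lan":   rt.decide("WAN", "LAN"),    # WAN is not in the group
        "guest->wan": rt.decide("GUEST", "WAN"),  # rule is bound to LAN only
        "lan->guest": rt.decide("LAN", "GUEST"),  # reverse direction untouched
    }
```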
