Messages - NEOSA

#1
French - Français / Re: Quel materiel ?
December 20, 2024, 04:38:49 PM
A reply by private message.
#2
@vicent

Which GeoIP list do you use in your config?

I usually use Maxmind's GeoIPLite country (CSV) list, but their policy has changed, and the "classic" URL no longer loads the Maxmind lists.

Thanks for your reply ;-)
#3
Dual WAN Failover: losing the primary gateway when the workload is higher

Hi all!

We are facing an issue with a dual-WAN OPNsense configuration.

Details:

- OPNsense version: OPNsense 23.7.10_1-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

We have two identical nodes, running as an HA cluster

- First gateway:
Static IP - Priority: 254
Behind a 5G LTE Zyxel NR7101 router
WAN IP is static

- Second gateway:
Static IP - Priority: 255
Behind an ADSL router

- Gateway group:
Tier 1: First gateway
Tier 2: Second gateway
Trigger level: Member down

- Issue we meet: when a fairly big workload is initiated (i.e. trying to download a file of several GB), the latency / packet loss grows for the first gateway, the firewall toggles from Tier 1 to Tier 2, but the first gateway is seen as back about 10 to 20 seconds later :-(

I tried to change the gateway monitoring from 8.8.8.8 / 8.8.4.4 to the ISP DNS servers: same issue.

I tried to change the default packet loss thresholds for the first gateway, from the default 10/20 to 20/40: same issue.

Here is one of the last dpinger logs:


2024-03-08T15:47:17 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: loss -> none RTT: 30.7 ms RTTd: 6.3 ms Loss: 20.0 %)
2024-03-08T15:46:23 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: none -> loss RTT: 31.2 ms RTTd: 6.7 ms Loss: 21.0 %)
2024-03-08T15:38:44 Notice dpinger Reloaded gateway watcher configuration on SIGHUP
2024-03-08T15:38:44 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 185.61.147.1 bind_addr 192.168.1.251 identifier "LIVEBOX_ORANGE_GWv4 "
2024-03-08T15:38:44 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 185.61.146.1 bind_addr 192.168.100.251 identifier "WAN_5G "
2024-03-08T15:38:44 Warning dpinger exiting on signal 15
2024-03-08T15:38:44 Warning dpinger exiting on signal 15
2024-03-08T15:37:16 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: delay -> none RTT: 85.3 ms RTTd: 116.9 ms Loss: 0.0 %)
2024-03-08T15:37:04 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: none -> delay RTT: 203.7 ms RTTd: 184.8 ms Loss: 0.0 %)


Do I need to increase the packet loss thresholds?

The latency for this 5G LTE router is slightly higher than the ADSL one, but not by much.

Thank you for your opinion and/or any clues / ideas, if you have also met such behaviour.
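To put numbers on the "back 10 to 20 seconds later" behaviour, here is an added example (not part of NEOSA's post and not OPNsense or dpinger code) that parses the dpinger ALERT lines quoted above, pairs each "none -> X" with the "X -> none" that cleared it, and reports how long each alarm episode lasted and what its peak loss and RTT were. It assumes the log line layout shown in the post, and `would_mark_down` assumes the gateway's "high" thresholds in the GUI are compared against the same Loss % and RTT values dpinger prints (the 20 % loss default is quoted in the post; the 500 ms latency default is assumed here).

```python
"""Parse dpinger ALERT lines from the OPNsense gateway log, pair each alarm
with the line that cleared it, and measure how long the gateway stayed in
alarm, so a 10-20 second flap can be told apart from a real outage."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the dpinger lines quoted in the post above, newest first as the
# OPNsense log viewer shows them (nothing added beyond those lines).
SAMPLE_LOG = """\
2024-03-08T15:47:17 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: loss -> none RTT: 30.7 ms RTTd: 6.3 ms Loss: 20.0 %)
2024-03-08T15:46:23 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: none -> loss RTT: 31.2 ms RTTd: 6.7 ms Loss: 21.0 %)
2024-03-08T15:38:44 Notice dpinger Reloaded gateway watcher configuration on SIGHUP
2024-03-08T15:38:44 Warning dpinger exiting on signal 15
2024-03-08T15:37:16 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: delay -> none RTT: 85.3 ms RTTd: 116.9 ms Loss: 0.0 %)
2024-03-08T15:37:04 Notice dpinger ALERT: WAN_5G (Addr: 185.61.146.1 Alarm: none -> delay RTT: 203.7 ms RTTd: 184.8 ms Loss: 0.0 %)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dpinger ALERT: (?P<gw>\S+) \(Addr: (?P<addr>\S+) "
    r"Alarm: (?P<old>\w+) -> (?P<new>\w+) RTT: (?P<rtt>[\d.]+) ms "
    r"RTTd: (?P<rttd>[\d.]+) ms Loss: (?P<loss>[\d.]+) %\)$"
)


@dataclass
class Alert:
    ts: datetime
    gateway: str
    addr: str
    old: str          # alarm state before the transition: none / loss / delay
    new: str          # alarm state after it
    rtt_ms: float
    rttd_ms: float
    loss_pct: float


@dataclass
class Episode:
    gateway: str
    kind: str                 # "loss", "delay", or "delay/loss" if it changed mid-episode
    start: datetime
    end: Optional[datetime]   # None: still in alarm at the end of the log window
    peak_loss_pct: float
    peak_rtt_ms: float

    @property
    def seconds(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def parse_alerts(log_text: str) -> List[Alert]:
    """Keep only ALERT transitions (reloads, SIGTERM exits etc. are skipped), oldest first."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(datetime.fromisoformat(m["ts"]), m["gw"], m["addr"],
                                m["old"], m["new"], float(m["rtt"]),
                                float(m["rttd"]), float(m["loss"])))
    return sorted(alerts, key=lambda a: a.ts)


def alarm_episodes(alerts: List[Alert]) -> List[Episode]:
    """Pair each 'none -> X' with the next 'X -> none' for the same gateway."""
    open_by_gw: Dict[str, Episode] = {}
    episodes: List[Episode] = []
    for a in alerts:
        ep = open_by_gw.get(a.gateway)
        if a.new != "none":
            if ep is None:
                open_by_gw[a.gateway] = Episode(a.gateway, a.new, a.ts, None, a.loss_pct, a.rtt_ms)
                continue
            if a.new not in ep.kind.split("/"):   # e.g. delay -> loss without clearing first
                ep.kind += "/" + a.new
        elif ep is None:
            continue   # cleared an alarm whose start lies outside the log window
        ep.peak_loss_pct = max(ep.peak_loss_pct, a.loss_pct)
        ep.peak_rtt_ms = max(ep.peak_rtt_ms, a.rtt_ms)
        if a.new == "none":
            ep.end = a.ts
            episodes.append(open_by_gw.pop(a.gateway))
    episodes.extend(open_by_gw.values())   # alarms still open at the end of the log
    return episodes


def flaps(episodes: List[Episode], max_seconds: float = 30.0) -> List[Episode]:
    """Episodes that cleared within max_seconds: the gateway 'coming back' almost at once."""
    return [e for e in episodes if e.seconds is not None and e.seconds <= max_seconds]


def would_mark_down(ep: Episode, loss_high_pct: float = 20.0,
                    latency_high_ms: float = 500.0) -> bool:
    """Compare the logged peaks with the gateway's 'high' thresholds. Assumption: the GUI
    thresholds (loss 10/20 % as quoted in the post; latency 200/500 ms assumed) are
    applied to the same Loss % and RTT values dpinger prints."""
    return ep.peak_loss_pct >= loss_high_pct or ep.peak_rtt_ms >= latency_high_ms


if __name__ == "__main__":
    for ep in alarm_episodes(parse_alerts(SAMPLE_LOG)):
        end = ep.end.strftime("%H:%M:%S") if ep.end else "open"
        print(f"{ep.gateway} {ep.kind:<6} {ep.start:%H:%M:%S} -> {end} "
              f"({ep.seconds} s, peak loss {ep.peak_loss_pct} %, peak RTT {ep.peak_rtt_ms} ms, "
              f"down at default thresholds: {would_mark_down(ep)})")
```

Run against the quoted lines it yields a 12 s delay episode (peak RTT 203.7 ms, below the assumed 500 ms high mark) and a 54 s loss episode peaking at 21.0 %, which is above the default 20 % high threshold but below the 40 % the post tried; feeding it a longer log export from System > Log Files > Gateways shows at a glance whether the episodes are short flaps or sustained loss.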
#4
French - Français / Re: Openvpn acces rdp sur client
December 01, 2023, 09:42:46 AM
Your first post is, in any case, not clear enough: make a diagram of your infrastructure + the IP addressing of all your interfaces.

Among other things, what is the 172.22.8.0/24 network doing there? Where is it?

And check the tutorials here https://provya.net/index.php?liste, there are quite a few good articles. I work with them on hardware, nothing to complain about! The articles are often pfSense-based, but it's much the same.
#5
Hello,

Personally, I don't see the point at all of wanting to do it this way: a firewall is not meant to run / execute a VM on it... At a pinch OPNsense in a VM, but even I wouldn't do that ==> I prefer to install an OPNsense HA cluster.

On another (FR) forum, pfSense's in this case, I know someone who doesn't skimp on security: he will certainly find this strange ;-)
#6
French - Français / Re: Openvpn acces rdp sur client
November 26, 2023, 01:05:41 PM
Hello,

I would change the DHCP range of the VPN server, to 10.0.29.0/24 for example.

In your description, your OPT1 interface has an IP range identical to the addresses obtained via the VPN.

What type of VPN is used? If it's OpenVPN, enter the reachable IP ranges (192.168.0.0/24,172.29.0.0/24 in your case) in the corresponding section (IPv4 Local Network)

#7
Back with news ;-)

The HA cluster has been tested separately, behind an ISP router different from the one in the first post (Sagem Livebox V5).

I added a small 8-port switch between the ISP router and the WAN interface of each OPNsense box.

One modification has been made: the outbound rules were set to "Source: LAN Address" instead of "LAN Net" ==> My expert told me it wasn't relevant enough for the previous CARP_VIP/MAC address issue we met.

For now, the HA cluster is fully responsive, the failover works great, incoming VPN or incoming NAT rules are processed ;-) The only "trouble" I have is that the OpenVPN connection is not kept during a failover, but this will not be a real problem for end users.

I will give you some feedback when I go back on site.
#8
Hi all @community

We are facing an issue with a CARP/HA cluster.

The environment works perfectly with the HA cluster, latest OPNsense release, up to date:

- 2 identical OPNsense boxes,
- A CARP LAN working correctly: toggles from MASTER to SLAVE when removing one member,
- Two gateways: the first ISP is a fiber connection (Zyxel VMG3625-T50B router), the second is a GSM 5G cellular WAN
- Both gateways are in a CARP WAN OPNsense setup: WAN_CARP and 5G_CARP
- Gateway group setup: also working fine, switching from WAN to 5G or 5G to WAN if either gateway is removed

Issue we met: the fiber WAN router only sees an ARP table with the two IPs of the OPNsense boxes (192.168.1.3/24 and 192.168.1.4/24); the CARP address (192.168.1.254/24) + the CARP MAC address is not seen :-(

We thought of an ISP router misconfiguration, but no L2/L3 setup is available on that side.

We added an intermediate Ethernet switch between the 2 OPNsense boxes and the fiber ISP router: same issue.

We have absolutely no outbound issues from the LAN side toward the Internet, but since no ARP entries are shown on the ISP router side, we are not able to handle any incoming traffic.

The ISP broadband router (Zyxel VMG3625-T50B) is set up to perform NAT (not bridge mode): when adding a NAT rule to accept OpenVPN traffic ==> to the IP address of one of the 2 OPNsense boxes instead of the WAN CARP IP (192.168.1.254), we are able to open a VPN tunnel from outside. If we modify the VPN to use the WAN_CARP address + modify the NAT entry on the Zyxel VMG3625-T50B router, no OpenVPN incoming traffic works anymore.

As a reminder, the broadband router always shows ARP/IP entries for the two OPNsense boxes.

Any clues/ideas will be welcome; we will have a look with an expert this Wednesday, October 25th, to go deeper, in case we missed a setting.

Ciao - Au revoir

Sorry for any English mistakes, I'm not a native English speaker!!!
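A quick way to tell the three states an upstream neighbour table can be in for a CARP VIP (not seen at all, seen with the CARP virtual MAC, or seen with one node's physical MAC, which breaks on failover) is to check the learned MAC against the address carp(4) advertises, 00:00:5e:00:01:<VHID>. The following is an added example, not part of NEOSA's post or of OPNsense; the neighbour-table samples are constructed in FreeBSD `arp -an` format from the addresses quoted in the post, the two physical MACs are made up, and VHID 1 is assumed since the post does not give it.

```python
"""Check whether a CARP virtual IP shows up in a neighbour (ARP) table with the
MAC address CARP actually advertises for it: 00:00:5e:00:01:<vhid>."""
import re
from typing import Dict

# Constructed samples in FreeBSD `arp -an` output format, using the addresses
# from the post; the two physical MACs are made up (locally administered 02:..).
# What the ISP router's table looked like according to the post: only the nodes.
ARP_NODES_ONLY = """\
? (192.168.1.3) at 02:00:00:00:00:03 on eth0 expires in 1180 seconds [ethernet]
? (192.168.1.4) at 02:00:00:00:00:04 on eth0 expires in 1175 seconds [ethernet]
"""
# What it should look like once the VIP is learned from the CARP master (assumed VHID 1).
ARP_WITH_VIP = ARP_NODES_ONLY + \
    "? (192.168.1.254) at 00:00:5e:00:01:01 on eth0 expires in 1190 seconds [ethernet]\n"
# A bad state: the VIP learned with one node's physical MAC, which stops working on failover.
ARP_VIP_ON_NODE_MAC = ARP_NODES_ONLY + \
    "? (192.168.1.254) at 02:00:00:00:00:03 on eth0 expires in 1190 seconds [ethernet]\n"

NEIGH_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def carp_mac(vhid: int) -> str:
    """Virtual MAC used by carp(4) for a given VHID (IANA VRRP/CARP block 00:00:5e:00:01:xx)."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def parse_neighbours(arp_text: str) -> Dict[str, str]:
    """IP -> lowercase MAC for every '(ip) at mac' entry in `arp -an` style output."""
    return {m["ip"]: m["mac"].lower() for m in NEIGH_RE.finditer(arp_text)}


def check_carp_vip(arp_text: str, vip: str, vhid: int) -> str:
    """Return 'ok', 'missing', 'stale-physical' (VIP bound to a node's own NIC MAC)
    or 'unexpected-mac' (some other address, e.g. a different VHID than expected)."""
    table = parse_neighbours(arp_text)
    mac = table.get(vip)
    if mac is None:
        return "missing"
    if mac == carp_mac(vhid):
        return "ok"
    other_macs = {m for ip, m in table.items() if ip != vip}
    return "stale-physical" if mac in other_macs else "unexpected-mac"


if __name__ == "__main__":
    for label, sample in (("nodes only", ARP_NODES_ONLY), ("with VIP", ARP_WITH_VIP),
                          ("VIP on node MAC", ARP_VIP_ON_NODE_MAC)):
        print(f"{label:<16} -> {check_carp_vip(sample, '192.168.1.254', 1)}")
```

On a FreeBSD box on the same segment, `arp -an` gives exactly this format; the VHID to pass in is the one shown by `ifconfig` on the CARP-enabled WAN interface of the nodes. A "missing" result with both physical addresses present means the router never saw a gratuitous ARP or an ARP reply for the VIP, which is a different problem from "stale-physical", where it did learn the VIP but from the wrong sender.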
#9
Hi all!

I did an upgrade this afternoon from a previous version: OPNsense 22.7.11_1 -> 23.1_7.

This upgrade was done in two steps:

opnsense upgraded: 22.7.11_1 -> 23.1_6
opnsense upgraded: 23.1_6 -> 23.1.7_3

I'm not sure about that point, but it seems that we lost the WAN netmask, going from /24 to /32, after the upgrade :-(

OPNsense was claiming a gateway with 100% packet loss; the cellular router was OK, no dropped packets from itself.

I checked the gateway settings, tried a modification of the Monitor IP, and OPNsense told me the network range (/24) wasn't related to the WAN interface

I checked the WAN settings, and the IPv4 address was /32 instead of /24. Once changed to /24, the situation went back to nominal.

Has such behaviour been seen in the past?
Is it a known bug?

Everything was OK before the upgrade.

Thanks a lot for your opinion.

PS: No VLANs, no virtual interfaces, just a very simple setup with 4 x I211 Gigabit Network ports / Core i3-4010U CPU @ 1.70GHz
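The symptom above (100 % loss reported on a gateway that is fine, because the interface netmask no longer contains the gateway address) can be caught from a config backup before anyone notices. The following is an added example, not part of NEOSA's post or of OPNsense; it assumes the interfaces/<name>/ipaddr + subnet + gateway and gateways/gateway_item layout that OPNsense's config.xml inherited from pfSense, and the embedded fragment is constructed with made-up addresses and the /32 the post describes.

```python
"""Sanity-check an OPNsense config.xml after an upgrade: every static interface
that carries a gateway must have a netmask that actually contains that gateway.
A WAN silently turned into /32 (as in the post) shows up as a finding."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

# Constructed config fragment following the interfaces/ and gateways/ layout that
# OPNsense inherited from pfSense (assumed here, trimmed to the relevant elements);
# addresses are made up, with the WAN subnet set to the /32 the post describes.
SAMPLE_CONFIG = """\
<opnsense>
  <interfaces>
    <wan>
      <if>igb0</if>
      <ipaddr>192.168.100.251</ipaddr>
      <subnet>32</subnet>
      <gateway>GW_WAN</gateway>
    </wan>
    <lan>
      <if>igb1</if>
      <ipaddr>10.10.0.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
  <gateways>
    <gateway_item>
      <interface>wan</interface>
      <gateway>192.168.100.1</gateway>
      <name>GW_WAN</name>
      <monitor>8.8.8.8</monitor>
    </gateway_item>
  </gateways>
</opnsense>
"""


def check_static_gateways(config_xml: str) -> List[str]:
    """Return one finding per interface whose static address cannot reach its gateway."""
    root = ET.fromstring(config_xml)
    gateways = {}
    for item in root.iterfind("./gateways/gateway_item"):
        name, addr = item.findtext("name"), item.findtext("gateway")
        if name and addr:
            gateways[name] = addr

    findings: List[str] = []
    interfaces = root.find("interfaces")
    if interfaces is None:
        return findings
    for iface in interfaces:
        ipaddr, subnet = iface.findtext("ipaddr"), iface.findtext("subnet")
        gw_name = iface.findtext("gateway")
        if not ipaddr or not subnet:
            continue
        try:
            net = ipaddress.ip_interface(f"{ipaddr}/{subnet}").network
        except ValueError:
            continue  # dhcp / pppoe / none: the address is not static, nothing to check
        if net.prefixlen == net.max_prefixlen:
            findings.append(f"{iface.tag}: /{net.prefixlen} netmask on a static interface")
        if gw_name in gateways:
            gw = ipaddress.ip_address(gateways[gw_name])
            if gw not in net:
                findings.append(f"{iface.tag}: gateway {gw_name} ({gw}) is not inside {net}")
    return findings


if __name__ == "__main__":
    for line in check_static_gateways(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Pointed at a real backup (System > Configuration > Backups, or /conf/config.xml on the box) the function reads the whole file the same way; the two findings on the sample are the /32 itself and the gateway 192.168.100.1 falling outside 192.168.100.251/32, and both disappear once the subnet is put back to 24.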
#10
Quote from: proctor on March 29, 2022, 12:55:57 PM
Shame on me. - Enable IPsec was not checked...
Hi!

I was creating an IPsec macOS mobile setup*, and the same shame: forgot to turn it on ;-)

*https://github.com/thomergil/opnsense-ipsec-vpn
#11
Hello to all of you,

I would like to ask you about an OPNsense project, to be deployed at a manager's home.

This manager has a pfSense firewall (installed by myself) in his agency. This pfSense will be replaced by an OPNsense version.

The customer wants a site-to-site VPN between his home (SoHo) and the agency: easy with 2 OPNsense.

I will propose him an OPNsense installation at his home, a good trio of Ubiquiti WiFi access points and the associated WiFi controller.

The customer will also receive A/V equipment (ARCAM connected amplifier + a nice dose of Focal in Dolby Atmos!!!), video projector, etc... in short, the whole package.

In absolute terms, and according to the diagram below, I could not control the IPTV decoder (Orange TV France) via the WiFi and/or Ethernet equipment of the 192.168.100.0/24 LAN

https://i.imgur.com/Z7XxGTO.jpg

I don't want to replace the ISP router (LiveBox) with an OPNsense firewall + tricks on it to make the IPTV video streams + phone flow through it (the customer will keep a landline phone connected to the Livebox).

Thanks for your opinion !

Regards.
#12
Hello everyone,

I would like to ask you about an OPNsense project, to be deployed at a manager's home.

This manager has a pfSense firewall (installed by myself) in his agency. This pfSense will be replaced by an OPNsense version.

The customer wants a site-to-site VPN between his home (SoHo) and the agency: easy with 2 OPNsense.

So I plan to propose him an OPNsense installation at his home, a good trio of Ubiquiti WiFi access points and the associated WiFi controller.

The customer will also receive A/V equipment (ARCAM connected amplifier + a nice dose of Focal in Dolby Atmos!!!), video projector, etc... in short, the whole package.

In absolute terms, and according to the diagram below, I could not control the Orange TV decoder via the WiFi and/or Ethernet equipment of the 192.168.100.0/24 LAN

https://i.imgur.com/Z7XxGTO.jpg

I don't want to replace the LiveBox with an OPNsense firewall + tricks on it to route the IPTV video streams + phone through it (the customer will keep a landline phone connected to the Livebox).

Based on your experience, is it possible, with an OPNsense firewall on the SoHo side, to make the whole thing work? The firewall will most likely be a 4-interface model, from Provya.

Thanks for your opinions and experience with such a configuration, and for telling me whether it seems feasible or not.

PS: I'm thinking of recommending a Chromecast plugged into the ARCAM A/V controller to stream the Orange TV content there