Messages - viragomann

136
General Discussion / Re: Cannot Connect To Network Switch From LAN
« on: October 26, 2024, 05:54:31 pm »
So the switch has an IP in the LAN subnet from the OPNsense DHCP?
But you cannot access it from other LAN devices?

137
General Discussion / Re: Cannot Connect To Network Switch From LAN
« on: October 26, 2024, 05:32:12 pm »
Does the switch have a gateway setting? And if so, is the switch interface IP set correctly?

If it is missing a gateway setting, you can get access with an outbound NAT rule that masquerades the source address.
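The masquerading rule mentioned above, written out as a pf fragment. This is an added illustration and not the poster's or OPNsense's generated configuration; the interface names (vtnet1 LAN, vtnet2 admin VLAN) and addresses (192.168.1.2 switch, 10.10.20.0/24 admin network) are assumptions. The point it shows: a switch with no default gateway can only answer hosts it sees in its own subnet, so the firewall rewrites the source to its own LAN address.

```pf
# Added illustration (not from the post): outbound NAT so that a host on a
# different subnet can manage a LAN switch that has no default gateway.
# Assumed: vtnet1 = LAN interface in 192.168.1.0/24, 192.168.1.2 = switch
# management IP, vtnet2 = admin VLAN interface, 10.10.20.0/24 = admin network.
#
# Without the NAT the switch receives the request from 10.10.20.x, has no
# route back, and silently drops its reply.
#
# OPNsense equivalent: Firewall: NAT: Outbound (hybrid or manual mode),
# interface LAN, source 10.10.20.0/24, destination 192.168.1.2,
# translation "Interface address".

switch_mgmt = "192.168.1.2"
admin_net   = "10.10.20.0/24"

# Rewrite the source to the LAN interface address, so the switch only ever
# sees a neighbour inside its own subnet and can answer without a gateway.
nat on vtnet1 inet from $admin_net to $switch_mgmt -> (vtnet1)

# The traffic still needs to be allowed on the interface it enters on.
pass in quick on vtnet2 inet proto tcp from $admin_net to $switch_mgmt port { 22, 443 }
```

Keep the destination as narrow as the switch IP: a blanket "masquerade everything on LAN" rule would hide the real client addresses from every LAN device and from the firewall log.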
 

138
24.7 Production Series / Re: Returning traffic not picked up by policy based VPN
« on: October 25, 2024, 04:53:15 pm »
Quote from: zemanek on October 25, 2024, 10:28:36 am
OPNsense has only one physical interface (WAN) (private IP + public IP) vtnet0. I have port forwarding on IPsec on port 8091 redirecting to internal network. I have full outbound NAT on both WAN and IPsec.
Can you give some more details on this, please?

You have an IPSec s2s to a remote site?

What do you forward? On the WAN private IP or on IPSec?

Can you post your rules and the capture?

139
24.7 Production Series / Re: Configuration help needed
« on: October 24, 2024, 11:42:55 am »
Quote from: glen4cindy on October 24, 2024, 02:18:58 am
You mention "a transit network between the router and the modem" but the only thing between my router (which is Google Home WiFi) and my modem is an ethernet cable.
I tried to find out whether there is a local subnet between your modem and router, or whether your router gets the public IP address from your ISP.

Quote from: glen4cindy on October 24, 2024, 02:18:58 am
I have OPT1 because I followed step 4:

4. Assign a management IP/Interface
To be able to configure and manage the filtering bridge (OPNsense) afterwards, we will need to assign a new interface to the bridge and setup an IP address.

Go to Interfaces ‣ Assign ‣ Available network port, select the bridge from the list and hit +.

Filtering Bridge Step 4.png

Now Add an IP address to the interface that you would like to use to manage the bridge. Go to Interfaces ‣ [OPT1], enable the interface and fill-in the ip/netmask.

You can do this, but you would have to connect your computer directly to the OPNsense OPT1 interface to access it. You cannot access it from behind the router, because the router doesn't know this IP and directs all traffic to unknown destinations to its default gateway, which is either the modem or somewhere in the ISP's network.
That seems a bit inconvenient to me.

140
24.7 Production Series / Re: reply-to: default does not seem to work as expected.
« on: October 23, 2024, 04:08:58 pm »
Can you confirm that the rule you've added to the interface matched the access?
To make sure, give the rule a proper description and enable logging.

141
24.7 Production Series / Re: reply-to: default does not seem to work as expected.
« on: October 23, 2024, 02:42:30 pm »
Quote from: Isabella Borgward on October 23, 2024, 02:37:26 pm
in case it somehow takes precedence and breaks it.
Yes, it does.

Floating rules and interface group rules take precedence over interface rules.
Therefore you have to ensure that none of these matches the incoming traffic.

In a multi WAN environment you should avoid creating floating pass rules applied to the WANs and also not create a WAN interface group.

142
24.7 Production Series / Re: reply-to: default does not seem to work as expected.
« on: October 23, 2024, 02:30:43 pm »
Where did you define the management access rule?
To enable the default reply-to, the rule allowing the incoming traffic must be defined on the respective interface. It must not be on an interface group or a floating rule.
This means you need a separate rule for each WAN on the respective interface. Is this the case?
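The rule ordering described in the three posts above (floating and group rules first, then interface rules, with reply-to only taking effect on an interface rule), shown as a pf fragment. This is an added illustration, not OPNsense's generated ruleset; vtnet0/vtnet2 as the two WANs, the gateway addresses 203.0.113.1 and 198.51.100.1, and port 443 for the GUI are assumptions.

```pf
# Added illustration (not the poster's or OPNsense's own ruleset).
# Assumed: vtnet0 = WAN1 with gateway 203.0.113.1, vtnet2 = WAN2 with gateway
# 198.51.100.1, web GUI listening on 443 on both WAN addresses.

wan1    = "vtnet0"
wan2    = "vtnet2"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"

# BROKEN: a floating (any-interface) pass rule. OPNsense emits floating and
# group rules before interface rules, "quick" stops evaluation at the first
# match, and this rule carries no reply-to. A session that arrived on WAN2 is
# therefore answered via the default route on WAN1, and the client never sees
# the reply because it comes from the wrong path.
#pass in quick inet proto tcp from any to { ($wan1) ($wan2) } port 443 keep state

# CORRECT: one rule per WAN, placed on that WAN, each with reply-to pointing
# at that WAN's own gateway. This is what "reply-to: default" expands to on
# an interface rule. Replies follow the state back out of the interface they
# came in on, independent of the routing table.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) inet proto tcp \
    from any to ($wan1) port 443 keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp \
    from any to ($wan2) port 443 keep state
```

To verify which rule actually matched, enable logging on the interface rule and watch Firewall: Log Files: Live View; a hit on a floating or group rule with the same description-less defaults is the usual cause of reply-to "not working".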

143
24.7 Production Series / Re: reply-to: default does not seem to work as expected.
« on: October 23, 2024, 02:08:48 pm »
Did you also add both WANs to System: Settings: Administration: Listen Interfaces?

144
German - Deutsch / Re: HA Cluster Probleme mit Internet Access
« on: October 23, 2024, 10:00:29 am »
Quote from: Spitzbube on October 23, 2024, 07:54:52 am
I've now connected the client behind the switch and the switch directly to the Fritzbox. The switch has 192.18.0.5/24 and passes internet traffic through, but is itself not on the internet, for whatever reason.
Presumably because it has no gateway. Not untypical for such devices.

Quote from: Spitzbube on October 23, 2024, 07:54:52 am
It's really hard to say. So either the switch doesn't like the CARP stuff behind it, or the firewalls are still blocking something. I'm really a bit at a loss here. What further facts can I establish?
So the problem is still that the CARP VIP is not reachable? But internet works behind the OPNsense?
For internet, the CARP VIP would have to be used as the gateway. (?)

You can investigate with Packet Capture. That lets you check whether the packets addressed to the CARP VIP arrive at the interface.

145
24.7 Production Series / Re: Configuration help needed
« on: October 23, 2024, 09:49:07 am »
Quote from: glen4cindy on October 23, 2024, 03:52:56 am
I assigned OPT1 an IP address within the same scope as my home network. The directions are not specific, but they say "to be able to configure and manage the filtering bridge (OPNsense) afterwards...." I assumed this IP would have to be one within my network.

192.168.86.x/24

/24 = 255.255.255.0 Correct?

Since you didn't state your network ranges before, I don't know.
If it's the LAN subnet behind the router, it's wrong. This would put the whole OPNsense bridge inside your LAN, which isn't what you want.

You might have a transit network between the router and the modem, where you put the firewall in between. I asked about it, but you didn't mention it. OPNsense should have an IP inside this subnet; it should be defined on the bridge.

AND your bridge should only have two member interfaces. The OPT1 is useless for your purpose.

146
24.7 Production Series / Re: PPPOE is constantly reconnecting
« on: October 22, 2024, 09:58:15 pm »
Quote from: altione on October 22, 2024, 09:21:43 pm
And I don't see this gateway in System-Routes-Status when the pppoe connection is established.
Which one?

10.0.36.1 is obviously given to you as the default gateway. Is it this one that arpresolve is logging errors for?

So you get your interface IP via DHCP. From a local device?

Presumably it doesn't respond to the ARP request when the error appears. The ARP cache is flushed after 20 minutes by default and OPNsense needs to renew it then. But it seems this fails.

Did you follow the installation hints for virtualization?
https://docs.opnsense.org/manual/virtuals.html

147
German - Deutsch / Re: HA Cluster Probleme mit Internet Access
« on: October 22, 2024, 09:04:36 pm »
Quote from: Spitzbube on October 22, 2024, 08:47:59 pm
I completely agree with you on all points. What can I do now? I quickly googled and couldn't find a switch that is supposed to be able to do that.
What I actually wanted to say is that this is presumably not the problem at all, because layer 2 switches usually don't prevent this, certainly not when they have no setting for it.

It could also be down to ESXi. In the past the guides required enabling 'Promiscuous Mode' on the virtual switches. That has since disappeared from the instructions, though.
The last CARP I set up was on version 6. Back then it was strictly required.

148
24.7 Production Series / Re: PPPOE is constantly reconnecting
« on: October 22, 2024, 08:48:15 pm »
Quote from: altione on October 22, 2024, 06:55:35 pm
arpresolve: can't allocate llinfo for 10.0.x.x on vtnet1
I guess this is your gateway IP. No reason to obscure private IPs here. We will not be able to access it anyway.

This almost means that the node is not reachable on the configured L2.

See https://wiki.opnsense.org/troubleshooting/gateways.html

I don't think that the private gateway IP should really be outside the interface subnet.
But maybe you can give some more details on how you set up the interface.

149
German - Deutsch / Re: HA Cluster Probleme mit Internet Access
« on: October 22, 2024, 07:40:28 pm »
The text merely describes standard switch behaviour.
MAC spoofing shouldn't be an issue at all for an L2 switch, it occurs to me. That's rather something for devices that work with IPs (L3).

With CARP there is a dedicated MAC address for the VIP. The master holds it, and it naturally moves to the other node along with the role.
This point would only come into play on a failover.

The other thing, though, is that OPNsense always sends packets from its primary interface MAC.
So if a request goes to the CARP MAC, the response still comes from the interface MAC. Some devices just don't like that, and it's what gets called MAC spoofing.

This would only be a security risk insofar as another device with a spoofed MAC could also respond.
But that MAC is known, just like the interface MAC, and communication could be restricted to it.

The switch learns which MAC is connected to which of its ports. Since the CARP MAC is used by several devices, the switch also has to switch over here. Whether that can be entered manually, I don't know.
It shouldn't be necessary, though. Manual entries would be a safeguard to only allow certain MACs.
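Two things from this thread can be checked in a capture: whether frames addressed to the CARP VIP actually arrive at the interface (the Packet Capture suggestion earlier in the thread), and whether replies from the VIP carry the physical interface MAC rather than the CARP MAC (the behaviour described in this post). The script below is an added example, not code from the thread or from OPNsense. It parses `tcpdump -e -n` style lines; the sample lines are constructed, and the VHID 1, VIP 192.168.0.1, node interface MAC 52:54:00:aa:bb:01 and client 192.168.0.10 are assumptions. The CARP virtual MAC prefix 00:00:5e:00:01 with the VHID as last byte is the standard VRRP/CARP reservation.

```python
"""Added example (not from the thread): analyse a tcpdump -e capture for CARP VIP traffic.

Assumed values: VHID 1, VIP 192.168.0.1, interface MAC 52:54:00:aa:bb:01,
client 192.168.0.10. SAMPLE is constructed, not a real capture.
"""
import re
from collections import Counter


def carp_virtual_mac(vhid: int) -> str:
    """CARP, like VRRP, uses the reserved prefix 00:00:5e:00:01 plus the VHID as last byte."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


# tcpdump -e -n line layout:
#   <ts> <src mac> > <dst mac>, ethertype IPv4 (0x0800), length N: <src ip> > <dst ip>: <info>
_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+): (?P<info>.*)$"
)


def parse_capture(lines):
    """Yield one dict per parsable frame; non-matching lines (e.g. ARP) are skipped."""
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(lines, vip: str, vhid: int, iface_mac: str) -> Counter:
    """Count what the thread is asking about.

    reached_vip    : frames to the VIP carrying the CARP MAC (they did arrive at the interface)
    reply_if_mac   : replies from the VIP sent with the physical interface MAC
    reply_carp_mac : replies from the VIP sent with the CARP MAC
    """
    vmac = carp_virtual_mac(vhid)
    iface_mac = iface_mac.lower()
    c = Counter()
    for f in parse_capture(lines):
        if f["dip"] == vip and f["dmac"] == vmac:
            c["reached_vip"] += 1
        if f["sip"] == vip:
            if f["smac"] == iface_mac:
                c["reply_if_mac"] += 1
            elif f["smac"] == vmac:
                c["reply_carp_mac"] += 1
    return c


# Constructed sample: two pings from the client to the VIP, answered from the
# interface MAC, which is exactly the pattern the post above describes.
SAMPLE = """\
10:00:00.000001 52:54:00:cc:dd:10 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 98: 192.168.0.10 > 192.168.0.1: ICMP echo request, id 7, seq 1, length 64
10:00:00.000200 52:54:00:aa:bb:01 > 52:54:00:cc:dd:10, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.10: ICMP echo reply, id 7, seq 1, length 64
10:00:01.000001 52:54:00:cc:dd:10 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 98: 192.168.0.10 > 192.168.0.1: ICMP echo request, id 7, seq 2, length 64
10:00:01.000200 52:54:00:aa:bb:01 > 52:54:00:cc:dd:10, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.10: ICMP echo reply, id 7, seq 2, length 64
"""

if __name__ == "__main__":
    print(analyse(SAMPLE.splitlines(), "192.168.0.1", 1, "52:54:00:aa:bb:01"))
```

If `reached_vip` stays at zero while the client is sending, the frames are not making it to the node (switch or hypervisor side); if it is non-zero but `reply_if_mac` dominates, the node is answering and anything that treats the interface MAC as a forged source (such as a hypervisor port-security policy) is the next thing to look at.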

150
General Discussion / Re: Strange behavior
« on: October 22, 2024, 05:07:28 pm »
Could possibly be an IP conflict in your network.
Look into the system general log and search for ARP entries showing an IP toggling between two MACs.
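The two log checks suggested in this thread, an IP toggling between two MACs (this post) and arpresolve "can't allocate llinfo" for a gateway (the PPPoE posts above), as one small triage script. It is an added example, not code from the forum or from OPNsense. The log lines are constructed in the FreeBSD kernel format (`arp: ... moved from ... to ... on ...`, `arp: ... is using my IP address ... on ...!`, `arpresolve: can't allocate llinfo for ... on ...`); the interface table and the addresses in it are assumptions.

```python
"""Added example (not from the thread): triage FreeBSD/OPNsense kernel ARP log lines.

SAMPLE_LOG and INTERFACES are constructed for the example; vtnet1/vtnet2 and
the subnets are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

RE_MOVED = re.compile(
    r"arp: (?P<ip>[\d.]+) moved from (?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifn>\S+)")
RE_USING = re.compile(
    r"arp: (?P<mac>[0-9a-f:]{17}) is using my IP address (?P<ip>[\d.]+) on (?P<ifn>\S+)")
RE_LLINFO = re.compile(
    r"arpresolve: can't allocate llinfo for (?P<ip>[\d.]+) on (?P<ifn>\S+)")


def find_ip_conflicts(lines):
    """Return IPs that look duplicated.

    A single 'moved' line is normal (DHCP reuse, replaced hardware). An IP
    that moves *back* to a MAC it already left means two hosts are answering
    ARP for it. 'is using my IP address' is a direct conflict with the firewall.
    """
    moves = defaultdict(list)
    conflicts = set()
    for line in lines:
        m = RE_MOVED.search(line)
        if m:
            moves[m["ip"]].append((m["old"], m["new"]))
            continue
        m = RE_USING.search(line)
        if m:
            conflicts.add(m["ip"])
    for ip, mv in moves.items():
        left = set()
        for old, new in mv:
            left.add(old)
            if new in left:          # bounced back: A -> B -> A
                conflicts.add(ip)
                break
    return sorted(conflicts)


def check_llinfo(lines, interfaces):
    """Classify llinfo errors: gateway outside the interface subnet vs. on-link but silent.

    On-link but silent is the case in the PPPoE thread: the entry expires
    (net.link.ether.inet.max_age, 1200 s by default) and the re-ARP gets no answer.
    """
    findings = []
    for line in lines:
        m = RE_LLINFO.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        net = interfaces.get(m["ifn"])
        if net is None:
            findings.append((m["ip"], m["ifn"], "unknown interface"))
        elif ip not in net:
            findings.append((m["ip"], m["ifn"], f"outside {net}: gateway is not on-link"))
        else:
            findings.append((m["ip"], m["ifn"], "on-link but not answering ARP"))
    return findings


# Assumed interface table for the example.
INTERFACES = {
    "vtnet1": ipaddress.ip_network("10.0.36.0/24"),
    "vtnet2": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed log excerpt in FreeBSD kernel format.
SAMPLE_LOG = """\
Oct 22 21:10:01 fw kernel: arpresolve: can't allocate llinfo for 10.0.36.1 on vtnet1
Oct 22 21:10:05 fw kernel: arpresolve: can't allocate llinfo for 172.16.5.1 on vtnet2
Oct 22 17:00:01 fw kernel: arp: 192.168.1.20 moved from 52:54:00:00:00:aa to 52:54:00:00:00:bb on vtnet2
Oct 22 17:00:03 fw kernel: arp: 192.168.1.20 moved from 52:54:00:00:00:bb to 52:54:00:00:00:aa on vtnet2
Oct 22 17:00:09 fw kernel: arp: 192.168.1.30 moved from 52:54:00:00:00:cc to 52:54:00:00:00:dd on vtnet2
Oct 22 17:01:00 fw kernel: arp: 52:54:00:00:00:ee is using my IP address 192.168.1.1 on vtnet2!
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("conflicts:", find_ip_conflicts(lines))
    for ip, ifn, why in check_llinfo(lines, INTERFACES):
        print(f"{ifn} {ip}: {why}")
```

On OPNsense the same lines are in System: Log Files: General (source "kernel"); pipe `clog /var/log/system/latest.log` or the exported log through the script to run it over a real day of entries.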

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved