Messages - AdSchellevis

781
General Discussion / Re: Switch between LAN and DMZ blocks
« on: November 04, 2015, 02:46:30 pm »
Hi Remi,

It should be solved in the latest development version, details on the patch can be found on GitHub.

When Franco finishes the release, you can easily test the current development version by installing it via pkgng.
Some additional info on how to do this can be found on the forum:
https://forum.opnsense.org/index.php?topic=917.msg3174

Regards,

Ad

782
General Discussion / Re: Switch between LAN and DMZ blocks
« on: November 02, 2015, 09:19:31 pm »
Hi Remi,

Jos tested this at our office, it seems to go wrong when disconnecting cables.
No fix yet, more info here: https://github.com/opnsense/core/issues/451

Regards,

Ad

783
15.7 Legacy Series / Re: Alias ports group no working
« on: November 01, 2015, 11:23:02 am »
Hi zotgene,

It's an input error, you can only use ports on tcp/udp traffic, not on all. (so it discards them on save)

Cheers,

Ad

784
15.7 Legacy Series / Re: OPNsense bugus WAN IP
« on: October 30, 2015, 08:45:05 pm »
Hi Hrv,

Found the bug, pfSense added an extra (non standard) option to ifconfig "setfirst" which is called in the dhclient-script.ext script.
Because we don't use that custom patch, ifconfig tries to resolve the name to a number when booting.
On your end it receives an IP address and sets it, I tried it on my end and saw the setfirst.<local domain> passing as well, but on my end there's no address involved.

The fix for this issue can be found here https://github.com/opnsense/core/commit/fb20b901d31b51e8b07c1d803697eb241b57f476

Regards,

Ad

785
General Discussion / Re: Temporary ip blacklist
« on: October 22, 2015, 10:09:17 am »
Hi Maarten,

You can use aliases for that, just create a new one in
Firewall -> Aliases (and choose IP when creating a new one)

Next create a firewall rule attached to this alias to block your clients on the correct interface.

Regards,

Ad

786
General Discussion / Re: [SOLVED] IPSEC NAT/BINAT
« on: October 21, 2015, 09:40:51 am »
Hi,

If you want to outbound nat all your traffic from your tunnel to one ip, you can select under NAT/BINAT:
Type : Address
Address: Your (firewall) IP you want to nat to

That should do the trick.

787
General Discussion / Re: [SOLVED] IPSEC NAT/BINAT
« on: October 20, 2015, 05:19:52 pm »
Frank wrote some additional comments on this subject, here:

https://github.com/opnsense/core/issues/440

Outbound nat on real tunnels functions (defined in the NAT/BINAT option of the phase2 tunnel) should work, but you can't define custom nat rules for ipsec traffic at the moment. (the option is just not there)
I have tested the first with a point-to-point setup.

Probably we're going to add this feature at some point, but no date is set yet.

788
15.7 Legacy Series / Re: Captive Portal - Redirecting from HTTPS stucks
« on: October 15, 2015, 01:31:36 pm »
Hi Holger,

It's very likely a bug, we're in the process of completely rewriting captive portal because of various issues and the current quality of the code behind it.

Soon we will release development packages with the new code in it.

Cheers,

Ad

789
15.7 Legacy Series / Re: [WONTFIX] LAGG - VLAN - CARP not working
« on: October 12, 2015, 04:00:37 pm »
Hi Romain,

I haven't followed all parts of the conversation, but you're testing with a setup like this now?

[vm, client]   -->  [master, vip] --> outside world
                    [slave, vip]  --> outside world

And are pinging from the client to the vip of your CARP setup? Normally this should work, your client's arp table should see the carp reserved mac address in its arp table.
The mac addresses are managed by CARP and you should never need to update those addresses yourself.
Just to be sure, there are no other machines using something like VRRP in the same network?

Given the complexity of your setup (vlan, lagg, etc), I would really advise you to build a simple test setup first and then extend it step by step to determine what part of your solution is causing your issue.

Cheers,

Ad

790
General Discussion / Re: IPSEC NAT/BINAT
« on: October 12, 2015, 03:24:48 pm »
Just fixed the issue, more information over here:
https://github.com/opnsense/core/issues/369

The changes will probably be part of the next release.

791
15.7 Legacy Series / Re: Can't add VIP Alias
« on: October 11, 2015, 06:15:56 pm »
Hi Romain,

Confirmed the issue, when you add a new VIP it forgets to put it on its todo list for applying the change.
This commit fixes this issue:
https://github.com/opnsense/core/commit/8d28488f221ae1776084639a17eb60529631aa8b

Cheers,

Ad

792
15.7 Legacy Series / Re: Disable log for default WAN rules
« on: October 02, 2015, 07:20:23 pm »
@Kuragari
I missed your last question, but if you only want to disable logging for a specific IP within the RFC 1918 range, you probably should disable the interface setting and add the block rules manually in the firewall for these ranges.

793
General Discussion / Re: How does the web interface work ?
« on: October 02, 2015, 09:11:42 am »
Hi,

Currently the web interface is running as root, but we are making efforts to migrate away from the need for root at the GUI part.
All new parts, and some of the existing, already use the configd system which provides an easy command structure to a unix domain socket.

For more information on the architecture we're migrating to, see:
https://wiki.opnsense.org/index.php/Develop:Architecture

Regards,

Ad

794
General Discussion / Re: Shared bandwidth
« on: October 01, 2015, 06:22:02 pm »
Enable advanced when creating a rule (in the left corner of the dialog), choose your lan interface as interface and your wan as "interface 2".

795
15.7 Legacy Series / Re: How do I restart openvpn client from the command prompt?
« on: October 01, 2015, 05:07:06 pm »
Hi,

At the moment we don't have a call for that, although it shouldn't be very hard to create a configd call + script for it like all new features we implement.

Maybe you can add an issue on github (https://github.com/opnsense/core/) for such a feature? When there's time, we might pick it up and come up with calls like:

Code:
configctl openvpn client list
configctl openvpn client start <id>
configctl openvpn client stop <id>
configctl openvpn client restart <id>


Regards,

Ad


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved