Messages - mircsicz

#46
Hi all,

I've read and followed those three threads: https://forum.opnsense.org/index.php?topic=448.0 and https://forum.opnsense.org/index.php?topic=7299.msg32981#msg32981. Especially the last one has a very specific solution, but sadly that does not help with the current version of 3CX.

This is what the test tells:


This is what I've setup in OPNsense (BTW: 19.1.7)


This is the Forwardings:

Doesn't make a difference if I disable or enable those rules...

And yes as this is Multi-WAN there's a rule to tell the 3CX to only use VDSL:


The document supplied by 3CX isn't very supportive either; it's just telling in detail why the test is correct: https://www.3cx.com/docs/firewall-checker/

So I'm kinda lost with this, and 3CX totally refuses any further support until the firewall test gets "GREEN".

#47
@ralf.kirmis No, as shown in the above ScreenShot ;-)

Had a call with Jos, installing two patches solved the Issue:


sudo opnsense-patch 7835e9c 198887ed


So I'll be skipping 19.1.5 or wait for the hotfix Franco has in the making ...  8)

EDIT: seems to be already out:

[13/38] Fetching opnsense-19.1.5_1.txz: 100%    4 MiB   2.2MB/s    00:02
#48
@ralf.kirmis

THX for the hint, just tried it but no change so far:
#49
@va176thunderbolt For me this is no similar issue as I can connect from one side of the tunnel but not from the other side. Probably just my fault in the firewall settings...

#50
Quote from: mimugmail on April 04, 2019, 03:57:14 PM
Then it's blocked on the other side in incoming direction I'd guess

Definitely not, as it worked before changing the WAN setup on location #1 ;-)

As a picture based approval:


Firewall log on location #1:


Firewall log on location #2:
#51
Yes, the tunnels are established, and sorry for not stating that clearly in my intro!

I can't connect from 10.10.2.x to 10.10.23.2 (for example) but I can connect from 10.10.23.x to 10.10.2.2

I already created dumps on the OPNsense on location #1, one is from interface CS, the other from IPsec... All I tried to do is open an SSH connection behind the IPsec...
#52
@mimugmail: THX for your reply, but both of the systems are running since 16/17 and both of the tunnels have been there for a while... But I checked anyways and the tunnels have it checked on both sides of the connection.
#53
Hi hi,

I've got two APU-based OPNsense boxes which are connected using IPsec



After I've added MultiWAN with a failover config on location #1:


I modified the firewall rules like so:


But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 and "DS net" is 10.10.5.0/24

Hope one of you spots my failure...
#54
Hi Fabian,

thx for your reply...

But I've tried all those options before posting here...

It accepts none of the following:
- "80, 443"
- "80 443"
- "http, https"
- "http https"
#55
I've setup shaping in another firewall, I cloned the settings from another machine.

On the clone source (which was setup while running 18.7) I could setup the rule entering a port list:



The target is now running 19.1.4 and doesn't allow me to enter a list of ports any longer:


Could someone please tell me if this is intended, or if there's still a way to define several ports in one rule?
#56
Most of my routers are built on APUs.

But those two sadly aren't, but I also had this on APUs with SSDs that are still used until today...

One of them is a year old, the other is way older... As it happened with a new and an old one and happened before, I hope it's not the hard drive...

Anyways, the new one is 250 km away, the old one only 15 mins driving! I'll probably reset the old one during the next week!

Is there any data that would help you debug the issue?

EDIT: just found a third system (my father-in-law's ...), this time an APU with a 6-month-old SSD:


As you can see in the screenshot, on that one the webinterface still works! And I'm sitting only a few meters away and just loaded the latest installer image. I'd bet that after the cold boot it will be fine...
#57
Hi Franco, nope, sure I have tried su with the root passwd... But guess what!

And as I said I've had that a few times with 18.7 upgrades too, all of them worked fine after the webif reboot...

Greetz
#58
Hi all,

just upgraded a bunch of machines using SSH. I've seen similar probs during 18.7 upgrades but never took the time to post...



Being dropped to such a limited shell I'm kinda lost, I can't use sudo or su, so I can't reboot the machine. And as the webinterface doesn't load through my usual SSH tunnel I can't even reboot from there!!! So pls help! :-(

If I remember correctly I didn't post when having that issue in 18.7 because back then I could use the webinterface.
#59
Thanks Franco,

even though I don't like to lose SSH during an upgrade, I surely like hardening the system...

But how can I avoid being locked out prior to the upgrade? I was hoping there's a way to do that in preparation before running the 18.7 upgrade... Specifically because I got quite some machines I only have SSH access to!

And yet so far all I found about it was:
Quote
o SSH access can be set for an arbitrary group as well under System: Administration for non-members of "admins" group.  However, in both cases only SCP works due to a request in the forum to be more proactive regarding yielding of shell access rights.  If you want a user to gain true SSH access you need to change their shell from "nologin" to an installed shell in their respective settings.

in your above mentioned thread...

EDIT:
Had a support call with Jos on Friday, he suggested to script it and have the script that changes my user's login shell run after the upgrade...
#60
I'm aware of this posting. And if there's no way around that issue I need to drive quite a few km.

There's also an older posting which describes how I did it when setting up the router...

But how the f... could that working setting be destroyed during the upgrade path? For me it's a basic security setting to disable root and allow only key login to the other users. That is how I run all my systems! And as I'm running more than two dozen OPNsense routers all over Germany, I'm now kind of afraid to upgrade them with a simple SSH login... Seems I need to go to every single webinterface and downgrade my security settings before I upgrade. Not good!

Greetz
Mircsicz