Recent Posts

1

Tutorials and FAQs / HELP!! OpenVPN can't access local server

« Last post by MiMarGa on Today at 07:02:03 am »

I use OpenVPN to access my home network from outside, VPN has successfully connected to OPNSense, but why can't I access the data server at home?

IP openVPN 10.10.100.0/24
Local server IP that will be accessed 192.168.4.0/24

I have created a rule in OpenVPN according to the tutorial on
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

2

20.1 Production Series / Re: Packets bigger than MTU get dropped

« Last post by mimugmail on Today at 06:53:27 am »

http://yurisk.info/2009/09/01/ping-setting-dont-fragment-bit-in-linuxfreebsdsolarisciscojuniper/

your ping denies the firewall to fragment ... you have to remove on the cilent or add a scrubbing rule to delete the df bit from the packet (which costs cpu cycles)

3

Web Proxy Filtering and Caching / Re: Why Alias can't block YouTube

« Last post by MiMarGa on Today at 06:51:38 am »

well, the bad news is that: long story short, you can't block youtube through firewall aliases (unless you got much time, patience and technical knowledge to enter every single IP youtube uses).
see this link for reference: https://forum.opnsense.org/index.php?topic=5279.0.

The good news is that there's a couple of solutions Depending :

1- Use DNS to block access to youtube which is simple enough to do, but users can use VPN to access blocked websites.

2-Use IPS (Intrusion prevention system) deep packet inspection to block certain websites and VPN but it's hard and not fail-proof.

3- Ideally use a transparent proxy server to filter traffic and block VPN for good (again this isn't for the faint of the heart).

You should study your case and choose the appropriate solution.

thank you

4

20.1 Production Series / Re: Packets bigger than MTU get dropped

« Last post by danielm on Today at 06:51:34 am »

If I set the MTU low enough (e.g. 900) everyday stuff starts being affected - e.g. some websites like google refuse to load for example. Ping also reflects that then with packets above size 900 getting lost. I thought about potential driver issues - the machine is a HP DL320e gen8 v2, I am using its default NICs. Do you think it might be a good idea to buy a different NIC card and try with that?

5

20.1 Production Series / Re: Packets bigger than MTU get dropped

« Last post by danielm on Today at 06:47:23 am »

No, I am using ping on linux like "ping -s 1600 ..." and the WAN interface has a MTU of 1500 (1492 effective bc. PPP)

6

20.1 Production Series / Re: NAC on opnsense.

« Last post by hlyi on Today at 06:18:08 am »

Thanks @mimugmail!

7

Development and Code Review / Re: Access Servers - Radius: Adding default radius realm to configuration page

« Last post by mimugmail on Today at 05:59:03 am »

Field validation in new code are in mvc/app/model.../bla.xml
On old code you can search for "preg" in source files.

Create an account in github, fork opnsense/core, do you changes local in your fork, create a pull request ( button are all there )

8

20.1 Production Series / Re: MS Windows 10: Always on VPN using an OPNsense as VPN server

« Last post by mimugmail on Today at 05:55:24 am »

Use OpenVPN with Certificates and let it start as a service.
If your clients depend on internal DHCP, DNS etc. you could also use tap to bridge them in your LAN

https://strongvpn.com/autoconnect-windows-10-openvpn/

9

20.1 Production Series / Re: Packets bigger than MTU get dropped

« Last post by mimugmail on Today at 05:50:50 am »

Do you set the DF bit with your ping test?

10

20.1 Production Series / Packets bigger than MTU get dropped

« Last post by danielm on Today at 03:57:27 am »

The problem: On my box, I noticed that if I ping something that is connected to the physical WAN port (something on the internet or the modem) and the packet is bigger than the MTU, it seems to get dropped (in case of ping: no echo answer). If the packet is smaller though, ping works reliably. To my understanding, the packet should have been fragmented, the fragments being sent over the WAN. Also, e.g. if I lower the MTU on the WAN interface, I can see that also smaller packets will start to get dropped reliably, so I think the opnsense firewall is the culprit.

The system looks like this:

VDSL2 internet connection
^
Modem (Draytek Vigor 165)-----------------------------|
^                                                                             ^
Firewall PPPoE on VLAN 7 (WAN interface)       Firewall VLAN 0 ("Modem" interface only for accessing modem gui)
^                                                                             ^
OPNSENSE (v. 20.1.3)-----------------------------------|
^
LAN interface
^
LAN network

The MTU on WAN interface and on Modem interface are set to default for now. I saw no logs that gave anything useful. Interestingly, ipv6 ping also seems to get lost if packets are too big. As of now, everyday stuff like browsing, VOIP, conferencing or servers dont seem to be affected by this problem, but it seems to me that this is mostly luck and I fear this will bite me when it comes to things like VPN in the future, so I'd be glad if someone can point me in the right direction here.