Recent posts

#1
General Discussion / Re: Crashing after upgrading t...
Last post by bigdog420 - Today at 04:39:19 PM
Quote from: newsense on Today at 04:52:05 AM
You can start by posting a health check and the output of this command

ls -ltrh /var/crash/

Looks like it comes up empty

I did have something though from my previous search engine searches:
Fatal trap 12: page fault while in kernel mode
Similar to this topic: https://forum.opnsense.org/index.php?PHPSESSID=bjvl1u7vtsaeu670pfvni5gvk5&topic=28302.15

I guess I'll need to wait for the crash to happen again to grab the info needed. I'll update this thread once that is done.

Thanks!
#2
26.1 Series / Re: tunables set to unknown va...
Last post by mr.aksu - Today at 04:31:08 PM
Hm, no change in 26.1.5, "System: Settings: Tunables" still showing random things for "Value" and "Default".
#3
26.1 Series / Rule migration: Inverting dest...
Last post by szotsaki - Today at 03:22:17 PM
I followed the migration wizard steps and after importing the rules I was given four "lines" in a pop-up window without further explanation. Whether they are errors or just warnings, or whether the said rules were migrated or not, was not clear.

These are two examples:
destination_net Inverting destinations is only allowed for single targets to avoid mis-interpretations bf920f1c-a9ab-4383-8dd7-9ca5e9b8c2f7;1;keep;;371;pass;1;0;lan;in;inet46;any;;;;;0;1;0;0;0;;;;;;;;;;;;;;;;;;;;;;;"Allow access to WAN";0;lan;;1;PrivateIPv4,PrivateIPv6;
destination_net Inverting destinations is only allowed for single targets to avoid mis-interpretations 2ace6415-7b35-4c42-9bb8-ee5415de71ec;1;keep;;451;pass;1;0;opt1;in;inet46;any;;;;;0;1;0;0;0;;;;;;;;;;;;;;;;;;;;;;;"Block access to other internal networks but allow access to the Internet";0;opt1;;1;PrivateIPv4,PrivateIPv6;

After the import, I see them in the new rule set table, but I cannot edit them:

I can look up the "reference" for these rules with the button, but will they be gone after I remove the old rule set? Currently, I assume so.

Could you please handle these kinds of rules gracefully during import?

Additionally, I find the old rules editor a lot better from a UX perspective:
  • Physical keys (up, down, PgUp, PgDn) work on the page right away, no need to click around
  • Having two scrollbars next to each other (page in page) is weird, just to have an Apply button in the bottom.
  • Restricting a huge table on a huge monitor into a small area with many borders feels very cluttered.
#4
Virtual private networks / Re: Issues with new "IPSec" ve...
Last post by mrzaz - Today at 03:12:56 PM
Hi,
Thanks for answering.

The "Local addresses" is my public WAN IP address that is static, not DHCP or DHCP reserved.
My WAN is not double-NATed but real public static IP. Internet reaches my WAN directly.
I even have recursive DNS lookup on two of my three IPs I "own" (helps running my mailserver as more legit)

The "Remote address" is a domain name that resolves to an A record in DNS.

And using the exact same IP/PSK and similar settings in my legacy IPSec is working totally fine; it is up
and can reach the network on the other side of the IPSec.

From what I could see, both local and remote accept "single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges."

I do not use pools so that is switched off.

I'm a little puzzled about the Local and Remote Authentication screens.
The connection is the only one selectable in the drop-down menu and auth = PSK,
but I don't know if I need to specify anything in "Round" and "ID"?

If I read this correctly, it has more to do with using certificates.

"IKE identity to use for authentication round. When using certificate authentication
the IKE identity must be contained in the certificate; either as the subject DN or
as a subjectAltName (the identity will default to the certificate's subject DN if
not specified). Refer to https://docs.strongswan.org/docs/5.9/config/identityParsing.html
for details on how identities are parsed and may be configured."

I have not needed to create any certificate in the legacy IPSec OpnSense setup.

The Children (aka ~= Phase 2) has the following:
Connection = <connection name>
Mode = Tunnel
Policies = YES.  (As I am not using VTI in the setup but a straight old fashion IPSec.)
Start action = Start
DPD action = Start
Reqid = <blank>    I am not sure if this one needs to be populated with anything if not using manual certificates?
ESP proposals = default
Local = 192.168.120.0/24    ; this is my LAN
Remote = 192.168.100.0/24    ; this is remote LAN.

In the PreSharedKey setting I have set up a PSK.
Local Identifier = <my public static IP>
Remote Identifier = a specific DNS A-record domain name
Pre-Shared Key = Our PSK shared key that works in legacy IPSec right now.
Type = PSK

I just realized one thing.

In Legacy IPSec you are manually defining "My identifier" and "Peer identifier",
whereas in my legacy setting I could not find that setting!?

My identifier = My IP address (my WAN IP address, the same as defined in Connections "Local addresses").
Peer identifier = Distinguished name = <a specific domain name in "xxx.yyy.zz" format>.

There must be something I'm missing but could not find out what that is.

Firewall is set to following on WAN:
- Allow ESP for IPSec (IPv4)
- Allow IKE port 500 for IPSec (UDP ISAKMP (500))
- I also have "IPSEC-NAT-T (4500)" on WAN. (Allow IPSec IKEv2 MOBIKE NAT-Traversal)

Best regards
Dan Lundqvist
Stockholm, Sweden

PS. I have been using OpnSense for many years, and pfSense before that (until they stagnated and I moved to the much better OpnSense and never looked back). :-)
I have been using both the legacy IPSec standard and VTI tunnels (OpnSense<->OpnSense), with at least
3 VTI plus one standard IPSec at the same time.

An anecdote: I have had my own domain since 2000, and have been running a mailserver since late 2002 with at least 1-2
real persons since day one entrusting me as their main email provider for 20+ years. :-)
#5
26.1 Series / Re: Wireguard VPN
Last post by meyergru - Today at 03:07:22 PM
There are two parts of firewall rules (well, actually, it's three):

1. On WAN, you need to allow "in" access on the UDP port that your wireguard instance is running on.
2. On the Wireguard group, you need to create "in" rules to access any of the LAN resources you want external clients to have access to. For starters, you could "allow from any to any".
3. In the wireguard peer, you need to set the "allowed ip" range to those of the wireguard clients that you want to pass. You could use 0.0.0.0/0 here.

All of this is explained for both site-to-site and roadwarrior setups in the official docs.

The order of checks would be outside -> in, so first make sure that the wireguard instance is really contacted by your clients.

That means:

a. the client must be able to connect to your external WAN IP, probably by using its dynamic DNS alias.
b. the client must be allowed to use the wireguard instance's external UDP port.
c. the secrets must be correct, otherwise the packets will be silently discarded.

You can check that via the Wireguard status. It must be green, having a "handshake age" and both sent and received traffic.

The second step would be to verify access from your client to your internal networks.

You can enable firewall logging for the default block rules and watch if there are blocks.
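As a worked version of the outside-in checklist in this post, here is an added example (not code from the original post or from the OPNsense project) that parses the raw `wg show <iface> dump` output, which is what the GUI's WireGuard status page summarises, and classifies each peer: "up" when the handshake is recent and bytes flowed both ways, "degraded" when the handshake is stale or a counter is zero, and "down" when no handshake ever completed, i.e. one of steps a to c failed (wrong WAN IP/DNS name, no WAN UDP rule, or mismatched keys, which WireGuard drops silently). The interface name `wg0`, the 180-second staleness threshold, the file name and the sample dump are assumptions or constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `wg show wg0 dump` output (not captured from a real
# firewall; "wg0" and all keys are placeholders). Line 1 describes the
# interface: private-key, public-key, listen-port, fwmark. Each further line is
# one peer: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx-bytes, tx-bytes, keepalive.
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVKEY_PLACEHOLDER", "SERVER_PUBKEY_PLACEHOLDER", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER", "(none)", "203.0.113.10:41234",
               "10.10.0.2/32", "1700000000", "123456", "654321", "25"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER", "(none)", "(none)",
               "10.10.0.3/32", "0", "0", "0", "off"]),
    "\t".join(["PEER_C_PUBKEY_PLACEHOLDER", "(none)", "198.51.100.7:5555",
               "10.10.0.4/32", "1699999000", "3000", "0", "25"]),
])

# WireGuard rekeys roughly every two minutes while traffic flows, so a
# handshake older than this is treated as stale (the threshold is our choice).
HANDSHAKE_MAX_AGE = 180


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(text: str) -> List[Peer]:
    """Parse the peer lines of `wg show <iface> dump`; the interface line is skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers: List[Peer] = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(
            public_key=fields[0],
            endpoint=fields[2],
            allowed_ips=fields[3],
            latest_handshake=int(fields[4]),
            rx_bytes=int(fields[5]),
            tx_bytes=int(fields[6]),
        ))
    return peers


def assess_peer(peer: Peer, now: int) -> Dict[str, object]:
    """Map one peer's counters onto the checklist: handshake first, then traffic."""
    if peer.latest_handshake == 0:
        # No handshake at all: the client never reached the instance (wrong WAN
        # IP/DNS name, missing WAN UDP rule) or the keys do not match, in which
        # case WireGuard silently discards the packets.
        return {"status": "down", "handshake_age": None,
                "reasons": ["no handshake ever completed"]}
    age = now - peer.latest_handshake
    reasons: List[str] = []
    if age > HANDSHAKE_MAX_AGE:
        reasons.append(f"last handshake {age}s ago")
    if peer.rx_bytes == 0:
        reasons.append("no bytes received from peer")
    if peer.tx_bytes == 0:
        reasons.append("no bytes sent to peer")
    return {"status": "up" if not reasons else "degraded",
            "handshake_age": age, "reasons": reasons}


def assess_all(text: str, now: int) -> Dict[str, Dict[str, object]]:
    """Assessment keyed by peer public key for every peer in the dump."""
    return {p.public_key: assess_peer(p, now) for p in parse_wg_dump(text)}


if __name__ == "__main__":
    # On the firewall, feed the real output in via stdin:
    #   wg show wg0 dump | python3 wg_check.py -      (wg_check.py is a placeholder name)
    import sys
    import time
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        text, now = sys.stdin.read(), int(time.time())
    else:
        text, now = SAMPLE_DUMP, 1700000100  # fixed "now" for the constructed sample
    for key, result in assess_all(text, now).items():
        print(f"{key[:24]:24} {result['status']:9} {result['reasons']}")
```

A peer reported "down" here is the case to chase on the WAN side first (DNS alias, WAN UDP rule, keys); only once every peer you expect is "up" is it worth looking at the WireGuard group rules and the default-block logging for the LAN side.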
#6
26.1 Series / Re: Wireguard VPN
Last post by leony - Today at 02:47:31 PM
Quote from: meyergru on Today at 01:48:45 PM
What would be the difference between WAN and pppoe0?

One is just an assigned name for the underlying PPPoE interface - unless you made the mistake of naming the physical NIC (or VLAN) as WAN.

That is the problem with many of those videos: There is no such thing as a step-by-step tutorial, because each situation is different, like your example clearly shows.

You have to understand how things work, otherwise you will be stuck at each crossing.

With a PPPoE connection, you can have one of these topologies on the WAN side:

1. ISP ONT/modem -> physical NIC ("ONT") -> PPPoE interface ("WAN")
2. ISP ONT/modem -> physical NIC ("ONT") -> VLAN ("VLANXX") -> PPPoE interface ("WAN")

With OpnSense, you have either two or three logical interfaces. Name them according to the scheme above. Firewall rules should always be applied to "WAN", which usually is the same thing as "pppoe0". You do not even need explicit names for ONT and VLANXX, unless you want to have direct ONT/modem access. You also do not need firewall rules for "ONT" either, as per default, everything is blocked.

You obviously use it differently, which causes your confusion:

ISP ONT/modem -> physical NIC ("WAN") -> PPPoE interface ("???")

Many thanks

I have a very simple setup. No VLANs.

ISP -> PPPoE (WAN) -> LAN Devices

So I did apply the firewall rules to the WAN interface as per the video, so what could be wrong?

Is there a way to check logs or something else that I can identify the problem?
#7
26.1 Series / Re: New VLAN on OPNsense 26.1....
Last post by pfry - Today at 02:28:33 PM
Quote from: abranca on Today at 09:06:27 AM
[...]Parent interface: igc1[...]

igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
[...]
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
[...]

I do not configure the main interface that I use for VLANs, as it doesn't fly at all when using bridges. I can't say if it's your issue, though - too many differences in our setups.
#8
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by meyergru - Today at 02:07:54 PM
I got hooked by their APs many years ago, so adding their switches is a no-brainer. The management is more "prosumer" than what Cisco or Mikrotik offer, but quite effective and easy to manage. Of course it depends on if you already have one of their router-type appliances or can use all of that on a VM.

Matter-of-fact, the network controller is also available on iOS and Android as standalone apps, because apart from the guest portal, you do not need it running 24/7. I never tried those, because IMHO, you need a bit of screen real estate to easily use the interface.

My main gripes about them are:

1. The dream boxes are crap.
2. Unifi Protect is only available on their hardware (dream boxes and NVRs) - they stopped the VM versions.
3. In the last 2 years, they started way too many variants of their products, leading to a confusing portfolio and, with the many new offerings, degraded support for any of them.

#9
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by Seimus - Today at 01:59:18 PM
Quote from: meyergru on Today at 01:33:15 PM
I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for Unifi Gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist

Woo, thanks for the link! I will look through it.

The CRS326-4C+20G+2Q+RM, compared to your USW-Pro-HD-24-PoE, has the same number of ports (20+4 combo), but it has an extra 2xQSFP minus the PoE. From my point of view this Mikrotik switch is more targeted as a CORE/Aggregation switch, whereas the Unifi is more of an access switch.

I will not lie, I did look at the Unifi switches; they have a good performance/cost ratio and a lot of variations.
But the main beef I have, and I know this sounds stupid, is the central management/orchestration. I do not own any other Unifi product, thus I would have to run the management platform for only one device, which sounds unreasonable to me.

So basically I am a bit torn between getting Mikrotik or getting Unifi.

Regards,
S.
#10
26.1 Series / Re: Wireguard VPN
Last post by meyergru - Today at 01:48:45 PM
What would be the difference between WAN and pppoe0?

One is just an assigned name for the underlying PPPoE interface - unless you made the mistake of naming the physical NIC (or VLAN) as WAN.

That is the problem with many of those videos: There is no such thing as a step-by-step tutorial, because each situation is different, like your example clearly shows.

You have to understand how things work, otherwise you will be stuck at each crossing.

With a PPPoE connection, you can have one of these topologies on the WAN side:

1. ISP ONT/modem -> physical NIC ("ONT") -> PPPoE interface ("WAN")
2. ISP ONT/modem -> physical NIC ("ONT") -> VLAN ("VLANXX") -> PPPoE interface ("WAN")

With OpnSense, you have either two or three logical interfaces. Name them according to the scheme above. Firewall rules should always be applied to "WAN", which usually is the same thing as "pppoe0". You do not even need explicit names for ONT and VLANXX, unless you want to have direct ONT/modem access. You also do not need firewall rules for "ONT" either, as per default, everything is blocked.

You obviously use it differently, which causes your confusion:

ISP ONT/modem -> physical NIC ("WAN") -> PPPoE interface ("???")