Recent posts

#1
General Discussion / FIB/VRF support in OPNsense
Last post by pfry - Today at 04:34:27 PM
There have been a few discussions of this in the fora; I didn't see any relevant github requests.

Would anyone be up for FIB/VRF support?

It could be implemented pretty simply. As with many OPNsense features, you could use VRFs/FIBs to really screw yourself up. But I think the feature would be quite usable. The beauty is that default behavior would not change in any meaningful sense, and it could be tested to a considerable extent without (GUI) implementation.

Details:

Possible kernel compile option: "options ROUTETABLES=n". Apparently the standard kernel can be configured (using "net.fibs", as below) for at least n=2. Appropriate setting? I imagine it would depend on impact, if any.

System:
  • Settings:
    • "net.fibs" in loader.conf. Not sure where to put this setting (General -> Networking, as "FIBs" or "VRFs"?). It would be used as an interlock for most of the settings below. Interlock behavior options: vanish/gray/do nothing/error on setting; zero/ignore fib settings when "net.fibs" is unconfigured.
    • "net.add_addr_allfibs" - I would make this a tuneable, default 0. I'm not sure if this setting is still available, or if it will be in future versions.
  • Gateways:
    • Configuration:
      • "fib" setting for the gateway.
      • "fib" column (not selected by default) for the display. I would display data from all fibs, using "setfib n [command]", as n=0 should always be valid.
  • Routes:
    • Configuration:
      • "fib" setting for the route.
      • "fib" column for the display, as above.
    • Status:
      • "fib" column for the display, as above.

Interfaces:
  • [Interface]:
    • "fib": integer

Firewall:
  • Automation:
    • Filter:
      • "fib" column for the display, as above. I would include this as the current display has lots of options.
  • Rules:
    • [Interface]:
      • Interlock: for "Action" = Pass, "Direction" = In: "fib" (pf "rtable") setting: integer.

I've likely missed (quite) a few... e.g. "fib" for ping, trace.

Possible caveat: "route" may be fussy with fib > 0 - it might require an "up" interface in the fib in order to add routes. I'm not sure if this is a non-default behavior, as I haven't tested it.
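As an added illustration (not code from the post above or from OPNsense), a POSIX shell sketch of the "interlock" described in the proposal and of the FreeBSD commands the proposed "fib" fields would map to; interface names, gateways, the modes "ignore"/"error" and the sample loader.conf contents are constructed assumptions.

```shell
# Added example (not from the post or OPNsense): a sketch of the "interlock"
# the proposal describes. A per-object "fib" is honoured only when net.fibs
# is configured in loader.conf and the index is in range; otherwise it is
# collapsed to fib 0 ("ignore") or rejected ("error"). Interface names,
# gateways and the sample loader.conf are constructed values.

# Read net.fibs from a loader.conf-style file; the kernel default is 1.
read_net_fibs() {
    n=$(grep '^net\.fibs=' "$1" 2>/dev/null | tail -n 1 | cut -d= -f2 | tr -d '"')
    case "$n" in ''|*[!0-9]*) n=1 ;; esac
    printf '%s\n' "$n"
}

# validate_fib FIB NET_FIBS MODE: print the effective fib, or "error".
# Non-numeric input is treated as the always-valid fib 0.
validate_fib() {
    fib="$1"; nfibs="$2"; mode="$3"
    case "$fib" in ''|*[!0-9]*) fib=0 ;; esac
    if [ "$fib" -lt "$nfibs" ]; then
        printf '%s\n' "$fib"
    elif [ "$mode" = error ]; then
        printf 'error\n'
    else
        printf '0\n'
    fi
}

# What the proposed GUI fields would translate to on FreeBSD: the interface
# fib, a default route added in that fib via setfib, and a pf rule that
# steers matching inbound traffic into the same routing table (rtable).
render_fib_setup() {
    ifname="$1"; fib="$2"; gw="$3"
    printf 'ifconfig %s fib %s\n' "$ifname" "$fib"
    printf 'setfib %s route add default %s\n' "$fib" "$gw"
    printf 'pass in quick on %s rtable %s\n' "$ifname" "$fib"
}

# plan_fib_setup LOADER_CONF IFNAME FIB GATEWAY MODE
plan_fib_setup() {
    conf="$1"; ifname="$2"; fib="$3"; gw="$4"; mode="$5"
    nfibs=$(read_net_fibs "$conf")
    eff=$(validate_fib "$fib" "$nfibs" "$mode")
    if [ "$eff" = error ]; then
        echo "fib $fib rejected: net.fibs=$nfibs only allows 0..$((nfibs - 1))" >&2
        return 1
    fi
    render_fib_setup "$ifname" "$eff" "$gw"
}
```

With `net.fibs` left unconfigured, every non-zero "fib" collapses to 0 in "ignore" mode, which is the "default behaviour does not change" property the proposal relies on.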
#2
German - Deutsch / Re: Wireguard VPN Verbindung a...
Last post by BeTZe313 - Today at 04:32:30 PM
In OPNsense I have opened port 51820 inbound for everything on WAN, LAN and WG1.

Unfortunately that did not help.

I have now installed the client on my phone. Unfortunately the same thing there: the connection is established, but I cannot reach anything on the VPN network.
#3
25.1, 25.4 Series / Re: Question about 2 vulnerabi...
Last post by franco - Today at 03:52:28 PM
It's pretty interesting. I'll try to delete it when I see embedded links, but they mostly stick random stuff on here or repost old forum messages and only go back later and add links everywhere they already posted.
Cheers,
Franco
#4
25.1, 25.4 Series / Re: Question about 2 vulnerabi...
Last post by meyergru - Today at 01:51:55 PM
Saw that only after it started advertising... damn AI slop.
#5
25.1, 25.4 Series / Re: Question about 2 vulnerabi...
Last post by franco - Today at 01:32:43 PM
You both have been arguing with a bot :)
#6
25.7, 25.10 Series / Re: Problems Uploading Photos ...
Last post by AnthonyStark - Today at 12:55:52 PM
I was able to identify the issue. Contrary to the recommendations in the documentation - which I was not yet aware of at the time - I had mixed tagged and untagged VLANs on the switch port. All VLANs are now tagged, and the problem no longer occurs.

EDIT:
Too early, the problem unfortunately still occurs.
#7
General Discussion / Re: Site-2-Site VPN and additi...
Last post by tkrn - Today at 12:53:45 PM
I had a similar problem where I was just getting a single endpoint on my site-to-site VPN and I could not get an L3 subnet for a full route table between networks. My problem turned out to be that the common name has to match the client certificate which I issued to the other site. The common name did not match the common name within the certificate, thus never applying the Client Specific Overrides, which is the mechanism that pushes the routed subnets. As you expand the common name within Client Specific Overrides, it gave me the hint that "Enter the client's X.509 common name here."

After that was resolved, I forced a disconnect and it came back up as expected! Additionally, my OpenVPN role is SERVER, and type TUN, topology SUBNET. Let me know if you have any questions!
#8
Virtual private networks / VPN Site-to-Site + LDAP
Last post by Jhon Luke - Today at 12:45:01 PM
I need to create a Site-to-Site VPN, where the branch office will authenticate with the headquarters' Active Directory, and all browsing will be controlled by headquarters.
Who can help me set up this VPN?
Message me privately.
#9
General Discussion / Re: GUI/Shell crashing
Last post by Mattps - Today at 12:36:36 PM
Thank you,

I did try the tuneable (point 23) as you suggested previously - as indicated in post #3. Sorry, only just spotted Patrick's reply - this was installed before creating this post.
#10
25.7, 25.10 Series / Re: VPN: IPsec: Status Overvie...
Last post by dstr - Today at 11:41:53 AM
25.7.7_4-amd64 fixed phase2 view
Thanks and regards