Recent posts

#41
25.1, 25.4 Production Series / Re: 25.1.11 - Dnsmasq tries to...
Last post by phaze75 - July 18, 2025, 12:16:52 PM
Quote from: Monviech (Cedrik) on July 18, 2025, 11:05:58 AM
I cannot see a line like this

interface=vlan0.1,vlan0.2

Can you check "Services: Dnsmasq DNS & DHCP: General: Default: Interface" and choose the interfaces there that DHCP should work on?

In your case igb1. That also generates the DHCP firewall rules.


You are my hero! Choosing "LAN" as interface did the trick. But why doesn't it work if it is set to "All"? Is this intentional?
#42
25.1, 25.4 Production Series / Re: VPN and NAT Reflexion
Last post by Monviech (Cedrik) - July 18, 2025, 12:03:16 PM
A secret technique is to put the reverse proxy on the OPNsense itself which will cut out all the NAT issues just like that.

There are quite a few to choose from.
#43
25.1, 25.4 Production Series / VPN and NAT Reflexion
Last post by dennis_u - July 18, 2025, 11:58:59 AM
Hello.

(network diagram is attached)

Due to limited public IPs, we use Port Forwarding from outside to inside. The NAT points in most cases to some servers in the DMZ. Let's assume we have a URL like app.acme.com, which resolves to our public IP 1.2.3.4. You can access https://app.acme.com from the internet as expected. In order to reach app.acme.com also from inside, the OPNsense does NAT Reflection. This also works fine (you can see blue RDR rules in the log).

But: it doesn't matter if you use OpenVPN or WireGuard, Road Warriors cannot access https://app.acme.com. If they disable the VPN, they can use it immediately. But then they cannot access pure internal applications anymore. Rules and routing are double and triple checked.

It is no routing issue, since I am able to follow the traces if you access the Reverse Proxy directly. One workaround may be to resolve app.acme.com directly to the proxy instead of the public IP. But we also have a general-purpose DNS name, and the OPNsense decides which destination is the right one based on the port.

In general, why is it a problem to do NAT reflection through a VPN tunnel? Or is there a box I missed to tick? There are already some related topics here on the board, but they are in most cases unanswered and damn old. I would like to investigate this.
#44
lol
#45
Pah! Documentation! Where we are going we don't need "documentation"! :-)
#47
Quote from: Monviech (Cedrik) on July 18, 2025, 11:39:36 AM
Having multiple networks in the same child works, just depends on the peer on the other side. Between two OPNsense or a recent strongswan peer it works just fine, other vendors might need tunnel isolation, meaning one child SA per traffic selector.

I figured as much: that entering multiple networks in a single child vs. creating multiple children corresponds with the old "tunnel isolation" setting. Thanks for confirming.
#48
25.1, 25.4 Production Series / 25.1.10 => 25.1.11: DHCP on WA...
Last post by JanOsch - July 18, 2025, 11:43:02 AM
Hi,

since updating to 25.1.11 (coming from 25.1.10) I'm not getting an IP address on one of my WAN interfaces anymore:
(This is a cable modem connection, running in bridge mode, worked fine for months)

2025-07-18T11:34:40   Notice   dhclient   dhclient-script: Reason FAIL on vtnet2 executing
2025-07-18T11:28:39   Notice   dhclient   dhclient-script: Reason FAIL on vtnet2 executing
2025-07-18T11:22:40   Notice   opnsense   /usr/local/etc/rc.newwanip: Failed to detect IP for interface opt1
2025-07-18T11:22:40   Notice   dhclient   dhclient-script: Reason FAIL on vtnet2 executing
2025-07-18T11:22:39   Notice   dhclient   dhclient-script: New Routers (vtnet2): 91.x.x.x
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New Routers (vtnet2): 91.x.x.x
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New Broadcast Address (vtnet2): 91.x.x.255
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New Subnet Mask (vtnet2): 255.255.255.0
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New IP Address (vtnet2): 91.x.x.x
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: Reason TIMEOUT on vtnet2 executing

Deleted the interface completely, rebooted, added it again but still no joy. Disabled DHCPv6, makes no difference.

Any hints how to solve this would be highly appreciated.

Kind regards

Jan
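The log excerpt in the post above is read newest-first and mixes two sources: dhclient-script reporting a reason (TIMEOUT, FAIL, BOUND, ...) plus the lease values it was handed, and rc.newwanip reporting on the logical interface name (opt1) rather than the physical one (vtnet2). The following parser is an added example, not code from OPNsense or from the poster: it puts the lines back into chronological order, merges the two naming schemes through an assumed opt1 -> vtnet2 mapping, and classifies each interface from its last reason and what preceded it. The sample log is constructed in the shape of the quoted lines, with addresses from the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges; the reason names follow the FreeBSD dhclient-script reason list.

```python
"""Summarise per-interface DHCP lease state from OPNsense dhclient log lines.
Added example, not OPNsense's or the poster's code."""
import re
from collections import defaultdict

# Constructed sample log, newest line first as the OPNsense GUI shows it.
SAMPLE_LOG = """\
2025-07-18T11:28:39   Notice   dhclient   dhclient-script: Reason FAIL on vtnet2 executing
2025-07-18T11:22:40   Notice   opnsense   /usr/local/etc/rc.newwanip: Failed to detect IP for interface opt1
2025-07-18T11:22:40   Notice   dhclient   dhclient-script: Reason FAIL on vtnet2 executing
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New Routers (vtnet2): 203.0.113.1
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New Broadcast Address (vtnet2): 203.0.113.255
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New Subnet Mask (vtnet2): 255.255.255.0
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: New IP Address (vtnet2): 203.0.113.77
2025-07-18T11:22:38   Notice   dhclient   dhclient-script: Reason TIMEOUT on vtnet2 executing
2025-07-18T11:20:01   Notice   dhclient   dhclient-script: New IP Address (vtnet0): 192.0.2.10
2025-07-18T11:20:01   Notice   dhclient   dhclient-script: Reason BOUND on vtnet0 executing
"""

# Assumed mapping of OPNsense logical interface names to physical ones
# (rc.newwanip logs the logical name, dhclient-script the physical one).
IFMAP = {"opt1": "vtnet2"}

# Common prefix: timestamp, severity, process name, then the message.
PREFIX = r"^(?P<ts>\S+)\s+\S+\s+\S+\s+"
REASON_RE = re.compile(PREFIX + r"dhclient-script: Reason (?P<reason>[A-Z]+) on (?P<ifname>\S+) executing$")
LEASE_RE = re.compile(PREFIX + r"dhclient-script: New (?P<field>[A-Za-z ]+) \((?P<ifname>[^)]+)\): (?P<value>\S+)$")
NEWWANIP_RE = re.compile(PREFIX + r"\S*rc\.newwanip: Failed to detect IP for interface (?P<ifname>\S+)$")


def parse_dhclient_log(text, ifmap=None, newest_first=True):
    """Return (ts, physical_ifname, kind, value) events in chronological order."""
    ifmap = ifmap or {}
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # file order becomes chronological; the stable sort below keeps it
    events = []
    for line in lines:
        if m := REASON_RE.match(line):
            events.append((m["ts"], m["ifname"], "reason", m["reason"]))
        elif m := LEASE_RE.match(line):
            events.append((m["ts"], m["ifname"], m["field"], m["value"]))
        elif m := NEWWANIP_RE.match(line):
            events.append((m["ts"], ifmap.get(m["ifname"], m["ifname"]), "newwanip", "failed"))
    events.sort(key=lambda e: e[0])  # stable: same-second lines keep their relative order
    return events


def summarize(events):
    """Collapse events into per-interface lease fields, reason history and newwanip result."""
    state = defaultdict(lambda: {"lease": {}, "reasons": [], "newwanip_failed": False})
    for _ts, ifname, kind, value in events:
        if kind == "reason":
            state[ifname]["reasons"].append(value)
        elif kind == "newwanip":
            state[ifname]["newwanip_failed"] = True
        else:
            state[ifname]["lease"][kind] = value
    return dict(state)


def diagnose(state):
    """Classify each interface from its last dhclient reason and the reasons before it."""
    verdicts = {}
    for ifname, s in state.items():
        reasons = s["reasons"]
        last = reasons[-1] if reasons else None
        got_lease_values = "IP Address" in s["lease"]
        if last == "BOUND":
            verdicts[ifname] = "bound"
        elif last in ("FAIL", "EXPIRE") and "TIMEOUT" in reasons:
            # On TIMEOUT dhclient-script is handed lease values to retry, so the
            # "New IP Address" lines do not prove a server answered.
            verdicts[ifname] = "timeout-then-fail"
        elif last in ("FAIL", "EXPIRE") and got_lease_values:
            verdicts[ifname] = "offer-then-fail"
        elif last in ("FAIL", "EXPIRE"):
            verdicts[ifname] = "fail-without-offer"
        else:
            verdicts[ifname] = "in-progress"
    return verdicts


def run(text=SAMPLE_LOG, ifmap=IFMAP):
    """Parse, summarise and classify; returns {physical_ifname: verdict}."""
    return diagnose(summarize(parse_dhclient_log(text, ifmap)))


if __name__ == "__main__":
    for ifname, verdict in run().items():
        print(f"{ifname}: {verdict}")
```

The distinction the classifier draws is the one worth checking before blaming the upstream: a FAIL that follows a TIMEOUT means no fresh reply was seen in that cycle, whereas lease values logged without a TIMEOUT point at something after the offer (the script, the interface, or the GUI's newwanip hook).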
#49
Well sometimes having less magic leads to more explicit configuration.

- I had to use certificates before, it's quite common when setting up roadwarrior IPsec setups (EAP-TLS), but also in S2S when higher security than just a PSK is needed. https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html
- Having multiple networks in the same child works, just depends on the peer on the other side. Between two OPNsense or a recent strongswan peer it works just fine, other vendors might need tunnel isolation, meaning one child SA per traffic selector.
- The reqid value is just needed if you have a mix of legacy and connection tunnels at the same time. If you migrated everything to connection the reqid can be deleted as they will be auto generated.

Just give this component some time, it is way more powerful than the old GUI.
#50
25.1, 25.4 Production Series / Re: removed “disable integrate...
Last post by proctor - July 18, 2025, 11:22:41 AM
Hi franco,

thank you for your explanation and I understand the reason for that decision.

Quote from: franco on July 18, 2025, 10:38:19 AM
One of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console. Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.

SSH is limited to ssh-keys, password login is not permitted.

Quote
For physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection.  ;)

My boxes are physical systems but located at customers' premises, so auto login is obviously no option.

Quote from: Patrick M. Hausen on July 18, 2025, 10:44:18 AM
Enforce 2FA for all administrators except root, which keeps password authentication, set an e.g. 40 character password and keep it somewhere safe for emergency access. Like failing time synchronisation.

That would be a nice solution (and root does not need direct remote access gui/ssh).

Additional use case:

Loading a customer's configuration into a box without internet connection (no NTP server reachable).

Kind regards,
proctor