Group alias "OpenVPN net" do not match in ruleset #5588
Comments
Hi @tobiasstein, It looks like "(ovpns1:network)" doesn't do the right thing on the kernel side. I'm not sure if it can derive a network from a tunnel setup. Can you share the Cheers,
to show the current contents of
Hi @fichtner, Hi @AdSchellevis, thanks for your response and as requested:
I haven't assigned an IPv6 ULA, yet - so it's bare IPv4. I swear I've configured
SNM is missing maybe because the interface is
Just for the sake of completeness the content of "OpenVPN_Netzwerk"
Ok, as expected there is no way for pf(4) to expand the tunnel network since the kernel never had this information. I'm not even sure if this can be fixed.
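As an added illustration (not code from the issue or from OPNsense) of why a `:network` interface modifier cannot recover a tunnel network: pf derives the network from the address and netmask the kernel holds for the interface, and a point-to-point tunnel interface typically carries a host netmask. The ifconfig-style records below are constructed for the example, and `check_tunnel_alias` compares what can be derived with the tunnel network configured on the OpenVPN server.

```python
import ipaddress

# Constructed ifconfig-style records (assumption, not taken from the issue):
# the LAN interface has a normal /24 mask, the tunnel interface is
# point-to-point and therefore carries a host mask in the kernel.
INTERFACES = {
    "igb0":   {"inet": "192.168.1.1",   "netmask": "0xffffff00", "ptp": None},
    "ovpns1": {"inet": "192.168.249.1", "netmask": "0xffffffff", "ptp": "192.168.249.2"},
}


def kernel_network(rec):
    """Emulate pf's ':network' expansion: network = address & netmask."""
    mask = int(rec["netmask"], 16)
    prefix = bin(mask).count("1")
    return ipaddress.ip_network(f'{rec["inet"]}/{prefix}', strict=False)


def alias_matches(ifname, client_ip):
    """Would a rule using '(ifname:network)' match traffic from client_ip?"""
    return ipaddress.ip_address(client_ip) in kernel_network(INTERFACES[ifname])


def check_tunnel_alias(ifname, configured_tunnel):
    """Return (derived network, True if it covers the configured tunnel network).

    A False result means the dynamic alias built from this interface cannot
    match the tunnel clients, which is the mismatch described in the issue.
    """
    derived = kernel_network(INTERFACES[ifname])
    configured = ipaddress.ip_network(configured_tunnel)
    return derived, configured.subnet_of(derived)


if __name__ == "__main__":
    for ifname in INTERFACES:
        print(ifname, "->", kernel_network(INTERFACES[ifname]))
    derived, ok = check_tunnel_alias("ovpns1", "192.168.249.0/24")
    print("ovpns1 alias covers tunnel network:", ok)
```

Run against real `ifconfig` output, the same comparison tells you whether an interface-derived alias can be relied on for a given tunnel before a rule using it is deployed.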
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue,
Description
With OPNsense 21.7+ and 22.1+
the (group) alias "OpenVPN net" does not match
when it is used in the firewall ruleset.
To Reproduce
Steps to reproduce the behavior:
192.168.249.0/24
192.168.249.0/24
```shell
while sleep 1; do ping -c4 -W1 192.168.1.1; done
```
Expected behavior
The expected label/rule is: "Allow IMCP"
The previous rule with the builtin dynamic alias should have matched.
Describe alternatives you considered
I considered the alias only to be filled, if a corresponding interface has been assigned.
This assumption also turned out to be wrong.
To verify this I logged in via backup-path,
assigned an OPNsense interface "OpenVPN_RA" to the device
ovpns1
(without IP configuration, because it's forbidden on a tunnel interface).
Then I restarted the OpenVPN server to assign the defined tunnel-ip to the interface.
Now I'm able to select the Interface in Livelog,
but the alias "OpenVPN net" as well as the alias "OpenVPN_RA net" still don't match.
Screenshots
Ruleset:
![Screenshot_20220221_160225](https://user-images.githubusercontent.com/1701647/154982835-9dc8ed88-cb29-421c-816d-44116af8ebf5.png)
Livelog:
![Screenshot_20220221_160347](https://user-images.githubusercontent.com/1701647/154982896-6cc60951-5017-4b5f-a9f4-d58652a93466.png)
Relevant log files
I attached a grep of rules.debug (of the OS with 21.7)
Additional context
It would be nice to have a little hint "(group)"
attached to the OpenVPN group rules to make this clear to the user
as the Wireguard (group) ruleset has recently been received.
But this is a topic for a separate feature request.
Where can I take a look at the builtin, predefined and dynamically created
aliases like ports and networks? Firewall: Diagnostics: Aliases
only provides a very limited subset.
Environment
as well as:
Thanks a lot for OPNsense! :-D