Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 18, 2020, 11:12:28 am »
Sorry for the late reply,
Your NAT Rules are fine.
However, your firewall rules need tweaking, here's what I understood from your screenshots:
1- I assume that the FIREWALL LAN screens 1 & 2 are pages 1 and 2 of your FW rules respectively, that you don't have other group or floating rules, and that the "SSL VPN CA" is a self-signed certificate that you created.
2- In that case your "redirect traffic to proxy" rules need to be at the top of the list (unless there are users you don't want to redirect to the proxy), followed possibly by your DNS rule and finally a "block all" rule (unless of course you want to use other ports like SMTP, IMAP, etc.).
3- The order of FW rules is important, as the first rule gets evaluated first (in your case you have the block HTTP(S) rules first, so nothing will be allowed to reach the proxy; as to why HTTP worked but not HTTPS, it's probably because of the anti-lockout rule, which allows HTTP traffic to the FW).
4- BTW, the 127.0.0.1 subnet mask should be 32, not 24, e.g. 127.0.0.1/32. You might want to add your LAN address (the firewall LAN address with which you access the web GUI) to the unrestricted IP addresses in access control just to make sure everything works fine.
5- You can troubleshoot firewall rules by going to Firewall > Log Files > Live View and typing 3129 in the filter, then check whether it's being blocked or denied (red) or allowed (green). You can also use ".*" for an advanced filter, e.g. 127.0.0.1.*3129 to see all the rules associated with IP 127.0.0.1 on port 3129.
So to recap:
1- Add proper firewall rules.
2- Configure the proxy to enable SSL inspection (and log SNI information only if you don't want to bump sites).
3- Enable NAT.
4- At this point you should restart OPNsense.
5- Test by entering manual configuration in Firefox.
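Added illustration (not part of the post above, and not OPNsense code): a small Python model of first-match rule evaluation on the LAN interface, plus the kind of regex filter the post suggests for the live log view. It assumes a LAN of 192.168.1.0/24, a transparent proxy listening on 127.0.0.1:3128 (HTTP) and 127.0.0.1:3129 (HTTPS), that LAN rules see the destination after the NAT redirect, and a made-up log line format; the anti-lockout rule is left out. The "block HTTP(S)" rule is constructed to cover the proxy ports too, so the wrong ordering blocks the redirected traffic as the post describes.

```python
"""First-match rule ordering and live-view filtering, modelled in Python.

Constructed example; rule names, the 192.168.1.0/24 LAN, proxy ports 3128/3129
and the log line format are assumptions for this illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "pass" or "block"
    proto: str                         # "tcp", "udp" or "any"
    src: str                           # source network in CIDR notation
    dst: str                           # destination network in CIDR notation
    dports: frozenset = frozenset()    # empty set means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str                           # destination *after* the NAT redirect
    dport: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return not rule.dports or pkt.dport in rule.dports


def evaluate(rules, pkt: Packet):
    """First matching rule wins; an implicit deny applies if nothing matches."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default deny"


LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"
PROXY = "127.0.0.1/32"   # host address, so /32 and not /24 (point 4 in the post)

redirect_http = Rule("redirect HTTP to proxy", "pass", "tcp", LAN, PROXY, frozenset({3128}))
redirect_https = Rule("redirect HTTPS to proxy", "pass", "tcp", LAN, PROXY, frozenset({3129}))
allow_dns = Rule("allow DNS", "pass", "udp", LAN, ANY, frozenset({53}))
# Constructed so that it also covers the proxy ports, not only 80/443.
block_web = Rule("block HTTP(S)", "block", "tcp", LAN, ANY, frozenset({80, 443, 3128, 3129}))
block_all = Rule("block all", "block", "any", LAN, ANY)

# The ordering described in the post's point 3 versus the one it recommends in point 2.
WRONG_ORDER = [block_web, redirect_http, redirect_https, allow_dns, block_all]
RIGHT_ORDER = [redirect_http, redirect_https, allow_dns, block_all]

# Constructed packets as the LAN rules see them (post-redirect destinations).
HTTPS_PKT = Packet("tcp", "192.168.1.50", "127.0.0.1", 3129)
HTTP_PKT = Packet("tcp", "192.168.1.50", "127.0.0.1", 3128)
DNS_PKT = Packet("udp", "192.168.1.50", "192.168.1.1", 53)
SMTP_PKT = Packet("tcp", "192.168.1.50", "203.0.113.10", 25)

# Constructed log lines; the real live view has its own columns.
SAMPLE_LOG = [
    "2020-04-18T11:00:01 lan block tcp 192.168.1.50:51012 -> 127.0.0.1:3129 rule=block HTTP(S)",
    "2020-04-18T11:00:02 lan pass udp 192.168.1.50:40321 -> 192.168.1.1:53 rule=allow DNS",
    "2020-04-18T11:00:03 lan pass tcp 192.168.1.50:51013 -> 127.0.0.1:3128 rule=redirect HTTP to proxy",
    "2020-04-18T11:00:04 lan block tcp 192.168.1.50:51014 -> 203.0.113.10:25 rule=block all",
]


def filter_log(lines, pattern: str):
    """Keep the lines the regex matches anywhere, like a live-view filter box.

    An unescaped '.' matches any character, so '127.0.0.1.*3129' works but
    r'127\\.0\\.0\\.1.*3129' is the precise form.
    """
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for pkt in (HTTP_PKT, HTTPS_PKT, DNS_PKT, SMTP_PKT):
            print(label, pkt.proto, f"{pkt.dst}:{pkt.dport}", "->", evaluate(rules, pkt))
    for line in filter_log(SAMPLE_LOG, r"127\.0\.0\.1.*3129"):
        print("filtered:", line)
```

Running it shows the redirected HTTPS packet hitting "block HTTP(S)" in the wrong order and "redirect HTTPS to proxy" in the right one, while SMTP still ends at "block all"; the log filter for 127.0.0.1.*3129 returns only the one line with the proxy's HTTPS port.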