Topics - ddywz

#1
My OPNsense was running fine on 23.1. Once I upgraded to the latest 23.7.4 and the unit rebooted, I lost connectivity: I could not get internet connectivity, and internal DNS was lost.

Looking around, I had to disable this rule I have had for years in FIREWALL---NAT--PORT FORWARDING. A pic of the rule is attached here. If I disable this rule, then external connectivity is fine and I can connect to the internet from the LAN interface.

Still no internal DNS; I can no longer ping by name any of the static reserved addresses I have created. All this was OK before the upgrade. I do not use dnsmasq or OpenDNS. I have ticked the option to Register DHCP static mapping in Unbound DNS--General.

Any help on how to overcome this? I was planning to roll back to 23.1, but I know I will hit this again if I want to upgrade at some point.

#2
I need to have a PC on the internal LAN (Interface1 on OPNsense) access a Confluence webserver on the DMZ (Interface2 on OPNsense).

My current setup:
1. There is a rule in place that blocks all traffic from DMZ to LAN.
2. All traffic from LAN to DMZ is allowed.
3. HAProxy is set up and all traffic from WAN gets forwarded properly, based on certs, to servers in the DMZ.

I have no problem accessing the Confluence server as https://myconfluence.mydomain externally.

I need to have access to the same https://myconfluence.mydomain from my PC on the LAN network. It appears that OPNsense does not allow traffic to go out on WAN and come back in for an internal server.

What rule do I need to set up to allow this traffic only for a specific alias (the IP address of my laptop) on the LAN network?

Thanks,

#3
Web Proxy Filtering and Caching / haproxy issue
February 15, 2021, 04:50:11 AM
I'm having this issue with the HAProxy module. The service does not start after correctly configuring:

1. Backend server
2. Backend pool
3. Condition
4. Rule
5. External webserver.

Starting the HAProxy service fails. I looked at the logs and saw this when I tried to start the service:

root@myrouter:/usr/local # /usr/local/etc/rc.d/haproxy onestart
Starting haproxy.
[ALERT] 044/221323 (92978) : Starting frontend media_fe: cannot bind socket [10.0.a.b:443]
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy

I think I see where the issue is. Here is what I found:
When I configured the External Webserver, I gave the FQDN of the server as someone would connect to it externally via https, so in the "Listen Addresses" field I gave myserver.domain.com:443

If I save this, then the HAProxy service goes down, and this is because the name myserver.domain.com resolves internally to the 10.0.a.b address shown in the log. That is the IP address of the real backend server.

I use internally the same domain name, for instance mydomain.com, that is used externally. When I configured OPNsense under System-->Settings-->General-->Domain I put mydomain.com and not mydomain.local.
Is this a bad thing? I have been using the same domain name internally because some apps on the phone require this to operate seamlessly on Wi-Fi (local LAN) and 4G (external).

I tested this and changed the internal domain to mydomain.local instead, and the HAProxy service started fine with no issues.

The other test I did was to switch the internal domain back to mydomain.com and do the following:

I changed the Listen address on the Public Server in the HAProxy config to 0.0.0.0:443 and saved it; the HAProxy service started fine, and now I can connect externally via HAProxy to the backend server, doing SSL offloading on HAProxy via a certificate I imported and used in the configs.

Is there a downside to binding to 0.0.0.0:443 for the listening address field in the Public Server config? I'd like to enter the specific address in the listen field, like myserver.mydomain.com:443.

Is there a way to tie the Public Server in the HAProxy config to the WAN interface only and not resolve internally? Yes, I forgot to mention that I use OPNsense as the DHCP server and DNS server, using DHCP static mappings for most of the devices.


Any help is appreciated. Thank you!
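A small diagnostic for the failure mode this post describes (a listen hostname that the firewall's own resolver maps to the backend server, so HAProxy cannot bind it), added here as an illustration; it is not part of the post, of OPNsense or of HAProxy, and the config stanzas, hostnames, addresses and resolver mapping are constructed samples.

```python
import ipaddress
import re

# Constructed sample HAProxy frontend stanzas; names, ports and IPs are made up.
SAMPLE_CONFIG = """frontend media_fe
    bind myserver.domain.com:443
frontend public_fe
    bind 0.0.0.0:443
"""
# Constructed split-horizon view: inside the LAN the public name resolves to
# the backend web server rather than to the firewall's own WAN address.
INTERNAL_DNS = {"myserver.domain.com": "10.0.5.7"}
# Constructed set of addresses the firewall itself owns and can bind to.
LOCAL_ADDRS = {"127.0.0.1", "10.0.5.1", "203.0.113.10"}
WILDCARDS = {"", "*", "0.0.0.0", "::"}  # binds that always succeed
FRONTEND_RE = re.compile(r"^\s*frontend\s+(\S+)")
BIND_RE = re.compile(r"^\s*bind\s+([^\s:]*):(\d+)")

def parse_binds(config):
    """Return (frontend, host, port) for every bind line in the config."""
    binds, frontend = [], ""
    for line in config.splitlines():
        fe = FRONTEND_RE.match(line)
        if fe:
            frontend = fe.group(1)
            continue
        m = BIND_RE.match(line)
        if m:
            binds.append((frontend, m.group(1), int(m.group(2))))
    return binds

def check_binds(config, resolve, local_addrs):
    """One finding per bind the firewall could not bind; resolve(host) returns
    the address the firewall's own (internal) resolver gives, or None."""
    findings = []
    for fe, host, port in parse_binds(config):
        if host in WILDCARDS:
            continue
        try:
            addr = str(ipaddress.ip_address(host))  # literal address
        except ValueError:
            addr = resolve(host)  # hostname: what does split DNS say?
        if addr is None:
            findings.append(f"{fe}: {host} does not resolve")
        elif addr not in set(local_addrs):
            findings.append(f"{fe}: {host}:{port} resolves to {addr}, "
                            "which is not a local address")
    return findings
```

Feeding it a real config with `socket.gethostbyname` as the resolver reproduces the check from the firewall's point of view before the service is restarted.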

#4
General Discussion / Web Application Firewall in OPNsense
February 08, 2021, 04:32:58 AM
Hello, this is my first post here, as I decided to try out OPNsense and set up new hardware, a Qotom-Q575G6-S05, with
OPNsense 21.1-amd64
FreeBSD 12.1-RELEASE-p12-HBSD
OpenSSL 1.1.1i 8 Dec 2020

The hardware is an Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz (4 cores) and 16GB RAM.

The basic installation went fine and the main rules are in place. All is working fine so far. Today is my 3rd day of running it.

Before, I was using Sophos UTM and thought I would try OPNsense, and while doing so I have the following question:

I have about 4 webservers that need external access from the internet via HTTPS. In Sophos I was using the WAF feature (Web Application Firewall), where I would create a "Real" webserver (you basically define the real http or https path of the internal server) and link it with an external one created in the Sophos UTM, where I would upload the certificate; so the mapping is done via SNI and no ports were opened in the firewall to allow https traffic. This also helped with the fact that I can use the same 443 port for all server connections coming from the single WAN address.

How would I accomplish this in OPNsense? Can this be done in the web proxy section? I also saw a plugin called
"Nginx HTTP server and reverse proxy"; would this help with the issue I'm having?

Thanks in advance.