Messages - hv-tech

#16
Alright so after some testing, it seems it does work, well 50/50%. So the blocks do not work when I set configurations in "App Controls" but they do when I completely configure a block in "Web Controls"

That all being said, technically "App Controls" should work but don't. What else can I check to understand why blocking doesn't work in "App Controls"?
#17
Zenarmor (Sensei) / Using Zenarmor and Squid proxy inline
December 27, 2022, 10:58:56 PM
Hi ALL,

I can't help but notice that when using Web Proxy in OPNsense it completely bypasses Zenarmor, since it sees my hosts connecting to the destination which is the LAN interface hosting Squid Proxy. I am not sure if there is a setting on the Zenarmor or Proxy side, or a way to parse the data coming from the source being the LAN interface and the dest being whatever the proxy is connecting to?

It would be nice if the WAN interface was selectable since I am sure it would capture from LAN out during proxy options.
#18
You are 100% correct, I guess I didn't understand before. So removing all other entries and adding an external binding of 0.0.0.0/24 worked. Thanks so much for the help!
#19
Here is my config.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         172.16.10.6:514 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Resolver: HV-DNS
resolvers 60d520816d7b32.78243365
    nameserver 8.8.8.8:53 8.8.8.8:53
    parse-resolv-conf
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s



# Frontend: External-Pub ()
frontend External-Pub
    bind ctlgmon01.hvnoclabs.com:443 name ctlgmon01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctauth02.hvnoclabs.com:443 name ctauth02.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctitools01.hvnoclabs.com:443 name ctitools01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctlgmon02.hvnoclabs.com:443 name ctlgmon02.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctcoms01.hvnoclabs.com:443 name ctcoms01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s
    # stickiness
    stick-table type ip size 50k expire 30m 
    tcp-request connection track-sc0 src
    # logging options
    option httplog
    # ACL: Netbox
    acl acl_60dea475186677.51330295 hdr(host) -i ctitools01.hvnoclabs.com
    # ACL: Graylog
    acl acl_61208941d9bf35.04710772 hdr(host) -i ctlgmon01.hvnoclabs.com
    # ACL: Keycloak
    acl acl_61209978a36e65.49477166 hdr(host) -i ctauth02.hvnoclabs.com
    # ACL: Mattermost
    acl acl_612d2c6c0e9208.90351294 hdr(host) -i ctcoms01.hvnoclabs.com

    # ACTION: Netbox
    use_backend External-Netbox if acl_60dea475186677.51330295
    # ACTION: Graylog
    use_backend External-Graylog if acl_61208941d9bf35.04710772
    # ACTION: Keycloak
    use_backend External-Keycloak if acl_61209978a36e65.49477166
    # ACTION: Zabbix
    # NOTE: actions with no ACLs/conditions will always match
    use_backend External-Zabbix
    # ACTION: Mattermost
    use_backend External-Mattermost if acl_612d2c6c0e9208.90351294

# Backend: External-Netbox (Pool to Internet)
backend External-Netbox
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctitools01 172.16.10.11:80 check inter 2s

# Backend: External-Graylog (Pool to Internet)
backend External-Graylog
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctlgmon01 172.16.10.8:443 check inter 2s  ssl verify none

# Backend: External-Keycloak (Pool to Internet)
backend External-Keycloak
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctauth02 172.16.10.25:443 check inter 2s  ssl alpn h2,http/1.1 verify none

# Backend: External-Zabbix (Pool to Internet)
backend External-Zabbix
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctlgmon02 172.16.10.9:80 check inter 2s

# Backend: External-Mattermost (Pool to Internet)
backend External-Mattermost
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctcoms01 172.16.10.24:80 check inter 2s

# Backend: External-ctcoms01 (Pool to Internet)
backend External-ctcoms01
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctcoms01 172.16.10.75:443




listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED
#20
So I am using DDNS/Cloudflare and am binding to those DNS entries that are pointing to my PPPoE address assigned by the ISP, which always worked flawlessly until the upgrade.
#21
Anyone have any advice as to what I can do to fix this?
#22
Hi Forum,

If I were more technical I wouldn't post, but after upgrading from 22.7.7 to 22.7.8, since I've upgraded to 22.7.9 without fixing the problem. Here is the output for when I manually try to start the service:

root@ctgwfw01:~ # service haproxy restart
haproxy not running? (check /var/run/haproxy.pid).
Starting haproxy.
[ALERT]    (21092) : Starting frontend External-Pub: cannot bind socket (Can't assign requested address) [72.10.1.x:443]
[ALERT]    (21092) : Starting frontend External-Pub: cannot bind socket (Can't assign requested address) [72.10.2.x:443]
[ALERT]    (21092) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy
root@ctgwfw01:~ #


Note I have a PPPoE IP from my ISP. So each time I reboot, it seems to be binding to the old IP that is no longer being used. I am not sure if there is a cache I need to wipe out?


Any help would be great :)
Thanks
#23
So Web Proxy "Squid" and "Suricata" are two separate things. I can run Squid and Zenarmor on the same interface, but the way the inspection works isn't really working out for me since Zen is mainly just Web filtering.
#24
Zenarmor (Sensei) / Using Squid Proxy and Sensei inline
February 08, 2022, 05:21:32 PM
I've been using and playing with Sensei and bought a home license; however, I've noticed that this service doesn't incorporate Squid Proxy very well. When running proxy, I can see traffic from my endpoints going straight to the proxy port on the box classified as "Web Browsing". It would be ideal if I could set my capture from the source interface of the proxy IP and Dest being the internet.

Perhaps running both services on the same box just doesn't work, but I thought I would post and see if anyone else has a workaround or a solution.
#25
Um, that might be a little tough for me if I understand your workaround correctly. I am using DDNS to generate records on the internet with Cloudflare and Let's Encrypt for the SSL certificates. When I am pointing stuff to the Public side, it's the DNS address that's pointing from Cloudflare, but also this is the same hostname of the internal resource that I am pointing to the internet.

I will look into binding the HAProxy service to the internal IP address (I think it's on 127.0.0.1 currently, but I would have to check).
#26
Does anyone have any ideas? I tried to use Dnsmasq which worked for a few hours, but after rebooting the system, it acts the same as Unbound. I've looked at the system logs which do not provide much. HAProxy just provides when a system was started or stopped. My question is, is this normal behavior while trying to run these two types of services, or is this a bug?
#27
Good afternoon,

I have a general question: when I use HAProxy and have Unbound running at the same time, it forces the HAProxy service to fail. I have "override" DNS entries for the stuff I have hosted in HAProxy, but I fail to see how this will affect what is running on HAProxy, but it does. As soon as I disable Unbound and restart HAProxy, HAProxy works again.

Would anyone have any advice on something I need to set or do? Or if this is normal and I can't run both of those services at the same time?

Thanks,
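The failed restart in #22 and the HAProxy/Unbound interaction in #27 both touch the same startup rule: a frontend `bind <hostname>:<port>` line is resolved when HAProxy starts, and the bind only succeeds if the resulting address is configured on a local interface (otherwise you get the "cannot bind socket (Can't assign requested address)" alert shown above). The script below is an added example, not code from the OPNsense HAProxy plugin or from the poster: it pulls the bind lines out of a config, resolves each host through a caller-supplied resolver, and lists the binds that cannot succeed. The config text, the resolver answers (a stale dynamic-DNS address, and a host override that answers with a backend's address) and the local address list are all constructed for the demo; the override scenario is an assumption about how a local DNS override could affect HAProxy, not something the thread confirms.

```python
"""Pre-flight check: can every HAProxy 'bind' line actually be bound?

Added example (not OPNsense plugin code, not the poster's code). It models
the failure mode in the haproxy restart output: a bind host that resolves
to an address not configured on any local interface cannot be bound.
All config text, DNS answers and local addresses below are constructed.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# First token after 'bind'. HAProxy accepts host:port, [v6]:port, *:port
# and :port; hostnames are resolved by HAProxy itself at startup.
BIND_RE = re.compile(r"^\s*bind\s+(\S+)")


def parse_bind_targets(cfg_text: str) -> List[Tuple[str, str]]:
    """Return (host, port) for every 'bind' line in the config text."""
    targets = []
    for line in cfg_text.splitlines():
        m = BIND_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if ":" in target:
            host, _, port = target.rpartition(":")
        else:
            host, port = target, ""
        if host.startswith("[") and host.endswith("]"):  # [v6]:port form
            host = host[1:-1]
        targets.append((host, port))
    return targets


def check_binds(cfg_text: str, resolve: Callable[[str], List[str]],
                local_addrs: List[str]) -> List[Dict[str, object]]:
    """Return one dict per bind target that HAProxy could not bind.

    resolve(host) emulates the startup name resolution (what the box's
    resolver answers); local_addrs is what the box's interfaces carry now.
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    problems: List[Dict[str, object]] = []
    for host, port in parse_bind_targets(cfg_text):
        if host in ("", "*"):
            continue  # wildcard bind always succeeds
        try:
            addrs = [ipaddress.ip_address(host)]  # literal address, no lookup
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            problems.append({"host": host, "port": port,
                             "reason": "does not resolve"})
            continue
        missing = [str(a) for a in addrs if a not in local]
        if missing:
            problems.append({"host": host, "port": port,
                             "reason": "not a local address",
                             "addresses": missing})
    return problems


# Constructed sample config: two name-based binds plus two that are safe.
SAMPLE_CFG = """
frontend External-Pub
    bind ctlgmon01.example.test:443 name ctlgmon01 ssl crt-list /tmp/x.certlist
    bind ctauth02.example.test:443 name ctauth02 ssl
    bind 127.0.0.1:8822
    bind *:80
"""

# Constructed resolver answers: the first name still carries an old dynamic
# DNS address; the second is answered by a local host override that points
# at the backend server rather than at the firewall (assumed scenario).
FAKE_DNS = {
    "ctlgmon01.example.test": ["203.0.113.10"],
    "ctauth02.example.test": ["172.16.10.25"],
}
# Constructed: addresses currently configured on the firewall's interfaces.
LOCAL_ADDRS = ["127.0.0.1", "172.16.10.1", "203.0.113.77"]


def demo() -> List[Dict[str, object]]:
    """Run the check against the constructed config and resolver."""
    return check_binds(SAMPLE_CFG, lambda h: FAKE_DNS.get(h, []), LOCAL_ADDRS)


if __name__ == "__main__":
    for p in demo():
        print(f"bind {p['host']}:{p['port']} -> {p['reason']}"
              f" {p.get('addresses', '')}")
```

On a real box the resolver callback would be `lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)]` and the local list would come from the interface configuration; running the check before `service haproxy restart` turns the opaque bind alert into a list of which names resolve to which non-local addresses.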
#28
Bump/Help
#29
Hi Forum,

I recently installed the plugin os-freeradius in the hope of using the LDAP module for authentication. However, I've had issues running the LDAP feature and get auth issues. Now my remote LDAP server is a webmin build with OpenLDAP server/client enabled on it to provide the LDAP access to my OPNsense box. I know my LDAP server works since I have a few different applications and services that use my LDAP server. So below are the logs that I get when attempting an auth from the "tester".

Auth: (0) Login incorrect (ldap: Failed performing search: Bad search filter)
Auth: (0) Invalid user (ldap: Failed performing search: Bad search filter): [


Also, I feel it has something to do with the LDAP settings after seeing the "bad search filter" in the logs. It's unclear how to set and adjust the "Group Filter", and I tried to read up on the documentation; however, the documentation doesn't even mention the LDAP feature (perhaps the Wiki needs updating?)

Wiki: https://docs.opnsense.org/manual/how-tos/freeradius.html


One last thing, even when I try to configure just LDAP under "access servers" I cannot get LDAP to work. Just putting it out there.

Regards!
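The "Failed performing search: Bad search filter" message in the post above means the LDAP server (or the client library) rejected the filter string before any search ran, which is a syntax problem in the filter, not a credential problem. The code below is an added example, not part of the os-freeradius plugin or of FreeRADIUS: it validates a filter against the RFC 4515 grammar (balanced parentheses, `&`/`|`/`!` operators, `attr=value` items, `\XX` escapes) so a Group Filter or User Filter can be checked before it goes into a configuration field, and it shows RFC 4515 escaping of a username substituted into a filter, which is also the defence against LDAP filter injection. The `%{User-Name}` placeholder is FreeRADIUS's expansion syntax, but the substitution here is a plain string replace written for the demo; every filter and username below is a constructed sample, not the poster's settings.

```python
"""LDAP search filter check: RFC 4515 syntax validation plus value escaping.

Added example, not os-freeradius or FreeRADIUS code. validate_filter()
accepts only well-formed filters; escape_filter_value() encodes the
characters that would otherwise break (or inject into) a filter.
All filters and usernames used here are constructed samples.
"""
import re

# Attribute description, simplified: letters, digits, '.', ';', '-'.
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
# RFC 4515 escapes inside values are a backslash plus two hex digits.
HEX2_RE = re.compile(r"[0-9a-fA-F]{2}")


def validate_filter(s: str) -> bool:
    """True if s is one complete, well-formed RFC 4515 filter."""
    try:
        return _parse_filter(s, 0) == len(s)
    except ValueError:
        return False


def _parse_filter(s: str, i: int) -> int:
    """Parse '(' filtercomp ')' starting at s[i]; return the index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    c = s[i]
    if c in "&|":            # and / or: a list of nested filters (empty allowed, RFC 4526)
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif c == "!":           # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:                    # simple item: attr op value
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1


def _parse_item(s: str, i: int) -> int:
    m = ATTR_RE.match(s, i)
    if not m:
        raise ValueError(f"expected attribute name at {i}")
    i = m.end()
    for op in ("~=", ">=", "<=", "="):
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise ValueError(f"expected comparison operator at {i}")
    start = i
    while i < len(s) and s[i] != ")":
        if s[i] == "(":
            raise ValueError(f"unescaped '(' in value at {i}")
        if s[i] == "\\":     # must be \XX
            if not HEX2_RE.fullmatch(s[i + 1:i + 3]):
                raise ValueError(f"bad escape at {i}")
            i += 3
        else:
            i += 1
    if i == start:
        raise ValueError("empty value")
    return i


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute an escaped username for %{User-Name} (demo substitution,
    not FreeRADIUS's own expansion engine)."""
    return template.replace("%{User-Name}", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed samples: a typical group filter, then a malformed one.
    for f in ("(&(objectClass=posixGroup)(memberUid=%{User-Name}))",
              "(&(objectClass=posixGroup)(memberUid=bob)"):
        print(f"{f!r}: {'ok' if validate_filter(f) else 'bad search filter'}")
    # Escaping keeps a hostile username from rewriting the filter.
    print(build_user_filter("(uid=%{User-Name})", "bob)(uid=*"))
```

The second sample filter fails validation for the same reason a server would report a bad search filter (a missing closing parenthesis), and the final line shows why escaping matters: without it, the constructed username `bob)(uid=*` would turn a single-user lookup into a filter that matches every entry.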