Topics - bimbar

#1
I just migrated from legacy to instances, and I used to have a TAP based tunnel routed via BGP.

server: 172.28.1.1, clients: 172.28.1.2 and 172.28.1.6

The configuration for that was client specific overrides for the clients, and a network of 172.28.1.0/28, of which the server automatically got the .1.

So I migrated that 1:1, and the server interface would not get an IP, so that didn't work.

Switched to TUN, everything seemed fine: the client can ping the server, the BGP session is active, but no traffic seems to be routed through the tunnel. tcpdump on the client says packets are sent; tcpdump on the server shows nothing except the unrouted traffic.

Then I switched to DCO just for the hell of it, and it works.

Any ideas? Could this be the dreaded openvpn built-in packet filter?

EDIT: On second thought, must have been the packet filter - but the question remains, why did the TAP interface not get an IP address?
#2
General Discussion / New forum look
December 16, 2024, 11:55:21 AM
It looks nice, but it's unreadable.

Would it be possible to at least make the topic headings more distinct?
The normal forum topic list is sort of ok, but the "Unread Posts" view is really bad.
#3
Free edition, as the subject says.
Kind of annoying.
#4
What the subject says, does an excessive number of ipsec tunnels slow down the firewall, does it lead to memory problems or something similar?
What would the recommended maximum number of ipsec tunnels be?
#5
Hi,

so, in my firewall logs, pretty much any packet that is allowed is allowed because "let out anything from firewall host itself".
I do have rules that allow traffic, so I would expect to see them there.

Is this because this is the name of the last match rule in the "out" direction?
If so, I do understand this, but it still makes the whole thing a bit useless.
#6
Hi, I just setup my own KEA HA cluster, but the help seems to be wrong, it states in ha peers for the peer url:
This specifies the URL of our server instance, which should use a different port than the control agent. For example http://192.0.2.1:8001/
while the control agent is on port 8000.

Now both a kea setup I did for a customer a while ago and the Kea documentation specify that the port of the control agent must be used. My new setup confirms this.

So, what's up with that?

#7
I quote the documentation:

Quote: Selecting which logs to ingest

Our Wazuh agent plugin supports syslog targets like we use in the rest of the product, so if an application sends its feed to syslog and registers the application name as described in our development documentation it can be selected to send to Wazuh as well.

For Intrusion detection we can send the events as well using the same (eve) datafeed used in OPNsense, just mark the Intrusion detection events in the general settings.

But what does it mean?
#8
Quite some time ago, the nginx plugin had the same problem of only being able to bind to a specific port on all interfaces, the same seems to be true for OPNWAF.

Is that the case or am I just unable to find the option, and if true, is it possible to expand this option from "port" to something like "ip:port"?
#9
As is, opnsense numbers network interfaces in sequence of creation, opt1 to optX. Additionally, there are lan and wan predefined interfaces.
Firewall rules are associated to this interface identifier.

If, for any reason, this interface identifier changes, it is quite hard to get all this to work again through deleting interfaces and recreating them in the correct sequence. Especially if the sequence has been broken through deleting an interface somewhere in the middle.
Also, in an opnsense HA cluster, interfaces must be created in identical sequence on all firewalls in the cluster, which is a hassle, and potentially problematic if this goes out of sync for some reason.

So, why not give users the ability to choose the interface identifier themselves on creation, or even be able to rename the identifier in an existing interface?
#10
A customer needs a reverse proxy the backend of which uses different hostnames than the frontend and has 3 websites on it using namevirtualhosts (also using SSL).

So this seems to be doable with haproxy:

- on my frontend, differentiate between the different hostnames via SNI
- the real servers use different custom SNI names, so the backend can differentiate
- a Host header is set for the backend with the above-mentioned SNI names, or else the backend doesn't switch to the right website
- location headers in the response are rewritten to my frontend names

In apache, one would do this using ProxyPass / ProxyPassReverse; while I didn't test it, this seems fairly simple.

Now correct me if I'm wrong, but this doesn't seem possible with nginx on opnsense, not having the UI elements to specify a custom host header for an upstream?
#11
Can we please have the old diagnostics back? The new ones are fairly low on information content.
#12
I have an opnsense cluster with PPPoE dialup and I'm struggling to configure dialup failover.

I suspect there are certain limitations on what has to be configured for it to work. Does the parent interface of the PPPoE interface have to have a CARP ip for it to work?

There is the github thread on the feature but I couldn't get it to work with the rather minimal information in there.

Thankful for any pointers.

EDIT: is it correct that the base interface must have a CARP IP? It seems to work now - with a great amount of flapping, but it quietens down after some minutes.
#13
22.1 Legacy Series / RSPAMD action quarantine?
May 02, 2022, 03:33:02 PM
Is that implemented in the current rspamd version?

There is a request from colleagues to not reject extensions via multimap, but quarantine the mails in question.
#14
So I created a new VLAN subinterface, applied, everything was fine.
Then I assigned the interface, also ok.
But when I configured the IP address of the interface, I lost 3 pings to google (which ran over different VLANs).

I am told changing an interface does not lead to downtimes for other interfaces, am I the only one with this problem?
Or is this normal because the traffic that experienced a short outage runs over different VLANs on the same hardware interface?
#15
So I use fq_codel because it's a huge plus in general for the usability of internet connections under load.

It still became important to reduce the priority of a specific flow in relation to the others (it's a backup job to the cloud and takes up all bandwidth).

Apparently with fq_codel that's not possible since it ignores the weights chosen in the queue.
If WFQ is used in the pipe, prioritization works as expected, but the queue management is gone - the "Enable codel" checkboxes seem to do almost nothing - or rather, the codel part without the fq is not hugely beneficial.

Cake seems to solve this, but it's not available on dummynet.

Any other ideas?
#16
I see a lot has been done in that regard.

I like that we can now have IPv6 dynamic hosts.
It would be great if we could also get IPv6 dynamic networks - pretty much the same functionality as hosts have, only no automatic /128 and instead an ability to specify a netmask. Then I could get rid of my interface group rules and do it via alias, which is much nicer.
Now that the functionality to swap out the first 64 bits is there, dynamic NPTv6 doesn't seem that hard to me either.

Also, we need a thumbs up smiley in the forum :) .
#17
Typically my firewall sits at the center of many local networks. Some of them should be accessible to clients, some of them not.
I can restrict that using the firewall.

But if I enable the web proxy, that circumvents the firewall? How do I prevent clients from accessing otherwise protected internal networks by using the proxy?
#18
General Discussion / OPNSense and ZTNA / SASE
November 05, 2021, 12:34:48 PM
My impression is that opnsense is a good traditional UTM firewall.

But what about the future?
Is some support for concepts like zero trust that are difficult or impossible to implement with a traditional firewall planned?
What might such a thing look like in an open source firewall?
#19
I did ask this in another thread, but maybe it deserves its own.

I'll start with my personal universal firewall concept. Maybe someone else wants to share as well.

I divide networks into a few standard zone types (clients, servers, backend, dmz, admin, restricted, internet) with a standard communications matrix.
For example, clients are allowed to access servers, dmz and the internet.
I create a netgroup for each of those zone types with a standardized name (netgroup_dmz).
Then I create a second netgroup for each zone which contains all networks that are allowed to access it, called accessgroup_dmz.
More of those groups can be created for special needs according to the same scheme.

In my firewall rules there are only rules of the form "Allow quick accessgroup_XXX -> netgroup_XXX".
For internet access there is a rule "Allow quick accessgroup_internet -> !netgroup_internet_inverted".
netgroup_internet_inverted contains all internal networks and net_blocked. Net_blocked is basically firehol L1.

For access from outside to inside there are interface rules on WAN of the form "Allow quick !net_blocked -> PORTS -> This Firewall".

Importantly, there are no drop rules except the default drop. That makes the ruleset easier to understand and the order of rules is irrelevant.
If this ruleset is implemented somewhere else, all that is necessary is usually to add the local networks to the right aliases and create a few special rules for DMZs.
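To make the scheme concrete, here is an added example (not the poster's configuration, and not OPNsense code) that models it in Python: it derives the accessgroup aliases from a communications matrix, generates only pass rules of the described form plus the default drop, evaluates flows first-match, and checks the claim that rule order is irrelevant. Zone names, network ranges and the stand-in for the firehol L1 list are constructed.

```python
from ipaddress import ip_address, ip_network
import random

# Constructed sample data (RFC 1918 / RFC 5737 ranges, not the poster's real networks).
NETGROUPS = {
    "clients": ["10.1.0.0/16"],
    "servers": ["10.2.0.0/16"],
    "dmz": ["192.0.2.0/24"],
    "admin": ["10.9.0.0/24"],
}
NET_BLOCKED = ["203.0.113.0/24"]  # constructed stand-in for the firehol L1 list
# Communications matrix: destination zone -> zones allowed to reach it.
MATRIX = {
    "servers": ["clients", "admin"],
    "dmz": ["clients", "admin"],
    "clients": ["admin"],
    "admin": [],
    "internet": ["clients", "servers", "dmz", "admin"],
}

def build_aliases(netgroups=NETGROUPS, matrix=MATRIX, blocked=NET_BLOCKED):
    """netgroup_<zone> per zone, accessgroup_<zone> as the union of its permitted
    sources, and netgroup_internet_inverted = all internal networks plus net_blocked."""
    aliases = {f"netgroup_{z}": [ip_network(n) for n in nets] for z, nets in netgroups.items()}
    aliases["net_blocked"] = [ip_network(n) for n in blocked]
    internal = [n for z in netgroups for n in aliases[f"netgroup_{z}"]]
    aliases["netgroup_internet_inverted"] = internal + aliases["net_blocked"]
    for dst, sources in matrix.items():
        aliases[f"accessgroup_{dst}"] = [n for s in sources for n in aliases[f"netgroup_{s}"]]
    return aliases

def build_rules(matrix=MATRIX):
    """Only 'Allow quick accessgroup_X -> netgroup_X' rules; internet uses the inverted group."""
    return [("pass", f"accessgroup_{d}",
             "!netgroup_internet_inverted" if d == "internet" else f"netgroup_{d}") for d in matrix]

def matches(aliases, alias, addr):
    """Alias membership; a leading '!' negates the alias, as in the inverted internet rule."""
    if alias.startswith("!"):
        return not matches(aliases, alias[1:], addr)
    return any(addr in net for net in aliases[alias])

def decide(rules, aliases, src, dst):
    """First-match ('quick') evaluation; anything unmatched falls to the implicit default drop."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_alias, d_alias in rules:
        if matches(aliases, s_alias, src) and matches(aliases, d_alias, dst):
            return action
    return "block"

def order_independent(rules, aliases, flows, trials=20):
    """With pass-only rules plus a default drop, every permutation gives identical verdicts."""
    baseline = [decide(rules, aliases, s, d) for s, d in flows]
    shuffled = list(rules)
    for _ in range(trials):
        random.shuffle(shuffled)
        if [decide(shuffled, aliases, s, d) for s, d in flows] != baseline:
            return False
    return True
```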
#20
Development and Code Review / I like opnsense :)
October 23, 2021, 04:19:58 PM
I have been hacking away at plugins for a few weeks now, and have to say, it's pretty easy to develop for.
It has a fairly clean structure, and while it's not perfect, it's pretty good.

So keep up the good work.