OPNsense Forum

English Forums => General Discussion => Topic started by: Dzioobasek on January 15, 2018, 10:30:43 am

Title: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 10:30:43 am
Hi
I'm about to finish configuring the newest OPNsense and it's great. Configuring the antivirus is so easy atm :)
I can't handle opening ports for LAN or WAN. I have 2 Java-based apps and I need to open ports 8443 and 8447.
Can you guys help me with that?
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 11:04:20 am
First, if you need this to be permanent, allocate static IPs for those machines on the LAN side from Services:DHCP Server. Restart the network interface(s) on those machines to make sure the IPs are allocated (verify on local machine).

Then, go to Firewall:NAT:Port Forward and according to your network setup, create a port forwarding rule for your machines.

Also, do not forget to edit your local firewall rules on your machines (e.g. Windows Firewall) to allow inbound connections to those ports.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 11:06:18 am
I have 35 PCs in the LAN, can't I just open ports for the entire LAN?
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 11:09:29 am
You have to allocate IPs and create rules for each machine in your LAN. If you need to forward the same destination port, choose different ones for each machine as source ports.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 11:20:17 am
Is it possible to use aliases? E.g. CompanyLan and place all IPs there? All PCs have static addresses.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 11:33:27 am
You can't create one port forward rule for 35 PCs. You have to tell OPNsense (or any other firewall for that matter) which source IP/port to forward to which destination IP/port. You can't do that by a collection of IPs in one alias as destination, as there will be [source] IP(s)/port(s) to [destination] 35 IPs/port(s). You need [source] IPs/port(s) to [destination] 1 IP/port(s).

In other words, you can only have 1 IP as your destination IP for the forward to work correctly.

I can't imagine one (and the same) TCP/UDP stream to be forwarded to 35 PCs at once at the same time.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 12:28:48 pm
1. I don't know why but it's not working. Can I use aliases for ports or is that also wrong?
2. On the other hand, when I was setting the proxy in Control Panel > Internet Connection I checked 'Don't use proxy for LAN'. Shouldn't LAN apps work then without restrictions?

Anyway, can you please show me an example setup so I could check what I'm doing wrong?
Title: Re: How to open specific ports?
Post by: phoenix on January 15, 2018, 12:32:20 pm
Perhaps it would be useful if you gave a description of what you're actually trying to achieve, and why, with your "port forward" configuration and your 35 pc LAN.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 01:00:03 pm
As phoenix said, it would be helpful for us to know what you are trying to do.
Nevertheless, for any port forward, you should follow this guideline (take it step by step, and verify each one if possible):

1. Start the process on a PC that you would like to connect to (with the port forward) and verify its config, make sure you got the port right
2. Create a local firewall rule (e.g. in Windows Firewall / Inbound rule) for that port (allow it) and pay attention to the selected profile (domain, private, public)
3. Verify that you can connect from another PC in the same subnet to that machine and port (easiest is with telnet, install it if not already installed)
4. If it works, move forward, if not, check that the process you are trying to connect to is up and running (not suspended or something) and that it uses the port you configured in the local firewall
5. Go to OPNsense and allocate a static IP for the machine you are trying to connect to (if you would like to make this port forward permanent, you cannot skip this step, you have to make sure that the exact same IP is always allocated to that same machine even when leases expire).
6. Next, make sure the IP you configured is allocated to the machine; if not, go to network settings on your machine and renew your IP (you can do that easily by disabling/enabling the network interface). Re-verify!
7. Next, go to OPNsense Firewall:NAT:Port Forward and set as source IP the WAN address, source port: any, destination IP: your machine IP, destination PORT: the port you are trying to connect to. Apply.
8. Verify, from the internet, that you can connect from the internet to your WAN IP : PORT you configured in your port forward
9. You should harden your firewall rules by various techniques in order to secure your exposed IP:PORT
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 01:09:05 pm
Of course, sorry. I have an application, the database is on server 192.168.0.199. Ports needed for this app: 8443, 8447, 3050, 8080, 60000-65535. Now I want clients to connect to the server on those ports. I've made an alias with those ports.
I don't use DHCP, all PCs have static IPs, it's a LAN with a domain.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 01:14:38 pm
1. The clients are all on the same local subnet?
2. Or, would you like to connect from the internet to that database?

Are you absolutely positive, 100% sure that you would like to open ~5500+ ports and expose those ports to the internet (if this is the case)?
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 01:18:01 pm
Same subnet, I want ports opened in the LAN only. Everything is working when I connect without OPNsense so I'm sure I'm doing something wrong with the setup.

2. On the other hand, when I was setting the proxy in Control Panel > Internet Connection I checked 'Don't use proxy for LAN'. Shouldn't LAN apps work then without restrictions?
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 01:23:54 pm
Ah, ok.

But if the clients are all on the LAN side, you don't have to create port forwards in OPNsense to connect to the other clients.
I think the problem lies elsewhere.
You should verify that you do not block the local subnet / bogon networks on the LAN interface in OPNsense.
You should verify your firewall rules as well.

You are blocking something on the LAN side with OPNsense. By default, you should be able to connect from the LAN to the LAN without any other setting.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 01:32:52 pm
I don't think the proxy has anything to do with the issue. That proxy you are referring to - by default - only works for port 80/443 (and maybe ftp and socks) and it is for browsing only, nothing to do with your db ports.

Actually, this is how it should work, I'm not entirely sure with OPNsense though as I don't use the proxy, but I highly doubt it's set up to proxy any other ports.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 01:33:48 pm
'Block bogon networks' is only checked on the WAN interface. The only firewall rules are those from the AV config to block proxy bypass.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 01:36:39 pm
What AV are you referring to? Where is it installed?
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 01:44:30 pm
https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html

this one
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 01:50:52 pm
Ok, this AV (the proxy actually) will not use the ports you want to use for your db (please somebody correct me if I'm wrong).
Again, I don't think the proxy has anything to do with your problem unless your clients connect from the port (source port) 80 or 443.

I think you should (re)verify your firewall rules on the LAN side.
Title: Re: How to open specific ports?
Post by: phoenix on January 15, 2018, 02:07:19 pm
I think we should start with another simple question. Your database server(s) listen on port 3306, don't they? From one of the machines on your LAN (from where you run the Java app), can you connect to the DB server by running the following command:

Code:
telnet <db_server_ip> 3306

Do you get a connection to the DB server and if not, what happens? If you get a connection then there should be no problem connecting to the DB server from any app on your LAN.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 02:20:03 pm
Kind of found a solution: in Internet Settings > Connections > LAN settings > Advanced I've added an exception for the server address and the application is working now.

phoenix
I can't connect with the telnet command - it says failed connect to host on port 3306. Connection failed.
The ping command is working and I can also browse the local network.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 02:26:27 pm
> Kind of found a solution: in Internet Settings > Connections > LAN settings > Advanced I've added an exception for the server address and the application is working now.
>
> phoenix
> I can't connect with the telnet command - it says failed connect to host on port 3306. Connection failed.
> The ping command is working and I can also browse the local network.

You lost me here (again)...
So your app is working after adding a local firewall rule (so not in OPNsense, but in Windows Firewall) as I told you before, but still telnet isn't working?
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 02:33:18 pm
Try this:

PC1-the client, with the java app
PC2-the server, with the database

Temporarily TURN OFF the Windows (or whatever OS) firewall on PC2
Go back to PC1 and type this from the command line:

telnet PC2IP 3306 (e.g. telnet 192.168.0.199 3306)

Is it working?
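A scripted version of the telnet check from the step-by-step guideline and from phoenix's and elektroinside's posts above, added here as an example (it is not code from the thread): it tries a TCP connect to each port the app needs on the database server and separates "refused" (host reachable, nothing listening or a host firewall rejecting) from "timeout" (packets dropped somewhere on the path), which telnet's single "Connect failed" message hides. The server address and port list are the ones given in the thread; the timeout value and the loopback self-test are my own.

```python
import socket
from contextlib import closing

# Values from the thread: the database server and the ports the app needs
# (3306 is the port phoenix asked about). Timeout and labels are my own.
SERVER_IP = "192.168.0.199"
APP_PORTS = [8443, 8447, 3050, 8080, 3306]


def check_port(host, port, timeout=2.0):
    """One TCP connect attempt; returns 'open', 'refused', 'timeout' or 'error: ...'.

    'refused' means the host answered with a reset: it is reachable but nothing
    listens there (or a host firewall such as ESET/Windows Firewall rejects).
    'timeout' means no answer at all: a drop rule on the path (e.g. on the
    OPNsense LAN interface), a wrong IP, or a host that silently drops.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError as exc:            # e.g. 'No route to host'
            return f"error: {exc.strerror or exc}"


def check_ports(host, ports, timeout=2.0):
    """Check every port in the list and return {port: result}."""
    return {port: check_port(host, port, timeout) for port in ports}


def local_self_test():
    """Constructed check on loopback: one listening port, then the same port closed.

    Returns (result_for_open_port, result_for_closed_port); expected
    ('open', 'refused'). Confirms the checker itself works before pointing
    it at the server.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = check_port("127.0.0.1", port)
    finally:
        listener.close()
    closed_result = check_port("127.0.0.1", port)   # nothing listens now
    return open_result, closed_result


if __name__ == "__main__":
    print("self-test:", local_self_test())
    for port, result in check_ports(SERVER_IP, APP_PORTS).items():
        print(f"{SERVER_IP}:{port} -> {result}")
```

Run it from a client PC; a port that shows "open" from a neighbour in the same subnet but "timeout" from across OPNsense points at a firewall rule rather than at the server.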
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 15, 2018, 03:05:17 pm
> Kind of found a solution: in Internet Settings > Connections > LAN settings > Advanced I've added an exception for the server address and the application is working now.

This is in Control Panel > Internet Options.

As I mentioned before, the app is working when I'm connecting to the server without OPNsense. I'm not using Windows Firewall, I have ESET but it's not blocking my app. The problem is in OPNsense. I'm after work now, so I'll check everything tomorrow.
If we don't find what the problem is I'll manually add this exception on every client as I have to set the proxy connection anyway.
Big thanks to you!

PS
I'll contact the app's support tomorrow to ask if it has any specific settings to work with a proxy.
Title: Re: How to open specific ports?
Post by: elektroinside on January 15, 2018, 03:23:58 pm
Well, that's the thing... You add "exceptions" to something related to Windows (probably the proxy, as the location of the settings you described is related to the proxy) and then it works.
This is what I don't understand, why OPNsense is at fault here.

If you are proxying http and https traffic, that's done for ports 80/443 and 2 others on the local machine, and any other (the configured proxy ports) in OPNsense. If you are not allowing http/s traffic except through the proxy server on your LAN, it would make sense to force the client to use a specific proxy server, if you did not configure PAC (proxy auto-config) on OPNsense. In this case, clients do not automatically pick up the proxy server and a manually configured proxy server needs to be added.

But, if a proxy is involved, on the client, only 80/443 and two others are proxied (usually). This is what confuses me, why your app works if you configure a proxy, unless your app uses 80/443 to connect to the db as well. In this case, it is proxied.

But maybe your app connects to the server on at least two different ports, the db on the server on port 3306 and the webserver on the server on port 80/443. 3306 most probably is not proxied and should work from the client, and port 80/443 is proxied only if the client is configured. Isn't this your case?

I'm not the best at explaining stuff, but I'll try anyway.
Sure thing, you're very welcome.

Title: Re: How to open specific ports?
Post by: Dzioobasek on January 16, 2018, 08:45:07 am
The settings I'm writing about are in the Windows Control Panel and yeah, it's about the global proxy settings for all browsers. Adding the server address is for now the only working solution for me. It has to be something with OPNsense because without it the app is working.

I have another problem now :P I can't access https://cas.mpips.gov.pl:8443/CAS/signin.do Can you help me with that?
Title: Re: How to open specific ports?
Post by: elektroinside on January 16, 2018, 09:58:05 am
So let us recap:

- you have at your workplace a 35-client LAN
- you have deployed an OPNsense box and you are the sole administrator of that box
- for some reason you enabled the proxy server on the OPNsense box
- without properly (and manually) configuring LAN clients you cannot make your app work
- also, you cannot access a Polish government login website and you cannot debug the reasons

Am I correct up until this point?

Title: Re: How to open specific ports?
Post by: Dzioobasek on January 16, 2018, 10:12:34 am
All yep. The reason I'm using the proxy is for web filtering and AV. Access to that site is important in my work, I'm from Poland :)

When I added my IP in Web Proxy > Forward Proxy > Access Control List > Unrestricted IPs I can access the site now. Do you think it's ok doing it this way or should I try something else?
Title: Re: How to open specific ports?
Post by: elektroinside on January 16, 2018, 10:44:25 am
I prefer IDS/IPS + custom DNS services like OpenDNS or AdGuard as a protection layer (with enforced rules for DNS queries), instead of proxy, in "office" environments.
But this is just me.

I know the headaches a proxy server can give you in such environments if it's not properly maintained. IDS/IPS needs some attention as well in the beginning, a few days to see what's being blocked (and to allow stuff if necessary). General performance is just poor and a waste of resources with a proxy, this is how it works. "Unrestricting" IPs sounds like making the proxy server almost useless...

It has its own applications, no doubt about it, maybe you really need it, but also maybe you can try protecting your network in some other ways and it would be good enough. I'm not trying to make you change your mind here, just consider other stuff as well.

This is a good article describing various protection techniques, many of them available in OPNsense as well:
http://resources.infosecinstitute.com/network-design-firewall-idsips/

Otherwise, you need to debug your proxy setup. Since it has been a long time since I last used a proxy, I forgot many details about it. What I do remember is that you need proper security certificates to make it work for https as well, not just http (without the need to trust CAs and other stuff on every client), a powerful box if you have many proxy clients, caching properly configured, and many other aspects...
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 16, 2018, 11:10:09 am
Oh maaaan, when I'm about to finish you say I could choose something else :P
Will IDS/IPS block viruses like the AV module? This OPNsense proxy AV seems to be working.
Have you got any link on how to set it up in OPNsense and test it? I'm not in a hurry so I can check different solutions.
Title: Re: How to open specific ports?
Post by: elektroinside on January 16, 2018, 08:39:09 pm
IDS/IPS will not block viruses like an AV but rather they are complementary to each other. IDS/IPS will scan network traffic (packets) while the AV scans files. Both work with rules/signatures, both heavily dependent on these (except some newer technologies).

There's always a compromise to be made between speed and security. I prefer obviously both if possible, but this is difficult.

I prefer IDS/IPS in inline mode as it's lightning fast. The protection it offers is as good as your rules are. Combine this with a good DNS service and you will get a nice and fast security.

I will write you a little howto in the next comment.
Title: Re: How to open specific ports?
Post by: elektroinside on January 16, 2018, 09:21:03 pm
Getting ready

1. BACKUP OPNSENSE FIRST (absolutely mandatory and first step): System: Configuration: Backups
In the case something goes wrong, you can always revert using the backup set.
2. Copy-paste this comment in a txt file on your test machine and save it
3. Run a few speedtest.net tests to verify performance and throughput before and after these techniques are deployed in your environment
4. Disable the proxy server in OPNsense and configure clients not to use the proxy :) Do this on one machine first, see if it works.

DNS

Some particular public DNS servers will block queries pointing to malicious websites. I use OpenDNS or AdGuard DNS servers. OpenDNS will block no ads but more malware, AdGuard will block ad servers but less malware.

OpenDNS servers: there is a client integrated into OPNsense for this; create an account on OpenDNS.com and just fill in the form in OPNsense: Services: OpenDNS, the GUI will fill in the DNS servers from step 1 below for you.
AdGuard: https://adguard.com/en/adguard-dns/overview.html

Let's go with AdGuard as it is easy to verify and this one you need to configure manually:

1. Go to System: Settings: General
2. In the DNS servers field, delete everything and add these (don't configure gateways, leave it on none):
176.103.130.130
176.103.130.131
2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff
3. Uncheck if not already: 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and 'Do not use the DNS Forwarder/Resolver as a DNS server for the firewall'
SAVE
4. If you use Unbound DNS (OPNsense default), go to Services: Unbound DNS: General
5. Check if not already: 'Enable Forwarding Mode'
SAVE
6. Just to be sure everything works, reboot and check your internet connection on that one machine

IDS/IPS

1. Go to Services: Intrusion Detection: Settings tab
2. Check these:  Enabled,  IPS mode (do not check promiscuous mode)
3. If you have a newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select 'Hyperscan' as pattern matcher. You will have to check dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.
5. Select all Home networks
6. Choose something for log rotation (whatever suits you best).
APPLY
7. Go to Download tab, select all, Enable then Download & Update rules
8. After everything is downloaded and enabled, edit each one, one by one, and select "Change all alerts to drop actions"
9. Select all again, download and update rules
10. Reboot just to be sure
11. Open this website https://www.wicar.org/test-malware.html and click on "EICAR TEST-VIRUS"
12. If nothing downloads, it works. If it doesn't work, a txt file will be downloaded (will not harm your PC in any way, it is a test virus)
13. Go to Services: Intrusion Detection: Schedule tab and configure a cron job so that the rules are automatically refreshed once a day (for 12AM each day, enabled: check, minutes: 0, hours: 0, day month: *, months: *, days week: *, command: update and reload ids rules)

What to do when something is not working (can't open a website, torrents don't work, can't connect to something)

1. Go to Services: Intrusion Detection: Alerts tab
2. In the search box, type blocked
3. If you found a rule you wish to unblock, edit it (click on the pencil icon) and select 'Alert' for 'Configure action', instead of 'Drop'
4. Go back to Services: Intrusion Detection : Rules tab and click 'Apply'

If absolutely nothing works, verify each step here, concentrate, read every word, don't skip anything unless you know what you are doing. If still nothing is working, go to System: Configuration: Backups and restore your backup. Don't forget to reconfigure the clients to previous settings, in your case the proxy.

Verify results:

1. wicar tests should fail (most of them) -> the site with the eicar test virus, there are more tests there
2. if you choose AdGuard dns servers, most of the ads in websites/ games etc will disappear and everything will load faster
3. if everything works, run a few speedtest.net again and compare

With these techniques, you should have a good protection and speed as well without the proxy. If you wish to tweak these more, you can configure your OpenDNS account and filter out more categories to block. With another set of AdGuard servers, you can block Default + blocking adult websites + safe search (Family protection DNS servers).

Relying also on DNS, you may want to make sure all DNS queries from the clients go to the ones you configured. If you wish, you can enforce this with a firewall rule:

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

With these settings, I just got these results (from Romania, ISP is RDS with Fiberlink 1000 line, 1Gbit/sec download, 500Mbit/sec upload theoretical link, both are up-to values, with an i3-8100 CPU):
-to Amsterdam: http://www.speedtest.net/result/6972207406
-to Romania: http://www.speedtest.net/result/6972210834

Thats it :)


Title: Re: How to open specific ports?
Post by: Dzioobasek on January 18, 2018, 08:52:09 am
Man you're great! Thank you for your time and help, yesterday I was busy but in the next few days I'll try to set it up with your guide. Again big thanks to you!
Title: Re: How to open specific ports?
Post by: elektroinside on January 18, 2018, 09:31:46 am
Sure thing, you're welcome!
Nevertheless, you should ask around for a second opinion, someone else who also knows your network requirements (if possible) :)
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 19, 2018, 10:29:01 am
I'm trying this but I have a problem in the IDS/IPS part. If I check IPS it blocks access to the internet and access to OPNsense.
Also in point 5, 'Select all Home networks' - I don't have such an option, only LAN and WAN.
Title: Re: How to open specific ports?
Post by: Ciprian on January 19, 2018, 10:39:17 am
> I'm trying this but I have a problem in the IDS/IPS part. If I check IPS it blocks access to the internet and access to OPNsense.

It shouldn't! Maybe you checked (as in, enabled and set to block) every and each rule in every and each ruleset, without checking what each is doing?!?! :-\

> Also in point 5, 'Select all Home networks' - I don't have such an option, only LAN and WAN.

Click on "advanced mode" (upper left corner, vis-à-vis "full Help")
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 19, 2018, 10:49:55 am
At the 3rd time it's working, the previous 2 times it blocked everything. In Home networks I have 3 values: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, is that ok? My WAN network is 192.168.1.0, the LAN is 192.168.0.0


Now I can't log in to the Joomla panel, I have found the rule which was blocking it and changed it to alert. Now when I switch to the Rules tab should I check and apply all rules?
Title: Re: How to open specific ports?
Post by: elektroinside on January 19, 2018, 11:11:21 am
It definitely shouldn't. Actually, if you only set the rulesets (so not the rules on a one by one basis, just the rulesets from the 'download' tab), all of them, to drop, you will notice that not all of the rules will actually be set to drop. This is how it should work, don't set to 'drop' anything else (the rules) manually unless you know what you are dropping. Unless something went wrong, it should never isolate you completely.

You will have issues, that's for sure, some stuff will be blocked right after the first deployment, but if you only set the rulesets to drop, you should be able to set the actually dropped packets to 'alert' in the 'Alerts' tab in order to allow it for future use. After you have set a rule to 'alert', hit 'Apply' in the rules tab, otherwise, it won't be applied.



Title: Re: How to open specific ports?
Post by: elektroinside on January 19, 2018, 11:16:11 am
> Now I can't log in to the Joomla panel, I have found the rule which was blocking it and changed it to alert. Now when I switch to the Rules tab should I check and apply all rules?

Just go to the Rules tab, don't select anything, just hit 'Apply'. It should work. Don't worry, there won't be that much stuff blocked. Some will be, but once you allow them (i.e. set them to 'alert'), everything will work :)
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 19, 2018, 11:28:43 am
I did everything you wrote and I can't log in to the Joomla admin panel. I can access the site but after I provide the login and password it drops the connection.
Title: Re: How to open specific ports?
Post by: elektroinside on January 19, 2018, 12:56:23 pm
Do you have dropped alerts from that host in the 'Alerts' tab that you may have missed to set to 'alert'? Refresh the 'Alerts' tab, delete 'blocked' from the search, verify the results again... It has to be there...
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 19, 2018, 01:04:10 pm
The alert for this site appears as `allowed` but I still can't log in.

In the IPS description there is `Before enabling, please disable all hardware offloading first in advanced network.` I haven't done it, may this be the reason?
Title: Re: How to open specific ports?
Post by: Ciprian on January 19, 2018, 01:51:08 pm
As far as I remember, Hardware Offloading is, by default, OFF.
Only check!
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 19, 2018, 01:52:34 pm
Nope, I have unchecked those and then everything is blocked.
I'm going home, if you give me any tips I'll try them on Wednesday. Have a nice weekend guys!

PS
This should be the official guide.

hutiucip - it's all checked by default
Title: Re: How to open specific ports?
Post by: Ciprian on January 19, 2018, 01:59:11 pm
> Nope, I have unchecked those and then everything is blocked.
> I'm going home, if you give me any tips I'll try them on Wednesday. Have a nice weekend guys!
>
> PS
> This should be the official guide.
>
> hutiucip - it's all checked by default

Leave them checked: as they state "Disable hardware 'bla-bla-bla' offload" it means unchecking them enables/ activates offloads. Negation of negation = affirmation / non p and non p = non non p = p (if I remember it accurately) :)
Title: Re: How to open specific ports?
Post by: elektroinside on January 19, 2018, 02:49:38 pm
Another good point, all offloading must be disabled. They are by default, but who knows :)
Title: Re: How to open specific ports?
Post by: elektroinside on January 19, 2018, 03:01:10 pm
> Nope, I have unchecked those and then everything is blocked.

It should be exactly like in this snapshot: https://docs.opnsense.org/_images/disable_offloading.png

After you have verified that it is, reboot your OPNsense box.

1)
Then, go back to Services: Intrusion Detection and disable IPS mode.
Please confirm things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

2)
Then, go back to Services: Intrusion Detection and enable IPS mode.
Then, go to 'Download', take each ruleset one by one, and set to 'Alert'.
Then, go to 'Rules' and hit 'Apply'.
Please confirm things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

3)
Then, go to 'Download', take each ruleset one by one, and set to 'DROP'.
Then, go to 'Rules' and hit 'Apply'.
Please confirm things are working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'

4)
Go to 'Alerts', select a 'blocked' packet (do this with the eicar test file), edit it and set it to 'Alert'.
Go back to 'Rules' and hit 'Apply'.
Try to download the eicar file again, it should work this time. If it does, set it back to 'Drop' and hit 'Apply' again from the 'Rules' tab.

5)
Verify the joomla login page.
Check the 'Alerts', see if anything is blocked. If it is, set it to 'Alert', go back to 'Rules' and hit 'Apply'.
Verify the joomla login page again.
Check the 'Alerts', see if anything is blocked. If it is, set it to 'Alert', go back to 'Rules' and hit 'Apply'.
Repeat these steps until the joomla login page is fully working.

Please report your findings for each step.
 
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 24, 2018, 11:58:21 am
I have found the guilty ruleset: it's ET open/emerging-policy. Even if it's set to alert it's blocking my Joomla panel access; when I disable it, it is working and I can log in. Is it a bug?

About ad blocking, should it block all ads or only most of them? Can you check wp.pl or onet.pl if there are any ads? I have many.
Title: Re: How to open specific ports?
Post by: Ciprian on January 25, 2018, 09:55:32 am
> I have found the guilty ruleset: it's ET open/emerging-policy. Even if it's set to alert it's blocking my Joomla panel access; when I disable it, it is working and I can log in. Is it a bug?

"Policy" is the keyword here: the Policy ruleset contains rules regarding use policy (companies/corporations). Be very careful with these sets, since they are organized as a template of rules, and as a template of enabled/alert/block patterns. Most likely, and by default, they are going to "break" things. Any ruleset should be activated on a "one-by-one rule" approach, and especially that type of ruleset.

So, I guess it's not a bug, it's a "different than template/ default" need.
Title: Re: How to open specific ports?
Post by: elektroinside on January 25, 2018, 10:23:57 am
There was an issue with the reporting of dropped packets in OPNsense 18.1.r2 (not all were reported as dropped in the GUI).

You should apply this patch from the console in order to see all the blocked rules in the GUI:
https://github.com/opnsense/core/commit/573612d48


Code:
opnsense-patch 573612d48
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 25, 2018, 10:56:31 am
I'm gonna wait for the next update, I don't feel like I could do it and don't want to make a bigger mess ;)
Also I had a problem with updating Joomla today. When I pressed the update button it dropped the connection, hopefully it will be fixed soon.
Title: Re: How to open specific ports?
Post by: elektroinside on January 25, 2018, 11:04:34 am
Sure thing, whenever you feel like it, 18.1 is coming very soon anyway, so you don't have to wait that much.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 25, 2018, 11:30:00 am
Can you reply to me about ad blocking?
Title: Re: How to open specific ports?
Post by: elektroinside on January 25, 2018, 12:09:53 pm
> Can you reply to me about ad blocking?

There are different ways to display ads on a website. The most common two:
1. Using external ad services, like Google ad services; these ones are among the most aggressive, as they are usually JavaScripts bundled in the website, which connect to ad servers and, based on many rules & browser activity, display ads; many of these hijack cookies as well. AdGuard will block most of these servers, but not all. Ad providers often change their IPs/hostnames and new ones might not be blocked.
2. Classic banner based ads, hosted on the same server(s) as the webpage; the ad blocker must be content aware in order to block these, and if the content doesn't contain some ad specific metadata, they won't be blocked. AdGuard DNS servers obviously are not content aware (it is a DNS based ad blocker). Content aware ad blockers must be locally installed (software).

I attached 2 pictures (with AdGuard as DNS ad blocker and without). It works for all the ads displayed using JavaScript even on the two websites you mentioned. There are also other types of ads on these two websites, which a DNS based "ad blocker" simply cannot "block".

What a DNS-based ad blocker does is resolve ad server hostnames to 127.0.0.1, for example. If you want full ad blocking, you could combine DNS ad blocking with uBlock Origin + uBlock Origin Extra as browser extensions. These two extensions are content aware.
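To make the distinction in the post above concrete, here is a small added model of what a DNS-based blocker can and cannot stop. It is an illustration written for this thread, not AdGuard or OPNsense code; the blocklist, the hostnames and the page resources are constructed sample data (`.test` names), and `127.0.0.1` is the sinkhole answer the post describes. The same-host banner in the sample resolves normally, which is exactly the case a DNS blocker cannot see.

```python
"""Toy model of a DNS-based ad blocker versus same-origin (first-party) ads.

Added illustration for this thread; not OPNsense or AdGuard code.
All hostnames, the blocklist and the page resources are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample blocklist of ad/tracker hostnames (not a real AdGuard list).
BLOCKLIST: Set[str] = {"ads.example-adnetwork.test", "tracker.example-metrics.test"}

# What a DNS ad blocker answers for a listed name, per the post above.
SINKHOLE = "127.0.0.1"

# Constructed resources a sample news page might load. The last one is a
# banner served from the page's own host.
SAMPLE_PAGE_RESOURCES: List[str] = [
    "https://news.example.test/index.html",
    "https://ads.example-adnetwork.test/serve.js",
    "https://cdn.tracker.example-metrics.test/pixel.gif",
    "https://news.example.test/ads/banner-top.jpg",
]


def hostname_is_blocked(qname: str, blocklist: Set[str]) -> bool:
    """True if qname, or any parent domain of it, is on the blocklist.

    A DNS blocker matches on the name being resolved, so a subdomain of a
    listed host (cdn.tracker.example-metrics.test) is caught as well.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def dns_answer(qname: str, blocklist: Set[str], upstream: Dict[str, str]) -> Optional[str]:
    """Answer a query the way a DNS ad blocker does.

    Listed names are sinkholed to 127.0.0.1; anything else is resolved via
    the (constructed) upstream table, or None if unknown.
    """
    if hostname_is_blocked(qname, blocklist):
        return SINKHOLE
    return upstream.get(qname.rstrip(".").lower())


def classify_page_resources(resource_urls: List[str], blocklist: Set[str]) -> Tuple[List[str], List[str]]:
    """Split a page's resources into (never loads, loads normally).

    The browser only ever asks DNS for the hostname, never for the path, so
    a banner under /ads/ on the page's own host resolves like the page
    itself. Only a content-aware blocker in the browser can refuse it.
    """
    blocked: List[str] = []
    loaded: List[str] = []
    for url in resource_urls:
        host = urlsplit(url).hostname or ""
        (blocked if hostname_is_blocked(host, blocklist) else loaded).append(url)
    return blocked, loaded


if __name__ == "__main__":
    never_loads, loads = classify_page_resources(SAMPLE_PAGE_RESOURCES, BLOCKLIST)
    print("stopped by DNS blocking:", never_loads)
    print("still loads (first-party, needs a content-aware blocker):", loads)
```

Running it shows the two third-party resources sinkholed and the first-party banner loading untouched, which is the reason the post recommends pairing DNS blocking with a browser extension.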
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 25, 2018, 12:33:03 pm
So it's not blocking ads for me :/ I did everything you said in your guide.
Title: Re: How to open specific ports?
Post by: elektroinside on January 25, 2018, 12:41:07 pm
It probably means your DNS requests are not resolved by AdGuard DNS servers.
Do your DNS settings in OPNsense look exactly like the ones in the attached snapshot? You should not have any other DNS servers configured, only the ones from AdGuard.
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 25, 2018, 12:49:22 pm
Yes, I have the same settings. Do I have to set those DNS on the clients or doesn't it matter?
Title: Re: How to open specific ports?
Post by: elektroinside on January 25, 2018, 12:57:22 pm
Your clients should use one and only one DNS server, which is the OPNsense local IP address. If you had any other DNS servers configured, after the changes you should flush the DNS cache locally on each client from the command line.

For Windows clients (cmd 'run as administrator'):

Code:
ipconfig /flushdns
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 26, 2018, 07:34:03 am
If OPNsense has to be the only DNS then I have another problem, because the domain controller also has to be there :)
Title: Re: How to open specific ports?
Post by: Ciprian on January 26, 2018, 09:07:44 am
If OPNsense has to be the only DNS then I have another problem, because the domain controller also has to be there :)

Of course. And you have 2 ways to solve that problem:

1. If you have already set OPNsense as the only DNS for the devices in your network, then create a domain override in Unbound so that DNS queries made for either your domain or your internal IP address range are forwarded to your domain DNS server(s) (your domain controllers having that role).

2. If all network devices have your domain DNS server set, then set OPNsense as the forwarder only in your domain DNS service.

Which of the 2 ways you choose depends on how difficult it is for you to change your DNS (and DHCP) settings for the clients, or the DNS settings on the domain controller/OPNsense.

PS If you choose the first, be very careful to set domain overrides for both forward (name to IP addresses) and reverse (IP addresses to names) DNS queries.

Reverse domain override example:
Domain 1.168.192.in-addr.arpa, IP "your-domain-controller-internal-IP-address" will send to the domain controller every query for "ping -a 192.168.1.XXX"
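The forward-plus-reverse override advice above is easy to get wrong for networks larger or smaller than a /24, so here is an added helper that plans the Unbound domain overrides for an AD domain and its subnets and shows which queries they catch. It is illustration code written for this thread, not OPNsense's own code or part of Ciprian's post; the domain `corp.example`, the subnets and the domain controller address `192.168.1.10` are constructed placeholders. It generalises the post's single example to any IPv4 network by emitting one `in-addr.arpa` override per /24 (a network smaller than a /24 is rounded up to its /24, since that is the zone a PTR query is asked in).

```python
"""Plan Unbound domain overrides (forward + reverse) for an internal AD domain.

Added illustration for this thread; not OPNsense code. Domain name,
subnets and DC address are constructed placeholders.
"""
import ipaddress
from typing import List, Optional, Tuple

Override = Tuple[str, str]  # (domain, IP of the DNS server to forward to)


def reverse_zones(network: str) -> List[str]:
    """Return the in-addr.arpa zone(s) covering an IPv4 network.

    Unbound domain overrides match by name suffix, and a PTR query for
    192.168.1.50 is asked under 1.168.192.in-addr.arpa, so one override per
    /24 is needed. Networks smaller than a /24 are rounded up to their /24.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    blocks = [net.supernet(new_prefix=24)] if net.prefixlen > 24 else list(net.subnets(new_prefix=24))
    zones = []
    for block in blocks:
        first_three = str(block.network_address).split(".")[:3]
        zones.append(".".join(reversed(first_three)) + ".in-addr.arpa")
    return zones


def plan_overrides(ad_domain: str, networks: List[str], dc_ip: str) -> List[Override]:
    """Forward override for the AD domain plus reverse overrides for every subnet."""
    overrides: List[Override] = [(ad_domain.rstrip(".").lower(), dc_ip)]
    for network in networks:
        overrides.extend((zone, dc_ip) for zone in reverse_zones(network))
    return overrides


def ptr_name(ip: str) -> str:
    """The name a client's reverse lookup (ping -a, nslookup) actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def override_for(qname: str, overrides: List[Override]) -> Optional[str]:
    """Which server Unbound would forward qname to, or None (normal resolution).

    Matching is by domain suffix, exactly or as a parent of the query name.
    """
    name = qname.rstrip(".").lower()
    for domain, server in overrides:
        if name == domain or name.endswith("." + domain):
            return server
    return None


if __name__ == "__main__":
    # Constructed example: one /24 and one /23 behind a single DC.
    plan = plan_overrides("corp.example", ["192.168.1.0/24", "10.0.0.0/23"], "192.168.1.10")
    for domain, server in plan:
        print(f"override {domain} -> {server}")
    print("dc1.corp.example ->", override_for("dc1.corp.example", plan))
    print("ping -a 192.168.1.50 asks", ptr_name("192.168.1.50"), "->", override_for(ptr_name("192.168.1.50"), plan))
    print("www.example.com ->", override_for("www.example.com", plan))
```

The printed plan is what you would type into Services: Unbound DNS: Overrides, one domain override per line; the last three lines show that the AD name and the reverse lookups land on the DC while an external name still resolves normally.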
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 26, 2018, 09:46:16 am
2. If all network devices have your domain DNS server set, then set OPNsense as the forwarder only in your domain DNS service.

Sounds easier but I still don't know how :P
Title: Re: How to open specific ports?
Post by: Ciprian on January 26, 2018, 11:36:18 am
A simple Google search for "change dns forwarders windows server" returned first, foremost and on top:

    Setting up DNS Forwarding for Windows Server 2012 and 2012 R2

    From the Start menu, start typing DNS, then select DNS from the search results.
    Choose the server you want to edit, then select Forwarders.
    Click the edit button.
    Add OpenDNS addresses in the IP address list. ...
    Click OK once more.

Seems to be from a support page of OpenDNS. Replace "OpenDNS addresses" with the internal IP address of your OPNsense machine/virtual appliance, and it should be OK.

Cheers!
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 30, 2018, 08:35:54 am
And the story goes on ... I have updated to 18.1 and now I can't download and update the ET open/emerging-policy rules. I can enable it, but when I press Download and update rules nothing happens. It shows `not installed` and as I'm checking, it's not updating any rules at all.
Title: Re: How to open specific ports?
Post by: franco on January 30, 2018, 08:37:53 am
It might be beneficial to respond to similar topics and not provide a continuation of an already otherwise epic thread that is hard to follow. :D
Title: Re: How to open specific ports?
Post by: Dzioobasek on January 30, 2018, 09:22:36 am
I was thinking that it might be a good idea to end this topic :P