Topics - fathibn

#1
24.7, 24.10 Legacy Series / Static route by ASN
January 21, 2025, 04:57:38 PM
Hi,
I have two internet connections to two different ISPs and would like to direct outgoing traffic to some ASNs (mainly Facebook, Instagram, ...) through a given one of them.
I added an alias for the desired destination, facebook_Meta_asn_32934_n_63293, and would like to add a static route to that ASN so that non-production traffic goes through a given ISP.
Couldn't find how to do it.
Could someone help me please?
TIA.
Fathi B.N.
#2
General Discussion / Firewall reporting
August 19, 2024, 10:24:34 AM
Hi,
One of our firewalls is a Fortigate that I have been asked to replace with a less expensive one, and I hope it could be OPNsense.
Of course some people inside my company argue that few products can compete with that brand. My argument is that OPNsense can respond to our needs without trying to compare both products feature by feature.
The following is just a suggestion.
One of the features of the above brand is a daily security report, which looks like this:
Security Analysis
Report Date: August 16, 2024 14:00
Data Range: 2024-08-15 00:00 2024-08-15 23:59 GMT+1 (FAZ local)

Table of Contents
Bandwidth and Applications
  Traffic Bandwidth
  Number of Sessions
  Top Applications by Bandwidth
  Top Applications by Sessions
  Top Users by Bandwidth
  Top Users by Sessions
  Top Destination by Bandwidth
  Top Destination by Sessions
  DHCP Summary
  Top Wifi Client by Bandwidth
  Traffic History by Number of Active Users
Web Usage
  Top 20 Most Active Users
  Top 20 Most Visited Categories
  Top 50 Most Visited Sites
  Top 10 Online Users
  Top 10 Categories
  Top 50 Sites By Browsing Time
  Top 20 Bandwidth Users
  Top 20 Categories By Bandwidth
  Top 50 Sites (and Category) by Bandwidth
  Top 20 Most Blocked Users
  Top 20 Most Blocked Categories
  Top 50 Most Blocked Sites
Emails
  Top Senders by Number of Emails
  Top Recipients by Number of Emails
  Top Senders by Combined Email Size
  Top Recipients by Combined Email Size
Threats
  Malware Detected
  Malware Victims
  Malware Source
  Botnet Detected
  Botnet Victims
  Botnet C&C
  Botnet C&C Detected by DNS Filtering
  Intrusions Detected
  Intrusion Victims
  Intrusion Sources
VPN Usage
  VPN Traffic Usage Trend
  VPN User Logins
  Authenticated Logins
  Failed Login Attempts
  Top Dial-up VPN Users
  Top Sources of SSL VPN Tunnels by Bandwidth
  Top SSL VPN Tunnel Users by Bandwidth
  Top SSL VPN Web Mode Users by Duration
  Top SSL VPN Users by Duration
  Top Users of IPsec VPN Dial-up Tunnel by Bandwidth
  Top Site-to-Site IPsec Tunnels by Bandwidth
  Top Dial-up IPsec Tunnels by Bandwidth
  Top Dial-up IPsec Users by Bandwidth
  Top Dial-up IPsec Users by Duration
Admin Login and System Events
  Login Summary
  Login Summary By Date
  List of Failed Logins
  Events by Severity
  Events by Date
  Critical Severity Events
  High Severity Events
  Medium Severity Events
Appendix A
  Devices

And my question is: is there, inside the OPNsense installation, a central repository that collects all this data, so that it could later be extracted to generate a corresponding report? I know the Sensei plugin generates and sends such reports, but they are not as exhaustive as the Fortigate ones.
TIA
Fathi B.N.
#3
Hi,
When creating a new OpenVPN profile, the "Certificate Depth" value is always reset to "Do Not Check" after saving, whatever value was chosen before saving.
Maybe this is related to the issue described in topic 35225.0 https://forum.opnsense.org/index.php?topic=35225.0 (no way to select the peer CA to check client certificates against).
TIA
#4
Hi,
In the OpenVPN profile form the "Peer Certificate Revocation List" option is present, but not the "Peer Certificate Authority" one that allows selecting which Certificate Authority will be used to verify client certificates.
Maybe the form doesn't show it because I created only one Certificate Authority when creating an OpenVPN server before the 23.7 version change, and so it is implicitly chosen. In this case please ignore this post.
TIA.
#5
Hi,
As several parameter names, descriptions and locations (order in the form) have changed between the old OpenVPN server generation wizard and the new OpenVPN profile form, would it be possible, as a suggestion, to print the old parameter names in italics, in parentheses, under the new parameter names, so people could rapidly, and with the minimum possible mistakes, manually migrate their old config to the new profile form?
Or at least have a preview button, similar to the one at the bottom of this page, that allows previewing what the server config file will be.
TIA.
#6
Hi,
When creating a new OpenVPN profile for a server, there is no textarea to fill in a static key, nor is there the old option to "Automatically generate a shared TLS authentication key".
#7
23.7 Legacy Series / Detecting compromised vpn clients
August 05, 2023, 03:07:42 AM
Hi,
I have set up an OpenVPN server to allow remote users to connect to the internal network. I would like to set up intrusion detection to detect malicious traffic from compromised VPN clients to the corporate LAN. I am only interested in the VPN client address, as real addresses are dynamic (3G/4G mobile network) and OPNsense is behind another firewall, so all clients seem to be coming from the DMZ gateway.
Which Suricata rules should I activate, mainly to detect attacks against Windows servers and databases?
TIA.
#8
Hi, I have followed the document at https://docs.opnsense.org/manual/multiwan.html and set up a weighted, monitored, load-balanced multi-WAN group between 2 ADSL connections.
On the interface configuration page for the WAN interface (both ADSL connections are on the same subnet but to two different ISPs), the gateway group doesn't appear. If I leave the Gateway value at its default, packets are not forwarded from the LAN clients to the internet. If I choose any of the WAN gateways, traffic is forwarded from LAN clients to the internet, but then I don't have load balancing.
Can someone help me please?
TIA
Fathi B.N.
#9
Hi,
It seems that OPNsense is sending Calling-Station-Id and Called-Station-Id only in the authentication packets and not in the accounting packets.
How can I fix this, so that it sends these two RADIUS attributes in the accounting packets as well?
TIA.
#10
19.1 Legacy Series / Benchmarking OPNsense
February 21, 2019, 10:19:50 AM
Hi,
We have set up an OPNsense (now 19.1) as a VM with captive portal and RADIUS authentication against an independent RADIUS server.
This firewall is connected to the internet via a mobile broadband router.
When it reaches ~40 simultaneous users, the server nearly hangs and stops responding for a while.
I will have to buy a new server and would like to know what hardware people are running OPNsense on and how many simultaneous users they can allow to the internet.
I am not running any proxy, nor SSL inspection, nor Suricata, ... just routing authenticated users to the internet.
TIA.
#11
Hi,
Shouldn't only the certificate field be required?
I need to trust the certificate of a Samba AD domain controller to be able to use it as an authentication server for OPNsense.
Samba enforces authentication over TLS; otherwise we get the LDAP bind error "Strong(er) authentication required".
I could solve this by allowing authentication over an insecure LDAP connection in smb.conf, but this is not an advisable solution since it will expose all user credentials over the network.
TIA
#12
General Discussion / Captive portal and RFC 7710
August 01, 2018, 11:56:03 AM
Hi,
RFC 7710 allows sending the URL of a captive portal in DHCP responses. I use a separate DNS/DHCP server and couldn't set up the CP to work. Which URL should I send in my DHCP responses to let devices discover the OPNsense captive portal?
TIA
#13
General Discussion / 2 strange behaviors
July 16, 2018, 04:16:38 PM
Hi,
I am setting up a blacklist on Squid and noticed 2 strange behaviors:
1) Lines starting with ^http(s)? get repeated several times even if I inserted them only once. To restrict access to 10.0.0.0/8, 192.168.0.0/16 and 172.12.0.0/12 I used ^https?:\/\/192.168\.([0-9]+)\.([0-9]+),^https?:\/\/172\.[16-31]\.([0-9]+)\.([0-9]+),^https?:\/\/10\.([0-9]+)\.([0-9]+)\.([0-9]+)
After several modifications to the OPNsense config, when I go back to add other domains to block, I find these lines repeated once or twice.

2) It is not possible to insert the domain googlevideo.com in the blacklist field; even if I export the config, insert this domain manually and then import it, the import fails.

Has anyone noticed similar behavior?
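An added example (mine, not from the post above or from the OPNsense Squid plugin): a small Python check that splits a comma-separated blacklist like the one quoted in the post, drops exact duplicates, flags entries that do not compile, and keeps correct patterns for the three RFC 1918 ranges beside it. The sample blacklist is constructed from the post's three patterns plus one duplicated line.

```python
import re

# Constructed sample, not a real config: the three patterns from the post plus a
# duplicate of the 192.168 line, as the poster reported seeing after re-edits.
SAMPLE_BLACKLIST = (
    r"^https?:\/\/192.168\.([0-9]+)\.([0-9]+),"
    r"^https?:\/\/172\.[16-31]\.([0-9]+)\.([0-9]+),"
    r"^https?:\/\/10\.([0-9]+)\.([0-9]+)\.([0-9]+),"
    r"^https?:\/\/192.168\.([0-9]+)\.([0-9]+)"
)

# Patterns for the three RFC 1918 ranges. In a regex, "[16-31]" is a character
# class (and 6-3 is not a valid range), not the numbers 16 to 31, so the second
# octet of 172.16.0.0/12 has to be written as an alternation over 16..31.
PRIVATE_RANGE_PATTERNS = [
    r"^https?://10\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})",
    r"^https?://172\.(1[6-9]|2[0-9]|3[01])\.(\d{1,3})\.(\d{1,3})",
    r"^https?://192\.168\.(\d{1,3})\.(\d{1,3})",
]


def check_blacklist(blacklist: str):
    """Split a comma-separated blacklist, drop exact duplicates while keeping
    order, and report each entry that fails to compile as a regular expression.
    Returns (unique_entries, {entry: error_message})."""
    seen, unique, errors = set(), [], {}
    for raw in blacklist.split(","):
        entry = raw.strip()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        unique.append(entry)
        try:
            re.compile(entry)
        except re.error as exc:
            errors[entry] = str(exc)
    return unique, errors


def matches_private_range(url: str) -> bool:
    """True if the URL addresses a host literal inside one of the three ranges."""
    return any(re.match(p, url) for p in PRIVATE_RANGE_PATTERNS)


if __name__ == "__main__":
    unique, errors = check_blacklist(SAMPLE_BLACKLIST)
    print(f"{len(unique)} unique entries, {len(errors)} failing to compile: {errors}")
    for url in ("http://10.1.2.3/", "https://172.20.5.5/", "http://172.12.0.1/"):
        print(url, matches_private_range(url))
```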
#14
Hi,
My setup:
WAN interface connected to a 4G router via an ethernet switch
LAN interface connected to another switch with several wifi access points
All user traffic comes to the OPNsense LAN interface through wifi-ap --> switch --> LAN
DHCP assignments and DNS resolution are served by another server on the LAN segment, with the OPNsense LAN address served as the default gateway for DHCP clients.
So DHCP and DNS resolution work even if the OPNsense VM is down, but no internet connection is possible, as the other server doesn't route any traffic to the internet even though it is connected to the internet independently of the OPNsense server.
Squid is set to transparent mode with the related port forwarding rule active and works well.

When I set up the captive portal on the LAN interface, all traffic to the internet is blocked but no captive portal page is shown. Tried to access OPNsense on ports 8000-8002 while CP is active, but it doesn't show any page.
Without CP, an ipfw list shows one single rule, that all traffic is allowed. When activating CP, ipfw list shows a lot of new rules.

Can someone help me please?
TIA
#15
Hi,
I have a particular setup where OPNsense would be put on trains to filter and shape internet traffic.
What I am trying to set up is a captive portal with self-registration by SMS: the user is prompted to enter his phone number and, upon receiving his password, he can connect with his phone number as username and the randomly generated password sent by SMS.
Also, this authentication system should be centralized, meaning that when a user registers on board train A, leaves it and rides train B, he doesn't have to re-register and should be able to log in with the credentials created on train A.

I am thinking of a centralised auth system, like a central RADIUS server, but would also like to minimize traffic between each embedded OPNsense and the central auth server (no accounting for now).

Does anyone have a similar setup? How did you solve these issues?

TIA
Fathi Ben Nasr