Topics - moe

#1
Hi,
I am currently trying to use the ACME client from OPNsense, which depends on acme.sh, to issue certificates from my own PKI.
On my other Linux systems this works great, but I have some issues with OPNsense.

The challenge seems to be the issue.
Normally I use http-01 as the challenge type.

If I choose this setting -> it won't work.

Can anybody explain what "automatic port forward" is generated when I use this setting?

The web interface of my OPNsense is running on a different port (not 443).

Thanks for your help!
Kind regards
#2
Hi!
I have been searching for a while to find the issue in my home network that is limiting the throughput.
But now it's clear. It's Suricata.

My setup is a SuperMicro board with a C2750.
If I enable Suricata with IPS I can only get 100 Mbit throughput, but if I disable it, I am near 1 Gig (around 780 Mbit).

So what can I do to optimize the throughput?

My current setup looks like this:

[X] Disable hardware checksum offload
[X] Disable hardware TCP segmentation offload
[X] Disable hardware large receive offload

Disable VLAN Hardware Filtering.

I have only one interface for my local network with 10 VLANs.

IPS settings:

Interfaces: LAN, WAN (those are my physical interfaces)
Pattern matcher: Hyperscan
Promiscuous mode: "not checked"
Home networks: LAN addresses, WAN address

Thanks for your help!
Kind regards

#3
25.1, 25.4 Legacy Series / NET-SNMP not working any more
February 15, 2025, 03:02:45 PM
Hi,
I have upgraded to the latest version of OPNsense, but now the NET-SNMP service won't start any more.
If I try to start it manually through the CLI I receive the same error as shown in the logs.

Starting snmpd.
/usr/local/etc/rc.d/snmpd: WARNING: failed to start snmpd

Any ideas about that?
#4
German - Deutsch / OpnSense 23.1_6 homeassistant error
February 02, 2023, 09:15:26 PM
Hello,
I patched my OPNsense today and found that since the update to 23.1_6 the plugin for Home Assistant causes a regular crash.

Attached is the log excerpt:
#0 /usr/local/etc/inc/xmlrpc/hass.inc(12): eval()
#1 /usr/local/opnsense/contrib/IXR/IXR_Library.php(446): exec_php_xmlrpc('\nini_set('displ...')
#2 /usr/local/opnsense/contrib/IXR/IXR_Library.php(384): IXR_Server->call('opnsense.exec_p...', '\nini_set('displ...')
#3 /usr/local/opnsense/contrib/IXR/IXR_Library.php(357): IXR_Server->serve('__construct(Array)
#5 /usr/local/www/xmlrpc.php(104): XMLRPCServer->start()
#6 {main}
  thrown in /usr/local/etc/inc/xmlrpc/hass.inc(12) : eval()'d code on line 8
[02-Feb-2023 18:51:33 Europe/Vienna] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /usr/local/etc/inc/xmlrpc/hass.inc(12) : eval()'d code:8

Thanks for the help!
#5
Hi,
I am currently trying to establish another layer of security with web proxy filtering.
But on my OPNsense installation I have different use cases for which sites are allowed or not.

Especially, my Linux servers should get access to *.debian.org, and the Windows server should get access to *.microsoft.com.

But I didn't find any way to make rules per host, subnet or interface.

Can anybody give me some short advice on how to realize that use case?

I don't want to have an outbound "any" connection from my servers... they should only receive their repos. And as a benefit I could enable the caching functionality.

Thanks for your help!
#6
22.7 Legacy Series / Dynamic DNS-Alias (e.g. github.com)
November 17, 2022, 03:12:15 PM
Hi,
I have a few hosts for development and I want to isolate them from the whole internet, allowing only GitHub.
So can you tell me, is there any way, like on Checkpoint or Palo or some other kinds of firewalls, to place a firewall rule where the destination is an object called *.github?

And in the background it makes a reverse lookup for the DNS entries and puts them in the alias list?

Thanks for feedback.
Kind regards
#7
General Discussion / (Request) Backup to CIFS/NFS
March 09, 2022, 08:23:59 AM
Hi,
is there any background on why the backup types CIFS and NFS are not available?
I would really like to have my OPNsense config on-prem, because if my appliance fails, I would not be able to get the backup from Google.

Thanks for feedback.
#8
Hi,
I have made a setup with a reverse proxy based on nginx and not on HAProxy because I want to use the naxsi features.
But what happens now is that the bot protection bans every smartphone client with davx running.
As seen in the davx log, it uses okhttp for the sync, and as far as I know nginx detects this as a bot.

So is there any way to make an exception for okhttp or, better, for the client subnet?

Thanks for your answer.

Kind regards
#9
Hello,
I would like to protect my Nextcloud instance with an additional HAProxy. Now I would be interested to know whether this is also possible in combination with IPS and, if so, how HAProxy has to be configured for that?

The idea in short would be that the firewall (HAProxy) breaks open the TLS connection, passes it through Suricata and then forwards it towards the Nextcloud instance.
Is that feasible, or does one have to terminate TLS at HAProxy and go into the DMZ unencrypted to let Suricata do its work?

Thanks for your feedback.

Regards
#10
22.1 Legacy Series / Backup on NFS-Storage
February 17, 2022, 11:26:25 AM
Hi there,
I am completely rebuilding my OPNsense setup and am struggling a little bit with the backup strategy.
Currently my OPNsense is running on Proxmox and I back up the full VM with Proxmox every day. So currently no config backups are needed.

With my new hardware I had problems getting the full throughput through OPNsense, so I decided to install OPNsense natively.

For all my backups (VMs, containers, ...) I have an NFS NAS; is there any way to back up the configuration for disaster recovery to this NAS?
I only found ways to do this with Nextcloud or Google. But that's not my preferred way if I have no internet access.

Thanks for help!
#11
Hi there,
I am currently trying to set up IPS with OPNsense. I followed the description from the wiki.
As described, I had to assign the IPS to the master port, because I use multiple VLANs on one port.
But if I do that, OPNsense is not available any more. Every connection gets lost.

I followed the instructions from the wiki to disable HW offload and so on. But no way to get that working.
If I select the VLAN interfaces instead of the master interface it works, I see some drops and information, but what is now the right way?

PPPoE session still not working, or?

Thanks for help.
#12
German - Deutsch / OPNsense connection to LDAPS
July 25, 2020, 09:54:15 AM
Hello folks,
I have been trying for a few days to connect my OPNsense to a Microsoft AD. Preferably the connection should of course work over LDAPS.

The MS AD has a two-tier PKI behind it. The root CA is in the trust store of OPNsense. Nevertheless the connection via LDAPS does not work. I always get the message:

opnsense: Could not startTLS on ldap connection [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate),Connect error]

No matter whether StartTLS or SSL is used.

Thanks for the help.

Regards
#13
Hi there,
I am currently trying to set up Suricata on my OPNsense 20.1.3. But it does not work as expected. If I change the interface in Intrusion Detection -> Configuration to my physical one, as noted in the howto, the system freezes.
First I thought this had to do with my underlying system (Proxmox) because I selected virtio as the Ethernet adapter.
I found a thread with the info that it's better to use e1000 instead of virtio.

But unfortunately it's not working and the interfaces (VLANs) are still freezing.

Thanks for advice.