Topics - alsoeric

#1
I enabled mmonit on opnsense to do some basic monitoring to make sure various virtual and physical machines are alive on the network. I now need to monitor things like making sure backup runs every 24 hours, and license daemons are alive. It looks like I need to install instances of monitor systems where I monitor local events.

My question is can I/should I use the opnsense instance of mmonit as the central monitoring system or create a second one for the central node for everything on the internal network?
#2
I'm trying to monitor my network from inside the firewall, onto my local network, and out to the Internet. The immediate need is to determine why SSH connections break and why connections to streaming services "stall" (streaming, aqua speech recognition, video conferencing).

Monit is a possibility but I don't want to send alerts to an email address. In this case, I don't want immediate alerts. I'll review the data as needed. If I need immediate alerts, I prefer sending alerts to my phone, for example, NTFY.

Functionally, I like Smoke Ping because I'm familiar with it and like the way it presents the data. There is a related package called Vaping which presents ping data the same way as smokeping.

Are there any other alternatives that I should be aware of?
#3
I have a situation where it would be nice if the user could view the traffic webpage in opnsense. Other than making him an admin and letting him log into the firewall web interface, what's a better solution?
#4
Continuation of https://forum.opnsense.org/index.php?topic=37435.msg183770#msg183770 I'm starting a new message thread since it has been 3 months since I was able to look into LDAP and opnsense has moved to a whole new version. 

The TL;DR is System: Access: Tester tells me: Authentication failed and User DN not found. If you look at the message history, you'll see that kind people helped me figure out some of the problems, and the last problem was the extended query expression. I need the log where opnsense logs what it looks for in LDAP.

The extended query I've worked out is: &(memberOf=memberOf=cn=vpn_users,ou=Users,o=no-see-me,dc=jumpcloud,dc=com)
The attached image shows what I get using the extended query string in vscode's ldap browser. To my naive eye, it looks correct. However, the tester still says:
Quote
The following input errors were detected:

    Authentication failed.
    error: User DN not found

One of my assumptions is that I don't have to explicitly import users as they are just using openVPN. Of course, the openVPN LDAP connection opens up another set of issues, such as how to create the openVPN package for the user who's only active in LDAP.

Thanks in advance.
#5
23.7 Legacy Series / LDAP set up problems
December 08, 2023, 02:26:58 AM
[edited to clear up my poorly worded description of testing]

My goal is to create an opnsense user account and generate openVPN credentials from LDAP. Our LDAP service is provided by jumpcloud. I followed the instructions (https://docs.opnsense.org/manual/how-tos/user-ldap.html) to connect to the LDAP server. It appears that everything is set up correctly, but the test interface (System >> Access >> Tester) says my authentication credentials are wrong. However, it does not indicate if the wrong credentials are for the ldap connection or the username/password I've entered. I ran an ldapsearch on opnsense and it returned the expected results.

command:
ldapsearch -H ldaps://ldap.jumpcloud.com:636 -x -b "o=$ORG_ID,dc=jumpcloud,dc=com" -D "uid=$BINDING_USER,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

result (filtered):
dn: uid=xxx,ou=Users,o=yyyy,dc=jumpcloud,dc=com
homeDirectory: /home/xxx
cn: xxx xxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uidNumber: 5002
gidNumber: 5002
sn: xxxxxx
initials: z
displayName: xxxx xxxxxx
uid: xxxx
loginShell: /bin/bash
mail: xxxx@example.com
givenName: xxxx
memberOf: cn=vpn_users,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com
memberOf: cn=ldap_users,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com

AFAIK, the LDAP info is correct. When I run the opnsense Tester with the given uid, it gives me the authentication credentials error.

I don't know where the logs are for LDAP so I have not been able to check to see what the system thinks it's doing. A pointer to where the log files are would be much appreciated.
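An added example for the two LDAP posts above (#4 and #5); it is not code from the posts or from OPNsense. It is a small Python evaluator for LDAP search filters in RFC 4515 syntax, run against LDIF modelled on the ldapsearch output quoted above, so a group-membership filter such as (&(uid=xxx)(memberOf=cn=vpn_users,ou=Users,o=yyyy,dc=jumpcloud,dc=com)) can be checked offline before it is used as an extended query. The LDIF sample, the `search` helper and the way the login uid is combined with the group term are my assumptions, and value matching is exact and case-sensitive, which a real directory server is not.

```python
import re
# Constructed LDIF modelled on the ldapsearch output quoted in the post (redacted values kept).
LDIF = """\
dn: uid=xxx,ou=Users,o=yyyy,dc=jumpcloud,dc=com
uid: xxx
memberOf: cn=vpn_users,ou=Users,o=yyyy,dc=jumpcloud,dc=com
memberOf: cn=ldap_users,ou=Users,o=yyyy,dc=jumpcloud,dc=com

dn: uid=guest,ou=Users,o=yyyy,dc=jumpcloud,dc=com
uid: guest
memberOf: cn=ldap_users,ou=Users,o=yyyy,dc=jumpcloud,dc=com
"""

def parse_ldif(text):
    """Yield entries, each a dict of lower-cased attribute -> list of values."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        yield entry

def parse_filter(s):
    """Parse the RFC 4515 subset (attr=value), (&...), (|...): every level needs its own parentheses."""
    def node(i):
        if s[i] != "(":  # an IndexError on a truncated filter is also a parse failure
            raise ValueError(f"expected '(' at offset {i} of {s!r}")
        if s[i + 1] in "&|":
            op, kids, i = s[i + 1], [], i + 2
            while s[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, _, value = s[i + 1:j].partition("=")  # split on the first '=' so a DN value keeps its own '='
        return ("=", attr.lower(), value), j + 1
    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing characters after the filter")
    return tree

def matches(entry, tree):
    """Evaluate a parsed filter against one entry (exact, case-sensitive values; no substring matching)."""
    if tree[0] == "=":
        values = entry.get(tree[1], [])
        return bool(values) if tree[2] == "*" else tree[2] in values
    return (all if tree[0] == "&" else any)(matches(entry, k) for k in tree[1])

def search(ldif_text, filter_str):
    """Return the uid of every entry the filter matches; raises on a malformed filter."""
    tree = parse_filter(filter_str)
    return [e["uid"][0] for e in parse_ldif(ldif_text) if matches(e, tree)]
```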
#6
23.7 Legacy Series / trying to work through VLAN set up.
September 21, 2023, 09:49:34 PM
It looks like I have a VLAN configured, but I don't have the right firewall rules to make it work. There was a help file on the opnsense wiki, but it seems to have vanished after the latest site rework.

What I want should be a relatively simple set of rules but I'm missing some knowledge that keeps me from doing it alone.

  • VLAN shares LAN interface for inbound/outbound traffic
  • switch has a trunk for redirecting VLAN traffic to ports
  • no need for DHCP/DNS service. Will use external DNS servers for machines on the DMZ

Rules I think I need:

  • Permitting LAN to VLAN
  • Permitting VLAN use of the LAN interface?
  • barring VLAN access to LAN
  • VLAN access to the Internet via NAT
  • Internet access is VLAN via pinholes in the NAT

What I have tried:

  • pinging the VLAN machine and looking for the ICMP packet with tcpdump (nothing visible)
  • replicating rules that look appropriate from the LAN interface to try and open a connection.
  • added rule with DMZ net as the source and asterisks for all the other fields
Since I am not firewall rule fluent at this level, it's not clear how to handle routing through VLAN by the LAN interface. Thanks in advance for any help.
#7
23.1 Legacy Series / checkmk agent
May 05, 2023, 03:58:20 AM
Is there an "official" way to use checkmk on opnsense? I've found one solution (https://fingerlessgloves.me/2022/04/09/opnsense-checkmk-agent/) but I'd rather use a supported solution if one exists.

Thanks!
#8
Why see what change in the firewall rules. I had a fumble fingers moment thinking I was typing in a text field but instead I was typing with focus on the firewall rules. Screen flashed, I got the message that the firewall rules have changed but I have no idea what changed and in what rule.

How do I figure out what changed?

There really needs to be a "discard changes" option. :(
#9
This has happened twice in the past month. Log files in /var/log/filter grow and take over the entire disk.

Questions:
1) what subsystem is creating the log entries (shown below) in such volume? Is this a bug or a mistake I made?
2) what tool in opnsense cleans up log files and why didn't it detect the growth of these files and remove them before they overflowed the file system?

<134>1 2022-09-27T14:30:07+00:00 fw.xx.com filterlog 97605 - [meta sequenceId="70307"] 149,,,4323e97f6be45a912e1dde65bee932a7,igb1,match,pass,in,4,0x0,,128,52704,0,DF,6,tcp,972,192.168.3.60,18.210.236.123,53138,443,932,PA,475949628:475950560,3790384092,1025,,
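An added example, not from the post or from OPNsense: a small Python parser for lines like the one above. It separates the RFC 5424 syslog header from the comma-separated filterlog body, names the body fields using the pf filterlog layout as I read it (the field names are my assumption, not something the post states), and counts lines per rule so the rule behind a log flood can be identified. The sample lines are constructed; the first is the line quoted above, the other two are made up in the same format.

```python
import re
from collections import Counter

# Constructed sample: the line quoted in the post plus two made-up lines in the same format.
SAMPLE_LOG = """\
<134>1 2022-09-27T14:30:07+00:00 fw.xx.com filterlog 97605 - [meta sequenceId="70307"] 149,,,4323e97f6be45a912e1dde65bee932a7,igb1,match,pass,in,4,0x0,,128,52704,0,DF,6,tcp,972,192.168.3.60,18.210.236.123,53138,443,932,PA,475949628:475950560,3790384092,1025,,
<134>1 2022-09-27T14:30:08+00:00 fw.xx.com filterlog 97605 - [meta sequenceId="70308"] 149,,,4323e97f6be45a912e1dde65bee932a7,igb1,match,pass,in,4,0x0,,128,52705,0,DF,6,tcp,52,192.168.3.60,18.210.236.123,53138,443,0,A,475950560:475950560,3790384092,1025,,
<134>1 2022-09-27T14:30:09+00:00 fw.xx.com filterlog 97605 - [meta sequenceId="70309"] 7,,,02f4bab031b57d1e30553ce08e0ec131,igb0,match,block,in,4,0x0,,64,1,0,none,17,udp,60,10.0.0.9,192.168.3.1,5353,53,40
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) (?P<msg>.*)$"
)

# Field names for the comma-separated body, as I read the pf filterlog layout (assumption, not from the post).
COMMON = ["rulenr", "subrulenr", "anchor", "rid", "interface", "reason", "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "protoname", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]


def parse_filterlog_line(line):
    """Return named fields for one filterlog syslog line, or None if the line is from another program."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("app") != "filterlog":
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity; 134 is local0.info
    rec = {"timestamp": m.group("ts"), "facility": pri // 8, "severity": pri % 8}
    parts = m.group("msg").split(",")
    rec.update(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    if rec.get("ipversion") != "4":
        return rec  # IPv6 bodies use a different layout; only the common fields are named here
    rec.update(zip(IPV4, rest))
    rest = rest[len(IPV4):]
    rec.update(zip({"tcp": TCP, "udp": UDP}.get(rec.get("protoname"), []), rest))
    return rec


def top_rules(lines, n=5):
    """Count lines per (rule number, rule id, action, interface) to find the rule behind a log flood."""
    counts = Counter()
    for rec in map(parse_filterlog_line, lines):
        if rec:
            counts[(rec["rulenr"], rec["rid"], rec["action"], rec["interface"])] += 1
    return counts.most_common(n)
```

Run `top_rules(open("/var/log/filter/latest.log").readlines())` style over a real file to see which rule number and rule id dominate; the rule id can then be matched against the rule's label in the firewall rule list.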
#10
I set up a test network on a second interface on my firewall. I'm looking at using a package like UCS (https://www.univention.com/) or FreeIPA in this network for providing authentication across multiple servers. And usually these packages require running their own DNS/DHCP servers and what I need is to direct DNS queries for the test domain to the test domain's DNS server and not try to resolve it on the firewall.

For example, the test domain is hidden.opnsense.org. There is a variety of DNS systems I've used that will see the hidden.opnsense.org top part of the domain and then relay DNS queries to the name server associated with hidden.opnsense.org. However, DNS queries for forum.opnsense.org go to the name servers for opnsense.org.

I've been through the Unbound DNS interface but not finding anything. What am I missing?

Thanks in advance
#11
I've been able to make the FTP reverse proxy work for passive mode. The default settings for Filezilla work fine. If I force active mode, then I can't list the directory. something is keeping the Filezilla log below. I also attached screen shots for the NAT and Rules added for the proxy.

Status:   Disconnected from server
Status:   Connecting to xxxx:21...
Status:   Connection established, waiting for welcome message...
Status:   Plain FTP is insecure. Please switch to FTP over TLS.
Status:   Logged in
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/"
Command:   TYPE I
Response:   200 Switching to Binary mode.
Command:   PORT 192,168,21,104,82,59
Response:   200 PORT command successful. Consider using PASV.
Command:   LIST
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing
Status:   Disconnected from server
Status:   Connecting to xxxx:21...
Status:   Connection established, waiting for welcome message...
Status:   Plain FTP is insecure. Please switch to FTP over TLS.
Status:   Logged in
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/"
Command:   TYPE I
Response:   200 Switching to Binary mode.
Command:   PORT 192,168,21,104,82,72
Response:   200 PORT command successful. Consider using PASV.
Command:   LIST
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing

Proxy log shows many entries
2020-11-25T16:41:31   ftp-proxy[84028]   #290 client reset connection