Messages - baqwas

#31
General Discussion / Firewall NAT Port Forward Help
January 05, 2021, 05:03:01 AM
Hello,

I have reviewed the documentation at https://docs.opnsense.org/manual/nat.html for the most basic port forwarding exercise (i.e. traffic to an internal mail server) as follows:

Firewall: NAT: Port Forward
Edit Redirect entry
Disabled unchecked
No RDR (NOT) unchecked
Interface WAN
TCP/IP Version IPv4
Protocol TCP
Source any
Source port range from any to any
Destination / Invert unchecked
Destination Single host or Network
74.6.235.14 30
Destination port range
from: IMAP/S to: IMAP/S
Redirect target IP Single host or Network
192.168.1.3
Redirect target port IMAP/S
Pool Options: Default
Log unchecked
Description My description
Set local tag <blank>
Match local tag <blank>
No XMLRPC Sync unchecked
NAT reflection Use system default
Filter rule association None


Unfortunately, recognized external mail servers (viz. Gmail, Hotmail, Yahoo, etc.) are unable to communicate with my mail server for this purpose. Live View of the filtered log provides the originating IP addresses of the traffic that was passed to the internal mail server (and a WhoIs lookup confirmed my presumption about the Hotmail server).

My mail server is working fine in the intranet and also, FWIW, can SMTP directly via the WAN interface.

What is my mistake, please? Thanks.

Kind regards.
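The two things a practitioner would check in the rule quoted above are (a) which address the Destination field is matched against and (b) what "Filter rule association: None" leaves undone. In pf, which OPNsense uses, the rdr (port forward) rule is evaluated first and rewrites the packet's destination to the redirect target; the WAN filter rules are then evaluated against that translated packet, and the default policy blocks anything no pass rule matches. The Destination of an inbound port forward is the address the outside world connects to (normally the firewall's WAN address), not the remote sender. The following toy model, added here as an example and not OPNsense's or the poster's code, shows the three outcomes. The firewall WAN address 203.0.113.10, the remote sender 198.51.100.25 and the assumption that 74.6.235.14/30 is not the firewall's own address are all constructed for the example; the page does not state what the poster's WAN address is.

```python
"""Toy model of how pf (and therefore OPNsense) handles an inbound port forward:
the rdr (NAT) rule is evaluated first and rewrites the destination, then the
filter rules are evaluated against the *translated* packet, with default deny.
Addresses come from the documentation ranges and are assumptions, not the
poster's network."""
import ipaddress
from dataclasses import dataclass

IMAPS = 993  # the "IMAP/S" port alias used in the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class RdrRule:
    """Fields as on Firewall: NAT: Port Forward."""
    dst_net: str               # "Destination": the address the outside world connects to
    dport: int                 # "Destination port range"
    target: str                # "Redirect target IP"
    target_port: int           # "Redirect target port"
    src_net: str = "0.0.0.0/0" # "Source": any
    proto: str = "tcp"


@dataclass(frozen=True)
class PassRule:
    """A WAN pass rule; it is matched against the packet after translation."""
    dst_net: str
    dport: int
    src_net: str = "0.0.0.0/0"
    proto: str = "tcp"


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_rdr(pkt, rules):
    """First matching rdr rule rewrites destination address and port."""
    for r in rules:
        if (pkt.proto == r.proto and pkt.dport == r.dport
                and _in_net(pkt.src, r.src_net) and _in_net(pkt.dst, r.dst_net)):
            return Packet(pkt.src, r.target, r.target_port, pkt.proto), True
    return pkt, False


def filter_passes(pkt, rules) -> bool:
    """Default deny: the packet passes only if some pass rule matches it."""
    return any(pkt.proto == p.proto and pkt.dport == p.dport
               and _in_net(pkt.src, p.src_net) and _in_net(pkt.dst, p.dst_net)
               for p in rules)


def inbound_wan(pkt, rdr_rules, pass_rules) -> str:
    """What happens to a packet arriving on WAN: 'no-rdr', 'block' or 'pass'."""
    translated, matched = apply_rdr(pkt, rdr_rules)
    if not matched:
        return "no-rdr"   # packet is for the firewall's own WAN address; nothing answers on 993
    return "pass" if filter_passes(translated, pass_rules) else "block"


# Assumed WAN address of the firewall and a remote mail server (documentation ranges).
WAN_ADDR = "203.0.113.10"
REMOTE_MAIL = "198.51.100.25"
MAIL_SERVER = "192.168.1.3"   # redirect target from the post


def scenario_destination_other_network() -> str:
    """Destination is 74.6.235.14/30 as on the page, assumed here not to be the WAN address."""
    rule = RdrRule("74.6.235.14/30", IMAPS, MAIL_SERVER, IMAPS)
    return inbound_wan(Packet(REMOTE_MAIL, WAN_ADDR, IMAPS), [rule], [])


def scenario_no_filter_association() -> str:
    """Destination is the WAN address, but 'Filter rule association: None': no pass rule exists."""
    rule = RdrRule(WAN_ADDR, IMAPS, MAIL_SERVER, IMAPS)
    return inbound_wan(Packet(REMOTE_MAIL, WAN_ADDR, IMAPS), [rule], [])


def scenario_with_pass_rule() -> str:
    """Same rdr rule plus the pass rule an associated filter rule (or a manual WAN rule) provides."""
    rule = RdrRule(WAN_ADDR, IMAPS, MAIL_SERVER, IMAPS)
    allow = PassRule(MAIL_SERVER, IMAPS)   # matches the translated destination, not the WAN address
    return inbound_wan(Packet(REMOTE_MAIL, WAN_ADDR, IMAPS), [rule], [allow])


if __name__ == "__main__":
    for fn in (scenario_destination_other_network, scenario_no_filter_association, scenario_with_pass_rule):
        print(f"{fn.__name__}: {fn()}")
```

The pass rule in the last scenario is written against 192.168.1.3 port 993, because that is what the filter stage sees after translation; a WAN rule allowing traffic to the WAN address on 993 would not match. Choosing "Add associated filter rule" (or "Pass") on the port forward creates that rule for you; with "None" you add it yourself under Firewall: Rules: WAN.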
#32
20.7 Legacy Series / Re: GeoIP Rules Question
August 11, 2020, 03:36:54 PM
@Julien, very interesting question from my perspective. I am just one grain of sand on the beach, but allow me to share my GeoIP experience.

There are the Shodans, Computer Science 101 students and, of course, the professionals. Scanning, as opposed to persistent efforts to log on using expired accounts, is routine. What surprised me is that the attempts to use long-expired accounts are geographically spread (including Oceanic countries). There must be an international trade in expired accounts - scavengers of the Internet world. For my SOHO operation, my whack-a-mole approach is not efficient unless I want to do forensics (not my cup of tea). So reluctantly I have had to resort to using regions except for NA, and I've had to become very, very selective with Europe.

The reason I'm mentioning all this is that OPNsense with GeoIP gives me peace of mind. This is something that my mail server (in its current version) does not perform for some lazy reason since it pays lip service to GeoIP - looks up country for individual IP addresses via GeoIP but cannot block by country/regions.

Kind regards.



#33
General Discussion / Re: Google Drive Backup
August 10, 2020, 02:36:09 PM
@hitechhillbilly,

FWIW, I too ran into the same type of issue and message with Google and Nextcloud. Since I've dabbled with Google app authentication slightly in other custom apps and use Nextcloud routinely in the farm, in my case I feel that my settings are not aligned with the requirements for OPNsense Backup.

As a primitive measure, given my limited exposure to OPNsense admin work, I simply use the fail-safe Download method on a weekly basis.

Kind regards.
#34
General Discussion / Re: Nagios NRPE Plugins List
August 05, 2020, 04:14:16 AM
OK @mimugmail, I can do that. I have run community supplied plugins under FBSD but, of course, I haven't tried these under HBSD. Thanks.

Kind regards.
#35
My limited knowledge tells me that one can reserve IP addresses through full (not partial/prefix) MAC addresses. I am not competent enough to participate in any VLAN discussion but each DHCP server must always have non-overlapping address pools.

Kind regards.
#36
I installed GeoIP for the first time under 20.7. As a newbie, I was rather pleased that it worked once I used the right URL.

It is nice not to receive alerts from the mail server that some unsolicited logon attempt was being made from an external address.

Kind regards.
#37
I had to reboot 20.7 twice and in both occasions, as others have reported, I had to manually start syslog-ng. At least I can start this service unlike snmpd which refuses to start at all.

Kind regards.
#38
Hello @lar.hed,

I have about 500+ IP addresses. I can see the option for URL table from external sources. I was wondering if there is such an option for a local table that I can update on my own. OPNsense would of course refresh per the schedule set by the admin. Thanks.

Kind regards.
#39
OK. Thx.

Not LDAP & didn't use uuid (via Nextcloud issued OAuth) until the three Nextcloud account usernames failed to work. I'll keep on tinkering to see where I entered incorrect data. Obviously some disconnect at my end.

Kind regards.
#40
General Discussion / Nagios NRPE Plugins List
August 01, 2020, 09:54:00 PM
Hello,

I noticed that 20.7 continues support for NRPE. Is there some documentation on the Plugins installed to support this service?

While OPNsense has extensive self-monitoring capabilities, it would be nice to leverage monitoring of OPNsense into one's Nagios deployment. The configuration page in OPNsense for NRPE emulates the basic command fields (as in nrpe.cfg) but it would be desirable to know which plugins are implemented (and the folder reference for the corresponding executables).

Is there any documentation on the list of installed plugins? Thanks.

Kind regards.
#41
As @crc32 points out, Pi-hole is great for blocking ads (especially for those with limited infrastructure configuration skills). I have used Pi-hole for two years. I am using OPNsense for two months.

As an RPi fanatic I am reluctant to dispose of Pi-hole for now until I am comfortable with OPNsense. The Pi-hole, owing to its light load for the primary mission, serves as a secondary replication server for MariaDB rather well (i.e. imperceptible latency). The DHCP features of the Pi-hole server leave a lot to be desired. The development team is doing a good job by incrementally refining DNS features (e.g. CNAME support in the latest release). I haven't done any blocklist management with OPNsense, but Pi-hole's functionality is zero maintenance unless one is adding custom lists.

Owing to my self-inflicted challenges with learning OPNsense, I keep Pi-hole operational, but sincerely all that eye candy is superfluous since we all have to look at logs anyway to have a feel for the state of affairs.

Looking forward to the day when I can state that I have completed OPNsense Boot Camp for Dummies.  ;D

Kind regards.
#42
Hello,

I would like to block all unsolicited inbound traffic from a set of IP addresses. Ideally, I could use GeoIP but owing to my learning challenges (or rather handicap), I would like to use the Firewall: Alias approach first in case I do more inadvertent damage to my setup.

I need help with the Edit Alias page, please.

For the field Type, I selected URL Table (IPs).
For the field Content, presumably I should be able to specify a tabulated custom list? On the preceding page, under the Aliases tab, unfortunately I cannot create any entry because when I click the "+" button (on the bottom right), the detail pane is "locked" into displaying Loading... for an extended period of time. After a while, the Edit Alias page appears and I am stuck with no personal choice in the Content field.

What is my mistake, please? How can I define an alias for a collection of IP addresses (that I would like to block)? Thanks.

Kind regards.
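Posts #38 and #42 both ask how to feed a self-maintained list of 500+ addresses into a firewall alias. A URL Table (IPs) alias fetches a plain-text list, one address or CIDR per line, from a URL on the refresh schedule, so a local list can be used by serving the file from any web server the firewall can reach (the Network(s) alias type also accepts a list of entries pasted by hand). Before publishing such a file it is worth validating it, collapsing adjacent entries into CIDRs, and making sure nothing in it overlaps your own networks, since a block rule built on the alias will apply to whatever is in the file. The script below is an added example, not OPNsense's code; the sample list, the protected LAN 192.168.1.0/24 (the poster's mail server is 192.168.1.3 in post #31) and the output file name are constructed for the example.

```python
"""Normalize a hand-maintained blocklist into the plain-text, one-entry-per-line
form an OPNsense URL Table (IPs) alias fetches.  The sample list, the protected
network and the output path are constructed for this example."""
import ipaddress

SAMPLE_LIST = """\
# constructed sample: blank lines and '#' comments are allowed
198.51.100.1
198.51.100.2
198.51.100.3
198.51.100.0
203.0.113.0/25
203.0.113.128/25
203.0.113.5          # already inside the /25 above
2001:db8::/32
not-an-address
300.1.1.1            # invalid octet
192.168.1.3          # a LAN host: would block your own mail server if left in
"""


def parse_entries(text: str):
    """Split the text into IPv4 networks, IPv6 networks and rejected (lineno, entry) pairs."""
    v4, v6, rejected = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)   # a bare host becomes a /32 or /128
        except ValueError:
            rejected.append((lineno, entry))
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, rejected


def normalize_blocklist(text: str, protect=("192.168.1.0/24",)):
    """Return (entries, rejected, dropped): collapsed CIDR strings, unparsable lines,
    and entries overlapping a protected network, which an inbound block list must never contain."""
    v4, v6, rejected = parse_entries(text)
    protected = [ipaddress.ip_network(p) for p in protect]
    keep, dropped = [], []
    for net in v4 + v6:
        if any(net.version == p.version and net.overlaps(p) for p in protected):
            dropped.append(str(net))
        else:
            keep.append(net)
    # collapse_addresses() only accepts one IP version per call, so collapse each family separately.
    collapsed = list(ipaddress.collapse_addresses([n for n in keep if n.version == 4]))
    collapsed += list(ipaddress.collapse_addresses([n for n in keep if n.version == 6]))
    return [str(n) for n in collapsed], rejected, dropped


def write_table(path: str, entries) -> int:
    """Write the list in the one-entry-per-line form the alias expects; returns the entry count."""
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)


if __name__ == "__main__":
    entries, rejected, dropped = normalize_blocklist(SAMPLE_LIST)
    for lineno, entry in rejected:
        print(f"line {lineno}: rejected {entry!r}")
    for entry in dropped:
        print(f"dropped {entry}: overlaps a protected network")
    count = write_table("blocklist.txt", entries)   # assumed output file name
    print(f"wrote {count} entries: {entries}")
```

Point the alias at the URL where blocklist.txt is served and set the refresh frequency on the alias; the collapse step matters because 500 individual hosts that happen to be contiguous become a handful of CIDRs, and the overlap check is what stops a copy-and-paste mistake from blocking your own LAN.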
#43
Thx, @Fabian.

The error message on the page is:

The following input errors were detected:

    Saved settings, but remote backup failed.


There are two (I think :) entries related to the attempt to set up the backup to Nextcloud:

  • Settings in JSON format

  • "Cannot get real username"

In my ignorance, I used an active Nextcloud username at the first attempt and then, after some reading, used an OAuth id generated by Nextcloud for access by apps. Both attempts resulted in the same status message. In response to the prompt for the username field, "The name you use for logging into your Nextcloud account", I did confirm that I can log on to Nextcloud using this username and that the specified folder exists in the Nextcloud instance under that user's home folder. Obviously, this is some user authentication issue owing to my inability to understand the backup credential requirement, since not a single Nextcloud username (even one with elevated privileges) seems to work for this setup.

I am presently on OPNsense 20.7 and Nextcloud 19.0.1. How can I meet the requirement for username to backup the configuration, please? Thanks.

Kind regards.
#44
Hello!

At System --> Configuration --> Backups, Download and Restore are working for me but the others fail after saving the settings.

Google Drive, Mailer and Nextcloud didn't work. For Mailer, I used telnet to confirm that the LAN connectivity to the SMTP server is open (incidentally, the receiving mail server is the same instance and is working with other mail traffic). For Nextcloud, I used the same credentials to log on to the Nextcloud server and to confirm that the Directory Name folder exists under the home folder. Don't know how to check Google Drive independently (but that can come later).  :)

The important one for me right now is backup to Nextcloud. What else can I check (or set) to enable this functionality, please? Thanks.

Kind regards.
#45
Hello @meazzi,

You need TWO Pi-hole servers? High-availability because even alert notifications would be too slow for your LAN?

You're going for a router-behind-router plan for your IoT? You would need to dedicate a 192.168.4.x static address for the second "router" and configure your IoT sub-net to use it as the external gateway.

Kind regards.