Messages

The only thing that I was able to find related to this error referred to SSL/TLS and not using a username/password with SSL/TLS.  But I'm no expert here so hopefully someone with actual knowledge pipes in.

Hello all,

anyone have a good updated guide on how to configure a VPN services (in my case AirVPN) with OPNsense?  I tried something like this when I was on pfSense/PIA but I made a hash of it since the UI had been updated but the guide had not been.

Thank you in advance

I can say that when I turned off UPnP a number of things stopped working.  Once I turned it on they started working again.  Now nothing ever shows up under status no matter how many UPnP connections I make.

I could be mistaken since I'm new around here but I don't believe so.  You would need something like Meraki, Sophos or Palo Alto, but then you would need to use their hardware at all your endpoints. 

I ran into a double NAT issue a while ago but that's not my issue.  I haven't had a chance to do some testing on this but for now it's working.  I did move off of PIA and onto AirVPN and so far it doesn't seem to mess around with my network like PIA would sometimes do.

I've seen this error a few times myself (not with OPNsense mind you).  I don't know if there are other causes but here is what I ran into in case it helps.

1.  Bad USB stick.  They are not all alike and some work better than others.  Whenever I am going to boot off a usb i stick to the SanDisk Ultra Fit and the Lexar Jumpdrive S45.  SanDisk is an old standby but the Lexar is faster.  I've installed everything on these without an issue.

2.  What did you use to create the USB boot drive?  I've found that some applications work well with certain images (and even certain versions of the same image) then others.  Try a different applixcation.

3.  Take a gander at this thread:  https://forum.opnsense.org/index.php?topic=4526.0

I'm going to buy you guys a beer or two.  Did as you recommended, I only put in that many DNS servers since I thought it would query them all and select the fastest one.  I have the Gateway being monitored now.

I did notice that if you have three columns and have the DynDNS widget up the IP's stick out past the "box" on the right. 

ok i'm going to investigate which one is noob friendly.  I did noticed that under the WAN interface I had a ton of DNS servers:

ISP DNS servers   127.0.0.1
75.75.75.75
75.75.76.76
192.168.7.1
208.67.222.222
208.67.220.222
208.67.220.123
199.85.127.30

Also i'm not sure how to setup WAN monitoring

@fabian  I keep an active PING to the 20 sites that I typically have open at any given time (since I can never be sure which one will drop out).  when the outages happen I don't see any packet loss (to any of the sites that are down).  DNS resolves fine but the sites are not reachable by ping. 

@Animostiy022  I wasn't even aware that there was a Gateway monitoring.  I have looked at the gateway status during the outages and it is up. 

The old thing is that the last time this happened I had turned off UPnP and restarted OPNsense, buthat could just be a coincidence.  Turning it back on and rebooting the firewall did not help but once I shut it down for a bit everything was back up.  I'm going to test this tonight after the girls are sleeping to see if i can replicate.  I looked at the logs but I really didn't see anything.  Is there some logging or anything that I can turn on or use that can help pinpoint this issue if i can replicate it?

I'm hoping someone can help with this.  Every now and then I will get on one of my PC's and a certain number of websites will fail to load.  I get the ERR_CONNECTION_TIMED_OUT message.  It seems random and it's not just PC or browser based b/c it will occur across multiple browsers and PCs.  I'm thinking it has something to do with the network/firewall.  I saw this behavior in pfSense also.  It almost seems like if I wait and reload long enough most if not all the websites will start loading.  Much more rarely a page will partially load.

I've looked at the logs but since I don't know what I'm supposed to be looking for I didn't see anything that stood out as a possible culprit. 

EDIT:  I do get DNS resolution to the websites and most do reply back to pings.  Flushing the DNS on the PC's doesn't do anything and for whatever reasons rebooting OPNsense doesn't seem to help at all.  BUT If I shut it down and leave it off for a few minutes and turn it back on the websites will either connect by themselves or after a few seconds on a refresh.

Soon as I have some time I want to spin up a VM and install an ELK (Elasticsearch, Logstash, and Kibana) Stack on it.  I don't know the differences between greylog and Kibana so I don't know which one would better suit your needs. I was planning on using the Bitnami ELK stack since they have an OVA.

my Cujo started blocking all sorts of connection attempts to port 443 so I tested disabling that rule and the PLEX server did not drop (even after disabling remote access, rebooting everything, etc...).

I actually want to get a cert for my OPNsense box so i was thinking of using this.  If my girls give me some time tonight I'll give this a spin and try to get this installed to see what happens.

After a reboot can you ping the IP for the LAN interface?  Just a guess here but I had a similar problem that every time I rebooted I would lose my configuration and was unable to log into the WEBUI.  Turns out I was running in CD Live Mode and not really installed.

[seems]

This is mostly b/c I am trying to learn and understand this stuff better but in part b/c i hope to drop my Cujo security appliance when the subscription ends (I like the automated reports/notifications and how it seems to block things that aren't picked up anywhere else)

https://fzuckerman.wordpress.com/2016/10/09/iptables-firewall-versus-nmap-and-hping3/
https://javapipe.com/iptables-ddos-protection

Alongside of that a friend of mine pointed me to https://secthemall.com  for some automated features.  Seems like these guides would help someone secure against scans of various types.  Just not sure how to implement this if I'm using OPNsense (or even if some/all of this is already being done).