Messages

Damn! Had the same problem here after an upgrade to 21.7.2_1 - thank you very much!

The OpenVPN-GUI validates the field correctly and warns about spaces in the list of networks, but if you have those spaces migrated from a previous version, the routing won't work anymore.

I can confirm this behavior on my 21.1 installation. Some counters increment, some not.

I'm writing these files from a php-script now. Much easier ;-)
Good example: https://github.com/opnsense/plugins/blob/master/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php.

Hi everyone,

I'm developing a plugin where I need to write the content of a certificate from the OPNsense's truststore to a local file. I already have a corresponding dropdown in the form and selecting / saving works well.

How can I access the certificates "content" from within a template? When I access it via the model's property, I just get a string like "5eb0efc71fa7f" - maybe its id / hash?

Best regards
Tobias

The PF doesn't check its ruleset for each packet if it's allowed to pass. He does this for the first packet of its kind and creates a state, where he remembers his decision. Your old ruleset allowed the ping to pass -> the pass was saved in a state. Your new ruleset would deny it, but the states timeout was not reached and so the new ruleset was not checked.
Under the Firewall > Diagnostics menu are tools to view and reset those PF-states. But the reboot was the most simple method in your case.

I'd say the last screenshot should be fine. Did you reboot the OPNsense between the test of the different rulesets? Maybe the pf's state was still alive and allowed the ping?!

So how does your ruleset for VLAN38 look like? "Allow any from VLAN38 to any"? That would mean that also traffic to local RFC-1918-addresses (192.168/16, 172.16/12, 10/8) is allowed and thats why you get routed in the wrong direction to VLAN1.

In my case I have to seperate several nets with internet-access from each other (similar like you), so every interfaces ruleset starts with an "deny access to RFC1918-net" followed by the allow-any-out-rules. I'm not sure if this is the "normal" way to go, but it works...

In my company we use bsd-based genuscreen firewalls from the company genua, where I can define the in- AND outgoing interface for each rule. There the rule would look like "Allow from vlan31-net coming in via VLAN31-interface to ANY outgoing via WAN-interface". No problem with routing back into VLAN1.
A possibility I would love to have on the OPNsense <3

Same problem here after the update to 18.7:
I've got an outbound-NAT-rule using a port-alias containing the two port 80 and 443 as the destination-port. The automatically generated rule in /tmp/rules.debug begins with a "#" so it's commented out. When I remove the alias and use a single port (80 or 443), the # disappears.

As a workaround I cloned the rule for each of the aliases ports.

Hi everyone,

I'm trying to access the management-website through an already existing OpenVPN-tunnel. Is there a possibility to do so? Binding to the VPN-interface is not possible and also nating the incoming connection didn't work.

For security-reasons a out-of-band-management with a dedicated interface is only allowed in case of a vpn-failure. The rest of the time the interface must be disconnected.

Best regards
Tobias

Hey everyone,

first of all thanks for this great project!

We are planning to use the OPNsense captive-portal in our guest-wlan, but have some special requirements.
When people want to go online, they have to provide their first name, surname and email-address and also accept our terms and conditions. There is no need to validate these information, just enter, accept, click OK and they should be online.
At the same time, these information and the corresponding mac-address has to be logged.

Is there a possibility to extend the existing captive portal this way?


Best regards
Tobias