
Messages - rickygm

#1
Hi forum, I have two WAN connections and I am doing load balancing between both, and it works, but when I activate the firewall rule that sends the entire VLAN out to the Internet, I lose access to internal services such as email, web and other apps.

Attached is an image of the GW group and the FW rule. The rule that adds the load balancer in the firewall is the last one.

note:

#2
I am monitoring it with LibreNMS, but it does not detect it correctly; it lists it as a FreeBSD PC.
#3
Quote from: blacklistme on May 07, 2024, 03:04:03 PM
same here!
I'm trying to customize the ruleset with policies. But no matter what settings I use in the policy, it just has no effect on the alerts it generates.

I would be very happy about a solution :)

This worked for me, but is this a bug or is it the correct procedure to deactivate a nasty rule?
#4
Hi forum, I am trying to deactivate an IPS rule that blocks my VPN (OpenVPN) traffic. I deactivate the rule and restart Suricata, but it continues to block the traffic. Any ideas?
#5
I have this same scenario, but I can't get it to work.

https://labzilla.io/blog/force-dns-pihole
Steps 2 and 3 of this manual do not apply to the latest version of OPNsense.
#6
Hi, I have followed this post and created almost all the rules to redirect my DNS traffic to a server with dnsmasq, and it does not work for me. I am using the latest version of OPNsense, and I have AdGuard + Unbound DNS working together.

What I want is for my VLANs to be able to use only two DNS servers, the OPNsense one and my server with dnsmasq, but I also can't pass the traffic to my dnsmasq.

I have 3 VLANs:

192.168.11.0/24 ## servers
192.168.13.0/24 ## user clients
192.168.14.0/24 ## wifi guest

dnsmasq is 192.168.11.4
#7
Hi, I am in the same situation. I have the same hardware as you; my connection is not fast, just 200MB/200MB upload and download, but behind the FW I only get 100MB download and 112MB upload. What parameters helped you?
#8
Quote from: guest33999 on July 20, 2022, 08:39:30 PM
So I stumbled upon a rather correct and detailed guide on LabZilla (https://labzilla.io/blog/force-dns-pihole).

I tried out those rules and everything worked. I'm able to resolve domain names on both PiHole and the clients, and DNS is being redirected to my DNS server.

I was getting close with my last post. Traffic wasn't going to where it was supposed to be. I had the first rule:

NAT Rule 1: Redirect DNS queries to PiHole

    Interface: VLANTEST
    Protocol: TCP/UDP
    Source: VLANTEST net
    Source Port range: From: Any - To: Any
    Destination / Invert: Ticked
    Destination: 192.168.99.11
    Destination Port Range: From: DNS - To: DNS
    Redirect Target IP: 192.168.99.11
    Redirect Target Port: DNS


But what I mostly tried was to add a firewall rule to allow traffic from my DNS server. Instead, I needed to create another NAT rule, but without the port forwarding.


NAT Rule 2: Exempt PiHole from DNS query redirects (Above Rule 1)

    No RDR (NOT): Ticked
    Interface: VLANTEST
    Protocol: TCP/UDP
    Source: VLANTEST net
    Destination: Any
    Destination Port Range: From: DNS - To: DNS

I also added the 3rd rule the author described, to Firewall > NAT > Outbound. I'm not sure if I will come across it, but I added it just to be sure.


NAT Rule 3: Prevent clients from giving unexpected source errors

    Interface: VLANTEST
    TCP/IP Version: IPv4
    Protocol: Any
    Source: VLANTEST net
    Source Port range: Any
    Destination: 192.168.99.11
    Destination Port: DNS
    Translation / Target: Interface address
    Translation / Port: EMPTY


All in all, after over a week of blood, sweat and tears, I finally got what I wanted.

Hi, I know the post is somewhat old, but I am in a similar situation with dnsmasq, which is the DNS of my LAN. In rule two of the NAT, how did you do it? It is an outbound NAT.
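For readers trying to reproduce the three GUI rules quoted above, here is the same set expressed as native pf translation rules, the form OPNsense generates from the GUI; this is an added illustration, not code from the post, the LabZilla guide or the OPNsense project. The interface name vlan0 and the macro names are assumed, and the exemption's source is written as the PiHole address (the purpose the rule's title states) rather than the "VLANTEST net" value in the quote, because with the whole VLAN as source no query would ever be redirected.

```pf
# Added example, not from the post or LabZilla: the three GUI NAT rules as
# pf translation rules. Interface and macro names are assumed placeholders.
vlan_if = "vlan0"                 # assumed name for the VLANTEST interface
pihole  = "192.168.99.11"         # PiHole address from the post

# Rule 2 comes first: pf applies the FIRST matching translation rule, which
# is why the post places the exemption "above Rule 1". Exempting the PiHole's
# own queries keeps its upstream lookups from being looped back to itself.
no rdr on $vlan_if inet proto { tcp udp } from $pihole to any port domain

# Rule 1: any DNS query from the VLAN that is not already headed to the
# PiHole (destination inverted with "!") is rewritten to the PiHole.
rdr on $vlan_if inet proto { tcp udp } from $vlan_if:network \
    to ! $pihole port domain -> $pihole port domain

# Rule 3 (Firewall > NAT > Outbound): source-NAT the redirected queries to
# the interface address so the PiHole answers via the firewall and the client
# sees the reply come from the server it asked, avoiding "unexpected source"
# errors. Limited to tcp/udp because pf needs a protocol for "port", whereas
# the GUI rule says "Any".
nat on $vlan_if inet proto { tcp udp } from $vlan_if:network \
    to $pihole port domain -> ($vlan_if)

# A filter rule passing the redirected traffic is still required (OPNsense
# adds it together with the port-forward); inspect what is loaded with:
#   pfctl -sn
```

On OPNsense these rules are maintained through the GUI and regenerated on every apply, so the pf text is for understanding and checking (pfctl -sn), not for hand-editing.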
#9
General Discussion / Re: packages with vulnerability
April 29, 2024, 09:16:10 PM
Thanks for the information.
#10
General Discussion / Re: packages with vulnerability
April 29, 2024, 08:30:05 PM
I think it would be good to remove a package from the repo that could affect security.

Note: would I have to remove iperf to remove this package, or can I directly remove ruby?
#11
General Discussion / packages with vulnerability
April 29, 2024, 04:23:24 AM
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1.6 at Sun Apr 28 20:20:29 CST 2024
vulnxml file up-to-date
ruby-3.1.4_1,1 is vulnerable:
  ruby -- Arbitrary memory address read vulnerability with Regex search
  CVE: CVE-2024-27282
  WWW: https://vuxml.freebsd.org/freebsd/2ce1a2f1-0177-11ef-a45e-08002784c58d.html

1 problem(s) in 1 installed package(s) found.
***DONE**

Any idea how to fix them?
#12
General Discussion / Re: About Business License
April 25, 2024, 07:51:43 PM
Quote from: rickygm on April 25, 2024, 07:11:15 PM
I wrote to you privately

I also sent you the conversation with the person I was talking to on behalf of the decision team.
#13
General Discussion / Re: About Business License
April 25, 2024, 07:11:15 PM
I wrote to you privately
#14
General Discussion / Re: About Business License
April 25, 2024, 06:14:16 PM
Quote from: Greg_E on April 23, 2024, 03:52:52 PM
My license key was less than an hour and we are in the USA so there are some conversions that needed to be done.

Got an email that an order was placed, a few minutes later got an email that the order was accepted, and then some time later the key was emailed but the whole process was under an hour during their after work hours so the system must be working.

Well, I have been waiting for more than a week for them to send me the payment method; my last email was on Monday with Robert of Deciso, and today I am still waiting.

:(
#15
General Discussion / Re: About Business License
April 23, 2024, 02:06:30 AM
I am in a similar situation. I have finished assembling a couple of boxes for OPNsense and I am in the process of acquiring a couple of licenses for the business version, but the process is slow on the part of Deciso; I am still waiting for a response about when I can buy the licenses.

Now that I'm seeing this message, I don't know whether to wait for version 24