Messages

1

General Discussion / Enabling load balancer on WAN does not allow connecting to internal services

« on: August 28, 2024, 12:24:50 am »

Hi Forum, I have two WAN connections and I am doing load balancing between both and it works, but when I activate the firewall rule that goes out to the Internet to the entire VLAN, I lose access to internal services such as email, web and other apps.

Attached is an image of the GW group and the FW rule, The rule that added the load balancer in the firewall is the last one.

note:

2

24.1 Legacy Series / Re: SNMP interface indexing bug(?)

« on: May 15, 2024, 10:00:38 pm »

I am monitoring with librenms, but it does not detect it correctly, it puts it as a freebsd pc

3

Intrusion Detection and Prevention / Re: Unchecking "Enabled" on a policy doesn't stop it from processing

« on: May 11, 2024, 08:12:11 am »

same here!
I´m trying to costumize the ruleset with policies. But no matter what settings I use in the policy, it just have no effect on the alerts its generates. 

I would be very happy about a solution

This worked for me, but is this a bug or is it the correct procedure to deactivate a nasty rule?

4

Intrusion Detection and Prevention / Disable Rule not working

« on: May 11, 2024, 07:57:32 am »

Hi forum , I am trying to deactivate an ips rule, it blocks my vpn (openvpn) traffic, deactivate the rule and restart suricata, but it continues to block the traffic, any ideas?

5

23.7 Legacy Series / Re: [Solved] Redirected DNS to local DNS Servers unable to resolve

« on: May 08, 2024, 01:18:17 am »

I have this same scenario, but I can't get it to work.

https://labzilla.io/blog/force-dns-pihole
Steps two and 3 of this manual do not apply to the latest version of opnsense

6

Tutorials and FAQs / Re: HOWTO - Redirect all DNS Requests to Opnsense

« on: May 08, 2024, 01:11:29 am »

Hi, I have followed this post and created almost all the rules to redirect my DNS traffic to a server with dnsmasq and it does not work for me, I am using the latest version of opnsense, I have adguard+unbound dns working together.

What I want to do is that my vlans can only use two DNS, the opnsense one and my server with dnsmasq, but I can't also pass the traffic to my dnsmasq

i have 3 vlan:

192.168.11.0/24 ## servers
192.168.13.0/24 ## users clients
192.168.14.0/24 ## wifi guest.

dnsmasq is  192.168.11.4

7

Hardware and Performance / Re: Bandwidth cut in half when traversing system but direct bandwidth test is fine

« on: May 05, 2024, 11:51:04 pm »

hi, I am in the same situation, I have the same hardware as you, my connection is not fast, just 200MB/200MB upload and download, but behind the fw I only have 100MB download and 112MB upload, what parameters helped you?

8

General Discussion / Re: [SOLVED] Cant get firewall rules to work

« on: May 03, 2024, 12:26:30 am »

So i stumbled upon a rather correct and detailed guide on LabZilla (https://labzilla.io/blog/force-dns-pihole)

i tried out those rules and everything worked. I'm able to resolve domain names on both PiHole and the clients, and DNS is being redirected to my DNS server.

I was getting close with last post. Traffic wasn't going to where it was supposed to be. I had the first rule

Code: [Select]

NAT Rule 1: Redirect DNS queries to PiHole

    Interface: VLANTEST
    Protcol: TCP/UDP
    Source: VLANTEST net
    Source Port range: From: Any - To: Any
    Destination / Invert: Ticked
    Destination: 192.168.99.11
    Destination Port Range: From: DNS - To: DNS
    Redirect Target IP: 192.168.99.11
    Redirect Target Port: DNS

But what i mostly tried was to add a firewall rule to allow traffic from my DNS server. Instead, i needed to create another NAT rule, but without the port forwarding.

Code: [Select]

NAT Rule 2: Exempt PiHole from DNS query redirects (Above Rule 1)

    No RDR (NOT): Ticked
    Interface: VLANTEST
    Protcol: TCP/UDP
    Source: VLANTEST net
    Destination: Any
    Destination Port Range: From: DNS - To: DNS
.

I also added the 3rd rule the author described, to Firewall > NAT > Outbound. I'm not sure if i will come across it but i added it just to be sure.

Code: [Select]

NAT Rule 3: Prevent clients from giving unexpected source errors

    Interface: VLANTEST
    TCP/IP Version: IPv4
    Protcol: Any
    Source: VLANTEST net
    Source Port range: Any
    Destination: 192.168.99.11
    Destination Port: DNS
    Translation / Target: Interface address
    Translation / Port: EMPTY

All in all, over a week of blood, sweat and tears, i finally got what i wanted.

Hi, I know the post is somewhat old, but I am in a similar situation with dnsmasq, which is the dns of my lan, in rule two of nat, how did you do it? , it is an outbound nat

9

General Discussion / Re: packages with vulnerability

« on: April 29, 2024, 09:16:10 pm »

thank for information

10

General Discussion / Re: packages with vulnerability

« on: April 29, 2024, 08:30:05 pm »

I think it would be good to remove a package from the repo that could affect security.

note: would I have to remove iperf to remove this package or can I directly remove ruby?

11

General Discussion / packages with vulnerability

« on: April 29, 2024, 04:23:24 am »

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1.6 at Sun Apr 28 20:20:29 CST 2024
vulnxml file up-to-date
ruby-3.1.4_1,1 is vulnerable:
  ruby -- Arbitrary memory address read vulnerability with Regex search
  CVE: CVE-2024-27282
  WWW: https://vuxml.FreeBSD.org/freebsd/2ce1a2f1-0177-11ef-a45e-08002784c58d.html

1 problem(s) in 1 installed package(s) found.
***DONE**

any idea how to fix them?

12

General Discussion / Re: About Business License

« on: April 25, 2024, 07:51:43 pm »

I wrote to you privately

I also sent you the conversation with the person I was talking to on behalf of the decision team.

13

General Discussion / Re: About Business License

« on: April 25, 2024, 07:11:15 pm »

I wrote to you privately

14

General Discussion / Re: About Business License

« on: April 25, 2024, 06:14:16 pm »

My license key was less than an hour and we are in the USA so there are some conversions that needed to be done.

Got an email that an order was placed, a few minutes later got an email that the order was accepted, and then some time later the key was emailed but the whole process was under an hour during their after work hours so the system must be working.

Well, I have been waiting for more than a week for them to send me the payment method, my last email was on Monday with Robert of  Deciso, and today I am still waiting.

 

15

General Discussion / Re: About Business License

« on: April 23, 2024, 02:06:30 am »

I am in a similar situation, I have finished assembling a couple of boxes for opnsense, and I am in the process of acquiring a couple of licenses in the business version, but the process is slow on the part of Deciso I am still waiting for a response when I can buy the licenses.

Now that I'm seeing this message, I don't know whether to wait for version 24