Messages - marshalleq

#1
General Discussion / Re: Install PiHole on Opnsense
February 13, 2024, 05:11:58 AM
I'm fairly confident there would be a way of doing this via docker on opnsense right?  Pihole on docker is readily available.  It would make a lot more sense to host it on your firewall than add another point of failure.
#2
23.7 Legacy Series / Re: Outbound Nat on WG Tunnels
November 28, 2023, 08:49:20 PM
I just wanted to add, in case it helps, that I'm having a similar problem since one of the recent updates where my OpenVPN VPN will connect, will allow traffic to the firewall, but doesn't get internet.  So it doesn't seem to be specific to WireGuard.

I tried the workaround to click save and in my case that did not solve the issue though, so it may be something else.

This is just a personal firewall and I'm the only VPN user so I will have a look at it later.
#3
OK so I've figured out I can disable NAT reflection for just those two rules, 80 and 443.  And now I can browse again.  I am left wondering what this means though.  I.e. for other ports - any port that is enabled for NAT reflection no longer can be used to access anything on the internet side?  Is that normal?

Perhaps I need to rename this ticket now.
#4
I am just going to add here, that it's possible I am wrong of course.

The thing that breaks it for me is enabling reflection for port forwards.  What I mean is the internet web sites cannot be accessed any longer after enabling this.  I assume this is happening because I have standard 80/443 port forwarded.

My understanding grows. :D

So in this case, is there a way around this?  I mean I have web servers but clearly if I port forward 443 this apparently will mean I can't use 443 when browsing the web?

Thanks.
#5
Hi, this ticket is just being put here so that someone knows that this is an issue.  I've logged them before and some weird answer that results in no help, a closed ticket and therefore with a closed ticket nobody ever gets the message that there's a bug to be fixed.

So I thought I'd put this here so that there is something open that can be referred to for a future version.

If there is a more appropriate bug tracker that I should put this in, please advise before closing this ticket as closing this ticket is obviously completely unhelpful.

Plenty of people have posted messages about this.  Failing that, as much as I prefer opnsense, I will unfortunately need to move to the dark side - PFSense, which I understand does have this feature working.
#6
I think it's broken and it would seem that there is a bug open for this (below).  It's probably worth going in there and voicing your opinion to get some visibility that it isn't just a few of us being green about firewall configuration.  I note there are a lot of other threads about this issue going back many versions, one of them logged in 2020 has had 11093 views so I think that says a lot.

https://github.com/opnsense/core/issues/5941
#7
I feel that with all these issues in here with NAT reflection that either it is broken or needs an overhaul to make it make sense.  I too have this issue.  I want to use NAT reflection for my mail server because Split DNS is causing issues with my security certificates.  Basically the internal different IP keeps questioning me why the certificate has changed and blocks the traffic.

Hopefully someone at OpnSense will make it a priority after so many years of unanswered questions.
#8
For completeness (now that 21.7 has removed the Unbound Custom options from the GUI), the way I have continued to use the GUI to address this is as follows:

Under System, Administration, Alternate Hostnames: plex.direct otherhost (where other hosts are separated by spaces)
Under Services, Unbound DNS, Blocklist, Whitelist Domains: plex.direct
Under Services, Unbound DNS, Blocklist, Private Domains: plex.direct

This works well for me.  It pays to note that the reason I have it under both whitelist and private is I found it solved a problem when connecting to a remote plex server (not my own) which was reporting indirect connections.

For those of you missing the aforementioned way of doing this via custom options, that can still be done manually by editing /usr/local/etc/unbound.opnsense.d instead.

Hope that helps someone out there!

Marshalleq
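For readers who want the manual route mentioned in the post above, here is an added example (not part of the original post, and not OPNsense's own shipped configuration) of what the equivalent Unbound drop-in looks like. It assumes that OPNsense includes every `*.conf` file under `/usr/local/etc/unbound.opnsense.d/`, and the file name `plex-direct.conf` is an illustrative choice, not a name the page gives.

```conf
# Added example, not from the original post.
# Assumed location: /usr/local/etc/unbound.opnsense.d/plex-direct.conf
# (file name is illustrative; OPNsense is assumed to include *.conf here).
server:
    # Unbound's DNS-rebinding protection discards answers that resolve a
    # public name to a private (RFC 1918 / loopback) address.  plex.direct
    # names are designed to resolve to LAN addresses, so the protection has
    # to be relaxed for that zone and only that zone.  This is the same
    # setting as the "Private Domains" field in the GUI described above.
    private-domain: "plex.direct"
```

After dropping the file in, `unbound-checkconf` will tell you whether the fragment parses before you restart the Unbound service from the GUI. Keep the exception scoped to the one zone that needs it: listing broader domains here re-opens the rebinding protection for every name under them.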
#9
21.1 Legacy Series / Auto Firmware Update Missing?
June 06, 2021, 11:24:44 PM
I've been googling this one and I'm unclear if this basic feature exists or not.  What I'm looking for is some method whereby the firmware can be auto downloaded, updated and rebooted if necessary at a scheduled time.  Seems like a pretty basic feature for a firewall to me.

There are a few discussions, e.g. here: https://github.com/opnsense/core/issues/1798

What am I missing?

Many thanks,

Marshalleq
#10
21.1 Legacy Series / Scheduled Reboot Missing?
June 06, 2021, 11:21:35 PM
I stumbled upon this old thread, complete with code to resolve the issue, but for the life of me I can't find this feature in the GUI anywhere.  Perhaps I'm misunderstanding it.

Anyone know if there still exists a scheduled reboot feature in the GUI?

Thanks,
Marshalleq

https://forum.opnsense.org/index.php?topic=4471.0
#11
21.1 Legacy Series / Re: Suricata 6
January 16, 2021, 01:03:16 AM
Hi, I hope it's OK to add to this thread - I don't think Suricata works very well, if at all for many people right now.  The documentation here has left a lot to be desired and in my case I can only get it to kind of work by protecting the LAN instead of the WAN which is not at all what I want.

I am quite frustrated about it and not really sure what to do other than bail on Opnsense and go to pfsense.  However, I've been with Opnsense a long time and would prefer to stay for all the reasons I chose it in the first place.

I suspect, that bringing forward Suricata 6 would allow us to iron out these challenges.  So if we could have it added I would be happy to help.

I assume there is a downloadable beta somewhere I can get my hands on?  (Looking now).

Thanks,

Marshalleq
#12
This seems to be the known unknown in Opnsense.  No-one seems to be able to support Suricata, it's a black art.

I can't even get mine going - no alerts ever show up.

#13
Sadly, while there was one step missing, it still doesn't work. :(
#14
So I've installed and I've tried a few different things, including using an external DB, but always get told to reset reporting, which fails as per attached screenshot.

Admittedly, I do only have 4GB RAM in the box, I could upgrade it, but was led to believe it would work, particularly with an external database, which installed, but did not present any data.

Any ideas?

Thanks.
#15
Deleted my post and moving to a separate topic