Messages - Ciprian

#1
Quote from: pmhausen on August 17, 2021, 06:32:27 PM
The best way to protect your kids is to talk to them. Frequently. And be interested in their life.

+1

The only 24/7/365 guardian your kid has is your kid: just train the guardian and prepare him for the actual and complete reality.

To get back on the topic, a few categories like pornography, gambling, grotesque and the like, together with search engines' safe search, should do. Set the filtering on your router and without exceptions; such categories should not be an issue if they're blocked for anyone and everyone.

PS Everyone makes mistakes, kids are no exception. When they eventually do, you'll want them as friends and partners, and want them to see you as such as well, ready and quite eager to seek out understanding, empathy and maybe good advice from you: the spying app/ tracker app will turn your kids in the opposite direction when they learn about such an app. And they'll definitely learn about it!

IMO :)
#2
Correct. Yet, even if you don't have the port (123 particularly) explicitly set at the destination, the rule evaluates it because the set service (NTP) uses it -> the rule will only apply to traffic with that particular destination including both IP and port.

It's like having the port evaluated from the application layer, not transport/ protocol layer.
#3
Quote from: Bytechanger on January 07, 2020, 07:52:18 AM
@hutiucip:
I don't understand:
a) why Source should be set, because it could be any
b) why Destination invert
c) why Destination LAN? Should this not be the NTP server, i.e. OPNsense?

Hi!

a) Yes, you are correct, the "later edit" thing was for comet (OP); just to over-emphasize this.

b) & c) (both go together): if the NTP request is already made to a device belonging to the internal subnet (the router for this particular case, on the interface in the same subnet as the client) you don't want to enforce the NAT rule on that packet, i.e. to alter the packet so that its header will be processed AND modified redundantly with the same destination, the destination the packet already had when reaching the router. So c) "destination" == internal && b) "destination invert" == not internal negates c) => only packets that seek an NTP server OUTSIDE the "internal" will be NATed.

Cheers!
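As an added illustration (example code, not from this thread or from OPNsense) of the two points made in #2 and #3, the snippet below models how a port-forward rule with "Destination / invert" and a service instead of an explicit port is evaluated: the port is taken from the service (NTP, 123), and with invert set only packets whose destination is NOT in the internal network are redirected. The subnet, router address and packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the illustration (not from the thread).
SERVICE_PORTS = {"NTP": 123, "DNS": 53}              # port the GUI derives from the service
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # "LAN net", the internal subnet
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")  # OPNsense LAN address (the NTP server)

@dataclass
class Packet:
    dst: str
    proto: str
    dport: int

@dataclass
class RdrRule:
    proto: str
    dst_net: ipaddress.IPv4Network      # "Destination"
    dst_invert: bool                    # "Destination / invert"
    service: str                        # port comes from the service even if left blank
    redirect_ip: ipaddress.IPv4Address  # redirect target

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        in_dst_net = ipaddress.ip_address(pkt.dst) in self.dst_net
        # With invert set, the rule only matches when the destination is NOT in dst_net.
        if in_dst_net == self.dst_invert:
            return False
        # The service's port is evaluated although no port was typed on the rule.
        return pkt.dport == SERVICE_PORTS[self.service]

def apply_rule(rule: RdrRule, pkt: Packet) -> tuple:
    """Return the (destination, port) the packet has after NAT evaluation."""
    if rule.matches(pkt):
        return (str(rule.redirect_ip), SERVICE_PORTS[rule.service])
    return (pkt.dst, pkt.dport)

# Destination: LAN net, invert: yes, service: NTP, redirect to the router itself.
NTP_RDR = RdrRule("udp", LAN_NET, True, "NTP", ROUTER_LAN_IP)

def demo() -> dict:
    pkts = {
        "ntp_to_router": Packet("192.168.1.1", "udp", 123),    # already internal: untouched
        "ntp_to_external": Packet("203.0.113.10", "udp", 123),  # external NTP: redirected
        "dns_to_external": Packet("203.0.113.10", "udp", 53),   # wrong port: untouched
    }
    return {name: apply_rule(NTP_RDR, p) for name, p in pkts.items()}
```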
#4
Hi!
The DNS queries are made from the tunnel interface, so you have to allow (create a "Pass" Rule for) the tunnel IP address (and even better, for the entire tunnel network, if you so see fit) on the OpenVPN interface in FW.
Hope it helps!
Good luck!
#5
Quote from: coffemug on February 03, 2019, 08:22:43 AM
yes, your post at Spiceworks made me configure opnsense and it was kind of cool.

I followed your steps and blocked all the exe under the RULES but it's still downloading the exe file ..

see my attachments


Glad you liked OPNsense.

About still being able to download exe files, sorry about that: my case was exactly the opposite, I couldn't download, and found the culprit to be IPS with those rules (rulesets) set to block everything. It was a long time ago, and it might be that something went wrong either with the rules themselves, or something else in the IPS engine, but I can't tell for sure, since I don't need or use exactly those rules.

Anyway, other rules like P2P/ torrents blocking and anti-malware etc. are working fine... So I encourage you to still tinker with IPS in OPNsense, it's a really powerful tool after you manage to "tame" it. :)

Good luck!
#6
You can do it without Squid using IPS (Suricata), but no granular settings/ no exceptions based on IP addrs, only interfaces:

1. In Services: Intrusion Detection: Administration enable IDS and enable IPS Mode, Pattern matcher "Hyperscan" (personal recommendation). Then select the interfaces on which the IPS will take action.
2. In the "Download" tab, enable "ET open/emerging-policy", and change (check) the action to (be) "Alert". Then "Download & Update Rules".
3. In the "Rules" tab, select all types of ".exe" rules you need for blocking and change their action from "Alert" to "Block". If unsure, before blocking anything, you can even download some .exe files and see which rules fire in the logs, as alerts..., then change their action directly in the Alerts tab.

Just fine tune and tinker with rules, rulesets and actions there until you get the desired results.

Good luck!
Cheers!

PS Are you coming from "Spiceworks" forum? I remember I gave the suggestion to use OPNsense + IPS to somebody over there, like 2-3 days ago. :)
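Added example (Python, not code from this post or from OPNsense/Suricata) of what step 3 above means at rule level: the GUI's "Alert" to "Block" change is assumed here to correspond to rewriting a Suricata rule's leading action keyword from alert to drop, applied to rules whose msg mentions "exe". The three rules are constructed stand-ins, not real ET Open rules.

```python
import re

# Constructed stand-in rules (not real ET Open rules); sids in the local 9000000+ range.
CONSTRUCTED_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED POLICY PE EXE or DLL Windows file download"; flow:established,to_client; file_data; content:"MZ"; depth:2; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED POLICY HTTP request for .exe"; flow:established,to_server; http.uri; content:".exe"; nocase; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"CONSTRUCTED P2P BitTorrent peer traffic"; flow:established,to_server; sid:9000003; rev:1;)
"""

# Leading action, then the rest of the rule; msg is pulled out of the option list.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>\S.*\(.*msg:"(?P<msg>[^"]*)".*\))\s*$')

def parse_rule(line: str):
    """Split a one-line Suricata rule into action, remainder and msg (None if not a rule)."""
    m = RULE_RE.match(line)
    return m.groupdict() if m else None

def set_action(line: str, new_action: str, keyword: str) -> str:
    """Rewrite the action of rules whose msg mentions keyword; leave every other line as is."""
    rule = parse_rule(line)
    if rule is None or keyword.lower() not in rule["msg"].lower():
        return line
    return f'{new_action} {rule["rest"]}'

def block_matching(ruleset: str, keyword: str = "exe") -> str:
    """alert -> drop for the selected rules: in IPS mode a drop rule blocks the flow."""
    return "\n".join(set_action(l, "drop", keyword) for l in ruleset.splitlines())

def count_actions(ruleset: str) -> dict:
    """How many rules carry each action; useful to confirm only the intended ones changed."""
    counts = {}
    for rule in map(parse_rule, ruleset.splitlines()):
        if rule:
            counts[rule["action"]] = counts.get(rule["action"], 0) + 1
    return counts
```

The BitTorrent rule stays at alert, which is the point of step 3: only the rules you selected switch to blocking, everything else keeps logging.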
#7
18.7 Legacy Series / Re: PPTP Setup (Need Help)
January 30, 2019, 09:30:03 AM
Sorry, nope!... :(
#8
18.7 Legacy Series / Re: PPTP Setup (Need Help)
January 17, 2019, 10:50:09 AM
You don't need to!

You'll have to have 3 rules:

1. NAT rule on WAN interface: Source: ANY/ any (IP ADDRESS/ port), Destination: WAN ADD/ pptp(1723), NAT: LAN ADD/ pptp(1723) (enable "Filter Rule Association")
2. FW rule (associated): see above, automatically created by the system if you check to enable "Filter Rule Association" option in NAT rule.
3. FW rule on PPTP interface: Source: PPTP NET/ any, Destination: LAN NET/ any. This limits PPTP clients to LAN access, no internet. In case you want to allow LAN and internet access, change Destination: LAN NET/ any to ANY/any.

It should work.
#9
General Discussion / Re: Rules for use Torrent service
January 17, 2019, 10:17:40 AM
Quote from: balubeto on January 14, 2019, 06:58:47 PM
So, how do I set OPNSense to do what I want to do?

Thanks

Bye

The answer, actually the answers, were all given in previous replies here. At least, all the answers regarding exactly that, OPNsense config. As I stated before, something is amiss and not necessarily in the OPNsense config... So I kindly ask you to allow me to say that continuing to ask here what you should do is not enough any more... This is the most anyone limited to a forum can help.

Good luck!
#10
General Discussion / Re: Rules for use Torrent service
January 14, 2019, 11:56:48 AM
Quote from: balubeto on January 09, 2019, 06:23:34 PM
There is no firewall enabled on the LAN computers.

The VDSL2 router should be set up correctly in Bridge mode because, a few months ago, I had a firewall hardware with pfSense and I did not have this problem. How come?

I never used pfSense, but I have a NAS (FreeNAS) and multiple services (like FTP) and plugins (like Transmission - a torrent client, Plex, Emby, NextCloud etc.) behind OPNsense and everything works like a charm accessed from both LAN and from WAN. I so conclude that your problem is not a "works with that, but not with this" problem.

Quote from: balubeto on January 09, 2019, 06:23:34 PM
One thing I never understood: If I turn off NAT on the router, I can no longer access the Internet from the LAN computers. This happens with the old and the new firewall hardware. How come?

A very expected behavior: your IPs set for LAN are not routable, so you can't access internet without a NAT device.

Quote from: balubeto on January 09, 2019, 06:23:34 PM
With OPNSense, is it possible to configure it so that it also acts as a full NAT for the entire LAN so that I can completely disable the router's firewall?

OPNsense already does that, full NAT, but NAT is a FW function. Can't really turn off FW, in its entirety, without turning off NAT. There are settings and/ or rules for completely "avoiding" one or the other (as in, allow everything from anywhere to anywhere, and/ or translate everything from this WAN address to this LAN address, or the other way around, or no NAT at all), but otherwise you either have it as a router only, or as a router + FW (and with or without NAT).

I say it again: without directly seeing every link in the chain, every device on the path of your internet connection, I declare myself unable to help.

I truly hope you'll figure it out.
A good day to you!
#11
18.7 Legacy Series / Re: PPTP Setup (Need Help)
January 14, 2019, 09:45:27 AM
Hi!

1. Find the PPTP plugin in System: Firmware: Plugins and install it.

2. Configure it so that the server address is the LAN address of OPNsense, and the start of the interval to be used by the PPTP client(s) (just to keep things as simple as possible - otherwise you can choose other subnet than LAN). The length of the interval is given by the "No. PPTP users" option.

3. Create a NAT Rule with an associated FW rule that translates port 1723 from WAN to LAN (public IP to private IP of OPNsense).

4. In FW, on the PPTP interface, create the necessary outbound rules to allow traffic from PPTP clients to LAN... If needed, same thing on LAN interface, to allow outbound traffic to PPTP (by default it's not required, LAN is already allowed everywhere right from scratch - the initial wizard running).

Hope it helps.
A good day to you!
#12
Quote from: franco on January 12, 2019, 01:59:35 PM
Sounds strange, maybe the reboot did it?


Cheers,
Franco

Hi, Franco!
It might be the same bug "born" when the aliases code was optimized, appeared only once, in a single sub-subversion of OPNsense, don't quite remember well which one, but recently (2-3 months ago). It happened to me as well, web and ftp services went down until I changed from aliases to actual ports (for me it was port translation).

The behavior was that no matter which port was the internal alias port directing to, the redirection was always to the external/ public(shed) alias port.

There are a few posts here in the forum, and a bug report on GitHub about that, + the OP having said that he upgraded OPNsense, it might relate.
#13
General Discussion / Re: Rules for use Torrent service
January 09, 2019, 03:23:05 PM
I don't know, sorry... It seems to be fine, but it isn't... Even your PC firewall might be interfering, or even the modem, if the bridge mode is not quite a bridge... I don't really know.

It's difficult to find an answer having just bits, and just from one single link in the chain.
#14
Maybe a "Cisco-like" approach would be something worth considering?

I mean, having 2 separate configs:

1. A running config, effective immediately at "Save"
2. A start-up config, effective at OS load. Would require an extra "Save to start-up config" step to be modified.

This way, if a mistake is made, and you get locked out or something, a restart would also be a roll-back, since no "Save" has been made to the start-up config yet.

Thank you!

If yes (more votes), I could write that request on github, but what do you people say?
#15
General Discussion / Re: Rules for use Torrent service
December 07, 2018, 09:52:38 AM
OK, but what about your torrent client, what does it say about the port?