Messages

1

19.1 Legacy Series / Re: Remote ACLs does not work with youtube and other video streaming services

« on: May 24, 2019, 02:55:24 pm »

In the access-view i got this message:

Code: [Select]

[tt][tt]10.10.140.1 TCP_DENIED/403 3848 CONNECT r1---sn-4g5ednz7.googlevideo.com:443 - HIER_NONE/- text/html[/tt][/tt]
only turn off remote acl i get the connection to this url without denying.

2

19.1 Legacy Series / Remote ACLs does not work with youtube and other video streaming services

« on: May 24, 2019, 02:43:44 pm »

Hi,

I have a problem with the remote acls and the webproxy. Turning off the Remote ACLs all works fine with the transparent proxy and videostreams. If I turn it on with only one category, for example drugs, videoservices like youtube, netflix etc. are not working.

Does anybody has experience with this behavior?

3

18.1 Legacy Series / IDS Suricata high pingtime on WAN with high datarate

« on: October 16, 2018, 12:51:31 pm »

Hi,

I have a problem with my IDS/Suricata implementation. There is something wrong while IDS is active on WAN-Port. The Ping-Times getting higher, if I have datarates over 10 Mbit/s. Sometimes it takes over 700 ms. Turning off IDS everything works without problems with high datarates (90-100 Mbit/s).

Does anyone knows whats wrong with it?

4

18.1 Legacy Series / Re: Freeradius 3 Accounting is not working

« on: February 28, 2018, 01:58:17 pm »

It is already enabled. Accounting is checked to at the radius-server configuration. I need this for some security-checking-scripts (MAC,IP, etc.) and have a look at the data-volume.
It seems that opnsense does not send this informations to the radius-server, or am I wrong?

5

18.1 Legacy Series / Freeradius 3 Accounting is not working

« on: February 27, 2018, 03:56:59 pm »

Hi alltogether,

i have a problem using freeradius 3 on an external server and captive portal accounting. Doing a radclient check for accounting from the shell in the opnsense machine all works fine. I see my selfmade MAC, Datarates etc.
this is my  command:

radclient -f /tmp/accounting.txt -x 192.168.1.1 acct secret

accounting.txt:

Code: [Select]

  1 Acct-Session-Id = "105"
  2 User-Name = "jung301084"
  3 NAS-IP-Address = 192.168.216.252
  4 NAS-Port = 0
  5 NAS-Port-Type = Ethernet
  6 Acct-Status-Type = Interim-Update
  7 Acct-Authentic = opnsense
  8 Service-Type = Framed-User
  9 Login-Service = CP
 10 Login-IP-Host = 10.0.0.1
 11 Acct-Delay-Time = 0
 12 Acct-Session-Time = 261
 13 Acct-Input-Octets = 9900909
 14 Acct-Output-Octets = 10101010101
 15 Called-Station-Id = 00-27-22-F3-FA-F1:hostname
 16 Calling-Station-Id = 11:22:33:44:55:66

The Freeradius-Server seems to be fine.

But it does not work with the Captive Portal from opnsense. I can do authorisation, but accounting ist not working. The Captive Portal is running on a V-LAN.

Does anybody has a solution for this

Regards

6

17.7 Legacy Series / Re: Captive Portal with Let's encrypt and external Landing Page

« on: February 01, 2018, 11:38:59 am »

I have found a solution by myself with. The Rediredt is now from http to https. That worked. From the https landing page, I do API calls to an https webdirectory in opnsense without using the Captive-Portal root. This is working well and I don't need more code than in the CP-Template of opnsense.

If my time is not so expensive i will do an howto.

7

17.7 Legacy Series / Re: Let's encrypt Wildcard certificates are working?

« on: February 01, 2018, 10:35:36 am »

OK Thanks. I wait till the end of february.

8

17.7 Legacy Series / Freeradius 3 external server and mac-auth

« on: February 01, 2018, 10:20:06 am »

Hi alltogether,

I'm using Freeradius 3 on an external machine und used it with the Captive Portal from opnsense. The Captive Portal uses V-LAN for the Clients. The Radiusserver is in LAN. While using it with normal userlogin (username and passphrase) everything works fine. But I want to do MAC-Authentification, and this is not working. I don't see the MAC in Freeradius. 

Opnsense is configured as NAS-Client.

Does anyone has experience with this configuraion.

9

17.7 Legacy Series / Let's encrypt Wildcard certificates are working?

« on: January 17, 2018, 04:25:40 pm »

Hi all together,

is it possible to use wildcard certificates with let's encrypt on opnsense? And if it's work, how does it work?

Thanks 

10

17.7 Legacy Series / Re: DHCP server: multiple MAC address for same IP reservation

« on: January 17, 2018, 03:49:38 pm »

Hi,

i have tested this on my opnsense machine, but without luck. Opnsense shows a failure message because the same IP is already in use.

But you can use the same MAC-Adress on the Wifi-Interface and the LAN-Interface on your Laptop. On Ubuntu you can do that in the /etc/network/interfaces conf-File.

The Link shows you how it works:
https://www.howtogeek.com/howto/ubuntu/change-your-network-card-mac-address-on-ubuntu/

In Windows you can do that over the device-manager under Porperties of the device. Your network-card must support that feature.

You should take care for using only one of the interfaces. Don't connect LAN and Wifi at the same time. Errors on the network connection would be the result.

11

17.7 Legacy Series / Captive Portal with Let's encrypt and external Landing Page

« on: January 17, 2018, 03:33:43 pm »

Hi all together,

has anyone experience with the opnsense Captive Portal together with Let's encrypt and an external landing page? I have made a setup with Let's encrypt certficate, transparent Proxy and DNS-entry for redirecting to the Captive Portal Page on the opnsense firewall. This works very well.

But I want to use an external Page for the Captive Portal. For this I made a redirect from the local template to the external site. I have added the public IP of the external webserver to the CP settings. The external Webpage is using another Let's encrypt certificate, that is working while using a direct Request in the browser from a CP Client. But if I use the CP-functionality (redirect) on the clients device it shows me the hint that the certificate is not trusty.

DNSmasq is pointing to the public IP of the external site. I have made an Let's encrypt certificate, that works on the local portal, with an Alternative FQDN, where the Domain of the external Page is added. The Webserver has the same public IP like the opnsense WAN-Port ... or better ... they have the same DMZ. I took a second webserver with the same configuration on another public IP with the same result.

It looks like the captive portal uses the same Let's encrypt certificate (with Alternative FQDN that works under same IP) for the redirect like on the local page. Is there a solution for fixing that behavior? Or is another Solution for the https external landing available.

P.S.: Using http (without Let's encrypt) on CP-Site the CP-Client get's the untrusty hint while interacting with the external Page and the local Captive Portal for registering Client. I don't want that behavoir. This is the reason for using the Let's encrypt certificates.


I know this is a very complicated Topic. But I want to f... o.. pfsense because opnsense is the better understandable software. In pfsense it worked, because it is working with an direct redirect on the captive portal settings. But it is much more insecure.


Thanks for your help.

12

German - Deutsch / Captive Portal Umgehung SSL Zertifikat für eine einzelne Domain/IP

« on: December 11, 2017, 08:29:10 pm »

Hallo,

ich habe mir ein Captive Portal mit einer externen Landing Page gebaut. Dabei findet ein Redirect von der eigentlichen Landing Page im opnsense server vom Port 8000 zur externen Landing Page statt. Ich habe ein Let's Encrypt Zertifikat für die API zum Captive Portal installiert, welches auch mit der Landing Page auf dem opnsense server einwandfrei funktioniert.

Nun habe ich folgendes Problem.

Wenn ich mich als nicht registriertes Gerät am CP registrieren will leitet er mich auf die externe Landing Page mit dem Zertifikat vom opnsense server weiter. Dort kommt dann natürlich der Hinweis zur unsicheren Verbindung. Wenn ich den Browser öffne und den URL zum opensense Server händisch eingebe, also die URL wo das redirect vom opnsense server realisiert ist, werde ich ordnungsgemäß auf die verschlüsselte externe Landing Page ohne Sicherheitshinweis, folglich mit dem für die externe Page richtigen Zertifikat, weitergeleitet.

Ich nehme an das CP leitet den gesamten Datenverkehr über das Zertifikat, was auf dem opnsense Server installiert ist, mit dem Ergebnis, das dass falsche Zertifikat für die externe Landing Page genutzt wird (hab ich auch schon getestet). Komischerweise passiert das nicht beim manuellen Aufruf im Browser. Getestet habe ich das jetzt nun mit mehreren Samsung  Galaxy Geräten von S3 Mini bis Galaxy A5 (2017), wobei beim automatischen aufpoppen immer der Sicherheitshinweis angezeigt wird, was ich natürlich vermeiden will.

Gibt es eine Möglichkeit das für einzelne Domains/IP's zu umgehen? Oder gibt es generell eine andere Möglichkeit verschlüsselten Datenverkehr für die Registrierung von anderen Quellen anzuwenden?

P.S. die Einstellungen am Proxy SSL Verkehr für die Domain nicht abzufangen wurden bereits getätigt, was wahrscheinlich der Grund ist, warum es beim manuellen Aufruf klappt.

Mit pfsense lief das alles, aber das will ich nicht mehr weil ... umständlich ... opnsense ist einfach besser.

Grüße 

13

17.1 Legacy Series / Re: Captive Portal bypass urls

« on: June 02, 2017, 06:11:34 pm »

I have found a solution by myself doing this:

1. Added the IP-Address of the Webserver I want from the Captive Portal in the "Allowed addresses" field.
2. Whitelisted the specific URLs in the Proxy Server

so everythings fine an working 

14

17.1 Legacy Series / [SOLVED] Captive Portal bypass urls

« on: June 02, 2017, 05:03:15 pm »

hi all together,

i want to reach some URLs in the internet without registration in the signup-page with an Captive Portal. I have tried it over the "Allowed adresses" Field in the CP-Configuration, but they are always hidden and it does not work. Is there another solution for this problem? Maybe over the Firewall Configuration?

Greetings 

Appendix: I found out, that the Allowed adresses field is only for IPs and not for URLs. Is there any solution for forwarding URLs in the CP Network without Registration?