Messages - SkeelKat

#1
Hi Everyone.

Running the latest OPNsense 25.1.3-amd64 FreeBSD 14.2-RELEASE-p2 OpenSSL 3.0.16

I am trying to set a few devices in the LAN network to operate at priority Network Control (7).

The Rule

When looking at the packets in Live View, the ToS is still set to 0x0, which is the default behavior.
Does anyone know why the ToS is not applied, although it is set to Network (7)?
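The post above is looking at the IP ToS byte in Live View. The "priority" option on an OPNsense firewall rule is the 802.1p priority code point (PCP), a 3-bit value carried in the VLAN tag (the same 0-7 scale on which 5 is "Video" and 7 is "Network control"), while the ToS/DSCP byte is a separate field inside the IPv4 header. The following is an added example, not code from the post or from OPNsense, that parses a captured Ethernet frame far enough to read both fields so the two can be compared on a real capture. The sample frames, MAC and IP addresses are constructed for the example.

```python
# Added example (not from the forum post): read the two different priority
# fields a frame can carry, the 802.1p PCP in the VLAN tag and the ToS byte in
# the IPv4 header, so a capture can be checked for which one is actually set.
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# IEEE 802.1Q recommended traffic-type names for the 3-bit PCP.
PCP_NAMES = {0: "Best effort", 1: "Background", 2: "Spare", 3: "Excellent effort",
             4: "Controlled load", 5: "Video", 6: "Voice", 7: "Network control"}


def parse_priority_fields(frame: bytes) -> dict:
    """Return the 802.1p PCP (None if untagged) and the IPv4 ToS/DSCP/precedence."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    pcp = None
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # top 3 bits of the TCI: priority code point
        vlan_id = tci & 0x0FFF     # low 12 bits: VLAN identifier
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, tos = struct.unpack("!BB", frame[offset:offset + 2])
    if version_ihl >> 4 != 4:
        raise ValueError("IP version field is not 4")
    return {
        "pcp": pcp,
        "pcp_name": PCP_NAMES.get(pcp) if pcp is not None else None,
        "vlan_id": vlan_id,
        "tos": tos,
        "dscp": tos >> 2,          # top 6 bits of the ToS byte
        "precedence": tos >> 5,    # top 3 bits, legacy IP precedence (0-7)
        "ecn": tos & 0x03,         # low 2 bits
    }


def build_frame(tos: int, pcp: Optional[int] = None, vlan_id: int = 1) -> bytes:
    """Constructed sample frame: Ethernet (+ optional VLAN tag) + bare IPv4 header."""
    dst = bytes.fromhex("ffffffffffff")      # constructed MAC addresses
    src = bytes.fromhex("0200deadbeef")
    eth = dst + src
    if pcp is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, ToS, total length, id, flags/frag, TTL, proto (UDP), checksum,
    # constructed source and destination addresses in 192.168.200.0/24
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                     bytes([192, 168, 200, 10]), bytes([192, 168, 200, 1]))
    return eth + ip


if __name__ == "__main__":
    # What a rule setting 802.1p priority 7 produces: PCP 7, ToS left at 0x00.
    print(parse_priority_fields(build_frame(tos=0x00, pcp=7)))
    # A frame whose IP header itself carries precedence 7 (ToS 0xE0, DSCP 56 / CS7).
    print(parse_priority_fields(build_frame(tos=0xE0)))
```

Running the block prints the decoded fields for both constructed frames; on a real capture the same function can be fed the raw bytes of a frame taken from the interface to see whether the PCP or the ToS byte changed.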
#2
Hi Monviech

I disabled Auto HTTPS on the Caddy plugin, since I have a very intricate certificate system set up in the ACME Client plugin that runs automations and pushes certificates to servers within the LAN, etc. Thus, I simply set all the domains to look at the certificates in the OPNsense trust store that are generated by the ACME client.

There is no issue per se; I simply checked the logs (error) and came across this issue where there is "no certificate" for the WAN IP 10.10.19.2, which technically exists in the NAT network between my router and my public IP.

I don't like error messages in logs and thought I would reach out to see if anything can be done to correct the issue. But if it works... don't _____ with it.
#3
Hi Everyone,

I recently switched from Nginx Reverse Proxy to Caddy on OPNsense.
It works really smartly and everything seems to be working. However, I get this entry in my logs as an error:

"debug","ts":"2024-10-01T09:28:57Z","logger":"http.stdlib","msg":"http: TLS handshake error from 105.232.xxx.xxx:9078: no certificate available for '10.10.19.2'"}

This is in my home lab, so I have the fiber router NAT everything to the firewall, and obviously OPNsense then handles tcp/80 and tcp/433 within OPNsense.

So the connection looks like this:

<Public IP 197.188.xxx.xxx/32> to <OPNsense IP 10.10.19.2> to <LAN Network 192.168.200.0/24>

From my understanding, since 10.10.19.2 is not internet-routable it cannot get a certificate, but it should not worry about that; it should be looking at the public IP, but that does not seem to get resolved, or I cannot find any way to make it static. I cannot bind it in custom confs since 197.188.xxx.xxx is not on the firewall anywhere.

Any ideas?
#4
23.7 Legacy Series / 23.7.7 - Set Priority on LAN Rules
November 06, 2023, 05:16:28 PM
I have a rule on my LAN interface for a device where I change the priority to Video for all packets and for low-delay (ACK) packets, matching any packet type.

With the latest update, any change to the priority causes the rule to not pass. Anyone else have this issue?
#5
23.1 Legacy Series / Execute Command After Startup
April 14, 2023, 02:37:11 PM
Hi Guys,

I use a custom curl URL to notify me on Telegram when my servers have completed startup. I am looking to do the same thing with OPNsense, but cannot figure out how to go about it.

The GUI cron section has no support for a custom curl command, and adding the entry to /etc/crontab makes no difference.

On Debian and other Linux distros I use the @reboot directive of cron to achieve this.
#6
22.7 Legacy Series / Re: SSH Proxy / Jump Host
February 07, 2023, 12:42:40 PM
I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP source, only from my country, which is quite small and does not have a lot of people who know what SSH is.

Access to the firewall is done via a 4096-bit RSA key, and all machines behind it use their own 4096-bit RSA key, with password auth disabled.

Confident that this setup is secure enough for my setup ;)
#7
22.7 Legacy Series / Re: SSH Proxy / Jump Host
February 06, 2023, 12:42:05 PM
It can be done via VPN, yes.

However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.

I managed to get this going by simply allowing SSH to "This Firewall" in the WAN rule; using an SSH key, I connect to the firewall and then connect to the Linux host on the LAN.
#8
22.7 Legacy Series / SSH Proxy / Jump Host
January 23, 2023, 01:22:40 PM
Has anyone ever attempted to use OPNsense as an SSH proxy / jump host?

Currently I forward port 22 from my geo location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.

Would be great if OPNsense itself could be the Jumphost.
#9
22.7 Legacy Series / IPFW not listed in service
October 03, 2022, 01:50:28 PM
I recently installed a new firewall, v22.7, and I manipulated the backup files from my old firewall onto the new firewall (completely different interfaces, lagg setup, etc.).

Everything is working, but I cannot get the ipfw shaper service to list in the services.
On the console, when running service ipfw status, I get "Cannot 'status' ipfw. Set firewall_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'."

I have completely removed the shaper and set it back up from scratch, but the service does not enable, list or start.

Any ideas where I can check now?
#10
There seems to be an issue with the latest version of the ACME client using DNS-01 Verification.

Anyone know how to fix this?

<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 98916 - [meta sequenceId="1"] [Tue Jul  5 10:41:20 CAT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 15494 - [meta sequenceId="2"] [Tue Jul  5 10:41:20 CAT 2022] Single domain='*.anything.com.na'
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 42590 - [meta sequenceId="3"] [Tue Jul  5 10:41:20 CAT 2022] Getting domain auth token for each domain
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 5764 - [meta sequenceId="4"] [Tue Jul  5 10:41:23 CAT 2022] Getting webroot for domain='*.anything.com.na'
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 52261 - [meta sequenceId="5"] [Tue Jul  5 10:41:23 CAT 2022] Adding txt value: 0Yfe1V7sfNU***********************hock71wr_GCqU for domain:  _acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 57425 - [meta sequenceId="6"] [Tue Jul  5 10:41:23 CAT 2022] Error add txt for domain:_acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 59624 - [meta sequenceId="7"] [Tue Jul  5 10:41:23 CAT 2022] Please add '--debug' or '--log' to check more details.
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 62170 - [meta sequenceId="8"] [Tue Jul  5 10:41:23 CAT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
#11
Quote from: fabian on April 22, 2022, 08:39:39 PM
Maybe a bug in the configd template. Are there any log files which would indicate that?

It seems the issue is with the error pages; I have no idea how to fix this. Is there any way to completely purge the NGINX configuration and set everything up again from scratch?
#12
This seems to be suspect. I have no clue what I am looking at, but I can see there are issues with nginx.conf and location.tmpl, so it seems you are on the right track with your thinking.

<11>1 2022-04-22T09:18:53+02:00 opnsense.badenhorst.com.na configd.py 448 - [meta sequenceId="45"] [1943752e-de03-4a5a-9c00-5ad11b7a976b] Inline action failed with OPNsense/Nginx OPNsense/Nginx/nginx.conf 'dict object' has no attribute 'statuscodes' at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/template.py", line 270, in _generate
    content = j2_page.render(cnf_data)
  File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 1304, in render
    self.environment.handle_exception()
  File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 925, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/nginx.conf", line 21, in top-level template code
    {%   include "OPNsense/Nginx/http.conf" %}
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/http.conf", line 328, in top-level template code
    {%         include "OPNsense/Nginx/location.conf" ignore missing with context %}
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/location.conf", line 47, in top-level template code
    error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};
  File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 474, in getattr
    return getattr(obj, attribute)
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'statuscodes'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 506, in execute
    return ph_inline_actions.execute(self, inline_act_parameters)
  File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 51, in execute
    filenames = tmpl.generate(parameters)
  File "/usr/local/opnsense/service/modules/template.py", line 347, in generate
    raise render_exception
  File "/usr/local/opnsense/service/modules/template.py", line 338, in generate
    for filename in self._generate(template_name, create_directory):
  File "/usr/local/opnsense/service/modules/template.py", line 273, in _generate
    raise Exception("%s %s %s" % (module_name, template_filename, render_exception))
Exception: OPNsense/Nginx OPNsense/Nginx/nginx.conf 'dict object' has no attribute 'statuscodes'
#13
I recently re-installed my OPNsense using OPNsense 22.1.6-amd64.

Everything was working great up until 2 days ago. I am attempting to add another upstream server to be used via the reverse proxy. However, no matter what I do, the configuration does not change after clicking Apply. If I change the port of an already configured upstream server or simply add a new upstream server, the configuration remains completely unchanged.

After any change to upstreams / upstream servers is made, Services > Nginx > Traffic Statistic still shows the old upstream server and ports.

I have verified this by creating an MD5 hash of /usr/local/etc/nginx/nginx.conf, and absolutely no change happens upon making changes in the GUI.

OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

os-nginx (installed) 1.26
#14
21.7 Legacy Series / WireGuard - HTTP/S Traffic Issue
October 27, 2021, 05:34:00 PM
Dear All,

I have a bit of a weird issue that I cannot figure out for the life of me. I was hoping that with more sets of eyes on the problem someone can help me pinpoint where the issue might be.

I have 2x OPNsense firewalls installed: 1x at the office and 1x at home. Both run the same OPNsense version, 21.7.3_3-amd64, and both have the same WireGuard installed (os-wireguard 1.7, wireguard-go 0.0.20210424,1, wireguard-tools 1.0.20210914).

The only difference:

Office: I have a router from the ISP configured as PPPoE.
Home: I have a router with a static IP address, set up as exposed host (forwarding all public traffic directly to the OPNsense firewall, double NATting).

From Home: Notebook PC on LAN > Office-WireGuard Tunnel > Office Debian Server - Everything works: SSH, DB connections, FTP, SFTP, etc. NO HTTP or HTTPS traffic in any browser; curl in CMD is also not working. This is true for other locations / servers on different subnets behind the Office OPNsense firewall, basically affecting all HTTP/S traffic regardless of destination.

From Home: Android Phone on LAN > Office-WireGuard Tunnel > Office Debian Server - Everything works, including HTTP and HTTPS

From Public Internet: Notebook PC via Mobile Data or Public Wi-Fi > Office-WireGuard Tunnel > Office Debian Server - Everything works, including HTTP and HTTPS

From Public Internet: Android Phone via Mobile Data or Public Wi-Fi > Office-WireGuard Tunnel > Office Debian Server - Everything works, including HTTP and HTTPS

From Office: Notebook PC on LAN > Home-WireGuard Tunnel > Home Debian Server - Everything works, including HTTP and HTTPS

From Office: Android Phone on LAN > Home-WireGuard Tunnel > Home Debian Server - Everything works, including HTTP and HTTPS

From Public Internet: Notebook PC via Mobile Data or Public Wi-Fi > Home-WireGuard Tunnel > Home Debian Server - Everything works, including HTTP and HTTPS

From Public Internet: Android Phone via Mobile Data or Public Wi-Fi > Home-WireGuard Tunnel > Home Debian Server - Everything works, including HTTP and HTTPS

I simply cannot understand why, in this condition, when connecting from my home network using my notebook via the Office WireGuard tunnel, no HTTP/S traffic passes to the local webservers in the office network. This is true for devices that run various webservers (Apache, Nginx and lighttpd), even some of them on custom ports like 8443, 8080, 8006, 8007, etc. Obviously any traffic that bypasses the VPN tunnel (split tunneling via "AllowedIPs") works without any issues.

Any help or insight to what the issue might be would be greatly appreciated.
#15
I have OPNsense 20.1.4-amd64 running with os-nginx 1.19 installed and working 100%.
Certain HTTPS servers are restricted by IP ACLs, which also works great.

Is there any way to configure a custom 403 Forbidden page when an HTTP/S request is rejected based on the IP ACL?