Messages - sens_ible

#1
I have installed the freeradius plugin and so far it is working fine. I can access the radius server from devices in my LAN and have them authenticated.

Now I want to setup a captive portal and want the captive portal to use the internal radius server for authentication.

So I created an internal radius server in System/Access/Servers and gave it the address 127.0.0.1 for the local host.

Afterwards, I have the said internal radius server available in:
"Captive Portal"/"Edit Zone"/"Authenticate using"

However, the internal radius server does not do what I want. When I do a test in System/Access/Testers I do not get a reply.

How do I have to set up an internal radius server in System/Access/Servers so that I can use the freeradius server which is already installed?
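The tester on System/Access/Testers sends a RADIUS Access-Request and waits for an Accept or Reject. The script below does the same thing by hand from a shell, so that a "no reply" can be separated from "reply rejected" or "reply not from the server". It is an added example, not code from the original post or from the OPNsense freeradius plugin. It assumes the plugin's radiusd listens on UDP 1812 on 127.0.0.1 and has a client entry for that address with a shared secret; the user names, password and MAC used in comments and tests are constructed. The password obfuscation and the Response Authenticator check follow RFC 2865; the check matters because anyone who can spoof a UDP reply could otherwise hand the client an Access-Accept.

```python
"""Minimal RADIUS PAP client (RFC 2865): the System/Access/Testers check done from a shell,
with the server's reply verified instead of trusted."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 2, 4, 31
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator: 20 octets


def _attr(attr_type, value):
    """One Type-Length-Value attribute; the length octet counts type and length too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def decrypt_password(encrypted, secret, authenticator):
    """Inverse of encrypt_password (what the server does). Strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier,
                         authenticator=None, calling_station=None):
    """Return (packet, request_authenticator). The authenticator must be fresh random
    bytes per request: it keys the password obfuscation and the reply check."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    if calling_station:  # client MAC as a captive portal would report it; shows up as "cli" in the auth log
        attrs += _attr(ATTR_CALLING_STATION_ID, calling_station.encode())
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), authenticator) + attrs, authenticator


def parse_packet(packet):
    """Header fields plus a list of (type, value) attributes; rejects bad lengths."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length, authenticator = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("declared length does not match packet size")
    attrs, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return {"code": code, "id": identifier, "authenticator": authenticator, "attrs": attrs}


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Server side (used to test the client): ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator so a spoofed Access-Accept is rejected."""
    if len(packet) < HEADER.size or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER.size])


def authenticate(server, secret, username, password, nas_ip="127.0.0.1", calling_station=None, timeout=3.0):
    """Send one Access-Request over UDP; returns 'accept', 'reject', 'forged', 'timeout' or 'other'."""
    identifier = os.urandom(1)[0]
    packet, req_auth = build_access_request(username, password, secret, nas_ip, identifier,
                                            calling_station=calling_station)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # the "no reply" symptom from the Testers page
    if not verify_response(reply, req_auth, secret) or parse_packet(reply)["id"] != identifier:
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(parse_packet(reply)["code"], "other")


if __name__ == "__main__":
    # usage: python radius_pap_test.py <shared-secret> <user> <password> [host] [port] [client-mac]
    host, port = (sys.argv[4] if len(sys.argv) > 4 else "127.0.0.1"), (int(sys.argv[5]) if len(sys.argv) > 5 else 1812)
    print(authenticate((host, port), sys.argv[1].encode(), sys.argv[2], sys.argv[3],
                       calling_station=sys.argv[6] if len(sys.argv) > 6 else None))
```

Run it on the appliance itself first (`host` 127.0.0.1), then from a LAN host; a "timeout" only from the LAN points at the firewall or the client entry, a "timeout" on the box itself at radiusd. Passing a client MAC exercises the Calling-Station-Id attribute, which is what ends up in the freeradius auth log next to the user name.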
#2
Well, finally I found the reason.

In my testing environment, the WAN interface receives its configuration via DHCP. This includes the automatic setting of a gateway for the WAN interface, and the gateway cannot be disabled.

Hence, OPNsense will automatically use the "reply-to" option by default for the WAN interface. The bad thing is, you cannot see this in the GUI, not in the routing table and not in the rule table.

However, you can solve the problem by disabling the "reply-to" option manually in the firewall rule(s) for your interface, in my case the WAN interface. Et voila. It works.
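For readers who want to see what the GUI hides: below is what the two variants of such a WAN rule look like at the pf level. This is an added illustration, not taken from the post or from an actual OPNsense ruleset; the interface name, gateway address and exact rule wording are assumptions about what OPNsense generates.

```pf
# Loaded for a WAN pass rule on an interface that has a gateway: pf's reply-to forces
# the replies of every state created by this rule out via em0 to 203.0.113.1,
# regardless of what the routing table says (placeholder addresses).
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to (em0) port 443 flags S/SA keep state

# Same rule with "Disable reply-to" set in the rule's advanced options: replies for
# this state follow the routing table, so a host on the WAN subnet gets them directly.
pass in quick on em0 inet proto tcp from any to (em0) port 443 flags S/SA keep state
```

The check that shows it without guessing: `pfctl -sr | grep reply-to` on the console lists every loaded rule that carries the option, and `pfctl -ss` shows whether a state for your connection exists at all.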
#3
Well, as far as I can say, I do not think so. My IP address is 192.168.99.102, the address of OPNsense is 192.168.99.100. Hence, we are in the same subnet and according to the routing table, an entry exists for the local network on link #1 which is the LAN interface.

Furthermore, I have two firewall rules on the WAN interface, one for incoming traffic and one for outgoing traffic. For the outgoing traffic source I have also tried "This firewall" instead of WAN address, however, it did not make a difference.

In my despair I have allowed almost everything on the WAN interface, however, the TCP packets are still being blocked. I have also disabled blocking of private and bogon addresses.

Anyway, the TCP-S packets pass, only the following TCP-A, TCP-R .... packets are blocked. So I do not think, it is a routing problem.

Also, I can connect to OPNsense when I disable the firewall rules via the serial console. This is another hint that the problem has to do with the rules and not the routing.

Quote: The only way to prevent state tracking from killing partial connections is to disable state tracking in the pass rule, but you may want to lock that rule with an IP or something... "pass" all by itself is not enough.

Can you tell me more about this option? However, I think it is difficult to lock the rule with an IP, because when I am traveling and use my laptop, I will not have a static address to lock on. I have to rely on a reliable remote access to my appliances.
#4
Accidentally, I found the solution:

1.) Create a new VLAN interface under Interfaces/Other Types/VLAN

However, before you can use the new VLAN interface you have to assign and enable it.

2.) Go to Interfaces->Assignments and use the + to add a new interface.

I got stuck at this point before, because the new VLAN interface was not offered for assignment.

Actually it seems that I can only assign virtual interfaces after I have assigned all physical interfaces on my machine. After I had assigned all physical interfaces on my appliance, also the VLAN interface I had created before was offered for assignment.

After assigning and enabling the VLAN interface, this interface also appeared in the list of available interfaces for a new zone in the Captive Portal.
#5
I have read several posts in the OPNsense fora that people created a dedicated captive portal for one VLAN only, e.g. only for a Guest VLAN.

How can I do this? I have created a VLAN interface on the LAN interface. When I want to create a zone, the listbox for the interface only offers LAN. I cannot find the VLAN interface I created before.
#6
17.7 Legacy Series / Re: Logging freeradius actions
October 13, 2017, 08:33:53 AM
Quote from: mimugmail on October 12, 2017, 10:09:54 PM
Is it also possible to set it in site-enabled? I don't like to touch radiusd.conf ...
Where can I do this? Is there another config file for that?

Quote from: mimugmail on October 12, 2017, 10:09:54 PM
If yes, I'll add a button for ... just for you  8) :-*
Well, that's what I expected. Finally it is a <bad_joke> PERSONAL firewall </bad_joke>  ::)

No seriously, thanks a lot for your support!!!
#7
I am continuously facing the problem that I am locked out from the WAN interface. After some analysis I found that only TCP:S passes through the firewall, all other TCP packets with other flags set will be blocked, have a look at the screenshot.

I tried some of the TCP flag settings, "any flag", ticking some flags, but without result. No matter what I do, only TCP:S passes.

I also clicked the green arrow in the log to add an "easy rule" to let the blocked TCP packets pass. Rules were added, however, they do not seem to have any effect.

I am using OPNsense-17.7-OpenSSL-nano-i386.img, fresh install.

What can I do for further analysis?
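The symptom described in #3 and #7 (the SYN is passed, the following ACK, PSH/ACK and RST segments of the same connection are blocked) has a recognisable signature in the firewall log, and it is worth telling it apart from a plain "rule missing" deny: a packet that matches an existing pf state never hits the ruleset and is therefore never logged, so a blocked ACK right after a passed SYN means no state matched, which is exactly what a wrong reply-to does. The script below is an added example, not code from the thread or from OPNsense. It parses filterlog lines in the CSV layout I believe FreeBSD's filterlog uses (field order assumed in the comment); the sample lines are constructed and the rule numbers are placeholders.

```python
"""Detect the 'SYN passes, everything else is blocked' pattern in OPNsense filterlog output."""
import re
from collections import defaultdict

# Constructed sample, not a real capture. Field order is the FreeBSD/OPNsense filterlog CSV
# layout as assumed here: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,
# ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport,datalen,tcpflags,seq,ack,win,urg,opts
SAMPLE_LOG = """\
Oct 11 20:01:02 opnsense filterlog: 75,,,1000000103,em0,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.99.102,192.168.99.100,51234,443,0,S,123456789,,65535,,mss;sackOK;TS;nop;wscale
Oct 11 20:01:02 opnsense filterlog: 5,,,1000000003,em0,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,52,192.168.99.102,192.168.99.100,51234,443,0,A,123456790,987654321,2048,,nop;nop;TS
Oct 11 20:01:02 opnsense filterlog: 5,,,1000000003,em0,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,250,192.168.99.102,192.168.99.100,51234,443,198,PA,123456790,987654321,2048,,nop;nop;TS
Oct 11 20:01:05 opnsense filterlog: 5,,,1000000003,em0,match,block,in,4,0x0,,64,1004,0,DF,6,tcp,40,192.168.99.102,192.168.99.100,51234,443,0,R,123456988,,0,,
Oct 11 20:02:10 opnsense filterlog: 75,,,1000000103,em0,match,pass,in,4,0x0,,64,2001,0,DF,6,tcp,60,203.0.113.7,192.168.99.100,40000,443,0,S,555,,65535,,mss
Oct 11 20:03:00 opnsense filterlog: 5,,,1000000003,em0,match,block,in,4,0x0,,64,3001,0,DF,6,tcp,60,198.51.100.9,192.168.99.100,33333,22,0,S,1,,65535,,mss
Oct 11 20:03:01 opnsense filterlog: 5,,,1000000003,em0,match,block,in,4,0x0,,64,3002,0,none,17,udp,78,198.51.100.9,192.168.99.100,5353,53,58
Oct 11 20:03:02 opnsense sshd[1234]: Accepted publickey for root from 192.168.99.102
"""

FILTERLOG_RE = re.compile(r"filterlog: (?P<csv>\S.*)$")


def parse_filterlog_line(line):
    """Return the fields we care about, or None for non-filterlog / non-IPv4 lines."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    if rec["proto"] == "tcp" and len(f) >= 24:
        rec["tcpflags"] = f[23]
    return rec


def find_stateless_victims(lines):
    """Flows whose SYN was passed by a rule yet later segments were blocked on the same
    interface. Packets that match a pf state bypass the ruleset and are not logged, so a
    blocked ACK/PSH/RST after a passed SYN means no state matched, not that a rule is missing."""
    flows = defaultdict(lambda: {"syn_rule": None, "blocked": []})
    for line in lines:
        rec = parse_filterlog_line(line)
        if not rec or rec.get("tcpflags") is None:
            continue
        key = (rec["iface"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "pass" and rec["tcpflags"] == "S":
            flows[key]["syn_rule"] = rec["rule"]
        elif rec["action"] == "block" and "S" not in rec["tcpflags"]:
            flows[key]["blocked"].append((rec["tcpflags"], rec["rule"]))
    return {k: v for k, v in flows.items() if v["syn_rule"] and v["blocked"]}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. a copy of /var/log/filter.log
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for (iface, src, sport, dst, dport), v in find_stateless_victims(lines).items():
        flags = ",".join(f for f, _ in v["blocked"])
        print(f"{iface}: {src}:{sport} -> {dst}:{dport} SYN passed by rule {v['syn_rule']}, "
              f"then {flags} blocked by rule {v['blocked'][0][1]}: no state matched, check reply-to")
```

An ordinary deny (the port 22 SYN in the sample) is not reported, only flows that got past the SYN. The "easy rule" button from #7 cannot help with this pattern either: it adds another pass rule, but the blocked segments never reach the ruleset as new connections, they are dropped for lack of state.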
#8
17.7 Legacy Series / Re: Logging freeradius actions
October 12, 2017, 09:41:12 PM
My second name is "patience"  :)

Actually, I set the entry in the conf file to "yes" and it really logs username and MAC address. So you will not work in vain  ;)
#9
17.7 Legacy Series / Re: Logging freeradius actions
October 12, 2017, 08:09:18 PM
In order to log authorisation requests, one has to enable it in the radiusd.conf, log section, "auth = yes". I think the entries should include the MAC address.

However, I do not know if the radiusd.conf will be overwritten by an OPNsense template when I edit it manually.
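For reference, this is what the edit described above looks like in the freeradius 3 configuration syntax. It is an added fragment, not the plugin's template and not taken from the post; the file location and the `${logdir}` variable are the upstream defaults and are assumed to apply to the plugin's layout.

```conf
log {
        destination = files
        file = ${logdir}/radius.log
        # One line per Access-Request result ("Login OK" / "Login incorrect") with the
        # NAS client and, if the NAS sent a Calling-Station-Id, the client MAC after "cli".
        auth = yes
        # Leave these off: they write the attempted password into the log file.
        auth_badpass = no
        auth_goodpass = no
}
```

Whether a hand edit survives is decided by the plugin's template: if the plugin generates radiusd.conf (OPNsense plugins keep their templates under /usr/local/opnsense/service/templates/OPNsense/, as I recall it; treat the path as an assumption), a manual change lasts only until the next template run, so compare the file with its template before relying on it.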
#10
17.7 Legacy Series / Logging freeradius actions
October 12, 2017, 07:07:00 AM
I have installed the freeradius plugin and so far everything seems to work fine.

I would like to trace radius authentication in more detail. In particular, I want to know details about unauthorised authentication attempts.

Is there a way to log the combination of user name and MAC address which is used for an authentication attempt? I think it might be in the logfile.

Can I log radius activities via the GUI?

Or can I inspect the radius logfile via the GUI (or via a convenient api call ;-) )?

Is there a way to backup the radius logfiles for later analysis?

It would be extremely convenient to have them emailed regularly but it would also be fine to backup them regularly on google drive, preferably encrypted.
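Once `auth = yes` is set, the combination of user name and MAC asked for above is in the log, and the questions about inspecting it amount to a small parser. The script below is an added example, not part of the thread or of the plugin. It assumes the freeradius 3 auth log line format (`Login OK: [user] (from client X port N cli MAC)`, `Login incorrect (reason): [...]`) from memory; the sample lines are constructed. Beyond extracting user and MAC, it flags devices that fail with several different user names, which is the pattern behind most unauthorised attempts on a portal.

```python
"""Pull (user, client MAC, outcome) out of FreeRADIUS auth log lines and flag MACs that
cycle through user names."""
import re
from collections import defaultdict

# Constructed sample in the format freeradius 3 writes with "auth = yes" in the log{}
# section (format assumed from memory, not taken from this installation). "cli" is the
# Calling-Station-Id the NAS sent, which a captive portal fills with the client MAC.
SAMPLE_AUTH_LOG = """\
Thu Oct 12 20:00:01 2017 : Auth: (0) Login OK: [alice] (from client localhost port 0 cli 00-11-22-33-44-55)
Thu Oct 12 20:00:09 2017 : Auth: (1) Login incorrect (rlm_pap: CLEAR TEXT password does not match): [alice] (from client localhost port 0 cli 00-11-22-33-44-55)
Thu Oct 12 20:00:15 2017 : Auth: (2) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [admin] (from client localhost port 0 cli 66-77-88-99-AA-BB)
Thu Oct 12 20:00:16 2017 : Auth: (3) Login incorrect (rlm_pap: CLEAR TEXT password does not match): [root] (from client localhost port 0 cli 66-77-88-99-AA-BB)
Thu Oct 12 20:00:17 2017 : Auth: (4) Login incorrect (rlm_pap: CLEAR TEXT password does not match): [guest] (from client localhost port 0 cli 66-77-88-99-AA-BB)
Thu Oct 12 20:01:00 2017 : Info: Ready to process requests
Thu Oct 12 20:02:00 2017 : Auth: (5) Login OK: [bob] (from client localhost port 0)
"""

AUTH_RE = re.compile(
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]/]*)(?:/[^\]]*)?\] "   # "[user]" or "[user/password]" if auth_badpass/goodpass = yes
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<mac>[^)\s]+))?\)")


def parse_auth_line(line):
    """Return a dict with timestamp, user, mac, ok, reason, client, port, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    rec["timestamp"] = line.split(" : ", 1)[0]
    if rec["mac"]:
        rec["mac"] = rec["mac"].upper().replace(":", "-")  # normalise 00:11:.. and 00-11-.. spellings
    return rec


def failures_by_mac(lines):
    """Map each Calling-Station-Id to the sorted list of user names it failed with."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_auth_line(line)
        if rec and not rec["ok"]:
            seen[rec["mac"] or "<no Calling-Station-Id>"].add(rec["user"])
    return {mac: sorted(users) for mac, users in seen.items()}


def suspicious_stations(lines, min_users=3):
    """MACs that failed with at least min_users distinct user names: one device guessing accounts."""
    return sorted(mac for mac, users in failures_by_mac(lines).items() if len(users) >= min_users)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. a copy of radius.log pulled off the appliance
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUTH_LOG.splitlines()
    for mac, users in failures_by_mac(lines).items():
        print(f"{mac}: failed as {', '.join(users)}")
    print("suspicious:", suspicious_stations(lines))
```

A request without a Calling-Station-Id (the last sample line) is kept under a placeholder key rather than dropped, since a NAS that does not send the MAC is itself worth noticing when the portal is supposed to.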
#11
Finally, the api calls work fine.

I will use mimugmail's curl statements in a script and so I will be able to do an automatic management of radius subscribers.

Maybe it is worth mentioning the root cause for the problems I encountered before.

I started with the configuration of a WAN interface and I was connected to the appliance via the WAN interface. Even after a fresh install I found myself locked out unexpectedly again somewhere in the course of configuration.

It seems that upon activation of a LAN interface, the default non-lockout rules (allow incoming port 80 and 443) are automatically removed from the WAN interface and established on the LAN interface. Hence, further login attempts from the WAN interface (and the api calls of course) will fail. After manually adding the rules on the WAN interface again, also the api calls worked as expected.

If someone else can confirm this, maybe one should consider a correction in one of the next versions of OPNsense.

Anyway, thanks a lot for all the support. And after it is working, I really appreciate these api calls. A great tool to manage all aspects of your firewall automatically.
#12
I have just set up a fresh system. Seems this is a great opportunity to prepare a How-To enable api access from scratch ;-)

I will open a new thread and when the access to the API problem is solved, I can focus on the RADIUS configuration again.

Thanks for all the support I have received so far.

To be continued ...
#13
I have now changed the Settings / Admin Access to https because I hoped that would activate port 443.
I also activated ssh access.

However, as a result I have locked myself out completely. I can neither use the serial console (output cannot be read any more, does not react to any keystroke), nor ssh access (timed out) and the web access fails with:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

Seems I have to make a fresh install/write a fresh image to the CF card before going on ...

#14
Quote from: mimugmail on October 10, 2017, 08:50:07 PM
Did you change the Port for webadmin?
Check your Firewall rules please

No, I did not do any port changes.
I checked the firewall rules and from the logs I can confirm that packets to port 443 actually arrive and pass the firewall.
#15
Quote from: mimugmail on October 10, 2017, 06:13:59 AM
Use the network debug with your browser to see whats happening within the API, it's really easy:

curl -k -u "key":"secret" https://<yourip>/api/freeradius/user/searchUser

Send a POST via setUser and you should be able to add new users ...

The result of the cURL command on the command line with -v option is just:

*   Trying 192.168.99.100...
* connect to 192.168.99.100 port 443 failed: Connection timed out


How would I use cURL in firefox?

Is there a logfile in opnsense where I could find information what is going on?

I just did an nmap scan of the firewall. Port 80 is open, however, 443 seems to be closed. Hence, no https process seems to be active. How can I activate https access?