Messages - The_Sage

#1
I am running 19.1.6.
After the patch the symptoms still exist.
I also ran this patch,

opnsense-patch 50c25ea

from https://github.com/opnsense/core/issues/3214

This fixed the issue.
#2
Just re-read
Aliasing completely broken for me recently https://forum.opnsense.org/index.php?topic=12407.0
This is exactly the same issue.
#3
19.1 Legacy Series / IPv6 hosts aliases not working.
April 15, 2019, 10:07:46 AM
Hello all

I have an alias, host_Webservers, with the 2 IPv6 addresses of my 2 web servers (public IPs).
When I create a WAN rule to allow port 443 through to the web servers, it gets blocked by the default Deny rule.

If I create 2 rules, one for each server instead of using the alias it works as expected.

Has anyone any ideas?

Just noticed it doesn't seem to work for any aliases, only IP addresses, for the source or destination.
#4
Web Proxy Filtering and Caching / Re: HTTPS Inspection
February 14, 2019, 07:42:32 AM
Hey Wellenmann,

This is my experience with MITM.

I have tried MITM now and nearly had it working for everything on my network.

I use the transparent option.

The main issue I found was that services like Netflix still refused to work, as it detected the proxy. This may just be the fact that it is in transparent mode. Other services like game consoles don't work, so I bypass the NAT rules for these hosts. This just complicates the firewall rules as well. That said, I have not tested this in a work environment, but I am assuming I would find more apps, software, etc. NOT liking the MITM proxy.

I have resigned myself to the fact that it is quite hard to implement correctly and keep maintained, as it is actually breaking the rules of HTTPS, which is designed to stop exactly this.

My approach is to use just the SNI option and monitor web usage via Light Squid.

We can block sites from remote access control lists. We can create our own as well. Using Spamhaus eDROP / GeoIP we can then stop access from most known malicious networks.

I have not fully looked into it, but the Snort Rules have application (Layer 7) Next Gen firewall type detection.

The only thing I can see missing without the man-in-the-middle is content filtering and virus filtering. As said before, using UT1 can block categories of sites, but NOT actual content.

I then have to trust that the antivirus installed on the workstations will pick up any viruses coming from the web, a bit like email, where (unless there is an edge server with filtering) we have to rely on the local antivirus, the email provider and/or any spam filtering.

I have found that in turning different options off and on in the GUI, with no errors showing, the setup actually gets all tangled up and doesn't work at all. (I haven't looked into why yet.)

#5
Hi, has anyone had the experience of setting up an OPNsense firewall to work how you want, then moving it to another location and having it FAIL? (In particular Squid with SNI, a few SSL Bump additions, and a restrictive firewall to allow only web access through the proxy.)

This setup works like a charm, with speed tests (speedtest.net) reaching the maximums I have recorded.
I then take this firewall to a customer's premises, change the WAN IP address, re-set up the gateways, etc., and the firewall is just a brick.

The only change is the WAN IP address and gateway. Web browsing is sporadic and random. There appear to be no issues looking at the logs in the GUI.

I haven't been able to look any more closely, as I needed to get this firewall going for the client (had to set it up like an ISP modem :-[). I then take the firewall back to the office, change the gateways again, and it works as expected.

Another random issue, with 18.7, was trying to get failover going. After 2 weeks (client break) I went to troubleshoot, and the failover was just miraculously working. NO CHANGES.

Is there any sort of caching, in RRD databases, Squid cache, etc., that may cache or otherwise still retain the OLD WAN address and/or gateway? (This is the thread I was troubleshooting with this older gateway issue.)

Has anyone had any similar issues?

The Sage !!
#6
OK, after an exhausting weekend of success and failure, I decided to try dev 19.1. Rebooted and, lo and behold, all the features I was trying to get set up just worked.
:'( :'( :'(

But at least it is working now :D
#7
Thanks mimugmail, I lost this post and didn't finish it; I thought I had deleted it.

I will continue the list, ask about some issues that I can't find answers to, and try to add them to the docs. I will do this at a later date.

#8
I tried pfSense SSL man-in-the-middle years ago and ran into many issues, and have picked it up again in OPNsense. I have managed to get many annoying things going, but still have issues with several aspects (described later) that are show stoppers. The current docs are adequate to start the Web Proxy, but there are many things not documented. This is by no means a dig at the developers, more of a plea to the community to contribute to this AWESOME project.

With my understanding of the mission ".. the most widely used open source security platform.", we need to band together and consolidate our knowledge into documentation so we can continue to make this the BEST security platform available and make it more accessible and straightforward to new users.

How can we get these questions answered and incorporated into the Docs / Wiki after they are confirmed as actual best practices for the problem they solve?

I will start.

Here is a list of how I solved some common issues (sourced from this forum, the web and some deep dark areas of my brain)

iPhone App Store: add these to the No Bump list: .apple.com, .cdn-apple.com, .icloud-content.com, .itunes.com, .nzstatic.com.

Bypass the proxy altogether: create an alias "No_Proxy", add the IPs of the devices to completely bypass, and edit the transparent NAT rules so the source is the inverted alias.

I added the home PlayStations and Xboxes to the No_Proxy alias so they would connect to the PS network.

On iOS devices, how do I get Instagram videos to play with the transparent Squid SSL proxy?

We can't just add hosts to the No_Proxy alias so one program / one app / one feature works. This defeats the purpose of the transparent Squid proxy.

Can we get ideas and solutions in one place so we can try to add these to the wiki / docs?


 
#9
FYI - OPNsense 18.7.10-amd64
After I got it to work with an IP, I changed it back to the alias IPs (5 IPs) (also tried an alias with 1 IP to see if it was trying to do an ALL comparison). No connection.

Reboot

Confirmed. Aliases DO NOT work with the following rules.

LAN (this is before the BLOCK 80 and 443 rules that force the use of Squid)
Proto         Source   Port   Destination   Port   Gateway
IPv4 TCP/UDP  Alias    *      *             80     *
IPv4 TCP/UDP  Alias    *      *             443    *


NAT (this is to NOT NAT the IPs in the alias to Squid)
Interface   Proto     Source   Port   Destination   Port   NAT IP      NAT Port
LAN         TCP/UDP   !Alias   *      *             80     127.0.0.1   3128
LAN         TCP/UDP   !Alias   *      *             443    127.0.0.1   3129

I am testing with a PlayStation 4 "Test Internet Connection."

If I replace the Alias with an IP it works.
With alias it Fails.

So it is NOT a reboot.

I have made an issue here https://github.com/opnsense/core/issues/3137
#10
Just spent 2 hours trying to get the rules for no-NAT Squid going ... using an alias ... Guess what, I thought the issue was fixed. But I changed it to an IP address and it worked straight away.
Will report back findings later.

Will try later.  >:(     :'(
#11
I have had a few strange things like this happen over the years. Too infrequent to reproduce, but very annoying nonetheless.

Thanks
#12
18.7 Legacy Series / Re: 18.7.10 Suricata 4.1.2 GeoIP
January 14, 2019, 08:31:43 AM
GeoIP has been made redundant in Suricata.

Use a firewall alias of type GeoIP instead. (Can't find the link.)
#13
18.7 Legacy Series / Re: 18.7.10 IP blocklist
January 14, 2019, 08:28:17 AM
I use a URL Table (IPs) alias.
Add a file to a webserver - blockIPs.txt

Edit the file and add all the IP addresses, one per line. (It may accept other delimiters, not sure.)

Then add an alias of type URL Table (IPs), set the update frequency, and enter the FQDN of the file.

This works for me.
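As an added example (not from the post above and not OPNsense's own code), the script below turns a raw, messy feed into the strict one-entry-per-line file that a URL Table (IPs) alias fetches, and includes a helper to check which addresses the resulting table covers. The sample feed is constructed for the example; blockIPs.txt is the file name the post uses. It goes a little beyond the post's "one IP per line" by also accepting CIDR prefixes and IPv6 entries, which the pf tables behind aliases accept; whether your OPNsense version's URL table importer accepts them as well is worth confirming before relying on it. Entries with host bits set (e.g. 192.0.2.5/24) are reported and dropped rather than silently widened, since a blocklist that widens itself can knock out legitimate traffic.

```python
"""Normalize a raw IP blocklist into the strict one-entry-per-line file that
an OPNsense 'URL Table (IPs)' alias fetches.  Added example for this thread;
not OPNsense code.  Run it and redirect stdout into the blockIPs.txt served
by the web server the alias points at."""
import ipaddress
import sys

# Constructed sample feed, deliberately messy: CRLF line endings, comments,
# comma/semicolon/space separators, a duplicate, two /25s that form a /24,
# an IPv6 prefix, a prefix with host bits set, and two junk tokens.
SAMPLE_FEED = "\r\n".join([
    "# sample feed (constructed for this example)",
    "198.51.100.7, 198.51.100.8;203.0.113.0/25",
    "203.0.113.128/25   # other half of the /24 above",
    "198.51.100.7/32    # duplicate of the first entry",
    "2001:db8:bad::/48",
    "192.0.2.5/24       # host bits set: ambiguous, so rejected, not widened",
    "not-an-ip",
    "300.1.1.1",
    "",
])


def parse_entries(text):
    """Split a free-form feed into ip_network objects.

    Comments (# ...) are stripped, tokens may be separated by commas,
    semicolons or whitespace, and anything that is not a valid address or
    CIDR prefix is returned in `rejected` instead of being silently dropped.
    ip_network() runs in strict mode, so '192.0.2.5/24' is rejected rather
    than quietly turned into 192.0.2.0/24.
    """
    networks, rejected = [], []
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0]
        for token in line.replace(",", " ").replace(";", " ").split():
            try:
                networks.append(ipaddress.ip_network(token))
            except ValueError:
                rejected.append(token)
    return networks, rejected


def build_url_table(text):
    """Return (file_body, rejected_tokens).

    The body is what the alias should fetch: duplicates and covered subnets
    removed, adjacent aligned subnets merged, single hosts written without a
    /32 or /128 suffix, IPv4 entries first, one entry per line, trailing
    newline so the last entry is not lost by line-based readers.
    """
    networks, rejected = parse_entries(text)
    v4 = ipaddress.collapse_addresses(n for n in networks if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in networks if n.version == 6)
    lines = []
    for net in list(v4) + list(v6):
        if net.num_addresses == 1:
            lines.append(str(net.network_address))
        else:
            lines.append(str(net))
    return "".join(line + "\n" for line in lines), rejected


def covers(table_body, address):
    """True if `address` falls inside any entry of a generated table body,
    the same 'is this address in any table entry' test pf applies to an
    alias table.  An IPv4 address is never inside an IPv6 entry or vice
    versa, so cross-family checks are simply False."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(entry)
               for entry in table_body.split())


if __name__ == "__main__":
    # Usage: python3 build_blocklist.py < raw_feed.txt > blockIPs.txt
    # With no piped input it normalizes the constructed SAMPLE_FEED instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FEED
    body, rejected = build_url_table(source)
    sys.stdout.write(body)
    for token in rejected:
        print(f"rejected: {token!r}", file=sys.stderr)
```

Rejected tokens go to stderr so they never end up in the served file, and the file is only as good as what the alias actually loads; after the next refresh, compare the line count of blockIPs.txt with the number of entries the alias shows in the GUI.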
#14
18.7 Legacy Series / Re: Cannot ping firewall from LAN
January 12, 2019, 12:05:04 AM
Try from LAN Net to This Firewall.
#15
This is now working. Updated to 18.7.10 firmware.