Messages

Yes, years ago.

Thank you! And thank you for all your work on an amazing firewall.

While tuning some rules for a new site, I went to look at the default core.rules and noticed that the original NAXSI repo is archived and they direct users to https://github.com/wargio/naxsi.

Has this been reflected in OPNsense?  Maybe it already is, but thought I would ask. Really love the WAF, and wanted to make sure it wasn't running some unmaintained plugin.  Thank you!

Hi

Trying to work with netflow data that I am sending to Graylog.  I want to separate it into streams so I can work with it easier, etc.  Is there a way in the firewall (gui or CLI) that I can see what index number for nf_input_snmp matches the actual interfaces?  I have a lot of VLANs, so I want to make sure I am getting it right.  Thanks in advance!

Curious if anyone knows if it's possible to send Naxsi logs to syslog?  I'm not seeing options specific to Naxsi.  While I see NGINX access and error logs, I'm not seeing NAXSI_FMT events.  Thanks!

Trying to convert an existing VPN from policy to route-based.  The tunnel works fine, but when I enable my 1:1 NAT rule, the traffic never actually leaves the firewall.  It's funny, if I do a tcpdump on the VTI, it appears that traffic is leaving.  However, it's not as I don't see the ESP frames leave my WAN interface, nor are they seen at the remote site.  Disable the NAT and traffic flows.

To use the 1:1 NAT on the policy-based tunnel, I had to add the "real" local host into the Manual SPD entries field of the phase2 entry, however that is not present on routed tunnels.  I'm at a loss.

Which repo would this be an issue for on github?  core?

I have a couple Port-Forward rules doing this same thing.  I don't know if it will make a difference since I have several public IPs which are just Virtual IPs, which I use for my "Destination".  Here is what mine look like:

Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP
Destination: Virtual IP (you can use WAN Address or type in a host as well)
Dest Port: Port Alias (contains a group of ports such as 80, 443, etc)
Redirect target IP: 192.168.4.25/32
Redirect target port: (same alias as dest port)
NAT Reflection: enabled (I think this is what you may need, the system may default to disabled)

Time to roll back I guess.  NAT or PPPoE is broken, can't even overwrite with a manual rule, still uses the wrong IP.

Hi

I have a /28 IP block with my ISP and am required to use PPPoE for these static addresses.  Firewall is being assigned the first IP when viewing packet capture and checking PPP IPCP frames (all other IPs are created as IP Aliases).  It seems that after upgrading to 22.1, the "WAN Address" is showing as the second usable IP now (first Alias), and this is also being used in the Automatic Outbound NAT rules.

I may have to switch to Manual outbound to fix this, but curious if anyone else has seen this?  What can I check?

Thanks!

[Firewall]

Mine works and allows me to access my internal servers via their public IP.  All I did was setup a port-forward under Firewall > NAT > Port Forward.  I think the key is to enable NAT reflection in the NAT rule.

Interface:WAN
Destination: Public IP (I have a /28 block so I created aliases, but you could choose WAN Address)
Destination Port: HTTPs, etc.
Redirect target IP: Alias of server's internal IP
Redirect target port: Same as dest (change if you want port translation applied)
NAT reflection: enabled

In my case I have created a firewall group of all local interfaces, called ALL_LOCAL. This gives an automatic alias of ALL_LOCAL net, which contains all the IPv4 and IPv6 subnets configured on those interfaces (and so changes with changes to those networks or interfaces in the group). [emoji3]

Wow, been using OPNsense for a little over a year, how have I not known about Interface groups?!  Thank you for opening my eyes.  LOL.

I only have a couple years experience with OPNsense (and a few more with PFsense), but I don't think there is another easy way since they don't have the concept of zones that you can associate interfaces too.  I came from Sophos UTM which had a out of the box network object called "Any Internet IPv4" (or something similar) which I think is probably just doing the same thing as the invert box in OPNsense.

Would love to hear what others are doing, but this is the cleanest way I've found of preventing traffic between internal networks.

What rules do you have in your WiFi interface/list?

I was genuinely curious, so I fired up my test instance to see.  I found the same behavior between two networks (pinging from LAN to LAN2), but as soon as I disabled all the rules for the LAN interface, I got a DENY with "Default deny rule".

Here's what I think is happening for you.  You likely have a rule in your WiFi list that is allowing destination to ANY.  So traffic is allowed in WiFi (and you likely don't have logging turned on for that rule), and then the floating rule is allowing the traffic out of the LAN interface and that is logging as "let out anything from firewall host itself".  (The floating rule is for traffic leaving an interface)

What I did for my internal network rules on DMZ, Guest, etc. is I created an Alias which has all the RFC1918 private networks (you could also be more specific and just use your actual networks).  Use this alias as the destination in all your rules that would typically be "Any", but you need to check the "Invert" checkbox.  This way my rule allows all traffic to destinations that aren't private such as all the other networks behind my OPNsense.

Thanks Greelan

I was a little lost on your outbound NAT rule for the LAN before you shared the config.  Seems this is needed, other wise the response traffic from pi-hole would leave and try to head directly back to the SRC IP of the clients, which would be an asymmetrical route, and probably dropped by them I would imagine since that's not where they sent the query to.

Started digging around and found I have a GEO alias that isn't populating with entries.  I removed it and things seem to have cleared up.  When I add it back in as a test (only includes United States) and it sits and spins and then errors with: "Cannot allocate memory. [UnitedStates]"

I have another Alias which includes the United States and Ireland and it has 469829 prefixes, doesn't seem to have issues.  I set tunables net.pf.request_maxcount to 3000000 before trying to create the new Alias, but now it's back at 1000000.  ??