Messages - manjeet

#1
Hello @MB, is there any way to bypass a user from the Sensei filter,
OR,
more accurately for my case, bypass anyone who goes through a particular gateway?

Actually, I have 2 ISPs which are in load-balancing mode on OPNsense; I want anyone connected to gateway 2 to just bypass any filters, blocking or logging.
#2
19.1 Legacy Series / Re: No Client Export Option
July 01, 2019, 02:02:30 PM
I am sorry to act like a noob here, but I do not see or know of any option to import LDAP users.

In System -> Access -> Servers:
I added a new remote LDAP server here. This configuration is working fine with my extended query as a group which is specifically defined for VPN users only. Tested in the tester tab and working.

Now this LDAP server is selected in my OpenVPN server configuration as "Backend for authentication", and "Server Mode" is set to "Remote access (User Auth)" only.

My LDAP server is UCS (Univention Corporate Server).
#3
19.1 Legacy Series / Re: No Client Export Option
July 01, 2019, 12:30:35 PM
Well, I do not see any users in the "linked user" area. I have always used an external LDAP server for authentication and I still want to use it. How can I add the users to the "linked user" list here?
#4
Hi @MB,

A few days back we had a power issue and after that "Elasticsearch" is not working. I have tried to start the service many times, rebooted and tried again, but it didn't work. "Sensei Packet Engine" is working.

I have tried "Perform health check for indices" and it kind of gets stuck and does not do anything. The "You can erase reporting data" option is grayed out. I also tried to run these commands from the terminal and got the error:
1. /usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
2. /usr/local/sensei/scripts/installers/elasticsearch/create_indices.py
ERROR: Connection could not be established with elasticsearch server.

I also tried resetting the package, but it didn't fix the issue. I haven't deleted / uninstalled and reinstalled the package yet. Kindly help.
#5
19.1 Legacy Series / No Client Export Option
June 30, 2019, 04:37:02 AM
Hi, ever since I updated to 19, I do not see any file download option in client export in OpenVPN. Am I missing something here?
#6
19.1 Legacy Series / Re: Outbound Nat
June 21, 2019, 09:03:31 AM
Hi @matzeeg3, your scenario is a little confusing. I might be able to provide a solution if I understand it better.

Scenario 1: Internet with static IP -> OPNsense -> OPNsense network -> second router with VPN -> second network with receiving system

Scenario 2: source network & router -> Internet with static IP -> OPNsense with VPN -> OPNsense network with receiving system

Scenario 3: Internet with static IP -> OPNsense with VPN -> (a) OPNsense network
                                                         -> (b) VPN network with receiving system

Or any other, please specify.
#7
19.1 Legacy Series / Re: Unbound + DHCP
June 21, 2019, 08:48:43 AM
In simple language:
1. When Unbound is enabled and you do not specify DNS servers in the DHCP settings, then by default it uses the Unbound DNS of OPNsense.
2.a. In Unbound: in the general / idle situation, it first tries to resolve the query itself; if it does not have the answer, then it goes to the DNS mentioned in option 5.
2.b. In Unbound: in forwarding mode, it accepts the query and, rather than resolving it, it just forwards it to the DNS server of option 5.

Option 5: System -> Settings -> General:
Any DNS server mentioned here will resolve the queries which are not resolved by Unbound or are forwarded by Unbound. Now, the DNS here you either mention manually, or you check the option "Allow DNS server list to be overridden by DHCP/PPP on WAN", which will overwrite the manually mentioned DNS servers with the ones provided by the ISP.
#8
19.1 Legacy Series / Re: Outbound NAT rules ignored
June 21, 2019, 08:09:40 AM
Hi, your scenario is a little confusing. Please answer these questions so I can understand it better.
1. You said multiple static IPs. So how many ISP connections do you have? Because in my area / country you can only have one static IP on one broadband connection. A leased line is a different thing; you can have multiple static IPs there.
2. Where is your static IP configured? On OPNsense or on the modem/router provided by the ISP? In case it is on the router provided by the ISP, then how is it connected to OPNsense, i.e. NAT from the ISP modem to OPNsense, or bridge mode?
3. There is no general need to change outbound rules, so keep them on the "Automatic outbound NAT rule generation" option.
--
I had a situation, not exactly the same, but it can be related.
So I have 2 ISP connections, one with a static IP and one with a dynamic one. One for office use and one for any other outside use. But both go through OPNsense, so I had to make it work in such a way that any user with an external device / DHCP will automatically go through gateway 2, which is my broadband without a static IP. So I configured the firewall internal network rule as:
a. Source -> EXTERNAL USERS (alias created for easy implementation). In your case you can choose your internal network or the mail server IP for better restriction, or any.
b. Source port -> any
c. Destination -> any
d. Destination port -> mine is any, but you need to forward email through it, so select your SMTP port here
e. Gateway -> This is the most important. Select the gateway with the static IP which you want email to work with. (Obviously you have to create/add another gateway on WAN in case you have multiple ISPs, or a virtual adapter with the static IP in case of a single ISP, which also means you have to work with VLANs.)

You also need a similar rule / port forwarding for receiving email, and DNS settings on the domain to forward / point the MX to the OPNsense static IP.
NOTE: I am writing this assuming that your mail server is behind OPNsense.
NOTE: Google and Microsoft issue: check your static IP in blacklists, verify the SSL certificate.
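The policy-routing rule described in steps a-e above, written out in raw pf syntax as an added illustration. This is not OPNsense's generated ruleset and is not part of the original post; the interface names, gateway addresses, alias members and mail server address are assumptions for the example, and the inbound part shows the matching port forward for receiving mail with a reply-to so answers leave on the same WAN.

```pf
# Added illustration, not OPNsense-generated rules. All names and
# addresses below are assumptions for the example.
ext_if1 = "igb0"          # WAN 1, static IP, gateway 203.0.113.1 (assumed)
ext_if2 = "igb1"          # WAN 2, dynamic IP, current gateway 198.51.100.1 (assumed)
int_if  = "igb2"          # LAN
mailserver = "10.0.0.25"  # assumed mail server behind the firewall

# Step a: the EXTERNAL USERS alias as a pf table (assumed members)
table <EXTERNAL_USERS> { 192.0.2.0/24 }

# Question 3 above: outbound NAT stays automatic, one rule per WAN
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

# Steps b-e: mail from the mail server is forced out via the static-IP
# gateway, restricted to the SMTP ports (step d) instead of "any"
pass in quick on $int_if route-to ($ext_if1 203.0.113.1) \
    proto tcp from $mailserver to any port { 25, 465, 587 }

# External users are pinned to WAN 2 (the broadband without a static IP)
pass in quick on $int_if route-to ($ext_if2 198.51.100.1) \
    from <EXTERNAL_USERS> to any

# Receiving email: port forward on WAN 1, and answer back out WAN 1
# regardless of the default route (otherwise replies may leave via WAN 2)
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 25 -> $mailserver
pass in on $ext_if1 reply-to ($ext_if1 203.0.113.1) \
    proto tcp from any to $mailserver port 25
```

With this layout the MX record points at the WAN 1 static address, outbound mail always presents that address (so SPF and blacklist checks see a consistent IP), and traffic from the EXTERNAL USERS table never touches WAN 1. The dynamic gateway address on WAN 2 must be kept current, which is what the OPNsense gateway object does for you in the GUI rule.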
#9
19.1 Legacy Series / Re: Firewall Logs
June 21, 2019, 07:44:27 AM
Thanks for the answer @Scooter, but this is not what I am looking for. It only tells about source, destination and data used with respect to the time interval we select.

I am looking for logs exactly like or similar to the firewall logs in live view, i.e. reports of all allowed and blocked content.
#10
19.1 Legacy Series / Firewall Logs
June 20, 2019, 06:25:07 AM
Hi, we can see live firewall logs, but is there any way to see old logs? I am sorry if it is already there, but I do not see it.
#11
Hi MB, everything works fine as mentioned after the update.

Now I have 1 issue and 1 feature request (if it's not already there).

Issue: I am not able to update the Sensei package from the command line when using the auto-update of OPNsense, i.e. option 12. The same thing happened when I upgraded from 0.7, and now the same for yesterday's update. I can only update the Sensei package from the Sensei dashboard in the web GUI.

Feature: Is there any way for single or multiple websites / apps / categories to be put only in alert mode? For example, if I want to allow my network users access to certain websites but also want to know who accessed the website or protocol and when, AND for specific blocked content, i.e. when someone tried to access it, then rather than looking through access logs or block logs, just simply have a different tab for alerts only, to check easily and fast. I know we can filter it on reports, but it would be easy to have an alert tab for both allowed and blocked for that specific alert mode. AND can we also send alerts via email?
#12
Hello MB,

As per your email and post, here are the details you asked for:
1. Did you update from 0.7 or from an earlier 0.8 beta/rc?
---> Updated from 0.7
2. How much memory do you have?
---> 8GB
3. Which browser are you using? Anything changes if you switch to Google Chrome?
---> Chromium
4. Does your email account password include any special characters e.g. "&"?
---> It does contain special characters
5. What happens if you invoke the report manually? The command is as follows:
---> The command (/usr/local/sbin/configctl sensei mail-reports) gave me OK and I received the email report

Update: Ever since I reconfigured the email reporting on Saturday (IST), I am receiving the report email. I think it must be the update which somehow messed something up.
b> My system is an Intel Core i5-7400 CPU @ 3.00GHz with 8 GB RAM and 8 GB swap.
c> I use Chromium. But I tested it on Google Chrome and Firefox and the deployment size is still the same.
#13
Hi MB, I am facing a few issues after updating the Sensei package.

1. I do not see a deployment size above 25 (using routed mode).

2. I disabled the health check in the previous version, and now if I enable it, I do not see the save option. Disabled / grayed out.

3. Email reports not working: after the update it generated the report once and it was working, i.e. showing the result, but after that one report I didn't receive any new email.
If I re-enter the mail server details and click test, then it is working and sends a notification email, but I do not receive the report email generated at night.
Also, why does it happen that if I test email and save it, then refresh the page and retest it, it just gives me an error:
Your mail configuration is invalid!
Response: (535, '5.7.8 Authentication rejected')
Meaning we can only test it once, then save the details and leave it that way. It works and emails work, but why do I receive an error when I try to test again until I re-enter the password before clicking test?
#14
Thanks for the reply guys.

@bartjsmit, I also thought about using RADIUS, and I had some issues with it as well and do not have much time to work on it. I will be using RADIUS in the future.

@amichel, it was an MS AD originally, then I migrated to Zentyal and then some others, and at last to UCS. I am using both Windows and Linux clients in my environment and I am not sure if it is completely MS AD compatible or not. I tried and it worked well before by using MS AD parameters, but then, like I mentioned, I do not want to make unofficial changes to the registry and server, because it then hampers my other projects I need to work on with AD, as well as overall security.

This worked for me: https://help.univention.com/t/solved-ad-authentication-with-opnsense/12151/2
This also works well with groups, which didn't work in my previous setup.
#15
Hi, from my OPNsense, I need to use my UCS server for LDAP authentication.

The thing is, I did use it before and it was working. A few weeks back my firewall crashed and I reinstalled it. Now I am not able to configure the server.
Before, on my UCS I disabled the firewall and made some modifications from some posts. A few weeks back I also migrated my old UCS to a new UCS server. I do not want to use those modifications and disabling the firewall.

I tried using OpenLDAP and MS AD, tried using ports 389, 7389, and SSL 7636. No matter what I try, I am not able to configure AD authentication from OPNsense. I need help to set up the LDAP. Thanks