Messages - Vilhonator

1
24.7 Production Series / Re: Problems accessing WebUI
« on: September 03, 2024, 10:50:31 pm »
Glad that your problem was that minor. I would just like to give some small tips, in case you ever lose access to the web GUI again.

As long as the issue is just not being able to connect to the WebGUI, in most cases all you have to do is access the console via SSH or physically and select restore backup. By default, OPNsense automatically creates a backup every time you make changes to the system. It does start overwriting the oldest backup after x amount of changes (can't remember what the default value is, since I changed mine, but it is quite high and the probability of it working is high, as long as the last 20 or so changes caused the issue).

As long as you have access to the console, you are able to either revert to one of quite a few recent automatic backups, named by the date and time they were created (unless you have disabled it), or take the less safe option, which is disabling the firewall from the shell.

Best practice would be creating backups before and after you make changes to the system, or configuring automatic backups (https://docs.opnsense.org/manual/how-tos/cloud_backup.html), in which case you are always able to just reset everything to factory defaults ;)

2
24.1 Legacy Series / Re: Try to NAT port 53
« on: July 19, 2024, 12:52:04 am »
On consumer internet contracts you won't be able to host your own DNS server which is open to the internet; you need to either host that DNS on a VPS like Azure or AWS, or set up a VPN or proxy.

ISPs in most countries block incoming DNS traffic on UDP 53 to prevent people from being able to mess up global DNS servers and do DNS spoofing, outgoing SMTP traffic on TCP 25 to prevent spamming, and a few other ports that only hosting companies like Google, Amazon AWS, Microsoft and Eila Kaisla need; in fact some countries (Finland, for one) even have laws which obligate ISPs to do that.

3
General Discussion / Re: No Internet for Only Windows Client on VLAN
« on: June 14, 2024, 04:08:11 am »
Quote from: yutzin_sea on June 13, 2024, 04:50:01 pm
Thanks so much for the reply.

My switch is an HP ProCurve J9298A and I believe, if I'm looking at the documentation right, the ports support IEEE 802.3/802.3u/802.3ab. It seems like it's a few versions ahead of 802.1Q, but perhaps they are different standards? This is my first major foray into networking so I apologize for not knowing.

Given the above, would you still suggest enabling IEEE 802.1Q/VLAN tagging on the Windows network adapter?  I'm happy to try anything at this point.

You can try enabling it. Assigning the VLAN ID on the network adapter should solve the issue; the only downside is that you have to do so with each Windows client on your network.

4
General Discussion / Re: No Internet for Only Windows Client on VLAN
« on: June 13, 2024, 03:05:23 pm »
The reason for your issue might be that Windows doesn't support IEEE 802.1Q or VLAN tagging (Linux, Android, iOS and Mac OS do), so you have to enable it from your machine's network adapter properties and enable 802.1Q tags, or change the VLAN ID to the correct VLAN ID if the network adapter doesn't support IEEE 802.1Q tagging.

If that's too much of a hassle, the way you can fix this is buying a switch that supports VLAN tagging (so the IEEE 802.1Q protocol; Cisco is the best and easiest choice for a switch, but any brand will do). That way you don't have to change anything other than firewall rules, add static routes on your firewall and configure VLANs on your switch.

5
24.1 Legacy Series / Re: Backup/Restore config.xml file using command line
« on: March 21, 2024, 03:32:31 pm »
There is a way: you can use scp or tftp, but neither gives you the option to encrypt the file, and you have to be 10000000% sure which config.xml is the correct one, since restoring an old configuration is just plain copying the text from the old config.xml file, pasting it into the config.xml you want to replace and rebooting your OPNsense.

Anyway, OPNsense by default automatically backs up the old configuration whenever you make changes to the local cache, and you can restore one of those from the console by selecting option 13) Restore a backup.

6
23.7 Legacy Series / Re: Need Help with NAT Configuration on Multiple WAN IPs
« on: December 01, 2023, 11:24:17 am »
If I'm not mistaken, you need to apply filtering rules and NAT on the WAN port that is directly connected to the internet.

Kinda similar to transparent filtering bridge mode (https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense). Only the port that is directly connected to the internet can filter traffic coming from the internet.

Not sure though (just spitballing here), but when you think of it, the reason why the second WAN port is completely open might be because traffic doesn't come from a specific external port or IP; it comes from the WAN that is connected to the internet.

The only methods I have used to use more than 1 public IP are connecting a switch directly to the internet and the firewalls to the switch, and transparent filtering bridges. Honestly both of those are much simpler (though not ideal) than playing around with dual WAN configurations.

Also you could check the routes as well and make sure that traffic for each IP is routed as it should be. But if the internet works on both ports as it should and the only issue is that one is completely open, then it's definitely something related to NAT and firewall rules.

7
23.1 Legacy Series / Re: Blocking specific TLD
« on: May 20, 2023, 12:00:29 pm »
Quote from: lilsense on May 19, 2023, 07:43:47 pm
I use pihole to do this with regex. :)

something like this:
\.(zip|mov)$

Yea, that was the first thing I looked into, but I'm looking for an option to block them that runs on my OPNsense, since I would have to uninstall OPNsense and replace it with something that supports Pi-hole, and that's not going to happen.

Might have to check if Snort or Suricata has that option.

8
23.1 Legacy Series / Blocking specific TLD
« on: May 19, 2023, 05:54:06 pm »
Don't know how many are aware, but Google just released a bunch of new TLDs (or at least started advertising them) a couple of days ago.

Among those TLDs were the .zip (yes, DOT ZIP) and .mov TLDs. So my question is, is there a way to set up an alias to collect all .zip domains, or set up Unbound to block them?
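As an added example for the two posts in this thread (the question above about blocking .zip and .mov in Unbound, and the Pi-hole regex quoted in the reply), the following Python is not code from the forum, from OPNsense or from Unbound. It renders Unbound local-zone lines that answer NXDOMAIN for a whole TLD, and checks hostnames against the same deny-list after normalizing case and the trailing dot of a fully qualified name, so the resolver-side rule and the regex can be compared on the same constructed sample names. The regex comparison applies the quoted pattern literally with Python's re module; where the rendered fragment would be loaded on OPNsense (an Unbound include directory or the custom options field) is an assumption, not something the posts state.

```python
"""Block whole TLDs (e.g. .zip, .mov) at the resolver.

Added example; not code from the forum thread, OPNsense or Unbound.
Renders Unbound 'local-zone' stanzas for a TLD deny-list and checks
hostnames against that list the way a resolver sees them (case-folded,
trailing dot removed).
"""
import re

# TLDs named in the thread; any further entries would be illustrative only.
BLOCKED_TLDS = ("zip", "mov")

# Regex quoted in the thread (Pi-hole style), applied literally with re.
THREAD_REGEX = re.compile(r"\.(zip|mov)$")

# Constructed sample names (not from the posts) covering the edge cases:
# mixed case, FQDN with trailing dot, 'zip' as a subdomain label, bare TLD.
SAMPLE_HOSTNAMES = [
    "download.example.zip",
    "Attachment.Example.MOV.",
    "zip.example.com",
    "example.com",
    "zip",
]


def normalize(hostname: str) -> str:
    """Lower-case and strip the trailing dot: 'File.ZIP.' -> 'file.zip'."""
    return hostname.strip().rstrip(".").lower()


def tld_of(hostname: str) -> str:
    """Return the last DNS label (the TLD), or '' for an empty name."""
    name = normalize(hostname)
    return name.rsplit(".", 1)[-1] if name else ""


def is_blocked(hostname: str, tlds=BLOCKED_TLDS) -> bool:
    """True when the hostname's TLD is on the deny-list.

    Only the last label is compared, so 'zip.example.com' is allowed while
    'download.example.zip', 'Attachment.Example.MOV.' and 'zip' are blocked.
    """
    return tld_of(hostname) in set(tlds)


def regex_blocked(hostname: str) -> bool:
    """The quoted regex applied as-is; it needs a '.' before the TLD and
    anchors on '$', so a trailing-dot FQDN such as 'file.zip.' is missed."""
    return THREAD_REGEX.search(hostname) is not None


def unbound_local_zones(tlds=BLOCKED_TLDS, zone_type="always_nxdomain") -> str:
    """Render an unbound.conf fragment that returns NXDOMAIN for each TLD.

    always_nxdomain is an existing Unbound local-zone type; every name under
    the zone (the whole TLD) gets NXDOMAIN without an upstream query.
    """
    lines = ["server:"]
    for tld in tlds:
        lines.append(f'    local-zone: "{tld}." {zone_type}')
    return "\n".join(lines) + "\n"


def classify(hostnames=SAMPLE_HOSTNAMES):
    """Return (hostname, tld_check, regex_check) for each sample name."""
    return [(h, is_blocked(h), regex_blocked(h)) for h in hostnames]


if __name__ == "__main__":
    print(unbound_local_zones(), end="")
    print(f"{'hostname':28} tld-check regex")
    for host, by_tld, by_regex in classify():
        print(f"{host:28} {str(by_tld):9} {by_regex}")
```

Running it prints the two local-zone lines and a table in which the TLD check and the literal regex agree on plain lower-case names but differ on the trailing-dot and bare-TLD forms; that difference is the reason the check normalizes the name before comparing labels rather than matching the raw string.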

9
General Discussion / Re: How do I (2) - - -
« on: May 08, 2023, 07:14:17 pm »
Quote from: ajoeiam on May 08, 2023, 05:19:59 pm
Quote from: pmhausen on May 08, 2023, 04:29:00 pm
@ajojeiam You could spin up a virtual OPNsense to experiment with:
https://github.com/punktDe/vagrant-opnsense

Hmmm - - - - I find 7 options - - - 5 of which are seriously out of date.

I spent a lot of hours a number of years ago digging around in the virtual system world - - - - landed up getting burnt quite badly.

So it's maybe a good idea but I'm more than a little leery of crawling down a hole that caused me so much grief in the past.

I'm a thinking that this might be understandable - - - I hope so:
Well, no master has ever fallen from the sky - - - - at least - - - not yet - - - - right?

It doesn't make any sense not to read that book, or any book, about how firewalls work. (Btw, that book is pretty much about the same version of OPNsense as the current version of OPNsense. Just like all firewall and switch firmware, OPNsense isn't updated to the very latest version of the platforms out there. In fact OPNsense runs on a version of FreeBSD a couple of versions old.)

You can install the oldest maintained version of OPNsense, and you should if security and stability are your concern. Using the very latest version means you are taking a risk of exposing your network to certain exploits, as well as not having 100% guaranteed functionality etc.; after all, free and community-supported software is always dependent on the community testing and reporting any issues they have.

10
General Discussion / Re: How do I (2) - - -
« on: May 08, 2023, 04:27:18 pm »
Ah..... if you are interested in learning about OPNsense and its functions in depth, you can either read the source code, buy a firewall from the store on the OPNsense website, or buy the book that comes with every firewall bought from the official store.

https://www.amazon.com/OPNsense-Beginner-Professional-next-generation-firewalls/dp/1801816875 <---- here's a link for the book

11
General Discussion / Re: How do I (2) - - -
« on: May 08, 2023, 10:20:18 am »
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

That is one you can check (though might not be what you are looking for).

You don't have to connect OPNsense directly to the internet (it's just a heck of a lot easier to set up that way), but for NAT your firewall has to route traffic; otherwise it will just either block or allow any connection to X IP it can find, and the only thing filtering traffic past that is the device where the traffic goes to.

12
General Discussion / Re: How to openport 51820?
« on: May 07, 2023, 05:26:40 pm »
As pmhausen mentioned, change Filter rule association to pass.

Also, if you are testing the port with a regular online port checker, it might not display the port as open (unless the filter rule association makes that difference) even when it is.

Most online port checking tools won't be able to check if a port is open when using the UDP protocol (if interested, read about the difference between UDP and TCP. In short, both are the same, except TCP is slower, more "trustworthy" and visible, while UDP is faster, less stable and invisible.)

13
Hardware and Performance / Re: Question: thunderbolt 3 networking support
« on: May 07, 2023, 05:14:16 pm »
I'm not sure about this, but I think OPNsense does support it as long as the interface card's drivers you install are supported by FreeBSD.

To my knowledge, there are no hardware limitations on OPNsense outside of what is supported by FreeBSD, other than on models sold in the official store (if the model doesn't have a physical expansion slot for it, you can't install the card).

So if there are drivers available for the same or an older FreeBSD version than OPNsense uses, then it should be supported, at least in theory.

14
Hardware and Performance / Re: 10gb home internet, nic question
« on: February 07, 2023, 06:20:04 pm »
Well, the NIC is good, but you have to consider other things as well.

First of all, to have 10Gb internet on your computer, you need at least 2 10Gb ports on your firewall (1 for WAN and 1 for LAN). If you only need that for 1 computer, then it's just that, but for more than 1 device it's always a 10Gb port per device, which also means the firewall needs more powerful hardware.

For example, https://shop.opnsense.com/product/dec840-opnsense-desktop-security-appliance/ has 2 10Gb ports and 4 gigabit ports. It is designed so that the 10Gb ports are connected to the internet, while the 4 gigabit ports are connected to switches and provide up to a 1 gigabit simultaneous internet connection to, for example, up to 256 computers (you need switches and to create VLANs for that, or a bunch of wifi APs) without connections getting slowed down at all.

To provide 10 Gb/s to, for example, 10 computers, you need a switch with a 100Gb port, a firewall with a 100Gb port and an internet contract of at least a 100Gb connection, and even then you would have to check the maximum throughput of your switch and firewall to make sure they can handle such traffic. Needless to say, you most likely won't be buying or building that type of firewall for your home anytime soon :P.

Anyway, theoretically you are fine with the firewall I linked, but I would advise you to contact ZA and OPNsense support via e-mail; they are more than capable of giving you advice about the hardware specifics you need.

15
General Discussion / Re: HOW TO FIX FIREFOX PROBLEM ON KALI LINUX??!!
« on: January 10, 2023, 08:59:25 am »
As you can see from the image, inside my apartment's fuse box there is an ethernet port which has 2 cables, 1 going all the way down to the switchboard of my apartment block that connects to the internet, and 1 that goes under the floor or behind the ceiling to the ethernet socket in my living room.

From the living room's ethernet socket, I have an ethernet cable connected to the WAN port of my OPNsense, and from the OPNsense LAN port I have an ethernet cable going to my switch.

Lastly, from one of the ports of my switch, I have an ethernet cable connected to my computer.

That means my OPNsense isn't behind any firewalls, modems or routers, so in other words it is directly connected to the Internet and receives a public IP address.

There is a way to get things working without being able to connect your OPNsense firewall directly to the internet, but that is something I would recommend avoiding, since it's in the area of either routing, 1:1 NAT, or being able to disable NAT, DHCP and the firewall of your router or modem, the last option rarely being an option unless you own an enterprise-level router or modem.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved