Messages

ok nach ausprobieren und queer lesen.

erst greift die "normale" regel , dann gehts durch die traffic shape regel,

also wenn keine regel zb für web surfen erlaubt ist kommt erst gar nicht der zweite schritt für das eingrenzen von der Geschwindigkeit.

Hallo,

ich habe wie ind er Doku beschrieben ein traffic shape angelegt .

Ziel wäre es down/upload 10mbit für web port 80/443.

Muss ich dafür die Ports eingrenzen? greifen die normalen regeln vor dem traffic shape?

1. regel client darf webports 80/443 tcp benutzen, alle anderen ports nicht
2. Traffic shape regel

Oder greift die traffic shape regel zuerst und dadurch sind alle ports frei?

oder greift die regel als erstes und die blocks usw zählen nicht mehr?

Hey,

thanks for your answer. Have you open a ticket ? Have the support answer? when not i open a ticket, because , the function when the plugin works like it would be, where the best.Eventuelly they have not become reported the bugs!? Which alternate have you in your mind?

Greets

Hello Joel,

we also buy a Deciso Appliance. And we also want to you squid as a forward proxy. With the opn-proxy buisness plugin we think, it have the complete function that we want.

But we also dont udnerstodd it full. we try different settings , but we see also policy fallback allow, and dont know where it come from.
we have a * block and test one single site allow, but when we change ip or diffenret , policy falllback allow rule comes.

when we delete custom rules. apply, restart or stop the plugin and start it again, policy tester ,s how the old custom rules and say allow.
how can we clear the cache from the tester?  i though its a buisness solution not , one time its function, one time not.

the wiki is not good for the product. it must have examples for a default buisness like sceneraio with block all, and allow custom different sites.

do you have a final resolution? or can someone thats used the buisness proxy settings , can share pictures?

which socs do you run your arm sense? i think to buy a arm device. can anyone recommed a device for me? i have 1g isp.

you can block all, thats have input ips , and allow only what you want.

you can out a us alias and and a allow rule only for this as source or destiny. or negatate the alias on all rules.

for the handshake ,it needs only the wg ips/net

can you post the full config from the ios device , without priv keys?

have you tried with another key pair?

the log in ios , say no handshake?

you can see udp pakets in the firewall log?

which ips are in the allowed config from your ios device?

no right, the services dont start clearly.

But i try it next days again. I thought defguard are a good tool, rust code, mfa not only on the app side ,opnsense plugin.

But!

Documentation, really really bad. Bugs ( opnsense ) weeks open. Sound like with Version 1.0 they split the features to no enterprise / with enterprise license.

The developers must paid, thats are clear, but in the last time you see often, that opensource code goes the paid way and finally closed.

And when you go in to support opnsense , why no good documentation?

defguard with opensense = can really go enterprise wireguard vpn, but now it does not good work.

But try!! When more people from the opnsense community will try defguard, they will eventually kick in and the support level goes up!

I hear from many people / buisness peoples, the want wireguard , the like wiregurad , but the want a mfa layer. Only asymetrics keys, yes security are good, but too loose the config ( windows , not fully encrypted , malware) and you have they keys . With mfa you have a extra security layer.

I dont understand why its are not in the code from beginning. Like you must put in a code for the connect and then a new psk where handled from peer to peer , or you must proof the psk token, with a code, and then the connection are working.

Greets

So i fight with this module.

What i want, web filterung for specific user for specific websites.
without the old buisness plugin opnporxy i can block all and give websites free, but this wher eonly for all users.

with the opnproxy plugin i have many erros , users can not authetificate:

   Error   (basic_pam_auth)   in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()

User where authificate can accees all websites! , but it have all deny all , and only one website allow.
we though to use ist in our buisness , when test are ready, but when it has no forced block all fallback mode, i have no garanty that all things are right , how  i configured.

so how can i find out where i missconfigured? The policy tester say , the rule is right, but on the real side, user has accees to everthing, when authification comes right.

Failure : athentification:

   Error   (basic_pam_auth)   in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()

Picture one deny all for the web user

Picture two allow opnense website

Have you done this with the opnproxy plugin?

ok with a fresh opnsense install , same settings , its works .

So finaly question, how can a user purge all data from a plugin? so he can go started from scratch. everytime install a new sense , sounds no good.

So i purge the plugins and clear the config file to start from scartch, but it works not anymore.

What is my goal:

Proxy without ssl isprection, only sni information because of url .

I have created a user, this has a block rule with * , so everything and an allow rule for two three pages.

The policy tester says that they work.

In the browser I enter squid as proxy port 3128 https also, but rich can call any page and there is no query for the user data for the proxy.

The opnproxy takes effect via the normal settings with the white and black lists or?

I also see in the log that the requests go through the proxy and are called up. why is there not even a user query without a user?

Does anyone run squid with opnproxy plugin and could show me his config? Slowly I don't know where to start.

purge , must i have clear the squid from the config.xml or clear a folder?