Messages

Thanks for all of your answers!

Hello OPNsense-Forum!

Due to a change of my network-setup, i needed one interface less on my opnsense-vm on proxmox.
Therefore I ...

• disabled the interface on interfaces > [interface-name]
• deleted the interface on inferfaces > assignements
• removed the corresponding virtual nic of the vm on proxmox

After a reboot of OPNsense all nic-assignements were broken.

Is there a way of deleting virtual unassigned nics without breaking the assignements of the existing nics?

Thanks for your help!
Tom

I have exactly the same settings.

Many thanks for your effort, but manually editing shallalist will not solve the bug. And when shallalist gets updated all changes are gone.

I really would like to initiate a discussion in this thread about eliminating the bug:
the whitelist ist not considered when using remote blacklist in combination with transparent-ssl-sni squid-setting

And as hbc confirms: it really seems to be a bug!

WPAD and static proxy are also working for me - but with mobile clients it would be much more easier to use sni.

I found a similar problem on pfsense-forum:
https://forum.netgate.com/topic/128492/we-are-trying-to-work-with-squid-proxy-squidguard-but-whitelist-dont-work

I really think it's  bug.
The question now: is it a squid-bug or an opnsense-bug?

@Amr

Thanks for trying to help me. But I think - sorry if this is impolite - you can not help me until you really want to recognize my problem.

You say that it is weird that i am using internal certificate - 5 lines further you explain that you are using internal certificate as well. Further you claim that you have tested the same installation, but you don't use a remote acl like shalla list.

The problem is neither the internal certificate nor antivirus (not used).
The problem is the shallalist in combination with transparent/ssl/sni-proxy: whitelisted entrys are blocked. All the rest is working as expected.

Greeds an thanks for you help.

The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID

I have reset the cache and restarted squid lots of times...

Can you test, if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?

I think its a bug!

@Amr: Thanks to your response!

I think you got me wrong. The Proxy-NAT works as expected. I can access all websites with proxy except those that I have blocked by an active shallalist-category.

NAT-Rules:

• Interface: LAN / Proto: TCP / Destination-Port: 80 / NAT-IP: 127.0.0.1 / NAT-Port: 3128
• Interface: LAN / Proto: TCP / Destination-Port:443 / NAT-IP: 127.0.0.1 / NAT-Port: 3129

The problem is that the whitelist (e. g. for instagram.com) is not considered  when using a remote acl (e. g. shallalist with active category socialnet) when using proxy in transparent/ssl/sni-mode.

The whitelist is only considered when the proxy is used in non-transparent mode.

Greeds
Tom

[Case 1: No Entry in ACL-Whitelist]

@Amr: Thanks for your answer.

The problem to me still exists.
I found out that it has to do something with the ssl/sni-only-settings.

Here is what i have tested:

• Remote-ACL: Shallalist with only one aktive category: socialnet
• URL for testing: instagram.com

Case 1: No Entry in ACL-Whitelist
Setting Browser to use Proxy-Port 3128
> instagram.com can't be reached
> functioning as expected

Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> functioning as expected

Case 2: Entry in ACL-Whitelist: instagram.com
Setting Browser to use Proxy-Port 3128
> instagram.com can be reached
> functioning as expected

Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> BUG?
> instagram.com as entry in SSL no bump sites has also no effect on this

Hopefully my description is understandable.

Greeds
Tom

May I ask again if there is anybody with an idea?

I have configured the OPNsense-Webproxy with shallalist as Remote ACL.
For some exceptions i always used the Whitelist under Access Control List > Whitelist.
When i try to open a domain blocked by shallalist-category but with a corresponding entry in the whitelist, the domain still will be blocked.

Version of OPNSense: 19.7.8

Forward-Proxy-Config:
- Interface: LAN
- Port: 3128 / SSL: 3129
- Transparent http-Proxy
- SSL inspection
- SNI only

Thanks for your help!

Greeds
Tom

When then somebody should use a proxy?

Because of the possibility of serveral URLs behind the same IP blocking ips via firewall can not be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding ip-address of an url into the browser.

Moreover I do not see the possibility to load a list like the shallalist into the firewall-alias-section. Cloud you explain how to load a list into the alias-section?

My solution for now are the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List

• Whitelist: 172\.16\.[0-9]+\.[0-9]+ (allowing local ips [172.20.0.0/16] in urls)
• Blacklist: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ (denyig all other ips in urls)

When I want to select rules for a public service (frontend), the dropdown always shows one rule less as i have defined in the rules section.
Example: When I have defined 9 rules in the rules-section, only 8 rules are shown in the select-rules-dropdown of a public service.

I  observed this behaviour on Firefox and Chromium.

Can you help me?
Greeds and Thanks!
Tom.

[external]

I have a working opnsense-proxy with shallalist as webfilter.

When I try to open an url from a blocked category, it wont open (as expected).
But when i use the ip of the webserver hosting the url, i can reach the website.

Is there way to block external ip-addresses in urls.
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist does also block internal ips in urls.

Hey Fabian,

thanks for the quick response!
Your suggestion works for me with the following NAT-rule:

• Interface: LAN
• TCP/Protocol: IPv4/TCP+UDP
• Destination port range: 800
• Redirect target ip: <ip of OPNsense>
• Redirect target port: 3128

Thanks for your help!