Messages - themadwizard

#1
And here I thought only Sophos firewalls were stupid enough to require you to break up pools to reserve addresses in the pool space.  Awful design.

Quote from: MarkH on July 12, 2024, 01:28:56 PM
The KEA error log explains the address you chose for hifiberryamp is not available, as it's already in use, so instead it's advertised (offered) 192.168.30.101.

Static lease changes from ISC DHCP to KEA:

DHCP reservations must fall within the Interface subnet and must be outside any DHCP scope defined in KEA DHCP server.

This is a more strict configuration requirement than the legacy ISC DHCP Server.

Having static leases defined that fall within a scope does not prevent a DHCP server from offering that IP as a lease, which may (mistakenly) be the expected behaviour.

In your question you don't specify what your DHCP scope(s) [also known as pool(s)] is/are, so I'll assume you've left these as default which matches the interface's subnet.

This is an example of a CORRECT config:

Interface subnet: 192.168.30.0/24
Interface Usable IPs: 192.168.30.1 - 192.168.30.254
Interface IP: 192.168.30.1/24
DHCP Scope: 192.168.30.1 - 192.168.30.180
DHCP static lease for mac address: d8:3a:dd:fc:44:82 192.168.30.182

And below is an example of an INCORRECT config:

Interface subnet: 192.168.30.0/24
Interface Usable IPs: 192.168.30.1 - 192.168.30.254
Interface IP: 192.168.30.1/24
DHCP Scope: 192.168.30.1 - 192.168.30.254
DHCP static lease for mac address: d8:3a:dd:fc:44:82 192.168.30.182

If this doesn't work, can you confirm the scope(s) set for KEA on this interface?
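The quoted rule (reservation inside the interface subnet, outside every pool) is easy to check mechanically. The script below is an added example, not code from the thread, from OPNsense or from Kea; it encodes that rule for IPv4, validates the MAC format used in the post, and suggests the lowest free address outside the pools. The "scope" notation `a.b.c.d - e.f.g.h` is taken from the quoted config; the function names are my own.

```python
"""Check a KEA static reservation against the interface subnet and dynamic pools.

Added example; the rules it encodes are the ones quoted above: a reservation
must be inside the interface subnet and outside every pool (scope).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Six colon-separated hex octets, the form used in the post (d8:3a:dd:fc:44:82).
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Pool:
    """An inclusive dynamic-lease range (a KEA pool, called a 'scope' in the GUI)."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last


def parse_pool(text: str) -> Pool:
    """Parse a range written as 'a.b.c.d - e.f.g.h'."""
    lo, hi = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    if lo > hi:
        raise ValueError(f"pool start {lo} is after pool end {hi}")
    return Pool(lo, hi)


def check_reservation(iface: str, pools: List[Pool], mac: str, ip: str) -> List[str]:
    """Return every reason the reservation would be rejected; an empty list means OK.

    iface is the interface address in CIDR form, e.g. '192.168.30.1/24'.
    """
    iface_if = ipaddress.IPv4Interface(iface)
    net = iface_if.network
    addr = ipaddress.IPv4Address(ip)
    problems: List[str] = []

    if not _MAC_RE.match(mac.lower()):
        problems.append(f"MAC {mac!r} is not six colon-separated hex octets")

    if addr not in net:
        problems.append(f"{addr} is outside the interface subnet {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    elif addr == iface_if.ip:
        problems.append(f"{addr} is the firewall's own interface address")

    # The KEA-specific rule from the post: a reservation inside a pool is not
    # accepted, because the pool can hand out that address as a dynamic lease.
    for pool in pools:
        if addr in pool:
            problems.append(
                f"{addr} lies inside the dynamic pool {pool.first} - {pool.last}; "
                "KEA reservations must sit outside every pool"
            )
    return problems


def first_free_outside_pools(iface: str, pools: List[Pool], taken: List[str]) -> Optional[str]:
    """Suggest the lowest host address that is outside all pools and not already taken."""
    iface_if = ipaddress.IPv4Interface(iface)
    taken_addrs = {iface_if.ip} | {ipaddress.IPv4Address(t) for t in taken}
    for host in iface_if.network.hosts():
        if host in taken_addrs or any(host in pool for pool in pools):
            continue
        return str(host)
    return None


if __name__ == "__main__":
    iface = "192.168.30.1/24"
    mac = "d8:3a:dd:fc:44:82"
    # The CORRECT config from the post: pool stops at .180, reservation at .182.
    print(check_reservation(iface, [parse_pool("192.168.30.1 - 192.168.30.180")], mac, "192.168.30.182"))
    # The INCORRECT config: the pool covers the whole subnet, so .182 is inside it.
    for problem in check_reservation(iface, [parse_pool("192.168.30.1 - 192.168.30.254")], mac, "192.168.30.182"):
        print("rejected:", problem)
```

Run against the two configs quoted above, the first returns no problems and the second reports the reservation inside the .1 - .254 pool, which is exactly why the original poster was offered 192.168.30.101 instead of the reserved address.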
#2
Hello!

I have been having this problem literally since day one that I started using OPNSense.  It didn't matter in the past, but I am moving to a new device and some of my requirements are changing.  I have a rule set up to allow the opt1 network to access the opt1 address * * and I have two rules forwarding ports 80 and 443 to the Squid Proxy (transparent).  I have the exact same rules on my LAN interface.  On my LAN interface, I can access the firewall just fine using the LAN IP.  On OPT1, I get an Access Denied message from Squid saying that Access Control is preventing me from accessing the GUI.  I have checked every setting I can find, and I cannot find anything in the Web Proxy that would allow/prevent me from accessing the Web GUI.  I checked the Settings and the Web GUI is listening on LAN and OPT1.  I made sure that reply-to is disabled on the OPT1 firewall rule.

Does anyone have any other ideas as to why I can access the Web GUI just fine from the LAN interface, but not at all from the OPT1 interface?
#3
Thanks for the curl -v tip.  I had tried curl with other options, but not that one.  Following that trail led me to running curl -t http://proton.me/mail and getting an Access Control List block error.  There is no reason whatsoever that proton should be in an ACL, but after whitelisting it (I had already whitelisted everything but proton.me) and bouncing Squid, I am able to access it again.

It appears that the UT1 list added proton.me to their VPN category, even though that domain is used for ALL of Proton's services.
#4
Well, I have confirmed it, it is something with the proxy server.  I disabled the rules forcing SSL traffic to the proxy server, and I was able to connect to protonmail sites.  As soon as I re-enabled the rules (rules that have been in place for years), I was no longer able to go to the sites.

Any thoughts as to where I should start looking in the proxy server?
#5
I haven't tried a direct connection without a proxy, as that will take the whole site down.  I might do that late tonight.

As far as browsers, I have tried it in Firefox and Chrome (normal and incognito/private) on multiple Windows computers, Firefox on Android, the Protonmail Android app, the Proton Drive Android app, all with the same results of being unable to connect to the site.  If I disable the wifi on my phone, Proton Mail works immediately.
#6
Earlier this week, I started getting PR_END_OF_FILE_ERROR from Firefox when trying to go to protonmail and I have seen it on a couple of other random sites.  No device on my network is able to load protonmail, not from any browser, phone, or app.  I have tried disabling AV, etc., to no avail.  I updated the firewall to OPNsense 23.1.9-amd64 hoping that might resolve it, but the issue persists.  If I take my devices off my network, they can connect fine.  The common point is the firewall.  Does anyone have any ideas of what I can do to resolve this?  I have added the various proton* sites to the SSL no bump list, but no change.  I can nslookup the proton sites and ping them with no trouble.

Thoughts?
#7
I wonder if this is related to the issue that I am having - when I upgraded to 22.7.5, DNS over HTTPS broke for all browsers using it and Netflix and Xbox will no longer connect.  Maybe the update broke something in the proxy?

Update: There was an issue in Squid after 22.7.5.  They claim it has been fixed in 22.7.6.
#8
[Edit: Deleted]
#9
Some things might let me switch over to DNS over TLS, but the Netflix app won't, and neither will the various Xbox and Microsoft services, which are also failing due to this.

I updated to 22.7.6 a little bit ago and bounced Squid a couple of times, and it appears to be working now.  Will update if there are further issues.
#10
Hello!

Last night, I upgraded to 22.7.5.  Immediately after, any browser on the network that uses Secure DNS through Cloudflare is unable to load any secure sites.  I don't really even know where to start looking for the problem.  No settings have changed since before the upgrade.  I am running a filtering proxy, and I added 1.1.1.1 to the SSL No Bump list just in case, but that didn't help.  My normal DNS for the firewall is OpenDNS and doesn't seem to be having an issue.  I have all DNS requests captured and forwarded to Unbound.

Any thoughts?

Update: Cloudflare isn't the only one that doesn't work.  One of the Android phones was set to use AdGuard as a Private DNS and no secure sites would work on that phone until that setting was disabled (or it was connected to the cell network).
#11
So, even more sites keep getting blocked, generally by IP.

Now, I even get the message when I browse to the opnsense firewall by the internal DNS name.  I can only get to it if I go to the IP directly.

Any ideas?
#12
No.  The opnsense router is providing DNS as well as proxy, content filtering, etc.
#13
And now, it is blocking 151.101.193.21 out of nowhere, which is a Fastly IP.  This is preventing purchases via PayPal.  What the hell is going on?
#14
Unfortunately, this issue still keeps cropping up from time to time and I am unable to determine the cause.  I am able to work around it by whitelisting the IP address that the error page serves up, but that is a terrible band-aid and does nothing to indicate what the actual problem is.  Does anyone have any suggestions where in the system I would look to see why Access Control is denying these IPs?

idahoparcels.us  (104.238.74.120)
hillmeat.com (104.238.74.120)
kwausa.com (184.168.131.241)
and some GoDaddy control panel at 104.238.65.135

Access Denied occurs whether it is http or https.  None of these sites fit into any of the ACL categories, and it is the IP Address that is listed on the Access Denied page, not the website. 

I am completely baffled.
#15
Hello!  I am having a strange issue that I cannot seem to run down.

When anyone on my network tries to browse to https://idahoparcels.us they receive this error message:

The following error was encountered while trying to retrieve the URL: https://104.238.74.120/*

    Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is admin

Generated Wed, 08 Jul 2020 03:59:09 GMT by network (squid/4.11)

104.238.74.120 is the IP that the site is hosted on.  I get the same message if I try to go to the IP address directly.  This site works just fine if I check it from outside the network.  I have tried everything I can think of, including putting this on the no-bump-ssl list and on the whitelist, both by FQDN and by IP, but I get the same result every time.  The certificate returned is the internal cert, just like when any other site comes up against the ACL.  I have other sites in the whitelist and they work just fine. 

I have the proxy set to Transparent, Enable SSL Inspection, and Log SNI information only.  All other sites work correctly.

I also have tons of these errors in the log, but I don't think they are related:

SendEcho ERROR: sending to ICMPv6 packet to [2620:1ec:bdf::10]: (65) No route to host

When I look in the access log for idahoparcels.us, I get this:

2020-07-07T20:59:09.630000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/favicon.ico - HIER_NONE/- text/html
2020-07-07T20:59:09.360000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:59:05.140000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:56:03.520000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:52:49.960000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:44:20.790000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:40:39.300000 0 192.168.0.110 NONE/403 3729 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:40:33.780000 95 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:40:31.150000 105 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:40:26.060000 91 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/favicon.ico - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:40:25.630000 115 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:33:45.340000 0 192.168.0.110 NONE/403 3729 GET https://idahoparcels.us/favicon.ico - HIER_NONE/- text/html
2020-07-07T20:33:45.080000 0 192.168.0.110 NONE/403 3729 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:33:31.910000 154 192.168.0.110 TCP_MISS/200 26666 GET http://idahoparcels.us/favicon.ico - ORIGINAL_DST/104.238.74.120 image/x-icon
2020-07-07T20:33:31.330000 128 192.168.0.110 TCP_MISS/200 1007 GET http://idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html

If I search for  104.238.74.120, I get:

2020-07-07T21:03:14.520000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T21:03:14.340000 0 192.168.0.110 NONE/403 3682 GET https://104.238.74.120/* - HIER_NONE/- text/html
2020-07-07T21:03:14.340000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:14.370000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:13.780000 0 192.168.0.110 NONE/403 3682 GET https://104.238.74.120/* - HIER_NONE/- text/html
2020-07-07T20:59:13.760000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:09.630000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:09.570000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:09.360000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:05.370000 6 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:05.120000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:56:03.640000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:56:03.500000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:55:35 0 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:53:42.760000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:53:07.950000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:53:07.900000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:52:56.720000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:52:56.430000 0 192.168.0.110 NONE/403 3682 GET https://104.238.74.120/* - HIER_NONE/- text/html
2020-07-07T20:52:56.410000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:52:50.160000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:52:49.940000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:44:21 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:44:20.780000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:40:40.450000 4 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:40:39.280000 3 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:40:33.780000 95 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:40:31.150000 105 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:40:26.060000 91 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/favicon.ico - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:40:25.630000 115 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:34:09.710000 0 192.168.0.110 NONE/403 3729 GET https://104.238.74.120/favicon.ico - HIER_NONE/- text/html
2020-07-07T20:34:09.690000 5 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:09.660000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:09.290000 0 192.168.0.110 NONE/403 3729 GET https://104.238.74.120/* - HIER_NONE/- text/html
2020-07-07T20:34:09.270000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:09.170000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:08.130000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:07.090000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:06.050000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:05.010000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:03.910000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:03.740000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:03.540000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:00.220000 3 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:34:00.080000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:56.910000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:56.770000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:54.430000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:54.140000 3 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:54.050000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:45.330000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:45.290000 5 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:45.060000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:44.870000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:43.830000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:42.790000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:41.750000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:39.280000 3 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:39.090000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:38.970000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:33.530000 13 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:33.150000 1 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:32.990000 175 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:33:31.910000 154 192.168.0.110 TCP_MISS/200 26666 GET http://idahoparcels.us/favicon.ico - ORIGINAL_DST/104.238.74.120 image/x-icon
2020-07-07T20:33:31.330000 128 192.168.0.110 TCP_MISS/200 1007 GET http://idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html

Does anyone have any ideas?
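The access-log excerpts above are easier to reason about once they are grouped by destination host and scheme. The script below is an added example, not part of the thread and not OPNsense or Squid code; it parses the field layout seen in those lines (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, MIME type), treats `NONE/403` and any `TCP_DENIED` result as a denial, and reports hosts that succeed over plain HTTP but are denied on every HTTPS request. The sample lines are copied from the post; the function names are my own. Separating the two buckets helps tell a name- or category-based ACL hit (which would also block the `http://` fetch) from a block that only bites on the bumped TLS connection to the IP.

```python
"""Summarise Squid access.log lines by destination host and scheme.

Added example for the logs posted above. Field order is the one in those lines:
timestamp elapsed_ms client result/status bytes method url user hierarchy/peer mime
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Sample lines copied from the post above (newest first, as the log viewer shows them).
SAMPLE_LOG = """
2020-07-07T21:03:14.340000 0 192.168.0.110 NONE/403 3682 GET https://104.238.74.120/* - HIER_NONE/- text/html
2020-07-07T21:03:14.340000 2 192.168.0.110 TCP_DENIED/200 0 CONNECT 104.238.74.120:443 - HIER_NONE/- -
2020-07-07T20:59:09.630000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/favicon.ico - HIER_NONE/- text/html
2020-07-07T20:59:09.360000 0 192.168.0.110 NONE/403 3682 GET https://idahoparcels.us/wordpress/ - HIER_NONE/- text/html
2020-07-07T20:40:33.780000 95 192.168.0.110 TCP_MISS/404 629 GET http://www.idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
2020-07-07T20:33:31.910000 154 192.168.0.110 TCP_MISS/200 26666 GET http://idahoparcels.us/favicon.ico - ORIGINAL_DST/104.238.74.120 image/x-icon
2020-07-07T20:33:31.330000 128 192.168.0.110 TCP_MISS/200 1007 GET http://idahoparcels.us/ - ORIGINAL_DST/104.238.74.120 text/html
"""


@dataclass(frozen=True)
class Entry:
    timestamp: str
    elapsed_ms: int
    client: str
    result: str     # Squid result code: TCP_MISS, TCP_DENIED, NONE, ...
    status: int     # HTTP status returned to the client
    method: str
    url: str
    hierarchy: str  # ORIGINAL_DST/<ip> when something was fetched, HIER_NONE/- when not

    @property
    def denied(self) -> bool:
        # NONE/403 is Squid serving its own Access Denied page; TCP_DENIED/200 on a
        # CONNECT is the bumped tunnel it opens only to deliver that page.
        return self.result == "TCP_DENIED" or self.status == 403

    @property
    def scheme(self) -> str:
        return "https" if self.method == "CONNECT" else (urlsplit(self.url).scheme or "http")

    @property
    def host(self) -> str:
        if self.method == "CONNECT":          # the URL field is host:port
            return self.url.rsplit(":", 1)[0]
        return urlsplit(self.url).hostname or self.url


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access.log line; return None for anything that is not one."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    result, _, status = fields[3].partition("/")
    return Entry(fields[0], int(fields[1]), fields[2], result, int(status),
                 fields[5], fields[6], fields[8])


Summary = Dict[str, Dict[str, Dict[str, int]]]  # host -> scheme -> {"allowed": n, "denied": n}


def summarise(lines: List[str]) -> Summary:
    table: Summary = defaultdict(lambda: defaultdict(lambda: {"allowed": 0, "denied": 0}))
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            table[entry.host][entry.scheme]["denied" if entry.denied else "allowed"] += 1
    return {host: dict(schemes) for host, schemes in table.items()}


def https_only_denials(summary: Summary) -> List[str]:
    """Hosts that were served over plain HTTP but denied on every HTTPS request."""
    return sorted(
        host for host, schemes in summary.items()
        if schemes.get("http", {}).get("allowed", 0) > 0
        and schemes.get("https", {}).get("denied", 0) > 0
        and schemes.get("https", {}).get("allowed", 0) == 0
    )


def fully_denied(summary: Summary) -> List[str]:
    """Hosts with no allowed request under any scheme."""
    return sorted(
        host for host, schemes in summary.items()
        if all(counts["allowed"] == 0 for counts in schemes.values())
    )


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for host, schemes in summary.items():
        print(host, schemes)
    print("denied only on HTTPS:", https_only_denials(summary))
    print("denied everywhere:", fully_denied(summary))
```

On the sample lines this reports idahoparcels.us as reachable over HTTP but denied on every HTTPS request, and 104.238.74.120 (the IP the error page names) as denied on everything, which matches what the post describes.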