Messages - Amr

#1
hello Ahmedbasma1,
You can load balance different WANs based on latency https://docs.opnsense.org/manual/how-tos/multiwan.html.
Also you can look into Traffic shaping to make sure traffic is distributed evenly between users https://docs.opnsense.org/manual/how-tos/shaper_share_evenly.html.
#2
Squid proxy can do kerberos authentication, however there's a couple of catches:

  • Neither squid nor opnsense officially support it (not sure if there's an enterprise plugin for it or not), so you'll need to install custom packages (samba, heimdal-clients/MIT), overwrite your custom changes to squid by using templates to survive updates, join the machine to the domain and get a keytab with an HTTP principal, have a second system to test for update compatibility. Frankly, lots of work.
  • You can't run the proxy in transparent mode, you have to configure clients to use the proxy (MITM is a PITA anyway).
A possible workaround:

  • Dynamically assign clients DHCP based on group membership (if your DHCP server supports that, or if you have a NAC), if your environment is small or you can't do DHCP based on Role you can give out static IPs to known clients, and put unknown clients in a separate VLAN/IP range behind a captive portal
  • Segment your network into VLANs (Guest VLAN, Accounting VLAN, Marketing VLAN, etc) and assign clients to each VLAN based on role/known client mac (static mapping)
  • From the CLI, configure squid to have a separate ACL for each segment of the network/VLAN. Here's a link to get started: https://forum.opnsense.org/index.php?topic=16171
#3
Quote: I can't see how to mark this as solved... anyone know?
Just edit your post and add [Solved] before the post's subject.

With that said, I advise you to consider changing your network topology. Your setup is really confusing and not recommended (I don't think you would be able to find a single professional who's willing to support your setup): having everything in the same subnet (DMZ included) and using firewall rules to control traffic between them by IP is a horror story for future upgrades/expansion. You might get away with it since everything is virtualized and it works kind of like a managed switch, and the fact that this is a home lab, but I recommend you learn good practices and deploy them to get a feeling for them.
Here's a couple of ideas to start from:
- Since your host has 4 physical NICs, I would leave 1 for proxmox (a management port in case something horrible happens and you need emergency access to the hypervisor, for example opnsense is down and you can't reach proxmox from the LAN).
- Pass the rest to the firewall (opnsense) and create WAN, LAN and DMZ, with a separate subnet each on a separate port (since this is a virtual environment you can even create virtual interfaces to use for the DMZ, or any other service that's virtualized on the same host), ex: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. Open the required ports between LAN and DMZ hosts, then attach your other VMs/applications to the specific physical/virtual interface. I did a similar setup in my homelab once but I no longer use proxmox, so I can't help you right now with config examples.
#4
hello wincent,
Can't give you a full answer right now, but I can give a couple of hints of how to do it.
Quote: I'd like to ask if there is any way to set up the opnsense auto download the CRL?

  • Set up Windows to export the CRL to a share or FTP/HTTP server periodically.
  • Grab the CRL with tools like wget, smbget, curl, etc. (Opnsense is based on FreeBSD, so search how to install the required package.)
  • Add a cron job that imports the CRL every week.
Quote: Is there a better way to keep the file persistence?
Template overrides persist over updates, but they are harder to configure, and if your override isn't compatible with the new update (for example the new squid version deprecated a configuration directive, ex: cache_peer) then it'll most likely break.
Opnsense provides three directories that are included in squid.conf and don't get overwritten by updates:

  • /usr/local/etc/squid/pre-auth
  • /usr/local/etc/squid/auth
  • /usr/local/etc/squid/post-auth
You can drop a conf file in these directories and they will persist (you need to back them up manually though, with a cron job, or better yet use configuration management software).

PS: the parent proxy is called cache_peer in squid's docs.
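The three steps above (publish, fetch, import on a schedule) leave out the part a defender cares most about: checking the downloaded file before it replaces the CRL you already trust. The script below is an added example for this thread, not OPNsense's own tooling. It assumes the Windows CA publishes the CRL at an HTTP(S) URL, that the issuing CA certificate is already on the box, and that openssl is installed; CRL_URL, CA_FILE and CRL_DEST are placeholders. The import into OPNsense itself is the separate step the post leaves to the reader.

```shell
#!/bin/sh
# Fetch, verify and atomically install a CRL published by a Windows CA.
# Added example; every URL and path below is a placeholder (assumption).
CRL_URL="${CRL_URL:-http://pki.example.invalid/CertEnroll/Corp-CA.crl}"  # placeholder
CA_FILE="${CA_FILE:-/usr/local/etc/crl/corp-ca.pem}"                     # placeholder
CRL_DEST="${CRL_DEST:-/usr/local/etc/crl/corp-ca.crl.pem}"               # placeholder

# crl_inform FILE: Windows CAs usually publish DER; detect PEM by its header.
crl_inform() {
  if head -n 1 "$1" | grep -q -- '-----BEGIN X509 CRL-----'; then echo PEM; else echo DER; fi
}

# crl_epoch "Jan  1 00:00:00 2025 GMT": openssl's date text to epoch seconds,
# using date -j -f on FreeBSD and date -d on GNU systems.
crl_epoch() {
  if date -j >/dev/null 2>&1; then
    date -j -u -f '%b %e %H:%M:%S %Y GMT' "$1" +%s
  else
    date -u -d "$1" +%s
  fi
}

# crl_field FILE INFORM FIELD: print lastupdate/nextupdate without the "name=" prefix.
crl_field() {
  openssl crl -in "$1" -inform "$2" -noout "-$3" | sed 's/^[A-Za-z]*=//'
}

# verify_crl NEW_CRL CA_FILE [INSTALLED_CRL]
# Prints the CRL as PEM on stdout only if (1) its signature validates against
# the CA, (2) nextUpdate is still in the future, and (3) it is not older than
# the CRL already installed; a stale but validly signed CRL served again by a
# compromised or misconfigured web server would otherwise hide fresh
# revocations. Returns 1 on any failure.
verify_crl() {
  inform=$(crl_inform "$1")
  openssl crl -in "$1" -inform "$inform" -noout -verify -CAfile "$2" >/dev/null 2>&1 || return 1
  next=$(crl_field "$1" "$inform" nextupdate) || return 1
  [ "$(crl_epoch "$next")" -gt "$(date -u +%s)" ] || return 1
  if [ -f "$3" ]; then
    old=$(crl_field "$3" PEM lastupdate) || return 1
    new=$(crl_field "$1" "$inform" lastupdate) || return 1
    [ "$(crl_epoch "$new")" -ge "$(crl_epoch "$old")" ] || return 1
  fi
  openssl crl -in "$1" -inform "$inform" -outform PEM
}

# fetch_crl URL DEST: FreeBSD ships fetch(1); fall back to curl elsewhere.
fetch_crl() {
  if command -v fetch >/dev/null 2>&1; then fetch -q -o "$2" "$1"; else curl -fsSL -o "$2" "$1"; fi
}

# Main path, run as "sh fetch-crl.sh run", e.g. weekly from cron as the post
# suggests:  @weekly /usr/local/sbin/fetch-crl.sh run
if [ "${1:-}" = "run" ]; then
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp" "$tmp.pem"' EXIT
  fetch_crl "$CRL_URL" "$tmp" || { echo "CRL download failed" >&2; exit 1; }
  verify_crl "$tmp" "$CA_FILE" "$CRL_DEST" > "$tmp.pem" || { echo "CRL rejected" >&2; exit 1; }
  mv "$tmp.pem" "$CRL_DEST"   # atomic replace: only a verified CRL reaches CRL_DEST
fi
```

The rollback check (step 3) is the one most scripts skip: signature verification alone proves the CA signed the file at some point, not that it is the current one.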
#5
Quote: What's the distinction between an 'allowed' subnet, and an 'unrestricted' ip?

  • 'allowed' subnet: the subnet(s) that are allowed to access the proxy's service. For example if you have VLANs 10.0.1.0/24 and 10.0.2.0/24, you could allow the first by adding it to the list and block access to the latter by simply not adding it.
  • 'unrestricted' ip: an IP that ACLs don't apply to (blacklists don't apply to it, so it can access any website).
Quote: it would be helpful to link to documentation somehow to illustrate the difference.
You can check the conf file at /usr/local/etc/squid/squid.conf or squid.conf.documented.
#6
Quote: Anyone know if this way works?
It would work if the whitelisted website doesn't change IPs frequently (big providers like Google do, for load balancing); if it does, be ready to experience breakage.
- I would go the DNS route if you are okay with the fact that users (malicious or not) can subvert the access control (by using VPN/Tor or any other method). You can pair this method with an IPS (intrusion prevention system) that subscribes to a VPN block list or something, plus periodically reviewing logs and adding firewall rules that allow users http(s) only.
- Else you need to deploy a MITM (transparent proxy), but that's a PITA to configure. Good luck.
#7
Here's a couple of hints:

  • Does the website work normally without using squid? It could be that the certificate is no longer valid/incorrect and squid is refusing the connection; also check the TLS version the website is using.
  • The website could be referencing 3rd party resources, ex: JavaScript; try whitelisting these.
  • It may be using certificate pinning and squid still caches a generated MITM cert, so try resetting cached certs in the Support tab.
PS: MITM is a pain in the ***, good luck.
#8
If you want to overwrite the auto generated config (and the option is not in the GUI), then you need to use the template system, as your modification won't persist (any update will revert the config back to the original state): https://docs.opnsense.org/development/backend/templates.html
However, if you want to add some config, opnsense provides two directories for custom persistent modifications:

  • /usr/local/etc/squid/pre-auth/
  • /usr/local/etc/squid/post-auth/
For example you can make a header.conf file inside pre-auth, drop the rules you want in it, and then restart squid (service squid restart).
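Posts #2, #5 and #8 together describe one technique: a per-segment Squid ACL (allowed subnets, unrestricted IPs) dropped into the persistent pre-auth directory. The script below is an added example written for this thread, not OPNsense's or Squid's own code. It assumes the drop-in is read before OPNsense's generated http_access rules (the posts only say the directory is included and survives updates), and every segment name, CIDR and allowlist path in it is a constructed placeholder.

```shell
#!/bin/sh
# Per-segment Squid ACL drop-in for OPNsense's pre-auth include directory.
# Added example; names, subnets and paths are placeholders (assumption).
PRE_AUTH_DIR="${PRE_AUTH_DIR:-/usr/local/etc/squid/pre-auth}"

# render_segment_acls "UNRESTRICTED IPS"
# Reads lines "name cidr allowlist-file" from stdin and prints Squid directives.
# Ordering is the security-relevant part: http_access is first-match, so the
# unrestricted hosts are allowed first, then each segment is allowed only to
# its own dstdomain list and denied otherwise. A source not listed here falls
# through to whatever OPNsense generated after the include.
render_segment_acls() {
  if [ -n "$1" ]; then
    printf 'acl unrestricted_ips src %s\n' "$1"
    printf 'http_access allow unrestricted_ips\n'
  fi
  while read -r name cidr allowlist; do
    case "$name" in ''|\#*) continue ;; esac   # skip blank and comment lines
    printf 'acl seg_%s src %s\n' "$name" "$cidr"
    printf 'acl sites_%s dstdomain "%s"\n' "$name" "$allowlist"
    printf 'http_access allow seg_%s sites_%s\n' "$name" "$name"
    printf 'http_access deny seg_%s\n' "$name"
  done
}

# install_segment_acls "UNRESTRICTED IPS"   (segment table on stdin)
# Writes the drop-in, keeps the previous copy, and rolls back if squid cannot
# parse the resulting configuration. Restart Squid afterwards, as post #8 says:
#   service squid restart
install_segment_acls() {
  target="$PRE_AUTH_DIR/10-segment-acls.conf"
  mkdir -p "$PRE_AUTH_DIR"
  [ -f "$target" ] && cp "$target" "$target.bak"
  render_segment_acls "$1" > "$target.tmp" && mv "$target.tmp" "$target"
  if command -v squid >/dev/null 2>&1 && ! squid -k parse >/dev/null 2>&1; then
    echo "squid -k parse rejected the new drop-in, restoring the previous one" >&2
    if [ -f "$target.bak" ]; then mv "$target.bak" "$target"; else rm -f "$target"; fi
    return 1
  fi
  echo "$target"
}

# Usage with constructed sample segments; run as: sh segment-acls.sh install
if [ "${1:-}" = "install" ]; then
  install_segment_acls "10.0.0.5 10.0.0.6" <<'EOF'
# name      cidr           allowlist file (one dstdomain per line)
accounting  10.0.1.0/24    /usr/local/etc/squid/sites-accounting.txt
marketing   10.0.2.0/24    /usr/local/etc/squid/sites-marketing.txt
EOF
fi
```

The parse-then-rollback step matters because a drop-in with a typo stops Squid from starting on the next restart, which on a forward proxy means an outage for every segment at once.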
#9
By WiFi phones you mean VoIP phones, right?
Well, VLAN is the way to go, but if it's not an option (you don't have a VLAN-capable switch, or your AP doesn't support VLANs (consider buying a used one?) and you don't plug the AP directly into opnsense), you could try installing OpenWrt on your hardware and using a guest wifi instead (also check if your AP supports guest networks), but I'm not sure if that will work.
#10
Usually, to keep your sanity, you want to run from NAT, not use it ;D (may I ask why you enabled NAT on the TP-Link? You already have a VLAN; NAT doesn't mean security.)
Well back to your question if you want to access your wireguard server from within the network (LAN side), then you can either use


#11
Quote: Is there a cli way of changing which cert is used for the admin UI?
From the CLI choose the second option (Set interface IP), then choose LAN and follow the steps. At the end it'll ask you if you want to revert back to HTTP and then if you want to regenerate a new self-signed cert; choose either.
#12
Quote: I need to statically set the IP, subnet, gateway, and DNS settings for the WAN adapter,
you can set the static IP in the and the gateway in [Interfaces] (gateways can also be configured in [System: Gateways: Single]), DNS is under System: Settings: General.
Quote: and then assign it to a specific LAN adapter.

  • pmhausen's solution should work after setting the gateways, but you'll need to add a couple of rules at the top (for example if you use Unbound DNS you don't want DNS traffic to go through the gateway but to your firewall first; I recommend you read about gateway groups in the docs).
  • An alternative solution is to add manual outbound NAT rules [Firewall: NAT: Outbound] so that you can translate a private subnet into one of your WAN public IPs, for example you can add a rule like so:

    • Interface: WAN_Office
    • Source address: LAN_Office NET
    • Translation / target: WAN_Office address
    Again, consult the docs on how to configure them properly.
PS: You should have posted that in general discussion ;), make sure to post in the right forum to have a higher chance of people responding to you.
#14
For future reference, there's an alternative approach here: https://forum.opnsense.org/index.php?topic=32642.0
#15
Kind of late, but for future reference, you can achieve what you want in several ways:

  • Quote: Or should i think about filtering specific URLs through a VPN? Is that even possible?
    Sure you can: you need to configure a parent proxy, send these specific links to it, and then route the parent through the VPN tunnel (read more on cache_peer).
  • You can also route all proxy traffic through the VPN.
For a how to you can read the tutorial I wrote: https://forum.opnsense.org/index.php?topic=32642.0
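The cache_peer approach in this post has one failure mode worth seeing in the config itself: unless Squid is told otherwise, it can fall back to fetching a domain directly when the parent proxy is unreachable, which would send exactly the traffic you wanted inside the tunnel out over the normal WAN. The drop-in generator below is an added example for this thread, not the linked tutorial's code. It assumes a parent proxy that is only reachable through the VPN (host and port are placeholders) and the pre-auth include directory from post #8.

```shell
#!/bin/sh
# Squid drop-in: route only the listed domains via a parent proxy behind the VPN.
# Added example; parent host/port and the domain list path are placeholders.
render_vpn_parent() {   # $1 parent host, $2 parent port, $3 dstdomain list file
  cat <<EOF
acl via_vpn dstdomain "$3"
cache_peer $1 parent $2 0 no-query no-digest name=vpn_parent
cache_peer_access vpn_parent allow via_vpn
cache_peer_access vpn_parent deny all
# Fail closed: without never_direct, Squid may fetch these domains directly when
# the parent is down, leaking the request outside the tunnel.
never_direct allow via_vpn
always_direct deny via_vpn
always_direct allow all
EOF
}

# Usage (placeholders; then restart Squid as in post #8):
#   render_vpn_parent 10.8.0.1 3128 /usr/local/etc/squid/vpn-domains.txt \
#     > /usr/local/etc/squid/pre-auth/20-vpn-parent.conf && service squid restart
```

The always_direct lines are ordered deliberately: always_direct is evaluated before never_direct, so the VPN domains must be excluded from it before the catch-all allow, or they would never reach the parent at all.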