Messages - JRC

#1
Eh, I gave up on this, and just spun up a VM with openVPN on it, and did a port forward. I'll use Firewall rules to control which VLAN/Service/Servers remote clients can and cannot get to.
#2
I do have a public IPV4, and the firewall logs were not showing anything from my test setup (hotspot off my phone, also had a public IPV4).

When I tried to access my other services, I could see the traffic flowing (I was filtering by source IP), but when I tried to connect to the VPN I saw nothing.

It's possible that my cell provider is blocking VPN traffic, but I think this is very unlikely (Android phone on GoogleFi).
#3
The client is not able to finish the handshake and I cannot work out why.

I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I have double and triple checked my settings and they match these settings, but I am unable to connect from any client; I am getting errors about the handshake not completing.

At this point I am at a loss as to what to do to get this working. I am not entirely sure what I need to post here to help work this out.

The interface I created in step 4(a) is called "Wireguard"

Outbound NAT Rule:
WAN Wireguard net * * * Interface address * NO Wireguard NAT Rule


WAN Rule:
  IPv4 UDP * * WAN address 51820 * * Open Wireguard Port

Wireguard Interface FW Rule:
    IPv4 * Wireguard net * * * * * Allow Traffic from Wireguard Clients

Normalization Rule:
WireGuard (Group), Wireguard any any Wireguard MSS Clamping IPv4

OpnSense V24.1.4


Any suggestions?


Also, some notes in the documentation:

  • The numbering referenced in the article is wrong. When the instructions reference step 5(a) they actually mean 4(a) (I think); this made parsing it pretty difficult.
  • It would be nice if there were some more information about the keys and how to use them and/or how they relate to each other. Step 2 just tells you to insert a public key, and to go to step 7 (doesn't exist) in order to get info on how to generate said key.
  • Step 5a tells you to use the interface Wireguard (Group) instead of the interface you created in step 4(a). Is this correct? (I tried both, but things still don't work)
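A quick way to tell "packets never reach the tunnel" apart from "packets arrive but the keys do not match" is to look at the peer state that `wg show <iface> dump` reports: a peer with no endpoint and zero received bytes has never been heard from (so the WAN rule or NAT is the suspect), while a peer with an endpoint and received bytes but no handshake points at key or allowed-IP mismatches. The parser below is an added example, not code from the forum post or from OPNsense; the dump text, keys and addresses are constructed placeholders, and the expected listen port 51820 is taken from the WAN rule in the post.

```python
"""Flag WireGuard peers that never completed a handshake.

Added example; not part of the original forum post or of OPNsense.
Parses the tab-separated output of `wg show <iface> dump` (a real
command; the sample below is constructed with placeholder keys).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: header line (private key, public key, listen port,
# fwmark), then one peer that handshook 30 s before `now` and one that
# has never been heard from at all.
SAMPLE_DUMP = """\
PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff
PEER_A_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.10:41234\t10.10.10.2/32\t1715640000\t1234\t5678\t25
PEER_B_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.10.10.3/32\t0\t0\t0\t25
"""


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]       # None until the peer has sent a packet
    allowed_ips: str
    latest_handshake: int         # Unix time, 0 = never
    rx: int                       # bytes received from the peer
    tx: int                       # bytes sent to the peer


def parse_dump(text: str) -> Tuple[int, List[Peer]]:
    """Return (listen_port, peers) from `wg show <iface> dump` text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = lines[0].split("\t")
    listen_port = int(head[2])
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append(Peer(
            public_key=f[0],
            endpoint=None if f[2] == "(none)" else f[2],
            allowed_ips=f[3],
            latest_handshake=int(f[4]),
            rx=int(f[5]),
            tx=int(f[6]),
        ))
    return listen_port, peers


def diagnose(text: str, now: int, expected_port: int = 51820,
             max_age: int = 180) -> List[str]:
    """Findings in plain text: listen-port mismatch against the firewall
    rule, peers that never handshook, peers whose handshake is stale."""
    findings = []
    port, peers = parse_dump(text)
    if port != expected_port:
        findings.append(f"listen port {port} != firewall rule port {expected_port}")
    for p in peers:
        if p.latest_handshake == 0:
            # No endpoint and rx == 0: nothing ever arrived on the UDP port,
            # so look at the WAN rule / NAT before touching keys.
            where = "no endpoint seen" if p.endpoint is None else f"endpoint {p.endpoint}"
            findings.append(
                f"{p.public_key[:12]}...: never completed a handshake ({where}, rx={p.rx})")
        elif now - p.latest_handshake > max_age:
            findings.append(
                f"{p.public_key[:12]}...: last handshake {now - p.latest_handshake}s ago")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DUMP, now=1715640030):
        print(line)
```

On the firewall itself the input would come from `wg show wg0 dump` (interface name assumed); the script only reads the dump, it changes nothing.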
#4
Well it turns out that I was using the wrong port (443) instead of 8443. I found this out by going into the /conf/config.xml file, then locating the webui section and seeing what it was set to there.

It works now, with the expired cert and all.

Going to leave this here rather than deleting it. Hopefully it'll help someone in the future.
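The fix above came from reading the configured GUI port straight out of config.xml instead of assuming 443. The snippet below does that read programmatically and builds the URL to test with curl; it is an added example, not code from the post or from OPNsense. It assumes, as the post describes, that the GUI settings sit in a `<webgui>` element under `<system>` with optional `<protocol>` and `<port>` children; the XML is a constructed fragment, and 192.168.2.1 is the LAN address from the curl error in the thread.

```python
"""Recover the web GUI URL from OPNsense's /conf/config.xml.

Added example, not from the forum post or the OPNsense project. Assumes
<system><webgui><protocol>/<port> as the post describes; the config
below is constructed, not a real firewall's file.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed config fragment with the non-default port from the post.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>OPNsense</hostname>
    <webgui>
      <protocol>https</protocol>
      <port>8443</port>
    </webgui>
  </system>
</opnsense>
"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def webgui_settings(xml_text: str) -> Tuple[str, int]:
    """Return (protocol, port). When <port> is absent or empty the
    protocol default applies, which is exactly the case where an admin
    'remembers' 443 after the port was later changed."""
    root = ET.fromstring(xml_text)
    webgui = root.find("./system/webgui")
    if webgui is None:
        raise ValueError("no <system><webgui> element found")
    proto = (webgui.findtext("protocol") or "https").strip().lower()
    if proto not in DEFAULT_PORTS:
        raise ValueError(f"unexpected protocol {proto!r}")
    port_text = (webgui.findtext("port") or "").strip()
    port = int(port_text) if port_text else DEFAULT_PORTS[proto]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return proto, port


def webgui_url(xml_text: str, host: str) -> str:
    """URL to hand to curl, omitting the port only when it is the default."""
    proto, port = webgui_settings(xml_text)
    if port == DEFAULT_PORTS[proto]:
        return f"{proto}://{host}/"
    return f"{proto}://{host}:{port}/"


if __name__ == "__main__":
    # On the firewall itself (path from the post):
    #   with open("/conf/config.xml") as fh:
    #       print(webgui_url(fh.read(), "192.168.2.1"))
    print(webgui_url(SAMPLE_CONFIG, "192.168.2.1"))
```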
#5
It was working, then it stopped working. No changes were made on the opnSense box; the only thing that changed was the possible expiration of the self-signed cert used for the webui, but I would expect that to give me a security error and not a time out. I get the same timeout when I try non-SSL traffic, but I believe that is to be expected.

As near as I can tell Lighttpd is running:


cat /var/log/lighttpd.log
Dec 21 18:24:06 OPNsense lighttpd[57191]: (server.c.2057) server stopped by UID = 0 PID = 64556
Dec 21 18:24:06 OPNsense lighttpd[44915]: (server.c.1551) server started (lighttpd/1.4.61)
Dec 21 18:34:33 OPNsense lighttpd[14335]: (server.c.1551) server started (lighttpd/1.4.61)
Dec 23 20:45:36 OPNsense lighttpd[14335]: (server.c.2057) server stopped by UID = 0 PID = 8414
Dec 23 20:45:36 OPNsense lighttpd[2156]: (server.c.1551) server started (lighttpd/1.4.61)
Feb 22 16:19:44 OPNsense lighttpd[8847]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:21:31 OPNsense lighttpd[8847]: (server.c.2057) server stopped by UID = 0 PID = 24361
May 12 20:21:31 OPNsense lighttpd[30999]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:33:02 OPNsense lighttpd[30999]: (server.c.2057) server stopped by UID = 0 PID = 1781
May 12 20:33:02 OPNsense lighttpd[14785]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:40:55 OPNsense lighttpd[14785]: (server.c.2057) server stopped by UID = 0 PID = 31149
May 12 20:40:55 OPNsense lighttpd[40665]: (server.c.1551) server started (lighttpd/1.4.61)
May 12 20:55:12 OPNsense lighttpd[60294]: (server.c.2057) server stopped by UID = 0 PID = 96360
May 12 20:55:12 OPNsense lighttpd[8095]: (server.c.1551) server started (lighttpd/1.4.63)
May 12 21:02:27 OPNsense lighttpd[75562]: (server.c.1551) server started (lighttpd/1.4.63)



ps aux | grep light
root          75562    0.0  0.0   17684    6824  -  S    21:02    0:00.01 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
root          15614    0.0  0.0 1060888    3116  0  R+   21:07    0:00.00 grep light


I tried restarting lighttpd
configctl webgui restart

and when that did not work I ran:
configctl webgui restart renew

curl also times out, including from the local CLI on the opnSense box itself:



*** OPNsense.domain.tld: OPNsense 21.7.8 (amd64/OpenSSL) ***

LAN (lagg0)     -> v4: <lan_ip>/24
WAN (bce3)      -> v4/DHCP4: <public_ip>/23


curl https://<lan_ip>

curl: (28) Failed to connect to 192.168.2.1 port 443 after 75018 ms: Operation timed out


Not sure where to go from here. So any help would be greatly appreciated.

I am running 21.7.8, and plan to go to 22 as soon as I can get this fixed. Oh, and I can ssh in just fine, from a machine that has a firewall rule that allows all traffic to get to the opnSense box itself (again, this was all working not too long ago, before the cert expired).
#6
Zenarmor (Sensei) / Re: Time base policy
December 05, 2021, 07:11:21 AM
Thanks @mb - I worked out how to do that after I posted here. Looking forward to hearing back from them.
#7
Zenarmor (Sensei) / Time base policy
December 04, 2021, 02:27:21 AM
I am trying to create a policy that restricts certain things during specific hours. Essentially disable certain sites and categories during homework time.

Here is how I have it set to block midnight to 4pm on Fridays and midnight to 6pm Su - Th and not enforced on Saturdays (see the attached image). There are a few blacklisted sites in this policy.

Well, it is currently 5:14pm on Friday and yet this policy is in effect, and the real time log clearly shows that the site is being blocked by the policy that should not be enforced. If I disable the policy the blocking stops. So it is as if Zenarmor is simply ignoring my schedule for some reason.

Here is the log:

Block status Time Source hostname Source port Destination hostname Destination port Block message Interface VLAN Policy
Blocked 12/3/2021 17:22 <int IP> 53570 gateway.discord.gg 443 Blacklisted site access <kids_vlan> 0 Timed Blocking


discord.gg (not set as universal) is on the black list in the policy I call "Timed Blocking" which has the schedule setup as per the image attached. It's notable that the web and app controls are also enforced by this policy outside of the set schedule.

What is it that I am doing wrong here?

EDIT: I confirmed that my opnSense is set to the correct timezone, and confirmed that the local time on the box is correct.
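The schedule in the post is simple enough to evaluate by hand, which makes it a useful reference for comparing against what the log shows: if a plain day-of-week plus time-window check says "not active" at the logged time and the engine still blocks, the disagreement is in the engine or in the clock it uses, not in the rule. The code below is an added example, not Zenarmor's code and not from the post; the schedule is the poster's as described (midnight to 4pm Friday, midnight to 6pm Sunday through Thursday, off on Saturday), and the UTC offset used to show a clock mismatch is an assumed value.

```python
"""Evaluate a time-based blocking schedule like the one in the post.

Added example, not Zenarmor's code and not from the forum post. Window
representation, names and the fixed UTC offset are my own assumptions.
"""
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Tuple

Window = Tuple[time, time]                    # [start, end) on the firewall's wall clock
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)  # datetime.weekday() numbering

# The poster's schedule: block 00:00-18:00 Sun-Thu, 00:00-16:00 Fri, never Sat.
HOMEWORK_SCHEDULE: Dict[int, List[Window]] = {
    SUN: [(time(0, 0), time(18, 0))],
    MON: [(time(0, 0), time(18, 0))],
    TUE: [(time(0, 0), time(18, 0))],
    WED: [(time(0, 0), time(18, 0))],
    THU: [(time(0, 0), time(18, 0))],
    FRI: [(time(0, 0), time(16, 0))],
    SAT: [],
}


def in_window(t: time, window: Window) -> bool:
    start, end = window
    return start <= t < end   # end is exclusive: 18:00 already counts as "after 6pm"


def policy_active(local_dt: datetime, schedule: Dict[int, List[Window]] = HOMEWORK_SCHEDULE) -> bool:
    """True if the block policy should be enforced at this *local* time."""
    windows = schedule.get(local_dt.weekday(), [])
    return any(in_window(local_dt.time(), w) for w in windows)


def to_firewall_local(ts: datetime, utc_offset_hours: int) -> datetime:
    """Convert an aware timestamp to the firewall's wall clock.

    A fixed offset (assumption) keeps the example free of a tz database.
    Evaluating a schedule against the wrong clock is the classic cause of
    'blocked outside the window', so normalise before comparing."""
    if ts.tzinfo is None:
        raise ValueError("pass an aware datetime")
    local = ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.replace(tzinfo=None)


if __name__ == "__main__":
    # The log line from the post: Friday 12/3/2021 17:22, firewall local time.
    seen = datetime(2021, 12, 3, 17, 22)
    print("policy should be active at log time:", policy_active(seen))
```

Feeding the logged timestamp into `policy_active` gives False for the Friday 17:22 entry, which is what the poster expected; the `to_firewall_local` helper shows how the same instant can fall inside the window when it is evaluated on a UTC clock instead of the local one.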

#8
I am migrating my hardware from one server to another for opnSense and this includes Sensei. I backed up my config from the old server, then restored it on the new server. I am running the latest versions of both the Sensei engine (1.10) and opnSense (21.7.5).

When I add my VLAN interface into the Protected interface list I get a popup about the driver having known incompatibilities with Netmap, and it gives me a link to an old post on these forums; from digging around it seems that this issue should be taken care of in this version of opnSense?

I am running this on a Dell R610, with the Broadcom NICs (bce) and I have two interfaces configured as an LACP LAGG for the LAN interface, with VLANs using that as their parent interface. I am only trying to filter the internet on a single VLAN, the others need not be filtered.

So is this a concern? Or am I doing something wrong here?

Thanks in advance for the help!

#9
The issue appears to be flowd.log in my logs folder, it's nearly 30Gb in size.

How do I set it so that this log is rotated at a much smaller size, say 10mb?
#10
So I went to install a plugin on my opnSense box, and got an error that I did not have enough free space, that I had -4Gb free.

The df command returns:

:/ % df -h
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufs/OPNsense               50G     50G   -4.0G   109%    /
devfs                          1.0K    1.0K      0B   100%    /dev
tmpfs                          8.2G    564K    8.2G     0%    /tmp
devfs                          1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                          1.0K    1.0K      0B   100%    /var/unbound/dev


So I am using more than 100% of the drive??

How do I clean this up?
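Both the 30 GB flowd.log question and the "109% used" df output above are about reading sizes correctly, so here is one added example that covers them; it is not from the posts and not OPNsense code. It parses the df -h table exactly as the post shows it (reproduced as constructed input) and a size parser that accepts the "30Gb"/"10mb" spellings used for the rotation threshold. The over-100% figure is genuine: FreeBSD's UFS keeps a root-only reserve (minfree), and once writes eat into it df reports negative Avail and a capacity above 100%, with non-root writes failing before root's do.

```python
"""Parse `df -h` output and explain an over-100% UFS filesystem.

Added example, not from the forum posts and not OPNsense code. The
sample is the poster's df output, reproduced here as constructed input.
"""
import re
from typing import List, NamedTuple

SAMPLE_DF = """\
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufs/OPNsense               50G     50G   -4.0G   109%    /
devfs                          1.0K    1.0K      0B   100%    /dev
tmpfs                          8.2G    564K    8.2G     0%    /tmp
devfs                          1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                          1.0K    1.0K      0B   100%    /var/unbound/dev
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
# Accepts df's "-4.0G", "0B", "564K" and forum spellings like "30Gb", "10mb".
_SIZE_RE = re.compile(r"^(-?\d+(?:\.\d+)?)\s*([KMGT]?)I?B?$", re.IGNORECASE)


def parse_size(text: str) -> int:
    """Human size -> bytes (binary units, negative values allowed)."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


class Mount(NamedTuple):
    filesystem: str
    size: int
    used: int
    avail: int
    capacity: int        # percent exactly as df prints it, may exceed 100
    mounted_on: str


def parse_df(text: str) -> List[Mount]:
    """Parse the `df -h` table; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        fs, size, used, avail, cap = parts[:5]
        mounted = " ".join(parts[5:])   # mount points may contain spaces
        rows.append(Mount(fs, parse_size(size), parse_size(used),
                          parse_size(avail), int(cap.rstrip("%")), mounted))
    return rows


def over_full(text: str, threshold: int = 90) -> List[str]:
    """Report real filesystems at or above `threshold` percent.

    devfs and tmpfs are skipped (devfs is always '100%' by construction).
    Negative Avail on UFS means the root-only reserve is being consumed."""
    findings = []
    for m in parse_df(text):
        if m.filesystem in ("devfs", "tmpfs"):
            continue
        if m.capacity >= threshold:
            note = " (into the root reserve)" if m.avail < 0 else ""
            findings.append(f"{m.mounted_on}: {m.capacity}% used{note}")
    return findings


if __name__ == "__main__":
    for finding in over_full(SAMPLE_DF):
        print(finding)
    print("rotation threshold 10mb =", parse_size("10mb"), "bytes")
```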
#11
20.7 Legacy Series / How to Migrate to new hardware?
December 28, 2020, 03:07:33 AM
Hello everyone,

I am sure there is an easy answer to this, but I wanted to ask to make sure. I want to move my opnSense install from one machine to another (an Intel based server, to a Dell R610) and I was wondering what the best way to migrate the settings over would be, as the network cards would be different.

Currently I have a pair of NICs in a LAG for my LAN side of things and a single NIC for the internet side. I have several VLANs setup on the LAN side as well. The R610 has 4 NICs and I would like to have a similar setup there as well (though I may add the unused NIC to the LAGG and make it have 3 members, not sure yet).

So am I right in guessing that I need to:

1. Install opnSense on the R610
2. Back up the config from the Intel Server
3. Restore it to the R610
4. Do something with the network setup?

Or do I need to do the network interface setup, then restore the config?

Thanks in advance for the help!
#12
Here is a picture of the FW Live View. This is with the explicit allow rule in place on the interface.
#13
General Discussion / Re: Firewall rules
June 04, 2020, 11:52:25 PM
Quote from: marjohn56 on June 04, 2020, 11:16:38 PM
if it's client to client on the same subnet it has S.F.A to do with the firewall, it's point to point. Check the managed switch settings & firewall settings on your clients, start by pinging one from the other, if that works yet something like a web server doesn't then there's an issue with firewall or server settings... windows firewall for example can be an absolute P.I.T.A at times.

It is client to client on the same subnet, but the firewall is blocking it. It shows up in the Firewall live view. There is nothing on the switch that is blocking it and the clients do not have firewalls enabled. On other subnets the client to client traffic does not even touch the firewall, but for some reason in this case it does, and when it does the FW blocks it.

But, none of this explains why opnSense is ignoring the rule when it is allowed, but processing and executing it when it is blocked.

And for the record I am able to ping between these two clients just fine. No other clients have issues communicating directly on this subnet.
#14
General Discussion / Re: Firewall rules
June 04, 2020, 10:36:02 PM
Quote from: marjohn56 on June 04, 2020, 10:06:20 PM
As you are saying VLANs, are these clients connected via a managed switch?

Yes, a Cisco 3560x, but the traffic is being blocked by the firewall on opnSense (they are coming in on the same VLAN interface), so I am not sure this is the issue.
#15
I am sure this is just my lack of understanding but I seem to have this odd situation where opnSense is ignoring an explicit allow rule, but if I toggle it to a deny rule, then it evaluates.

I have client 172.17.100.51, trying to talk to client 172.17.100.50. They are both on the same VLAN interface on opnSense.

This traffic is being denied by the default deny rule, so I went in and created a first match explicit allow rule. Any type of traffic from 51 -> 50 is set to be allowed, the rule is enabled and set to log.

OpnSense appears to completely ignore this rule, it never shows up in the live view, and the default deny rule blocks the traffic.

Here is where it gets odd. If I change the rule from pass to block and jump back to the live view, the rule works, and I can see the traffic being blocked by that rule. Switch it back to allow, and once again the default deny rule kicks in and traffic is blocked.

I have other allow rules on other VLAN interfaces that do work, so I am baffled by this. Any ideas on what I am doing wrong?