Messages - WhiteTiger

#1
Virtual private networks / VPN to Dynamic IP (with DDNS)
February 25, 2024, 07:24:33 AM
I would like to set up this scenario:

  • FW1 with OPNsense and a WAN with a static IP.
  • FW2 with software not under my control; it can be OPNsense or something else or even a simple router.
  • Both have WireGuard.
  • FW2's WAN has a dynamic IP and a DDNS.
  • FW1 must create the VPN to FW2 (not vice versa, from FW2 to FW1).
Is it possible to achieve this?
What precautions should I take into consideration?
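An added example for the scenario above, not code from the post or from the WireGuard or OPNsense projects. The precaution most specific to this setup is that WireGuard resolves a peer's Endpoint hostname once, when the peer is configured: after FW2's dynamic address changes, FW1 keeps sending handshakes to the stale IP until something re-resolves the DDNS name, and PersistentKeepalive alone does not fix that. The script below is meant to run periodically from cron on FW1 (the static side that initiates): it re-resolves the name, compares it with what `wg show <iface> endpoints` currently reports, and issues `wg set ... endpoint` only when the two differ. The interface name, peer public key, DDNS hostname and port are placeholder assumptions.

```python
"""Re-resolve a WireGuard peer's DDNS endpoint and update it when it changes.

Added example, not code from the original post or from the WireGuard/OPNsense
projects. Run periodically (e.g. from cron) on FW1, the side with the static IP
that initiates the tunnel. The interface name, peer public key, DDNS hostname
and port below are placeholder assumptions.
"""
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, Optional, Tuple

IFACE = "wg0"                              # assumption: FW1's WireGuard interface
PEER_PUBKEY = "FW2_PUBLIC_KEY_BASE64="     # assumption: FW2's pinned public key
DDNS_HOST = "fw2.ddns.example.org"         # assumption: FW2's DDNS name
PEER_PORT = 51820                          # assumption: FW2's listen port

Endpoint = Optional[Tuple[str, int]]


def parse_endpoints(wg_show_output: str) -> Dict[str, Endpoint]:
    """Parse `wg show <iface> endpoints`: one '<pubkey><TAB><ip>:<port>' line per
    peer, or '(none)' for a peer that has never been reached."""
    endpoints: Dict[str, Endpoint] = {}
    for line in wg_show_output.splitlines():
        if not line.strip():
            continue
        pubkey, _, endpoint = line.strip().partition("\t")
        if endpoint == "(none)":
            endpoints[pubkey] = None
            continue
        host, _, port = endpoint.rpartition(":")
        endpoints[pubkey] = (host.strip("[]"), int(port))  # IPv6 prints as [addr]:port
    return endpoints


def resolve_ddns(hostname: str, resolver: Callable = socket.getaddrinfo) -> Optional[str]:
    """Resolve the DDNS name to one address. Returns None on lookup failure so the
    caller keeps the last known endpoint instead of tearing the tunnel down."""
    try:
        infos = resolver(hostname, None, socket.AF_UNSPEC, socket.SOCK_DGRAM)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None
    return infos[0][4][0] if infos else None


def endpoint_update_command(iface: str, pubkey: str, ddns_host: str, port: int,
                            wg_show_output: str,
                            resolver: Callable = socket.getaddrinfo) -> Optional[list]:
    """Return the `wg set` command needed if the resolved address differs from the
    endpoint WireGuard is currently using, or None if nothing has to change."""
    resolved = resolve_ddns(ddns_host, resolver)
    if resolved is None:
        return None
    current = parse_endpoints(wg_show_output).get(pubkey)
    if current is not None and current[1] == port and \
            ipaddress.ip_address(current[0]) == ipaddress.ip_address(resolved):
        return None
    target = f"[{resolved}]:{port}" if ":" in resolved else f"{resolved}:{port}"
    # Only the endpoint is touched; the peer's key stays pinned, so a spoofed DNS
    # answer can misdirect packets but cannot make FW1 complete a handshake with
    # anyone who does not hold FW2's private key.
    return ["wg", "set", iface, "peer", pubkey, "endpoint", target]


def main() -> int:
    show = subprocess.run(["wg", "show", IFACE, "endpoints"],
                          capture_output=True, text=True, check=True).stdout
    cmd = endpoint_update_command(IFACE, PEER_PUBKEY, DDNS_HOST, PEER_PORT, show)
    if cmd:
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Because FW1 initiates, FW2's configuration needs no Endpoint for FW1 at all, only FW1's public key and allowed IPs; the DDNS name only ever has to be right on FW1's side. A failed lookup deliberately leaves the existing endpoint in place rather than clearing it, so a transient DNS outage does not drop a working tunnel.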
#2
Zenarmor (Sensei) / Is Port25 blocked?
February 25, 2024, 07:09:53 AM
A server in the DMZ sends error messages to an external email address.
The server that should receive them rejects them on port 25.
From a first check it would seem that the ISP does not block port 25 inbound, only outbound.

While waiting for their confirmation, I wonder if it is OPNsense+Zenarmor that is blocking it.

The WAN, LAN and DMZ networks do not have any blocking rules of my own. On the contrary, there is still a Protocol Any / Ports Any / Sources Any / Destinations Any rule.
#3
Zenarmor (Sensei) / Filter with User Groups
February 16, 2024, 09:24:11 AM
I would like to use filters based on User Groups and I would like to register users on FreeRADIUS, but the OPNsense FreeRADIUS plugin does not provide User Groups. These are present only for the local database.

What can I do?
#4
Attached is the screenshot of the "top -ao res" command.

I'm just doing some testing at the moment and have only secured em0-WAN and em1.
In the default policy I only have:
* In Security: Malware/Virus, Phishing, Hacking, Potentially Dangerous.
* In Web Control: Adult, Dating, Pornography, Social Networks.

If I open a well-known porn site I get an error page "This page is blocked".
Instead, if I open a well-known adult magazine, a dating site and the most well-known social network, an ERR_CONNECTION_CLOSED error appears with the message "WEBSITE has closed the connection unexpectedly".
Why is there no error page for these?

About the devices, they are all wrong.
The switch is Android, Win 11 is another Android, the router is Win10, ...
I'll send a log tomorrow.
#5
Thanks for the reply.
I'm sorry, but it's still not clear to me how the two policies overlap.

If I haven't misunderstood:

  • In the configuration I only protect em0 (WAN) and em1 (on which there are VLANs).
  • In the default policy I establish which options to activate that can also be valid for all VLANs.
  • In Policy1 and Policy2 I instead define the options that I intend to enable only for specific VLANs.
Is that correct?

Furthermore, the overlap between the protection of em0 and em1 is not clear to me. If I protect the WAN from malware, for example, I shouldn't need to also protect the LAN and VLANs.
I can only think of the case in which a laptop infected elsewhere is then connected to the LAN.

Then, I have a Quad Core i5 and 8GB RAM; after installing Zenarmor (still configured only superficially) I have CPU peaks at 95% and RAM stable at 81%. Is that correct?
#6
I installed Zenarmor with a Home license.
Over time I had already configured Suricata on the WAN and a rule to block all countries outside my own.
Now with Zenarmor I will have to change something.


  • Is there a filter by country? Or do I keep my rule on the WAN that uses GeoIP from MaxMind?
  • Should I keep Suricata on the WAN? If yes, with what rules? Or rather protect the WAN with Zenarmor?
  • If I enable options in the Default policy, for example blocking Malware/Virus or the "Adult" category, do all the other policies have these options even if not explicitly activated, or do I have to enable them in the other policies too?
  • Are the three policies provided by the license in addition to the Default?
  • On one interface I have VLANs called LAN, Home, Guests which have different uses. However, I read that it would be useful to configure Zenarmor on the interface and not on the VLAN. What should I do?
  • In the device list I find my PC and the switch. Hours later, "Initial identification in progress" still appears. Is that correct?
  • My PC runs Win11 Pro on an ASRock motherboard. Yet it is identified as Lanix Android; instead the HP switch is identified in the Mobiles category as Google OS: Android OS.
#7
Quote from: meyergru on February 09, 2024, 05:16:22 PM
If you take a very short look into the tutorial section, you will most likely find a guide that is always in the top ten because the thread is very active.

If you're referring to the "A+" tutorial, it didn't work for me.
In any case, I don't like it much because it adds a complexity that in my opinion is unnecessary.

Besides that I don't think there are any other tutorials.
#8
Is there no official guide to set up HA Proxy?
I'm following several unofficial guides, but I can't make any progress.

I have a NAS on the LAN (192.168.100.100) reachable on port 55555 that I would like to reach remotely using HAProxy.


  • The DNS domain points to the router's static public address
  • With a ping, my-domain can be reached.
  • A Let's Encrypt certificate is configured on this domain and is recognized and active.
  • On the router, port 55555 is configured with a forward to the OPNsense WAN address.

In HAProxy Settings I configured (with the other options at their defaults):
Real Server
* Type = Static
* FQDN or IP = 192.168.100.100
* SSL = On

Backends
* Mode = TCP (Layer 4)
* Servers: The RealServer created

Condition
* Condition type = SourceIP: TCP source port
* Comparison = equal
* Source port = 55555

Rule
* Test type = IF
* Select conditions = The Condition created
* Execute function = Use Specific Backend Pool
* Use backend pool = The created Backend

Public Service
Listen Addresses = 192.168.100.1:55555
* Type = TCP
* Detailed Logging = On
* Selected rule = The rule created

NAT rule
* Source = Any/*
* Destination = This Firewall
* Destination Port = 55555
* NAT Address = Interface address
* NAT Port = *
* Static Port = No

WAN rule (with logging)
* IPV4 TCP protocol
* Source = Any/*
* Destination = WAN Address
* Destination port = 55555


From a second PC connected to the Internet, if I type https://my-domain:55555 I get a connection timeout error.
In Logs Live View the WAN rule is accepted.
There are no errors in the HAProxy log file.

I had previously configured the various options with HTTP/HTTPS (SSL Offloading) [default] and with the host matches = FQDN option (with and without port 55555).
But the result is always the same. The WAN rule is OK, and there are no errors in HAProxy.

Thanks in advance
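An added example for the configuration listed in the post above, written by hand rather than generated by the OPNsense HAProxy plugin and not taken from the post or from the project: the equivalent haproxy.cfg for a plain TCP passthrough to the NAS. It assumes the addresses from the post (NAS 192.168.100.100, firewall LAN address 192.168.100.1) and that the NAS terminates TLS itself; the section names are illustrative. Two checks a practitioner would make against the plugin settings: the listener has to be bound on the address the port forward actually delivers traffic to (the public service above listens only on the LAN address 192.168.100.1, while the NAT rule on the WAN sends clients to the firewall's WAN address), and in TCP mode no match condition is needed at all, whereas a condition on the client's TCP source port compares against an ephemeral client port and will never equal 55555.

```haproxy
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Listener for remote clients. Bind on every address (or explicitly on the
# WAN address) so traffic forwarded to WAN:55555 is actually accepted;
# binding only on the LAN address leaves forwarded WAN traffic unanswered.
frontend nas_tcp_55555
    bind :55555
    default_backend nas_tcp          # plain passthrough: no ACL or rule needed

# The NAS speaks TLS itself, so the bytes are relayed as-is: no 'ssl' keyword
# on the server line and no certificate on HAProxy in this mode.
backend nas_tcp
    server nas 192.168.100.100:55555 check
```

In TCP passthrough the client's TLS session runs end to end to the NAS, so the Let's Encrypt certificate on OPNsense and the real server's SSL option only come into play when the public service is switched to HTTP/HTTPS (SSL offloading) mode, where HAProxy terminates TLS with that certificate and then opens its own connection to the backend.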
#9
Quote from: meyergru on January 08, 2024, 05:13:25 PM
I just tried this and it works as expected.

Did you create the test users as FreeRadius users (OK) or as System -> Access -> Users (not OK)?

Did you set the type of the authentication server to Radius?

Is the Freeradius Service running?

Now it still doesn't work, and I've rechecked everything, screen by screen.
From System - Access - Tester the user is accepted.
From the browser, on the VLAN, I get Authentication Failed.

I am demoralized and disappointed.
It's a continuous Doing and Undoing.

Penelope, with her cloth, was an apprentice in comparison.
#10
I'm wasting time trying to understand why the Captive Portal login page appears with a new session but then doesn't appear again.
I'm realizing that in reality the session is never closed, and therefore that user continues to be able to access the VLAN without being asked to log in anymore. This also happens when I turn the PC off and on again.

Is that so? Is it intended?

The list of C.P. sessions doesn't help, as it is not updated and in some cases is empty.

The firewall was reinstalled from scratch with all the default options, while the official documentation pages were followed to create the VLAN and the C.P., so no errors should have been introduced.
#11
General Discussion / In these rules, where am I wrong?
January 22, 2024, 04:15:07 PM
I have a VLAN and a VPN and these are working.
However, I have entered some rules to limit VPN use and one doesn't seem to work, but I can't figure out why.
Aliases

  • Home1_TechDevices: Technicians' PCs
  • Home1_WorkingDevices: Devices accessible to users in the VLAN
  • Home1_NoVPN: PCs whose traffic must not pass through the VPN but through the WAN
  • Private_Networks: Networks as per RFC 1918

The sequence of rules should be

  • The technicians do what they want
  • All users access devices in the VLAN
  • All users invoke Captive Control
  • All users who do not belong to the NoVPN group go into the VPN (excluding Private Networks)
  • All remaining users of the VLAN access the OPNsense DNS
  • All remaining users of the VLAN cannot access other networks
  • All remaining users of the VLAN cannot access the firewall
  • All remaining users of the VLAN cannot access the Private Networks (rule disabled because redundant)
  • All remaining users of the VLAN access the Internet via the WAN.

Captive Portal login is never required and rule number 3 (in red) never appears in the log.

There is obviously something blocking it, but I can't figure out what.

#12
My network is... complicated. It needs to be explained better.

Multiple "home" sections coexist on the same wiring, attributable to three different families where some members work in the same company which has its own office.
So I can't have just one "IoT" network or just one "Home" network.
I can't even manage the connections of each family, for privacy reasons.

I solved it by creating 3 VLANs "Home1/2/3", one VLAN for the company, one for its guests and one for IoT devices of company.

In each Home VLAN I am not going to differentiate the use made of their IP addresses, which will therefore cover their PCs, SmartTVs, gaming consoles and IoT devices alike.
On the other hand, those who live in the 3 homes are already used to configuring their devices autonomously, and creating specific VLANs, for example for their IoT devices, would only be a complication that they are then not able to manage.

Following your advice, all traffic coming out of the 3 Home VLANs and the Guest VLAN is routed to the VPN.
Only LAN traffic goes directly to the WAN.

However, for testing purposes and specific needs, I have to let some address blocks of the 3 Homes out via the WAN and not via the VPN.

My questions arise from these considerations.

For example, a Home network is 192.168.100.0/24, but the subnet 192.168.100.64/28 is allowed to bypass the VPN and go directly to the WAN.

From what you suggested, I let all the IPs on the network go to the VPN, excluding only those present in the subnet.

About the log, mine is unreadable because it is constantly filled with "let out anything from firewall host itself (force gw)" and "Block private networks from WAN" messages.
In the documentation I find that I could enable the "Disable force gateway" option, but it is not clear to me if and what consequences this could have.

#13
Quote from: meyergru on November 15, 2023, 06:53:13 PM
...
Also, the Guest network has full unhindered internet access (i.e. no transparent HTTPS proxy). If I was to mistrust my Guests, I could use VPN provider and route all of the Guest network traffic over that provider. If anybody misuses this, the traffic does not originate from my "official" IPs.
...

Hello and happy new year.
I'm continuing my testing where we left off and following your suggestion to use a VPN for the home and guest VLAN.
I need some advice from you.
1) Do all the hosts on your VLAN use the VPN? I would like to differentiate the hosts without creating additional VPNs. I'm finding my way around using subnets. Subnets A and B use VPN, subnets C and D use WAN.
2) In your opinion, what types of devices should not pass through the VPN? Can printers, SmartTVs and IoT only pass through the WAN?
3) How can I understand from OPNsense if a device/PC is using the VPN? I use "ProtonVPN Free" and have no indication in its dashboard that the VPN is being used at that moment. In OPNsense I see traffic in the graph, but the data is generic. I would like something related to the specific host "XYZ".
#14
Zenarmor (Sensei) / Re: Zenarmor NGFW and SWG
January 21, 2024, 12:50:15 PM
SWG is a product from Zenarmor that I found on their site.
https://www.zenarmor.com/zenarmor-secure-web-gateway

It would appear to be a separate product from NGFW, with different features.
https://www.zenarmor.com/zenarmor-next-generation-firewall

The FAQ located on the same page as SWG lists the differences between NGFW and SWG
It is also written:
Quote: Is a secure web gateway a firewall?
No, a Secure Web Gateway (SWG) is not the same as a firewall. While both security solutions play essential roles in an organization's cybersecurity strategy, they have different primary functions.

But then I see that there is a single license price and, above all, only one plugin to install in OPNsense.
This confuses me. Are they two different products or not?
#15
Zenarmor (Sensei) / Re: Zenarmor NGFW and SWG
January 20, 2024, 03:56:59 PM
Thanks for your answer.

What does "in bridge mode" mean?
Where can I find documentation?

If SWG is an independent product, how do you install it?
In OPNsense with a plugin, as an alternative to Zenarmor, or is it a product that can be installed as an alternative to OPNsense?