Messages - mokaz

#1
Hi there,

In fact, you'd want to avoid a tunnel down from "remote office", although what are the risks:
1 -- "Remote Office" ISP line/hardware down/bricked.
2 -- OPNsense cluster down.
3 -- local Layer2 devices (switches etc) down.
4 -- "Home Office" unreachable.

In the occurrence of 1, 2 and/or 3, there won't be any connectivity to anything at all from "Remote Office" anyway.
Hence, how many times a year is the "Home Office" unreachable?

If I were in your shoes, I'd raise a few questions and would try to get their real answers:
-- do we really "need" all the "remote office" traffic to "break out" at "home office"? Wouldn't internal resources be enough, i.e. 10.0.0.0/8?
-- Connectivity behind a FW typically means Layer 3; does it make sense to cross a tunnel to get the needed Layer 3 remote endpoints set up (DHCP over IPsec)?
-- what is the "remote office" sustained bandwidth need on average?
-- what about adding a cheap LTE 4G/5G local break-out at "remote office"?

I would go for a backup "line" with LTE 4G/5G if sustainable.
Also, is IPsec a compliance-tied item? WireGuard tunnels would come up extremely fast from whichever source IP your "Remote Office" is coming from.

Hope this helps a bit.
Cheers
#2
Hi team,

Been wondering if matching hosts from the host header in HTTP would be possible in order to address different upstream servers, obviously serving different purposes.

So the idea would be:
nginx:443 --> host header = host1.domain.suffix --> upstream_1
nginx:443 --> host header = host2.domain.suffix --> upstream_2
and so on.

The backend is not using TLS, so TLS is terminated at the NGINX level. In my testing, it seems that within the "location" I can match the URL but not the requested hostname; maybe I'm missing something really obvious here. I succeeded with such a config using Caddy, but if at all possible I'd like to couple that with NGINX + Naxsi WAF.

Let me know,
regards,
m.
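A minimal nginx configuration for the Host-header routing asked about above, added here as an example; it is not code from the original post, and the hostnames, backend addresses and certificate paths are assumptions. The selector is `server_name` in a `server` block rather than `location`: once TLS is terminated, nginx picks the `server` block whose `server_name` matches the Host header (the certificate itself is chosen earlier from SNI), so each name can point at its own upstream.

```nginx
# Added example (not from the original post): route by Host header to
# different plaintext backends, terminating TLS at nginx.
# Backend addresses and certificate paths are placeholders.

upstream upstream_1 {
    server 10.0.1.10:8080;   # assumed plaintext backend for host1
}

upstream upstream_2 {
    server 10.0.1.20:8080;   # assumed plaintext backend for host2
}

# Catch-all for requests whose Host header matches no name below.
# Without an explicit default_server nginx would hand such requests to the
# first server block defined, i.e. silently to one of the backends.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/private/default.crt;   # placeholder
    ssl_certificate_key /etc/ssl/private/default.key;   # placeholder
    return 444;   # close the connection without sending a response
}

server {
    listen 443 ssl;
    server_name host1.domain.suffix;
    ssl_certificate     /etc/ssl/private/host1.crt;     # placeholder
    ssl_certificate_key /etc/ssl/private/host1.key;     # placeholder

    location / {
        proxy_pass http://upstream_1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name host2.domain.suffix;
    ssl_certificate     /etc/ssl/private/host2.crt;     # placeholder
    ssl_certificate_key /etc/ssl/private/host2.key;     # placeholder

    location / {
        proxy_pass http://upstream_2;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate with `nginx -t` before reloading. The `default_server` block is the part worth keeping even when only one name is in use: it makes a request with an unexpected or missing Host header fail closed instead of reaching the first backend, and per-`location` rules (a WAF included) then only ever see traffic for the hostname they were written for.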
#3
General Discussion / Re: DualWAN Issue
October 16, 2025, 05:36:13 PM
Hey there,

Not an extreme specialist on multi-WAN, though I have a few of these in my setup.

On your modem uplink, check the following when connected to OPNsense:
-- interfaces>overview --> you'll directly check whether an IP stack is bound to your vtnetX "wan2" interface.
-- system>gateways>configuration --> you need a gateway per uplink; one for your WAN2 should be present.
-- system>gateways>group --> you'll need a GW group to pool your uplinks (I do this in Tier1 + weight if needed (asymmetrical uplink bandwidth etc.)).

As for NAT, obviously depending on what is behind the OPNsense wan2 port, you either need to do NAT at the OPNsense level or you can leave it to the upstream device if it does NAT. I.e. LTE modems are usually doing NAT per default between their LAN port and the LTE uplink. However, I do prefer to have NAT under my control, so whenever addressing an entity labeled as WAN within OPNsense, I'd apply NAT and in an old-school manner: manual outbound NAT rule generation.

Hope this helps a bit.
Cheers,
#4
Yes, same experience here; I actually just wanted to donate again (did so last year) and saw PayPal and card payments with a form that looked like my resume (although just empty) --> backpedaled as well. I won't say anything bad about PayPal though; my only concern is that I can log on to that thing once out of ten attempts, effectively locking my own account, needing a landline, a mobile phone, my grandmother's ID on top of mine and god knows what else. This is in fact technology that doesn't work and I prefer to spend my time on things that do: work. An alternative would be welcome, yes.
#5
Hi there,

I'm trying to figure out how I could conditionally redistribute static routes (present on ONS_2 in my uploaded representation) within BGP.
The static routes at ONS_2 are tied to a gateway entry (=host ip_forward=1 in my representation), gateway entry which has a Monitor IP set.


My goal would be to redistribute these routes within BGP only if the monitored IP is up.
Any hints at enabling this?

Thanks a lot,
Regards
#6
I guess that one explanation would be that the adjacent switch DOES NOT have the MAC entries for the involved local subnet IPs (host down/decommissioned etc.) and is in fact flooding these frames to all other ports except the receiving port.

The witnessed destinations are always the same set of destination IPs, with the annoyance that some of the frames involved seem to trigger Suricata with: ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag...

Not much I can do I guess..
#7
Hi all,

I have tested a root server @Hetzner with OPNsense and I have the feeling that I'm witnessing all the traffic within the given /26 of the root server's assigned public IP address... Has anyone seen this as well? Have I perhaps missed any "opnsense" settings on my WAN interface?

For example:
Interface     Time                       Source             Destination             Proto     Label
-------------------------------------------------------------------------------------------------------------------
WAN1        2025-09-20T09:42:11      65.109.83.177:51040    xx.xx.xx.14:9060    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:41840    xx.xx.xx.14:9901    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:51246    xx.xx.xx.14:9100    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      45.142.193.63:56217    xx.xx.xx.13:22363    tcp    CrowdSec (IPv4) in   
WAN1        2025-09-20T09:42:11      65.109.83.177:44502    xx.xx.xx.14:9113    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:38206    xx.xx.xx.14:9903    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37934    xx.xx.xx.14:5054    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37532    xx.xx.xx.14:9902    tcp    WAN1_DENY_ALL   

I do not own any of the destination IPs listed above...

Let me know,
Kind regards,
m.

EDIT: the OPNsense wan interface is not in promiscuous mode / IPS is enabled on the interface in IPS mode
#8
Hi,

Sorry to necrobump this one, but there are only very few WG/BGP posts. If possible, could you share an anonymized version of the setup you've enabled here? I would also like to know whether each of your distinct local WG instances is listening on a dedicated UDP port, which according to my current testing seems to be the case.

Thanks,
regards,
m.
#9
Hi all,

I would like to be able to "double" the access logs whenever possible:

1 - per Syslog facility and further sent to remote log aggregation.
2 - per File (/var/log/squid/access.log) to crawl the logs with SARG locally.

Perhaps I could do point #2 using syslog data, but I wouldn't know "how" just yet.
If anyone could give some hints, thanks a lot.

Let me know,
Kind regards,
m.
#10
Had the same issue, here is what fixed it for me:

  • updated the vCPU scheme of the VM from "kvm64" to "Haswell-noTSX".
  • VM power off/power on.
  • shifted the IPS engine from "Aho–Corasick Ken Steele variant" to "Hyperscan" (only possible post point #1 here).

According to the docs, Hyperscan seems to be the best option whenever supported; I'll leave it at that here.
https://docs.opnsense.org/manual/ips.html

Kind regards,
m.
#11
Hi team,

Has anyone already implemented this Squid feature on OPNsense?
https://wiki.squid-cache.org/ConfigExamples/Portal/Splash

Roughly, this would use a "squid.conf" directive to present a "captive portal" web-based authentication form, for example using a directive like:
deny_info 511:/etc/squid/splash.html session_is_active
I have to reckon that I haven't completely understood that Squid feature yet and what is needed behind it (backend auths, session state, time management etc.).

I was wondering if perhaps something like this could be implemented jointly with the OPNsense Captive Portal facility in fact, this in Explicit Proxy use cases.

Let me know,
Kind regards,
m.
#12
Hi sy,

Thanks for your update, I'll check to do so.
Meanwhile, ZA "does" see the traffic, the issue being that "Web Controls" doesn't pick it up on CONNECT tunnel requests. This while the requested URLs are available in clear text on the LAN side:

root@prx1:/home/bobby # tcpdump -i vtnet0 -np | grep CONNECT
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:02:54.074027 IP PROXY-CLIENT.46618 > PROXY-SERVER.8080: Flags [P.], seq 1:257, ack 1, win 502, options [nop,nop,TS val 57998426 ecr 1936303233], length 256: HTTP: CONNECT manyvids.com:443 HTTP/1.1
21:02:54.348588 IP PROXY-CLIENT.46632 > PROXY-SERVER.8080: Flags [P.], seq 1:257, ack 1, win 502, options [nop,nop,TS val 57998701 ecr 1409233581], length 256: HTTP: CONNECT manyvids.com:443 HTTP/1.1
21:04:14.658498 IP PROXY-CLIENT.41590 > PROXY-SERVER.8080: Flags [P.], seq 1:257, ack 1, win 502, options [nop,nop,TS val 58079013 ecr 3706001154], length 256: HTTP: CONNECT manyvids.com:443 HTTP/1.1
21:04:15.019787 IP PROXY-CLIENT.41618 > PROXY-SERVER.8080: Flags [P.], seq 1:257, ack 1, win 502, options [nop,nop,TS val 58079374 ecr 3162541456], length 256: HTTP: CONNECT manyvids.com:443 HTTP/1.1

In the above example, only the Squid-initiated "WAN" connectivity request to "manyvids.com" would be caught as "Pornography" (not part of the above tcpdump filter as it is fired from vtnet1). IMPOV, the CONNECT requests are never matched against any filters in place at all, although they're seen.

I'd say it's an easy use case to reproduce, and if needed I could hand you a PII-free OPNsense config XML file; you'd just need to restore it, adapt it to your IP schemes and test on your own.

Let me know,
Cheers,
m.
#13
Found a plausible explanation / need to test without SSL Bumping:

https://stackoverflow.com/questions/45084436/squid3-proxy-server-ssl-bump-blocking-web-socket-connections

----
Squid doesn't support websocket natively, only through CONNECT tunnel, which your client has to be aware of -- which it won't be if you are MITMing connections.
----

EDIT: just tested, without SSL Bump, WebSocket is working all fine..
#14
Hi there folks,

A quick question / setup feasibility check on my side.

I've set up the following to satisfaction:

  • Squid on Loopback only
  • ZenArmor in L3 emulated mode

To force a software hop, I've enabled Squid on Loopback only, thus requiring a NAT port forward rule for the Explicit Proxy port (8080) in my example.
Clients would connect through WPAD/wpad.dat with a return "PROXY VTNET0:8080" directive.


My concern is that in such a setup, it seems to me that ZenArmor is missing the "vtnet0/LAN" based 8080 CONNECT requests sent towards the Squid Proxy daemon.

Without enabling the WAN interface "vtnet1" in the ZenArmor configuration, Web Controls doesn't catch offending bits/categories.
With the WAN interface enabled, it does, obviously so as Squid would initiate the requested connections through that interface for egress traffic.

I've tested as well using Squid directly bound to the "vtnet0" interface with the same results. I had hoped that perhaps adding a software HOP (loopback) would trigger ZenArmor Web Controls while monitoring the "vtnet0/LAN" interface only. It's not the case.

All in all, it's not a big issue; the real concern is that any offending bits would trigger as being sourced from the WAN interface IP, thus rendering analysis a bit more complex in order to find the originating host behind any potential ZA blocks. I'd also vouch that I'd prefer blocking the client requests rather than the Squid-initiated connections.

Is there anything I could do to get full CONNECT requests visibility sent towards the Squid daemon while monitoring the "vtnet0" interface only?
Or have I perhaps missed something obvious?

Let me know,
Thanks a lot,
m.
#15
Hi there all,

I have a simple explicit proxy setup in which I didn't exclude (yet) a Guacamole host used for Remote Access (internal/external).
While connecting to that system through the OPNsense/Squid setup, I could log on with no issue although any Remote Access connection wouldn't work.
These are WebSocket based, is this possible through Squid? Have I missed some config options?

I have for now updated my wpad.dat with a DIRECT directive to that host and all is fine, just more for my knowledge.

Let me know,
Kind regards,
m.