Messages

1

General Discussion / Help with Port Forwarding, Please?

« on: November 15, 2020, 06:47:38 pm »

Hi, guys.  I've been at this for hours and just can't figure it out.  What's worse is that I don't know if it's an opnSense issue or other.  I hope you can help.

My setup:

• opnSense running on a computer with a 4-port NIC
• TrueNAS box connected to the LAN interface w/ IP address 192.xxx.xxx.10, assigned by opnSense
• Nextcloud plugin installed in TrueNAS w/ IP address 192.xxx.xxx.11, also assigned by opnSense
• opnSense Dynamic DNS is set up to use DuckDNS, routing xolocrafts.duckdns.org to my public IP address

Basically, when I try to connect to 192.xxx.xxx.11 via the xolocrafts.duckdns.org host name, I get this:



I set up the NAT Forwarding this way:



I assume that I can NAT Forward from WAN to LAN, but if this is incorrect, then it's part of the problem.  I have tried to temporarily stop the Web Proxy, but I get a similar error: "Hmm. We’re having trouble finding that site.  We can’t connect to the server at xolocrafts.duckdns.org."

Note that I used external Port 1080... that was just to see if there was any difference in results, since I initially used Port 80.

It seems that the Dynamic DNS setting is correct, since it IS routing it to the correct public IP address.  From there, I don't know what is happening.

I haven't even set up SSL for this (my next step), but can't even get it working without it.  Now..., if I simply type "http://192.xxx.xxx.11 in my browser, while connected to the LAN interface, everything works fine.

Do you see what I'm doing wrong?

Thanks for your help!

2

Intrusion Detection and Prevention / Re: What's Blocking my Programs' Access to the Internet?

« on: November 07, 2020, 02:22:02 am »

OK... solved one of the issues.

I disabled the Web Proxy "Traffic Management" which had a default Maximum Download Size (kb) of 2048.  This allowed TrueNAS to download and install the plugin.

Now to solve the issue with MATLAB.

3

Intrusion Detection and Prevention / Re: What's Blocking my Programs' Access to the Internet?

« on: November 07, 2020, 01:41:35 am »

I have Unbound enabled, but just realized that Blacklists are disabled, so it seems to take Unbound out of the equation.  For IDS, Suricata is used and I have 11 rulesets under the "Download" tab that are enabled for "Download and Update Rules", but there are over 78,700 actual rules that are enabled (didn't realize that either).  It's not feasible to go through every one, obviously.

I was hoping that I could look at some log to see who/what is blocking these programs and go from there.

I guess I can try to disable IDS entirely (momentarily) to see if that does anything. As mentioned earlier, I had tried that with the web proxy, but didn't resolve the problem.

I know of Wireshark, but haven't actually used it.  I might try to see if I can figure it out.  Thanks for the feedback so far.

4

Intrusion Detection and Prevention / What's Blocking my Programs' Access to the Internet?

« on: November 06, 2020, 06:46:29 pm »

Hi everyone.  I am new to opnSense and quite the beginner with firewalls and networking.  Nevertheless, I have opnSense running happily on an old PC with a quad-port NIC.  The version I'm running is below:

OPNsense 20.7.4-amd64
FreeBSD 12.1-RELEASE-p10-HBSD
OpenSSL 1.1.1h 22 Sep 2020

My problem is that I have two programs (TrueNAS and MATLAB) that are being denied access to the internet by one the opnSense services I have enabled and I have no clue which one it is.  What's interesting to me is that for TrueNAS, it's allowed to check for updates just fine, but is prevented from installing plugins from pkg.freebsd.org (I even white-listed it in the web proxy ACL with no success).

Is there a smarter, more methodical way to figure out who is blocking them and how to allow their access?  So far, I've completely disabled the web proxy, with no luck.

These are the services I have enabled:

- C-ICAP server
- ClamAV Daemon
- freshclam daemon
- Universal Plug and Play (although I don't think it's properly set up, or set up at all)
- Squid Web Proxy
- Suricata Intrusion Detection

Thanks in advance for your help, guys!