Messages - hemin

#1
Hello,

I have a failover connection with fiber and LTE as backup, and because the LTE has a maximum number of GB I want to use the backup gateway only for "important" traffic, and block some aggressive traffic protocols like torrent.
Is it possible to apply different firewall rules depending on the gateway?

Thanks!
#2
Hi,

Because the NAT policy acts as an AND, if I put !NoSCRProxy as source and !NoDSTProxy as destination then it will only do NAT when the source is different AND the destination is different.

I'm testing with the option "No RDR" or "no redirect" and it seems that this is the correct solution.
#3
Happy new Year!

I have problems with the Squid transparent proxy and Telegram: Telegram is working but I can't download any picture, so I want to keep the Telegram subnets (I don't find any domain) from using Squid.
It seems that the bump list only supports IPs and domains, but not subnets (or maybe I'm doing something wrong).

One way is to configure a NAT policy to NAT all but these ranges using an inverse destination. The problem is that I'm already using this method to keep some source IPs from going to the proxy, so I think that it's not possible to use both methods at the same time, because the NAT redirection takes effect on the first rule and "bypasses" the next policy in this case.

Maybe I have to use the NAT option "No RDR" with the SRC and DST aliases?

Regards
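The two posts above describe the same problem from two sides: with first-match translation rules, a source exception and a destination exception cannot both live in ordinary redirect rules. The following pf.conf fragment is an added example, not hemin's configuration or anything generated by this forum's members; it is written in the form OPNsense emits for Firewall > NAT > Port Forward entries, and the interface name, proxy ports and table contents are assumed or constructed placeholders.

```pf
# Added example (not from the posts above). Interface, ports and addresses are assumed.
lan_if = "igb1"
proxy_http_port = "3128"    # assumed Squid intercept port for HTTP
proxy_https_port = "3129"   # assumed Squid intercept port for HTTPS (SSL bump)

# Constructed exception lists: hosts that must never be proxied, and
# destination ranges (TEST-NET placeholders) that must never be proxied.
table <NoSRCProxy> { 192.168.20.10, 192.168.20.11 }
table <NoDSTProxy> { 198.51.100.0/24, 203.0.113.0/24 }

# Why two plain redirects do not work: translation rules are first-match.
#   rdr on $lan_if proto tcp from !<NoSRCProxy> to any            port 80 -> 127.0.0.1 port $proxy_http_port
#   rdr on $lan_if proto tcp from any           to !<NoDSTProxy>  port 80 -> 127.0.0.1 port $proxy_http_port
# The first line already matches every non-exempt source whatever the
# destination, so the destination exception in the second line is never reached.

# "No RDR" rules: each exception is checked first and, when it matches,
# ends translation for that connection. Their relative order does not matter.
no rdr on $lan_if proto tcp from <NoSRCProxy> to any          port { 80, 443 }
no rdr on $lan_if proto tcp from any          to <NoDSTProxy> port { 80, 443 }

# Only connections that matched neither exception reach the proxy.
rdr on $lan_if proto tcp from any to any port 80  -> 127.0.0.1 port $proxy_http_port
rdr on $lan_if proto tcp from any to any port 443 -> 127.0.0.1 port $proxy_https_port
```

In the GUI the two `no rdr` lines correspond to port-forward rules with the "No RDR (NOT)" box ticked, placed above the redirect to the proxy; the single rule with both source and destination negated also behaves as described in post #2, but the bypass rules keep each exception list in its own rule, which is easier to audit when an alias changes.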
#4
Quote from: Amr on December 28, 2021, 08:51:02 AM
There's a solution, sadly there's no GUI yet, so if you don't mind here's a couple of posts u can reference.
https://forum.opnsense.org/index.php?topic=24388.msg117029#msg117029

thanks for your answer Amr, I have followed some examples, this is the most useful that I found to make it with categories:
https://www.sbarjatiya.com/notes_wiki/index.php/Configuring_squid_to_block_websites_based_on_categories
But sometimes I get a descriptive error that I can solve, and sometimes I only get an error without any description (when reloading the Squid service). Do you know the path of the Squid logs?

I think this would be an easy way to implement source-based ACLs in the GUI; this is a basic feature which is very useful.

thanks
#5
Yes, this plugin is only for user ACLs, not IP ACLs (if something hasn't changed), and authentication in general is not a common practice on home networks.

I searched many times and always got 2 posts, one from the discontinued Brazilian plugin, and another with the same question:

https://forum.opnsense.org/index.php?topic=8695.0
#6
Hello,

Coming from business firewalls at my work (Forti, Sonic, etc...) I tried to move the perimeter security of my house to something like an enterprise firewall at the minimum possible cost.

Over the last 2 years I went from MikroTik to OPNsense to Sophos to OPNsense and to pfSense.
I migrated from MK to OPNsense because I wanted a "real" UTM firewall on my home network, but OPNsense lacks the possibility to apply a web filter by source. Then I discovered a free full version of Sophos SG for home users; after some months, Sophos has all filters, IPS, etc. out of the box, but its management is terribly slow and it lacks things like WireGuard, so I went back to OPNsense. I found a web filter plugin ported from squidGuard, but it has not been updated for the last 2 years, has many limitations, and the blocked page redirects to the Portuguese developers.
Finally I migrated to pfSense; it has all I want but... it is working at half capacity: Squid has many problems with transparent proxy and HTTPS (OPNsense is more "transparent"), and the GUI is not as polished as OPNsense's.

I'm going to migrate to OPNsense again, but I want to know if there is a way, or if it's planned (for example a squidGuard plugin), to use a transparent proxy web filter by source. I want to have all my home network protected from malicious sites and block adult sites for my son (yes, I don't want to block porn for myself :D ).

How do you solve this "problem"?
#7
Quote from: QBANIN on February 14, 2021, 10:36:46 AM
Quote from: franco on February 13, 2021, 09:40:56 PM
Quote from: QBANIN on February 12, 2021, 11:31:26 PM
I have the same issue but IMO this is some kind of API issue in 21.1.* . I can't even access it using curl method https://docs.opnsense.org/development/how-tos/api.html#using-curl

Does your GUI work? See, API not broken... ;)


Cheers,
Franco

You're right, my mistake :D

Hi QBANIN, I have the same problem: the API is working but I get a Home Assistant error. Have you solved it?
#8
Hello,

I have an alarm touch panel that connects to the alarm server IP. This touch panel is locked and I can't change the server IP. I've changed the IP of the server (it's a static DHCP lease) from 192.168.20.189 to 192.168.20.144 and the touch panel lost connectivity. So now I want to redirect the xxxx TCP destination from 192.168.20.189 to 192.168.20.144.
What I've done is create a VIP in alias mode with the IP 192.168.20.189 and then make a port forward from .189 to .144, but that doesn't work.
Is it possible to do this? If yes, how?

Thanks
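The redirect described in this post fails for a reason a port forward alone cannot fix: the panel and the server sit on the same LAN segment, so the server's replies never pass through the firewall and arrive from an address the panel never contacted. The pf.conf fragment below is an added example and not hemin's configuration; the interface, the firewall's LAN address and the TCP port (left as "xxxx" in the post) are placeholders, and it assumes the VIP alias for .189 already exists so the firewall answers ARP for that address.

```pf
# Added example (not from the post above). Interface, LAN address and port are placeholders.
lan_if   = "igb1"
lan_net  = "192.168.20.0/24"
lan_addr = "192.168.20.1"     # assumed firewall LAN address
alarm_port = "5000"           # PLACEHOLDER: the post does not state the real port
old_server = "192.168.20.189" # address the locked panel still dials
new_server = "192.168.20.144" # where the alarm server lives now

# 1. Redirect: rewrite the destination of the panel's connection on the way in.
#    Works only because the VIP alias makes the firewall own .189 on the LAN.
rdr on $lan_if proto tcp from $lan_net to $old_server port $alarm_port -> $new_server

# 2. Hairpin source NAT: because client and server share the segment, the server
#    must see the firewall as the client, or it answers the panel directly from
#    .144 and the panel drops a reply from an address it never contacted.
nat on $lan_if proto tcp from $lan_net to $new_server port $alarm_port -> $lan_addr

# 3. Filter rule that lets the translated connection through.
pass in quick on $lan_if proto tcp from $lan_net to $new_server port $alarm_port
```

The second rule is the part the GUI port forward does not add by itself; in OPNsense the same effect comes from enabling reflection for the port forward together with automatic outbound NAT for reflection under Firewall > Settings > Advanced, which is the setting to check first when a LAN-to-LAN redirect "doesn't work" although the rdr rule is present.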
#9
Hi Fright,

It seems that the method in the link doesn't work for some users, and I'm one of them.
I have done a "dirty" workaround by editing the script at '/usr/local/share/examples/acme.sh/dnsapi/dns_duckdns.sh'
and replacing all "fulldomain=$1" lines with "fulldomain=*****.duckdns.org", and that works...

I hope it will be solved in the future.

Thanks!
#10
Hello,

I have a little problem trying to register with letsencrypt and duckdns.

I configured the challenge type with DNS-01, DuckDNS API and the API token.

Certificate Options:
Common Name *******.duckdns.org
Description
Alt Names:

Let's Encrypt Settings
LE Account: Firewall WEB GUI Cert Acc
Challenge Type: Firewall WEB GUI Cert
Auto Renewal
Renewal Interval 60

Security Settings
Key Length 4096 bit
OCSP Must Staple "unchecked"
   
Advanced Settings
Automations
DNS Alias: Mode Not using DNS alias mode


When I try to register the certificate, I get the following error:

Trying to add TXT record
param='domains=_acme-challenge.********.duckdns.org&token=******&txt=*****'
url='https://www.duckdns.org/update?domains=_acme-challenge.******.duckdns.org&token=*****&txt=******'
GET
url='https://www.duckdns.org/update?domains=_acme-challenge.******.duckdns.org&token=*********&txt=*********'
timeout=
_CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
ret='0'
Errors happened during adding the TXT record, response=KO
Error add txt for domain:_acme-challenge.******.duckdns.org


Any ideas what's wrong?

thanks