Messages

1

21.7 Legacy Series / Re: OPNSense blocking legit sites, not idp or web filtering

« on: December 08, 2021, 10:58:34 pm »

I know this is a bit vague, I'm looking for ideas as to what may be blocking these sites/connections.

2

21.7 Legacy Series / OPNSense blocking legit sites, not idp or web filtering

« on: December 08, 2021, 08:48:13 am »

Hi all,

I'm working on an issue where several websites won't work. they resolve dns and everything, they just won't connect. It's as if opnsense is blocking them. I can;t see t in routes, firewall, web filtering etc.
If I curl from the console those sites load fast and fine. Anything behind that though has issues. It's only a half dozen sites.

3

General Discussion / Re: Anyone using DoT or recommend added security for my new OPNsense install?

« on: April 01, 2021, 04:23:08 am »

I have been through dnscrypt, pihole and now I'm on AdGuard home. I use it on my raspi and on my opnsense router for primary and secondary. I really like it, it's quick and supports anything you need. Only thing missing is clustering, but if your requirements are simple then double entering isn't the end of the world.
There's an AdGuard plugin for OPNsense, also for Home Assistant.

4

General Discussion / Re: Suggestion: Backup destinations

« on: April 01, 2021, 04:19:35 am »

Hi,

Would be rather helpful if there were more options to send backups.
Couple of suggestions:

• FTP
• Onedrive/Sharepoint

Thank you

Second for OneDrive. I currently use rsync for all of my boxes and have yet to tackle this for opnsense. I prefer to keep third party code to a minimum to reduce attack surface.

5

High availability / Re: haproxy endpoint monitoring

« on: March 31, 2021, 09:20:54 am »

Yeah, already have a TIG stack in action. The existing influxdb db is called telegraf.

6

High availability / Re: haproxy endpoint monitoring

« on: March 28, 2021, 01:11:10 pm »

Hey buddy, this is awesome thanks. Just trying to get this going and when imported the dash complains about telegraf not found. Changing queries fixes graphs but not showing data.

7

21.1 Legacy Series / Re: NGINX Public access no working but LAN ok

« on: March 28, 2021, 12:52:32 pm »

So, once I got my head around the ha proxy deal, all i had to do was bind to the external ip on the real servers page. But for enginx plugin I cannot see anywhere this is possible other than perhaps editing the nginx.conf file directly.

8

21.1 Legacy Series / NGINX Public access no working but LAN ok

« on: March 27, 2021, 12:22:43 pm »

Hi All,

I have nginx set up on my opnsense router. It works on the lan no problems at all, however, I cannot access the one server I want to be public accessable from the internet.

I see the client in the firewall logs coming from the test client's public ip going to the wan ip, but I don't see that in the access logs for nginx.
So nginx works from lan, traffic is getting to the firewall and should be getting to nginx.

Code: [Select]

IPv4 TCP * * WAN address 443 (HTTPS) * * Public SSL

Code: [Select]

IPv4 TCP * * LAN address 443 (HTTPS) * * Local HTTPS LAN to NGINX
Fiddler shows this:

Code: [Select]

fiddler.network.https> HTTPS handshake to home.norgan.net (for #399) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.
Curl shows this:

Code: [Select]

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection
Firewall WAN rule log shows traffic:

Code: [Select]

clientpubip:53810 wanip:443 tcp Public SSL NGINX

I do have multi-wan, thinking maybe nginx isn't binding to the public interface and therefore we get an ss; handshake failure.

9

Tutorials and FAQs / [TIP] IPSEC Azure with multi-wan, route firewall rule needed

« on: March 26, 2021, 01:58:08 pm »

https://imgur.com/gallery/PWsbmjN

After much battling and trial and error, I finally cracked this last step of the azure routebased ipsec vpn.\

Basically, follow this https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html then add the above rule. Left the wan links in for context with multi-wan.

10

21.1 Legacy Series / Re: Open NAT possible for Xbox gamers?

« on: March 26, 2021, 03:34:54 am »

All you should need is to port forward port 3074, don't need uPNP.

11

High availability / [Guide - WIP]WAN failover to mobile hotspot

« on: March 25, 2021, 07:43:58 am »

Hi All,

Thought I'd share this config that I had struggled with for a few weeks. Something that OPNsense has finally provided a solution for.

The use case:
You have an internet connection, you have a fancy mobile phone with a super-fast 4g or 5g network. You are already paying for a bunch of data and live service. Why not just use that if your primary link goes down instead of paying for another service with separate data and monthly cost, only to be used on a handful of occasions throughout the year.

The solution:

Configure the wireless interface on your hardware hosting opnsense (and assume this also works on pfsense?).

Essentially, if you assign the wireless interface to the wan declaration in opnsense, it puts it into client mode and you can configure the interface to just connect to the access point, in this case, your phone's hotspot function, and use it as an upstream provider of internet connectivity.

All you need to do is turn on your hotspot and opnsense will connect to it and show it as a live gateway. 

How is it done:

WIP - sorry, I am working on the details for you. I will provide links to guides i used and the stuff I had to figure out. I will come back and put some details in. If you are interested let me know and i'll see what I can do to get info to you. Also, let me know if you found somewhere that showed how to do this, I wasn't able to find a concise guide for this particular use case.

12

21.1 Legacy Series / [SOLVED]IPV6 address drops when dhcp renews

« on: March 24, 2021, 09:30:58 am »

Code: [Select]

2021-03-24T18:11:56 opnsense[5694] /usr/local/etc/rc.routing_configure: The command '/sbin/route add -'inet6' default ''' returned exit code '71', the output was 'route: : Name does not resolve'
2021-03-24T18:11:56 opnsense[5694] /usr/local/etc/rc.routing_configure: ROUTING: creating /tmp/re0_vlan99_defaultgwv6 using ''
2021-03-24T18:11:56 opnsense[5694] /usr/local/etc/rc.routing_configure: ROUTING: removing /tmp/re0_vlan99_defaultgwv6

If i reboot it works fine for a few minutes then this happens and I lose the ipv6 address on the wan interface and no routing to public ipv6 endpoints.

This seems to have been caused by the addiional of the DHCP_IPV6 interface in the gateway group. My intention was to failt to v4 if v6 fell over. It actually caused the v6 address to drop at dhcp renewal.

13

21.1 Legacy Series / Re: IPSEC VPN inbound fine, outbound not working

« on: March 24, 2021, 04:39:54 am »

reserved

14

21.1 Legacy Series / IPSEC VPN inbound fine, outbound not working

« on: March 24, 2021, 04:30:21 am »

Hi all,
Things are humming pretty well, now time to iron out some wrinkles. I have a site 2 site IPSEC VPN to Azure set up. The Azure machines can get to the LAN on-prem but I can't seem to get back to them.

UPDATE: Guide followed, found one option I was missing. Everything is now in place, the link comes up, and my azure vm can send logs as per the inbound firewall rule.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route-azure.html

The route is there, I've double-checked it. but I can't get traffic back to azure. It just routes out to the internet.

not sure what config or log is most useful. Still figuring opnsense out

15

21.1 Legacy Series / Re: IPV6 Link monitor can't ping

« on: March 24, 2021, 04:13:32 am »

And now i can't even ping that lol I think my provider is having ipv6 issues as well but those quad9 servers don't seem to ping. I like using quad9 as a link monitor because that's my DNS forwarder target.