Messages - alexz707

#1
Hi!

I have a VLAN (IOT, 10.77.73.0) which has a rule to allow ports 80 & 443 TCP.

Action   Proto      Source    Port   Destination          Port       Gateway   Schedule   Description
Block    IPv4 *     IOT net   *      All_Interfaces net   *          *         *          Block inter VLAN
Allow    IPv4 TCP   IOT net   *      *                    Webports   *         *          Http(s)

The Webports Alias is a port alias for 80, 443.


In the live log I can see the rule is working and allows several requests to port 80 as well as 443.
But there are some requests which are blocked by the default rule which means the Http(s) rule is not matching.

e.g. 10.77.73.25:45804   54.225.172.93:80   tcp   Default deny rule

The Details are the following:

__timestamp__   Jan 4 12:50:08
ack   3469399858
action   [block]
anchorname   
datalen   0
dir   [in]
dst   54.225.172.93
dstport   80
ecn   
id   40189
interface   igb1_vlan73
interface_name   IOT
ipflags   DF
ipversion   4
label   Default deny rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   19
seq   2446294116
src   10.77.73.25
srcport   45804
subrulenr   
tcpflags   FA
tcpopts   
tos   0x0
ttl   64
urp   1369


Can anyone tell me why my rule isn't matching? As far as I understand, my rule should match?
If you need more info just tell me - would be happy to solve that "problem" ;-)

Thanks
Alex
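Added example, not from the post or from OPNsense: the script below replays a live-log detail block of the shape shown above against the two IOT rules and reports which rule pf would log. It relies on two things OPNsense does by default, first-match evaluation of interface rules and "flags S/SA" on TCP pass rules (only the SYN of a connection can match them; later segments are matched against the state table), and it invents a second VLAN, 10.77.72.0/24, to stand in for the rest of "All_Interfaces net", which the post does not spell out.

```python
"""Replay an OPNsense live-log detail block against the IOT rules from the
post and show which rule pf would report.  Added example; the network
10.77.72.0/24 and the 'flags S/SA' default are assumptions, not page data."""
import ipaddress

# Constructed: the same key/value shape as the live-log detail view in the post.
SAMPLE_DETAILS = """\
__timestamp__   Jan 4 12:50:08
action   [block]
dir   [in]
src   10.77.73.25
srcport   45804
dst   54.225.172.93
dstport   80
protoname   tcp
tcpflags   FA
label   Default deny rule
"""

def parse_details(text):
    """Turn 'key   value' lines into a dict, dropping the [] around action/dir."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts:
            fields[parts[0]] = parts[1].strip("[]") if len(parts) > 1 else ""
    return fields

IOT_NET = ipaddress.ip_network("10.77.73.0/24")
# "All_Interfaces net": the IOT net plus the other VLANs; 10.77.72.0/24 is assumed.
ALL_INTERFACES_NET = [IOT_NET, ipaddress.ip_network("10.77.72.0/24")]
WEBPORTS = {80, 443}

# The two rules from the post, in the order OPNsense evaluates them (first match).
# OPNsense gives TCP pass rules 'flags S/SA' unless changed in the advanced options.
RULES = [
    {"label": "Block inter VLAN", "proto": None, "src": [IOT_NET],
     "dst": ALL_INTERFACES_NET, "dports": None, "flags": None},
    {"label": "Http(s)", "proto": "tcp", "src": [IOT_NET],
     "dst": None, "dports": WEBPORTS, "flags": "S/SA"},
]
DEFAULT_DENY = "Default deny rule"

def flags_match(pkt_flags, spec):
    """pf 'flags X/Y': of the flags listed in Y, exactly those in X must be set."""
    if spec is None:
        return True
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)

def in_nets(addr, nets):
    """None means 'any'."""
    return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)

def first_match(fields, rules=RULES):
    """Label of the first rule that matches, or the default deny.
    pf only consults the rules for packets that have no state-table entry."""
    for r in rules:
        if r["proto"] and r["proto"] != fields["protoname"]:
            continue
        if not (in_nets(fields["src"], r["src"]) and in_nets(fields["dst"], r["dst"])):
            continue
        if r["dports"] and int(fields["dstport"]) not in r["dports"]:
            continue
        if fields["protoname"] == "tcp" and not flags_match(fields["tcpflags"], r["flags"]):
            continue
        return r["label"]
    return DEFAULT_DENY

def classify(fields):
    """Distinguish a real rule mismatch from a mid-stream segment without state."""
    label = first_match(fields)
    if label != DEFAULT_DENY:
        return label, "matched"
    if fields["protoname"] == "tcp" and "S" not in fields["tcpflags"]:
        # A FIN/ACK (FA) or ACK-only segment belongs to a connection that was
        # already open.  The pass rule requires SYN, so the block means pf no
        # longer held a state for that connection, not that the policy is wrong.
        return label, "no-state"
    return label, "rule-mismatch"

if __name__ == "__main__":
    pkt = parse_details(SAMPLE_DETAILS)
    print(classify(pkt))                        # ('Default deny rule', 'no-state')
    print(classify({**pkt, "tcpflags": "S"}))   # ('Http(s)', 'matched')
```

A "no-state" result says the blocked segment is not evidence about the rule itself: the SYN of that connection was either passed earlier or never seen on this interface, so the rule to inspect is whatever removed the state, not the Http(s) rule.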
#2
Hi!

I've finally solved my problem, I had to tick the box for

    System: Settings: General ->  DNS server options -> Do not use the local DNS service as a nameserver for this system

otherwise the dns requests timed out and that was why the transfer timed out...

With the box ticked, everything works normally.

Hope this helps?

Regards alex
#3
Hi!
I have just installed OPNsense on a ThinkCentre m720q (i5, 16 GB RAM) with an Intel quad NIC.
Installation was fine and I also installed some plugins:

os-adguardhome-maxit (installed) 1.6_1 32.5MiB mimugmail AdGuardHome
os-dmidecode (installed) 1.1_1 2.83KiB OPNsense Display hardware information on the dashboard
os-dyndns (installed) 1.25 170KiB OPNsense Dynamic DNS Support
os-sensei (installed) 1.10 126MiB SunnyValley Next Generation Firewall Extensions for OPNsense (ZENARMOR / Sensei)
os-sensei-updater (installed) 1.10 4.79KiB SunnyValley OPNsense Sensei Plugin Updater
os-smart (installed) 2.2 22.0KiB OPNsense SMART tools
os-speedtest-community (installed) 0.9_2 36.3KiB mimugmail Speedtest
os-sunnyvalley (installed) 1.2_1 652B OPNsense Vendor repository for Sensei (Next Generation Firewall Extensions)
os-vnstat (installed) 1.2_1 21.5KiB OPNsense vnStat is a console-based network traffic monitor
os-wireguard (installed) 1.7 47.2KiB OPNsense WireGuard VPN service


WireGuard & DynDNS are not active
AdGuard is running on port 53 with admin on 999
Unbound is running on 53530
the primary DNS is 1.1.1.1 (and for the clients the FW IP -> AdGuard)
Sensei is active, but if I switch it to monitoring only, the problem is still there

The problem is that the Firmware -> Update tab and Status have slowed down.

It always tells me

Fetching change log information, please wait... fetch: transfer timed out

The Update works but takes at least 3 times longer than before.

I have removed every IPv6 reference because I have read that this can be an issue.
In the console I tried the fetch command and it is working (but slow until the download occurs!)

root@fw:~ # fetch -v https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig
resolving server address: pkg.opnsense.org:443
SSL options: 82004854
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-CHACHA20-POLY1305
Certificate subject: /CN=*.opnsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
requesting https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig
remote size / mtime: 1332 / 1635331129
changelog.txz.sig                                     1332  B   13 MBps    00s


I tried switching the mirrors but the problem is still the same.

Maybe someone can point me in the right direction ;)

Regards
alex
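The slow step in the fetch output above is "resolving server address", and the fix in the later post is a nameserver setting, so the check a practitioner wants is how long each candidate resolver takes to answer. The script below is an added example, not from the post or from OPNsense: it sends a plain A query for pkg.opnsense.org to each resolver the post mentions (AdGuard on 127.0.0.1:53, Unbound on 127.0.0.1:53530, and 1.1.1.1) with a two-second timeout and reports the elapsed time and the answer, so a resolver that times out shows up immediately. The embedded response used for the offline check is constructed and returns a TEST-NET address, not a real one.

```python
"""Time an A lookup against each candidate resolver with a 2 s timeout.
Added example, not from the post; resolver ports follow the post's setup."""
import random
import socket
import struct
import time

# Resolvers from the post: AdGuard on 53, Unbound on 53530, upstream 1.1.1.1.
RESOLVERS = [("127.0.0.1", 53), ("127.0.0.1", 53530), ("1.1.1.1", 53)]
HOST = "pkg.opnsense.org"

def build_query(name, qid):
    """Standard query, recursion desired, one A/IN question."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | data[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(data, qid):
    """Return the A records in a response after checking transaction id and rcode."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!6H", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def time_resolver(server, port, name=HOST, timeout=2.0):
    """Return (seconds, result): a list of addresses, or an error string on failure."""
    qid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, port))
        data, _ = sock.recvfrom(512)
        return time.monotonic() - start, parse_response(data, qid)
    except (OSError, ValueError) as exc:          # socket.timeout is an OSError
        return time.monotonic() - start, f"failed: {exc}"
    finally:
        sock.close()

# Constructed response for the offline check: id 0x1234, one A record, 192.0.2.10 (TEST-NET).
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query(HOST, 0)[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + socket.inet_aton("192.0.2.10"))

if __name__ == "__main__":
    for server, port in RESOLVERS:
        secs, result = time_resolver(server, port)
        print(f"{server}:{port:<6} {secs:6.3f}s  {result}")
```

Run it on the firewall itself, since the question is what the firewall's own resolver chain does rather than what a client sees; a resolver that reports "failed: timed out" after the full two seconds is the one the system setting in the later post stops fetch from waiting on.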