Messages - PaulePils

#1
Thanks for the tip :-) I will try this.

Seems like I first need to fix the DynDNS settings with the Fritzbox and OPNsense...
#2
Hello,

Until recently, I had a pure modem in front of my OPNsense and the VPN via WireGuard worked like a charm.
Because I changed my employer, I had to switch from the pure modem to a Fritzbox (the OPNsense won't connect to the company VPN..... The admin also had no clue why... This was the easy solution).

The problem is that I can't access my LAN network anymore.
In the Fritzbox, OPNsense is marked as "Exposed Host" with additional port access.
In OPNsense, I added a rule in WAN (* * * Dest. Wireguard net - Port Wireguard)

What am I missing?
#3
Sorry for hijacking this thread but I ran into the same situation.
I tried the solution from GitHub but I still get this error message in OPNsense: https://github.com/bsmithio/OPNsense-Dashboard/issues/57
Quote
    #0 {main}
      thrown in /usr/local/bin/telegraf_pfifgw.php on line 13
    [17-Mar-2024 10:34:40 Europe/Berlin] PHP Fatal error:  Uncaught Error: Call to undefined function get_interfaces_info() in /usr/local/bin/telegraf_pfifgw.php:13

This is the beginning of the code:

    #!/usr/local/bin/php-cgi -f
    <?php
    require_once("config.inc");
    require_once("interfaces.inc");
    require_once("plugins.inc.d/dpinger.inc");
    require_once("util.inc");

    # Added function get_interface_info. Function was removed from interface.in in OPNsense version 24.1
    function get_interfaces_info($include_unlinked = false)
    {
        global $config;
        $all_intf_details = legacy_interfaces_details();
        $all_intf_stats = legacy_interface_stats();
        $gateways = new \OPNsense\Routing\Gateways();
        $ifup = legacy_interface_listget('up');
        $result = [];
        $interfaces = legacy_config_get_interfaces(['virtual' => false]);
        $known_interfaces = [];
        foreach (array_keys($interfaces) as $ifdescr) {
            $interfaces[$ifdescr]['if'] = get_real_interface($ifdescr);
            if (!empty($interfaces[$ifdescr]['if'])) {
                $known_interfaces[] = $interfaces[$ifdescr]['if'];
            }
            $interfaces[$ifdescr]['ifv6'] = get_real_interface($ifdescr, 'inet6');
            if (!empty($interfaces[$ifdescr]['ifv6'])) {
                $known_interfaces[] = $interfaces[$ifdescr]['ifv6'];
            // ... (the post ends here; the rest of the function is not shown)

I don't know what I missed and why there is still an error.....

When comparing the original file and the file from GitHub, there are a lot more lines between the "# Added function" comment and the original code compared to the solution mentioned in this thread. Could some of you maybe explain?
#4
General Discussion / Re: DNS not working in VLAN
August 31, 2023, 05:39:38 PM
I use Unbound and it is listening on the default port 53.

QuoteNote: As the uppermost rules do allow traffic to DMZ IP that does not mean they allow traffic to any other OpnSense IP.
After that info I created a rule: DMZ net + port any -> OPNsense_IP + port 53
It works this way, but I am unsure if this is "safe"?
#5
General Discussion / Re: DNS not working in VLAN
August 30, 2023, 05:33:20 PM
LAN: 192.168.1.1 --> IP of OPNsense
DMZ: 192.168.10.1 --> DHCP Range x.100 - x.200 // Webservices in Range < .100
Internal: 192.168.20.1 --> Same DHCP config

QuoteNote: As the uppermost rules do allow traffic to DMZ IP that does not mean they allow traffic to any other OpnSense IP.
Hmmm... okay, this is new to me as it was never mentioned in any tutorial. I thought this was a basic setting  ???
Should I add a rule with Destination "This Firewall" or rather DMZ net to IP OPNsense any port? Or only the ports that I really need?
#6
I just used SQLite, which worked quite well.
But in the meantime I did a complete fresh install of OPNsense to better fit my needs.
#7
General Discussion / DNS not working in VLAN
August 29, 2023, 10:50:16 PM
Hello  :),

Recently, I did a complete fresh install of my OPNsense following this guide: https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/
I wanted to start all over again after my previous setup got quite nasty and didn't fit my needs anymore.

For my web services I have a Proxmox server (LAN) with different LXCs and VMs (VLANs).
My problem is that all the services in the VLAN have DNS problems....
For example, I created the rules for the DMZ like in the screenshot. If the allow-any rule at the end is enabled, I can ping, dig, nslookup, traceroute, ... from within the VLAN (makes sense because everything is allowed).
If it is disabled, then the clients can't even ping the firewall (ping 192.168.1.1 --> 100% packet loss) or do any other network diagnostics:
Quote
dig www.google.com
;; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> www.google.com
;; global options: +cmd
;; no servers could be reached

I did quite some research but I didn't find an answer that worked for me. I don't know what I am missing and I am starting not to see the forest for the trees....
#8
Thanks for the example. This is one of the best "pictures" that I have read about the whole inbound/outbound logic and it makes it easier for me to understand all of it :-)

I will tinker with this (and all my other stuff) keeping your example in mind and consider this thread as solved.

Thanks for all your time and input.
#9
Quote from: CJ on July 26, 2023, 11:21:26 PM
Quote from: Patrick M. Hausen on July 26, 2023, 11:18:34 PM
DCC is a file transfer mechanism on top of IRC that needs a direct data channel between both parties similar to FTP. Difficult behind NAT devices and firewalls. The OP probably needs to port-forward a certain range from their external address to their PC. I don't know if DCC for multiple devices behind a NAT is possible at all. These are protocols from the stone age of the Internet. BTDT.

That's what I remember from the top of my head. More detailed help would require more research on my part, so for now I'm just bouncing these hints back to you.  ;)

Yeah, I haven't dealt with DCC before.  I'm just trying to understand what they currently have configured, what is and isn't working, etc.  People love to twiddle 15 different knobs and only tell you about one.
Yeah, that sounds like me :-D  trying too much stuff at the same time..... if I have some....  ::)

Quote from: Patrick M. Hausen on July 26, 2023, 11:18:34 PM
DCC is a file transfer mechanism on top of IRC that needs a direct data channel between both parties similar to FTP. Difficult behind NAT devices and firewalls. The OP probably needs to port-forward a certain range from their external address to their PC. I don't know if DCC for multiple devices behind a NAT is possible at all. These are protocols from the stone age of the Internet. BTDT.

That's what I remember from the top of my head. More detailed help would require more research on my part, so for now I'm just bouncing these hints back to you.  ;)
That's what I thought. It is quite old but at the same time it is quite fast.

Regarding the security risks: if I open all ports on the source but only some on the destination, what will an attacker see? Open doors? Slightly open doors? Nothing unless the connection is used?
I am trying to understand what would happen, because I don't need a firewall if I open everything up just out of convenience ::)
#10
I attached a quick network diagram. The client in question is the PC in the LAGG_Switch network.

The IRC channels themselves are working, so I can send and receive messages in the channels. But if I make a DCC request, there is a timeout. The LiveView is the same as in the screenshot.
First I thought it had something to do with Suricata or Zenarmor, but there is nothing. I only get a connection when I activate the NAT forward rule that allows any source port to the destination IRC alias.
#11
"LAGG_Switch" is the parent interface for my VLANs. I first started with guest, IoT and work in VLANs but couldn't move the rest because I need to change my home server first (and I currently don't have the time to do this).

I tried it like you said but unfortunately it is still blocked by the "default deny" rule...

From what I have read, a DCC request first sends a message out to the owner of the file. So the first interaction comes from my side. So I tried the same rule but in the "out" direction... nothing. Then with WAN as source to destination "any"... still nothing.
Am I missing something?
#12
I attached the Screenshot of:

  • the LiveView unblocked (rule enabled)
  • the LiveView blocked (rule disabled)
  • the LAN rule (the interface has a different name but it is LAN)
  • the Alias with the known ports of IRC
#13
That means the Alias itself should be fine.
But should it be handled as a port forward rule or as a rule in WAN/LAN/both?
#14
Hello,

When I started locking down my OPNsense (AdGuard, IPS, Zenarmor), I noticed that IRC/DCC requests suddenly get blocked. After checking the IPS and Zenarmor logs, I found no entry.
So, I created an alias with the known IRC ports (6660:6669) and a pass rule in the LAN interface (screenshot) but it still got blocked.
In the Log LiveView, I saw that the source port is something completely different, something in the dynamic area 5xxxx and not something between 6660:6669. Is this normal behaviour?

After some reading I tried a NAT Port Forward rule with source port any to destination port IRC Alias. Then it worked, but it doesn't sound very safe to open all ports to the internet.

I want to learn where I did it wrong and how I can improve it.
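The rule-matching semantics behind both the DNS-in-VLAN thread (#4, #5, #7) and the IRC/DCC thread (#9, #11, #14), as an added example that is not code from the forum, from OPNsense or from any of the posters: a small Python model of first-match ("quick") rule evaluation expressed in OPNsense GUI terms. The LAN/DMZ/Internal addresses follow the DNS thread (192.168.1.1, 192.168.10.1, 192.168.20.1); the WAN address 203.0.113.10, the peer 198.51.100.7, the interface names "DMZ" and "WAN", both rule sets and the CTCP DCC SEND message are constructed for the example and are not the posters' real rules or traffic.

```python
"""First-match packet-filter model for two OPNsense rule questions.

Added example, not code from the forum or from OPNsense. All addresses,
interface names, rule sets and the DCC offer are constructed (assumed).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses OPNsense owns per interface and the networks behind them (constructed).
FIREWALL_ADDRS = {n: ipaddress.ip_address(a) for n, a in {
    "LAN": "192.168.1.1", "DMZ": "192.168.10.1",
    "Internal": "192.168.20.1", "WAN": "203.0.113.10"}.items()}
NETWORKS = {n: ipaddress.ip_network(c) for n, c in {
    "LAN": "192.168.1.0/24", "DMZ": "192.168.10.0/24",
    "Internal": "192.168.20.0/24"}.items()}

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    """One inbound rule on an interface, in OPNsense GUI vocabulary."""
    iface: str
    action: str           # "pass" or "block"
    proto: str = "any"
    src: str = "any"      # "any", "<IFACE> net" or a CIDR
    sport: PortRange = None
    dst: str = "any"      # "any", "<IFACE> address", "This Firewall" or a CIDR
    dport: PortRange = None


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "This Firewall":               # every address the firewall owns
        return ip in FIREWALL_ADDRS.values()
    if spec.endswith(" address"):             # only that one interface address
        return ip == FIREWALL_ADDRS[spec[:-len(" address")]]
    if spec.endswith(" net"):
        return ip in NETWORKS[spec[:-len(" net")]]
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(rng: PortRange, port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; no match falls through to the default deny."""
    for r in rules:
        if r.iface != pkt.iface or (r.proto != "any" and r.proto != pkt.proto):
            continue
        if not (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)):
            continue
        if not (_port_matches(r.sport, pkt.sport) and _port_matches(r.dport, pkt.dport)):
            continue
        return r.action
    return "block"


# --- DNS from the DMZ VLAN; clients are pointed at 192.168.1.1, the LAN address.
DMZ_RULES_BEFORE = [   # "DMZ address" only means 192.168.10.1, not 192.168.1.1
    Rule("DMZ", "pass", "udp", "DMZ net", None, "DMZ address", (53, 53)),
    Rule("DMZ", "block", "any", "any", None, "192.168.0.0/16"),   # keep VLANs apart
    Rule("DMZ", "pass", "any", "DMZ net", None, "any"),           # internet only
]
DMZ_RULES_AFTER = [    # "This Firewall" covers every address OPNsense owns
    Rule("DMZ", "pass", "udp", "DMZ net", None, "This Firewall", (53, 53)),
    Rule("DMZ", "pass", "icmp", "DMZ net", None, "This Firewall"),
    Rule("DMZ", "block", "any", "any", None, "192.168.0.0/16"),
    Rule("DMZ", "pass", "any", "DMZ net", None, "any"),
]
DNS_QUERY = Packet("DMZ", "udp", "192.168.10.150", 51234, "192.168.1.1", 53)

# --- DCC SEND: the CTCP carries the offerer's address as a 32-bit integer plus
# the port it listens on; the peer then opens a TCP connection back to it.
DCC_SEND_RE = re.compile(r"^\x01DCC SEND (\S+) (\d+) (\d+) (\d+)\x01$")
DCC_OFFER = "\x01DCC SEND file.iso %d 6667 1048576\x01" % int(FIREWALL_ADDRS["WAN"])


def parse_dcc_send(ctcp: str):
    m = DCC_SEND_RE.match(ctcp)
    if not m:
        return None
    name, ip_int, port, size = m.groups()
    return {"file": name, "ip": str(ipaddress.IPv4Address(int(ip_int))),
            "port": int(port), "size": int(size)}


def inbound_connection(offer: dict, peer="198.51.100.7", peer_port=54321) -> Packet:
    """The SYN the peer sends back: ephemeral source port, advertised destination port.
    (The NAT rewrite done by a port forward is ignored; only the matched fields matter.)"""
    return Packet("WAN", "tcp", peer, peer_port, offer["ip"], offer["port"])


WAN_RULE_SOURCE_PORTS = [Rule("WAN", "pass", "tcp", "any", (6660, 6669), "any", None)]
WAN_RULE_DEST_PORTS = [Rule("WAN", "pass", "tcp", "any", None, "WAN address", (6660, 6669))]

if __name__ == "__main__":
    print("DNS before:", evaluate(DMZ_RULES_BEFORE, DNS_QUERY))
    print("DNS after: ", evaluate(DMZ_RULES_AFTER, DNS_QUERY))
    syn = inbound_connection(parse_dcc_send(DCC_OFFER))
    print("DCC, rule keyed on source ports:     ", evaluate(WAN_RULE_SOURCE_PORTS, syn))
    print("DCC, rule keyed on destination ports:", evaluate(WAN_RULE_DEST_PORTS, syn))
```

Two things the model makes visible. For the DNS thread: a pass rule whose destination is "DMZ address" matches only 192.168.10.1, so a query to 192.168.1.1:53 falls through to the RFC 1918 block rule; "This Firewall" covers all of OPNsense's own addresses, and a rule limited to port 53 plus ICMP echo is the least-privilege shape rather than the allow-any rule. For the DCC thread: the peer's connection arrives on WAN with an ephemeral source port, so a rule keyed on source ports 6660:6669 never matches, while one keyed on destination ports does; "source port any" is the normal shape of any inbound rule, and what is exposed is bounded by the destination ports and the forward target, not by the source side. Two caveats: OPNsense port forwards rewrite the destination before filtering, which this model skips, and if the IRC client advertises a private address in the CTCP, no rule on the firewall can make the peer reach it.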
#15
One week should be fine for my use case. Thanks for the info  :)