Messages

1

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: August 21, 2023, 04:41:06 pm »

Yes, but you need to put the correct subnet size.


Cheers,
Franco

If on version 23.1.11 we used the line

ifconfig-push 192.168.yyy.xxx 255.255.255.0

Now in the IPv4 Tunnel Network field, you need to set the value

192.168.yyyy.xxx/24 ?

Did I understand correctly?

2

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: August 10, 2023, 12:59:25 pm »

Thanks for the hint, yes that works just fine.
/J

Hello!

If I put in the field "tunnel network IPv4" IP

192.168.56.12/32

Then it will work, the VPN client will be assigned a static address 192.168.56.12 and it will work fine?

3

23.7 Legacy Series / OpenVPN and static IP

« on: August 08, 2023, 12:54:28 pm »

Good afternoon

In OPNsense version 23.1.11, I set a static IP in the Client Specific Overrides section by entering the line in the Advanced field

ifconfig-push 172.28.25.2 255.255.254.0

In the new version, I did not find how to set a static IP for VPN clients.

Can you tell me how, after the upgrade, you can specify a static IP for clients and how it can be imported from the old version?

Thank you in advance.

4

General Discussion / Re: How to upgrade crowdsec ?

« on: December 14, 2022, 05:42:08 pm »

Hi!

While Linux and Windows versions are released automatically, the FreeBSD one must follow a separate review/approval process (it's an official distribution package), so it lags a few days to get to the freebsd ports + a few days to land in the opnsense repository.

See the related ticket at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267808
and the package status page at https://www.freshports.org/security/crowdsec

If you need it now, I can send you a binary for testing.

Hello!

I am interested in the same question.
The current version is "v1.4.1" and the latest stable version is "v1.4.3". How to update Crowdsec?

5

Web Proxy Filtering and Caching / Re: NGINX Reverse Proxy - Upload performance [Nextcloud]

« on: November 03, 2022, 08:58:27 am »

Hi all!

I have the same problem, how do I set up NGINX under OPNSense to work with Nextcloud?

No one will write step by step what and how to do?

6

22.7 Legacy Series / Re: CrowdSec

« on: August 10, 2022, 11:36:00 am »

Hi!

I do not know where to write, so I write here.

In my Firewall:Log Files:Live View, when blocking IP using CrowdSec, a line is displayed indicating only the date and time without any details, and only this is reflected in the details:

__timestamp__   2022-08-10T12:25:00
action   0x0
anchorname   match
dir   
interface   in
interface_name   in
ipversion   240
label   
reason   4
rid   
rulenr   crowdsec
subrulenr   em1

At the same time, it is not clear whether the IP address is blocked or not (action   0x0).

7

22.7 Legacy Series / Re: CrowdSec

« on: August 10, 2022, 10:45:22 am »

We have not written anything about HA with opnsense yet because we have not tested that configuration.

Good afternoon!
Thanks a lot for your answer!
I apologize for the bad English, I use computer translation.

Previously, I protected our servers using a Fail2ban, LogWatch and my own scripts that kept a blacklist, as well as sent the IP of the attackers to AbuseIPDB and blocklist.de.

Your system is built on the same principle, but it is much more advanced and has more features.
Therefore, as soon as your plugin appeared in OPNSense, I decided to switch to it.

In our organization, between an external router with Internet access and servers on the internal network, including the DMZ, there are two OPNSense firewalls operating in the «High Availability» mode. We don't have an external LAPI.

I've installed the CrowdSec plugin on an OPNSense firewall running in Master mode, and I'm setting up two test servers to run everything in multiserver mode.

I registered the OPNSense firewall and servers in the console (https://app.crowdsec.net), the servers were registered in the OPNSense firewall using LAPI. Executed the command on the servers
cscli papi register -u http://10.0.0.1:8080
Run a command in OPNSense
cscli machines check xxxxxxxxx

It remains only to configure the bouncers, but here I have not yet figured out what and how to configure on OPNSense, and what and how to configure on the servers. I would like more detailed instructions than described at https://www.crowdsec.net/blog/multi-server-setup, there is a different network diagram.

I would be grateful to you for instructions on setting up bouncers.
I will also be happy to help you develop and test the CrowdSec plugin in the “High Availability” mode on OPNSense.

With respect

8

22.7 Legacy Series / CrowdSec

« on: August 08, 2022, 04:52:33 pm »

Hi all!

Version 22.7 has a new plugin CrowdSec.

Unfortunately, there is not enough documentation for it.
I'm primarily interested in how to configure this plugin on the server with "High Availability" enabled and how to add devices using LAPI in this case.

No one will tell?

9

22.7 Legacy Series / Re: After the update synchronization HA between the master and the backup not work

« on: July 29, 2022, 02:19:30 pm »

# pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/MINT/22.7_4/OpenSSL/All/opnsense-22.7_4.pkg

Thank you! Earned!

10

22.7 Legacy Series / Re: After the update synchronization HA between the master and the backup not work

« on: July 29, 2022, 09:48:04 am »

@rsk I was just trying to understand if this issue appeared on 22.7 talking to 22.7 or on 22.1 talking to 22.7.

This question appeared on 22.7 in a conversation with 22.1.

I first updated the master, and he had already lost contact with the backup, on which there was 22.1

11

22.7 Legacy Series / After the update synchronization HA between the master and the backup not work

« on: July 28, 2022, 06:43:09 pm »

Hi all!

Updated from version 22.1.10 to 22.7, first through the web interface, then through reinstallation from the CD and restoring the saved settings.

Did not help.

On the previous version, synchronization between the master device and the backup worked fine and without problems.
After the update, synchronization stopped working, when I go to the menu item "System - High Availability - Status" I get the following line:

The backup firewall is not accessible or not configured.

12

Web Proxy Filtering and Caching / WAF NAXSI API documentation

« on: July 04, 2022, 05:42:57 pm »

Hi all!

I can't find good documentation on the OPNSense API.

For example, to the downloadrules command (controller settings, nginx module, POST method, SettingsController.php resources).

How to pass this command, what does it pass as arguments, what does it do?

The same goes for many other commands for using NAXSI.

PS Sorry for bad english, I use computer translation.

Who has experience in this topic, who can I turn to for advice?

Thanks in advance.

13

Web Proxy Filtering and Caching / Re: WAF nginx - add rules naxsi

« on: July 01, 2022, 11:28:45 am »

There is an API in the background.

Hello!

One more question.
I installed OPNSense version 22.1.9_1 and NGINX version 1.28_1.
With the NAXSI learning option enabled, the error log contains the rule codes from naxsi_core.rules (NAXSI_FMT, NAXSI_EXLOG), ignoring the fact that some of the policies were disabled, including those policies, rule codes that were found in the error log.

Is it supposed to be like this or is it a bug?

14

Web Proxy Filtering and Caching / Re: WAF nginx - add rules naxsi

« on: June 30, 2022, 10:35:09 am »

There is an API in the background.

Hello!

Thanks a lot for the quick response.
I'm learning settings /usr/local/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php

And where can I find the description of the fields in order to correctly convert the rules?

15

Web Proxy Filtering and Caching / Re: WAF nginx - add rules naxsi

« on: June 29, 2022, 08:38:24 pm »

Convert every rule to a main rule (some are likely already there if you import the standard ruleset) and assign them.

Some of those rules are totally nonsense for a default WP installation like blocking phpmyadmin since it is not there unless you install it or blocking file extensions that should not exist in a WP installation.

Hi!

I'm just learning the ins and outs of configuring WAF (naxsi) and have a lot of questions.

There are several sets of rules in the following format:
MainRule  "str:${" "msg:log4j attack detection " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000086;

How do I import them into OPNSense? It takes a long time to create rules manually through the web interface and not everything is clear either.

Is there another way to import these rules?