Messages - Wuensch-AG-Adm

#1
I've found there is no ProxyPass Timeout global parameter. Is it possible to implement the parameter?
Is there a command to restart only one of the proxies and not all at once?

Thank you in advance.

Regards,

Joel.
#2
Dear OPNsense Community,

For one week, every request that takes longer than 30 seconds has been reset or finalized, and we receive an AH00989 from the OPNWAF Business plugin. The service runs on an official Deciso OPNsense appliance. If it takes less than 30 seconds, it works. I've set up a connection timeout of 300 seconds on the location. I have no clue what could reset the connection every time after 30 seconds. It seems that some FIN packets are sent from the OPNsense OPNWAF too quickly. There's another error, but it's less frequent: AH01102: error reading status line from remote server xx.xx.xx.xx:xxx. My colleagues have confirmed that there's a 502 proxy error in the Edge browser after 30 seconds.
I've checked the status of the application server. The server responds and is available to the OPNWAF. The system worked flawlessly without OPNsense for more than 3 years (it was an Apache proxy system too), which is why I'm a little perplexed by this case. The worst part for us: it's a system already in production.

Could you please give me a hint where I can look in OPNsense to fix this?

Thank you in advance,
Regards,
Joel.
#3
Dear OPNsense Community,

I'm trying to use one of our Business OPNsense units in transparent bridge mode in one of our DMZs. The bridge works until I reboot the system. The appliance is an official Deciso OPNsense DEC3842.
The topology is not so complex, but more complex than what we find on the internet and in forums in general. It's a 3-tier environment and OPNsense isn't used for NATing. I've tried to integrate the OPNsense to scan the traffic (IPS/IDS, CrowdSec and the firewall) between the 1st and 2nd hop of our networks.
Every time I restart the appliance, I have to save the bridge interface again to restore the connections behind the OPNsense. If I don't do that, I can't access the various applications, remote sessions and HTTPS interfaces. It works for about 2 or 3 days, then the connection is lost again. I press the "save" button and it works again.
The online applications work without that because they're proxied by the OPNsense, but our internal connections between the networks do not. What is really strange, and that's why I believe it's a problem with the OPNsense: I can access the UI of the OPNsense and nothing behind it (the last time); sometimes I can access some of the UIs / RDP.

I've found a second problem and I think it's an effect of this bridge problem. If I don't save the parameters from Suricata (IPS/IDS) again, the logs are filled with thousands of these lines: [101142] <Error> -- bridge0: error reading netmap data via polling: No buffer space available
Sometimes it's also written as bridge0^. I've found something about it on the internet, but it doesn't match my case.
I just need to save the Suricata configuration again and it's gone and works as it should.

The topology looks something like this: 1st hop router (with NAT) -> OPNsense as transparent bridge + proxies connected to some web apps -> 2nd hop router (with NAT) -> application servers etc.

It seems that OPNsense is interfering with something in the communication between the routers. I suspected something with ARP, but the last test with some static ARP entries (neighbors) failed. Before the OPNsense we had a Sophos XG (in bridge mode too) and it worked flawlessly. But with the EOL it was time to change.

The only solution for me was to save the bridge and the IPS/IDS configuration again (interface bridge + LAN).

Could you please help me?
I'll go into detail when more information is needed. But it could be a really long topic, so I made this summary.

All the best

Regards

Joel T.
#4
Dear Community / OPNsense Team,
Actually, we are trying to publish our own web application through the OPNWAF (Apache + ModSecurity) and we have a problem that remains unsolved even with the latest version.
There is a core rule that blocks our web application and we cannot upload anything bigger than 8 MB with the web application.
The triggered core rule is id 200004. We have found that this rule often generates false positives (example: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827), but with the OPNWAF Business we have no possibility to disable this rule (thanks, by the way, for the "disable security rules by id" combo box). We are trying to use the Business OPNsense functions (paid functions) professionally. What are our possibilities in this case?
-> We know that we can edit the conf and comment out the rule, but this isn't really a professional solution, and the next time we update our firewall, those comments will be gone.

I hope you can provide us a solution or give us a hint to avoid this kind of problem.

Thank you in advance
Regards,

Joel T.
#5
I have some news here. I've tried to activate the proxy in Windows with the FQDN and port of the OPNsense and somehow it "works". The problem is that the websites are randomly blocked and I cannot understand which of the rules is triggered when the website is blocked.
For example... I've put the website thomas-krenn.com in the whitelist ACL of Squid and in the custom whitelist (allow) ACL of the OPNsense Advanced PROXY (os-OPNProxy), and I'm still blocked on the computer where I've set up the proxy in Windows. How it's possible... I don't know.

In the log (access log) I have something like this:
IP - MAC ADDR USERNAME@DOMAIN "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" NONE_NONE:HIER_NONE
IP - MAC ADDR USERNAME@DOMAIN "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
USERNAME@DOMAIN is in a group in a custom allow rule.

Policy tester:
{
  "message": "OK user=\"User\"\n",
  "user": {
    "uid": "User",
    "id": "2020",
    "applies_on": [
      "u:User",
      "g:Group One",
      "g:Group Two"
    ]
  },
  "policy": {
    "action": "allow",
    "policy_type": "fallback"
  }
}

I'm sure that this website isn't in a blacklist.

Is there a possibility to have a log that writes which of the rules is triggered?

It's pretty hard to administer the web filter like that.

I've followed this to implement the OPNProxy: https://docs.opnsense.org/manual/opnproxy.html
But it doesn't seem to be enough for the web proxy to be fully configured.

Thanks in advance.

Joel T.
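The two access-log lines quoted in the post (a 403 with NONE_NONE:HIER_NONE and a CONNECT with TCP_DENIED:HIER_NONE) are the evidence to mine when a whitelisted site is still blocked: the hierarchy code tells you whether the origin server was ever contacted. The following is an added example, not code from the post, Squid or OPNsense. It assumes the field order of the custom log layout quoted above (client, "-", MAC, user, request, status, bytes, referer, user-agent, squid-result:hierarchy) and works on constructed sample lines with placeholder client addresses and a shortened user-agent.

```python
"""Triage Squid access-log lines: which denials came from the proxy's own
ACL/filter rules and which responses came from the origin server.
Added example, not code from the forum post, Squid or OPNsense.  It assumes
the custom log layout quoted in the post (client, '-', MAC, user, request,
status, bytes, referer, user-agent, squid-result:hierarchy); the sample
lines are constructed with placeholder client addresses and a short UA."""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<mac>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)

# Constructed sample in the shape of the post's lines (placeholder values).
SAMPLE_LOG = """\
192.0.2.10 - 00:11:22:33:44:55 user@EXAMPLE "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.10 - 00:11:22:33:44:55 user@EXAMPLE "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0" NONE_NONE:HIER_NONE
192.0.2.10 - 00:11:22:33:44:55 user@EXAMPLE "GET http://example.org/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT
192.0.2.11 - 00:11:22:33:44:66 other@EXAMPLE "GET http://example.org/blocked HTTP/1.1" 403 310 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
"""


def parse_line(line):
    """Split one log line into its fields; returns None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = int(e["bytes"])
    if e["method"] == "CONNECT":
        e["host"] = e["url"].rsplit(":", 1)[0]      # CONNECT logs host:port
    else:
        e["host"] = urlsplit(e["url"]).hostname or ""
    return e


def classify(e):
    """Return (denied_by_proxy, explanation) for one parsed entry."""
    note = ""
    if e["method"] != "CONNECT" and e["url"].startswith("https://"):
        # Squid can only log a GET inside a TLS session if the CONNECT tunnel
        # was bumped (decrypted); a plain or spliced tunnel logs only CONNECT.
        note = "inner request of a bumped (decrypted) TLS session; "
    no_origin = e["hier"] == "HIER_NONE"             # no upstream/origin contacted
    if e["result"].startswith("TCP_DENIED") or (no_origin and e["status"] == 403):
        return True, note + "denied by the proxy's own ACL/filter, origin never contacted"
    if no_origin:
        return False, note + f"proxy-generated response {e['status']}"
    return False, note + f"origin response {e['status']} via {e['hier']}"


def denied_requests(log_text):
    """List (user, method, host, explanation) for every proxy-side denial."""
    rows = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        denied, why = classify(e)
        if denied:
            rows.append((e["user"], e["method"], e["host"], why))
    return rows


if __name__ == "__main__":
    for row in denied_requests(SAMPLE_LOG):
        print("  ".join(row))
```

Run it over the real access log once the lines are confirmed to match the layout; anything the script reports as a proxy-side denial was never sent upstream, so the blocking ACL or filter helper is on the OPNsense side, not at the destination.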

#6
Dear OPNsense Community,

We have purchased a Deciso appliance with a Business license to replace our Sophos UTM. We thought that it would be possible to replace the Sophos UTM web filter (transparent with LDAP) with the OPNsense plugins (WEB PROXY + OPNPROXY + SSO). But it doesn't work for us right now. The Business plugin OPNPROXY could be the solution. It seems that the plugin cannot work with the SSO plugin. That's really sad. We have set up the access control, but nothing is applied as it should be. The policy tester is working, but in reality nothing is filtered in the browser. It's as if the OPNPROXY plugin isn't enabled or present, and I've set up lots of rules. The WEB PROXY is working as it should.
Is it right that this Business plugin cannot work with SSO (AD)?
If yes, I think that's the biggest missing feature in this plugin. If no, what could I have missed, please?

Thanks in advance,

Regards,

Joel T.
#7
Intrusion Detection and Prevention / Re: NetMap Error
November 22, 2024, 11:01:05 AM
I have no OPNsense in a VM. We have Deciso full hardware and we had the same problem.
I've just added the WAN interface in the Intrusion Detection settings and now the log went silent about this problem.

I hope it'll help.

I've started another thread about that because I had a combination of problems after the upgrade:

https://forum.opnsense.org/index.php?topic=44178.0
#8
Update:
In the Intrusion Detection I have to choose the WAN interface even though I only use a bridge.
Is this a bug or a design problem?
Now the log has gone silent.

Can someone explain it to me? And I repeat, there was nothing like that before the upgrade.
#9
Dear OPNsense community,

I've found that the disk was full. The OPNsense wasn't really available anymore for the rest of the network. I've received some e-mail alerts that the processor of the appliance was overloaded. The appliance was bought this year; it's a Deciso 3842 AMD EPYC 8GB 256GB M.2.

The communication between our cluster and backup NAS was broken. Problems cascaded from one to the next.

I think something went wrong after the upgrade to version 24.10_7; Suricata is indeed integrated in OPNsense. I've deleted the old logs, but we still have a problem with the IDS - a flooding of the following information.
bridge0^: error reading netmap data via polling: No buffer space available

Now it would be really interesting to know why this has changed between the versions of the OPNsense system.

Regards,

Joel.


PS: I've already set the IDS log to be much smaller, but that's not the solution.
#10
Dear OPNsense community,

We have a Business license, which normally means receiving a stable version after every update / upgrade, but it's not the case. Last upgrade from 24.4.3 to version 24.10_7 (amd)
os-OPNWAF version 1.6 - os-crowdsec 1.0.8_1, and Intrusion Detection is activated
After the upgrade the logs from Suricata filled up (and the disk too) -> Resource limit succeeded Service RootFs

Topology:
We have a bridge; the firewall is in our DMZ behind the 1st hop, where there is another router/firewall. The OPNsense is there for its WAF / PROXY functions (OPNWAF / SURICATA / CrowdSec).

We have some Nextcloud instances and we are securing the traffic to Nextcloud with OPNsense.
Since the last upgrade the logs filled up with Suricata. I've deleted some logs; they were bigger than 100 GB.

Now the firewall is simply blocking the traffic from the Nextcloud to everything, even though I've made some rules like Nextcloud to everything with any ports.

All the services are green.

I cannot explain what is happening, but for a Business license, I think this version has a bug!

I've already restarted; nothing is working and I don't know where to begin with this kind of stuff. In the OPNWAF the logs don't show any problem. It seems to be a problem with the firewall!

example:
__timestamp__   2024-11-22T08:31:43
ack   3809070810
action    [block]
anchorname   
datalen   0
dir    [in]
dst   XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport   48012
ecn   
id   4409
interface   bridge0
interface_name   BRG
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   
src   XX.X.XXX.XXX (Nextcloud)
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   506

The worst thing: I've changed nothing. Everything is going wrong after the upgrade to version 24.10_7

Could you please help me?

Thank you in advance!

Regards,

Joel.
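The record quoted in the post is worth reading field by field: the blocked packet carries tcpflags A only (no SYN), comes from port 443 on the Nextcloud host towards an ephemeral port on the firewall, and hits the "Default deny / state violation rule". That combination is a state-table miss, not a user rule deciding against the traffic. The following is an added example, not code from the post or from OPNsense, that parses the key/value layout of the OPNsense log view and makes that distinction. It assumes one "key   value" per line as shown above; the record is constructed with RFC 5737 addresses and the same fields as the post's entry, and the set of firewall-owned addresses is an assumption the caller supplies.

```python
"""Classify OPNsense/pf filterlog block records: ACL hit or state-table miss?
Added example, not code from the forum post or from OPNsense.  It reads the
key/value layout shown in the post's log view (one "key   value" per line).
The record below is constructed with RFC 5737 addresses but carries the same
fields as the post's entry (ACK-only TCP segment from port 443, blocked by
the default deny / state violation rule on bridge0)."""
import re

# Constructed sample record in the shape of the post's log entry.
SAMPLE_RECORD = """\
__timestamp__   2024-11-22T08:31:43
action    [block]
dir    [in]
dst   198.51.100.2
dstport   48012
interface   bridge0
interface_name   BRG
ipversion   4
label   Default deny / state violation rule
protoname   tcp
reason   match
rulenr   4
src   198.51.100.20
srcport   443
tcpflags   A
ttl   64
"""

KV_RE = re.compile(r"^(\S+)\s+(.*\S)\s*$")

EPHEMERAL_START = 1024   # assumption: ports >= 1024 are treated as client-side ports


def parse_record(text):
    """Turn the key/value dump into a dict; '[block]'-style values lose the brackets."""
    rec = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue                      # keys with empty values (anchorname, seq, ...) are skipped
        key, val = m.groups()
        if val.startswith("[") and val.endswith("]"):
            val = val[1:-1]
        rec[key] = val
    return rec


def classify_block(rec, local_ips=frozenset()):
    """Explain why pf blocked the packet.

    local_ips: addresses owned by the firewall itself (assumption: supplied by
    the caller), used to tell replies to the firewall's own proxy/WAF
    connections from forwarded traffic."""
    if rec.get("action") != "block":
        return "not a block record"
    flags = rec.get("tcpflags", "")
    label = rec.get("label", "")
    sport = int(rec.get("srcport", 0))
    dport = int(rec.get("dstport", 0))
    if rec.get("protoname") == "tcp" and "S" not in flags and "state violation" in label:
        # A TCP segment without SYN belongs to an already established connection.
        # pf passes such segments only through an existing state entry; pass rules
        # match new connections (SYN) by default and never apply to it.  Hitting
        # the implicit default deny therefore means: no state for this flow.
        # Typical causes: state table emptied by a service/interface restart,
        # state timeout, or the two directions of the flow taking different
        # paths through the bridge (asymmetric traffic).
        kind = ("reply from a server port to an ephemeral client port"
                if sport < EPHEMERAL_START <= dport else "mid-stream segment")
        target = ("to this firewall itself (e.g. its proxy/WAF connection)"
                  if rec.get("dst") in local_ips else "forwarded traffic")
        return (f"state-table miss: {kind}, {target}; interface {rec.get('interface')}. "
                "Adding pass rules will not help; investigate state loss or asymmetric traffic.")
    if "S" in flags and "A" not in flags:
        return f"new connection refused by rule {rec.get('rulenr')} ({label})"
    return f"blocked by rule {rec.get('rulenr')} ({label})"


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    print(classify_block(record, local_ips={"198.51.100.2"}))
```

If most of the blocked entries after an upgrade classify as state-table misses, the next things to check are whether the proxy/WAF and IDS services were restarted at the same time (which can drop states) and whether both directions of each flow really traverse bridge0.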

#11
Hello Franco, Hi dear community,

No misunderstanding, I like using OPNsense, and
I've found some solutions in the UI:
Firewall -> Web Application -> Gateways -> Virtual servers
But I don't think that disabling a whole rule because of one parameter of the rule is an enhancement of the security of the WAF. An exception for a certain URL would be a great improvement.
Maybe I'm wrong.

Regards,

Joel.
#12
Hello Franco,

could you please explain how?
We had a maintenance on the OPNsense and an update (version 24.10_7 and os-OPNWAF 1.6). Now it's even worse: there's no exception anymore for Nextcloud and Nextcloud cannot show the files in the UI.
My workflow before the update worked; now I must repeat everything from the start, because the rules were changed.

Thanks in advance for your help

Regards,
Joel.
#13
Every time I restart the plugin / service, I lose all the changes in the conf files. Is there a special way to do this with OPNsense? Because I need to fix this ASAP.
#14
Hello,
thank you for your fast answer.
Is there some possibility to apply the new parameters so that ModSecurity keeps them? (I mean in console mode / shell)
I've found the parameters in this file:
/usr/local/etc/apache24/modsecurity.conf
But if I change something, the next restart of the plugin / service resets the parameters to the original values (13107200 and 131072). I can't change anything. The "App Specific Rule Exclusions" for Nextcloud in Firewall -> Web Application -> Settings -> Web protection does nothing. There's no effect on the Nextcloud.

I've found the rule set files for Nextcloud too, but nothing works.
I've deactivated the Web protection, because with it, nobody can really use Nextcloud. For now I'm using only the gateway web server. I was thinking that a business solution like this WAF plugin would work.

I forgot to write that we are using OPNsense 24.4.2-amd64 with os-OPNWAF 1.5.

Can I add the parameters in the gateway_vhosts.conf?

Thanks in advance.

Regards,

Joel Timm.
#15
Dear OPNsense community,

We bought the 3-year package to have business capabilities on the firewall in our company. But as soon as we started configuring OPNWAF (Web Application) Business, it didn't work as expected. We can't upload any documents or photos, regardless of file size (error 413). Some Nextcloud applications generate errors (such as "Photos", or we lose the ability to change profile status). On the firewall, in the Web Protection tab, I've configured Nextcloud-specific rule exclusions, but that doesn't seem to do anything...

We have found that there's a limitation in the ModSecurity on the OPNWAF. The info is in the web error log:
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/

The problem with this plugin is that we couldn't find any documentation of the plugin paths on the hard disk. We have no idea how to set up this plugin, and there's no way of changing anything in the user interface. That's sad for a Business tool.

If someone with experience with this plugin can explain to me where I can change the configured limit, I'd be very happy not to lose my time with this kind of stuff.

Thank you in advance.

Regards,

Joel. T
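The two posts about the 131072 limit (the ModSecurity 413 above, and the earlier note that /usr/local/etc/apache24/modsecurity.conf resets to 13107200 and 131072 on restart) both come down to identifying which request-body directive the error log is reporting and what value is actually in force. The following is an added example, not code from the posts or from the OPNWAF plugin: it maps a ModSecurity 2.x "Deny with code (413)" message to the directive whose value it prints, reads the value from a modsecurity.conf excerpt, and predicts which limits a request of a given size would trip. The message texts are the ones ModSecurity 2.x emits; the error-log line (the post's wording with a placeholder host and a completed URI) and the config excerpt are constructed.

```python
"""Map ModSecurity 2.x "Deny with code (413)" error-log entries to the
request-body limit directive that fired, and check a modsecurity.conf for
the value in force.  Added example; not code from the forum posts or from
the OPNWAF plugin.  The message texts are those ModSecurity 2.x emits; the
error-log line and the config excerpt below are constructed (the line
copies the post's wording with a placeholder host and a completed URI)."""
import re

# ModSecurity 2.x body-limit messages -> directive whose value is printed.
LIMIT_MESSAGES = {
    "Request body no files data length is larger than the configured limit":
        "SecRequestBodyNoFilesLimit",
    "Request body (Content-Length) is larger than the configured limit":
        "SecRequestBodyLimit",
    "Request body is larger than the configured limit":      # chunked bodies
        "SecRequestBodyLimit",
}

# Compiled-in defaults of ModSecurity 2.x, used when the directive is absent.
BUILTIN_DEFAULTS = {"SecRequestBodyLimit": 134217728,
                    "SecRequestBodyNoFilesLimit": 1048576}

ERRLOG_RE = re.compile(
    r'ModSecurity: (?P<msg>.+?) \((?P<limit>\d+)\)\.* Deny with code \((?P<code>\d+)\)'
    r'.*?\[hostname "(?P<host>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

# Constructed error-log line in the post's wording (placeholder host/URI).
SAMPLE_ERROR_LOG = (
    '[Wed Nov 20 10:00:00.000000 2024] [:error] [pid 1234] [client 203.0.113.5:51000] '
    'ModSecurity: Request body no files data length is larger than the configured '
    'limit (131072).. Deny with code (413) [hostname "cloud.example.net"] '
    '[uri "/remote.php/dav/files/alice/photo.jpg"]'
)

# Constructed config excerpt carrying the values the posts report.
SAMPLE_CONF = """\
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
"""


def parse_deny(line):
    """Extract message, printed limit, status code, hostname and URI from one line."""
    m = ERRLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["limit"] = int(d["limit"])
    d["code"] = int(d["code"])
    d["directive"] = LIMIT_MESSAGES.get(d["msg"])
    return d


def read_limits(conf_text):
    """Collect SecRequestBody* directives (comments stripped) as a dict."""
    limits = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(SecRequestBody\w+)\s+(\S+)$", line)
        if m:
            key, val = m.groups()
            limits[key] = int(val) if val.isdigit() else val
    return limits


def assess(errlog_line, conf_text):
    """Tie a 413 log entry to the directive and to the value in the config."""
    d = parse_deny(errlog_line)
    if d is None or d["directive"] is None:
        return None
    limits = read_limits(conf_text)
    configured = limits.get(d["directive"], BUILTIN_DEFAULTS[d["directive"]])
    return {
        "host": d["host"], "uri": d["uri"], "directive": d["directive"],
        "limit_in_log": d["limit"], "limit_in_conf": configured,
        "conf_matches_log": configured == d["limit"],
        # Reject (the default) answers 413; ProcessPartial would let the
        # request through with only the first bytes inspected.
        "action": limits.get("SecRequestBodyLimitAction", "Reject"),
    }


def limits_tripped(conf_text, body_bytes, non_file_bytes):
    """Which limits a request with these sizes would exceed.

    Only multipart/form-data file parts are exempt from the no-files limit;
    for any other body (a WebDAV PUT, JSON, ...) every byte is "no files"
    data, so pass non_file_bytes=body_bytes for those."""
    limits = read_limits(conf_text)
    tripped = []
    if body_bytes > limits.get("SecRequestBodyLimit", BUILTIN_DEFAULTS["SecRequestBodyLimit"]):
        tripped.append("SecRequestBodyLimit")
    if non_file_bytes > limits.get("SecRequestBodyNoFilesLimit",
                                   BUILTIN_DEFAULTS["SecRequestBodyNoFilesLimit"]):
        tripped.append("SecRequestBodyNoFilesLimit")
    return tripped


if __name__ == "__main__":
    print(assess(SAMPLE_ERROR_LOG, SAMPLE_CONF))
    print(limits_tripped(SAMPLE_CONF, 9_000_000, 9_000_000))
```

The no-files rule is the practical point: a WebDAV PUT under /remote.php/dav/ is not a multipart upload, so its whole body counts against SecRequestBodyNoFilesLimit, and a 128 KiB ceiling rejects files of nearly any size. Raising that directive (while keeping SecRequestBodyLimit as the hard cap) is the targeted change; it has to be made wherever the plugin regenerates modsecurity.conf from, not in the generated file itself.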