Messages - Wuensch-AG-Adm

#1
To me, it seems to be something like (not identical, but similar to) what is described in this post:
https://forum.opnsense.org/index.php?topic=48640.0
And I think that "no one else" is no longer accurate.

I'm vague because I don't have time to mess around and figure out why it isn't working. I will do this in my own time, not during our company's working hours with coworkers who aren't working at that time.

The only thing I can say: with version 25.4.1 the communication with our Cisco main gateway (incl. the connection with the management software) is working flawlessly. We can access our web applications located in our DMZs with a resolution through our own DNS server (inside). The DMZs are located on the Cisco and the OPNsense is bridged on the inside of the Cisco interface to ensure the IPS/IDS security of our internal network. All IPs of the DMZs are NATed on the Cisco and the OPNsense has a route to send everything unknown to the Cisco main gateway (0.0.0.0/0). LAN/WAN are bridged. After the upgrade to 25.4.2 we cannot access the management software of the Cisco gateway (the inside IP of the Cisco is in the same segment as the problematic OPNsense), and colleagues are receiving timeouts in the browser when they try to access our web applications in the DMZs. I cannot explain everything here because the topology is much more complex, and on every tier (DMZs / outside network segment) we have one OPNsense Business on OPNsense hardware. It's a star topology with the Cisco GW in the middle, and the satellites / tiers are OPNsense appliances if you want.
To sum up: with 25.4.2 the forwarding of requests to the NATed addresses (on the Cisco GW) and to the Cisco GW itself isn't done anymore. The routing rule with 0.0.0.0/0 through the Cisco GW isn't correctly applied when the IP addresses are on the same network segment.

Now, I can no longer describe in detail what happened with the help of the logs. This is because I had to use the snapshot function really quickly because the project managers had directed calls/complaints to our department. All I can say is that nothing was displayed in the live part of the firewall (request also made on the Cisco gateway), and I am sure that this is the case with version 25.4.1.

For me, paid business support makes sense when we need an additional feature or something we don't understand technically. But not to fix problems where everything was working fine before and suddenly stopped working after the update/upgrade without any further changes. That can't be part of any business plan. The logic of having a paid stable business version is not followed here. Please don't take us the wrong way, we are OPNsense customers. But anyway... that's not the subject here.

I'll try again when no one is working on our internal network. I just need to plan it now.

Regards,

Joel.
#2
I can guarantee that this is a problem with version 25.4.2 -> version 25.4.1 works and we will keep using it!

It would be good if the OPNsense team would improve its business version before releasing it.
#3
Dear OPNsense community,

for us it's not the first time that, despite having a Business Edition, we are losing some of our connections to our DMZ applications after an upgrade (for example with Suricata, which broke some of our communications if IPS mode wasn't deactivated).
This time, we have simply lost management access to our main GW (Cisco) and the communication with our NATed systems in our DMZs. The NAT for these systems is done on our main gateway (Cisco).

Our routing configuration is really simple: network 0.0.0.0/0 to our main GW (Cisco), and we have a LAN/WAN bridge to use the IPS/IDS/proxy capabilities of OPNsense. Until now this setup has worked flawlessly, but after the upgrade we cannot manage our main GW anymore and the resolved addresses of our DMZ web apps aren't accessible.

On our side it's critical because no colleague here can work on any of our apps anymore. I cannot check anything on the main GW because it's not accessible either.

Could someone give me a hint?
We used to believe that the Business Edition is well tested and tailored for the Business environment.

Thank you in Advance for your information,

Regards,

Joel.
#4
Many thanks!

Regards,

Joel
#5
Thank you.
I will try this. I had another fight with the OPNWAF: the timeout parameter on the proxy balancer is missing, and every time after an apply I need to change the config file like this:
BalancerMember https://xx.xx.xx.xx connectiontimeout=xxx timeout=xxx

I will try as soon as our customer is less active on the application server.
And one question about the use of modsecurity_ruleid.json:
If we update/upgrade our appliance and the system, will this file change or be rewritten? Because right now it's our main problem.

Thank you ahead.
#6
Hi,

right now I'm pretty busy with system migrations. We are still using the proxy as simply as we could (HTTP), no OPNproxy and no SSO. We are using the OPNsense like we could use a pfSense, I mean with almost no plugins.
Have you had any answer from support on this topic? After the migrations I will look for an alternative (maybe I will set up a server myself with all the options that I need), because in my opinion it's really too light as it's configured.

Regards,
Joel.
#7
Dear Opnsense Community,

Is there a way, as with NGINX and Naxsi, with the OPNWAF Web Application Business plugin to limit the simultaneous connections from one IP for the proxied applications?
It's a well-known and needed security feature of web application proxies. It's possible that it is present in the plugin, but I've found nothing. Maybe it's possible on another layer of the OPNsense firewall or in another plugin.

Thank you ahead,

Regards,

Joel.
#8
Hi,

there is no output.
The Version is: 25.4
-> the only output with grep is in apache24 level folder -> modsecurity.conf
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

On GitHub and in many forums, it is pointed out that this rule triggers many false positives. Why is this rule not set up as information only by default?
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827
https://community.sophos.com/sophos-xg-firewall/f/discussions/136863/false-positive-which-can-t-be-skipped
https://stackoverflow.com/questions/77583424/modsecurity-multipart-boundary-false-positives

Thank you for your help.

Regards,

Joel.
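The rule quoted above (id 200004, the unmatched multipart boundary check in modsecurity.conf) can be tuned without editing the shipped file. The following is an added example of plain Apache httpd / ModSecurity v2 configuration; it is not code from the OPNsense or OPNWAF project. It assumes OPNWAF runs Apache httpd 2.4 with ModSecurity v2 under the FreeBSD default path /usr/local/etc/apache24/, that the snippet is loaded after modsecurity.conf, and that the "/upload" location is a constructed placeholder for the path that actually produces the false positives.

```apache
# Added example, not OPNWAF's own configuration. Scope rule 200004 to
# log-only on the one location known to trip it, instead of weakening it
# for every proxied application. This file must be included AFTER
# modsecurity.conf, because SecRuleUpdateActionById only affects a rule
# that has already been defined.
# "/upload" is a constructed placeholder for the affected location.
<LocationMatch "^/upload">
    # Replace the original "deny" with "pass": the request goes through,
    # but the event still lands in the error log and the audit log so the
    # false positive remains visible and can be reviewed later.
    SecRuleUpdateActionById 200004 "pass,log,auditlog"
</LocationMatch>

# Everywhere else the rule keeps the "deny" action from modsecurity.conf.
# To confirm which copy of the rule is live on the box, search the loaded
# configuration tree (FreeBSD default path, assumed here):
#   grep -rn "200004" /usr/local/etc/apache24/
```

Keeping the rule in deny mode everywhere else matters: an HTTP body the WAF cannot parse consistently is exactly the case where the WAF's view and the backend's view of the request can diverge, so the exception should stay as narrow as the false positive allows. Since post #5 on this page reports that hand edits are overwritten on apply, treat this as a way to verify the diagnosis rather than a permanent fix unless the plugin offers a place for custom includes.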
#9
Hello WireShire,

We have disabled the business functionality because it is simply useless to us.
With the new version 25.4.1, we are experiencing even more problems and cannot find a solution ourselves, as there is no useful documentation on this topic.
We are considering using another solution that we can rely on more. I think that this is unfortunately just one example of how the modularity of a solution is not always an advantage.

Quote from: wirehire on June 14, 2025, 06:21:51 PM
Hello Joel,

We also bought a Deciso appliance, and we also want to use Squid as a forward proxy. With the opn-proxy business plugin we think it has the complete functionality that we want.

But we also don't understand it fully. We tried different settings, but we also see "policy fallback allow" and don't know where it comes from.
We have a * block and one single allowed site to test, but when we change the IP or something different, the policy fallback allow rule comes.

When we delete custom rules, apply, restart or stop the plugin and start it again, the policy tester shows the old custom rules and says allow.
How can we clear the cache of the tester? I thought it's a business solution, not one time it functions, one time not.

The wiki is not good for the product. It must have examples for a default business-like scenario with block all, and allow different custom sites.

Do you have a final resolution? Or can someone that has used the business proxy settings share pictures?
#10
For us, there was no other solution than to disable the transparent proxy and use the proxy with the simplest options on IPs.
The proxy with username and password does not work at all (LDAP AD): it can import the users but does not recognize the user's password when they try to log in.
We had this feature and it worked flawlessly with Sophos for almost 7/8 years without any interruptions.
We had a presentation saying that OPNsense could easily replace the Sophos appliance; I'm not sure anymore.

This is already the third time I have had to change the proxy configuration after an update/upgrade was performed on the proxy, and each time we lose functionality.
@elenagilbert: I will dig into this, but I cannot only focus on OPNsense right now.

Thank you all for your help.
Regards,
Joel.
#11
Thank you for your reply, Patrick.
I will continue to try to use all communication channels. I don't consider this forum to be a support platform. Perhaps someone else has already had this problem.
We purchase business appliances in order to have stable versions and fewer or no problems with troubleshooting. The support channel would be intended for us if we needed to set something up and it wasn't working, but that wasn't the case this time.
Regards.
#12
Dear Community and OPNsense Team,

we have bought a Deciso / OPNsense appliance, the Business Edition, to always receive a stable version of the system and of the plugins too (normally they're tested on the community version).
Today during the maintenance, we have upgraded our appliance to version 25.4.1, and after the reboot the Squid plugin doesn't work anymore.
Version: os-squid 1.2
A segmentation fault warning, and it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company has no Internet without a chaotic passthrough that I needed to set up urgently.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirement for the business functions)
If not, as Business customers we need the list of the Business plugins that we can use (when we are buying the appliance, for example).

Here is the info on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

Segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan, if we need to restore quickly?
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the Squid proxy, but the problem is still the same because of the NAT that the Squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you ahead for your help.

Regards,

Joel.
#13
I've found there is no ProxyPass Timeout global parameter. Is it possible to implement the parameter?
Is there a command to restart only one of the proxies and not all at once?

Thank you ahead.

Regards,

Joel.
#14
Dear OPNsense Community,

for one week, every request that takes longer than 30 sec is reset or finalized and we are receiving an AH00989 from the OPNWAF Business plugin. The service is active on an official Deciso OPNsense appliance. If it's less than 30 sec, it will work. I've set up on the location a connection timeout of 300 secs. I've no clue what could reset the connection every time after 30 secs. It seems that some FIN packets are sent from the OPNsense OPNWAF too quickly. There's another error, but it's less frequent: AH01102: error reading status line from remote server xx.xx.xx.xx:xxx. My colleagues have confirmed that there's a 502 proxy error in the Edge browser after 30 secs.
I've checked the status of the application server. The server responds and is available for the OPNWAF. The system has worked flawlessly without OPNsense for more than 3 years (it was an Apache proxy system too), that's why I'm a little perplexed by this case. The worst for us: that's a system already in production.

Could you please give me a hint where I can look in OPNsense to fix this?

Thank you ahead,
Regards,
Joel.
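Posts #5, #13 and #14 above all turn on the same set of Apache httpd mod_proxy timeout settings (the BalancerMember line, the missing global ProxyPass timeout, and the 30 s resets). The following is an added example of hand-written httpd 2.4 configuration showing how those settings relate; it is not code from the OPNsense or OPNWAF project, and the backend addresses, paths and balancer name are constructed placeholders. It assumes mod_proxy, mod_proxy_http, mod_proxy_balancer, mod_lbmethod_byrequests and mod_ssl are loaded, which the OPNWAF plugin may or may not do the same way.

```apache
# Added example, not OPNWAF's generated configuration. Backend addresses,
# paths and the balancer name are constructed placeholders.

# Global default for every mod_proxy backend. When it is not set, mod_proxy
# falls back to the server-wide "Timeout" value (60 s by default in 2.4).
ProxyTimeout 300

# Per-route override: "timeout" is how long httpd waits for the backend's
# response data; "connectiontimeout" only covers the TCP connect phase.
# Both are in seconds. The per-route value wins over ProxyTimeout.
ProxyPass        "/app/" "http://192.0.2.10:8080/app/" timeout=300 connectiontimeout=5
ProxyPassReverse "/app/" "http://192.0.2.10:8080/app/"

# Balanced backends take the same keys on each member, which is the line
# post #5 reports having to re-add after every apply. SSLProxyEngine is
# required because the members are reached over https.
SSLProxyEngine on
<Proxy "balancer://appcluster">
    BalancerMember "https://192.0.2.11" connectiontimeout=5 timeout=300
    BalancerMember "https://192.0.2.12" connectiontimeout=5 timeout=300
</Proxy>
ProxyPass        "/cluster/" "balancer://appcluster/"
ProxyPassReverse "/cluster/" "balancer://appcluster/"

# Check the running instance picked the file up and that the syntax is valid:
#   apachectl configtest
```

Two points follow from the semantics rather than from anything on this page. First, if the "connection timeout of 300 secs" set in the UI in post #14 maps to connectiontimeout (the connect phase) rather than timeout (waiting for the response), it would not influence a cutoff that happens 30 s into the response wait. Second, if a request still fails at exactly 30 s with timeout=300 in the live configuration, the reset is coming from something other than mod_proxy's read timeout: the backend's own limits, an intermediate device, or the plugin regenerating the file on apply and dropping the edit, as post #5 describes.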
#15
Dear OPNSense Community,

I'm trying to use one of our Business OPNsense in transparent bridge mode in one of our DMZs. The bridge will work until I reboot the system. The appliance is an official Deciso OPNsense DEC3842.
The topology is not so complex, but more complex than what we find on the internet and in forums in general. It's a 3-tier environment and OPNsense isn't used for NATing. I've tried to integrate the OPNsense to scan the traffic (IPS/IDS, CrowdSec and the firewall) between the 1st and 2nd hop of our networks.
Every time I restart the appliance, I have to save the bridge interface again to restore the connections behind the OPNsense. If I don't do that, I can't access the various applications, remote sessions and HTTPS interfaces. It works for about 2 or 3 days, then the connection is lost again. I press the "save" button and it works again.
The online applications are working without that because they're proxied by the OPNsense, but our internal connections between the networks are not. What is really strange, and that's why I believe it's a problem with the OPNsense: I can access the UI of the OPNsense and nothing behind it (the last time); sometimes I can access some of the UIs / RDP.

I've found a second problem and I think it's an effect of this bridge problem. If I don't save the Suricata (IPS/IDS) parameters again, the logs are filled with thousands of these lines: [101142] <Error> -- bridge0: error reading netmap data via polling: No buffer space available
Sometimes it's also written with bridge0^. I've found something about it on the internet but it doesn't match my case.
I just need to save the Suricata configuration and it's gone and works as it should.

The topology looks something like this: 1st Hop Router (with NAT) -> OPNSense as transparent bridge + proxies connected to some Web Apps -> 2nd Hop Router (with NAT) -> application servers etc...

It seems that OPNsense is interfering with something in the communication between the routers. I've suspected something with ARP, but the last test with some static ARP entries (neighbors) failed. Before the OPNsense we had a Sophos XG (in bridge mode too) and it worked flawlessly. But with the EOL it was time to change.

The only solution for me was to save the bridge and the IPS/IDS configuration again (interface bridge + LAN).

Could you please help me?
I'll go into detail, when some information is needed. But it could be a really long topic, so I made this summary.

All the best

Regards

Joel T.