Messages - Wuensch-AG-Adm

#1
Hi,

There is no output.
The version is 25.4.
-> The only output from grep is in the apache24-level folder -> modsecurity.conf:
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

On GitHub and in many forums, it is pointed out that this rule triggers many false positives. Why is this rule not set up as information only by default?
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827
https://community.sophos.com/sophos-xg-firewall/f/discussions/136863/false-positive-which-can-t-be-skipped
https://stackoverflow.com/questions/77583424/modsecurity-multipart-boundary-false-positives

Thank you for your help.

Regards,

Joel.
#2
Hello WireShire,

We have disabled the Business functionality because it is simply useless to us.
With the new version 25.4.1, we are experiencing even more problems and cannot find a solution ourselves, as there is no useful documentation on this topic.
We are considering using another solution that we can rely on more. I think that this is unfortunately just one example of how the modularity of a solution is not always an advantage.

Quote from: wirehire on June 14, 2025, 06:21:51 PM
Hello Joel,

We also bought a Deciso appliance, and we also want to use Squid as a forward proxy. With the opn-proxy Business plugin we think it has the complete functionality that we want.

But we also don't understand it fully. We tried different settings, but we also see "policy fallback allow" and don't know where it comes from.
We have a * block and tested a single site allow, but when we change IP or something different, the policy fallback allow rule comes up.

When we delete custom rules, apply, restart or stop the plugin and start it again, the policy tester shows the old custom rules and says allow.
How can we clear the tester's cache? I thought it's a Business solution, not one where one time it functions and one time not.

The wiki is not good for the product. It must have examples for a default business-like scenario with block all and allow custom different sites.

Do you have a final resolution? Or can someone that has used the Business proxy settings share pictures?
#3
For us, there was no other solution than to disable the transparent proxy and use the proxy with the simplest options on IPs.
The proxy with username and password does not work at all (LDAP AD): it can import the users but does not recognize the user's password when they try to log in.
We had this feature and it worked flawlessly with Sophos for almost 7-8 years without any interruptions;
we had a presentation that OPNsense could easily replace the Sophos appliance, I'm not sure anymore.

This is already the third time I have had to change the proxy configuration after an update/upgrade was performed on the proxy, and each time we lose functionality.
@elenagilbert: I will dig into this, but I cannot only focus on OPNsense right now.

Thank you all for your help.
Regards,
Joel.
#4
Thank you for your reply, Patrick.
I will continue to try to use all communication channels. I don't consider this forum to be a support platform. Perhaps someone else has already had this problem.
We purchase business appliances in order to have stable versions and fewer or no problems with troubleshooting. The support channel would be intended for us if we needed to set something up and it wasn't working, but that wasn't the case this time.
Regards.
#5
Dear Community and OPNsense Team,

we bought a Deciso / OPNsense appliance, the Business Edition, in order to always receive a stable version of the system and of the plugins too (normally they're tested on the community version).
Today during maintenance, we upgraded our appliance to version 25.4.1, and after the reboot the Squid plugin doesn't work anymore.
Version: os-squid 1.2
A segmentation fault warning; it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company has no Internet without a chaotic passthrough that I need to set up urgently.

The first question: Shouldn't the Business Edition be tested better with plugin integration (the minimum requirements for the Business functions)?
If not, for the Business customer we need the list of the Business plugins that we can use (when we are buying the appliance, for example).

Here is the info from the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

Segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan, if we need to restore quickly?
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the Squid proxy but the problem is still the same because of the NAT that the Squid proxy creates when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you in advance for your help.

Regards,

Joel.
#6
I've found there is no ProxyPass Timeout global parameter. Is it possible to implement the parameter?
Is there a command to restart only one of the proxies and not all at once?

Thank you in advance.

Regards,

Joel.
#7
Dear OPNsense Community,

for one week, every request that takes longer than 30 sec is reset or finalized and we are receiving an AH00989 from the OPNWAF Business plugin. The service is active on an official Deciso OPNsense appliance. If it's less than 30 sec, it works. I've set up a connection timeout of 300 secs on the location. I've no clue what could reset the connection every time after 30 secs. It seems that some FIN packets are sent from the OPNsense OPNWAF too quickly. There's another error but it's less frequent: AH01102: error reading status line from remote server xx.xx.xx.xx:xxx. My colleagues have confirmed that there's a 502 proxy error in the Edge browser after 30 secs.
I've checked the status of the application server. The server responds and is available to the OPNWAF. The system worked flawlessly without OPNsense for more than 3 years (it was an Apache proxy system too), that's why I'm a little perplexed by this case. The worst for us: that's a system already in production.

Could you please give me a hint where I can look in OPNsense to fix this?

Thank you in advance,
Regards,
Joel.
#8
Dear OPNSense Community,

I'm trying to use one of our Business OPNsense appliances in transparent bridge mode in one of our DMZs. The bridge works until I reboot the system. The appliance is an official Deciso OPNsense DEC3842.
The topology is not so complex, but more complex than what we find on the internet and in forums in general. It's a 3-tier environment and OPNsense isn't used for NATing. I've tried to integrate the OPNsense to scan the traffic (IPS/IDS, CrowdSec and the firewall) between the 1st and 2nd hop of our networks.
Every time I restart the appliance, I have to save the bridge interface again to restore the connections behind the OPNsense. If I don't do that, I can't access the various applications, remote sessions and HTTPS interfaces. It works for about 2 or 3 days, then the connection is lost again. I press the "save" button and it works again.
The online applications work without that because they're proxied by the OPNsense, but our internal connection between the networks does not. What is really strange, and that's why I believe that it's a problem with the OPNsense: I can access the UI of the OPNsense and nothing behind it (the last time); sometimes I can access some of the UIs / RDP.

I've found a second problem and I think it's an effect of this bridge problem. If I don't save the parameters from Suricata (IPS/IDS) again, the logs are filled with thousands of these lines: [101142] <Error> -- bridge0: error reading netmap data via polling: No buffer space available
Sometimes it's also written with bridge0^. I've found something about it on the internet but it doesn't match my case.
I just need to save the Suricata configuration and it's gone and works as it should.

The topology looks something like this: 1st hop router (with NAT) -> OPNsense as transparent bridge + proxies connected to some web apps -> 2nd hop router (with NAT) -> application servers etc.

It seems that OPNsense is interfering with something in the communication between the routers. I've suspected something with ARP, but the last test with some static ARP entries (neighbors) has failed. Before the OPNsense we had a Sophos XG (in bridge mode too) and it worked flawlessly. But with the EOL it was time to change.

The only solution for me was to save the bridge and the IPS/IDS configuration again (interface bridge + LAN).

Could you please help me?
I'll go into detail when some information is needed. But it could be a really long topic, so I made this summary.

All the best

Regards

Joel T.
#9
Dear Community / OPNsense Team,
we are currently trying to publish our own web application through the OPNWAF (Apache + ModSecurity) and we have a problem that remains unsolved even with the latest version.
There is a core rule that blocks our web application, and we cannot upload anything bigger than 8MB with the web application.
The triggered core rule is id 200004. We have now found that this rule often generates false positives (example: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827), but with the OPNWAF Business we have no possibility to disable this rule (thanks, by the way, for the "disable security rules by id" combo box). We are trying to use the Business OPNsense functions (paid functions) as professionals. What are our possibilities in this case?
-> We know that we can edit the conf and comment out the rule, but this isn't really a professional solution, and the next time we update our firewall, those comments will be gone.

I hope you can provide us a solution or give us a hint to avoid this kind of problem.

Thank you in advance
Regards,

Joel T.
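To see from the logs which rule actually blocked a request, and to express the downgrade of rule 200004 as a directive instead of a comment in a shipped file, here is an added example; it is the editor's code, not part of OPNsense, OPNWAF or ModSecurity. It parses ModSecurity 2.x entries from the Apache error_log, counts blocking events (Warnings excluded) per rule id, host and URI, and prints for each rule the SecRuleUpdateActionById / SecRuleRemoveById / ctl:ruleRemoveById directive that neutralises it. The log lines, host names, paths, client addresses and the local rule id 1000001 are constructed. Two caveats: as the grep output in the first post on this page shows, rule 200004 is defined in modsecurity.conf rather than in the CRS, and ModSecurity only accepts an update or removal directive after the file defining the rule has been read; whether the plugin offers a place for such a directive that survives an update is not answered in this thread.

```python
"""Attribute ModSecurity blocks to rule IDs from Apache error_log lines.

Editor's added example for this thread; not OPNsense, OPNWAF or ModSecurity
code. Log lines, hostnames, paths and client addresses are constructed to
match the ModSecurity 2.x error_log format.
"""
import re
from collections import Counter

# Constructed sample: one Warning (rule matched, nothing blocked) followed by
# two 403s from rule id 200004 on an upload endpoint.
SAMPLE_ERROR_LOG = """\
[Thu Jun 05 09:10:11.123456 2025] [:error] [pid 4711:tid 12345] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/etc/apache24/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "app.example.net"] [uri "/search"] [unique_id "aAAAAAAAAAAAAAAAAAAAAAAA"]
[Thu Jun 05 09:12:40.000001 2025] [:error] [pid 4711:tid 12346] [client 192.0.2.11:51300] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 1 at MULTIPART_UNMATCHED_BOUNDARY. [file "/usr/local/etc/apache24/modsecurity.conf"] [line "120"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "app.example.net"] [uri "/upload"] [unique_id "bBBBBBBBBBBBBBBBBBBBBBBB"]
[Thu Jun 05 09:13:02.000002 2025] [:error] [pid 4711:tid 12347] [client 192.0.2.11:51302] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 1 at MULTIPART_UNMATCHED_BOUNDARY. [file "/usr/local/etc/apache24/modsecurity.conf"] [line "120"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "app.example.net"] [uri "/upload"] [unique_id "cCCCCCCCCCCCCCCCCCCCCCCC"]
"""

# ModSecurity appends its context as [key "value"] pairs; values may contain
# escaped quotes, so match them as a quoted string.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"ModSecurity: Access denied with code (\d+)")


def parse_modsec_line(line):
    """Return the tags of one ModSecurity event plus 'blocked' and 'code', or None."""
    if "ModSecurity:" not in line:
        return None
    event = {key: value for key, value in TAG_RE.findall(line)}
    m = DENIED_RE.search(line)
    event["blocked"] = m is not None
    event["code"] = int(m.group(1)) if m else None
    return event


def summarize_blocks(log_text):
    """Count blocking events (Warnings excluded) per (rule id, hostname, uri)."""
    counts = Counter()
    messages = {}
    for line in log_text.splitlines():
        ev = parse_modsec_line(line)
        if not ev or not ev["blocked"] or "id" not in ev:
            continue
        counts[(ev["id"], ev.get("hostname", "-"), ev.get("uri", "-"))] += 1
        messages[ev["id"]] = ev.get("msg", "")
    return counts, messages


def exclusion_directive(rule_id, mode="log-only", uri=None):
    """Directive that neutralises a rule without editing the file that defines it.

    ModSecurity applies these only to rules already defined, so the directive
    has to be read after the file containing the rule (here modsecurity.conf).
    """
    if mode == "log-only":
        # SecRuleUpdateActionById replaces the disruptive action: the rule
        # still matches and logs, but 'pass' means it no longer denies.
        return f'SecRuleUpdateActionById {rule_id} "pass"'
    if mode == "remove":
        return f"SecRuleRemoveById {rule_id}"
    if mode == "per-uri" and uri:
        # Runtime exclusion limited to one path: the ctl action removes the
        # rule for this request only. Rule id 1000001 is an arbitrary local id.
        return (f'SecRule REQUEST_URI "@beginsWith {uri}" '
                f'"id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    counts, messages = summarize_blocks(SAMPLE_ERROR_LOG)
    for (rule_id, host, uri), n in counts.most_common():
        print(f"{n:>3} blocks  id {rule_id}  {host}{uri}  {messages[rule_id]}")
        print("    " + exclusion_directive(rule_id))
        print("    " + exclusion_directive(rule_id, mode="per-uri", uri=uri))
```

Run on the sample it reports two blocks by id 200004 on app.example.net/upload and no block for the Warning from 942100. The per-URI form is the least invasive of the three: the rule stays active for every other path and only the upload endpoint is exempted.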
#10
I have some news here. I've tried to activate the proxy in Windows with the FQDN and port of the OPNsense and somehow it "works". The problem is that websites are randomly blocked and I cannot understand which of the rules is triggered when a website is blocked.
For example... I've put the website thomas-krenn.com in the whitelist ACL of Squid and in the custom whitelist (allow) ACL of the OPNsense Advanced Proxy (os-OPNProxy) and I'm still blocked on the computer where I've set up the proxy in Windows. How is it possible... I don't know.

In the log (Access Log) I have something like this:
IP - MAC ADDR USERNAME@DOMAIN "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" NONE_NONE:HIER_NONE
IP - MAC ADDR USERNAME@DOMAIN "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
USERNAME@DOMAIN is in a group in a custom allow rule.

Policy tester:
{
  "message": "OK user=\"User\"\n",
  "user": {
    "uid": "User",
    "id": "2020",
    "applies_on": [
      "u:User",
      "g:Group One",
      "g:Group Two"
    ]
  },
  "policy": {
    "action": "allow",
    "policy_type": "fallback"
  }
}

I'm sure that this website isn't in a blacklist.

Is there a possibility to have a log that writes which of the rules is triggered?

It's pretty hard to administer the web filter like that.

I've followed this to implement the OPNProxy: https://docs.opnsense.org/manual/opnproxy.html
But it seems not to be enough for the web proxy to be fully configured.

Thanks in advance.

Joel T.
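Two things in the log lines above are worth knowing when reading Squid denials. First, the CONNECT answered 200 with TCP_DENIED followed by a GET inside the tunnel answered 403 is the pattern of a deny delivered inside an SSL-bumped connection; the denial is in the 403 and in the TCP_DENIED result, not in the CONNECT's 200. Second, Squid's dstdomain ACL treats thomas-krenn.com (no leading dot) as an exact host name only, while .thomas-krenn.com also covers www.thomas-krenn.com. The added example below is the editor's code, not part of OPNsense, os-OPNProxy or Squid: it parses access-log lines in the shape shown in the post, counts denials per user and destination host, and checks whether each denied host is covered by a list of dstdomain entries. Sample lines, addresses and user names are constructed.

```python
"""Attribute Squid denials to user and destination; check dstdomain coverage.

Editor's added example for this thread; not OPNsense, os-OPNProxy or Squid
code. The sample lines are constructed after the shape shown in the post
(client, '-', MAC, user@domain, request line, status, bytes, referer,
user-agent, squid-result:hierarchy); addresses and user names are made up.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_ACCESS_LOG = """\
192.0.2.50 - 00:11:22:33:44:55 jdoe@EXAMPLE "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.50 - 00:11:22:33:44:55 jdoe@EXAMPLE "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0" NONE_NONE:HIER_NONE
192.0.2.51 - 00:11:22:33:44:66 asmith@EXAMPLE "GET https://docs.opnsense.org/manual/opnproxy.html HTTP/1.1" 200 51234 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT
192.0.2.51 - 00:11:22:33:44:66 asmith@EXAMPLE "CONNECT ads.example.org:443 HTTP/1.1" 403 3812 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<mac>\S+) (?P<user>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<result>[^:\s]+):(?P<hier>\S+)$'
)


def dest_host(method, url):
    """CONNECT carries host:port; every other method carries an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["host"] = dest_host(entry["method"], entry["url"])
    return entry


def is_denied(entry):
    """A 403 is a deny whatever the result code. TCP_DENIED is a deny even on a
    200: that is what a denied CONNECT typically looks like when SSL bump is in
    play and the error page is delivered inside the bumped tunnel."""
    return entry["status"] == 403 or entry["result"] == "TCP_DENIED"


def denials_by_user_host(log_text):
    """Count denied requests per (user, destination host)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_denied(entry):
            counts[(entry["user"], entry["host"])] += 1
    return counts


def dstdomain_matches(acl_entry, host):
    """Squid dstdomain semantics: a leading dot matches the domain and all of
    its subdomains; without the dot only that exact host name matches."""
    acl_entry, host = acl_entry.lower(), host.lower()
    if acl_entry.startswith("."):
        return host == acl_entry[1:] or host.endswith(acl_entry)
    return host == acl_entry


def whitelist_covers(host, acl_entries):
    return any(dstdomain_matches(e, host) for e in acl_entries)


if __name__ == "__main__":
    whitelist = ["thomas-krenn.com"]  # as an admin might have typed it
    for (user, host), n in denials_by_user_host(SAMPLE_ACCESS_LOG).most_common():
        covered = whitelist_covers(host, whitelist)
        print(f"{n:>3} denied  {user:<16} {host:<24} whitelisted={covered}")
```

On the sample, www.thomas-krenn.com shows two denials for the same user and is reported as not whitelisted by the entry thomas-krenn.com; the same run with .thomas-krenn.com in the list reports it as covered. This does not identify which os-OPNProxy policy fired, but it narrows the question to one user, one host and one ACL entry before looking at the policy tester.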

#11
Dear OPNSense Community,

We have purchased a Deciso appliance with a Business license to replace our Sophos UTM. We thought that it would be possible to replace the Sophos UTM web filter (transparent with LDAP) with the OPNsense plugins (WEB PROXY + OPNPROXY + SSO). But it doesn't work for us right now. The Business plugin OPNPROXY could be the solution. It seems that the plugin cannot work with the SSO plugin. That's really sad. We have set up the access control but nothing is applied as it should be. The policy tester is working, but in reality in the browser nothing is filtered. It's as if the OPNPROXY plugin isn't enabled or present, and I've set up lots of rules. The WEB PROXY is working as it should.
Is it right that this Business plugin cannot work with SSO (AD)?
If yes, I think that's the biggest lack of a feature in this plugin. If no, what could I have missed, please?

Thanks in advance,

Regards,

Joel T.
#12
Intrusion Detection and Prevention / Re: NetMap Error
November 22, 2024, 11:01:05 AM
I've no OPNsense in a VM. We have Deciso full hardware and we had the same problem.
I just added the WAN interface in the Intrusion Detection settings and now the log went silent about this problem.

I hope it'll help

I've started another thread about that because I had a combination of problem after the upgrade:

https://forum.opnsense.org/index.php?topic=44178.0
#13
Update:
In the Intrusion Detection I have to choose the WAN interface even though I use only a bridge.
Is this a bug or a design problem?
Now the log has gone silent.

Can someone explain this to me? And I repeat, there was nothing like that before the upgrade.
#14
Dear OPNSense community,

I've found that the disk was full. The OPNsense wasn't really available anymore for the rest of the network. I've received some e-mail alerts that the processor of the appliance was overloaded. The appliance was bought this year; it's a Deciso 3842 AMD EPYC 8GB 256GB M.2.

The communication between our cluster and backup NAS was broken. Problems cascaded from one to the next.

I think something went wrong after the upgrade to version 24.10_7; Suricata is indeed integrated in OPNsense. I've deleted the old logs, but we still have a problem with the IDS - a flood of the following message:
bridge0^: error reading netmap data via polling: No buffer space available

Now it would be really interesting to know why this has changed between the versions of the OPNsense system.

Regards,

Joel.

PS: I've already set up the log for the IDS to be much smaller, but it's not the solution.
#15
Dear OPNSense community,

we have a Business license, which is normally to receive a stable version after every update / upgrade, but it's not the case. Last upgrade from 24.4.3 to version 24.10_7 (amd)
os-OPNWAF version 1.6 - os-crowdsec 1.0.8_1 and Intrusion Detection is activated
After the upgrade the logs from Suricata went full (and the disk too) -> Resource limit succeeded Service RootFs

Topology:
we have a bridge; the firewall is in our DMZ behind the 1st hop, where there is another router/firewall. The OPNsense is there for its WAF / proxy functions (OPNWAF / Suricata / CrowdSec).

We have some Nextcloud instances and we are securing the traffic to Nextcloud with OPNsense.
Since the last upgrade the logs have filled up with Suricata. I've deleted some logs; they were bigger than 100GB.

Now the firewall is simply blocking the traffic from the Nextcloud to everything, even if I've made some rules like Nextcloud to everything with any ports.

All the services are green.

I cannot explain what is happening, but for a Business license, I think this version has a bug!

I've already restarted; nothing is working and I don't know where to begin with this kind of stuff. In the OPNWAF the logs don't show any problem. It seems to be a problem with the firewall!

example:
__timestamp__   2024-11-22T08:31:43
ack   3809070810
action    [block]
anchorname   
datalen   0
dir    [in]
dst   XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport   48012
ecn   
id   4409
interface   bridge0
interface_name   BRG
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   
src   XX.X.XXX.XXX (Nextcloud)
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   506

The worst: I've changed nothing. Everything is going wrong after the upgrade to version 24.10_7.

Could you please help me?

Thank you in advance!

Regards,

Joel.
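A way to read records like the one in the post above, as an added example by the editor and not OPNsense code: parse the key/value dump and separate a real policy deny (a SYN, i.e. a new connection that no pass rule matched) from a state violation (a segment without SYN for which pf holds no state). Under pf's default flags S/SA, only a SYN creates state, so a mid-stream segment that arrives without a matching state is dropped by the default rule regardless of the pass rules above it. The record here is an inbound ACK-only segment from Nextcloud:443 to the firewall's ephemeral port 48012, which is the reply leg of a connection the firewall host itself opened; the state for the outbound SYN was either never created or no longer exists. In a bridge setup the things to check are asymmetric paths, a state table emptied by a reload or upgrade, and whether the same flow is filtered both on bridge0 and on the member interfaces (the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge). The masked addresses are replaced by documentation addresses in the sample.

```python
"""Classify OPNsense firewall-log block records: policy deny vs. state violation.

Editor's added example for this thread, not OPNsense code. The record is the
one from the post with the masked addresses replaced by documentation
addresses: 198.51.100.20 stands for the Nextcloud host, 198.51.100.2 for the
OPNsense firewall/proxy.
"""

SAMPLE_RECORD = """\
__timestamp__   2024-11-22T08:31:43
ack   3809070810
action    [block]
anchorname
datalen   0
dir    [in]
dst   198.51.100.2
dstport   48012
ecn
id   4409
interface   bridge0
interface_name   BRG
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq
src   198.51.100.20
srcport   443
subrulenr
tcpflags   A
tcpopts
tos   0x0
ttl   64
urp   506
"""


def parse_record(text):
    """Turn the 'key   value' dump into a dict; bracketed values like [block] are unwrapped."""
    rec = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        rec[parts[0]] = value.strip("[]")
    return rec


def classify(rec):
    """Say why pf's last-resort rule fired.

    With pf's default 'flags S/SA', state is created only by the SYN of a new
    connection. A later segment (ACK, PSH/ACK, FIN) that matches no existing
    state is dropped by the default rule no matter which pass rules exist, so
    the TCP flags tell a missing rule apart from a missing state.
    """
    result = {
        "iface": rec.get("interface"), "dir": rec.get("dir"), "label": rec.get("label", ""),
        "flow": f"{rec.get('src')}:{rec.get('srcport')} -> {rec.get('dst')}:{rec.get('dstport')}",
    }
    if rec.get("action") != "block":
        result.update(kind="not-a-block", why=f"action is {rec.get('action')!r}")
        return result
    if rec.get("protoname") != "tcp":
        result.update(kind="policy-deny",
                      why="non-TCP packet: check pass rules for this interface and direction")
        return result
    flags = rec.get("tcpflags", "")
    if "S" in flags and "A" not in flags:
        result.update(kind="policy-deny",
                      why="SYN of a new connection: no pass rule matched on this interface/direction")
        return result
    # Heuristic: a well-known source port talking to an ephemeral destination
    # port is the reply leg of a connection the destination host opened itself.
    try:
        reply_leg = int(rec.get("srcport", 0)) <= 1023 < int(rec.get("dstport", 0))
    except ValueError:
        reply_leg = False
    why = "mid-stream segment with no matching state"
    if reply_leg:
        why += "; looks like the reply to a connection the destination host itself opened"
    why += ("; check for asymmetric paths, a state table emptied by reload/upgrade, and whether "
            "the flow is filtered both on bridge0 and on its member interfaces")
    result.update(kind="state-violation-reply" if reply_leg else "state-violation", why=why)
    return result


if __name__ == "__main__":
    verdict = classify(parse_record(SAMPLE_RECORD))
    for key, value in verdict.items():
        print(f"{key:>6}: {value}")
```

For the record in the post the verdict is state-violation-reply on bridge0 (in) for 198.51.100.20:443 -> 198.51.100.2:48012, which is why adding more pass rules for Nextcloud changes nothing: the missing piece is the state, not the rule.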