Messages

Have you made any progress on this? 25.4.3 was released today but I suspect it will not change the situation you've seen with 25.4.2.


Cheers,
Franco

Hi Franco,

I've upgraded today the appliance to the version 25.4.3_4 and it works like a charm.
I don't understand, what was the problem with the version 25.4.2.
Regards,

Joel

Dear Community,

right now for us there's some penetration tests from an external company in progress on our opnsense appliance and we need a possibility to remove ip addresses from the blacklist without any whitelisting, because they will attack again with another kind of attack.
Is there any possibility to remove the ip address from the blacklist "on demand"?

Thank you ahead.
Regards

Joel.

Hi Franco,

sorry for the moment, I need to do other things for our customers and ourselves (system migrations).

I will try when my colleagues won't be in vacation anymore.

Regards,

Joel.

To me, it seems to be something like (not identical, but similar) in this post:
https://forum.opnsense.org/index.php?topic=48640.0
And I think that "no one else" is no longer accurate.

I'm vague because, I don't have time to mess around and figure out why it isn't working. I will do this in my own time, not during our company's working hours with coworkers who aren't working at that time.

The only thing I can say. With the version 25.4.1 -> the communication with our cisco main (incl. the connection with the management software) gateway is working flawlessly. We can access our web application located in our DMZs with a resolution through our own DNS Server (inside). The DMZs are located on the cisco and the opnsense is bridged on the inside of the cisco interface to assure the ips/ids security of our internal network. All IPs of the DMZs are NATed on the cisco and the opnsense has a route to send everything unknown to the cisco main gateway (0.0.0.0/0). LAN/WAN are bridged. After the Upgrade 25.4.2 we cannot access the management software of the cisco gateway (the inside IP of the cisco is in the same segment as the problematic opnsense), the colleagues are receiving timeouts in browser when the try to access our web applications in the DMZs. I cannot explain here everything because the topology is much more complex and every tier (DMZs / outside network segment) we have one OPNsense Business on an OPNsense Hardware. It's a star topology with the cisco gw in the middle and the satellites / tiers are OPNsense appliances if you want.
To sum up with 25.4.2 the forwarding of the request to the NATed addresses (on the cisco gw) and the cisco gw itself aren't done anymore - The routing rule with 0.0.0.0/0 through the cisco gw isn't correctly applied when the ip addresses are on the same network segment.

Now, I can no longer describe in detail what happened with the help of the logs. This is because I had to use the snapshot function really quickly because the project managers had directed calls/complaints to our department. All I can say is that nothing was displayed in the live part of the firewall (request also made on the Cisco gateway), and I am sure that this is the case with version 25.4.1.

For me, paid business support makes sense when we need an additional feature or something we don't understand technically. But not to fix problems where everything was working fine before and suddenly stopped working after the update/upgrade without any further changes. That can't be part of any business plan. The logic of having a paid stable business version is not followed here. Please don't take us the wrong way, we are OPNsense customer. But anyway... it's not here the subject.

I'll try again when no one is working on our internal network. I just need to plan it now.

Regards,

Joel.

I can guarantee that this is a problem with version 25.4.2 -> version 25.4.1 works and we will keep using it!

It would be good if the OPNsense team would improve its business version before releasing it.

Dear OPNsense community,

for us it's not the first time that nevertheless a Business Edition after an Upgrade we are loosing some of our connection to our dmz application for our company (for example with suricata which broke some our communications if IPS mode wasn't deactivated) .
This time, we have simply lost the access management on our main GW (cisco) and the communication with our NATed systems to our DMZs. The NATed systems are done on our main Gateway (cisco)

The routing configuration is really simple by us Network 0.0.0.0/0 to our main GW (cisco) and we have a bridge LAN/WAN to use IPS/IDS/Proxy possibilities of OPNSense. Until now this setting has worked flawlessly, but after the upgrade, we cannot manage our main GW anymore and the resolution of our dmz web app aren't accessible.

On our side it's critical because every colleagues here cannot work anymore on any our app. I cannot check anything on the main GW because it's not accessible too.

Could something give me a hint?
We used to believe that the Business Edition is well tested and tailored for the Business environment.

Thank you in Advance for your information,

Regards,

Joel.

Many thanks!

Regards,

Joel

Thank you.
I will try this. I had another fight with the OPNWAF - the timeout parameter on the Proxy balancer is missing and every time after an apply I need to change the config file like this
BalancerMember https://xx.xx.xx.xx connectiontimeout=xxx timeout=xxx

I will try as soon as our customer will be less aktiv on the application server.
And one question about the use of modsecurity_ruleid.json
If we update/upgrade our appliance and the system won't this file change or will be rewritten? because right now it's our main problem

Thank you ahead.

Hi,

right now I'm pretty busy with system migrations. We are still using the proxy as simple as we could get (http) no opnproxy and no sso. We are using the OPNsense like we could use a Pfsense. I mean with almost no plugin.
Have you any answer of the support on this topic? After the migrations I will find the alternative (maybe I will setup myself a server with all options that I need), because it's, for my opinion, really to light as it's configured.

Regards,
Joel.

Dear Opnsense Community,

Is there a way, as with NGINX and Naxsi, with the OPNWAF Web Application Business plugin to limit the simultaneous connections of an IP for the proxied applications?
As it's a well-knows needed security feature of the web application proxies. It's possible that is in the plugin present, but I've found nothing. Maybe it's possible on another layer of the OPNsense Firewall or in another plugin.

Thank you ahead,

Regards,

Joel.

Hi,

there is no output.
The Version is: 25.4
-> the only output with grep is in apache24 level folder -> modsecurity.conf
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

On GitHub and in many forums, it is pointed out that this rule triggers many false positives. Why is this rule not set up as information only by default?
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827
https://community.sophos.com/sophos-xg-firewall/f/discussions/136863/false-positive-which-can-t-be-skipped
https://stackoverflow.com/questions/77583424/modsecurity-multipart-boundary-false-positives

Thank you for your help.

Regards,

Joel.

Hello WireShire,

We have disabled the business functionality because it is simply useless to us.
With the new version 25.4.1, we are experiencing even more problems and cannot find a solution ourselves, as there is no useful documentation on this topic.
We are considering using another solution that we can rely on more. I think that this is unfortunately just one example of how the modularity of a solution is not always an advantage.

Hello Joel,

we also buy a Deciso Appliance. And we also want to you squid as a forward proxy. With the opn-proxy buisness plugin we think, it have the complete function that we want.

But we also dont udnerstodd it full. we try different settings , but we see also policy fallback allow, and dont know where it come from.
we have a * block and test one single site allow, but when we change ip or diffenret , policy falllback allow rule comes.

when we delete custom rules. apply, restart or stop the plugin and start it again, policy tester ,s how the old custom rules and say allow.
how can we clear the cache from the tester?  i though its a buisness solution not , one time its function, one time not.

the wiki is not good for the product. it must have examples for a default buisness like sceneraio with block all, and allow custom different sites.

do you have a final resolution? or can someone thats used the buisness proxy settings , can share pictures?

For us, there was no other solution than to disable the transparent proxy and use the proxy with the simplest options on IPs.
The proxy with username and password does not work at all (LDAP AD), can import the users but does not recognize the user's password when they try to log in.
We had this feature and it worked flawlessly with Sophos for almost 7/8 years without any interruptions,
we had a presentation that OPNsense could easily replace the Sophos appliance, I'm not sure anymore.

This is already the third time I have had to change the proxy configuration after an update/upgrade was performed on the proxy, and each time we lose functionality.
@elenagilbert: I will dig this, but I cannot only focus on OPNsense right now.

Thank you all for your help.
Regards,
Joel.

Thank you for your reply, Patrick.
I will continue to try to use all communication channels. I don't consider this forum to be a support platform. Perhaps someone else has already had this problem.
We purchase business appliances in order to have stable versions and fewer or no problems with troubleshooting. The support channel would be intended for us if we needed to set something up and it wasn't working, but that wasn't the case this time.
Regards.

Dear Community and OPNsense Team,

we have bought a Deciso / OPNsense Appliance the Business Edition to receive every time a stable version of the system and the plugins too (normally they're tested on the community version).
Today during the maintenance, we have upgraded our appliance to the version 25.4.1 and after the reboot the squid plugin doesn't work anymore
Version: os-squid 1.2
A segmentation fault warning, and it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company have no Internet without chaotic passthrough that I need the set up in urgence.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If no for the Business customer we need the list of the Business plugin that we can use (when we are buying the appliance for example)

here the infos on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan? If we need to quickly restore.
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the squid proxy but the problem is still the same because of the NAT that squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you ahead for you help.

Regards,

Joel.