1
23.1 Legacy Series / Re: Do I need to create block rules for traffic between interfaces?
« on: May 29, 2023, 02:17:05 pm »
Ah, that explains it. Thanks!
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
23.1 Legacy Series / Do I need to create block rules for traffic between interfaces?
« on: May 29, 2023, 01:35:17 pm »
Hi everyone,
stupid question I know, but somehow I either messed up my config or I didn't understand something right.
Do I need to create a block rule to disable traffic between interfaces? I thought this happens automatically, but since I have seen traffic going from one interface (LAN2) to another (LAN1) without having a rule to allow it I am kind of confused.
stupid question I know, but somehow I either messed up my config or I didn't understand something right.
Do I need to create a block rule to disable traffic between interfaces? I thought this happens automatically, but since I have seen traffic going from one interface (LAN2) to another (LAN1) without having a rule to allow it I am kind of confused.
3
23.1 Legacy Series / Maltrail alerting
« on: May 12, 2023, 12:27:08 pm »
Hi everyone,
I am just about finished with deploying OPNsense. Really enjoyed the process, really a great piece of software that makes our network much safer.
The last step is a bit of "nice to have". I installed maltrail and I am using the fail2ban rule to block the hosts that make weird traffic. Since the entry is dynamic I would like to set up a notification using monit when the list of hosts has changed. However since its not a file but rather a url I am not so sure how to do that.
Any tips would be appreciated.
I am just about finished with deploying OPNsense. Really enjoyed the process, really a great piece of software that makes our network much safer.
The last step is a bit of "nice to have". I installed maltrail and I am using the fail2ban rule to block the hosts that make weird traffic. Since the entry is dynamic I would like to set up a notification using monit when the list of hosts has changed. However since its not a file but rather a url I am not so sure how to do that.
Any tips would be appreciated.
4
23.1 Legacy Series / Re: Windows Updates and SSL inspection
« on: May 11, 2023, 03:21:46 pm »
You Sir,
deserve a medal. I thought I was going crazy. I have no mentioning of the certificates in the error logs of the proxy, so I didn't event think about that.
How this isn't a wiki entry or even a result when searching for those error codes is beyond me.
Thank you so much!
deserve a medal. I thought I was going crazy. I have no mentioning of the certificates in the error logs of the proxy, so I didn't event think about that.
How this isn't a wiki entry or even a result when searching for those error codes is beyond me.
Thank you so much!
5
23.1 Legacy Series / Windows Updates and SSL inspection
« on: May 11, 2023, 01:03:20 pm »
Hi everyone,
I am still in the process of deploying my OPNsense and have hit a big bump: Using the Web Proxy and SSL inspection (which is needed for AV filtering) I am unable to download Windows Updates and Updates from the Microsoft Store, getting the Error Code 0x801901f7.
Now I spent the last hours going through the Microsoft Documentation and everything that I could find on the internet and added all those URLs to the no bump site, but it still doesn't work. Now I checked the forums here and all I could find are old threads that basically stop in 2018.
Is there really no one who managed to get it working? Or is it really just a "feature" that doesn't work?
I would really like to use ClamAV as a feature, but since 95% of the net traffic today is SSL encrypted I need the SSL proxy, but I also need Windows Updates. So how do you guys solved it?
Any help would be appreciated as I am going a bit crazy at this point, having done a very deep dive into the mess that is Microsoft URLs without any solution.
Greetings
Sam
I am still in the process of deploying my OPNsense and have hit a big bump: Using the Web Proxy and SSL inspection (which is needed for AV filtering) I am unable to download Windows Updates and Updates from the Microsoft Store, getting the Error Code 0x801901f7.
Now I spent the last hours going through the Microsoft Documentation and everything that I could find on the internet and added all those URLs to the no bump site, but it still doesn't work. Now I checked the forums here and all I could find are old threads that basically stop in 2018.
Is there really no one who managed to get it working? Or is it really just a "feature" that doesn't work?
I would really like to use ClamAV as a feature, but since 95% of the net traffic today is SSL encrypted I need the SSL proxy, but I also need Windows Updates. So how do you guys solved it?
Any help would be appreciated as I am going a bit crazy at this point, having done a very deep dive into the mess that is Microsoft URLs without any solution.
Greetings
Sam
6
23.1 Legacy Series / Traffic to proxy gets blocked
« on: May 10, 2023, 10:46:18 am »
Hi everyone,
I have a weird issue: I am using NAT to route HTTPS traffic to the proxy. Now that works, but the firewall seems to be blocking traffic to it under the "default rule" instead of letting it trough to the proxy server as configured. See screenshots below.
Why does it not work? I thought the rule created by the NAT should be enough, but even with my own rules i still get that error. Rebooting didn't work either.
As a side note:
I did an update to the newest version yesterday and just realized that one application (Spotify) was not working properly on my network anymore. So I am not sure if the issue persists longer or just since the update because I didn't check it before.
I have a weird issue: I am using NAT to route HTTPS traffic to the proxy. Now that works, but the firewall seems to be blocking traffic to it under the "default rule" instead of letting it trough to the proxy server as configured. See screenshots below.
Why does it not work? I thought the rule created by the NAT should be enough, but even with my own rules i still get that error. Rebooting didn't work either.
As a side note:
I did an update to the newest version yesterday and just realized that one application (Spotify) was not working properly on my network anymore. So I am not sure if the issue persists longer or just since the update because I didn't check it before.
7
Zenarmor (Sensei) / Re: Could not verify your mail configuration
« on: May 09, 2023, 07:06:28 pm »
Just did that. Lets see what come from it
8
Zenarmor (Sensei) / Could not verify your mail configuration
« on: May 08, 2023, 04:36:25 pm »
Hi everyone,
I am currently installing Zenarmor on my OPNsense Firewall and found that - even with the 14 days test license - I can't test my mail connection. Instead of telling me if something is wrong (server not reached, Credentials wrong etc.) it just immediately bring the error "Could not verify your mail configuration. Please try again later." I tried reinstalling Zenarmor, but the issue still persist.
However, reports are still getting send. Might be a bug?
I am currently installing Zenarmor on my OPNsense Firewall and found that - even with the 14 days test license - I can't test my mail connection. Instead of telling me if something is wrong (server not reached, Credentials wrong etc.) it just immediately bring the error "Could not verify your mail configuration. Please try again later." I tried reinstalling Zenarmor, but the issue still persist.
However, reports are still getting send. Might be a bug?
9
23.1 Legacy Series / DNS resolves firewall for wrong subnet
« on: May 08, 2023, 01:41:33 pm »
Hi everyone,
I have set up my opnsense with 3 networks: 192.168.X.X/24. The Web-Interface for my firewall "fw01" is only reachable under the 192.168.1.1 interface, yet somehow when I'm using the hostname it either resolves to 192.168.2.1 or 3.1. Is there a way to prevent the DNS server from doing that? I would like to be able to only server answers for the specific interface, not all of them.
Greetings
Sam
I have set up my opnsense with 3 networks: 192.168.X.X/24. The Web-Interface for my firewall "fw01" is only reachable under the 192.168.1.1 interface, yet somehow when I'm using the hostname it either resolves to 192.168.2.1 or 3.1. Is there a way to prevent the DNS server from doing that? I would like to be able to only server answers for the specific interface, not all of them.
Greetings
Sam
10
Web Proxy Filtering and Caching / Valid SSL Proxy certificate
« on: May 08, 2023, 01:35:18 pm »
Hi everyone,
probably a stupid question but since i'm rather new to this whole topic: Is it possible to get a valid, trusted, proxy certificate for the ssl proxy or do i have to install my certificate manually? Using ACME I have a valid web certificate for my domain from Let's encrypt, but I can't use that for the man-in-the-middle inspection of the traffic.
Right now I have installed the certificate manually, but I would love to be able to install a actually valid certificate.
Any tips or hints would be appreciated.
Greetings
Sam
probably a stupid question but since i'm rather new to this whole topic: Is it possible to get a valid, trusted, proxy certificate for the ssl proxy or do i have to install my certificate manually? Using ACME I have a valid web certificate for my domain from Let's encrypt, but I can't use that for the man-in-the-middle inspection of the traffic.
Right now I have installed the certificate manually, but I would love to be able to install a actually valid certificate.
Any tips or hints would be appreciated.
Greetings
Sam
11
General Discussion / Re: Simple rule not working
« on: October 07, 2022, 04:36:01 pm »
Ah, well that explains it.
But what would be the correct way of setting it up?
Allow all and then block all other networks?
But what would be the correct way of setting it up?
Allow all and then block all other networks?
12
General Discussion / Simple rule not working
« on: October 07, 2022, 02:30:36 pm »
Hi everyone,
I am new to opnsense and stuck on a seemingly simple problem: I can't get the internet working. At least not in the way I want it.
My internet is provided by a fritzbox router that connects to hn0 on my opnsense. I have multiple interfaces set up for the different separate networks I want to use, but I want to start learning by just using the LAN interface.
Now if I set up a rule with:
- Source: LAN
- Port: *
- Destination: *
- Port: *
then all works well, I am able to use the internet and ping the devices in the other networks.
(no rules have been set on anything other than the LAN interface. That also goes for the WAN interface as I am not sure what I would want there)
However, when I change it to:
- Source: LAN
- Port: *
- Destination: WAN net
- Port: *
then no connection is possible. To make any rule changes I always have to go and reset the state table, otherwise all connections stay open, even if I disable the rule (which should prevent any connection other than to the gui, right?)
I don't really know why I am not able to make such a simple thing work, maybe my install is bad somewhere?
Does anyone have an idea what could be the reason?
I am new to opnsense and stuck on a seemingly simple problem: I can't get the internet working. At least not in the way I want it.
My internet is provided by a fritzbox router that connects to hn0 on my opnsense. I have multiple interfaces set up for the different separate networks I want to use, but I want to start learning by just using the LAN interface.
Now if I set up a rule with:
- Source: LAN
- Port: *
- Destination: *
- Port: *
then all works well, I am able to use the internet and ping the devices in the other networks.
(no rules have been set on anything other than the LAN interface. That also goes for the WAN interface as I am not sure what I would want there)
However, when I change it to:
- Source: LAN
- Port: *
- Destination: WAN net
- Port: *
then no connection is possible. To make any rule changes I always have to go and reset the state table, otherwise all connections stay open, even if I disable the rule (which should prevent any connection other than to the gui, right?)
I don't really know why I am not able to make such a simple thing work, maybe my install is bad somewhere?
Does anyone have an idea what could be the reason?
13
22.1 Legacy Series / Re: No Webinterface after bridge activation
« on: July 20, 2022, 06:35:48 pm »
No, it was a clean install and i did not start to change any rules or anything else appart from the interfaces.
My understanding was that the rules are applied to interfaces and not to individual hardware so a change in assignment wont affect the rules and setup. Or am I wrong here?
My understanding was that the rules are applied to interfaces and not to individual hardware so a change in assignment wont affect the rules and setup. Or am I wrong here?
14
22.1 Legacy Series / No Webinterface after bridge activation
« on: July 20, 2022, 04:34:05 pm »
Hi everyone,
I am trying to setup OPNsense for my homelab but i seem to struggle to make a working network bridge. Since i am a total network beginner i don't really know what else to do so i hope someone here as an idea:
OPNsense is running on a Hyper-V machine with four network connections.
hn0 is my internet input from my ISP router
hn1 is my output from OPNsense to switch
hn2 is a virtual connection to other Hyper-V machines on the same server
hn3 is a output to a notebook
If i set hn0 as my WAN and hn1 as my LAN everything works. I can access the the Web GUI and DHCP gives out IPs in the range that i want.
Now what I want to do basically is to connect the virtual connection to my LAN. I just don't want an extra connection to the switch for my VMs since I don't want to create unnecessary traffic that could be handled right on the server.
My idea was to bridge hn2 and hn3 and set this bridge0 as my LAN interface. My thinking was that i can then access the Web GUI from the VMs or my Notebook and can add hn1 to the bridge, which was my actual goal.
I did everything as noted in https://docs.opnsense.org/manual/how-tos/lan_bridge.html but failed after step 3.
I lost the ability to connect to the Web GUI from any of the connections to do any more changes. And I don't really know why or where to look. I did the configuration straight after install so apart from the install wizard nothing was changed.
Am I doing something wrong, forgot something or is this just not how bridging works.
Thank you for any tips and tricks!
I am trying to setup OPNsense for my homelab but i seem to struggle to make a working network bridge. Since i am a total network beginner i don't really know what else to do so i hope someone here as an idea:
OPNsense is running on a Hyper-V machine with four network connections.
hn0 is my internet input from my ISP router
hn1 is my output from OPNsense to switch
hn2 is a virtual connection to other Hyper-V machines on the same server
hn3 is a output to a notebook
If i set hn0 as my WAN and hn1 as my LAN everything works. I can access the the Web GUI and DHCP gives out IPs in the range that i want.
Now what I want to do basically is to connect the virtual connection to my LAN. I just don't want an extra connection to the switch for my VMs since I don't want to create unnecessary traffic that could be handled right on the server.
My idea was to bridge hn2 and hn3 and set this bridge0 as my LAN interface. My thinking was that i can then access the Web GUI from the VMs or my Notebook and can add hn1 to the bridge, which was my actual goal.
I did everything as noted in https://docs.opnsense.org/manual/how-tos/lan_bridge.html but failed after step 3.
I lost the ability to connect to the Web GUI from any of the connections to do any more changes. And I don't really know why or where to look. I did the configuration straight after install so apart from the install wizard nothing was changed.
Am I doing something wrong, forgot something or is this just not how bridging works.
Thank you for any tips and tricks!
Pages: [1]