Messages

1

24.7 Production Series / Banwidth Control

« on: November 03, 2024, 06:59:49 pm »

How can I limit the bandwidth on a single interface? I have a gigabit interface, but want to limit it too 100 meg.

Also is it possible to give one interface priority over another to get to the WAN interface, If so how?

2

24.7 Production Series / Re: DNS Rebind attack

« on: September 06, 2024, 06:54:30 pm »

Both sites have their own SSL form lets encrypt

Server (Running Ubuntu, and Apache) and all software is up to date

3

24.7 Production Series / DNS Rebind attack

« on: September 06, 2024, 06:52:42 pm »

I am running my own webserver behind OPNSense. It is currently hosting two websites, my personal and business

When I go to my personal site whether on the local network or outside of it the website loads just fine.

When I go to my business sit I get the following error

A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration.

When I try to go to my business site, it appears to be trying to load the router page as the tab has the OPNSense icon just like it would if I typed the IP address of the router.

I have checked both the public and local (private) DNS settings for both sites and they are all correct. Locally both sites point to the local address of the server, remotely both sites point to a static public IP that I have set up in OPNSense as a virtual IP.

Any one have any idea what could be causing this

4

24.7 Production Series / Anti-Virus on OPNSense

« on: September 04, 2024, 05:51:41 am »

I would like to enable an anti-virus on my OPNSense "router" to scan all incoming (at a minimum) and outgoing traffic. However a guide I was looking at last week said I had to configure OPNSense as a proxy server. I do not want to use a proxy server.

Is there another way to scan all incoming and outgoing traffic for virus'?

5

24.7 Production Series / Filtering or blocking spam

« on: August 23, 2024, 05:39:40 am »

I have followed the guide below to create a firewall rule to block spam using spamhaus. Are there additional services or sites like spamhaus that I can use in a similar way. I want to maximize spam blocking as much as I can.

https://docs.opnsense.org/manual/how-tos/edrop.html

Thank You

6

24.7 Production Series / Re: Block Port 25 with Exchange Server on Network

« on: August 23, 2024, 04:43:08 am »

Yep works. No connection from my notebook, connection from mail server.

THANK YOU

7

24.7 Production Series / Re: Block Port 25 with Exchange Server on Network

« on: August 23, 2024, 04:02:30 am »

I have attached images of both the firewall rule and alias that I created. Again I want to make sure this is done right. If you don't mind please verify everything is correct.

I want to make sure this issue is resolved so I don't have to worry or deal with it again in the future.

8

24.7 Production Series / Re: Block Port 25 with Exchange Server on Network

« on: August 22, 2024, 06:01:19 am »

If I create the rule you suggest it will rejected port 25 inbound form the mail server. Correct?

The issue as reported by SpamHaus is NOT my mail server, it was my notebook, which also had the infection.

The only device I want to allow to use port 25 is the email server (in or out), all others will be blocked.

9

24.7 Production Series / Block Port 25 with Exchange Server on Network

« on: August 21, 2024, 07:21:55 am »

I have an Exchange server (Ex 2019 on Server 2022) running behind OPNSense version 24.7.1. I have been black list due to a non-mail server system being infected with malware using port 25. Infection has been removed. SpamHaus has unblack listed my public IP. However, I still received an error when trying to send an email to a trusted email server.

So, to hopefully fix this error and prevent it in the future, I want to block all outbound traffic on port 25 from all devices on the network (including guest network) with the lone exception being the Exchange Server? What is the best way to do this. I am asking here so that I not only get it right but get it right the first time.

Details are:
I have a 5 public IP block
WAN port is configured with X.X.X.105
I have added a virtual IP of X.X.X.106
Public DNS points to and required ports for Exchange (443) come in on X.X.X.106. There is currently no rule (allow or block – in or out for port 25)

Main Network X.X.107.0/24
Mail Server X.X.107.10
Guest Network X.X.214.0/24

I believe that the rules should look as follows on the WAN port

Two rules

1st rule to allow Exchange to send data out on port 25

Code: [Select]

Allow
Direction - Out
Protocol - TCP
Source - X.X.107.10 /24
Port - 25 or should it be any
Destination * (any)
Port 25
2nd rule to block everything else trying to use port 25

Code: [Select]

Block
Direction - Out
Protocol - TCP
Source – * (any)
Port - 25 or should it be * (any)
Destination *  (any)
Port 25
Rule 1 comes before Rule 2 of course

Please let me know if I am correct, if not please let me know what would be correct.

Thank You

10

Hardware and Performance / System recommendations

« on: July 03, 2024, 03:33:53 am »

I have a client that two stores with Verizon FIOS. Both stores are currently down due to one of Verizon's trunk fiber cables being "cut". Service is estimated to be restored in about 4 1/2 plus hours. They process credit cards over the net.

I found out the other day that they had gotten cellular service for such a situation, but did not let me know so it was connected correctly to be usable. I am now looking for an inexpensive but reliable system to connect two Internet services, LAN and WLAN (future expansion space would be nice).

He currently has 3 stores and will be adding at least 2 more in the near future. I am thinking he will want to have back up Internet at all his stores now.

Anybody have recommendations?

11

24.1 Legacy Series / Using WWAN with OPNSense

« on: March 28, 2024, 01:10:10 am »

I do not see why want I want to do (at least thinking about) wouldn't work, but I want to make sure it will before I spend any money.

I want to have Internet access in my vehicle. Having such access in my vehicle would make my job and running my business easier. However most solutions I have found are for commercial fleets and / or the devices are very expensive

I am thinking about is getting a notebook with a WWAN slot, then using the WLAN to set up a wireless network. Would this work? A representative for my cellular provider told me adding a WWAN device would be about $10, although they don't know what I want to do. Seems too good to be true to get such a set up for $10 a month.

I won't be streaming movies or anything like that on a regular basis. Maybe a YouTube video now and then, maybe remote support once in a while. Mostly updating tickets, uploading images to tickets.

12

23.1 Legacy Series / Re: Forward the same port to two different systems

« on: July 17, 2023, 08:14:30 pm »

The destination address needs to be a single host, i.e. 50.78.239.106 or 50.78.239.106/32 - if you specify /29 for the destination, that means all 8 addresses in that prefix are matched by the first rule.

Awesome!

Thank you. I have only tested it once, but it did work. I had an tab open to Exchange and one to the web site.

Thank You much

I tried Googling this but everything I found was the more simple port forwards.

13

23.1 Legacy Series / Re: Forward the same port to two different systems

« on: July 17, 2023, 06:51:24 pm »

I have created NAT rules for both, but all traffic still goes to the exchange server.

I attempted to add an image of the two NAT rules, not sure why it was not added

14

23.1 Legacy Series / Forward the same port to two different systems

« on: July 17, 2023, 06:36:05 pm »

I posted this in 22.7 Legacy Series but didn't get much traction. I have upgraded to 23.1.11 in part hoping that an update would get it to work, but it is still not working.

I have an Exchange server and now a webserver on the same network, both use 443 for HTTPS.

I have a block of five static IPs from my ISP. Is it possible to have the Exchange server coming in on 443 on one public IP and the webserver coming in on 443 on another public IP?

I have created a virtual IP for each of the IPs I want to use.  I have created the port forward rules in the image below but all traffic from both IPs is forwarded to the exchange server.

Can anybody provide insight or provide a link on how to do this?

15

22.7 Legacy Series / Re: Forward the same port to two different systems

« on: July 10, 2023, 06:22:04 am »

Ok so I have partially figured this out. I need to create virtual IPs.

Problem now is that port 443 is forwarded to the mail server no matter if the url typed into a web browser. IE if the user types in www.mydomain.us or mydomain.us both are forwarded to the mail server even though it is mail.mydomain.us

Port 80 is directed to the web server.