Messages - Timeraider

#1
Hmm.. wasn't it this last big update as well where Zenarmor was looking for PHP 8.1 when OPNsense updated to PHP 8.2?
Maybe double-checking dependency versions would be a good one for their checklist ;D
#2
Quote from: sy on December 19, 2024, 01:46:33 PM
Hi,

This is not the expected behavior, but Zenarmor excludes the firewall itself from any blocking rules. Even if your PC is blocked by a policy, you can still access the OPNsense UI or manage your policies through the Zenconsole (Cloud Management Portal) if Zenarmor is registered there.

Ah, thank you for the confirmation.
Can't hurt to be sure even if nothing will ever happen, so it's simply good to hear that I can't fully lock myself out :D
#3
Quote: "Apologies for taking so long. I was hoping some of the other maintainers would step in while I was away, looks like that didn't happen. :("
Hehe, welcome to open-source. Whereby the creators better never go on a holiday, because the moment the creator is unavailable for a while the entire idea of "being maintained by a community" only goes as far as "Does it affect any of the contributors? Nope.. ok.. guess none of them will mind the issue for now then". None of it the creator's fault of course, but funny how it always ends up somewhere along those lines :D

Though I will be fully honest that I don't really have any credentials to be able to judge anyone, of course. Everyone has their expertise and mine certainly is not contributing to Perl scripts XD
I did make a bash script for myself to have dynamic DNS with a DirectAdmin portal (didn't want to have a third party like No-IP or some of the other options in between), as that doesn't seem to be built into ddclient, but that's about the extent of my possibilities XD
#4
Not gonna say I don't trust Zenarmor updates.. but say I have my network set up and have selected the correct devices as trusted, and afterwards I turn on "block connection" for all untrusted devices.
What is best practice to make sure that, if Zenarmor somehow clears the Trusted list, I still have a way into my router other than physically connecting a screen to it :P
#5
EDIT:

Ok.. so "parameters" going to %s only means 1 word goes to a %s, not all of it. And if the number of %s's in the configd action is lower than the number of words filled in, it simply doesn't work. You can have more %s's than parameters and it will still work though.

So all I had to do was adjust the configd action and change it to:
[test.dyndns]
command:/scripts/test.sh
parameters:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s
type:script_output
message: Running dynamic DNS check on domain
description: Run dynamic DNS check on domain


ORIGINAL:

So.. basically, to facilitate some dynamic DNS for me which can't get through the plugin.. I made myself a bash script that does exactly what I want.
Now I am incorporating it into the cron job interface in OPNsense, but it's not exactly working as planned.
Basically.. (some of these will be templates and not my actual setup, but it's the same idea.)
/scripts holds a script (let's say test.sh) that checks IPs and then changes my DNS names through DirectAdmin.. this script works, as I can run it manually as well as through cron and it works like that.
However, I want to make it so that I can edit my cron job so I can always change which subdomains it updates through the UI and not have it hardcoded in the script.
If I run the command "test.sh test test2" in the CLI.. it works, updating those 2 subdomains.. meaning the parameters do work.



However... if I set it up as shown above and then have this as the configd action.. it doesn't work:

[test.dyndns]
command:/scripts/test.sh
parameters:%s
type:script_output
message: Running dynamic DNS check on domain
description: Run dynamic DNS check on domain


So basically.. if I hardcode the subdomains, it works manually and through the web UI Cron.
If I parameterize the subdomains, it works manually but doesn't work through the web UI Cron (and the only thing I change in the configd action is that at parameters I add %s).
Anyone have any idea?
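Since each word typed into the Cron "parameters" field arrives in the script as one separate positional argument, the script on the receiving end should accept any number of them and check each one before handing it to the DNS provider. This is an added example, not Timeraider's test.sh; the DirectAdmin update call is a stand-in (assumption) and only the argument handling is real.

```bash
#!/bin/sh
# Added example: argument handling for a dynamic DNS script that is started
# from the OPNsense Cron UI through a configd action with %s parameters.
# Each word of the parameters field becomes one argument ($1, $2, ...), so the
# script must cope with any count and must not trust the values as given.

# Accept only hostname-shaped names: letters, digits, dots and hyphens, no
# empty labels, no label starting or ending with a hyphen, max 253 characters.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_hostname() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
  case $name in
    *..*|.*|*.|-*|*-|*.-*|*-.*) return 1 ;;   # empty label / hyphen at label edge
    *[!A-Za-z0-9.-]*) return 1 ;;             # any character outside the set
  esac
  return 0
}

# Classify every argument: prints "ok <name>" or "rejected <name>" per line,
# so a run from the Cron UI leaves a clear trace of what was and was not used.
filter_hostnames() {
  for name in "$@"; do
    if valid_hostname "$name"; then
      echo "ok $name"
    else
      echo "rejected $name"
    fi
  done
}

# Stand-in for the DirectAdmin update (assumption): the real script would call
# the DirectAdmin API here with the current IP for the accepted name.
update_record() {
  echo "would update $1"
}

# Entry point: e.g. "test.sh test test2" from the CLI or via the configd action.
if [ "$#" -gt 0 ]; then
  filter_hostnames "$@" | while read -r status name; do
    [ "$status" = ok ] && update_record "$name"
  done
fi
```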
#6
Edit: Solved.. sorta. Issue found!
After doing more testing I found out my issue was that OPNsense had issues retrieving GeoIP data for a geolocation block rule. This started happening after the last update.
Somehow this made it block all countries instead of the ones I set up in the settings.
Disabling that rule allows my reverse proxies to work until I fix or find the cause of the GeoIP issue.

Issue:
Using the nginx plugin, in which I've made a good few HTTP servers -> Location and then the 2 upstream parts.. default reverse proxies.
My reverse proxies are not able to be reached anymore by domain URLs. Neither from the outside nor the inside.
The only way it does work from the INSIDE is to put the domains in Unbound DNS Overrides and point them to any of my LAN interface gateways.
The firewall does not show any blocks, neither does Zenarmor.
Everything worked fine (domains were reachable from outside as well as inside my network simply with the nginx plugin) at 24.7_9.. only after 24.7.1 did it stop working.
There is nothing in front of my OPNsense.

Any ideas?
#7
Can confirm this. While I never used it myself, I can at least say that this seems to not work as intended atm.
#8
Welp, if anyone finds this thread:
Haven't solved the initial issue, but made it bearable by simply having all the stuff enabled on the main domain and then creating Basic Rules to whitelist the IDs that kept blocking stuff (regardless of the location of the policy trying to block it and whether it's active on either domain/subdomain or both).
#9
So.. basically I have my nginx like this: a simple reverse proxy for a main website that is the domain name, and then a few sites that contain a subname.domainname... nothing special.

Now I have been turning on and editing WAF policies to make sure it's all fully secured, but I'm running into an issue.
WAF policies active on the main domain name are blocking stuff happening on the subdomain names within nginx.

So let's say it like this.. sub2.domainname.com has issues with something due to the SQL injections policy of the WAF. I then turn off only the SQL injections policy for sub2.domainname.com. It still gets blocked.
However, when I then also turn off the SQL injections policy on the domain name, it works.
In the logging I can see that rules/policies only active on the domain name site also seem to block stuff on the subdomains.

How can I separate it so that WAF rules from the main site don't affect the subdomains (which are totally separate sites)?
#10
As additional info... the HTTP access logs don't actually show anything for the last few hours, regardless of me opening the website on multiple devices.
When I turn off nginx, however, none of the websites are available, so I'm not sure how/where it is actually allowing in the other subdomains.
#11
Good day,

There is no doubt that I am doing something wrong, but I would like to figure it out.
I used to use the reverse proxy on my Synology NAS, which basically was an extremely simple UI whereby you point 1 thing to another :P
Due to the fact that I'm setting up some services on another device as well, I imagined the best way to handle this is to reverse proxy it from the router.

Now.. I've used the tutorials online to at least set up a basic setup, however I am running into an annoying issue already. Even though at the HTTP server I've got the server name set to aaa.domain.com, it also proxies domain.com, bbb.domain.com etc. etc., so basically.. all the other subdomains as well.

My setup right now looks like this (screenshots of: httpserver, location, Upstream, Upstream server, traffic stats screen, firewall rule):
I also have Unbound set up with all the subdomains so I can access them from inside the LAN. Not sure if that influences anything.

So basically I'm wondering why it's proxying more than I'm telling it to?

Any general tips on setting it up with a good few subdomains that will need to be directed to different IPs would be appreciated as well.

If I figure anything out in the meantime I'll be sure to update.
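The behaviour described above is how nginx picks a server block: a request whose Host header matches no server_name on that port goes to the default server for the port, which is the first block defined unless one is marked default_server. A catch-all default that drops such requests is the usual way to keep a single aaa.domain.com block from answering for every other name. This is an added example in raw nginx syntax, not the OPNsense plugin's generated config or the poster's setup; the certificate paths and the upstream name are placeholders.

```nginx
# Catch-all: any Host header that matches no other server_name lands here.
# 444 is nginx's "close the connection without a response".
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /path/to/placeholder.crt;   # placeholder path
    ssl_certificate_key /path/to/placeholder.key;   # placeholder path
    return 444;
}

# Only requests for exactly aaa.domain.com are proxied to the upstream.
server {
    listen 443 ssl;
    server_name aaa.domain.com;
    ssl_certificate     /path/to/aaa.crt;           # placeholder path
    ssl_certificate_key /path/to/aaa.key;           # placeholder path

    location / {
        proxy_pass http://upstream_aaa;   # upstream name is an assumption
        proxy_set_header Host $host;
    }
}
```

Without the first block, the aaa.domain.com server is the only one on port 443 and therefore the default, so domain.com and bbb.domain.com are proxied to the same upstream.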
#12
If you go to Interfaces -> WAN there should be the option "Block private networks". Any chance that's turned on?
That basically blocks LAN IPs from doing anything with the WAN port.