Messages - dpsguard

#1
Hi Patrick. It works. Thanks so much for your help and support.
#2
Excellent. I will try this and report back.

God bless you and all the developers and authors of Opensource software and systems. Keep doing good work.
#3
Thank you so much Patrick for the excellent explanation. I will try this sometime later today and confirm. Though I only wished to access SSH on a non-standard port, this is interesting, at least for me to try and keep in my back pocket just in case.

I assume this still uses port 22 for the establishment of the SSH tunnel that carries within it the forwarded ports between the http/https server and the local machine, so the OPNsense firewall needs to expose port 22 for SSH on the WAN interface.

Can I have the underlying SSH tunnel use something like port 54321?

Appreciate all your help.
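An added example, not code from this thread or from OPNsense, of the client-side tunnel the post above describes: sshd on the firewall listens on a non-standard port (54321 here), and the web GUI port is reached only through that tunnel, so the WAN rule needs to expose just the SSH port. The user@host `admin@fw.example` and all port numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread): compose the ssh arguments for a
# local port forward that carries the firewall's web GUI inside an SSH tunnel
# whose listener sits on a non-standard port. Hostname and ports are placeholders.

# Return 0 if the argument is a TCP port number in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh argument list for the tunnel:
#   $1 = port sshd listens on (the only port exposed on WAN, e.g. 54321)
#   $2 = local port the tunnel listens on (e.g. 8443)
#   $3 = GUI port on the firewall, reached via its loopback (e.g. 443)
#   $4 = user@host of the firewall
# -N: no remote command, just the forward
# -o ExitOnForwardFailure=yes: fail loudly instead of silently running without the forward
# -o PreferredAuthentications=publickey: never fall back to a password prompt
# -L: forward the local port to the GUI on the firewall's own loopback
tunnel_args() {
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    printf '%s' "-p $1 -N -o ExitOnForwardFailure=yes -o PreferredAuthentications=publickey -L $2:127.0.0.1:$3 $4"
}

# Usage: run `ssh $(tunnel_args 54321 8443 443 admin@fw.example)` and then open
# https://127.0.0.1:8443/ in a browser; the GUI port itself is never reachable from WAN.
tunnel_args 54321 8443 443 admin@fw.example
echo
```

The point of the `-p` / `-L` split is that the port sshd listens on and the ports carried inside the tunnel are independent, so moving sshd to 54321 does not change the forwarded GUI port at all.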
#4
Hi @newsense, how do I access http over SSH using SSH tunneling please?

Thanks
#5
Thanks again @newsense.

I have enabled syncookies as adaptive with 60% start and 30% end for state table entries. Hope that is good enough for my use case.

But I am not able to comprehend the use of SSLH and how it will help in strengthening the SSH posture for WAN side access. SSLH, as I read, allows sharing of a single port for, say, https and SSL if, say, only https is allowed in by the ISP. I don't have any such blocks.

fail2ban is one measure, but that requires it to look into logs and then take action. But to limit CPU and memory consumption, I have disabled all kinds of logging, to the extent that even the syslog-ng service is disabled. In that case fail2ban will also not work.

Will SSH on a non-standard port with key-based authentication not be robust enough for my needs of just Guest Wi-Fi outbound access (no inbound access and no need for it, other than for me to log in sometimes to check the usage etc.)? I might simply add an old PC inside and then set up OpenVPN to get to it and then manage the firewall from there.
#6
Thanks @newsense for your advice. I am not a company. This is all for a community events wifi. ISPs do offer DDoS service packages but that does cost a lot. With no inbound port forwarding or NAT mappings, the only thing to protect is the firewall itself against unauthorized login attempts. I have seen that changing the SSH port to a high port does help reduce this by a big degree. Second will be to use SSH keys and not passwords for SSH.

Yes, 2-factor authentication is too much as it is tied to a phone that could be misplaced, or in certain areas with no cell coverage it may not work. I will look into the SSH / SSL multiplexer and see if this will help in my situation.

Thanks again
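An added example, not code from this thread or from OPNsense, of checking an sshd configuration for the two measures the post above settles on (SSH on a non-standard port, keys instead of passwords), plus the related limits an auditor would look at. Both configuration texts are constructed samples; on OPNsense the equivalent settings are managed from the GUI under System > Settings > Administration, so this is a generic sshd_config audit, not a description of OPNsense internals.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit an sshd_config against the
# hardening discussed above. Both config texts below are constructed samples.

WEAK_CONFIG='# constructed sample: a default-looking sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 6
'

HARDENED_CONFIG='# constructed sample after hardening
Port 54321
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
'

# Print the effective value of one keyword from a config read on stdin.
# sshd honours the first occurrence of a keyword, keywords are case-insensitive,
# and lines beginning with # are comments, so the commented-out line in
# WEAK_CONFIG must not be taken as the setting.
sshd_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '$1 !~ /^#/ && tolower($1) == key { print $2; exit }'
}

# Audit a config read on stdin: one finding per line, nothing printed when clean.
# Defaults applied when a keyword is absent follow OpenSSH: Port 22,
# PasswordAuthentication yes, PubkeyAuthentication yes, MaxAuthTries 6.
audit_sshd() {
    cfg=$(cat)
    port=$(printf '%s\n' "$cfg" | sshd_get Port)
    root=$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin)
    pass=$(printf '%s\n' "$cfg" | sshd_get PasswordAuthentication)
    pubkey=$(printf '%s\n' "$cfg" | sshd_get PubkeyAuthentication)
    tries=$(printf '%s\n' "$cfg" | sshd_get MaxAuthTries)
    [ "${port:-22}" = 22 ] && echo "Port 22: move WAN-facing SSH to a non-standard port"
    [ "${root:-prohibit-password}" = yes ] && echo "PermitRootLogin yes: root should not log in with a password"
    [ "${pass:-yes}" = no ] || echo "PasswordAuthentication ${pass:-yes}: require keys, not passwords"
    [ "${pubkey:-yes}" = yes ] || echo "PubkeyAuthentication $pubkey: key authentication must stay enabled"
    [ "${tries:-6}" -le 3 ] || echo "MaxAuthTries ${tries:-6}: cap authentication attempts per connection"
    return 0
}

# Number of findings for a config read on stdin.
audit_count() {
    audit_sshd | wc -l | tr -d ' '
}

# Demonstration on the constructed samples.
echo "weak config:"
printf '%s' "$WEAK_CONFIG" | audit_sshd
echo "hardened config findings: $(printf '%s' "$HARDENED_CONFIG" | audit_count)"
```

Run it against a real file with `audit_sshd < /etc/ssh/sshd_config`. The first-occurrence rule in `sshd_get` matters in practice: a `PasswordAuthentication no` added at the bottom of a file that already says `yes` higher up changes nothing, which is a common reason a "hardened" host still accepts passwords.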
#7
Thanks Patrick. That is a great idea. I will follow your recommendation on that and that then also allows effortless connections when needed.

There are some advanced options under the rule for max concurrent connections etc. Do they help against DDoS attempts?
#8
Changed destination to This firewall rather than the WAN IP address and it works now.

I will only have SSH access on a non-standard port with a strong password. I cannot limit it to source public IPs as my home IP changes. I can look into the SSH lockout feature, which I believe is enabled by default.

Please advise.

Thanks
#9
Thank you Patrick and @tron80.

I have all of this done right. As I mentioned, I replicated this on another OPT interface with the exact same procedure and that works every single time. SSH and http on the non-standard ports work on LAN as well as the Mgmt / OPT interface. Listen interface is the default, All.

The ISP service is commercial with no ports blocked by the ISP. And I forgot to mention that when I added a non-standard http port to the alias of allowed ports (which includes non-standard SSH also, like 33123 for SSH and 33125 for http), then the admin login page shows up, but when I type in the username / password, nothing happens and the task bar shows waiting for ----. And refreshing the page does not bring up the admin login page again for me to try once more. After a few minutes, the page times out.

And the WAN has a public IP address. I do have HA of two boxes, and then I have an HA IP also for CARP, and I also have a NAT range of IPs for NATting traffic out. All these IPs are from a block of public IPs provided by the ISP. I tried individual WAN public IPs and the HA public IP, with the same results.

Under the rule, I have tried changing state type to various options and nothing makes this work.

Essentially the rule has Action of Pass, interface is WAN, direction in, TCP/IP type v4, protocol TCP, source any, destination WAN address, destination port range is the alias of the two ports described above. reply-to is disabled; it was default before and I have tried going back and forth. Source OS is Any.

Thanks so much for your help in trying to troubleshoot this issue.
#10
Looks like this issue does not bother other users of Captive Portal, or it does not have a practical impact on working / resource usage, so no one is concerned. But there must be a way for OPNsense to reject these unneeded cluttering messages on the display.
#11
Hello All,

I needed to have SSH access on the WAN port, so I changed the port to non-standard and added a suitable rule to allow this over to the firewall. It does not work. Then I changed the port back to 22 and adjusted the rule accordingly. Still did not work. Then I changed the system GUI port to a high port and updated the rule for that. Again no luck.

For each of these actions, I added the same rule on a management port and that works every single time. I even disabled reply-to under the rule but still no joy. I am running the latest 27 code.

Is there something special to turn on to allow management access on outside? I just need SSH on a high port.

Thanks
#12
Hello All,

When we have the captive portal turned on, clients send TLS Hello messages that are not responded to, and the console keeps logging those as a side effect of how FreeBSD treats these messages. And when you have dozens of clients connected to the portal, there is such a clutter of messages from each client periodically that it causes a mess on the terminal. And this may even have an effect on CPU utilization.

If anyone was able to get rid of these messages popping up on console, please help me as well. Thanks so much in advance.

@franco, I know you are always super busy, but I also know that you can point me to a configuration file wherein we can shut this noise up. Please advise when you can. Thank you and other devs for great work.
#13
General Discussion / Re: How to stop syslog-ng at boot
September 01, 2023, 10:26:45 PM
Thanks again @franco. Just did my part by donating my $105 and some change via PayPal transaction ID 4W1450995K203081D

I agree to not complicate and let aggressive option do its work.

As to ZFS and RAM usage, with ZFS enabled but logs written to disk, I have an almost fixed 135MB of RAM used for ARC. When I disable writing logs to disk (so it starts writing to memory), then I see close to 1.2GB of RAM used as ARC cache. I was not sure if this 1.2GB (with little traffic) will remain about the same or will grow too large over time. As long as ARC is not consumed memory, and is available for other things when needed, I will be okay.

Thanks again and keep doing great work. I will donate another about $100 in two weeks.
#14
General Discussion / Re: How to stop syslog-ng at boot
August 31, 2023, 10:00:07 PM
Another thing I just noticed is that, before changing the logging away from disk, it must then be logging to RAM. And before I had 4% RAM used; now it is stuck at 18% with 1.2GB used by ARC. I don't much understand ARC or ZFS, but I am not sure if this cached memory is an issue or will become an issue. If RAM is still idle, then no issues, but I would like to know if there is a way to periodically delete this cache.
#15
General Discussion / Re: How to stop syslog-ng at boot
August 31, 2023, 07:16:23 PM
Hi @franco.

I already have aggressive settings for optimization. I was looking under Firewall / Diagnostics / Sessions / States tables and it had long-hanging sessions, and I thought maybe tcp close / wait etc. could be tweaked downward in a configuration file. I assume then I can ignore the table and the aggressive script takes care of killing the hung sessions periodically.

Thanks. And the money will be in the bank tomorrow evening my time and I will do my part.