Messages - lomax0990

#1
My goal is to allow students/staff to bring their own device but be able to block malicious sites, reverse proxies, porn, etc.

Then I would have other networks with different proxy rules.

These are already segmented by vlan. 

IP blocklists seem to defeat the point.  I can't possibly block all of the bad sites with an IP blocklist.
#2
So one more question...

How do people handle BYOD situations for say like student cell phones where we can't install a certificate?

We have some DNS filtering in place but we're hoping to proxy that traffic also.
#3
Quote: The general approach today is a transparent proxy, so we took that as a given. What's your approach?
The approach is a transparent proxy.

Quote: The client needs to be presented a trusted certificate matching each of the host names it wants to connect to. These are generated on the fly by your trusted CA.
Ok thanks.  I guess I just didn't understand how it worked.  I thought as long as the browser trusted the certificate on the proxy that it would work.  Because with a self-signed CA cert the browser is presented the certificate for the self-signed cert, and not the certificate of the destination domain.  The concept of the CA generating the destination domain on the fly is new to me. 
#4
Quote from: Maurice on July 27, 2023, 07:21:10 PM
Breaking and inspecting TLS is what the proxy is supposed to do, correct. But this requires every machine which uses the proxy to explicitly agree with this. You do this by installing a custom CA certificate on the proxy and on each machine. If breaking TLS would be possible without installing a custom certificate, TLS would be completely pointless. Everyone could just break TLS everywhere.

This is not specific to OPNsense, this is just how TLS proxies (and TLS in general) work.

Yes I get all that.  But I would just think it would be possible for me to purchase an SSL certificate for my domain (ex. opnsenseproxy.testdomain.com) and install it on the proxy.  Then the clients would already have a chain of trust because I purchased it from a reputable CA.  For example, Entrust.  Which would prevent me from having to install/manage certificates on every machine.  Because the browser has root certs installed for Entrust and the proxy is using an Entrust certificate.

It just feels like there has to be a better way than installing certificates on every machine.
#5
Quote from: Maurice on July 27, 2023, 01:37:43 PM
If this would be possible, you could inspect and modify encrypted traffic coming from any machine without ever touching that machine. That's exactly what TLS is supposed to prevent.

The proxy needs valid certificates for every website your machines visit. So it needs its own CA certificate to issue these certificates. All of your machines have to trust this CA. You could use the certificate of a trusted public CA, but they won't give you the matching private key. Even if you ask very nicely.

Yeah, exactly.  It's a proxy server.  So if you don't break and inspect SSL, how is it supposed to categorize websites or any other function of a proxy?  It's a fairly common practice these days since everything is TLS based.  But I don't want to install a certificate on every machine.  I want to install a certificate that would already be trusted by the clients as part of the installed root CAs on the major browsers.  But it seems that OPNsense wants me to use it as its own CA, which would still require me to install a certificate on every machine.
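As an added example (not from this thread and not OPNsense's own code), the following Go program plays out the exchange in the posts above: a private proxy CA mints a server certificate for whatever host the client asked for, and the client accepts it only if it both trusts that CA and finds its own requested hostname in the certificate. A certificate issued to the proxy's own name (opnsenseproxy.testdomain.com, as proposed above) fails the name check even when the issuer is trusted, and a correctly named certificate fails in a stock browser store that lacks the private CA. All names are illustrative, and the CA is generated in memory with Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProxyCA is the private CA the intercepting proxy signs per-host certificates with (in-memory here).
type ProxyCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key and a certificate for tmpl signed by parentKey (self-signed when nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewProxyCA() (*ProxyCA, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Campus Proxy CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	cert, key, err := issue(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &ProxyCA{Cert: cert, Key: key}, nil
}

// MintLeaf is the per-connection step: a short-lived certificate whose SAN is exactly the requested host.
func (ca *ProxyCA) MintLeaf(host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; use 64+ random bits in production
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, ca.Cert, ca.Key)
	return cert, err
}

// ClientVerdict is the browser-side check: a trusted root AND a name match against the host it wanted.
func ClientVerdict(leaf *x509.Certificate, trusted *x509.CertPool, wantHost string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: wantHost})
	switch err.(type) {
	case nil:
		return "accepted"
	case x509.UnknownAuthorityError:
		return "rejected: unknown issuer"
	case x509.HostnameError:
		return "rejected: name mismatch"
	}
	return "rejected: " + err.Error()
}

// RunScenarios plays the three cases argued over in the thread and returns each client's verdict.
func RunScenarios() (map[string]string, error) {
	ca, err := NewProxyCA()
	if err != nil {
		return nil, err
	}
	withCA := x509.NewCertPool() // a client that has the proxy CA installed
	withCA.AddCert(ca.Cert)
	site := "www.example.org"
	leaf, err1 := ca.MintLeaf(site)
	own, err2 := ca.MintLeaf("opnsenseproxy.testdomain.com") // the proxy's own name
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("mint: %v / %v", err1, err2)
	}
	return map[string]string{
		"CA installed, cert minted for the site": ClientVerdict(leaf, withCA, site),
		"stock store, cert minted for the site":  ClientVerdict(leaf, x509.NewCertPool(), site), // no proxy CA
		"CA installed, proxy's own cert":         ClientVerdict(own, withCA, site),
	}, nil
}

func main() { fmt.Println(RunScenarios()) }
```

The third case is the one a certificate bought from a public CA cannot fix: the client checks the name in the certificate against the site it asked for, so the proxy needs a certificate for that site, and only the holder of the issuing CA's private key can mint one.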
#6
Thanks for the responses.  I'm just going to move on from this.  I'm not having any problems since removing the rule and all seems to be working as expected at the moment.  The behavior just seemed odd to me.

I will also look into the other solutions for the UI access as well.

#7
Is there any documentation on running the Webproxy with signed certificates?  I don't want to install a certificate on every machine. 

It's not clear to me since my only option is to use a CA.  I would have assumed I could just install a certificate that's signed and is already in the client trust chain.  But I'm not a certificate expert.

So I was just wondering if there were any videos or documentation on how to do it?  The only thing I could seem to find was doing an internal CA.
#8
Quote: What do you mean, "remote GUI access"?
I have ports 443 and 22 opened inbound from the internet so I can access the GUI/Console remotely from my ISP.

Quote: What are your actual goals for using OPNSense?
An appliance was purchased for a small campus environment.  I've managed Cisco, Fortinet, Juniper firewalls in the past.  This is my first time with Opnsense.

The entire network is not opened to the internet.  Like I said I've restricted the incoming access.  And as far as I can ascertain there are preconfigured rules that allow anything outbound from an interface by default.  So what I'm trying to figure out is why if I create a manual any/any outbound rule on my WAN interface that breaks my DNS resolution.  Obviously that rule was not meant to stay there long term, but at this point I'm questioning if this is some sort of a bug or if I just don't understand how this thing is supposed to work.  Because even removing the rule doesn't restore my DNS resolution until I revert the configuration to a previous configuration before the rule was put in. 

I've worked around this for now, but like I said I would like to understand it before moving forward in case there is something I'm not understanding.
#9
I was hoping someone could help me understand why a particular firewall rule would be breaking my internet access.

I have a pretty standard setup with some VLANs and a single WAN interface.  Just to get some initial connectivity I basically had an out of the box config and created a floating rule that was an any/any rule. Everything worked as expected and all VLANs had internet access.

However the first time I removed the floating rule I lost remote GUI access because I didn't have an inbound rule.  So then I went in after I got console access and created two rules on my WAN interface.  1 inbound rule that was an any/any on any port and an outbound rule that was an any/any on any port.

When I create the outbound rule it breaks my internet and it seems that it breaks DNS.  I immediately start getting "SERVFAIL" responses from a device behind one of my VLANs.  As soon as I restore the configuration back to the original before creating the outbound rule on my WAN interface my internet is restored. 

Can someone help me understand why this would happen?  I'm new to Opnsense and I would like to understand this problem because it might help me understand the platform a little better.

19:39:02.535884 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.36720: 12803 ServFail 0/0/0
19:39:21.318508 IP unifi-cloudkey.xxxx.xxx.49905 > 10.10.60.1.domain: 44740+ A? trace.svc.ui.com
19:39:21.334670 IP unifi-cloudkey.xxxx.xxxl.40905 > 10.10.60.1.domain: 25148+ AAAA? trace.svc.ui.com.
19:39:26.325140 IP unifi-cloudkey.xxxx.xxx.40905 > 10.10.60.1.domain: 25148+ AAAA? trace.svc.ui.com. (34)
19:39:26.325278 IP unifi-cloudkey.xxxx.xxx.49905 > 10.10.60.1.domain: 44740+ A? trace.svc.ui.com. (34)
19:39:30.280028 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.49905: 44740 ServFail 0/0/0 (34)
19:39:30.280246 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.49905: 44740 ServFail 0/0/0 (34)
19:39:30.296466 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.40905: 25148 ServFail 0/0/0 (34)
19:39:30.296681 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.40905: 25148 ServFail 0/0/0 (34)
#10
Thanks I did read through that article.  However, it doesn't seem like NAT reflection is what I need here.  I just need it to do the basic function of a router and NAT the packets from the different VLANs coming in to the WAN interface address. 

Doing a tcpdump on the WAN interface I can see I'm sending the RFC1918 sources to the ISP.  I'm sure it's something simple, but I'm new to OpnSense and something just isn't lining up for me.  Here is a tcpdump output from my WAN interface.  Kind of gives you an idea of what I'm talking about.  I don't know why Opnsense isn't NAT'ing the 10.10.40.52 to my WAN address.

20:46:57.457090 IP 10.10.40.52.28616 > 4.4.4.4.domain: 23404+ A? fireoscaptiveportal.com. (41)
#11
I have a new OpnSense appliance.  My internet was working, but has since stopped and I can't figure out why.

I did a packet capture on my WAN interface which seems to show RFC1918 addressing going to my WAN provider. 

f4:90:ea:00:b8:19   00:01:5c:8d:fd:e4   IPv4, length 78: 10.10.10.4.51368 > 208.67.222.222.53: UDP, length 36

The SRC MAC address from the packet capture is the IP of my WAN interface and the destination MAC is the default gateway from my WAN provider.  So that all seems correct.  I've checked all the gateway, outbound NAT, and route settings that I can find.  I'm running out of ideas of what to do next. 

Any ideas why it wouldn't NAT the traffic before sending it out my WAN interface?
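As an added example (not from this thread), a small Go program that does the check described in the last two posts: parse a WAN-side tcpdump capture and flag packets whose source is still an RFC 1918 address, which after outbound NAT should never appear on the WAN. It handles both line shapes posted above (the `IP src.port > dst.port` form and the link-level `IPv4, length N:` form). The sample capture is constructed from the two lines in the posts plus one made-up line showing a correctly NATed packet, with 203.0.113.10 standing in for the WAN address.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Flow is the source/destination pair pulled from one tcpdump line.
type Flow struct {
	Src     netip.Addr
	SrcPort string // port number or service name, as tcpdump prints it
	Dst     string // literal address or resolved name, as printed
	DstPort string
}

// flowRE matches "<src-ipv4>.<port> > <dst>.<port>:" in both line shapes seen in the posts:
// "IP 10.10.40.52.28616 > 4.4.4.4.domain:" and "IPv4, length 78: 10.10.10.4.51368 > 208.67.222.222.53:".
// Lines whose source was resolved to a hostname (capture taken without -n) are deliberately skipped.
var flowRE = regexp.MustCompile(`(\d{1,3}(?:\.\d{1,3}){3})\.(\w+) > (\S+?)\.(\w+):`)

var rfc1918 = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// IsRFC1918 reports whether a is in one of the private address blocks.
func IsRFC1918(a netip.Addr) bool {
	for _, p := range rfc1918 {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ParseFlow extracts the flow from one tcpdump line; ok is false when the line has no literal IPv4 source.
func ParseFlow(line string) (Flow, bool) {
	m := flowRE.FindStringSubmatch(line)
	if m == nil {
		return Flow{}, false
	}
	src, err := netip.ParseAddr(m[1])
	if err != nil {
		return Flow{}, false
	}
	return Flow{Src: src, SrcPort: m[2], Dst: m[3], DstPort: m[4]}, true
}

// UnNATed returns the flows in a WAN-side capture whose source is still an RFC 1918 address.
// After outbound NAT every packet leaving the WAN should carry the WAN address as its source,
// so every hit here is traffic the firewall forwarded without translating it.
func UnNATed(wanCapture []string) []Flow {
	var leaks []Flow
	for _, line := range wanCapture {
		f, ok := ParseFlow(line)
		if ok && IsRFC1918(f.Src) {
			leaks = append(leaks, f)
		}
	}
	return leaks
}

// SampleWANCapture: the first two lines are the ones posted above; the third is a constructed
// line showing what a correctly NATed packet looks like (203.0.113.10 stands in for the WAN address).
var SampleWANCapture = []string{
	"20:46:57.457090 IP 10.10.40.52.28616 > 4.4.4.4.domain: 23404+ A? fireoscaptiveportal.com. (41)",
	"f4:90:ea:00:b8:19   00:01:5c:8d:fd:e4   IPv4, length 78: 10.10.10.4.51368 > 208.67.222.222.53: UDP, length 36",
	"20:47:01.120004 IP 203.0.113.10.61002 > 208.67.222.222.53: UDP, length 36",
}

func main() {
	for _, f := range UnNATed(SampleWANCapture) {
		fmt.Printf("un-NATed on WAN: %s:%s -> %s:%s\n", f.Src, f.SrcPort, f.Dst, f.DstPort)
	}
}
```

Run it against `tcpdump -ni <wan> -l` output piped in one line at a time; a single hit is enough to show the problem is on the NAT side rather than with the ISP or DNS.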