Messages

1

Web Proxy Filtering and Caching / Re: Can I create specific rules per Active Directory group within the Proxy?

« on: September 07, 2023, 05:08:49 am »

Do you mean to create rules for different users/user groups in AD's group policy?

2

Web Proxy Filtering and Caching / Re: squid graphs?

« on: September 07, 2023, 04:44:48 am »

Can I syslog them somewhere else and then generate graphs?

You can try customizing the squid log format and sending it to the log server to analyze the data using the GUI.
There are many log servers can do this, such as Graylog,Splunk,Grafana,etc...

3

Chinese - 中文 / Re: Why does it happen that the internal server IP address?

« on: August 04, 2023, 10:00:13 am »

You should try to check your NAT rules if there is a One-to-One or Port Forwarding rule target to 192.168.1.40

By default, the WAN port is block all inbound traffic.

4

Chinese - 中文 / Re: opnsense 提示，请高人解答！

« on: August 04, 2023, 09:52:09 am »

opnsense 提示 ：
arp ：192.168.3.102  moved from mac地址1 to mac地址2 on vmx0
arp ：192.168.3.102  moved from mac地址2 to mac地址1 on vmx0
路由器是小米AX3600，IP192.168.3.102。
mac地址1是小米路由的mac地址，mac地址2是2.4G接入点的mac。
就这样来回交替。。。求解，家里只有一台PC。

家里有烂苹果设备吧,这是正常的消息,烂苹果会一直监控网络,告知设备可以休眠,把MAC映射到另一台设备上,然后上线之后就告诉网络我上线了,把MAC地址映射回来,如此反复...

如果你不想收到这些烦人的消息,就把它关掉.

CLI:

Code: [Select]

sysctl -w net.link.ether.inet.log_arp_movements=0
WEB UI:
System: Settings: Tunables: net.link.ether.inet.log_arp_movements: 0

cheer
wincent

5

Chinese - 中文 / Re: 希望OPNsense插件os-ddclient能支持国内的服务商

« on: August 04, 2023, 08:23:10 am »

希望OPNsense插件os-ddclient能支持国内的服务商，比如DNSPOD，阿里，3322，花生壳等。谢谢！

我用阿里的域名,所以自己写了一个自动更新ADSL本地IP的脚本,你也是阿里的域名我可以贴脚本出来给你参考.

6

Web Proxy Filtering and Caching / Re: About the CRL expiration and parent proxy feature

« on: August 02, 2023, 08:27:44 am »

hello Amr,

Thanks for your hints.

• Setup Windows to export the CRL to a share, FTP/HTTP server periodically.
• Grab the CRL with tools like wget, smbget, CURL, etc (Opnsense is based on freeBSD so search how to install the required package)
• Add a cron job that imports the CRL every week

Yes, I added a CRL distribution point for Microsoft CA and used IIS to expose the CRL file, on Opnsense created a sh script CURL update the '/var/etc/openvpn/server1.crl-verify' file, good for me now

you can drop a conf file in these directories and they will persist

Looks like that's the way, will do it manually and make a backup before packages update!

Thanks again!

7

Web Proxy Filtering and Caching / About the CRL expiration and parent proxy feature

« on: July 26, 2023, 05:18:38 am »

Hello guys,
I am new for opnsense and this is my first topic.
I was using CP firewall for a long time(maybe 8 years), when I played VM and installed the opnsense, I found it's amazing and powerful...
Now I am planning to replace the CP, the opnsense now is all-in-one FW,VPN,DNS,AD-BLOCK,AV,PROXY... and one more important thing is that I can easily customize all the settings
And I do need some advice on two difficult problem. The first is about certificate, I set a windowd AD CA to the Authorities and issued some certificates from the AD CA, configured the openvpn to use windows AD users auth + certificate, it works perfectly. But the CRL makes me crazy the windows CA CRL published every 7 days, so I need to update the CRL data in opnsense every week. I'd like to ask if there is any way to set up the opnsense auto download the CRL?
The second is about web proxy, the parent proxy feature setting is not what I want, this settings allow all traffic to the parent proxy exclude the local domain or IPs, but I want to invert this, I only want some domains or IPs going to the parent proxy. My question is if I make changes to the config file '/usr/local/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf' , will it be overwrite in the next packages update? Is there a better way to keep the file persistence?

Thanks and good day!