Messages - vivekmauli14

#1
Hi,

We have a network setup with two ISPs: Airtel and Spectra, both providing static and public IPs along with gateways. We have configured load balancing and failover with Airtel set as Tier 1 and Jio set as Tier 2.

Problem:
We are trying to ensure that speed test requests are routed through the correct gateway:

When Airtel is active, the speed test request should route through Airtel's gateway.
When Spectra is active, the speed test request should route through Spectra's gateway.
However, despite configuring the gateways in a failover setup with both gateways under Tier 1, this behavior is not occurring.

We would appreciate any advice or insights on making the speedtest request route through the correct active gateway, depending on which ISP is active.

Thanks!
#2
Hi all,

I have a setup where two gateways are configured in a failover group and are assigned the same Tier (Tier 1) when creating the Gateway Group. I would like to understand how traffic is routed in this scenario:

Is traffic always routed through the currently active gateway in the failover setup?
Or could it still be routed through either gateway despite the failover configuration?
What I need to ensure is that traffic is routed strictly through the Active Gateway only, even during tests such as a speed test. In other words, I want the inactive gateway to not be used at all.

Could someone guide me on the correct configuration to achieve this behavior? Any help would be greatly appreciated!

Thanks!

Best,
VivekSP
#3
Hi,

With reference to this thread,

can anyone tell me how I can modify the installer repository and use it in the build? I have to add an extra dialogue box to the installer options, which will help me store some info about the device. I currently do the same by running a Python script that asks questions and stores the answers where I want.

But adding this to the installation script will help me make it more streamlined. I cloned the whole installer repo and modified it wherever needed.
Then after that I ran

make makesum

and then make install clean.

With this I'm getting an error in make core:


Quote:
You may want to add user openvpn and group openvpn when creating your
configuration files, the example configuration shows this only as comments.
Could not find package: opnsense-installer
*** Error code 1

Stop.
make: stopped in /usr/tools


Any help or guidance on this would be much appreciated. Thanks in advance.


Best,
VivekSP
#4
Hi,

I have configured an Alias (Hosts type) in the firewall to allow access to specific websites such as Stack Overflow and GeeksforGeeks, while blocking all other network traffic. However, when attempting to access these sites under this configuration, I observe the following issues:

Slow Response Time: Unlike unrestricted access, the websites take significantly longer to load.
Partial Page Rendering: Only the HTML body is rendered, while CSS stylesheets and JavaScript resources fail to load.
Domain Resolution Issue: External dependencies (e.g., CDNs, scripts, styles from third-party domains) are not being resolved correctly when using the Alias-based allow rule.

What additional configurations are required to ensure that websites load fully when using Alias (Hosts type) filtering in OPNsense? Could this be a DNS resolution or firewall handling issue?

Looking forward to a solution.

Thanks,
Best,
VivekSP
#5
How do I bring nano inside the build itself, so that upon a fresh install from the DVD/serial image I get nano preinstalled?
#6
Hi,

One of my partners required me to add a custom dialogue box in the opnsense-installer menu, where it asks to change the root password | exit and reboot option after installation. The requirement is to add some questions there, and the answers would be stored in a file in the /usr/local/etc/ directory.

While I changed the Makefile of opnsense-installer to fetch it from my fork, it didn't work in make ports, and it said opnsense-installer: no such pkg.

Can someone guide me on how to use my custom fork of the opnsense-installer inside the build machine? Any reference or documentation would be appreciated.

Thanks in advance!

Best,
VivekSP
#7
Hi,

I recently came across a feature in enterprise-level firewalls like Fortinet, where virtualized firewalls (virtual domains or VDOMs) can be used to isolate and manage different network segments or configurations. This concept seems incredibly useful, and I was wondering if OPNsense supports something similar, either through a virtual machine (e.g., using bhyve) or a containerized approach (e.g., Docker).

Has anyone tried implementing a virtualized firewall or additional OPNsense instance within an OPNsense setup? If so, I'd love to hear your recommendations or any guidance on how to configure this effectively.

Thanks!
Best,
VivekSP
#8
Thank you for the suggestion, but unfortunately, I cannot afford Zenarmor at the moment. The free plan they offer doesn't provide many features, which is why I am exploring other options for content filtering and MiTM. Additionally, Squid requires at least mid-2025 for my needs, so I'm looking for an alternative that fits better within my current requirements and budget.

Appreciate your understanding!
#9
Thanks for reverting! Does it mean there is no way to achieve this custom API blocking (for Gmail send | LinkedIn upload) without SSL bumping? But as we know, Squid will be resolved in June almost, and I don't find any other solution for SSL bumping. Until then, is there no other way?
#10
Hi,

I am seeking guidance on implementing the following configurations in OPNsense:

Restricting Gmail Send while Allowing Gmail Access

In our LAN setup, I plan to restrict the "Send" functionality for Gmail (SMTP traffic to smtp.gmail.com on port 587), while ensuring Gmail access is still allowed. My approach involves:
Creating an Alias for smtp.gmail.com.
Adding a block rule for the destination port 587, with the Alias set in the destination field.
Could you confirm if this is the correct approach? Additionally, how should I implement the same restriction for a WireGuard Full Tunnel configuration?

Blocking File Uploads on Facebook and LinkedIn Messengers

We want to allow access to Facebook and LinkedIn but block file uploads specifically in their messaging platforms.
Could you guide me on how to achieve this?
Are there specific rules, protocols, or plugins to use in OPNsense for such granular control?
I would greatly appreciate your assistance and recommendations. Thank you for helping me enhance our network's configuration and security!

Looking forward to your valuable insights.
#11
Hi,

I tried installing mitmproxy on OPNsense but couldn't, as I didn't find any pkg in the repositories. Then I created a new Debian server with mitmproxy and added a NAT rule from Firewall > NAT > Port Forward. My certificate is created on the Debian server using mitmproxy > certs. Still, clients are not able to trust the installed certificate even though I have put the certificate in Trusted Root CA in certmgr.msc.

Any idea what might be going wrong here? Or how can I do MITM in OPNsense, as I think maybe Squid will require its v7, which will be released in June '25? I was hoping MITM could solve the SSL bumping for me while Squid gets stable.
#12
I've been working with the OPNsense build tools to create a custom ISO and have successfully built one. However, I'd like to include the nDPI package in the ISO itself so that it's pre-installed after installation.

I've gone through the build tools documentation, but I'm unsure about the best way to add an additional package like nDPI into the build process. Specifically:

Do I need to add nDPI to config/ports.conf or modify other build scripts?
If nDPI isn't available as a standard FreeBSD package, would creating a FreeBSD port be the right first step?
Are there any additional configurations needed to ensure the package works seamlessly after installation?
I'd greatly appreciate any guidance or references from the community. If someone has experience customizing OPNsense builds with additional packages, I'd love to hear your thoughts.

Thanks in advance!

Best,
VivekSP
#13
Hello everyone,

I'm currently working on a project where I need to set up a transparent proxy to intercept and decrypt HTTPS traffic. My goal is to analyze and block specific API calls in applications, such as preventing LinkedIn's file upload API calls, to achieve custom packet filtering.

What I've Tried So Far
1. Squid Proxy
I attempted to use Squid with SSL bumping to handle decryption and filtering. While it worked initially, I ran into endless segmentation faults (segfaults) and other stability issues.

2. Privoxy
I also tried using Privoxy for filtering, but it didn't meet my needs either—it lacked proper support for HTTPS traffic handling and wasn't reliable for my use case.

Current Approach

Due to these challenges, I'm exploring the idea of building a custom Python-based transparent proxy. Here's the implementation plan:

Intercepting Traffic: Use a Python proxy server (e.g., mitmproxy or a custom implementation) to intercept HTTP/HTTPS traffic. Configure the OPNsense firewall to redirect traffic from LAN devices to this proxy.

Decrypting Traffic: Utilize OPNsense's built-in Certificate Authority (CA) to generate a trusted root certificate for SSL decryption. Install the root CA on client devices to enable seamless HTTPS decryption in the proxy.

Analyzing and Blocking: Inspect traffic to identify specific API calls (e.g., LinkedIn file uploads).
Use filtering rules to block unwanted API requests selectively while allowing other traffic.

Traffic Forwarding to Suricata: Pass decrypted traffic to Suricata for deep packet inspection (DPI) and rule-based filtering. Write custom Suricata rules to block traffic matching specific patterns or endpoints.

I want guidance from the community on:

a. Are there any pitfalls or challenges with this method that I should be aware of?
b. Can a Python-based proxy handle moderate traffic loads effectively, or should I consider alternative technologies?
c. Are there better tools or frameworks for achieving transparent proxying, decryption, and custom API filtering?
Looking forward to your response.
Thanks!

Best,
VivekSP
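The "Analyzing and Blocking" step of the plan above needs a request-matching policy that decides, per intercepted request, whether it should be refused. The following is an added example written for this listing, not code from the post or from the mitmproxy project: the decision logic is plain Python so it can be tested offline, and the mitmproxy `request` hook at the bottom wires that same logic into an addon when mitmproxy is installed. All hostnames and endpoint paths are constructed placeholders (`.example-social.test`, `/api/messaging/upload`, and so on), not real service endpoints; a real deployment would derive them from the traffic observed in the lab.

```python
"""Added example: a minimal deny-policy for a transparent-proxy filter.

The matching logic is standalone; the mitmproxy glue at the bottom is only
activated when mitmproxy is importable (run with: mitmdump -s this_file.py).
Hosts and paths below are constructed placeholders, not real endpoints.
"""
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class BlockRule:
    """One deny rule: match on HTTP method, host suffix and path prefix."""
    name: str
    methods: frozenset        # e.g. frozenset({"POST", "PUT"})
    host_suffix: str          # matched on a domain boundary, e.g. ".example-social.test"
    path_prefix: str          # matched against the start of the URL path


# Constructed sample policy (placeholder domains and paths).
RULES = (
    BlockRule("messenger-upload-placeholder", frozenset({"POST", "PUT"}),
              ".example-social.test", "/api/messaging/upload"),
    BlockRule("webmail-send-placeholder", frozenset({"POST"}),
              ".example-mail.test", "/api/send"),
)


def host_matches(host: str, suffix: str) -> bool:
    """Suffix match on a label boundary: 'api.example-social.test' matches
    '.example-social.test', but 'notexample-social.test' does not."""
    host = host.lower().rstrip(".").split(":")[0]
    return host == suffix.lstrip(".") or host.endswith(suffix)


def decide(method: str, url: str, rules: Iterable[BlockRule] = RULES) -> Optional[str]:
    """Return the name of the first rule that blocks the request, else None."""
    parts = urlsplit(url)
    for rule in rules:
        if (method.upper() in rule.methods
                and host_matches(parts.hostname or "", rule.host_suffix)
                and parts.path.startswith(rule.path_prefix)):
            return rule.name
    return None


# --- mitmproxy addon glue: only active when mitmproxy is installed ----------
try:
    from mitmproxy import http

    def request(flow: "http.HTTPFlow") -> None:
        """mitmproxy hook: answer matched requests with 403 instead of forwarding."""
        hit = decide(flow.request.method, flow.request.pretty_url)
        if hit:
            flow.response = http.Response.make(
                403, b"blocked by policy: " + hit.encode(),
                {"Content-Type": "text/plain"})
except ImportError:
    pass
```

Keeping the policy in a pure function (`decide`) means the rules can be unit-tested without a proxy running, and the same function can later be fed from another interception point if mitmproxy is replaced. Matching the host on a label boundary rather than with a plain substring check avoids accidentally blocking (or failing to block) look-alike domains.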
#14
Hi,

I have created a custom FreeBSD package that functions as a regular FreeBSD service. I can start and stop it using the standard FreeBSD service commands (e.g., service <myservice> start).

However, after installing the package, I couldn't find my service listed in the /ui/core/services menu. I'd like to know how to properly register this service so it appears in the services menu and can be controlled via the UI.

After some investigation, I found the /usr/local/etc/inc/<service-name.inc> file, where I added a PHP script similar to how other services like nginx are configured. Despite this, I'm still unable to start, stop, or restart my service from the UI.

Is there a guide or checklist available for this process? Any help or pointers would be greatly appreciated.

Thanks in advance!

Best,
VivekSP
#15
General Discussion / Re: Application Filter for OPNsense
December 03, 2024, 01:22:47 PM
Hi,

Please refer to this post to see how I am implementing the app filter on my OPNsense machine in my lab. This is just my weekend project, but I am looking forward to guidance here. I am missing a small configuration part which has become untraceable for me; although this method needs refinement, it can get my work done for smaller seating areas.

https://forum.opnsense.org/index.php?topic=44230.msg220600#msg220600

Looking forward to help.

Best,
VivekSP