Messages

If you're using clicks, you're not a modern OPs.
Its not a Windows Machine where you Click anything and hopefully not build a SecurityFlaw....

If you wan't to administer OPNSense over a modern Way (like API) I suggest to read the Manual.
There's a way to use the API for that (that's how I do it with versioning and a Git repo in my local Network only for this task).
It Takes 2-3 Minutes and voila a new VLAN is there.

Here's an Example on how to do it:

Code Select Expand

curl -X POST "https://OPNSENSE-IP/api/interfaces/vlan/addVlan" \
  -H "Content-Type: application/json" \
  -u "APIKEY:APISECRET" \
  -d '{
        "vlan": {
            "enabled": "1",
            "tag": "30",
            "description": "LAN_Prod",
            "if": "igb0",
            "priority": "0"
        }
      }'

Its a simple curl Post Call with a json file:

| Field         | Description                                 |
| ------------- | ------------------------------------------- |
| `enabled`     | 1 = enable VLAN                             |
| `tag`         | The VLAN ID (e.g., 30)                      |
| `description` | Description visible in GUI                  |
| `if`          | Parent physical NIC (e.g., igb0, igb1, em0) |
| `priority`    | Optional (0–7)                              |

To verify:

Code Select Expand

curl -X GET "https://OPNSENSE-IP/api/interfaces/vlan/searchVlan" \
  -u "APIKEY:APISECRET"

What exactly is your problem? Your statement doesn't make sense.

Hell Yeah, it works.
But I didn't use Interface Rules instead of them I have a floating rule for have a clean ruleset on my interfaces.

I see many Events on WAN / LAN but what I miss is a description of the Event.

@Q-Feeds what do you mean, is there a way to get more Information out of that?

Which Options do I have to play with (if possible) the API of this plug?
For deeper insights, which logs can I check?
How can I see these events in a SIEM/XDR like Sentinel or WAZUH?

And one thing: I don't know why but login with UserName on Q-Feeds Site isn't possible anymore.
Also I didn't get any email when ordering a new password.... ;(

@Seimus which block rules do you mean exactly? I have different rules (floating and because of micro segmentation of my vlans some special rules depending on my needs).
So for it only Interesting for LAN / WLAN / WAN.

But wait I need to check the Docs first, as far as I know its already in the OPNSense Docs....

ah now I see what you mean .... I let you know if it changed something after I set the rule (I think its easier to create a floating rule in my case ) but thank you, after a day of coding my heady bangs too hard and I oversee things ;)

Ok I installed it, made the registration, add the api thing and nothing happens, I didn't see anything under Events.
Under Feeds I see two entries:
Malicious IP addresses
Malicious domain names
domains
2025-10-26T00:00:00Z
2025-10-26T00:00:007
2025-10-27T00:55:277
2025-10-27700:55:277

everything with a checkmark.

So my question is, what exactly should I expect?

Normally I use crowdsec (which is definitively extremely a money made machine....)

sounds very nice, I wrote a message to test it in the entire thread ;)

I would be very happy to test it.
Only an IT Consultant with some gained Security Experience ;)

@EricPerl
curios, in my configuration it works as described.
The Block Rule RFC1918     *    Block LANDMZ to internal without anything else block all traffic in my entire lan, how I test it?

ping 192.168.11.1    --> no ping allowed
traceroute 192.168.11.1 --> no tracerout possible

also:

nmap -p 22,80,443 192.168.11.1 --> says everything is filtered
nc -zv 192.168.11.1 22 --> says for all the ports its unreachable

no web interface is useable from one of the dmz hosts.

On OpNSense:

Firewall > Log Files > Live View

Filter:

Interface: LANDMZ

Action: Block

Destination: RFC1918 IPs

so why should it not working?

@Patrick M. Hausen,
oh my god.... it works...
you are my hero of the day ;)
Thank you!

Hey together,

I configured a DMZ in my vlan.

everything works except the firewall rule for DNS which should be the Interface Address.

I Use Unbound for everything.

I set an ACL in Outbound for it.
My Firewall Rules are:

Protocol   Source   Port   Destination   Port   Gateway   Schedule      Description
IPv4 TCP/UDP   LANDMZ net   53 (DNS)   dmz_ns    53 (DNS)   *   *      Forward DNS       
        IPv4 ICMP   LANDMZ net   *   *   *   *   *      Allow ICMP to OPNsense       
        IPv4+6 *   LANDMZ net   *   RFC1918    *   *   *      Block LANDMZ to internal       
        IPv4+6 *   LANDMZ net   *   ! RFC1918    *   *   *      Allow access to Internet and block access to all local networks       
        IPv4 *   LANDMZ net   *   FLUX_IPs    *   *   *      Allow to admin PC only       
        IPv4 *   LANDMZ net   *   *   *   *   *      Block all other

Why can't the dmz reach the DNS?
I'm confused about that.

Of course:

Code Select Expand

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# Global Options
{
log {
output net unixgram//var/run/caddy/log.sock {
}
format json {
time_format rfc3339
}
}

servers {
protocols h1 h2 h3
trusted_proxies static 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}

dynamic_dns {
provider cloudflare
domains {
zerot3ch.de *
zerot3ch.de remotely
}
ip_source interface igc0
update_only
}

email xxx@gmail.com
grace_period 10s
import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


*.zerot3ch.de {
log {
output file /var/log/caddy/access/bb35164d-3b13-4c5c-a47e-6499b75c76da.log {
roll_keep_for 10d
}
}
tls {
issuer acme {
dns cloudflare
}
}

@258c701d-7862-4552-b894-d961cdbab7e4_zerot3chde {
not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
handle @258c701d-7862-4552-b894-d961cdbab7e4_zerot3chde {
abort
}
}

remotely.zerot3ch.de {
log {
output file /var/log/caddy/access/2b8651a0-b5db-41f6-9d3b-9a8f1109f3e1.log {
roll_keep_for 10d
}
}

@258c701d-7862-4552-b894-d961cdbab7e4_remotelyzerot3chde {
not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
handle @258c701d-7862-4552-b894-d961cdbab7e4_remotelyzerot3chde {
abort
}

handle {
reverse_proxy 192.168.11.60:5000 {
transport http {
}
}
}
}

This is the only reverse proxy entry which works.

Curiously if I remove the Access List from other entries than the remotely entry, it works.

Can someone explain why?

I use this described at https://docs.opnsense.org/manual/how-tos/caddy.html#restrict-access-to-internal-ips

Options Values
Access List Name: private_ipv4
Client IP Addresses: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
Description: Allow access from private IPv4 ranges

Thanks guys for your comments for completeness.

Ok nevertheless, it's curious that after the newest update of opnsense and caddy,
That none of my reverseproxied entries in the caddy plugin are working except one.

If I try to, as an example invoice ninja, add it like ip/port 192.168.11.60:8035 http,
It doesn't work.
Where and that's really confusing only one entry is working (I have remotely an remote support tool configured without custom config).


So to get back to my previous question:

Why are my reverse proxy settings aren't work if I configure them over the caddy plugin in the webui?

My Nextcloud installation is rated A+ for SSL by Qualys and A+ by the Nextcloud security scan.

I fail to see what else I could do to harden the installation. In the hosting environment we sell the entire OS and "middleware" (installed packages) is mounted read-only into the customer jail.

What else? As an operator, not a developer!

Kind regards,
Patrick

I suggest to take a look at the following sites:

First is relative easy, also with a free account
https://www.cisecurity.org/

Take a look on the security benchmarks.

Second is made by multiple guys who are working on a tool named hardn.

It simplifies the art to get a system hardened.


https://undercodetesting.com/hardn-the-linux-security-project/


Also they are working on a BSD hardn project.

With that you get a quiet good score in different benchmarks.


Also not bad to have because it's free and gives you a little deep dive what's going on in your systems is an siem/xdr tool like wazuh.  It could help you to find out more deeply off your systems.


It isn't a dev thing I think. I'm not a dev, simply a tech guy who works in the it and appreciates to share my knowledge.

@meyerguru
you bring in the words I was searching for.
There isn't only one way. But many ways to reach a goal.

Hey Patrick,

this is named by two technics:

1.) Client Side Security Audit
and
2.) Browser Based Security Inspection.

The Problem with sites like Qualys is, that you get an A+ also if you have misconfigurations which are used by attackers to get into.

What they check:

Qualys SSL Labs scores sites primarily on TLS configuration, not holistic web security. The main factors include:

1.) Supported TLS versions (e.g., only TLS 1.2 and 1.3 = higher score)
2.) Cipher suites (strong, forward-secret ciphers = higher score)
3.) Certificate strength (2048+ bit key, valid chain, no weak signature algos)
4.) HSTS with long duration and preload
5.) No support for insecure renegotiation, compression, or SSLv3
6.) OCSP stapling and other TLS extras

What sites like qualys don't do:

- Web app misconfigurations
- CSP or other headers
- WAF or rate limiting
- Cookie security flags
- Auth schemes / access control
- Firewall rules
- Malware / phishing risks
- Backend exposure / IP leaks

And much more.

So bringing a site ( it doesn't matter if as reverse proxy or a site server config) isn't all and of course isn't secure by default.

You mentioned next cloud, which has a good implementation of a Security Scan.
But it gives you only some of the ways to harden a System.

Its not only about caddy but that would go too far here.

I scrambled my head on how you could do it easily.

I think much easier is to use something like Mozilla HTTP Observatory https://developer.mozilla.org/en-US/observatory.

Here you can check it easier and you would see that an A+ is more an B or something.

Patrick please check the dev console also with your entire browser.

A+ isn't everything as I mentioned before.
It means literally that you have a certain "better" basic protection. However, this does not mean that the bar has been reached.

And this is exactly my goal! Get it hard harder as hardest possible hardening also for my sites.

It's a decision everyone should make.