Messages

1

General Discussion / Re: Firewall Source or destination

« on: August 23, 2024, 06:16:33 pm »

 Why? I want to block just two IPs of attackers. All others are allowed.
1 rule block list
2 rule allow all requests

2

General Discussion / Re: Firewall Source or destination

« on: August 23, 2024, 06:10:12 pm »

Agree, most of the IP are cloude machines used for spam, attacks,etc..

The external network is outside my local network.

For WAN, I want to add rule:
 - block request from external network (web). Who attempt to send ping for example to my router. Which is source and which is destination? For example: source is blocked_ip, destination is any.

3

General Discussion / Re: Firewall Source or destination

« on: August 23, 2024, 04:26:46 pm »

I do not want to block vpn clients who trying to connect to my VPN server. I want to block all request from external web to internal network. I do not understand direction (source: BLOCK_IP_LIST, destination:any) or reverse?

Block_ip_list is firewall aliase with ip list of attackers(hackers list).

What is not ALLOWed on your VPN interface is blocked by default. No need for a specific block rule. Simply only allow clients/ports you want to happen and it should work.

4

General Discussion / Firewall Source or destination

« on: August 23, 2024, 03:17:29 pm »

I do not know how to block list of IPs? I want to block attacker from outside?
I have OpenVPN interface for external vpn clients. Plase take a look what I have made. Is this the correct way?

I just want to block external request to vpn clients (from external clients to internal vpn client).

On router OpenVPN server is running and OpenVPN interface is part of the entire network workflow.

5

General Discussion / Re: ERR_CONNECTION_TIMED_OUT after change MACs of all interfaces

« on: March 18, 2024, 07:20:50 pm »

revert back old mac
then restart

then call from cli:

Code: [Select]

ifconfig em0
dhclient em0
still can not get interface to be shown in opensense top interfaces list. Then add new redundancy virtual interface as second wan. After rebooting I can get enter into router and switch back to original interface from em1 to em0.

At the end remove em1.

It was really hard... Something is totally wrong with this mac updates. 

6

General Discussion / Re: ERR_CONNECTION_TIMED_OUT after change MACs of all interfaces

« on: March 18, 2024, 05:35:11 pm »

How this is related to hardware problem as missing entire interface - WAN?
Now WAN is assigned to different interface, different hardware. My emu0 is missing at all.
Also, how to clean this arp with command?

Delete the ARP cache on the systems you are using to access the firewall.

7

General Discussion / ERR_CONNECTION_TIMED_OUT after change MACs of all interfaces

« on: March 18, 2024, 04:51:29 pm »

192.168.1.1 took too long to respond
Try:

Running network diagnostics with Get Help
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_TIMED_OUT

What? Just change virtual mac address to all interfaces and everything complete gone. Can not even access web  on 80 port. How to fix from cli command?

It seems emu0 interface is gone? What? Entire interface can not work at all. How to fix this with cli command?

8

General Discussion / Your file is too large? Two phone android snapshots only

« on: March 03, 2024, 10:24:12 am »

I try to attach images but give me error:"Your file is too large. The maximum attachment size allowed is 256 KB."

We can not upload simple image. Make 10MB max file size.

256KB is too small for modern world

9

Virtual private networks / Re: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your net

« on: March 03, 2024, 10:15:41 am »

OpenVPN with DDNS return error when client trying to connect:

It turn out I have many problems. Some of those problems are now fixed. The first problem was DDNS configuration was not working.
Find solution and now it is OK. I  am now seeing  my ISP external IP in DDNS config table.

The IP is 78.83.81.* This is my external IP from ISP
I do not have access to ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router have WAN IP: 192.168.100.*
My router is behind ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.comI
set-up one forwarding port rule:

 source port: * destination address:WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN ip)
NAT PORT REDIRECT: 1194
My router LAN IP is: 192.168.2.1 it is virtual machine on ESXi.
My router WAN IP is: 192.168.100.65I try is port 1194 on 78.83.81.168 is open?
 Use tool from external network to  check.The ip: 78.83.81.168 is external IP from ISP router.
I do not have access to ISP router.Now the question is. Is the port forwarding will work?
 All is made in my router.



I located those comment. Still what is the correct way to resolve the problem?



You can change it permamently in OpenSSL configuration. Just modify file /etc/ssl/openssl.cnf

Find the [default_sect] section and change it to:

[default_sect]
activate = 1
[legacy_sect]
activate = 1
Then find the [provider_sect] and use:

[provider_sect]
default = default_sect
legacy = legacy_sect
Save file.

10

Virtual private networks / Re: OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default li

« on: March 03, 2024, 10:06:16 am »

It turn out I have many problems. Some of those problems are now fixed. The first problem was DDNS configuration was not working.
Find solution and now it is OK. Show me that my external IP from ISP is OK.

The IP is 78.83.81.101. This is my external IP from ISP
I do not have access to ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router have WAN IP: 192.168.100.*
My router is behind ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.comI
set-up one forwarding port rule:

 source port: * destination address:WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN ip)
NAT PORT REDIRECT: 1194
My router LAN IP is: 192.168.2.1 it is virtual machine on ESXi.
My router WAN IP is: 192.168.100.65I try is port 1194 on 78.83.81.168 is open?
 Use tool from external network to  check.The ip: 78.83.81.168 is external IP from ISP router.
I do not have access to ISP router.Now the question is. Is the port forwarding will work?
 All is made in my router.

Best is to:

- Update OPNsense to latest version
- Set the config of OpenVPN server to best practice (opnsense docs)
- Recreate certficates for the users (no p12)
- Export new profiles
- Install latest OpenVPN on the clients https://openvpn.net/community-downloads/
- Import profile and enjoy

11

Virtual private networks / Re: OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default li

« on: March 03, 2024, 09:56:40 am »

I did that and now I have new error which I am not sure it is related with any problem with OpenSense.

Today error is "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"


https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/


OpenVPN says, the error is may related to:"A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine."

I did make firewall rule, port forwarding also and the error was not fix. One reason for that may be due to ISP block all port.
I send request to my ISP and hope soon to find out the resone for the problem.

12

23.7 Legacy Series / Re: I can't find instructions for freedns.afraid.org

« on: February 28, 2024, 11:41:56 pm »

Great help. How to check if it is work?

Took a while to get it working. You get the data from https://freedns.afraid.org/dynamic/v2/?style=2 (v1 is not usable with ddclient). Also, the "native" backend is crucial, otherwise it will not work.

General settings:
Backend: Native

Service: custom
Protocol: DynDNS 2
Server: sync.afraid.org
Username/Password: Your FreeDNS username/password
Hostname(s): Your FreeDNS FQDN there
Check IP Method: FreeDNS
Interface to monitor: WAN
Force SSL: ticked

13

Virtual private networks / TLS Error: TLS key negotiation failed to occur within 60 seconds (check your net

« on: February 28, 2024, 10:34:04 pm »

OpenVPN with DDNS return error when client trying to connect:

It turn out I have many problems. Some of those problems are now fixed. The first problem was DDNS configuration was not working.
Find solution and now it is OK. Show me that my external IP from ISP is OK.

The IP is 78.83.81.101. This is my external IP from ISP
I do not have access to ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router have WAN IP: 192.168.100.*
My router is behind ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.comI
set-up one forwarding port rule:

 source port: * destination address:WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN ip)
NAT PORT REDIRECT: 1194
My router LAN IP is: 192.168.2.1 it is virtual machine on ESXi.
My router WAN IP is: 192.168.100.65I try is port 1194 on 78.83.81.168 is open?
 Use tool from external network to  check.The ip: 78.83.81.168 is external IP from ISP router.
I do not have access to ISP router.Now the question is. Is the port forwarding will work?
 All is made in my router.



I located those comment. Still what is the correct way to resolve the problem?



You can change it permamently in OpenSSL configuration. Just modify file /etc/ssl/openssl.cnf

Find the [default_sect] section and change it to:

[default_sect]
activate = 1
[legacy_sect]
activate = 1
Then find the [provider_sect] and use:

[provider_sect]
default = default_sect
legacy = legacy_sect
Save file.

14

General Discussion / Virtual Macine FIN_WAIT State

« on: February 11, 2024, 09:04:53 pm »

Only one machine can not access web gui of the router.
In firewall for that machine the last log is:
state: FIN_WAIT_2:FIN_WAIT_2 Arule: anti-lock rule

Machine have ping to router.
When try to access port 80 to open web gui of opensense router it is just loading in browser client machine  and not returning any response from router. Stay that, just loading. From other machine not have the problem and I can access web gui. This is how I see logs.

15

Virtual private networks / Re: WAN, LAN, OPT and What is the Next One?

« on: January 25, 2024, 06:42:57 pm »

I did and not work.  Something with firewall ?
All interface are set with rule to pass any to any.