Messages - Shayoo

#1
25.1, 25.4 Production Series / Portal Admin feedback
April 17, 2025, 10:35:43 AM
Hi there,

Very happy that there is finally a simple way for users to manage their own TOTP tokens and Openvpn file downloads.

There are a few things that could be improved though.

  • If users authenticate via LDAP, it's not possible to hide the "Account" tab, which would be preferable to prevent them from having the impression that they can change their password when they can't.
  • The "welcome message" doesn't take line breaks into account; it would be interesting if it did, for better legibility and maybe html links.
  • End users do not need to access the online resources (Help) visible in the left-hand menu. Unless this can be configured for OpenVPN configuration, for example.

It's all about the details, but it's for a better user experience.
Do you have any other ideas for improvement or feedback?
#2
Hi, the problem is still there on OPNsense Business when upgrading from 24.10.1 to 24.10.2.
More than half of my installations are blocked on

Stopping crowdsec.
Waiting for PIDS: 14449.
Waiting for PIDS: 92556

On the crowdsec thread it says it's been fixed since community 24.7.6
https://discourse.crowdsec.net/t/bug-opnsense-24-7-5-crowdsec-1-6-3/2057

Business 24.10.2 is based on community 24.7.12, so this should be fixed, but it doesn't seem to be the case.

Does anyone else have the problem?
#3
General Discussion / Re: DNS wildcards in Alias (Hosts)
December 19, 2024, 01:49:47 PM
Hi there,

The post is old, but I'll take the liberty of replying to it as I've been faced with the same problem. I was able to solve it based on other forum user entries.
Unfortunately it requires some tweaking to use wildcard domains.

References
- https://github.com/opnsense/core/issues/4145
- https://gist.github.com/PiDroid-B/078198bc84c1e8451d5fd331b46b332d

1. Create Aliases for Each wildcard

For each domain that uses a wildcard, create two aliases "External (advanced)" (e.g., _a and _b).
Then create a "Host(s)" alias containing the two externals created above.

Example Aliases for Multiple Domains:

- Microsoft_IPs_a External (advanced)
- Microsoft_IPs_b External (advanced)
- Microsoft_IPs Host(s)

2. Configure DNSMASQ on Port 53530

  • Navigate to Services > DNSMASQ in the OPNsense web interface.
  • Set DNSMASQ to listen on port `53530`.

Edit the DNSMASQ Configuration File

Access the firewall via CLI/SSH and edit the DNSMASQ configuration:

vi /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf
Example Configuration File:
Replace the domain names and alias names with those relevant to your environment.

# Add the response for certain A/AAAA lookups to an OPNsense alias
ipset=/microsoft.com/windowsupdate.com/windows.net/Microsoft_IPs_a,Microsoft_IPs_b

# Keep these active if Unbound is still your primary DNS server: no-resolv stops dnsmasq from reading resolv.conf (which points back at Unbound), otherwise the domain overrides would cause a loop
no-resolv
server=1.1.1.2
server=1.0.0.2
server=9.9.9.9
server=149.112.112.112

3. Configure Unbound DNS to Use DNSMASQ for specific domain resolution

Unbound DNS will forward specific queries to DNSMASQ to handle the aliases.
Navigate to Services > Unbound DNS > Overrides and create an entry in "Domain Overrides".

Example Entry:

Domain: microsoft.com
IP: 127.0.0.1@53530

Domain: windowsupdate.com
IP: 127.0.0.1@53530

Domain: windows.net
IP: 127.0.0.1@53530

4. Create a Cron Job to Flush Alias Entries

To prevent aliases from growing indefinitely and containing obsolete data, set up a cron job to flush the alias entries periodically (e.g., every 48 hours).
Create the Action Configuration File

vi /usr/local/opnsense/service/conf/actions.d/actions_alias-flush.conf
Add the Following Content:

[flush]
command:/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables_blk.lock /usr/home/alias-flush.sh
parameters: %s
type:script_output
message:Alias IPs flushed
description:Flush IPs from alias

Reload the system to make the cron job task appear

service configd restart
5. Create the Flush Script

This script will handle flushing the IPs from the specified alias.

vi /usr/home/alias-flush.sh
Add the Following Content:

#!/bin/sh
# Check if the alias name is provided as a parameter
if [ -z "$1" ]; then
    echo "Error: No alias name provided."
    exit 1
fi

ALIAS_NAME="$1"

pfctl -t "$ALIAS_NAME" -T flush

if [ $? -eq 0 ]; then
    echo "Alias '$ALIAS_NAME' flushed successfully."
    exit 0
else
    echo "Error while flushing alias '$ALIAS_NAME'."
    exit 1
fi

Make the Script Executable

chmod 755 /usr/home/alias-flush.sh

6. Schedule the Cron Jobs for Each Alias

Create a cron job for each alias to flush them alternately (e.g., *_a and *_b) every 48 hours.
This rotation ensures that the aliases do not accumulate obsolete data.

Example Cron jobs:
enabled: Check
Minutes: 4
Hours: 3
Days of the month: *
Months: *
Days of the week: 1,3,5,7
Command: Flush IPs from alias
Parameters: Microsoft_IPs_a (Must be the exact name of your external alias)
Description: Flush - Microsoft_IPs_a


enabled: Check
Minutes: 5
Hours: 3
Days of the month: *
Months: *
Days of the week: 2,4,6
Command: Flush IPs from alias
Parameters: Microsoft_IPs_b (Must be the exact name of your external alias)
Description: Flush - Microsoft_IPs_b

7. Configure Firewall Rules Using the Aliases

Create firewall rules based on your requirements and use the combined aliases.
When users perform DNS resolutions, the aliases will dynamically populate with the relevant IPs.

If Unbound has a cached resolution, the request might not be forwarded to DNSMASQ, preventing the client from communicating with the desired IP.
To resolve this issue, restart the Unbound service to clear the cache.
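A hardened variant of the flush script from steps 5 and 6, added here as an example; it is not the script from this post or from the referenced gist. It assumes an OPNsense/FreeBSD host where pfctl is on the PATH, and it treats the alias name as untrusted input because it arrives from the cron "Parameters" field: the name is restricted to letters, digits and underscores (a conservative assumption about alias naming), and the pf table is checked to exist before flushing, so a typo in the cron entry is reported instead of silently doing nothing. The table names are constructed sample values.

```shell
#!/bin/sh
# Hardened alias flush helper (example code, not the forum post's script).
# Assumption: pfctl is available, and $1 comes from the cron "Parameters"
# field, which an admin can mistype, so it is validated before use.

# Return 0 only when the argument is a plausible alias/table name:
# non-empty and made of [A-Za-z0-9_] only (assumed naming rule).
valid_alias_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Flush the pf table backing an alias.
# Exit codes: 0 flushed, 1 pfctl failed, 2 bad name, 3 table not found.
flush_alias() {
    name="$1"
    if ! valid_alias_name "$name"; then
        echo "Error: '$name' is not a valid alias name." >&2
        return 2
    fi
    # pfctl -s Tables lists one table name per line; match the whole line.
    if ! pfctl -s Tables 2>/dev/null | grep -qx "$name"; then
        echo "Error: pf table '$name' does not exist." >&2
        return 3
    fi
    if pfctl -t "$name" -T flush >/dev/null 2>&1; then
        echo "Alias '$name' flushed successfully."
        return 0
    fi
    echo "Error while flushing alias '$name'." >&2
    return 1
}

# Entry point when run from cron: flush every alias given on the command
# line and report failure if any of them could not be flushed.
if [ "$#" -gt 0 ]; then
    rc=0
    for alias in "$@"; do
        flush_alias "$alias" || rc=1
    done
    exit "$rc"
fi
```

Wire it up exactly as in step 4 (the command line in actions_alias-flush.conf stays the same, pointing at this script), and the distinct exit codes show up in the cron job's output so a failed run is distinguishable from a missing table or a bad parameter.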


#4
Hi :)

I use the Business version and the Extended Blocklists function.

Would it be possible to add Blocklists manually as in "Services > Unbound DNS > Blocklist"?
If at least it were possible to add lists yourself, that wouldn't be a problem, but unfortunately it's not possible at the moment. Or at least I haven't found out where.

The main lists on offer today come from blocklistproject, some of which haven't been updated in over a year or more. The project no longer seems to be actively maintained.

Would it be possible to add (via the CLI) additional blacklists for Extended Blocklists?

Open to any proposal other than the use of Zenarmor  :P

This project seems to be up to date
https://github.com/hagezi/dns-blocklists

Regards