Messages

1

24.7 Production Series / Re: Opening 993 and 25 for Email Ports

« on: November 25, 2024, 03:19:57 pm »

I run my own mail server at my house, and utilize Proxmox Mail Gateway in an LXC container, and Axigen mail server in another LXC.

I use aliases for this to help keep this clean and organized.  I have one inbound rule (Firewall / Rules / WAN) for port 25 that says from Any - to the mail gateway, and a linked NAT rule for it. You shouldn't need anything setup for outbound unless you modified your any rule outbound, which nothing is blocked by default outbound.

My outbound mail port 25 is blocked by my ISP.  So, I use an SMTP relay host (SMTP2GO) that allows 1000/mo for free.  I have a template in the mail gateway that allows me to utilize outbound mail through the mail gateway using an authenticated smarthost. This also helps with your mail reputation for your domain. My mail server is setup to send all mail through the mail gateway. Inbound, everything is sent to the mail gateway first, then it passes it along to the mail server once it has been scored.

None of this kind of hosting is as hard as everyone makes it out to be - if you have the free time to set it up and monitor it, I encourage anyone to at least try it. I think a lot of people just don't have the time to stay on top of people trying to relay, but using things like a mail gateway that utilizes spamhaus and other checks can help out a lot, along with using things like Crowdsec and such on OPN.

Other alias rules I have in place that you are going to want at the top of your list (they are applied in an order from top to bottom) are blocking ASNs and blocking IPs, because you will have bad actors trying to relay off you.  OPN allows you to block by ASN number, which can be fantastic to use, but it may also block some services you want to access and cannot. This takes just a few seconds of adding an ASN number or an IP to the alias list and applying.  I only bother with the morons that are trying to ping my mail every minute - the small few checks every now and then I don't worry about and are already listed in an RBL 99.9% of the time.

2

24.7 Production Series / Re: OPNsense needs periodic reboot since updated to 24.7.9_1-amd64

« on: November 25, 2024, 03:01:04 pm »

Did you check the server list under System / Settings /General?

Modify or remove these servers and see what happens. It sounds like you might have some old entries there that it's trying to reach and creating the error.

3

24.7 Production Series / Re: User with read only or monitor capabilities

« on: October 18, 2024, 04:32:35 pm »

As far as the traffic graph goes, that might be more of a browser issue I suspect.  I have a friend who can log in as root and has the same issue with not seeing any graphs, but the values are changing.

Did you try to change the theme to see if it's related or a different browser? (Saw you did that, lol)

4

24.7 Production Series / Re: i210 and SFP GPON Modul

« on: October 14, 2024, 11:28:42 pm »

In order to get to the WebUI for the PON, you have to create a Virtual IP address.  From their discord:

-----------------------------
Firewall -> Virtual IPs -> Add.
Select the "IP Alias" type
Select interface
Select single address
Address(es): 192.168.11.100 / 24 (Or whatever IP range you used)
Description: Management
Save

Firewall -> NAT -> Outbound
Select "Hybrid Outbound NAT"
Select "Add (down/up, depending on what you want)"
Ensure "disable this rule" is NOT selected"
Select the same interface as above
Select IPv4
Protocol: Any, Source: Any
Destination: Network or Alias: 192.168.11.0 / 24
Translation
Address: 192.168.11.100 (Management)
Misc
Description: Management NAT
Save (edited)
-----------------------------
Works for me, even if I disable the NAT rule, I can still get to the interface.

5

General Discussion / Re: Odd occurence I am having with LAN...

« on: September 23, 2024, 07:47:36 pm »

I believe I found the issue, and it was Unifi Controller software monitoring the OPN IP address. 

The software wants to monitor an IP address to be able to say that there's connectivity... kind of silly, but I get it.  I had that pointed at my OPN LAN IP, so anytime I'd reboot, the controller believed connectivity was down, so I'd lose ALL connectivity. 

Just switched it over to a server IP that I have on all the time, solved this issue.

6

24.7 Production Series / Re: i210 and SFP GPON Modul

« on: September 23, 2024, 03:17:29 am »

Thats the Idea. I don't want make external fiber to copper sind use it directly as WAN in opnsense.

My setup is a little different, as I have the ONT transceiver connected into my OPN box.  Works great, but I can't reach the IP you assign it to access the web GUI.  It doesn't do like it does with the BGW modem connected, as you get an internal address from the modem to access it.  The ONT doesn't give you the one assigned and only the WAN IP.

The only way I've found so far to get access, is unplug it, change the IP on my fiber card in my windows server to something in the same subnet, and update it that way accessing the GUI.  Then unplugging it and putting it back into my OPN box.  I've tried creating SNAT, and had no luck accessing

If this is even the issue you are having - gaining access to thhe GUI.

7

24.7 Production Series / Re: OPNsense web gui through reverse proxy

« on: September 17, 2024, 10:34:56 pm »

IMO, this is dangerous to open your firewall GUI to this exposure.  But, if you want to keep this, then I would consider changing your GUI port to something like 9443, because what's most likely happening is your 443 traffic that should just be pointed to NGINX is interfering with your same port as the GUI.

You can change the firewall admin GUI port in your interface, but on NGINX, you would identify the port in your destination address.
So, if you want to go to badidea.myfirewall.com:443, your destination address in NGINX would read: badidea.firewall.local:9443.

8

24.7 Production Series / Re: i210 and SFP GPON Modul

« on: September 17, 2024, 10:29:58 pm »

Are you using this to bypass the BGW series ATT modem for fiber connectivity?

9

24.7 Production Series / Re: Firewall blocking legit traffic for one host

« on: August 07, 2024, 07:37:12 pm »

It looks like you have a DNS issue, port 53 is DNS.

Are you blocking DNS in/out to be redirected to a Pihole or something?

10

24.7 Production Series / Re: Minor UI Issue - cannot add widgets when using vicuna theme

« on: July 26, 2024, 05:33:36 pm »

This was the same post I made about Rebellion, which of course also needs updating so I went to another theme (Cicada) and like it better, lol.

Something I did notice with Cicada, is the widget sizing doesn't save, at least on Announcements.  I drag to make it longer to read more announcements, save it, then log out.  If I go back in, it's the default smaller window before I saved it.

11

24.7 Production Series / Re: 24.7 Upgrade from 24.1-8

« on: July 25, 2024, 02:58:08 pm »

Ah yes, I didn't switch that back to OPN before the update. 

It does work fine on the default theme.   

12

24.7 Production Series / [Solved- I'm an idiot] 24.7 Upgrade from 24.1-10

« on: July 25, 2024, 02:47:45 pm »

Hi Franco,

The upgrade went flawless as near as I can tell.  There's one issue I've seen right away and that is the widgets.

When you try to edit a widget (or try to add a widget), the pulldown menu for selection items appears behind the edit, so you cannot select items to add/remove. If you try to move the window over, it will just deselect the pulldown and you can't select anything near the top.

Looking great so far!  I love the new dashboard!

13

General Discussion / Re: Lawrence Systems!

« on: June 13, 2024, 08:59:59 pm »

That guy is so blatant in his preferred software, I stopped listening to him a long while ago.  He is nothing more than a front runner mouthman for pfSense and any 'sponsor' he has that gives him money or product, IMO.  Which, by the way, even if they were the last firewall appliance on earth, I still wouldn't use them.

The way they do their community is just absolute trash, and the whole thing with the pf/OPN battle just made them completely hated and made themselves look bad in the process.

14

General Discussion / Re: Odd occurence I am having with LAN...

« on: June 06, 2024, 08:32:38 pm »

Yeah, like I said, I don't believe this is an OPN problem, it's just something that's been plaguing me for some time.

I think I'll try a separate DHCP server and see what that does this evening and go from there.

Not seeing any storms at all, my LAN isn't even close to being saturated, and nothing weird, it's running actually really well. 

15

General Discussion / Re: Odd occurence I am having with LAN...

« on: June 06, 2024, 06:24:24 pm »

But that makes no sense to me why my LAN connectivity would drop off.  I should have a completely functioning LAN if I had no WAN access.  If my internet connection drops, I lose all connection locally - to my NAS, my APs drop off, my clients lose connection, etc.

I do have the router assigning the same IP, I can either do it as a static address, or DHCP, and I've just left it at DHCP and tied the MAC to the IP so it's always the same address.

OPN assigns all of my internal addresses, I am wondering if this is the issue as it's the only constant between both setups with Sophos and OPN.  If I create my DHCP scope to an internal server and off OPN, I wonder if that would change something...