Messages - Default4408

#1
I'm not an expert myself but I got this excerpt from online:

"Tor Snowflake relies on Network Address Translation (NAT) types to determine the best way to establish connections between clients and proxies. NAT types are categorized into different categories such as unrestricted, restricted, and symmetric. The NAT type determines how well a proxy can connect to clients, especially in regions with heavy internet censorship.

Unrestricted NAT: This type allows bidirectional communication without any restrictions, making it ideal for running a Tor Snowflake proxy. Proxies with unrestricted NAT can establish connections more reliably and efficiently.
Restricted NAT: These proxies can initiate connections but cannot accept incoming connections without additional configuration. This can limit their effectiveness in helping clients circumvent censorship.
Symmetric NAT: This type is less common and more restrictive, often requiring complex configurations to establish connections. It is not ideal for running a Tor Snowflake proxy.
To ensure your proxy operates effectively, it's important to configure your NAT settings to be unrestricted if possible. If you are running a proxy in a Docker container or on a VPS, you may need to open specific UDP ports and configure your firewall to allow bidirectional communication."

Here are further details on what my setup goal is: Tor Standalone Snowflake proxy.
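The excerpt above describes three NAT behaviours in words only. The following Python model, added here as an illustration and not taken from the post, the Snowflake project or OPNsense, simulates each behaviour and runs the two checks a STUN-style probe makes (does the mapping change with the destination, and can a host the client never contacted reach the mapping?), then simulates a broker-assisted rendezvous between a client NAT and a proxy NAT to show why a proxy behind an unrestricted NAT can serve clients that a restricted or symmetric proxy cannot. All IP addresses, ports and the `SimulatedNAT`, `classify_nat` and `can_pair` names are constructed for the example; real NAT classification (RFC 5780 tests) and Snowflake's own matching logic are more detailed than this sketch.

```python
from dataclasses import dataclass, field

# Simplified model of the three NAT behaviours named in the post. The labels
# follow the post ("unrestricted", "restricted", "symmetric"); every address
# and port below is constructed for the example.
Endpoint = tuple[str, int]


@dataclass
class SimulatedNAT:
    policy: str                        # "unrestricted", "restricted" or "symmetric"
    public_ip: str = "203.0.113.10"    # constructed documentation address
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # mapping key -> external port
    contacted: dict = field(default_factory=dict)  # external port -> {remote endpoints}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; return the public (ip, port) it leaves from."""
        # Symmetric NAT allocates a fresh external port per (internal, destination)
        # pair; the other two reuse one mapping per internal endpoint.
        key = (src, dst) if self.policy == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.contacted.setdefault(ext_port, set()).add(dst)
        return (self.public_ip, ext_port)

    def inbound(self, ext_port: int, sender: Endpoint) -> bool:
        """Return True if a packet from `sender` to `ext_port` is forwarded inside."""
        if ext_port not in self.contacted:
            return False                   # no mapping, nothing to forward to
        if self.policy == "unrestricted":
            return True                    # any internet host may use the mapping
        # restricted and symmetric: only endpoints the inside host already
        # sent to are allowed back in
        return sender in self.contacted[ext_port]


def classify_nat(nat: SimulatedNAT, client: Endpoint = ("192.168.1.50", 5000)) -> str:
    """Classify a NAT the way a STUN-style probe does: compare the mappings seen by
    two servers, then check whether an uncontacted host can reach the mapping."""
    server_a: Endpoint = ("198.51.100.1", 3478)
    server_b: Endpoint = ("198.51.100.2", 3478)
    mapped_a = nat.outbound(client, server_a)
    mapped_b = nat.outbound(client, server_b)
    if mapped_a != mapped_b:
        return "symmetric"                 # mapping depends on the destination
    stranger: Endpoint = ("198.51.100.3", 9999)   # never contacted by the client
    if nat.inbound(mapped_a[1], stranger):
        return "unrestricted"              # endpoint-independent filtering: exposed to anyone
    return "restricted"


def can_pair(client_nat: SimulatedNAT, proxy_nat: SimulatedNAT) -> bool:
    """Simulate a broker-assisted rendezvous: each side learns the other's mapped
    address from the broker, then both send to that address at the same time.
    The pairing succeeds if either side's first packet gets through; the receiver
    can then reply to the source address it actually saw."""
    broker: Endpoint = ("198.51.100.100", 443)
    client_in: Endpoint = ("192.168.1.50", 5000)
    proxy_in: Endpoint = ("10.0.0.7", 6000)
    client_pub = client_nat.outbound(client_in, broker)   # address the broker reports
    proxy_pub = proxy_nat.outbound(proxy_in, broker)
    client_from = client_nat.outbound(client_in, proxy_pub)  # may be a new port on symmetric NAT
    proxy_from = proxy_nat.outbound(proxy_in, client_pub)
    client_to_proxy = proxy_nat.inbound(proxy_pub[1], client_from)
    proxy_to_client = client_nat.inbound(client_pub[1], proxy_from)
    return client_to_proxy or proxy_to_client


if __name__ == "__main__":
    for policy in ("unrestricted", "restricted", "symmetric"):
        print(f"{policy:12} -> probe says {classify_nat(SimulatedNAT(policy))}")
    for client, proxy in (("symmetric", "unrestricted"), ("symmetric", "restricted"),
                          ("restricted", "restricted")):
        ok = can_pair(SimulatedNAT(client), SimulatedNAT(proxy))
        print(f"client {client:12} proxy {proxy:12} -> {'pairs' if ok else 'fails'}")
```

Running the script shows the trade-off the post alludes to: the "unrestricted" case is the one in which `inbound()` forwards packets from a host the inside machine never talked to, which is exactly why it pairs with every client type and also why it widens exposure of whatever listens behind the mapped port; a symmetric client pairs only with an unrestricted proxy in this model.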
#2
General Discussion / Re: OS updates getting blocked
January 25, 2025, 02:55:41 PM
I identified my local and external IPs by entering <ip addr show> in the terminal and then made some test web searches but that external IP doesn't show up in OPNsense's firewall live view. My topography is Modem > ISP router > firewall > personal router. (I know that the ISP's router is unnecessary here but that's the one that my roommate uses).
#3
Hi, I'm trying to run a standalone Tor snowflake (proxy) and would like to make my firewall's NAT unrestricted only on the unprivileged VLAN. If this is possible, how can I achieve it? Also if my network layout is modem > ISP router > OPNsense > personal router (in bridge mode), would it matter if I set OPNsense's NAT to unrestricted if the ISP router has a restricted NAT? Also, how much of a security risk is it to have an unrestricted NAT?

Edit: I read that my ISP uses carrier-grade NAT and opting out of it would require a business account (which is more expensive). I'm assuming there's no way around this?
#4
General Discussion / OS updates getting blocked
January 03, 2025, 01:25:38 PM
I get the following error message when I try to update my OS connected to OPNsense but not when I'm off the firewall. I've tried analysing the firewall traffic to identify the false positives and try to allow-list them but have struggled. How can I get this connection to work? Here is the update output:

Updating fedora-41-xfce
Refreshing package info
Errors during downloading metadata for repository 'google-chrome':
  - Curl error (28): Timeout was reached for http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml [Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds]
Failed to download metadata for repo 'google-chrome': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
#5
Everyone, nominate OPNsense and FreeBSD Foundation as beneficiaries for Proton's 2024 Charity Fundraiser https://proton.me/blog/lifetime-fundraiser-survey-2024! It just takes a minute and you can do so here, just click on the purple "Tell us who to support" button near the upper middle of the page or click here: https://form.typeform.com/to/kRGE7inV. The charities being nominated will receive tens of thousands of USD each. Share the link!
#6
Everyone, nominate OPNsense and FreeBSD Foundation as beneficiaries for Proton's 2024 Charity Fundraiser https://proton.me/blog/lifetime-fundraiser-survey-2024! You can do so here, just click on the purple "Tell us who to support" button near the upper middle of the page or click here: https://form.typeform.com/to/kRGE7inV. The charities being nominated will bring in tens of thousands of USD each. Share the link!
#7
Hello, I'm new to firewalls and have a few questions.

1. I run a commercial VPN locally on my devices and use encrypted DNS (DoH & DoT). Since my traffic is encrypted, what free and open source tools and settings are recommended to fortify my network's security? From my understanding, IDS/IPS and next gen firewall solutions aren't useful with encrypted traffic and getting them to work with a VPN is complicated and prone to issues. Are there any other tools or settings that are recommended?

2. What method is the recommended method to segment the LAN and OPT1 interfaces so that LAN can communicate with OPT1 but OPT1 can't contact LAN? I plan on reserving OPT1 as a guest/untrusted network and assume this is the optimal setup. Please correct me if I'm wrong.

Any input is much appreciated!
#8
I've tried setting the IP manually as you recommended yesterday, although it still didn't work.

However, I just reset my settings to default again and the LAN being swapped with WAN (igb0 & igb1), now by plugging into my WAN port, I am able to access the web GUI. I think my physical LAN port may have some issue -- it was also giving me trouble on pfSense but I thought it was due to a misconfiguration. Thank you everyone for your assistance!
#9
Apologies for any confusion, I'm new to all of this and didn't know what double NAT-ed even meant. After looking it up, it seems that it has to do with two routers being present? If that's the case, I don't have any routers connected to the FW4B - just the RJ45 to the computer and the power cable. Yesterday I briefly connected the FW4B to the internet (WAN to router) to check for updates. The changeset came up but I am not sure if it actually updated since I didn't see any confirmation. I have rebooted the device multiple times since then and the device has remained disconnected from my router. Don't know if this could make any difference.

When you say to change the LAN interface to 192.168.22.1/24, could you please clarify, are you asking to change...
1. Windows' IP from DHCP automatic to manual
2. "Option 1) - Assign interfaces" this seems to only be for changing the assigned RJ45 ports to my understanding.
3. "Option 2) Set interface IP address" in the OPNsense interface

I have once again set the interfaces as is recommended in the Protectli guide: https://kb.protectli.com/kb/how-to-install-opnsense-on-the-vault (WAN = igb0    LAN = igb1   OPT1 = igb2   OPT2 = igb3   N/A   N/A)

I tried "Option 2) Set interface IP address" but am not sure what to enter after the IPv4 upstream gateway addresses prompt as shown in the attached image.
#10
I've been following this guide: WAN = igb0    LAN = igb1   OPT1 = igb2   OPT2 = igb3   N/A   N/A
I just swapped LAN and WAN (WAN = igb1    LAN = igb0   OPT1 = igb2   OPT2 = igb3   N/A   N/A)
but I still can't connect to the web interface.
#11
I just tried both methods but neither worked. Since the Ethernet port on my computer only lights up when connected to any other port but the LAN, I thought that there might be something physically wrong with the FW4B LAN port, so I tried swapping the LAN and OPT1 assignments via option 1 in the interface, but this didn't seem to change anything. Despite this, the LAN port stays lit up on the FW4B but never lights up the one on the computer, much less grants access to the web GUI.

Do you have any more ideas?
#12
This was the result in Windows 11 on all four ports:

Pinging 192.168.1.1 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


How do I check with the WAN cable and see where I get an IP from the ISP?
#13
I was previously using pfSense and just installed OPNsense on a Protectli FW4B twice but still when I plug any computer to its LAN port, the port stays lit on the FW4B but the RJ45 port doesn't light up on my computer and it doesn't detect the wire connection on the OS either. However, when I connect the computer to any of the other ports on the FW4B (OPT2, OPT1, or WAN), then the computer's I/O shield lights up on the RJ45 connection but it still doesn't allow me to connect. When I open up Brave or Mullvad browsers, I can't reach 192.168.1.1 – Brave says "This site can't be reached https://192.168.1.1/ is unreachable. RR_ADDRESS_UNREACHABLE."

I've tried to connect on two different computers, on Windows 10, 11, and Fedora Workstation Linux. The first time I installed I followed the instructions as stated on this guide: https://kb.protectli.com/kb/how-to-install-opnsense-on-the-vault. When connected via RJ45, my computers are able to connect to 192.168.1.1 on my ISP router and personal router without a problem.

How can I get the computer to recognize the connection so that I can access the OPNsense web browser GUI? I have attached a picture of the FW4B's interface confirming the IP assigned to LAN. Any help is much appreciated!