Messages

If you're using wireshark on a linux desktop (not sure about the windows version) you can use the 'ssh remote capture' option to bring it straight in to wireshark near realtime.

Just to add, best way I find to configure the capture in wireshark:
Server: appropriate opnsense interface address.
authentication: username and private key.
capture: select 'other' and put a full tcpdump command. e.g. tcpdump -i pppoe0 -w - 'udp port 53 or tcp port 80'
(Use actual device interface names rather than aliases lan, wan etc.)
check 'save parameters on capture start'.
HTH

Exactly what I needed! Thanks a bunch :)

  Hello all!
 
I have been using the packet capture feature in OPNsense for a bit now, but I am tired of having to click through menus and such and was wondering if someone has made a script which automates the downloading of a pcap file from the firewall appliance to the local machine for use in wireshark and so on. I have my router on its own MGMT VLAN and would ideally like to be able to plug in an ethernet cable, run a command and within a few seconds start seeing traffic in wireshark from a VLAN specified. If this hasnt already been developed I would like some pointers as to scripting in OPNsense! Maybe what I am looking for is in something like zenarmor but I have never gotten around to trying it.
 
 All the best :)

Ive recently got into home lab'ing by running a few local-only services using docker on a spare machine I have. I have some experience with OPNsense but have never used docker before so there maybe a few crossover questions. Here is what I want to do:

Host some services on one linux machine, say 10.0.0.2 with an on device hostname of myserver. I would like to run multiple webpages and be able to connect to them by visiting different local domains. For example http://search.mylan would lead to port 80 on the server, and http://nextcloud.mylan would lead to 8080 etc.

I managed to configure a static DHCP lease to point the myserver.mylan domain to 10.0.0.2 but this still requires me to specify port numbers and I see no options to direct a domain to a certain port. Would solving this require me to tinker with docker containers or is there a solution which is built into OPNsense?

And one more thing...
I have not read much into the CA that OPNsense can run, but I assume I can use that to create my own TLS certs for my services and get https up and running. I have seen other people use a domain they have purchased in their LAN but dont really want that. Ideally I want something fully local.

Any help would be appreciated and thanks in advance.

Hello.

I am looking to add a few WAPs to my LANs but dont know how to go about doing it. Ideally I would like the APs to be 'dumb' and be able to flash OpenWRT onto them. I then do not know how I would go about managing them. Would this be done over the network or would there be an physical interface I can plug into to configure.  The latter would be ideal.
Basic network topology of my subnets, interfaces and where I want an AP deployed

eth0 - WAN <-- DHCP from ISP
eth1 - LAN1 <-- 192.168.10.1/24 + AP ACCESSIBLE
eth2 - LAN2 <-- 192.168.20.1/24 + AP ACCESCIBLE
eth3 - MGMT <-- 192.168.99.1/24

Firewall ip is 192.168.99.1

Can anybody point me in the right directions as to how one can setup a dumb ap with opnsense.

Thanks in advance!

[not]

On my system that auto-generated rule is only there for 'LAN'.  The other interfaces don't have it.

You're 100% correct indeed. The anti-lockout rule seems to be hard-coded in the code within the function: 

Code Select Expand

filter_core_get_antilockout()

https://github.com/opnsense/core/blob/7373985f3b2b0344c1e2596bdbbb5b0870cadb57/src/etc/inc/filter.lib.inc#L113 (looking at this code, its unclear to me when this rule is actually created automatically and when not). My general understanding is that this anti-lockout rule will be applied to only the "LAN" interface (no matter how you rename it).

However you normally do NOT (never) want to have a management interface on a WAN interface. Only on one or more LAN ports.

The "Automatically generated rules" are actually generated for both LAN and WAN interfaces. However, I was confused myself with the default "sshlockout" rule is auto-generated  :-X. But this is of course to block access to SSH secure shell and HTTP web management interface, which is the opposite of anti-lock rule of course :).

Long story short. Let's create our own dedicated management interface on OPNsense including an anti-lockout rule:

• In Interfaces -> Assignments. I added the device (port) to the list. And press save.
• Go to Interfaces -> [YOUR_INTERFACE]. Select "Enable interface" and select "Prevent interface removal". And maybe give it a better description something like: "LAN_MANGEMENT". Then I also set IPv4 Configuration Type to: Static IPV4. And down below under Static IPv6 configuration. I give the OPNsense firewall a static IPv4 address: 192.168.2.1, with 24 subnet mask (so not 192.168.1.1 in case you were using this already on another interface).
• For easy of use, I also enabled DHCPv4 on this management interface. So go to: Services -> ISC DHCPv4 -> [LAN_MANGEMENT] interface. Select "Enable DHCP serv on the LAN_MANAGEMENT interface. And I gave it a range from: 192.168.2.100 to: 192.168.2.199. And press Save.
• In Firewall -> Aliases -> New alias. Name: "anti_lockout_ports". Type: "Port(s)". Content: 80 (enter), 443 (enter) and 22 (enter). Description: "Anti-lockout ports".
  
• Finally, I go to Firewall -> Nat -> Port forward. In my case the anti-lockout rule was there already. If not, create a new rule -> Select the interface (eg. "LAN_MANAGEMENT"). Protocol: TCP. Destination: "LAN_MANAGEMENT address". Destination port select: "anti_lockout_ports" (our alias we created earlier). As Redirect target IP, I provided: 192.168.2.1 (the firewall static IP address I gave it in step 2.) Give it a description like: "Anti-Lockout Rule". And press Save.
  
• And press "Apply changes".

If you are sure you have the correct firewall rule in place (see my steps above). You could optionally disable the default anti-lockout rule on the LAN interface, by going to: Firewall -> Settings -> Advanced -> "Disable anti-lockout" by checking "Disable administration anti-lockout rule". Which thus disables the default anti-lockout rule on the LAN interface like you mentioned before.

If I said something wrong, please let me know. I will update this post.

Thanks for the reply!

I followed your steps and they should work, but now my problem is that in my firewall logs, My MGMT device (192.168.99.100) is getting blocked when trying to access 192.168.1.1:443 (WebGui). It is being caught by the 'Default Deny / state violation rule' which cannot be disabled on that interface, unless there is another way that I do not know. Any ideas on how to remedy this? Again, thanks for taking the time to answer my post!

[Here is a quick diagram I diagram to visualize my topology:]

I am new to this forum, so the subject tag may not be correct and I was in a hurry when making this post!

I'm using OPNsense in a QEMU virtual machine with 3 interfaces. I would like to make the WebGUI only accessible from the MGMT interface, and also have the MGMT interface blocked from accessing the internet.

Here is a quick diagram I diagram to visualize my topology: 
https://0x0.st/Xhb5.png

I have assigned address ranges to these interfaces, added an allow all rule to the MGMT interface, and verified that I can access the internet and the WebGUI from the MGMT network. But when I change Settings > Administration > Listen Interfaces from "All" to "MGMT", I cannot access the webgui anymore from the MGMT interface. I am very new to OPNsense and am migrating from Mikrotik so the new terminology and procedures are confusing me!

Any help would be greatly appreciated.