Messages - talowicz

#1

Hello all.

I have a 26.1 installed under QEMU/KVM to firewall and monitor some malicious VMs. I'm not 100% familiar with 26.1 and it brings some changes to my previous knowledge of 25.1. I would very much appreciate it if someone could provide some insight on how to achieve the following things:

- Force cleartext DNS to go through the Unbound DNS server
- Ensure that guests behind the OPNsense firewall cannot talk to the VM host or its network.

The force DNS redirect HOW-TOs I have found are all pretty out of date.

What confused me with the private network firewalling was that, under the interfaces > LAN section, enabling the Block Private Networks and Bogon network switches resulted in the clients on this network not being able to reach the internet. With them disabled the machines can reach out fine, but they can obviously reach the VM host and its network.

Thanks in advance for your time.
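One check for the first item, added here as an example and not part of the post above. The usual way to force cleartext DNS on OPNsense is a Firewall > NAT > Port Forward rule on LAN (TCP/UDP, destination "LAN address" inverted, destination port 53, redirect target 127.0.0.1 port 53); once that rule works, the only port-53 packets leaving the WAN device are Unbound's own. The script below filters `tcpdump -n` output from the WAN side for DNS packets addressed to anything other than Unbound's configured forwarders. The WAN device name vtnet0, the forwarders 9.9.9.9 and 149.112.112.112, and the sample capture lines are all assumptions made for the example; the check only holds when Unbound is in forwarding mode. On the second item: "Block private networks" on LAN drops packets whose *source* is RFC 1918, which is every LAN client, so that switch is the wrong tool; an explicit block rule on LAN with the host network as destination, placed above the pass rule, is what isolates the guests.

```shell
#!/bin/sh
# Added example (not from the forum thread): spot client DNS that bypasses the Unbound redirect.
#
# Assumptions, none of which the post states: the WAN device is vtnet0, Unbound runs in
# forwarding mode with 9.9.9.9 and 149.112.112.112 as its only upstreams, and the LAN
# port-forward for port 53 is in place. With that rule the only port-53 packets leaving the
# WAN device are Unbound's, so any other destination on the WAN side is a client that got
# around the redirect. After outbound NAT every packet carries the firewall's WAN address as
# source, so the destination is the only thing worth looking at here.

WAN_IF=${WAN_IF:-vtnet0}
ALLOWED_RESOLVERS=${ALLOWED_RESOLVERS:-"9.9.9.9 149.112.112.112"}

# dns_leaks: read "tcpdump -n" text on stdin, print "<src> -> <dst>" for every IPv4 DNS packet
# whose destination is not an allowed upstream. Exit status 1 when at least one leak was seen.
dns_leaks() {
  awk -v allowed="$ALLOWED_RESOLVERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # tcpdump -n lines look like: <ts> IP <src>.<sport> > <dst>.<dport>: <payload>
    $2 == "IP" && $4 == ">" {
      dst = $5
      if (dst !~ /\.53:$/) next        # not addressed to port 53
      sub(/\.53:$/, "", dst)           # keep the bare destination address
      if (!(dst in ok)) { print $3 " -> " dst; leaks++ }
    }
    END { exit leaks > 0 }'
}

# live_check: run on the firewall itself (needs root); -l keeps tcpdump line-buffered
live_check() {
  tcpdump -lni "$WAN_IF" 'port 53' | dns_leaks
}

# Constructed sample of what tcpdump -n prints on the WAN device: one lookup Unbound forwarded
# (allowed), one client that reached 8.8.8.8 directly (leak), one HTTPS flow, one reply.
SAMPLE='12:00:01.000001 IP 203.0.113.5.40001 > 9.9.9.9.53: 1+ A? example.com. (29)
12:00:01.000002 IP 203.0.113.5.40002 > 8.8.8.8.53: 2+ A? example.net. (29)
12:00:01.000003 IP 203.0.113.5.40003 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000004 IP 9.9.9.9.53 > 203.0.113.5.40001: 1 1/0/0 A 93.184.216.34 (45)'

# sample_check: run dns_leaks over the constructed sample; prints only the leaking flow
sample_check() {
  printf '%s\n' "$SAMPLE" | dns_leaks
}
```

Source the file on the firewall and run `live_check`; a clean setup prints nothing and exits 0. To test the redirect end to end from a guest, query a third-party resolver directly (`dig @8.8.8.8 example.com`) while `live_check` runs: the answer should still arrive, and nothing should appear on the WAN side other than the forwarders.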
#2
I have a fresh 26.1 install under a QEMU/KVM virtual machine on Arch Linux (not Proxmox).

I have previously been using 25.1 with no hiccups and no initial config errors from what I can remember. Using that 25.1 image there are no errors and I can reach the WAN (just a NAT bridge) and then the internet just fine - making me certain this is not a DHCP server issue.

I have read and read the install docs and watched countless install videos, so I am pretty sure this is not just a trivial problem. I hope I don't waste everyone's time and that someone is able to help.
 
Thanks :)

Edit:
After some more troubleshooting, what makes me believe this is actually a virtual networking setup issue and not something with OPNsense itself is me reinstalling 25.1, then importing a backed-up config into it. Everything else works, just no WAN DHCP IP.
#3
Quote from: keeka on September 13, 2025, 08:30:31 PM
If you're using Wireshark on a Linux desktop (not sure about the Windows version) you can use the 'ssh remote capture' option to bring it straight in to Wireshark near realtime.

Just to add, best way I find to configure the capture in wireshark:
Server: appropriate opnsense interface address.
authentication: username and private key.
capture: select 'other' and put a full tcpdump command. e.g. tcpdump -i pppoe0 -w - 'udp port 53 or tcp port 80'
(Use actual device interface names rather than aliases lan, wan etc.)
check 'save parameters on capture start'.
HTH

Exactly what I needed! Thanks a bunch :)
#4
Hello all!

I have been using the packet capture feature in OPNsense for a bit now, but I am tired of having to click through menus and such and was wondering if someone has made a script which automates the downloading of a pcap file from the firewall appliance to the local machine for use in Wireshark and so on. I have my router on its own MGMT VLAN and would ideally like to be able to plug in an Ethernet cable, run a command and within a few seconds start seeing traffic in Wireshark from a VLAN specified. If this hasn't already been developed I would like some pointers as to scripting in OPNsense! Maybe what I am looking for is in something like Zenarmor but I have never gotten around to trying it.

All the best :)
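The "plug in, run one command, see packets" workflow asked for here, and the tcpdump-over-SSH setup quoted in the previous post, can be one small script. This is an added example, not code from either post or from OPNsense. It assumes the firewall answers SSH on 192.168.99.1 as root with key authentication, that tcpdump is present there (it ships with FreeBSD) and Wireshark locally, and that the physical device is vtnet1; replace those with your own values. As keeka noted, use real device names (vtnet1, igb0, vlan0.20 and so on), not the LAN/WAN labels from the GUI.

```shell
#!/bin/sh
# Added example, not from the thread: stream a capture from the OPNsense box into Wireshark.
# Assumptions (not in the posts): SSH to 192.168.99.1 as "root" with a key, tcpdump on the
# firewall, Wireshark on the local machine, and real device names such as vtnet1.

FW_HOST=${FW_HOST:-192.168.99.1}
FW_USER=${FW_USER:-root}

# build_capture_cmd IFACE [VLAN] [FILTER]: print the tcpdump command to run on the firewall.
# The interface name and VLAN id are validated and single quotes are refused in the filter, so a
# value taken from the command line cannot smuggle extra shell into the remote command.
build_capture_cmd() {
  iface=$1; vlan=${2:-}; filter=${3:-}
  case $iface in
    ''|*[!A-Za-z0-9_.]*) echo "invalid interface name: $iface" >&2; return 1 ;;
  esac
  case $vlan in
    '') ;;
    *[!0-9]*) echo "invalid VLAN id: $vlan" >&2; return 1 ;;
    *) [ "$vlan" -le 4094 ] || { echo "invalid VLAN id: $vlan" >&2; return 1; } ;;
  esac
  case $filter in
    *\'*) echo "single quotes are not allowed in the filter" >&2; return 1 ;;
  esac
  expr=""
  if [ -n "$vlan" ]; then
    expr="vlan $vlan"      # only frames tagged with this VLAN id on the parent device
  fi
  if [ -n "$filter" ]; then
    if [ -n "$expr" ]; then expr="$expr and ($filter)"; else expr=$filter; fi
  fi
  # -n: no name lookups; -U: flush per packet so Wireshark updates live; -w -: pcap on stdout
  if [ -n "$expr" ]; then
    printf "tcpdump -ni %s -U -w - '%s'\n" "$iface" "$expr"
  else
    printf 'tcpdump -ni %s -U -w -\n' "$iface"
  fi
}

# capture IFACE [VLAN] [FILTER]: run the capture over SSH and open it in Wireshark as it arrives.
capture() {
  cmd=$(build_capture_cmd "$@") || return 1
  # BatchMode: fail instead of prompting when the key is missing; -k: start capturing at once
  ssh -o BatchMode=yes "$FW_USER@$FW_HOST" "$cmd" | wireshark -k -i -
}
```

Source the file and run, for example, `capture vtnet1 20 'udp port 53 or tcp port 80'` to watch DNS and HTTP on VLAN 20 as seen on the vtnet1 parent. The same `build_capture_cmd` output is what goes into Wireshark's "other" capture command field if you prefer the GUI setup from the quoted post. Restrict the firewall-side account to a key that is only allowed to run tcpdump if this is going to be used routinely.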
#5
I've recently got into home labbing by running a few local-only services using Docker on a spare machine I have. I have some experience with OPNsense but have never used Docker before, so there may be a few crossover questions. Here is what I want to do:

Host some services on one Linux machine, say 10.0.0.2 with an on-device hostname of myserver. I would like to run multiple web pages and be able to connect to them by visiting different local domains. For example http://search.mylan would lead to port 80 on the server, and http://nextcloud.mylan would lead to 8080 etc.

I managed to configure a static DHCP lease to point the myserver.mylan domain to 10.0.0.2 but this still requires me to specify port numbers and I see no options to direct a domain to a certain port. Would solving this require me to tinker with Docker containers or is there a solution which is built into OPNsense?

And one more thing...
I have not read much into the CA that OPNsense can run, but I assume I can use that to create my own TLS certs for my services and get HTTPS up and running. I have seen other people use a domain they have purchased in their LAN but don't really want that. Ideally I want something fully local.

Any help would be appreciated and thanks in advance.
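Why the DHCP lease cannot do this, shown as an added example rather than anything from the post: DNS (a static lease, or an Unbound host override under Services > Unbound DNS > Overrides) only maps a name to an address; the browser picks the port itself, 80 for plain http://. So every *.mylan name must resolve to 10.0.0.2, and a reverse proxy listening on 10.0.0.2:80 has to read the Host header of each request and pass it to the right container port. The functions below do exactly that dispatch on constructed requests, including the cases a proxy has to get right (missing Host, unknown name, Host with an explicit port, mixed case), and emit a matching Caddyfile. The names and 10.0.0.2 come from the post; the backend ports, running Caddy on the Docker host and the 127.0.0.1 backends are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Host-header dispatch, which is the part of the problem
# DNS cannot solve. Names and 10.0.0.2 are from the post; ports and the proxy are assumptions.

# Name -> backend port on the same host (constructed for the example).
VHOSTS='search.mylan 8081
nextcloud.mylan 8080'

# backend_port HOSTVALUE: print the backend port for a Host header value or return 1.
# Lower-cases, drops an explicit :port and rejects anything that is not a plain hostname.
backend_port() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/:[0-9]*$//')
  case $host in
    ''|*[!a-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$VHOSTS" | awk -v h="$host" '$1 == h { print $2; found = 1 } END { exit !found }'
}

# route_request: read an HTTP/1.1 request head on stdin, print "<status> <backend port or ->".
# This is the decision a reverse proxy makes before it opens the upstream connection.
route_request() {
  cr=$(printf '\r')
  host=""
  while IFS= read -r line; do
    line=${line%"$cr"}
    [ -n "$line" ] || break                       # empty line ends the header block
    case $line in
      [Hh][Oo][Ss][Tt]:*)
        host=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//') ;;
    esac
  done
  if [ -z "$host" ]; then
    echo "400 -"                                   # HTTP/1.1 requires a Host header
  elif port=$(backend_port "$host"); then
    echo "200 $port"
  else
    echo "404 -"                                   # unknown name: never fall through to a default site
  fi
}

# gen_caddyfile: the same mapping as a plain-HTTP Caddyfile for a proxy running on 10.0.0.2:80
gen_caddyfile() {
  printf '%s\n' "$VHOSTS" | awk '{ printf "http://%s {\n\treverse_proxy 127.0.0.1:%s\n}\n", $1, $2 }'
}
```

On OPNsense the equivalent built-in route is one of the proxy plugins (os-caddy, os-nginx or os-haproxy) with a host override that points the names at the proxy; running the proxy on the Docker host itself, as the generated Caddyfile assumes, avoids hairpinning LAN traffic through the firewall. For HTTPS with a purely local name, the certificate the proxy serves must be signed by a CA the clients trust, which is where the OPNsense CA (or a proxy's own internal CA) comes in; the 404 for unknown names matters more once TLS is involved, since a default site would otherwise answer for any name that happens to resolve to the proxy.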
#6

Hello.

I am looking to add a few WAPs to my LANs but don't know how to go about doing it. Ideally I would like the APs to be 'dumb' and be able to flash OpenWrt onto them. I then do not know how I would go about managing them. Would this be done over the network or would there be a physical interface I can plug into to configure? The latter would be ideal.
Basic network topology of my subnets, interfaces and where I want an AP deployed

eth0 - WAN <-- DHCP from ISP
eth1 - LAN1 <-- 192.168.10.1/24 + AP ACCESSIBLE
eth2 - LAN2 <-- 192.168.20.1/24 + AP ACCESSIBLE
eth3 - MGMT <-- 192.168.99.1/24

Firewall ip is 192.168.99.1

Can anybody point me in the right direction as to how one can set up a dumb AP with OPNsense?

Thanks in advance!
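One way to build the dumb AP for this topology, added as an example and not taken from the post or from OpenWrt's documentation. A single AP serving both LAN1 and LAN2 needs one trunk cable, so the assumption is that OPNsense carries LAN1 as VLAN 10, LAN2 as VLAN 20 and MGMT as VLAN 99 on one parent NIC (Interfaces > Other Types > VLAN) rather than on eth1/eth2/eth3 as separate ports. Further assumptions: the AP runs OpenWrt 21.02 or later with a DSA switch, its uplink port is `lan1`, its own address is 192.168.99.2, and the radios are `radio0`/`radio1`. With `DRY_RUN=1` the script prints the `uci` and service commands instead of running them, which is how it is tested here.

```shell
#!/bin/sh
# Added example, not from the thread: configure an OpenWrt device as a "dumb" AP.
# Assumptions beyond the post's subnets: uplink port lan1 carrying VLANs 10/20/99 as a trunk
# from OPNsense, AP address 192.168.99.2 on the MGMT VLAN, radios radio0 and radio1.
# DRY_RUN=1 prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-0}
AP_ADDR=${AP_ADDR:-192.168.99.2}
FW_ADDR=${FW_ADDR:-192.168.99.1}
TRUNK_PORT=${TRUNK_PORT:-lan1}
MGMT_VLAN=${MGMT_VLAN:-99}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# add_bridge_vlan ID: tag VLAN ID on the uplink port of br-lan (turns on bridge VLAN filtering)
add_bridge_vlan() {
  case $1 in ''|*[!0-9]*) echo "bad VLAN id: $1" >&2; return 1 ;; esac
  run uci add network bridge-vlan
  run uci set 'network.@bridge-vlan[-1].device=br-lan'
  run uci set "network.@bridge-vlan[-1].vlan=$1"
  run uci add_list "network.@bridge-vlan[-1].ports=${TRUNK_PORT}:t"
}

# add_l2_net NAME ID: an address-less interface on br-lan.ID that an SSID can be attached to
add_l2_net() {
  run uci set "network.$1=interface"
  run uci set "network.$1.device=br-lan.$2"
  run uci set "network.$1.proto=none"
}

# add_ssid RADIO SSID NET: WPA2-PSK access point on RADIO bridged into NET; drops the default SSID
add_ssid() {
  run uci -q delete "wireless.default_$1" || true
  run uci set "wireless.$1.disabled=0"
  run uci add wireless wifi-iface
  run uci set "wireless.@wifi-iface[-1].device=$1"
  run uci set 'wireless.@wifi-iface[-1].mode=ap'
  run uci set "wireless.@wifi-iface[-1].network=$3"
  run uci set "wireless.@wifi-iface[-1].ssid=$2"
  run uci set 'wireless.@wifi-iface[-1].encryption=psk2'
  run uci set "wireless.@wifi-iface[-1].key=$WIFI_PSK"
}

configure_dumb_ap() {
  : "${WIFI_PSK:?set WIFI_PSK to the wireless passphrase}"
  # Management: the AP's only address lives on the MGMT VLAN and points at the firewall.
  add_bridge_vlan "$MGMT_VLAN"
  run uci set "network.lan.device=br-lan.$MGMT_VLAN"
  run uci set 'network.lan.proto=static'
  run uci set "network.lan.ipaddr=$AP_ADDR"
  run uci set 'network.lan.netmask=255.255.255.0'
  run uci set "network.lan.gateway=$FW_ADDR"
  run uci set "network.lan.dns=$FW_ADDR"
  # User VLANs pass through at layer 2; the AP has no address on them.
  add_bridge_vlan 10; add_l2_net lan1_net 10
  add_bridge_vlan 20; add_l2_net lan2_net 20
  add_ssid radio0 'LAN1-WiFi' lan1_net
  add_ssid radio1 'LAN2-WiFi' lan2_net
  # A dumb AP hands out no leases and filters nothing: OPNsense does both.
  run uci set 'dhcp.lan.ignore=1'
  for svc in dnsmasq odhcpd firewall; do
    run "/etc/init.d/$svc" disable
    run "/etc/init.d/$svc" stop
  done
  run uci commit
  run /etc/init.d/network restart
}
```

Run `DRY_RUN=1 WIFI_PSK=... sh -c '. ./dumb-ap.sh; configure_dumb_ap'` first to review the plan, then without `DRY_RUN` on the AP itself. Management is then over the network: SSH or LuCI at 192.168.99.2 from the MGMT subnet, which needs a pass rule on the OPNsense MGMT interface for that destination and nothing more. Keep a console session open during the first apply, since a wrong VLAN on the uplink locks you out until a failsafe reset; many devices also have a serial header, but that is device-specific and not covered here.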
#7
Quote from: Melroy vd Berg on December 09, 2024, 03:02:15 PM
Quote from: OPNenthu on December 07, 2024, 03:07:55 PM
On my system that auto-generated rule is only there for 'LAN'.  The other interfaces don't have it.

You're 100% correct indeed. The anti-lockout rule seems to be hard-coded in the code within the function:  filter_core_get_antilockout()

https://github.com/opnsense/core/blob/7373985f3b2b0344c1e2596bdbbb5b0870cadb57/src/etc/inc/filter.lib.inc#L113 (looking at this code, its unclear to me when this rule is actually created automatically and when not). My general understanding is that this anti-lockout rule will be applied to only the "LAN" interface (no matter how you rename it).

However you normally do NOT (never) want to have a management interface on a WAN interface. Only on one or more LAN ports.

The "Automatically generated rules" are actually generated for both LAN and WAN interfaces. However, I was confused myself by the default "sshlockout" rule being auto-generated  :-X. But this is of course to block access to the SSH secure shell and HTTP web management interface, which is the opposite of the anti-lockout rule of course :).

Long story short. Let's create our own dedicated management interface on OPNsense including an anti-lockout rule:


  • In Interfaces -> Assignments. I added the device (port) to the list. And press save.
  • Go to Interfaces -> [YOUR_INTERFACE]. Select "Enable interface" and select "Prevent interface removal". And maybe give it a better description, something like: "LAN_MANAGEMENT". Then I also set IPv4 Configuration Type to: Static IPv4. And down below under Static IPv6 configuration. I give the OPNsense firewall a static IPv4 address: 192.168.2.1, with 24 subnet mask (so not 192.168.1.1 in case you were using this already on another interface).
  • For ease of use, I also enabled DHCPv4 on this management interface. So go to: Services -> ISC DHCPv4 -> [LAN_MANAGEMENT] interface. Select "Enable DHCP server" on the LAN_MANAGEMENT interface. And I gave it a range from: 192.168.2.100 to: 192.168.2.199. And press Save.
  • In Firewall -> Aliases -> New alias. Name: "anti_lockout_ports". Type: "Port(s)". Content: 80 (enter), 443 (enter) and 22 (enter). Description: "Anti-lockout ports".
  • Finally, I go to Firewall -> Nat -> Port forward. In my case the anti-lockout rule was there already. If not, create a new rule -> Select the interface (eg. "LAN_MANAGEMENT"). Protocol: TCP. Destination: "LAN_MANAGEMENT address". Destination port select: "anti_lockout_ports" (our alias we created earlier). As Redirect target IP, I provided: 192.168.2.1 (the firewall static IP address I gave it in step 2.) Give it a description like: "Anti-Lockout Rule". And press Save.
  • And press "Apply changes".

If you are sure you have the correct firewall rule in place (see my steps above). You could optionally disable the default anti-lockout rule on the LAN interface, by going to: Firewall -> Settings -> Advanced -> "Disable anti-lockout" by checking "Disable administration anti-lockout rule". Which thus disables the default anti-lockout rule on the LAN interface like you mentioned before.

If I said something wrong, please let me know. I will update this post.

Thanks for the reply!

I followed your steps and they should work, but now my problem is that in my firewall logs, my MGMT device (192.168.99.100) is getting blocked when trying to access 192.168.1.1:443 (WebGUI). It is being caught by the 'Default Deny / state violation rule' which cannot be disabled on that interface, unless there is another way that I do not know. Any ideas on how to remedy this? Again, thanks for taking the time to answer my post!
#8
I am new to this forum, so the subject tag may not be correct and I was in a hurry when making this post!

I'm using OPNsense in a QEMU virtual machine with 3 interfaces. I would like to make the WebGUI only accessible from the MGMT interface, and also have the MGMT interface blocked from accessing the internet.

Here is a quick diagram I made to visualize my topology:
https://0x0.st/Xhb5.png

I have assigned address ranges to these interfaces, added an allow-all rule to the MGMT interface, and verified that I can access the internet and the WebGUI from the MGMT network. But when I change Settings > Administration > Listen Interfaces from "All" to "MGMT", I cannot access the WebGUI anymore from the MGMT interface. I am very new to OPNsense and am migrating from MikroTik so the new terminology and procedures are confusing me!

Any help would be greatly appreciated.