"
Just found another issue with OpnSense. I tried to workaround the issue, but creating another alias, using IP addresses. However, when editing the firewall rule, it insists on putting the previous alias (using domain names) first, then the 2nd alias using IP addresses second. I tried to remove the 1st, save/apply, then edit, adding back the other alias, but it keeps insisting on the "order" of creation on the alias (I tried renamed them, but that does not work. It's the order of creation I believe. There is no way that I can change the order). It appears I have to create another rule/
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
General Discussion / Re: Inconsistent firewall using alias hosts
February 28, 2025, 04:48:52 PM
I am not sure what you meant by that. This is a firewall rule blocking access, not the DNS (such as Unbound) override, so it's not DNS look up related. But that's just how I understand, not sure if it's correct.
#3
General Discussion / Re: Inconsistent firewall using alias hosts
February 28, 2025, 05:07:24 AM
More information, the site in question has many numeric IP addresses. I ping the IP address and it keeps giving me a different IP address (3 so far). Maybe it is hosted on a cloud.
The list of IP addresses for this particular site are shown in the diagnostic page of OPNSense. However, it still does not work. If I type in the IP address, versus the domain name in the web browser, it gets blocked. However, using the domain name, it works.
I am guessing OPNSense maybe having logical issue with this. Anyone mind showing where the code for this is located?
The list of IP addresses for this particular site are shown in the diagnostic page of OPNSense. However, it still does not work. If I type in the IP address, versus the domain name in the web browser, it gets blocked. However, using the domain name, it works.
I am guessing OPNSense maybe having logical issue with this. Anyone mind showing where the code for this is located?
#4
General Discussion / Inconsistent firewall using alias hosts
February 28, 2025, 05:01:08 AMFor a firewall alias, with about 20 different hosts (fully qualified domain name), and a rule blocking traffic using that alias as destination, I could not access each of the sites using a web browser.
But moment later, I was able to access 1 site. Clear cache, using different devices that never get into that site, different browser, etc., I was still able to access the site.
I looked under diagnostic, alias for the created alias, and the IP address for the particulate problematic site is shown in the list. (I obtained the IP address using an IP address look up web site).
Please help.
#5
General Discussion / Re: Need help with port forwarding setup
January 09, 2025, 12:43:13 AM
Good news! When flush the cache on the client with Netskope VPN, I am able to get to the server with or without "www" in front. This is with the overrides disabled.
When the overrides are enabled (I just made sure to have two overrides, with and without "www", versus using *), flushing the dns and pinging would timeout.
When the overrides are enabled (I just made sure to have two overrides, with and without "www", versus using *), flushing the dns and pinging would timeout.
#6
General Discussion / Re: Need help with port forwarding setup
January 09, 2025, 12:37:12 AM
[update]
When I add the override, a local machine cannot get to the server (ping says could not find the host ..., please check the name and try again).
With Netskope VPN, it does not work either. However, when I disabled/deleted the override, I was able to get to the server without "www" in front with Netskope VPN. It still does not work with www.<mysever...>.com
When I ping with the client that has Netskope VPN, it shows the external IP for for the host name without "www", and it shows the "local" IP for the host name with the "www".
Did I set up something wrong somewhere?
Let me try to flush the client DNS cache and see how it goes.
When I add the override, a local machine cannot get to the server (ping says could not find the host ..., please check the name and try again).
With Netskope VPN, it does not work either. However, when I disabled/deleted the override, I was able to get to the server without "www" in front with Netskope VPN. It still does not work with www.<mysever...>.com
When I ping with the client that has Netskope VPN, it shows the external IP for for the host name without "www", and it shows the "local" IP for the host name with the "www".
Did I set up something wrong somewhere?
Let me try to flush the client DNS cache and see how it goes.
#7
General Discussion / Re: Need help with port forwarding setup
January 08, 2025, 11:57:13 PM
Thank you. I had something like that before. I am doing it again, but with the flush DNS cache. I am not sure the correct way, but I checked the box for "Flush DNS Cache during reload" in General setting, Apply, and Restart the server. That didn't work though.
Locally, I still have this message:
"A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration"
And the SSL certificate is still the generated one from OPNSense.
Accessing via Netskope still does not work (site can't be reached). It still points to local address, not the external address.
Accessing via Phone's mobile network still works fine.
Locally, I still have this message:
"A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration"
And the SSL certificate is still the generated one from OPNSense.
Accessing via Netskope still does not work (site can't be reached). It still points to local address, not the external address.
Accessing via Phone's mobile network still works fine.
#8
General Discussion / Need help with port forwarding setup
January 08, 2025, 10:36:33 PM
For a local host port forwarding to be both accessible inside and outside, I have some issue.
If I use my mobile phone mobile network, I can access the server without issue, with correct SSL certificate.
This server has a certificate and using DDNS for domain name lookup.
However, things don't work from here.
1. From Interfaces->Diagnostics->Trace Route, the server host name return the local address (192.168.x.x), versus the external address.
2. From a local client machine, I pint the server, and I got domain name not found.
3. When I edit local client's network settings to use Google's DNS 8.8.8.8, I see the machine, but I got "rebinding DNS attack message", and the certificate is an OpnSense generated, not my host's certificate
4. I played with port forwarding reflection->enabled, or override, etc., without much success, either getting to see OpnSense WEB GUI config vs. my server, or re-binding attack notice, or not working (I enable OpnSense GUI only for LAN in the System settings).
5. Restarts does not help
6. When using Netskope VPN on one client machine, I tried to access the DMZ server, without success. When I ping it, it shows the "local" 192.168.x.x address instead. However, I was able to use the IP (numeric) address and see the site with security warning due to the SSL certificate issue.
If I change "hosts" file to use local address, everything would work. But this is not a good option (just for testing), because I don't have access to this file, such as android devices, etc.
The configuration is somewhat similar to PFSense. With PFSense, I managed to get "outside" to work property, but internal, I have to use the raw IP, which is fine.
Somehow with OPNSense, external network appears to work with mobile phone network, but not Netskope. PFSense works externally.
Thanks.
If I use my mobile phone mobile network, I can access the server without issue, with correct SSL certificate.
This server has a certificate and using DDNS for domain name lookup.
However, things don't work from here.
1. From Interfaces->Diagnostics->Trace Route, the server host name return the local address (192.168.x.x), versus the external address.
2. From a local client machine, I pint the server, and I got domain name not found.
3. When I edit local client's network settings to use Google's DNS 8.8.8.8, I see the machine, but I got "rebinding DNS attack message", and the certificate is an OpnSense generated, not my host's certificate
4. I played with port forwarding reflection->enabled, or override, etc., without much success, either getting to see OpnSense WEB GUI config vs. my server, or re-binding attack notice, or not working (I enable OpnSense GUI only for LAN in the System settings).
5. Restarts does not help
6. When using Netskope VPN on one client machine, I tried to access the DMZ server, without success. When I ping it, it shows the "local" 192.168.x.x address instead. However, I was able to use the IP (numeric) address and see the site with security warning due to the SSL certificate issue.
If I change "hosts" file to use local address, everything would work. But this is not a good option (just for testing), because I don't have access to this file, such as android devices, etc.
The configuration is somewhat similar to PFSense. With PFSense, I managed to get "outside" to work property, but internal, I have to use the raw IP, which is fine.
Somehow with OPNSense, external network appears to work with mobile phone network, but not Netskope. PFSense works externally.
Thanks.
#9
General Discussion / Re: OPNSense startup issue with USB drive and fix
January 06, 2025, 06:59:04 AM
I can confirm that once I log in and get into Shell, appending the /boot/loader.conf file as mentioned above works when restarted. This is mentioned here.
https://forums.freebsd.org/threads/booting-from-usb-error-19.57429/#post-327585
So, I stumbled on the first boot after installation, and using "?" command to find out various partitions, and using it to manually enter: ufs:/dev/<partition name>
helps moving forward.
https://forums.freebsd.org/threads/booting-from-usb-error-19.57429/#post-327585
So, I stumbled on the first boot after installation, and using "?" command to find out various partitions, and using it to manually enter: ufs:/dev/<partition name>
helps moving forward.
#10
General Discussion / OPNSense startup issue with USB drive and fix
January 06, 2025, 04:37:56 AMAfter successful installation, I got the following error when rebooted:
Code Select
Mounting from ufs:/dev/da1p2 failed with error 19.
Loader variables:
vfs.root.mountfrom=ufs:/dev/da1p2
Manual root filesystem specification:
<fstype>:<device> [options]
Mount <device> using filesystem <fstype>
and with the specified (optional) option list.
eg. ufs:/dev/da0s1a
zfs:zroot/ROOT/default
cd9660:/dev/cd0 ro
(which is equivalent to: mount -t cd9660 -o ro /dev/cd0 /)
? List valid disk boot devices
. Yield 1 second (for background tasks)
<empty line> Abort manual input
I typed in ? and press enter, the following (among many others) are shown:
ada0p2
ada0p1
ada0
da0p2
da0p1
da0
I typed in: ufs:/dev/da0p2 and press enter and it started up.
It would be nice if this is fixed so I don't have to do this. I am not sure if adding to /boot/loader.conf would work, but I can give it a try.
vfs.root.mountfrom="ufs:/dev/da0p2"
This does not happen with PfSense, but I would like to move my devices to OPNSense.
Pages1
