Messages - foss-johnny

#1
Quote from: meyergru on November 12, 2025, 01:52:43 AM
Do you actually see blocked websites or are these just random log entries? One that you posted is from Google and it has a FIN-ACK state.

Therefore, potentially, you see artifacts from QUIC traffic - I see those, too.

You can test if you allow HTTP3/QUIC traffic and see if the test triggers those log entries. Wait a bit, it may be that the TCP stream must be closed to cause a log entry.

Thanks for your suggestion. I was able to browse to the cloudflare page without issues. Looking in the live view log, I don't see a blocked entry for it either.

It's predominantly TCP 443, but I have noticed other ports too: 5223 and 6159.

I haven't put my finger on anything that is not working that I can consistently use as a test. Everything seems to be working.

I'm seeing the blocked traffic originate from multiple different clients.

#2
Just checked the details of the log file, and can see it's for protocol 6, which is IPv6.

I added in a specific interface rule for IPv6, however I'm still seeing traffic being blocked in the Live Logs.

Do I need to setup IPv6 somewhere else as well?

What's strange is that the source address is in IPv4 format, not IPv6.

#3
Quote from: Patrick M. Hausen on November 11, 2025, 10:08:53 PM
Click on the details for one of those blocking incidents and post them.

The most common cause of unexpected "default deny" is asymmetric routing. So a diagram of your network would also be helpful.

Here's a basic network diagram:

#4
Quote from: Patrick M. Hausen on November 11, 2025, 10:30:11 PM
Please attach here. I categorically block so called "image hosting services".
#5
Hi,

I'm looking in the Live Firewall logs for my LAN interface, and I can see that the default deny rule is periodically blocking 443 traffic, even though my firewall policy for that interface has a rule that allows all ports and protocols.

How can I track down what is causing this?
Is there a way to run a debug trace, and see what object in OPNsense is triggering this and determine why it's not being allowed out based on the interface rule?

Most tcp 443 traffic is being allowed, just randomly some of it is being blocked. It's also happening on other ports too, not just tcp 443.

Thanks!
#6
Just wondering if OPNsense can run a SOCKS5 proxy server and then route the received traffic to a specific outbound route?

Any guidance on how to configure this would be very much appreciated.

Thanks!
#7
Quote from: Patrick M. Hausen on August 20, 2025, 12:03:02 PM
Different OpenSSL versions.

Indeed, macOS is running 3.5.1.1 and OPNsense is running 3.0.17.

Will try that shortly. Thanks!
#8
Quote from: Patrick M. Hausen on August 20, 2025, 10:34:36 AM
Quote from: foss-johnny on August 20, 2025, 04:36:51 AM
If you create a client certificate on opnsense and sign it against the opnsense internal CA, and select Key Location > "Download and do not save". Is there a way to apply an encrypted password to the file before it's saved?

If you pick "Save on this firewall" instead and after issuing the certificate click on the download button to the right, you can pick PKCS#12 and enter a password.

If you want to only download it right away you need to apply encryption after the fact with e.g. openssl.

Next issue - I created the client certificate and selected "Save on this firewall", however...

After generating a client certificate within OPNsense that's signed against the OPNsense CA, and downloading the PKCS12 file and setting a simple password such as "password", when I try to open that on a client computer (macOS) it prompts for the password, but won't accept the password. Even if I download the PKCS12 file without setting a password, it prompts for the password, and when entering nothing, it won't accept and import to Keychain.
#9
Quote from: Patrick M. Hausen on August 19, 2025, 01:10:01 PM
Quote from: foss-johnny on August 19, 2025, 12:56:47 PM
I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?

Correct.

If you create a client certificate on opnsense and sign it against the opnsense internal CA, and select Key Location > "Download and do not save". Is there a way to apply an encrypted password to the file before it's saved?
#10
I see, so the private key is created on the client, then the CSR is created from the private key, the CSR is signed by the OPNsense CA and then I can download the certificate, create the PKCS#12 file from the certificate and the private key on the client via openssl.

Thanks for clearing that up Patrick!

I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?
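The client-side workflow summarised in #10 (key and CSR on the client, CSR signed by the CA, PKCS#12 assembled locally with openssl), together with the password check behind #8, as an added example that is not from this thread or the OPNsense project. A throwaway self-signed CA is constructed here to stand in for the OPNsense internal CA; in practice the CSR is submitted to OPNsense and only the issued certificate comes back. The subject name, friendly name and the sample password "password" are constructed values.

```shell
#!/bin/sh
# Added example: reproduce the CSR -> signed cert -> PKCS#12 workflow with
# plain openssl. The "stub CA" below is an assumption standing in for the
# OPNsense internal CA; everything else runs on the client.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-password}"   # constructed sample password

# Step 1: private key and CSR are generated on the client; the key never leaves it.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=client.example.test" 2>/dev/null
}

# Stand-in for the OPNsense CA (assumption: a local self-signed CA).
make_stub_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Stub CA" 2>/dev/null
}

# Step 2: the CA signs the CSR; the client receives only client.crt.
sign_csr() {
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# Step 3: bundle certificate, CA chain and private key into a PKCS#12 file
# protected by P12_PASS. This is the step that does not need the firewall.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -name "client" \
        -out "$WORK/client.p12" -passout "pass:$P12_PASS"
}

# Check 1: the bundle opens with the password, and the key inside belongs to
# the certificate inside (public keys must be identical).
verify_p12() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" \
        -nodes -nocerts -out "$WORK/rt.key" 2>/dev/null
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys -out "$WORK/rt.crt" 2>/dev/null
    key_pub=$(openssl pkey -in "$WORK/rt.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORK/rt.crt" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Check 2: a wrong password must fail the MAC check, not yield an empty file.
reject_wrong_password() {
    ! openssl pkcs12 -in "$WORK/client.p12" -passin "pass:not-the-password" \
        -nodes -out /dev/null 2>/dev/null
}

# Run the whole chain; returns non-zero if any step or check fails.
build_and_verify() {
    make_client_csr && make_stub_ca && sign_csr && make_p12 \
        && verify_p12 && reject_wrong_password
}
```

Relevant to the version mismatch raised in #7: OpenSSL 3 changed the `pkcs12 -export` defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC, while older importers only understand the previous RC2/3DES encoding with a SHA-1 MAC. If an importer rejects a bundle produced with the defaults, re-exporting with `openssl pkcs12 -export -legacy` (which loads the legacy provider) produces the old encoding; the example leaves the defaults in place so the round-trip checks run on any OpenSSL build.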
#11
Thanks Patrick, so if I import the certificate to the client, I'm guessing I can export the PKCS#12 file from the client that issued the CSR.

Thanks for confirming. AI LLMs were telling me to export it from the OPNsense firewall; I guess they're still not that good after all!
#12
Hi - I've provided a CSR and signed a certificate against the opnsense internal CA.

I would like to download the PKCS#12 file format file, however after clicking on download, nothing happens.

I've tried different browsers and computers, rebooted the firewall, but it just doesn't provide a prompt to save the file.

Same issue occurs when trying to download the private key.

Downloading the "Certificate" does work! But I need the private key :)

Any ideas why it's not working?

Cheers!
#13
Hi OPNsense community!

The Live Log view (Firewall > Log Files > Live View) is great! It allows you to filter easily and find what traffic is passing through the firewall easily.

I'm wondering if there is a similar view that can be used to filter the firewalls historical logs (syslogs)?

Any advice would be great!

Thanks!

#14
I've configured Mullvad via Wireguard and am using a PPPoE WAN connection.

I have it working, but find that when a client is connecting to various internet webpages, it takes more time to load, and some of the content or functionality does not work.

E.g. Speedtest.net doesn't find the optimal server, and is extremely slow to start the test.

I've installed wireshark on my client computer and can see a fair amount of TCP retransmission messages in the traffic.

I get the sense that this is related to MTU/MSS, but I've changed it to different settings and can't seem to get it working properly.

My WireGuard instance MTU is 1412, the WAN PPPoE MTU is default (1500) but I think opnsense reduces it automatically to 1492, I have Normalization rule set to Max Mss 1352.

Would appreciate some help to determine what's causing this?
#15
I've got a squid forwarding proxy running on my LAN interface (gateway IP) on default port 3128.

What firewall/NAT rule settings must be configured to route Squid's outbound traffic via a different WAN interface?

For example:

1. Can I create a firewall rule that filters traffic sent to the squid destination service port 3128, and then NAT that to a different WAN interface default gateway?

Or

2. Run squid proxy on a LAN sub-interface (unique IP), and then create a firewall rule that specifies that any traffic originating from the sub-interface address routes via a different WAN interface gateway?

Cheers!