Messages - foss-johnny

#1
Quote from: Monviech (Cedrik) on February 26, 2026, 02:46:50 PM
You can use the external IP address of the OPNsense, split DNS is not necessary.

Would a reflection or hairpin NAT be needed so that various internal LAN subnet clients can connect back to the external IP address?
#2
Bump.

Any advice would be appreciated.

I was thinking to perhaps create a new VLAN and use VIPs for any service hosted on the OPNsense itself.

Is this the right design approach or should a different design be used?
#3
Hi all,

If I have multiple LAN subnets, and I want my clients in each subnet to be able to resolve/route to NGINX running on OPNsense, and then NGINX forwards to a server IP running in a DMZ subnet, what is the correct way to configure the DNS?

Do you set up a single Unbound DNS override entry to point to a single LAN gateway that you designate for NGINX, or do you somehow set up each LAN to have the DNS name of the server resolve to their respective LAN gateway interfaces?

#4
Quote from: meyergru on November 12, 2025, 01:52:43 AM
Do you actually see blocked websites or are these just random log entries? One that you posted is from Google and it has a FIN-ACK state.

Therefore, potentially, you see artifacts from QUIC traffic - I see those, too.

You can test if you allow HTTP3/QUIC traffic and see if the test triggers those log entries. Wait a bit, it may be that the TCP stream must be closed to cause a log entry.

Thanks for your suggestion. I was able to browse to the Cloudflare page without issues. Looking in the live view log, I don't see a blocked entry for it either.

It's predominantly tcp 443, but I have noticed other ports too: 5223 and 6159.

I haven't put my finger on anything that is not working that I can consistently use as a test. Everything seems to be working.

I'm seeing the blocked traffic originate from multiple different clients.

#5
Just checked the details of the log file, and can see it's for protocol 6, which is IPv6.

I added in a specific interface rule for IPv6, however I'm still seeing traffic being blocked in the Live Logs.

Do I need to set up IPv6 somewhere else as well?

What's strange is that the source address is in IPv4 format, not IPv6.

#6
Quote from: Patrick M. Hausen on November 11, 2025, 10:08:53 PM
Click on the details for one of those blocking incidents and post them.

The most common cause of unexpected "default deny" is asymmetric routing. So a diagram of your network would also be helpful.

Here's a basic network diagram:

#7
Quote from: Patrick M. Hausen on November 11, 2025, 10:30:11 PM
Please attach here. I categorically block so called "image hosting services".
#8
Hi,

I'm looking in the Live Firewall logs for my LAN interface, and I can see that the default deny rule is periodically blocking 443 traffic, even though my firewall policy for that interface has a rule that allows all ports and protocols.

How can I track down what is causing this?
Is there a way to run a debug trace, and see what object in OPNsense is triggering this and determine why it's not being allowed out based on the interface rule?

Most tcp 443 traffic is being allowed, just randomly some of it is being blocked. It's also happening on other ports too, not just tcp 443.

Thanks!
#9
Just wondering if OPNsense can run a SOCKS5 proxy server and then route the received traffic to a specific outbound route?

Any guidance would on how to configure would be very much appreciated.

Thanks!
#10
Quote from: Patrick M. Hausen on August 20, 2025, 12:03:02 PM
Different OpenSSL versions.

Indeed, macOS is running 3.5.1.1 and OPNsense is running 3.0.17.

Will try that shortly. Thanks!
#11
Quote from: Patrick M. Hausen on August 20, 2025, 10:34:36 AM
Quote from: foss-johnny on August 20, 2025, 04:36:51 AM
If you create a client certificate on OPNsense and sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?

If you pick "Save on this firewall" instead and after issuing the certificate click on the download button to the right, you can pick PKCS#12 and enter a password.

If you want to only download it right away you need to apply encryption after the fact with e.g. openssl.

Next issue - I created the client certificate and selected "Save on this firewall", however...

After generating a client certificate within OPNsense that's signed against the OPNsense CA, and downloading the PKCS12 file and setting a simple password such as "password", when I try to open that on a client computer (macOS) it prompts for the password, but won't accept the password. Even if I download the PKCS12 file without setting a password, it prompts for the password, and when entering nothing, it won't accept and import to Keychain.
#12
Quote from: Patrick M. Hausen on August 19, 2025, 01:10:01 PM
Quote from: foss-johnny on August 19, 2025, 12:56:47 PM
I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?

Correct.

If you create a client certificate on OPNsense and sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?
#13
I see, so the private key is created on the client, then the CSR is created from the private key, the CSR is signed by the OPNsense CA and then I can download the certificate, create the PKCS#12 file from the certificate and the private key on the client via openssl.

Thanks for clearing that up Patrick!

I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?
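The client-side steps summarised in #13, as an added example that is not from the thread or from OPNsense itself: it assumes a throwaway self-signed test CA standing in for the OPNsense internal CA (the real signing step happens in the OPNsense GUI), and its "compat" export mode uses the older PBE and MAC algorithms that importers built on older OpenSSL versions accept, which is the kind of version mismatch raised in #10 and #11.

```shell
#!/bin/sh
# Added example, not OPNsense code. Private key and CSR are made on the
# client; only the CSR is submitted for signing; the PKCS#12 is built locally.
set -eu
WORK="$(mktemp -d)"   # temporary working directory, not cleaned up automatically

# 1. Client-side private key and CSR (the CSR is what gets pasted into OPNsense).
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=client1" -out "$WORK/client.csr"
}

# 2. Assumption: a locally generated test CA stands in for the OPNsense internal CA.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# 3. Bundle certificate + key into a password-protected PKCS#12 on the client.
#    MODE "default" keeps OpenSSL's current defaults (PBES2/AES-256-CBC, PBKDF2);
#    MODE "compat" forces SHA1/3DES PBE and a SHA1 MAC for importers that reject
#    the newer encoding. Prints the path of the bundle it wrote.
make_p12() {
  MODE="$1"; PASS="$2"; OUT="$WORK/client-$MODE.p12"
  if [ "$MODE" = "compat" ]; then
    EXTRA="-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1"
  else
    EXTRA=""
  fi
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.crt" -name "client1" -passout "pass:$PASS" $EXTRA -out "$OUT"
  echo "$OUT"
}

# Returns 0 only when PASS passes the bundle's MAC check, which is the same
# check an importer performs before it will accept the file.
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}
```

Run `make_key_and_csr`, `sign_with_test_ca`, then `make_p12 compat 'password'` and verify the result with `check_p12` before importing it elsewhere.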
#14
Thanks Patrick, so if I import the certificate to the client, I'm guessing I can export the PKCS#12 file from the client that issued the CSR.

Thanks for confirming. AI LLMs were telling me to export it from the OPNsense firewall, I guess they're still not that good after all!
#15
Hi - I've provided a CSR and signed a certificate against the OPNsense internal CA.

I would like to download the PKCS#12 format file, however after clicking on download, nothing happens.

I've tried different browsers and computers, rebooted the firewall, but it just doesn't provide a prompt to save the file.

Same issue occurs when trying to download the private key.

Downloading the "Certificate" does work! But I need the private key :)

Any ideas why it's not working?

Cheers!