Messages

OK, thank you for your advice. I'll give it another try.

Hi PMHausen,

Thank you for replying...

No PPPoE, Comcast provider 1gb dn/40mb up. DHCP to Netgear CM1200 modem. AX88U wifi router. I'm trying to drop the transparent firewall between the Netgear modem and AX88U router. My appliance is DELL SFF pc, SSD, 2x add-in NICs totalling 4 eth (eventually want to link-agg). OPNsense 21.1 installed on SSD.

Currently have IP-SEC firewall script running on router, but it just can't keep up at 1gb.

Recommendations? TIA

I tried this several years ago following the Wiki official instructions without success. Searching the forum for updated information I find others are having the same issue still, some posts from as far back as 2018 asking for guidance without replies.

Does transparent firewall work? If so, is there a clear set of instructions on how to successfully set it up? I followed the Wiki again yesterday without success. https://docs.opnsense.org/manual/how-tos/transparent_bridge.html There are some bloggers with slightly different instructions, tried a couple, still no success.

My goal is set up an OPNsense appliance between the modem and wifi router in home env for IPS/IDS. TIA

What would be nice is when the info windows pops up there is a button to create an allow firewall rule

I miss this functionality... hope it finds its way back into production.

Re Search field - it would be nice to have some examples in an advanced help button like some of the other fields...

Yes. This setup works for me and only takes about 30 seconds to put in place. It will block casual attempts. TOR gets past it easily.

The down side is this blocks for all users 100% of the time. I don't see a way to selectively block users or set a block schedule.

I have tried to block youtube for a while now and was unsuccessful because Youtube is now part of Google. Blocking Youtube has resulted in blocking access to Google services. It is important for me to allow use of Google services, i.e. docs, so I haven't been able to selectively block Youtube until now.

This seems to have worked for me. Youtube is not accessible but Google Docs are. Does anyone foresee an issue with the following approach?

Services >> Unbound DNS >> Overrides.

"+" to Add New

Domain:  www.youtube.com
IP Address: 127.0.0.1
Desc: Youtube Block

Save

I have tried to get around it by going to www.youtube.de and it is still blocked. I haven't tried facebook or twitter, but they seem to be other sites people frequently want to block.

Is there a way to make this subject to a schedule? TIA

Not sure what's up then. I litterally did this 2 days ago... wrote the VGA img to a usb with USB Image Tool, then booted to the 'live' installation, then typed in user "installer" password "opnsense" at the log-in prompt and followed the prompts and it installed.

From the Wiki:

Nano Image

If you have used a Nano image, your system is already up and running as it is designed as such. It is set to read-write attempting to minimise write cycles by mounting relevant partitions as memory file systems. If you should require an installer anyway, log in as user "root", select option 8 from the menu and type "opnsense-installer". The "opnsense-importer" can be run this way as well should you require to run the import again.

Create a bootable USB flash drive with the downloaded and unpacked img file. Configure your system to boot from USB.

Installation Steps

The installation process involves a few simple steps.

Note

To invoke the installer login with user installer and password opnsense

Link: https://wiki.opnsense.org/manual/install.html

He does not write a bootloader for Iso

Oh, in that case, you install it as usual...

Let it boot the live cd.

At the logon prompt, instead of typing 'root' user, type 'installer' user, then 'opnsense' as the password. It will install to the HD.

They changed the installation process a couple of revs back.

I just did this yesterday...


USB Image Tool for windows.

here: http://www.alexpage.de/usb-image-tool/download/

In my upgrade from 17.1.12_1 to 18.1.1 I used a backup config file to reinstall my settings. In those settings I had the Snort/VRT rules tagged and had my ID and rules version file input.

On inspection, I noted the packages for Snort VRT and PT Research rulesets were not checked in the packages. Checking the IDS rules, they were not present.

After installing the packages my Snort user ID and rules file version were present. I was able to download and install those rules.

It looks like restoring a prior config is not capturing the all of the installed packages.

Version 18.1.2 is showing up in the firmware upgrade list, but it is not 'available' for update as yet. Maybe that's the confusion. It will most likely be tagged for update later this afternoon.

The patch resolved the issue for me. Here's what I did:

On 17.7.12_1
Saved Config 1 with OpenVPN disabled
Saved Config 2 with OpenVPN enabled
Fresh install 18.1 over 17.7.12_1
Restored Config 1
Firmware Update, installed 18.1.1
Ran Patch above
Reboot
Restored Config 2
Checked ipLeak, other sites, installation performing as expected.

Thank you! Will continue to monitor as it has only been running about 15 minutes.

Hi Franco,

Thank you for the reply! No worries, just checking on the .13 update. I'll spend a little time over the weekend and follow your recommendations.
Can't thank you and the team enough for what you do.

Is the update from .12_1 to .13 as noted in the version messages still in the works? I reverted to 17.7.12 until I can sort out the issue I've had with OpenVPN.

BTW - thank you for all the hard work OpnSense team, it is appreciated and it is recognized that there's bound to be hic-ups in major version transitions. TIA

Be sure the DNS is configured properly too.
https://imgur.com/a/Bi4Wp

Thank you! Will check this. Might be the issue.