Messages

1

19.1 Production Series / Enhancement Req - Enhance GUI logging for Service Failures

« on: February 28, 2019, 03:47:03 pm »

I upgraded to the latest Prod version of OPNsense yesterday, and Squid no longer started. Squid logs were completely blank, so I had to resort to starting squid via console, which showed the error. It was unhappy with a nobump entry. I see that under System->Log File->General, we do have logs for the services, however it doesn't provide detail on the error and I had to resort to attempting to start the service via console. Can we enhance the GUI logging to include the detailed errors for a failure. Below I show the difference in logs from GUI and manually starting the Service:

Logs from GUI:

Code: [Select]

Feb 28 09:30:07 root: /usr/local/etc/rc.d/squid: WARNING: failed to start squid
Feb 28 09:30:07 squid: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
Logs from console:

Code: [Select]

root@OPNsense:/var/log # service squid start
Starting squid.
2019/02/28 09:30:07| ERROR: '.site.com' is a subdomain of 'site.com'
2019/02/28 09:30:07| ERROR: You need to remove '.site.com' from the ACL named 'bump_nobumpsites'
FATAL: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
Squid Cache (Version 3.5.28): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.013 user + 0.007 sys
Maximum Resident Size: 67200 KB
Page faults with physical i/o: 0
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log #

Thanks!

2

18.7 Legacy Series / Re: [EnhancementRequest] Web Proxy SSL NoBump sites and Bypass proxy

« on: November 29, 2018, 06:20:48 pm »

ATM it only works best when you have a large text file managing all domains separated by comma so you can just paste it.

Thanks, I guess I can make do with that method for now. I'd still like to see my enh for groups for organization reasons though. But that brings up another issue I had forgotten about: Different NoBump lists for different source Subnets/VLANs. There is no option to accomplish this, so I added it to my original post.

Regarding "no-proxy" you'd need a nat exception not to push it to proxy.

Yes, I am using a No RDR (aka Do not Nat) rule for now to prevent Nat of the specific device/destination, but as I don't allow anything to Internet by default on my 4 server and DMZ VLANs, it actually requires a minimum of 2 rules: 1 for No RDR and 1 for firewall allow (No RDR doesn't have the option for auto-FW rule). Then for Destinations I want to prevent Proxy on for multiple VLANs, it requires a No RDR rule for each VLAN.

So it gets very messy very fast, so you can see why it would be far better to have it managed in one location with one setting. Less mess equates to better security because there's far less likelihood for it to get done wrong when removing or changing things.

3

18.7 Legacy Series / [EnhancementRequest] Web Proxy SSL NoBump sites and Bypass proxy

« on: November 28, 2018, 11:38:46 pm »

1) For the SSL Nobump sites list, if you have a deployment of any size, this list can quickly become un-manageable with the current implementation the site list. I would like to see something like the firewall Aliases for these where I can create multiple Groups with lists of sites not to bump. For example, I would create a list of Banks, UserApplications, InternalSites, etc.

2) For the SSL Nobump, as well as the Groups suggested above, allow import/export of the list, with sites separated by a newline for the import/export.

3) I would also like to request No-Proxy settings for specific SourceIPs or DestinationIPs or URLs. For example, say I want a site not to be proxied, or a host server not to be proxied, or a destination IP range not to be proxied. Currently this is difficult and must be managed by creating NAT rules which have limitations and don't cover all 3 options above. These would also need a per-Subnet/Interface setting, with the ability to select multiple Subnets/Interfaces.

4) Separate NoBump lists for separate source Subnets/Interfaces which are using the proxy, or alternatively support multiple proxy processes so we can have fully separate proxy configurations for each Subnet/Interface.

Note that #1 is by far the more pressing need.

Thanks!

4

18.7 Legacy Series / Re: Version 18.7.8 went down

« on: November 27, 2018, 10:55:28 pm »

Maybe this will help: https://forum.opnsense.org/index.php?topic=7747.0

5

18.7 Legacy Series / Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix

« on: November 16, 2018, 09:16:19 pm »

Ok, another SSL issue with Squid. This one looks like Squid doesn't like something about the Server Hello. Not browser specific. The site is prosper.com

It seems obvious that it's an unknown cipher, but here we see the client hello having the same cipher, ID 0xcca8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

See attachment.

Message is below

Code: [Select]

The following error was encountered while trying to retrieve the URL: https://104.16.112.58/*

Failed to establish a secure connection to 104.16.112.58

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned

6

18.7 Legacy Series / Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix

« on: November 07, 2018, 01:01:24 am »

I assume you meant from OPNsense? If so, here's the result. So on a whim I also tried IE and FireFox; seems to only be Chrome which has this issue.

Code: [Select]

root@OPNsense:~ # curl https://www.youtube.com/ -vkI
*   Trying 172.217.164.46...
* TCP_NODELAY set
* Connected to www.youtube.com (172.217.164.46) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
*  start date: Oct 23 16:54:00 2018 GMT
*  expire date: Jan 15 16:54:00 2019 GMT
*  issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6499fa8d000)
> HEAD / HTTP/2
> Host: www.youtube.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< expires: Tue, 27 Apr 1971 19:44:06 EST
expires: Tue, 27 Apr 1971 19:44:06 EST
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< x-content-type-options: nosniff
x-content-type-options: nosniff
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
< p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
< cache-control: no-cache
cache-control: no-cache
< x-xss-protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
x-xss-protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
< date: Tue, 06 Nov 2018 23:48:22 GMT
date: Tue, 06 Nov 2018 23:48:22 GMT
< server: YouTube Frontend Proxy
server: YouTube Frontend Proxy
< set-cookie: VISITOR_INFO1_LIVE=gjFq7WYssGA; path=/; domain=.youtube.com; expires=Sun, 05-May-2019 23:48:21 GMT; httponly
set-cookie: VISITOR_INFO1_LIVE=gjFq7WYssGA; path=/; domain=.youtube.com; expires=Sun, 05-May-2019 23:48:21 GMT; httponly
< set-cookie: YSC=zLHS8Ul1c_4; path=/; domain=.youtube.com; httponly
set-cookie: YSC=zLHS8Ul1c_4; path=/; domain=.youtube.com; httponly
< set-cookie: GPS=1; path=/; domain=.youtube.com; expires=Wed, 07-Nov-2018 00:18:21 GMT
set-cookie: GPS=1; path=/; domain=.youtube.com; expires=Wed, 07-Nov-2018 00:18:21 GMT
< alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
< accept-ranges: none
accept-ranges: none
< vary: Accept-Encoding
vary: Accept-Encoding

<
* Connection #0 to host www.youtube.com left intact
root@OPNsense:~ #


7

18.7 Legacy Series / Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix

« on: November 06, 2018, 06:18:08 pm »

I have a 2nd outbound proxy that all web browsing traffic passes through, but it isn't set to do SSL scanning so shouldn't be messing with the SSL connection - and again this works with most sites.

I tried bypassing the 2nd outbound proxy and get a similar but different result, again, only on specific sites like youtube:

Code: [Select]

The following error was encountered while trying to retrieve the URL: https://172.217.3.238/*

Failed to establish a secure connection to 172.217.3.238

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

8

18.7 Legacy Series / Re: 18.7.6 - Edited Alias Port Range seems not to be applied to the firewall

« on: November 06, 2018, 02:13:01 am »

I have the same issue. If I edit an alias (ports or Hosts), the changes do not take effect until I edit and save a firewall rule so I get the Apply Settings button and click it. Once clicked, the firewall applies the settings.

9

18.7 Legacy Series / Squid Error on some SSL Sites, possibly need Squid upgraded to fix

« on: November 06, 2018, 01:19:48 am »

Here's the error I am getting on certain sites like Youtube:

Code: [Select]

The following error was encountered while trying to retrieve the URL: https://www.youtube.com/*

Failed to establish a secure connection to 64.233.185.93

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=us/L=Nowhere/O=TG/CN=TG Proxy CA/emailAddress=##@##.com

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
I have attempted to add the site to the SSL no bump sites as well as setting the site in the Whitelist to no avail. Google search has stated the fix to this is upgrading Squid: https://serverfault.com/questions/867380/squid-configured-for-ssl-chokes-on-some-sites

Any recommendations?

10

18.7 Legacy Series / Re: Packet capture on all interfaces

« on: November 03, 2018, 02:08:42 pm »

Deal.

https://github.com/opnsense/core/issues/2871

11

18.7 Legacy Series / Re: Packet capture on all interfaces

« on: November 02, 2018, 04:52:44 pm »

Example of NetScaler (now called ADC) trace extra details in a packet capture which make life far easier when tracing a device with multiple interfaces and VLANs, especially when you add the NIC, VLAN, and Operation (rx/tx) items as columns.

12

18.7 Legacy Series / Re: Packet capture on all interfaces

« on: November 02, 2018, 04:17:41 pm »

Well, I resorted to using TCPdump, which worked and I fixed my asynchronous route.

Def. would like to see the ability to capture all Interfaces in the GUI in the future, as well as capturing in the NetScaler format for easier parsing of what came in and went out on what Interface/VLAN.

13

18.7 Legacy Series / Re: Routing problems between none NAT LAN and WAN

« on: November 01, 2018, 09:51:49 pm »

You can't use an out-of-scope Gateway. Gateways have to be within the subnet they are routing for, so the /32 is wrong.

14

18.7 Legacy Series / Packet capture on all interfaces

« on: November 01, 2018, 07:55:21 pm »

Is there any way to capture packets on OPNsense for multiple interfaces simultaneously, rather than resorting to command line?

TCPdump can select multiple interfaces, but why can we not select multiple interfaces when taking a trace? I'm troubleshooting an issue where I apparently have asynchronous routing on one subnet and it would be far more helpful to capture the two interfaces I suspect rather than one which misses half the data I'm looking for.

EDIT: Also, how do I know if the traffic I'm seeing is the traffic ingress or egress for the VLAN captured?

NetScaler has a cool packet capture format which lets you see the VLAN it came in/went out on, if the packet was Rx or Tx, and more. Sure makes reading their traces easier compared to other network devices.

EDIT 2: What? I attempted to capture VLAN 1 and VLAN 99, simultaneously, using 2 tabs. The traces are identical. Did it lose the 1st capture when I tried to start the 2nd? If so, how do I capture these two interfaces at the same time? Do I have to resort to CLI? If so, please consider this my feature request.

15

18.7 Legacy Series / Re: [SOLVED] Disabling Outbound NAT has no effect

« on: October 31, 2018, 02:51:35 am »

LOL nevermind. I figured out my problem as soon as I posted this.

Web Proxying occurs before outbound NAT, and the test subnet was set to use the proxy.