Messages - xayide

#1
Hardware and Performance / Re: OpenVPN Kernel module
January 05, 2020, 10:30:38 AM
Ah sorry. Total short circuit over here ;)

Of course someone needs to port it to *BSD first. This question should be directed at the forums of *BSD. But I guess when and if the Linux module is released, the work on *BSD should be fairly easy, since OpenVPN has already been restructured to accommodate the kernel module, which is the largest part according to discussions earlier on the internet.
#2
Hardware and Performance / OpenVPN Kernel module
January 04, 2020, 08:58:16 PM
Will this kernel module be implemented in OPNsense?

https://openvpn.net/openvpn-hackathon-2019/

#3
I have a LAN subnet of 10.0.0.1/24 and it seems to collide with 10.129.0.0/16, which is the transfer network of the VPN from the VPN provider before it reaches the internet. When looking in the firewall log, it thinks the stuff coming in from OpenVPN on 10.129.*.* is coming in on LAN. Any ideas?

Here is status of routes...
ipv4   10.0.0.1   link#1   UHS   0   16384   lo0       
ipv4   10.129.0.0/16   10.129.0.1   UGS   0   1500   ovpnc2   OVPN_DHCP   
ipv4   10.129.0.1   link#9   UH   0   1500   ovpnc2   OVPN_DHCP   
ipv4   10.129.113.134   link#9   UHS   0   16384   lo0       

And here is an example log of an incoming connection from the internet via OpenVPN
lan   Feb 1 21:16:34   31.11.121.72:55093   10.0.0.20:6112   tcp   let out anything from firewall host itself
#4
Is it possible to somehow specify options not visible in the GUI?
Like this...

https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients


Split-DNS can be implemented for iOS 10.3.1 and newer with the INTERNAL_DNS_DOMAIN attribute and the INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes.
Support for MAC OSX isn't known at the moment.
For older versions, all traffic has to be tunneled (full-tunnel).
However, the latter doesn't work for any application, because none honor scoped DNS servers. A magic number for the INTERNAL_DNS_DOMAIN has been assigned by IANA and is supported by iOS 10.3.1 and newer.
Alternatively, the DNS domains can be supplied in the client configuration.

Assigning DNS servers without full-tunnel can only be achieved by sending an INTERNAL_DNS_DOMAIN to the responder (for iOS 10.3.1 and newer) or
by supplying it in the client configuration.
#5
17.7 Legacy Series / Re: Unbound - DNS via TLS?
January 04, 2018, 05:26:18 PM
What happened to this, does it work yet?
#6
Is it possible to block all connections LAN to WAN and only allow from LAN to VPN for certain LAN-ip-clients?
#7
16.7 Legacy Series / Re: Schedules not working
December 28, 2016, 09:12:26 PM
Aha, OK, thanks. Got it working. Seems it doesn't disable the job, just the rule is omitted if time is out.
#8
16.7 Legacy Series / Re: Schedules not working
December 28, 2016, 05:34:51 PM
Would be nice if one could enable/disable rule by crond job.
#9
16.7 Legacy Series / Schedules not working
December 28, 2016, 05:16:19 PM
I run the newest build of 16.7 (11 I think).
I added a schedule and attached it to a floating rule, the rule is not enabled or disabled and traffic still flows. If I toggle enable/disable manually it works. Do I need to do anything more to get it running? Any logs to look in?

Should the enable/disable change when schedule is used?
#10
I may as well build this as a normal plugin, I have the example of hello-world. I will post it here when finished.
#11
Seems browsers think it is a phishing site if I use this syntax...

https://key:secret@ip-number/url/document.php?var1=val1


Is it possible to somehow do something like this?

https://ip-number/url/document.php?var1=val1&key=api-key-value&secret=api-secret-value
#12
Oh thanks, I will read that!
The only thing left is user auth, which I prefer to be public on LAN.
This is the code I came up with. Since all these block rules apply on floating rules, it was relatively easy to adapt it.

<?php
require_once("guiconfig.inc");
require_once("filter.inc");

if (!isset($config['filter']['rule'])) {
    $config['filter']['rule'] = array();
}
$a_filter = &$config['filter']['rule'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pconfig = $_POST;
    if (isset($pconfig['id']) && isset($a_filter[$pconfig['id']])) {
        // id found and valid
        $id = $pconfig['id'];
    }
    if (isset($pconfig['act']) && $pconfig['act'] == 'toggle' && isset($id)) {
        // toggle item
        if (isset($a_filter[$id]['disabled'])) {
            unset($a_filter[$id]['disabled']);
        } else {
            $a_filter[$id]['disabled'] = true;
        }
        write_config();
        filter_configure();
        header(url_safe('Location: /block.php?rand=%s', rand()));
        exit;
    }
}

include("head.inc");
?>

<body>
<script type="text/javascript">
$( document ).ready(function() {
    // link toggle buttons
  $(".act_toggle").click(function(event){
    event.preventDefault();
    var id = $(this).attr("id").split('_').pop(-1);
    $("#id").val(id);
    $("#action").val("toggle");
    $("#iform").submit();
  });

});
</script>


            <form action="block.php?rand=<?=rand();?>" method="post" name="iform" id="iform">
              <input type="hidden" id="id" name="id" value="" />
              <input type="hidden" id="action" name="act" value="" />
                <table class="table table-striped table-hover" id="rules">
                  <thead>
                    <tr>
                      <th>&nbsp;</th>
                      <th>&nbsp;</th>
                  </tr>
                </thead>
                <tbody>


<?php
                foreach ($a_filter as $i => $filterent):
                if ((isset($filterent['floating']))):
                  // select icon
                  if ($filterent['type'] == "block" && empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove text-danger";
                  } elseif ($filterent['type'] == "block" && !empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove text-muted";
                  } elseif ($filterent['type'] == "reject" && empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove-sign text-danger";
                  } elseif ($filterent['type'] == "reject" && !empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove-sign text-muted";
                  } else if ($filterent['type'] == "match" && empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-ok text-info";
                  } else if ($filterent['type'] == "match" && !empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-ok text-muted";
                  } elseif (empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-play text-success";
                  } else {
                      $iconfn = "glyphicon-play text-muted";
                  }
?>

                  <tr class="rule" data-category="<?=!empty($filterent['category']) ? htmlspecialchars($filterent['category']) : "";?>">
                    <td>
                      <a href="#" class="act_toggle" id="toggle_<?=$i;?>" data-toggle="tooltip" title="<?=(empty($filterent['disabled'])) ? gettext("disable rule") : gettext("enable rule");?>"><span class="glyphicon <?=$iconfn;?>"></span></a>
                    </td>
                    <td>
                      <?=htmlspecialchars($filterent['descr']);?>
                    </td>
                  </tr>
<?php
                  endif;
                  endforeach;
?>

                </tbody>
              </table>
          </form>


<?php include("foot.inc"); ?>
#13
I was thinking maybe to adapt firewall_rules_edit.php to show two rules and only show the description and Enable/Disable switch. I looked at the source code, but couldn't really figure out how it applies changes. Is it a database? Or does it hold the whole rule set in memory and write out a pf.conf?
#14
Hello,

I searched the forums and found out that I cannot use the API to turn off a specific rule. Can I use SSH or go directly via some kind of web URL/POST, or what are my options?

I want to set up a simple webpage for my wife to be able to shut the internet off for the kids so they can go to bed ;)