Messages

1

23.1 Legacy Series / Re: Upgraded from 22 to 23.1 - Web Gui now inaccessible

« on: May 09, 2023, 06:51:33 pm »

We had a similar issue, though we were on 23.1 and upgrading to 23.1.7.  The web UI failed to start, but all else seemed to be working.  We physically rebooted it and it came back up fine.

2

General Discussion / Re: Installing a CA Bundle

« on: January 05, 2023, 07:31:42 pm »

cookiemonster and Vilhonator, I'm not sure you understand the issue.  I've imported the bundle into Authorities as suggested by franco, but that doesn't seem to translate to HAProxy.  You can't import the certificate with the bundle (by combining the text files) as OpnSense won't accept it in response to the CSR.

3

General Discussion / Re: Installing a CA Bundle

« on: January 04, 2023, 10:40:25 pm »

Sorry for the delay Franco.. vacay.  From what I get from the certificate provider (NameCheap), I'm suppose to combine the bundle and the cert into a single file, such as described here for Nginx. https://www.namecheap.com/support/knowledgebase/article.aspx/9419/33/installing-an-ssl-certificate-on-nginx/

OpnSense doesn't appear to allow this in Trust / Certificates.  After submitting my CSR and getting the returning files, it will only accept the certificate (not a combination of cert and bundle).  Instead, I've added the bundle to the Trust / Authorities.

So, what am I doing... I have a web server that I'm hosting and using HAProxy to reverse proxy to that.  I've defined the certificate as the TLS cert.  However, this only offers the cert to the client, not the cert chain.  So my partners are having connection issues.

As to your question regarding wget, it was just the first tool I tried for figuring out the problem (as it appears to work fine in my local browser).  I can try to use fetch, but I think I know what the problem is.. just not how to fix it.  It's a public CA, so not even sure why a bundle is needed (but I expect this is my ignorance about what is going on).

4

22.1 Legacy Series / Re: Dashboard Failure

« on: March 02, 2022, 03:39:36 pm »

Thanks, I just renamed it from ids_log.widget.php to ids_log.widget.php.bak and everything started working.  Guess it's probably safe to delete it then.  @franco, I'm not sure where I picked it up, but I don't think I created it myself. lol.  IDS log is nice to have on the dashboard if it can be adapted to the latest version. Here is the contents of the "ids_log.widget.php" for reference:

Code: [Select]

<?php/*    Copyright (C) 2015 S. Linke <dev@devsash.de>    All rights reserved.    Redistribution and use in source and binary forms, with or without    modification, are permitted provided that the following conditions are met:    1. Redistributions of source code must retain the above copyright notice,       this list of conditions and the following disclaimer.    2. Redistributions in binary form must reproduce the above copyright       notice, this list of conditions and the following disclaimer in the       documentation and/or other materials provided with the distribution.    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE    POSSIBILITY OF SUCH DAMAGE.*/require_once("guiconfig.inc");$ids_logfile = '/var/log/suricata.log';if (!$config['widgets']['idslogfiltercount']){  $syslogEntriesToFetch = isset($config['syslog']['nentries']) ? $config['syslog']['nentries'] : 20;} else {  $syslogEntriesToFetch = $config['widgets']['idslogfiltercount'];}if (is_numeric($_POST['logfiltercount'])) {   $countReceived =  $_POST['logfiltercount'];   $config['widgets']['idslogfiltercount'] = $countReceived;   write_config("Saved Widget IDS Log Filter Setting");   header(url_safe('Location: /index.php'));   exit;}require_once('diag_logs_common.inc');?>

<div id="ids_log-settings" class="widgetconfigdiv" style="display:none;">
  <form action="/widgets/widgets/ids_log.widget.php" method="post" name="iform">
    <table class="table table-striped">
      <tr>
        <td><?=gettext("Number of Log lines to display");?>:</td>
        <td>
          <select name="logfiltercount" id="logfiltercount">
           

<?php for ($i = 1; $i <= 50; $i++) {?>

            <option value="<?= html_safe($i) ?>"

<?php if ($syslogEntriesToFetch == $i) { echo "selected=\"selected\"";}?>

><?= html_safe($i) ?></option>
           

<?php } ?>

          </select>
        </td>
        <td>
          <input id="submit_ids_log_widget" name="submit_ids_log_widget" type="submit" class="btn btn-primary formbtn" value="<?= gettext('Save') ?>">
        </td>
      </tr>
    </table>
  </form>
</div>

<div id="ids_log-widgets" class="content-box" style="overflow:scroll;">
  <table class="table table-striped" style="cellspacing:0; cellpadding:0">
   

<?php dump_clog($ids_logfile, $syslogEntriesToFetch); ?>


  </table>
</div>

<!-- needed to display the widget settings menu -->
<script>
//<![CDATA[
  $("#ids_log-configure").removeClass("disabled");
//]]>
</script>




5

22.1 Legacy Series / Dashboard Failure

« on: March 01, 2022, 09:38:39 pm »

I'm getting a dashboard problem after upgrading to the latest opnsense, which prevents the entire dashboard from loading.

Code: [Select]

[01-Mar-2022 12:40:07 America/New_York] PHP Fatal error:  require_once(): Failed opening required 'diag_logs_common.inc' (include_path='/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/opnsense/contrib:/usr/local/share/pear:/usr/local/share') in /usr/local/www/widgets/widgets/ids_log.widget.php on line 47
[01-Mar-2022 12:41:37 America/New_York] PHP Warning:  require_once(diag_logs_common.inc): failed to open stream: No such file or directory in /usr/local/www/widgets/widgets/ids_log.widget.php on line 47

I can't find "diag_logs_common.inc" on the host.  I tried changing it to "diag_logs_settings.inc" which does exit, but that didn't work.  Also tried to comment line 47, but that didn't resolve the loading issue.

6

Virtual private networks / Re: Wireguard - Local & Destination Network Same IP Range

« on: February 27, 2022, 04:19:23 am »

Thank you both for the comments!  I'll have to think about which option would work best for us. 👍

7

Virtual private networks / Wireguard - Local & Destination Network Same IP Range

« on: February 24, 2022, 09:04:23 pm »

Setting up Wireguard and having a routing issue I suspect.  We unfortunately used a common 192.168.1.0 address scheme in our office, but most home networks use a similar IP subnet.  I have the WG network on 10.10.10.0, but can't seem to route out of the VPN to the local or external network on the destination.  Is there any way to make this work with some type of 10.10.10.0 NAT?   I rather not have to readdress the entire office to allow a few people to VPN in.

8

Web Proxy Filtering and Caching / Re: web filtering https without mitm

« on: May 04, 2021, 01:51:42 am »

Thanks, I'm trying to move to the unbound dns via DNSBL, but the lists are not as extensive as those for the proxy.  If I wanted to block all video streaming sites, it would be a very difficult task via DNSBL.  I just can't find good lists like you can with squid. 

9

Web Proxy Filtering and Caching / web filtering https without mitm

« on: April 27, 2021, 02:06:05 am »

I want to use the web proxy filtering for ssl without doing the entire ca ssl mitm.  I don't need to inspect, cache or authenticate anything.  I just want to block people from going to youtube and social media sites.  That shouldn't require me doing anything within SSL.  However, I can't get it to work.  When I do the transparent proxy forward on the ssl port, it just breaks the internet.

help please
thanks

10

General Discussion / DHCP Registration (DNS) vs Dynamic DNS (DHCP)

« on: March 16, 2021, 01:31:37 am »

I want the client names to be automatically registered in DNS.  It seems both of these seem to do that, but what is the difference?  Are both needed?

Under DHCP, we have Dynamic DNS.
"Enter the dynamic DNS domain which will be used to register client names in the DNS server. Note: Leave blank to disable dynamic DNS"

Under DNS, we have DHCP Registration
"If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered in Unbound, so that their name can be resolved."

11

General Discussion / Unbound DNS - Register DHCP leases

« on: January 26, 2021, 06:56:18 am »

Is there any place to see the dynamic DNS added via DHCP leases in Unbound DNS?  I created a static reservation and now Unbound has both the old and new IP.  I can't see what all the dynamic entries are or how to delete one.

12

19.1 Legacy Series / Re: WAN admin - Firewall Allow but Blocked

« on: April 18, 2019, 09:15:29 pm »

I'm not sure if this is normal, but I got it to work and I'll explain. 
My WAN was set with an IP of 10.x.x.1 and my LAN 192.168.x.1.  I disabled the option that would block private or bogon networks.  I allowed any any to access 10.x.x.1 any.  I was not able to connect to the web admin unless I went to the console and did a 'service pf onestop'.

I changed the WAN IP to a internet facing ip range and put it online.  Now it works without issue and I've tightened up the source ip and destination port in the rules.  Why would it not work with a 10.x.x.x assignment?  I was accessing it from that network.  Anyway.. figured I'd post in case others had a similar issue.

13

19.1 Legacy Series / WAN admin - Firewall Allow but Blocked

« on: April 17, 2019, 05:25:34 am »

I have a situation where I need to enable web administration on the WAN.  I've done this before without issues.  Go to console, shut down packet filter, set WAN firewall to allow my source IP to destination WAN address port 443.  Restart pf.

I just installed a new install of opnsense yesterday, but I can't get this to work.  I'm able to stop pf from a remote console and then access the WAN web admin, but after adding the WAN firewall rule (even to the point of ANY ANY), when pf restarts, I'm blocked by the default fw block rule.  Any thoughts why this would happen?

I know best practice is to vpn or something and access via the lan (and I'll get to that), but I need this to work on the wan first to set everything up properly.  Also, web admin is enabled for all interfaces.

14

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 23, 2019, 02:30:32 pm »

It is enabled when you enable HTTPS as well as you can configure it under security headers.

fabian, can you point me to what I need to select to disable HSTS under security headers?  I see a couple options, but they seem more like configurations for HSTS, not on enabling or disabling it.  It's not clear how to do this unless you're speaking of editing the nginx.cfg directly - thanks.

15

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 22, 2019, 02:43:54 pm »

Here is the error in the log for trying to delete the IP ACL.  Running 18.7.10_4

[20-Feb-2019 17:15:58 America/New_York] PHP Fatal error:  Uncaught Error: Call to undefined method OPNsense\Nginx\Nginx::find_ip_acl_entry_uuids() in /usr/local/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php:505
Stack trace:
#0 [internal function]: OPNsense\Nginx\Api\SettingsController->delipaclAction('575a2aad-e5ff-4...')
#1 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Nginx\Api\SettingsController), 'delipaclAction', Array)
#2 [internal function]: Phalcon\Dispatcher->dispatch()
#3 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#4 {main}
  thrown in /usr/local/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php on line 505