Messages - JohnDoe17

1
21.1 Production Series / Unbound views
« on: February 12, 2021, 09:10:16 pm »
Hello.

I am trying to resolve an issue that I am having with DNS resolution after I connect to the firewall via OpenVPN server:

OpenVPN server configuration:
  I supply a "DNS Default Domain" and "DNS Server," and have "Force DNS cache update" and "Prevent DNS leaks" selected.

After I successfully establish the VPN using the Viscosity client, when I try to connect to the firewall GUI using its DNS name, it stalls for a few seconds and then works for a few seconds.  After a few more seconds of working, it stalls again and then works again, and so on.

Wireshark shows me that my web browser's DNS query goes to the machine that I specified in my OpenVPN server "DNS Server" configuration (the firewall's own Unbound service), but the DNS response contains the entire list of IPs assigned to ALL of the interfaces on the firewall.  And, apparently?, depending on the order of the IP addresses in the response, the web browser tries to connect to TCP port 443 (the firewall GUI) using one of the IP addresses that is not authorized in the firewall rules associated with VPN interface.

Does that sound right?  I assumed Unbound would return the DNS response that corresponds to the interface from which the query came instead of every IP for every interface on the firewall.

Am I missing something in the current OPNsense GUI that would help me with this?

Otherwise, it sounds like Unbound supports something like this now called "views."  I don't think OPNsense supports these options in the current GUI.  Is that right?  If I want to pursue this option, I guess I need to use the "Advanced" configuration.
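
An added example of the Unbound "views" mechanism the post refers to (not from the post or from OPNsense's own generated configuration): queries arriving from the VPN tunnel subnet get an answer containing only the tunnel-side address, while the global data is left untouched for everyone else. The tunnel subnet 10.8.0.0/24, the firewall tunnel address 10.8.0.1 and the name fw.example.lan are constructed placeholders.

```conf
# Added example, not the post's or OPNsense's own config.
# A view-specific local-data match is checked before the global local-data,
# so clients in the view no longer see the full list of interface addresses.
server:
    # Allow queries from the tunnel and map that source range to the "vpn" view.
    access-control: 10.8.0.0/24 allow
    access-control-view: 10.8.0.0/24 vpn

view:
    name: "vpn"
    # Override only the firewall's own name inside this view.
    local-zone: "example.lan." transparent
    local-data: "fw.example.lan. IN A 10.8.0.1"
    local-data-ptr: "10.8.0.1 fw.example.lan"
    # Names without a match in the view fall back to the global local data.
    view-first: yes
```

Unbound's own log at verbosity 2 or higher records which view a query was matched to, which is the quickest way to confirm the mapping before trusting the answer in Wireshark.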

2
20.1 Legacy Series / Re: How to Configure Wireguard for Remote users
« on: June 06, 2020, 03:10:37 am »
Thank you for this guide!  I really appreciate you sharing this with the community.

I hope this or something built from this will be added to the official online documentation.

 :)

3
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: December 06, 2019, 05:57:02 pm »
@mb

Please consult the attached picture...

Is this message normal?  What does it mean?

Thanks.

4
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: November 10, 2019, 11:39:18 pm »
@mb

I just upgraded my firewall from 19.1.10_1 to 19.7.6 again, and I'm having the same problem with elasticsearch.  It's not starting.  In fact, I don't think it's even installed.  It looks like engine 1.1_3 is used, so I assumed the issue would be fixed.

Are you aware of this?  Did I misunderstand the fix?

Also, if I just upgrade the 19.1.10 components (and not go to 19.7.x), it seems to break Sensei too in the same way.

5
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: November 05, 2019, 03:55:32 pm »
I just noticed some messages on the console that don't look good either.  I don't know if they are related to my Sensei issue or not, but I thought I'd post them in case they were.

See attachment.

6
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: November 05, 2019, 03:47:52 pm »
I just updated from 19.1.10 to 19.7.6.  Now I'm getting the following message every time I click on the Dashboard:

Quote
Elasticsearch service is not running!  In order to view reports, you need to start Elasticsearch service. Do you want to start it?

And when I click "Yes," it doesn't seem to start.  I just get a "Waiting for database service to come up" bar.

This used to work fine.  Any ideas?

7
19.1 Legacy Series / Re: OPNsense 19.1.x and DNSoverTLS with Hostname Verification
« on: July 01, 2019, 01:16:20 am »
I *think* the configs need to be adjusted slightly...

NOTE the additional "dns" in the "dns.quad9.net" string.
Code:
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net

NOTE the removal of "1dot1dot1dot1dot1" in the "cloudflare-dns.com" string.
Code:
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com

Maybe someone can confirm this or not.
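
As an added example (not from the post or the guide it replies to), here is the complete Unbound stanza those forward-addr lines belong in. Hostname verification only happens when a CA bundle is configured; the bundle path is an assumption and must match the platform.

```conf
# Added example, not the post's own config.
server:
    # The "#name" auth names below are checked against this CA bundle.
    # Without it Unbound has nothing to verify the upstream certificate against.
    # /etc/ssl/cert.pem is an assumed path; adjust for the installed bundle.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # Speak TLS to every forwarder in this zone (DNS over TLS on port 853).
    forward-tls-upstream: yes
    # "@853" is the port; "#name" is the hostname the certificate must carry.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

`unbound-checkconf` validates the syntax, and a deliberately wrong auth name (e.g. a typo in the hostname) should then fail resolution with a TLS error in the Unbound log, which is the check that verification is actually active.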

8
19.1 Legacy Series / Re: OPNsense 19.1.x and DNSoverTLS with Hostname Verification
« on: June 30, 2019, 05:18:00 am »
Good stuff!  Thanks!
 :D

9
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: June 04, 2019, 06:08:42 pm »
@mb

Looks like this issue wasn't completely resolved after all...

Code:
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1) amd64
OPNsense 19.1.8 dff8692b8
Plugins os-arp-scan-1.1 os-ftp-proxy-1.0_1 os-sensei-0.8.0.rc1 os-sensei-updater-0.8.0_21 os-vmware-1.5
Time Tue, 04 Jun 2019 11:05:35 -0500
OpenSSL 1.0.2r  26 Feb 2019
PHP 7.2.18
PHP Errors:
[04-Jun-2019 11:02:51 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}
[04-Jun-2019 11:03:24 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}

10
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: May 29, 2019, 06:18:58 pm »
Hello @mb.

Yes, I can confirm the fix in rc1 did resolve the error I saw with the Sensei CLI API and OPNsense Crash Reporter.

Thank you!

11
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: May 28, 2019, 06:11:31 pm »
I got the crash to happen again.

Note that "Rainbow#Bicycle" is the password I was using for the test.  Does Sensei handle the "#" symbol in a password?

Code:
[28-May-2019 11:08:17 America/Chicago] PHP Fatal error:  Uncaught Error: Class 'OPNsense\Sensei\Exception' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(151): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4346, 1, '', 1)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(134): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4346, 'Rainbow#Bicycle', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(89): OPNsense\Sensei\Sensei->runCLI(Array)
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php on line 111

12
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: May 28, 2019, 05:35:02 pm »
Quote
2) Installed Sensei 0.8.0.beta10.

13
Sensei / Re: Sensei on OPNsense - Application based filtering
« on: May 28, 2019, 05:28:35 pm »
I'm new to Sensei, but I'm loving it so far!  Great work!

I do occasionally get a "crash report" notification though.

Here is the sequence of events:

0) Sensei was not installed.
1) Upgraded OPNsense from 18.7.10_4 to 19.1.8.
2) Installed Sensei 0.8.0.beta10.
3) Successfully completed the initial Sensei configure wizard.
4) Noticed a "crash report" when I went to the OPNsense Dashboard.

Unfortunately, I don't have the crash report in front of me at the moment, but I *did* submit it, so hopefully you'll get it from the OPNsense team eventually.  It was something about PHP crashing with bad data related to the "TCP Service Security" password.  I'll keep you posted if I see it again.

14
19.1 Legacy Series / Re: OpenVPN DNS DHCP options not pushed to clients
« on: April 17, 2019, 04:05:26 pm »
No, you are not the only person to experience this.  I have the same issue, but I am still running 18.7.x.

15
18.7 Legacy Series / Re: 18.7.10 and Suricata
« on: January 23, 2019, 05:49:28 pm »
Well, after reverting, I seem to be getting alerts again.  And the rules lists are downloading again.

Thanks, Franco.

I assume if this gets sorted out in the future, when I upgrade to 19.1.x, the reverted version will upgrade at that time too?
