Topics - dirkhschulz

1
23.1 Legacy Series / Answers from Proxy on WAN-Gateway disappear
« on: May 26, 2023, 06:49:41 pm »
My OpnSense is configured to use an outgoing web proxy on the default gateway of the WAN interface.
That works fine.

Now the servers behind the OpnSense (different LANs) should also use this proxy, and I configured incoming and outgoing firewall rules to allow that.

The connections from the LAN clients behind the OpnSense to the proxy time out.
On the OpnSense every single firewall rule (also the auto created ones) is configured to log, and the Live View shows the connection as passed on both interfaces (LAN and WAN). No block/drop logged there, no matter how I filter.
The packet capture shows the request to the proxy incoming on the LAN interface and outgoing on the WAN interface and the proxy's answer incoming on the WAN interface, but not anywhere else.

It looks as if the proxy's answer simply disappears between WAN interface and LAN interface without the firewall intercepting - but if I disable the firewall (pfctl -d in terminal), the proxy traffic works successfully.

How can I find out why that happens?

Thanks for any hint or help.

2
19.1 Legacy Series / sendto failed: Permission denied errno=13
« on: May 08, 2019, 02:01:17 pm »
I have a new install of OpnSense 19.1.4 installed in a VM on KVM with lots of subnets behind it and WAN interface attached to a bridge where I can use iptables / ebtables, to log passing network packets.

Routing and similar stuff works fine, but local requests originating from the OpnSense are not leaving the OpnSense.

Example for unbound in forwarding mode requesting the upstream server:
unbound: [25365:0] notice: sendto failed: Permission denied

Using telnet or openssl in the shell of the OpnSense leads to the same error.

I can see that
- these packages are logged in the firewall logs as leaving through the WAN interface
- these packages never show up on the bridge of the KVM server
- requests to the same targets from behind the OpnSense (from "inside") are routed to these target IPs perfectly and can be seen on ebtables / iptables as passing.

Funny thing is that Intrusion Detection is disabled, but these "permission denied" messages seem to always come from there if you google them.

Any hint or help would be appreciated.

Dirk

3
16.1 Legacy Series / Adding tun0 interface for tinc to GUI for creating firewall rules?
« on: June 07, 2016, 08:01:04 pm »
Hi all,

I have successfully set up and configured tinc via command line - now I would like to add firewall rules but see no way to add tinc's tun0 interface to the GUI.

Is there a way to trick tun0 into the GUI or do I have to add tinc related firewall rules via the command line?

Any hint or help is appreciated.

Cheers,

Dirk
