Topics

I need to copy out all the IPs in an alias. Is there any way to alter how it displays the IPs? I really, really dislike the auto-blocking format used because:

• It's impossible to organize
• It's impossible to copy
• It's impossible to see all the items
• It prevents editing the IP (or any item) once it becomes 'blocked'

Can we at least have an option to disable the auto-blocking and maybe use a CSV or 1 entry per line format?
Also in the interim, is there any way to copy all the IPs it has in it now from the config?

Every few days I have to manually restart SQUID. It comes right back up, but why is it stopping and not automatically restarting? It's incredibly fustrating!

How do I determine why that is happening?
Can we get an auto-heal feature for all services?

If this auto-heal of services already exists, then either

1) How do I set it up ?

OR

2) If service restart is automatically there, how can i determine why my manual restart of SQUID works when auto doesn't?

Edit: Upgrading but highly doubt that will fix as this has been ongoing since version 17.

Multiple Alias based and firewall rule based feature requests:

1. Built-in Aliases for InternetIPv4 addresses and InternetIPv6 addresses. This would basically make it easier to specify all Internet IP ranges in a rule which would automatically exclude all other address types such as RFC1918, multicast, etc.

2. Alias Groups. This is an Alias which contains multiple other Alias names. Useful when you want to create multiple hosts like GoogleDNS1 GoogleDNS2 Level3DNS1 Level3DNS2, then create a group PublicDNS which would contain those 4 alias' names. This also applies to services, such as a "HTTP" group for ports 80 and 8080, and "HTTPS" group for ports 443 and 4443, so a Service Group Alias would contain both "HTTP" and "HTTPS" as entries in the Alias Service Group.

3. DNS Alias' and DNS Groups. If a DNS name can be an alias that the firewall resolves, this would be very helpful for making rules to internet applications, and would need to also account for the fact that some FQDNs resolve to multiple IPs. Then a DNS Group would be an Alias with multiple FQDNs.

4. Rules to allow multiple Sources, Destinations, and Services. This makes rules much easier to manage. If I can create one rule like below examples it's much more concise, less error prone, and easier to manage. I'd otherwise have to create multiple Alias' and multiple rules or both which quickly becomes confusing for an environment with many VLANs and many restrictions.

Example:
Source: Host1 or Host2 or AliasGroup1
DST: AliasGroup2 or AliasGroup3
Services: WebBrowsing or SSH

Another example:
Source: AliasGroup
DST: InternetIPv6 or InternetIPv4
Services: WebBrowsing

5. Ability to reverse priority of Floating rules and interface specific rules. I like to use the Floating rules as General Purpose Allow rules which apply to most of my network, and the specific interface rules for more specific denials or allows which I want to override the floating rules. This helps keep the Floating rules limited to smaller numbers of rules which makes management easier and less error prone, as the alternative is to create Floating deny rules above the general purpose allow which gets messy fast. Thus if I could have the Interface rules have priority over the Floating rules, this would work much better for this sort of design.

Thanks!

Version:
OPNsense 19.7.3-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

Issue Logs:
Sep 10 13:54:30   (squid-1): FATAL: Received Segment Violation...dying.
Sep 10 13:54:30   (squid-1): FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB helpers are crashing too rapidly, need help!

Those logs keep repeating approximately every minute. Squid service does show running. A restart has no affect on the issue. The symptom is inaccessibility of all webpages as if the proxy is not running.

Thanks for any help!

I upgraded to the latest Prod version of OPNsense yesterday, and Squid no longer started. Squid logs were completely blank, so I had to resort to starting squid via console, which showed the error. It was unhappy with a nobump entry. I see that under System->Log File->General, we do have logs for the services, however it doesn't provide detail on the error and I had to resort to attempting to start the service via console. Can we enhance the GUI logging to include the detailed errors for a failure. Below I show the difference in logs from GUI and manually starting the Service:

Logs from GUI:

Code Select Expand

Feb 28 09:30:07 root: /usr/local/etc/rc.d/squid: WARNING: failed to start squid
Feb 28 09:30:07 squid: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

Logs from console:

Code Select Expand


root@OPNsense:/var/log # service squid start
Starting squid.
2019/02/28 09:30:07| ERROR: '.site.com' is a subdomain of 'site.com'
2019/02/28 09:30:07| ERROR: You need to remove '.site.com' from the ACL named 'bump_nobumpsites'
FATAL: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
Squid Cache (Version 3.5.28): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.013 user + 0.007 sys
Maximum Resident Size: 67200 KB
Page faults with physical i/o: 0
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log #


Thanks!

1) For the SSL Nobump sites list, if you have a deployment of any size, this list can quickly become un-manageable with the current implementation the site list. I would like to see something like the firewall Aliases for these where I can create multiple Groups with lists of sites not to bump. For example, I would create a list of Banks, UserApplications, InternalSites, etc.

2) For the SSL Nobump, as well as the Groups suggested above, allow import/export of the list, with sites separated by a newline for the import/export.

3) I would also like to request No-Proxy settings for specific SourceIPs or DestinationIPs or URLs. For example, say I want a site not to be proxied, or a host server not to be proxied, or a destination IP range not to be proxied. Currently this is difficult and must be managed by creating NAT rules which have limitations and don't cover all 3 options above. These would also need a per-Subnet/Interface setting, with the ability to select multiple Subnets/Interfaces.

4) Separate NoBump lists for separate source Subnets/Interfaces which are using the proxy, or alternatively support multiple proxy processes so we can have fully separate proxy configurations for each Subnet/Interface.

Note that #1 is by far the more pressing need.

Thanks!

Here's the error I am getting on certain sites like Youtube:

Code Select Expand

The following error was encountered while trying to retrieve the URL: https://www.youtube.com/*

Failed to establish a secure connection to 64.233.185.93

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=us/L=Nowhere/O=TG/CN=TG Proxy CA/emailAddress=##@##.com

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

I have attempted to add the site to the SSL no bump sites as well as setting the site in the Whitelist to no avail. Google search has stated the fix to this is upgrading Squid: https://serverfault.com/questions/867380/squid-configured-for-ssl-chokes-on-some-sites

Any recommendations?

Is there any way to capture packets on OPNsense for multiple interfaces simultaneously, rather than resorting to command line?

TCPdump can select multiple interfaces, but why can we not select multiple interfaces when taking a trace? I'm troubleshooting an issue where I apparently have asynchronous routing on one subnet and it would be far more helpful to capture the two interfaces I suspect rather than one which misses half the data I'm looking for.

EDIT: Also, how do I know if the traffic I'm seeing is the traffic ingress or egress for the VLAN captured?

NetScaler has a cool packet capture format which lets you see the VLAN it came in/went out on, if the packet was Rx or Tx, and more. Sure makes reading their traces easier compared to other network devices.

EDIT 2: What? I attempted to capture VLAN 1 and VLAN 99, simultaneously, using 2 tabs. The traces are identical. Did it lose the 1st capture when I tried to start the 2nd? If so, how do I capture these two interfaces at the same time? :( Do I have to resort to CLI? If so, please consider this my feature request.

This happened on 17.7 and now also on 18.7.6. I am using the OPNsense as an internal firewall, with 6 interfaces, where one interface is a transit Subnet from the OPNsense firewall to the external firewall. OPNsense uses the external Firewall's Interface IP as the default route for OPNsense. I do not want any outbound NAT to occur. The external router should see the source IP as the real IP of the server that sent the packet.

Example:
192.168.1.1/24 is the OPNsense Interface 1 and is set to use 192.168.1.254/24 as it's default gateway. This is an internal subnet used as a transit VLAN for access to the external WAN router.
192.168.1.254/24 is the external firewall's interface IP.
192.168.100.1/24 is OPNsense Interface 2 and is another subnet for servers.
192.168.100.232/24 is the real server's IP in this example, which the external firewall should be able to see as the source IP of any packets

Routing works fine, but for some reason all traffic the OPNsense sends to it's default gateway is NATed and the external firewall sees the source IP as the OPNsense Interface IP (192.168.1.1) instead of the real server's IP of 192.168.100.232.

I have tried setting Outbound NAT to use Manual rules and set the 192.168.100.0/24 source subnet to NONAT and have also tried Disabling Outbound NAT rules. In both cases the IP seen on the external firewall is the OPNsense NATed IP of 192.168.1.1.

Please assist. Am I doing this wrong in OPNsense perhaps?

Thanks!

It was working fine, and after an upgrade it no longer starts. Nothing in the proxy logs.

However in shell, I found this:

Code Select Expand

root@OPNsense:/var/log # cat squid.syslog.log
Feb 28 11:28:57 OPNsense (squid-1): Bungled (null) line 3: sslproxy_cert_sign signTrusted all
Feb 28 11:29:04 OPNsense (squid-1):     Failed to verify one of the swap directories, Check cache.log   for details.  Run 'squid -z' to create swap directories         if needed, or if running Squid for the first time.
Feb 28 11:29:12 OPNsense (squid-1):     Failed to verify one of the swap directories, Check cache.log   for details.  Run 'squid -z' to create swap directories         if needed, or if running Squid for the first time.
Feb 28 11:29:19 OPNsense (squid-1):     Failed to verify one of the swap directories, Check cache.log   for details.  Run 'squid -z' to create swap directories         if needed, or if running Squid for the first time.
Feb 28 11:29:27 OPNsense (squid-1):     Failed to verify one of the swap directories, Check cache.log   for details.  Run 'squid -z' to create swap directories         if needed, or if running Squid for the first time.
Feb 28 11:29:38 OPNsense (squid-1):     Failed to verify one of the swap directories, Check cache.log   for details.  Run 'squid -z' to create swap directories         if needed, or if running Squid for the first time.
Mar  8 09:48:43 OPNsense (squid-1): Bungled (null) line 3: sslproxy_cert_sign signTrusted all
CLOG▒▒▒root@OPNsense:/var/log # cat cache.log
cat: cache.log: No such file or directory


And upon running squid -z I got this:

Code Select Expand


root@OPNsense:/var/log # squid -z
2017/11/06 18:50:40| ERROR: '.tg.local' is a subdomain of 'tg.local'
2017/11/06 18:50:40| ERROR: You need to remove '.tg.local' from the ACL named 'bump_nobumpsites'
FATAL: Bungled /usr/local/etc/squid/squid.conf line 27: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
Squid Cache (Version 3.5.27): Terminated abnormally.
CPU Usage: 0.015 seconds = 0.007 user + 0.007 sys
Maximum Resident Size: 46000 KB
Page faults with physical i/o: 0
root@OPNsense:/var/log #


Thanks!

I asked this question on the 16.7 forum, got no help, and have since upgraded to 17.1 so am re-posting with a little more detail here.

So I have 1 interface, and only 1 interface. I have no way to create more. Think of it as if there is a VM and it's only allowed one interface. And I cannot use VLANs because my VMs are contained in a virtual one and I'm only given 1 to work with.

So I need to be able to use subnets to simulate disparate networks - keeping it all on the one VLAN. Therefore, I need to do routing for those multiple subnets using 1 interface. Basically a router on a stick without VLANs...

Is this possible on OPNsense? I know a NetScaler can do this because their design flexibility does not bind IPs to interfaces unless you tell it to.

Please let me know if this is possible and if it is, how I can accomplish it.

Hi there,

I am trying to use OPNsense to setup a firewall between multiple subnets. Unfortunately, I cannot utilize VLANs as this is a multi-tenant setup.

In addition, I am running as a Virtual instance, so I also cannot put multiple Interfaces in my one network. So this is essentially to be a router on a stick, with No VLANs.

Think of it like this:
Interface 1 will be used for all of this:
Gateway IP: 10.0.0.1/26
OPNsense IP: 10.0.0.2/26
OPNsense 2nd Subnet: 192.168.1.1/24
Windows VMs will be on the 192.168.1.0/24 subnet and have their gateway set to 192.168.1.1. They will need to access Internet by getting PNATed through OPNsense which will forward traffic to the Gateway IP 10.0.0.1.

So my questions is, how? I see how to add a Virtual IP. But I can't seem to get the firewall to respond on that new IP. It doesn't ping. I do see some traffic in the logs, but no ping response even after ensuring the traffic is allowed.

Thanks!

It was a bit difficult figuring all this out, but with the help of a few admins here I got it all working.

Here's the URL to the guide, have fun!

http://www.tcptechs.com/opnsense-transparent-caching-filtering-proxy-with-virus-scanning/

I've been hitting my head against a wall on trying to implement ICAP for AV scanning...

Here's the Howto I wrote after getting this all working: http://www.tcptechs.com/opnsense-transparent-caching-filtering-proxy-with-virus-scanning/

Been reading through a few guides... but it's a little confusing and some parts of the guides out there haven't worked so have gotten stuck.

Anyway, my end goad is to use CentOS 7 x64 for the ICAP/ClamAV system, and leave SQUID on OPNsense. Problem is most all the guides I've found talk about having SQUID with CLAM on the same box. Not sure how that will work with Squid on OPNsense... Also most of the guides have stuff that doesn't work and some I can figure out and fix some I haven't been able to yet. Would really like to get this working. I'll do a full write-up if we get it working, start to finish configuring the Proxy and AV system.

This guide seems to have gotten CLAM working ok: https://www.server-world.info/en/note?os=CentOS_7&p=clamav
This guide talks about setting up squidclamav but I'm not sure if I need to do that???: https://www.server-world.info/en/note?os=CentOS_7&p=squid&f=5

Here's a guide for setting up C-ICAP server, but I got stuck at the clamav service failing with an error that is not helpful. http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html

Anyway, anyone got this AV scanning fully working that would be willing to help me along with the above guides and what I need to follow to make this work? And then what do I need to do in OPNsense?

Thanks!

I used the basic Setup Web Filtering guide (https://docs.opnsense.org/manual/how-tos/proxywebfilter.html) and bound it to my VLAN2 interface. I did not do Step 6 as I was just testing. Everything else is exactly the same as per defaults or as per the guide.

Proxy is started. I set a browser to use it and get Proxy not responding for any page, http or https. Firewall rules are same as pics from post here: https://forum.opnsense.org/index.php?topic=4582.msg17627#msg17627

If I telnet from a PC on Vlan2 to the VLAN2 Firewall Interface IP (192.168.2.1) on port 3128, it connects with a blank screen.

Is something missing from the guide? Do I need to do something extra since I have multiple VLANs?

You can see from the trace the packets are received and there is no reply from OPNsense.

Thanks!

So I have OPNsense as a firewall between 2 VLANs. I have 2 Win 2012 R2 servers that since upgrading to 17.1 cannot communicate over Kereros, LDAP, etc. However SMB currently works fine, which is weird because they are all the same firewall rule (using aliases). I did packet traces on both servers and checked the logs on the firewall. Screenshot attached. You see the firewall logs passed traffic, which the receiving server gets, but the SYN ACK reply is lost.

In this test, I initiate port 88 traffic from server s1 to server lic1. lic1 receives the SYN, sends a SYN ACK. s1 does not receive the SYN ACK.

Any ideas? How do I verify if the firewall received the SYN ACK from lic1? Do you have a GUI tcpdump utility?


Here is the network details:

VLAN1: 192.168.1.0/24
OPNsense Interface: 192.168.1.1
Server s1: 192.168.1.220
Firewall disabled.
s1 default gateway: 192.168.1.254 but has a permanent route to 192.168.2.0/24 via 192.168.1.1, verified working with tracert.

VLAN2: 192.168.2.0/24
OPNSense Interface: 192.168.2.1
Server lic1: 192.168.2.230
Firewall disabled.
lic1 default route is 192.168.2.1

Thanks!

PS the image max attachment of 192kb is way too small; makes it hard to post multiple screenshots.

So I have read the CARP how-to at https://docs.opnsense.org/manual/how-tos/carp.html and understand everything except:

1) If my ISP is only providing a /30 subnet (1 usable IP), what would be the proper way to configure the WAN side? I'd prefer to avoid double-natting the system...

2) If I am also setting up dual WAN, I assume I just create another VHID group for the 2nd WAN and also it would have to be a different subnet. From the example the WAN is 172.18.0.x/24 so following the example I'd make the 2nd WAN 172.18.1.x/24, correct?

3) Is there any way to make the CARP system Active/Active instead of Active/Passive?

Thanks!

See screenshot. I need to specify TCP, UDP, or Both in the Ports Alias for each port. Is there any way to do this? I do see I can set it in the firewall rule, however that's either inefficient (have to use up to 3 different rules and 3 different Alias') or it's less secure (specify both in the firewall rule).

Sophos UTM resolves this by allowing you to specify the TCP/UDP/Both in their "Network Group" which is similar to your Alias, but not everyone can afford a UTM.

Ok, so coming from pfSense I used the GUI log pages quite often to help identify firewall issues. Where do I find such logs in OPNsense? Am I missing it or are they not there yet?