Topics - FarmServer

#1
I feel like I should have gotten this to work by now but I am misunderstanding a setting and can't seem to get nginx to work properly.

I have a server hosting two webpages behind opnsense. They are www.mydomain.com/one and www.mydomain.com/two.

The server accepts incoming connections on 443. My current working opnsense configuration to access these webpages from external IPs is to forward all 443 connections going to WAN-IP to MyServer-IP. This works but there is a quite large volume of port sniffing and random access attempts when I do this.

I would like nginx to filter for and forward only requests for www.mydomain.net/(one or two) to MyServer-IP/(one or two). A fairly standard use case for nginx, that I somehow can't get working right. I have ssl certs stored on MyServer for the domain, so in my current setup where I forward all requests on 443, MyServer will do the filtering for any request to www.mydomain.com/(one or two) and serve the correct ssl cert.

I believe the system I am looking for is transparent reverse proxy, where all nginx does is look for a request using my domain name and forwards it without modifying data or serving certs.

These are my current rules to port forward all 443 to MyServer:
Firewall > NAT > Port Forward: Interface WAN, IPv4, Protocol TCP/UDP, Destination WAN net, Destination Port Range HTTPS, Redirect target IP MyServer, Redirect Target Port HTTPS

I also have one for internal subnets to reach this server using the domain name:

Firewall > NAT > Port Forward: Interface subnet1 subnet2 subnet3, IPv4, Protocol TCP/UDP, Destination WAN net, Destination Port Range HTTPS, Redirect target IP MyServer, Redirect Target Port HTTPS

and then in Firewall: Rules: WAN there is an autogenerated rule for IPv4 TCP/UDP, source/port any, destination MyServer(alias), port 443

The Nginx configuration I have tried is this, based on most write-ups I have found:
Upstream Server
   Description: MyServer
   Server: (MyServer IP)
   Port: 80
   Priority 1
   Max Conns: 1000
   Max Fails: 10
   Fail Timeout: 60

Upstream
   Description: MyServer Backend
   Server Entries: MyServer
   LoadBalancing: WRR
   Enable TLS: False

Location
   Description: MyServer Root
   URL Pattern: /
   match type: none
   url rewriting: nothing selected

HTTP Server
   HTTP Listen 80
   HTTP Listen 443
   Server Name: www.mydomain.com
   Locations: MyDomain Root
   URL Rewriting: nothing selected

Firewall: WAN: Rules
Protocol IPv4, TCP/UDP, source/port *, Destination WAN Address 443(and same rule with 80), Gateway/schedule *

Whenever I try to connect I get a "Cannot Complete Request" error. Nginx logs show a connection attempt by my device in the http access logs with a status 404 error. I am a little confused here because it seems like I made pretty much the same forwarding rules with nginx as I did with NAT forwarding. But for whatever reason these requests aren't getting forwarded the same way. Hopefully it is something simple enough that someone who knows more about this can point me in the right direction.

Thanks,
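As an added illustration, not part of the original post and not the OPNsense nginx plugin's own configuration, this is what the "transparent" arrangement described above looks like in a raw nginx.conf: on 443 nginx only reads the SNI hostname from the TLS ClientHello and relays the connection unchanged to the backend, so MyServer keeps terminating TLS with its own certificates; on 80, where the Host header is visible, only the named host and the two published paths are proxied and everything else is refused. The address 192.0.2.10 is a constructed placeholder for MyServer-IP.

```nginx
# Added example, not the poster's plugin configuration.
# 192.0.2.10 stands in for MyServer-IP; www.mydomain.com is the hostname from the post.
events {
    worker_connections 1024;
}

# 443: SNI-based passthrough. No certificate is configured here; nginx inspects the
# ClientHello, selects the upstream by server name and forwards the bytes as-is,
# so MyServer still presents its own cert.
stream {
    map $ssl_preread_server_name $tls_backend {
        www.mydomain.com  192.0.2.10:443;
        # no default entry: an unknown or missing SNI leaves the upstream empty and
        # nginx closes the connection instead of forwarding it
    }

    server {
        listen 443;
        ssl_preread on;            # requires ngx_stream_ssl_preread_module
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}

# 80: plain HTTP carries the Host header, so filtering is done per host and path.
http {
    # Catch-all for any other Host header or a bare IP: 444 closes the connection
    # without sending a response, so scanners learn nothing about what is behind.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    server {
        listen 80;
        server_name www.mydomain.com;

        # only the two published paths are forwarded; the request URI is preserved,
        # so /one/... reaches the backend as /one/...
        location /one/ {
            proxy_pass http://192.0.2.10;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        location /two/ {
            proxy_pass http://192.0.2.10;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # everything else under the correct hostname is refused
        location / {
            return 404;
        }
    }
}
```

`nginx -t` validates the file; if the stream block is rejected, the build lacks the stream or ssl_preread module. A request for `/one` without the trailing slash gets a 301 to `/one/` from the prefix location, which is nginx's standard behaviour for proxied prefix locations.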
#2
I would like to block the IP addresses in the various "IP Groups" from this list but I can't seem to get the policy correct. Some remain allowed, and others are blocked.

I have CINS selected in the tag drop down menu and "new action" set to drop but for this one list that does not seem to be enough to get suricata to actually drop everything from this ET CINS list.

The IPs involved aren't being flagged by other lists first, it just seems like something about this list is still overriding my attempts to drop the connection.
#3
I have a computer on my network hosting a webpage at www.mydomain.com. External requests were forwarded to the host computer using opnsense port forward rules and I had the nat 1:1 reflection option enabled to allow other devices on my network to reach the website using www.mydomain.com instead of having to use the IP address of the host machine.

Strangely, after the most recent update of opnsense the host computer can no longer reach its own website using www.mydomain.com. It can get there using its own IP address. Every other computer on the network can still get to the page using www.mydomain.com, as can devices from external IPs.

So did something change with the way NAT reflection or forwarding rules work recently? I need an API on the host machine to be able to contact the website using the www.mydomain.com address so the ssl certs are valid.

The host computer is on its own subnet, all other machines are on various other subnets. The host is running debian stable with a LAMP stack. I am not seeing requests on the firewall from the host machine trying to reach itself, but can see other local subnet addresses communicating with the host machine, as well as external addresses. So it seems like a setting somewhere is blocking domain name resolution for this one machine all of a sudden.
#4
I just got a 1gbps connection and a new sb8200 modem to handle that speed upgrade. It has two NICs for link aggregation for use on connections over 1gbps.
But I was wondering if there was any benefit at all if I used both lines on my 1gbps connection. Maybe like a load balancer or to help decrease latency if a bunch of devices are communicating through my opnsense box at the same time.

Most of the stuff I could find online was for intranetwork speed improvements for a NAS or commercial access points. It's a new concept to me so I am just looking to get up to speed on any capabilities this could bring to the table.

It kind of seems like LAG would be helpful on my PCs that are using wired connections but that would require quite a few hardware upgrades and I only have one free ethernet port on my router and one on the sb8200 for now to play with.
#5
I have a Sierra EM7565 LTE modem I use on a laptop for roaming around and for whatever reason I wanted to try passing it to a KVM of OPNsense.

I am using Virt-Manager to do this and I am passing just the USB device to OPNsense. Then when I log into OPNsense via the terminal (in the KVM window) I can see under /dev that there is a cuau0 device being added. The OPNsense webgui also sees the /dev/cuau0 device under PPP devices. Unfortunately I can't get OPNsense to communicate via AT commands to the modem.

I tried configuring the modem settings between MBIM(USBIF) and Legacy-Generic, as well as switching from qmi to mbim mode for the data link but none of the settings seem to communicate in OPNsense. For whatever reason the device does not seem to want to talk to OPNsense but will talk to Debian just fine.

The error I get in the webgui is "failure to issue AT command" and in the terminal I can use cu -l /dev/cuau0 which gives me a CONNECTED status, but I can't enter anything after that.

I was thinking I might need to pass the whole USB bus, but there is only one bus and that would take all of my USB ports, touchscreen, etc. with it.

Does anyone have any experience doing this? I don't have any other modems to try so I can't be too sure it isn't a BSD issue with this particular modem.
#6
I upgraded to 21.1, I'm using the libressl flavor, and then went to install the sensei plugin (first time). After it installed it never showed up in the menu tab. When I looked at the plugins page it said both the sensei plugin and the chrony plugin were outdated. It also listed no packages or plugins besides those two. When I tried to check for new updates it said it could not contact the repository.

Uninstalling the sensei plugin reverted everything back to normal. Pretty strange, my guess is that's not supposed to happen.
#7
I currently have the opnsense ntpd setup to provide time sync for all connected clients and to force any client trying to use its own ntp address to sync with the opnsense ntp.

I would like to do a similar thing using chrony so that I can also take advantage of NTS since that is now available. 

This is how I configured it:

enabled: true
listen port: 123 (it defaulted to 323 for some reason)
nts client support: true
ntp peers: time.cloudflare.com
allowed networks: 192.168.1.1 , 192.168.2.1 (my subnets)

Then I stopped the ntp service, there seemed to be no way to explicitly disable ntpd in the gui.

Is this set up correct?

How can I disable ntpd in opnsense? I assume it will just restart after a reboot.

#8
I really have no clue what I did here. And it's bugging the crap out of me. I have my OpnSense running in a VM, it has been this way for quite a while with no issues.

My LAN was hooked up to an access point to provide WIFI.
Another NIC (on the same network card) was plugged in to a computer for VPN access.

At some point I lost internet connection on the clearnet LAN; it does log into the WebGUI fine but can't access any external pages.

Anything attached to the VPN works fine. I switched the access point to the VPN NIC and that worked fine, so it's not the AP. I swapped the ethernet interfaces in the WebGUI and the problem didn't stay with one interface. It just stays with whatever is connected to the LAN.

Unplugging the AP and plugging a computer in directly with the ethernet cable also only allows access to the webGUI and nothing else. So, again, I'm doubting it's the AP but rather some configuration that broke somewhere.

I appreciate the strict security measures but it is pretty annoying.
#9
I have Opnsense in a xen HVM. I have passed several realtek 8111 NICs to Opnsense with no issues. But I have 1 card with two Intel 82576 NICs on it that has issues.

Opnsense 'sees' these NICs and identifies them as igb0 and igb1, which implies to me that the correct drivers are also loaded. But when I plug a device into a NIC it is unable to get DHCP configuration from Opnsense and cannot communicate through the card (one orange light and one green light). Plugging the same device into one of the Realtek NICs works fine.

All rules are the same between an 8111 NIC and the 82576 NICs as far as I can tell.
Each device has its own static IPv4 addy.
A firewall rule of let ipv4 from (yournamehere)net to any.
An autocreated NAT outbound rule for all networks to wan.
DHCP enabled on each lan giving a range of assignable addresses.
Unbound DNS resolver enabled and 'Enable Forwarding mode' set.

I am unsure of where to start to localize the issue and figured I would ask here and save some time.
Thanks
#10
I have numerous firewall entries from an IP address trying to call the 255.255.255.255.68 address internally.

Packet capture with the log level set to full (not any different in detail from the other settings):
13:33:32.895203 IP 10.102.0.1.67 > 255.255.255.255.68: UDP, length 250

When I look at the firewall log the explanation for the blocking is
@61 block drop in log quick on bce0 on inet from 10.0.0.0/8 to any label "Block private networks from WAN"

These incidents happen every minute or so. There doesn't seem to be any issues. 67 and 68 are related to dhcp and that seems to be working properly. I have three lans that have their own dns servers and they are being assigned IP addresses and dns addresses correctly.

Any thoughts? I thought packet capture might give me more detail on the source of this IP but it didn't return much detail.
#11
17.1 Legacy Series / New IPSEC settings?
March 30, 2017, 05:59:53 AM
I noticed some new settings in IPSEC that are complicating the transition a bit. (Thanks for fixing the missing certificate authority field in 17.1.4)

In phase 1 what do you enter for "remote gateway"? In 16.7 this defaulted to 'mobile client'.

A similar problem is in phase 2. Before remote subnet defaulted to 'mobile client' but now it wants an address or network entered.

Lastly, and probably has nothing to do with anything, what is 'disable mobike'?
#12
16.7 Legacy Series / IPSEC with BB10
February 25, 2017, 01:14:51 AM
I guess this just isn't going to work
#13
I have opnsense on a server handling vpn traffic. I like the idea of using a read-only install on an SD card and just loading a config file onto it and using ram disks for logs (which I don't really need to check or keep). So my question is, will the firewall and OpenVPN function fine without being able to write data? What functions need to write data in opnsense? I get that caching and storage do but what else?

If the img file is about 400mb, why do you need a 4gb SD card? Is this to write data to? If so, what would the minimum size be?