Topics - AndyX90

1
20.7 Legacy Series / 20.7.3 - OpenVPN Site2Site change Tunnelnetwork
« on: October 11, 2020, 09:41:59 am »
Hey guys,
I have a running site-to-site tunnel for just one site, with the tunnel network configured as 10.0.31.0/30.
The server and client instances on both sites are assigned to separate interfaces.
On the main site there are three different OpenVPN server instances, all with /24 tunnel networks, which work very well.
Now I want to change the tunnel network of this specific instance from /30 to /24 to be able to connect more sites.
The problem with this is that if I change the tunnel network on both sites to anything shorter than /30 (fewer than 30 bits), the connection gets established, but no traffic passes.
Changing the tunnel network back to /30 makes it work again.
I tried the following:
- rebooting both sides after changing the tunnel network --> same problem
- disabling, re-enabling and restarting the client/server OpenVPN instances --> same problem
- re-applying the assigned interfaces of the OVPN interfaces (unconfigured) --> same problem
- cloning the server/client instances and assigning the clones to the interfaces --> same problem
I would be happy if someone has another hint for me.

Thx

Sent from my Mi 10 using Tapatalk
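Added example, not from the post and not OPNsense's own code: what changes, in raw OpenVPN terms, when a site-to-site tunnel moves from a /30 to a /24. A /30 is a point-to-point link with one fixed peer (.2 talks to .1). Anything larger runs the instance in OpenVPN's `server` mode (which, as I understand OPNsense's legacy OpenVPN integration, is what a tunnel network larger than /30 selects), where every client is handed an address out of a pool, and with more than one site the daemon additionally needs an `iroute` per client so it knows which connected peer owns which remote LAN; the kernel `route` alone only gets packets as far as the tun device. The script computes the endpoint addresses OpenVPN assigns for the default `net30` topology and for `subnet`, and generates the `route`/`iroute` pairs. The tunnel network, site names and LANs are assumptions, and the mapping onto OPNsense's GUI (client-specific overrides) is not shown.

```python
# Added example, not from the post or OPNsense: how OpenVPN hands out tunnel
# addresses for a given tunnel network and what a multi-site server needs so
# that traffic for each remote LAN reaches the right connected client.
import ipaddress


def tunnel_endpoints(tunnel_net, n_clients, topology="net30"):
    """Return (server_ip, [(client_ip, client_gateway), ...]).

    /30: a point-to-point link (OpenVPN 'ifconfig' mode); exactly one peer.
    net30 (OpenVPN default): the server owns the first /30 (.1 local, .2 remote)
          and each client gets its own /30, taking its 3rd address as IP and
          its 2nd as gateway. '--server' pools the /30s after the first and
          leaves the last one unused.
    subnet: the server takes the first host address; clients the next ones,
          with the last host address left out of the pool.
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("tunnel network must be an IPv4 prefix of /30 or larger")
    if net.prefixlen == 30:
        if n_clients > 1:
            raise ValueError("a /30 tunnel network fits exactly one remote site")
        return str(net[1]), [(str(net[2]), str(net[1]))]
    if topology == "net30":
        blocks = list(net.subnets(new_prefix=30))
        server_ip = str(blocks[0][1])
        pool = [(str(b[2]), str(b[1])) for b in blocks[1:-1]]
    elif topology == "subnet":
        hosts = list(net.hosts())
        server_ip = str(hosts[0])
        pool = [(str(h), server_ip) for h in hosts[1:-1]]
    else:
        raise ValueError(f"unknown topology {topology!r}")
    if n_clients > len(pool):
        raise ValueError(f"{tunnel_net} has room for only {len(pool)} clients")
    return server_ip, pool[:n_clients]


def multisite_config(tunnel_net, sites, topology="net30"):
    """Build the server directives plus one client-config-dir file per site.

    sites maps the client certificate CN to the list of LANs behind that site.
    'route' installs the kernel route into the tun device; 'iroute' in the
    client's ccd file tells the OpenVPN process which connected client owns
    the LAN. On a multi-client server the tunnel comes up fine without the
    iroute, but the daemon has no idea where to deliver the packets.
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    if net.prefixlen >= 30:
        raise ValueError("server mode needs a tunnel network larger than /30")
    server = [
        f"server {net.network_address} {net.netmask}",
        f"topology {topology}",
        "client-config-dir ccd",
        "ccd-exclusive",  # refuse clients that have no ccd entry at all
    ]
    ccd, seen = {}, []
    for cn, lans in sites.items():
        lines = []
        for lan in lans:
            lan_net = ipaddress.ip_network(lan, strict=True)
            if lan_net.overlaps(net) or any(lan_net.overlaps(s) for s in seen):
                raise ValueError(f"{lan} overlaps the tunnel network or another site")
            seen.append(lan_net)
            server.append(f"route {lan_net.network_address} {lan_net.netmask}")
            lines.append(f"iroute {lan_net.network_address} {lan_net.netmask}")
        ccd[cn] = "\n".join(lines) + "\n"
    return "\n".join(server) + "\n", ccd


if __name__ == "__main__":
    print(tunnel_endpoints("10.0.31.0/30", 1))
    print(tunnel_endpoints("10.0.31.0/24", 3))
    conf, ccd = multisite_config("10.0.31.0/24", {"siteB": ["192.168.10.0/24"]})
    print(conf)
    print(ccd)
```

The point of the two functions side by side: on the /30 the remote site is reachable at a fixed .2 and there is nothing to route per client; on the /24 the same site becomes the first pool entry (10.0.31.6 with gateway 10.0.31.5 under `net30`), and each site's LAN needs both the `route` on the server and the `iroute` in that client's ccd file. `ccd-exclusive` is a hardening extra: a client certificate without a ccd entry is refused outright rather than connected with no routes.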


2
19.7 Legacy Series / NGINX- LE for SMTPS, SUBMISSION, IMAPS
« on: December 16, 2019, 10:46:43 am »
Hi all,
I would like to use NGINX to offload Let's Encrypt certificates for my internal services SMTPS, SUBMISSION and IMAPS.
In https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/ it is stated that nginx needs to be built with the following arguments: --with-mail --with-mail_ssl_module.
Our nginx plugin is built with the arguments --with-mail=dynamic and --with-mail_ssl_module.
Is this setup possible with our default nginx plugin?

THX
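Added example, not from the post or the OPNsense nginx plugin. Whether the plugin exposes the `mail` context I cannot say from the post; what is certain is that a build with `--with-mail=dynamic` only has the module after a `load_module modules/ngx_mail_module.so;` line at the top of nginx.conf, and that the mail proxy cannot work without an `auth_http` backend: for every login nginx makes an HTTP request to that backend carrying the credentials as request headers, and routes the session to whatever IP and port the backend returns. The Python below is a minimal such backend; the user, password and backend addresses are constructed for the example. A matching nginx fragment would be along the lines of `mail { server_name mail.example.org; auth_http 127.0.0.1:9000/auth; server { listen 465 ssl; protocol smtp; } server { listen 993 ssl; protocol imap; } }` with the `ssl_certificate` and `ssl_certificate_key` lines omitted here.

```python
# Added example, not from the post or the OPNsense nginx plugin: the auth_http
# backend that nginx's mail proxy (ngx_mail module) consults for every login.
# nginx sends the credentials as request headers; the backend answers with
# Auth-Status and, on success, the IP and port of the real mail server.
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample directory; a real backend checks a password hash in its
# user store instead. All values are assumptions made for this example.
USERS = {"alice@example.org": "correct horse battery staple"}
# Auth-Server must be an IP address, not a hostname.
BACKENDS = {"smtp": ("127.0.0.1", 25), "imap": ("127.0.0.1", 143), "pop3": ("127.0.0.1", 110)}


def auth_decision(headers):
    """Map the headers nginx sends to the headers it expects back.

    Request:  Auth-Method, Auth-User, Auth-Pass, Auth-Protocol,
              Auth-Login-Attempt, Client-IP
    Response: Auth-Status: OK plus Auth-Server and Auth-Port, or
              Auth-Status: <error text> plus Auth-Wait: <seconds nginx delays>
    """
    h = {k.lower(): v for k, v in headers.items()}
    method = h.get("auth-method", "")
    proto = h.get("auth-protocol", "")
    user = h.get("auth-user", "")
    password = h.get("auth-pass", "")
    try:
        attempt = max(1, int(h.get("auth-login-attempt", "1")))
    except ValueError:
        attempt = 1
    # Only PLAIN/LOGIN carry the password itself (nginx reports both as "plain").
    # APOP/CRAM-MD5 would require handing the clear-text password back to nginx
    # in Auth-Pass so it can verify the digest; this backend refuses them.
    failure = {"Auth-Status": "Invalid login or password",
               "Auth-Wait": str(min(3 * attempt, 30))}  # back off repeated failures
    if method != "plain" or proto not in BACKENDS:
        return failure
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return failure
    host, port = BACKENDS[proto]
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp = auth_decision(dict(self.headers.items()))
        self.send_response(200)
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # the default access log would record request lines; never log Auth-Pass


if __name__ == "__main__":
    # Bind to loopback only: Auth-Pass travels in clear text on this hop.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Two things worth keeping from this even if the real backend is a PHP or Perl script: the backend sees the clear-text password on every attempt, so it belongs on loopback or a private socket and must not log it, and `Auth-Wait` is the only brute-force brake nginx gives you, so scale it with `Auth-Login-Attempt` rather than returning a constant.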

3
19.7 Legacy Series / Unbound - DNS Overrides
« on: December 04, 2019, 10:04:59 am »
Hey guys,

I still have problems with Unbound and DNS overrides.
It has persisted since my last thread (https://forum.opnsense.org/index.php?topic=7252.0).

But last week I made an important discovery.
I had a setup with WAN on DHCP and set up domain and host overrides. It worked like a charm.
But then I changed the WAN to PPPoE, and since then the overrides have stopped working correctly.
I tried to disable "allow DNS to be overridden by PPPoE" and set static upstream DNS servers, but without luck.

Any ideas?

4
19.7 Legacy Series / Get Opnsense Version through API
« on: September 18, 2019, 06:44:17 pm »
Hey guys, I am trying to get the version of OPNsense through the API.
Currently I am calling "https://opnsense-ip/api/core/firmware/info" and extracting $.product_version from the output.
My problem is that this generates thousands of lines with all installed and available packages, changelogs etc., only to extract a string like "19.7.3".
Maybe someone has an idea on how to do this without such a big overhead?

THX


Sent from my iPhone using Tapatalk
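Added example, not from the post or OPNsense: a small client that authenticates with an API key and secret (OPNsense uses them as HTTP basic auth credentials, key as user name, secret as password), verifies the firewall's TLS certificate against a CA file instead of switching verification off, and pulls `product_version` out of the `/api/core/firmware/info` reply. It does not avoid the large download (I do not know a lighter endpoint I can vouch for here), but it fails loudly on an unexpected reply and gives you an "is this box at least version X" comparison. The URL, key, secret and CA file in the main block are placeholders; the nested `product` layout it also accepts is an assumption about later releases, not something verified against the 19.7 reply.

```python
# Added example, not from the post or OPNsense: fetch the firmware info with
# an API key/secret and pull product_version out of the large reply.
import base64
import json
import re
import ssl
import urllib.request

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:_\d+)?$")  # e.g. 19.7.3 or 19.7.3_1


def api_get(base_url, key, secret, path, cafile=None, timeout=15):
    """GET a JSON endpoint. OPNsense API keys are plain HTTP basic auth: key as
    the user name, secret as the password. cafile pins the CA that issued the
    GUI certificate so a self-signed firewall certificate still verifies."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def extract_version(payload):
    """product_version out of /api/core/firmware/info, ignoring the package lists."""
    v = payload.get("product_version")
    if v is None and isinstance(payload.get("product"), dict):
        v = payload["product"].get("product_version")  # nested layout: assumption
    if not isinstance(v, str) or not VERSION_RE.match(v.strip()):
        raise ValueError(f"no usable product_version in reply: {v!r}")
    return v.strip()


def version_key(v):
    """'19.7.3_1' -> (19, 7, 3): numeric tuple for ordering; _N is the hotfix revision."""
    return tuple(int(p) for p in VERSION_RE.match(v).group(1).split("."))


def is_at_least(payload, minimum):
    """True when the firewall reports a version >= minimum (e.g. '19.7.3' >= '19.7')."""
    return version_key(extract_version(payload)) >= version_key(minimum)


if __name__ == "__main__":
    # Placeholders: your firewall URL, an API key/secret pair, and its CA certificate.
    info = api_get("https://opnsense-ip", "KEY", "SECRET", "/api/core/firmware/info",
                   cafile="opnsense-ca.pem")
    print(extract_version(info))
```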

5
Web Proxy Filtering and Caching / Squid Bump Interfaces
« on: April 01, 2019, 02:29:38 pm »
Hey guys, is it somehow possible in the GUI to let Squid do SSL bump on LAN and only SNI filtering on the WiFi interfaces?
Thx


Sent from my iPhone using Tapatalk

6
19.1 Legacy Series / Generate Configuration Reports
« on: March 13, 2019, 07:17:35 am »
Hey guys, I searched for something to generate reports/documentation from configuration files and found pfFocus.
I adjusted the code a bit to work with OPNsense configuration files.
https://github.com/AndyX90/OPNReport
There are some issues, but in principle it works.
Maybe someone with Python knowledge can help fix the port-alias parsing?
Another question is about the <version> section in OPNsense configuration files.
Am I wrong, or has this been dropped somehow? I noticed that it is not present any more in 19.x.

Thx
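Added example, not from OPNReport, pfFocus or OPNsense: a parser for the alias section of an OPNsense config.xml that expands port aliases into validated ranges and rejects malformed entries instead of skipping them, plus a reader for the top-level `<version>` element that simply returns None when an export has none. The element layout (`OPNsense/Firewall/Alias/aliases/alias` with `name`, `type`, `enabled` and a newline-separated `content` element) follows the 19.x alias model as I understand it; treat it as an assumption and adjust the XPath if your export differs. The sample document is constructed for this example.

```python
# Added example, not from OPNReport or OPNsense: read aliases out of an
# OPNsense config.xml and expand port aliases into validated ranges.
# Element layout assumed from the 19.x Alias model; the sample is constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = b"""<opnsense>
  <theme>opnsense</theme>
  <OPNsense>
    <Firewall>
      <Alias version="1.0.0">
        <aliases>
          <alias uuid="9c2a6d4e-0000-4000-8000-000000000001">
            <enabled>1</enabled>
            <name>WebPorts</name>
            <type>port</type>
            <content>80
443
8000:8100</content>
            <description>web servers</description>
          </alias>
          <alias uuid="9c2a6d4e-0000-4000-8000-000000000002">
            <enabled>0</enabled>
            <name>MgmtHosts</name>
            <type>host</type>
            <content>192.168.1.10
192.168.1.11</content>
          </alias>
        </aliases>
      </Alias>
    </Firewall>
  </OPNsense>
</opnsense>
"""


def parse_port_spec(spec):
    """'80' -> (80, 80); '8000:8100' -> (8000, 8100). Letters, port 0, ports
    above 65535, inverted ranges and 'a:b:c' are rejected, not skipped."""
    parts = spec.strip().split(":")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec {spec!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port spec {spec!r} out of range or inverted")
    return lo, hi


def load_aliases(xml_bytes):
    """Return {alias name: {"type", "enabled", "items"[, "ports"]}}."""
    root = ET.fromstring(xml_bytes)
    aliases = {}
    for el in root.findall("./OPNsense/Firewall/Alias/aliases/alias"):
        name = (el.findtext("name") or "").strip()
        if not name:
            raise ValueError("alias without a name")
        content = el.findtext("content") or ""
        entry = {
            "type": (el.findtext("type") or "").strip(),
            "enabled": (el.findtext("enabled") or "1").strip() == "1",
            "items": [line.strip() for line in content.splitlines() if line.strip()],
        }
        if entry["type"] == "port":
            entry["ports"] = [parse_port_spec(item) for item in entry["items"]]
        aliases[name] = entry
    return aliases


def config_version(xml_bytes):
    """The top-level <version> element, or None when the export has none."""
    return ET.fromstring(xml_bytes).findtext("version")


if __name__ == "__main__":
    for name, alias in load_aliases(SAMPLE_CONFIG).items():
        print(name, alias)
    print("config version:", config_version(SAMPLE_CONFIG))
```

For a report generator the strict port parsing matters more than it looks: an alias entry that silently drops out of the report is exactly the rule you will not notice is open.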

7
19.1 Legacy Series / Insight - Interface wrong
« on: March 04, 2019, 08:38:32 am »
Hey guys,

I have a problem regarding Netflow/Insight and specific WAN traffic.
Basically I have one WAN interface, one LAN interface and one interface linked to another firewall.
There are internet connections coming into my LAN from the other firewall's interface.
But Netflow displays them on my WAN interface.
Any suggestions?

Thanks in advance!

8
19.1 Legacy Series / [SOLVED]19.1 - flowd_aggregate crashes
« on: February 14, 2019, 11:38:29 am »
Hi folks,
I have two DEC4630s in an HA cluster. Both of them are freshly installed with 19.1.
And on both firewalls flowd_aggregate constantly crashes with the following error:

kernel: pid XXXXX (python2.7), uid 0: exited on signal 11 (core dumped)

Maybe it has something to do with these lines?

kernel: -> pid: 19271 ppid: 45268 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
kernel: [HBSD SEGVGUARD] [python2.7 (19271)] Suspension expired.

I tried both repairing and resetting the Netflow data, without luck.
Thanks!
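Added example, not from the post: a detection snippet run over kernel log lines of the shape quoted above. It parses the FreeBSD "exited on signal" lines, attaches the HardenedBSD SEGVGUARD events by pid, and flags any process that dies on a signal repeatedly inside a time window. A uid 0 daemon segfaulting every few minutes is worth an alert on its own, whether the cause turns out to be a corrupt data file it keeps re-reading or something worse. The log lines are constructed for the example (hostname, pids and timestamps are made up).

```python
# Added example, not from the post: flag a process that keeps dying on a
# signal, correlating HardenedBSD SEGVGUARD lines by pid. Constructed log.
import re
import signal
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Feb 14 10:01:03 fw1 kernel: -> pid: 19271 ppid: 45268 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Feb 14 10:01:03 fw1 kernel: [HBSD SEGVGUARD] [python2.7 (19271)] Suspension expired.
Feb 14 10:01:03 fw1 kernel: pid 19271 (python2.7), uid 0: exited on signal 11 (core dumped)
Feb 14 10:11:05 fw1 kernel: pid 19402 (python2.7), uid 0: exited on signal 11 (core dumped)
Feb 14 10:21:07 fw1 kernel: pid 19555 (python2.7), uid 0: exited on signal 11 (core dumped)
Feb 14 11:40:00 fw1 kernel: pid 20001 (sh), uid 1001: exited on signal 11
Feb 14 11:41:00 fw1 sshd[20010]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
CRASH_RE = re.compile(
    r"kernel: pid (?P<pid>\d+) \((?P<comm>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
GUARD_RE = re.compile(r"kernel: \[HBSD SEGVGUARD\] \[(?P<comm>\S+) \((?P<pid>\d+)\)\] (?P<event>.+)$")


def parse_crashes(lines, year=2019):
    """One dict per 'exited on signal' line; SEGVGUARD events are attached by pid.
    Syslog timestamps carry no year, so the caller supplies it."""
    guard_events = defaultdict(list)
    crashes = []
    for line in lines:
        m_ts = TS_RE.match(line)
        ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S") if m_ts else None
        m = GUARD_RE.search(line)
        if m:
            guard_events[int(m["pid"])].append(m["event"])
            continue
        m = CRASH_RE.search(line)
        if not m:
            continue
        sig = int(m["sig"])
        try:
            sig_name = signal.Signals(sig).name
        except ValueError:
            sig_name = str(sig)
        crashes.append({
            "ts": ts, "pid": int(m["pid"]), "comm": m["comm"], "uid": int(m["uid"]),
            "signal": sig_name, "core": m["core"] is not None,
        })
    for c in crashes:
        c["segvguard"] = guard_events.get(c["pid"], [])
    return crashes


def repeated_crashes(crashes, threshold=3, window=timedelta(hours=1)):
    """[(comm, uid, count)] for processes that crashed >= threshold times inside any window."""
    by_proc = defaultdict(list)
    for c in crashes:
        if c["ts"] is not None:
            by_proc[(c["comm"], c["uid"])].append(c["ts"])
    alerts = []
    for (comm, uid), times in by_proc.items():
        times.sort()
        j = 0  # sliding window: j is the oldest crash still inside the window ending at i
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                alerts.append((comm, uid, i - j + 1))
                break
    return alerts


if __name__ == "__main__":
    found = parse_crashes(SAMPLE_LOG.splitlines())
    for c in found:
        print(c)
    print("alerts:", repeated_crashes(found))
```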

9
19.1 Legacy Series / Postfix plugin - User Authentication
« on: February 13, 2019, 02:02:19 pm »
Hi folks, is it somehow possible to force the Postfix plugin to require user authentication?
Thanks

10
18.7 Legacy Series / Nginx as Webserver for Lightsquid-Reports
« on: September 13, 2018, 08:06:18 am »
Hi ho,

I recently tried to use the nginx plugin to serve Lightsquid reports.
I created one HTTPS server and a location with the option "Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI".
But it doesn't work. I get the following error in the nginx error log:

*1 FastCGI sent in stderr: "Access to the script '/usr/local/web/lightsquid/index.cgi' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxxx, server: webserver, request: "GET /index.cgi HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-www.socket:", host: "xxxx:xxxx"

And in the browser I get the message

Access denied.

Has someone already got this working?

Thx.

11
Web Proxy Filtering and Caching / Squid - SSLBump Windowsupdate
« on: April 14, 2018, 09:22:19 am »
Hi, I am experiencing some problems with Squid + SSL bump and Windows Update (WSUS). I have set up single sign-on.
I have added .microsoft.com and .windowsupdate.com to the no-bump sites.
Now I get the following error multiple times in the Squid log:

kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

If I try to open https://update.microsoft.com/ directly without the proxy, I get a certificate warning in my browser too.
There seems to be an issue in their certificate chain.
How can I explicitly trust those sites? I tried to put them in the whitelist, but it doesn't work.
Many thanks!

12
Web Proxy Filtering and Caching / Squid SSO - No Bump Sites
« on: February 13, 2018, 12:30:11 am »
Hey guys,
I have found out that the configured no-bump sites are ignored when single sign-on is enabled.
Any solution for that?

Thx

Sent from my Pixel 2 XL using Tapatalk
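Added example, not from the posts or the OPNsense proxy plugin, covering the three Squid questions in this list: SSL bump on LAN but SNI-only filtering on WiFi, no-bump sites that must never be intercepted, and Windows Update hosts whose certificate chain Squid fails to verify. Whether the GUI can express a per-interface policy I leave to the thread; in raw squid.conf terms the whole thing is an ordering problem in the `ssl_bump` rules, which is what the generator below gets right: peek at step 1 to read the SNI, splice the never-bump names before any bump rule (a spliced connection is tunnelled untouched, so Squid never validates that server's chain, which is the only way out of the "certificate verify failed" case short of trusting a broken chain), terminate blocked names on the splice-only networks, then splice WiFi, bump LAN, splice everything else. Subnets, domain names and ACL names are assumptions.

```python
# Added example, not from the posts or the OPNsense proxy plugin: generate the
# ssl_bump section of squid.conf from a small per-network policy so the rule
# order comes out right. Subnets and domain names are assumptions.
import ipaddress
import re

DOMAIN_RE = re.compile(r"^\.?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def ssl_bump_rules(bump_src, splice_src, never_bump, blocked_sni):
    """Return squid.conf lines. bump_src / splice_src map an ACL name to a
    CIDR; never_bump and blocked_sni are dstdomain-style patterns for the
    ssl::server_name ACL, which at step 1 matches the ClientHello SNI.

    Order of the ssl_bump actions:
    1. peek step1 on every connection: read the SNI without touching the handshake.
    2. splice never_bump by SNI before anything else: Squid never terminates
       TLS for them, so it never validates their certificate chain either.
    3. terminate blocked names from splice-only networks: an SNI filter
       that needs no decryption.
    4. splice the splice networks, bump the bump networks, splice the rest.
    """
    for cidr in list(bump_src.values()) + list(splice_src.values()):
        ipaddress.ip_network(cidr, strict=True)  # ValueError on junk
    for d in never_bump + blocked_sni:
        if not DOMAIN_RE.match(d):
            raise ValueError(f"bad domain pattern {d!r}")
    if set(bump_src) & set(splice_src):
        raise ValueError("a network name cannot be in both bump and splice")
    lines = ["acl step1 at_step SslBump1"]
    lines += [f"acl {name}_src src {cidr}" for name, cidr in {**bump_src, **splice_src}.items()]
    if never_bump:
        lines.append("acl never_bump_sni ssl::server_name " + " ".join(never_bump))
    if blocked_sni:
        lines.append("acl blocked_sni ssl::server_name " + " ".join(blocked_sni))
    lines.append("ssl_bump peek step1")
    if never_bump:
        lines.append("ssl_bump splice never_bump_sni")
    for name in splice_src:
        if blocked_sni:
            lines.append(f"ssl_bump terminate blocked_sni {name}_src")
        lines.append(f"ssl_bump splice {name}_src")
    for name in bump_src:
        lines.append(f"ssl_bump bump {name}_src")
    lines.append("ssl_bump splice all")
    return lines


def check_order(lines):
    """True when the first ssl_bump action is the step-1 peek and the
    never-bump splice (if present) comes before any bump action."""
    actions = [l for l in lines if l.startswith("ssl_bump ")]
    if not actions or actions[0] != "ssl_bump peek step1":
        return False
    first_bump = next((i for i, a in enumerate(actions) if a.startswith("ssl_bump bump")), len(actions))
    splice_never = next((i for i, a in enumerate(actions) if a == "ssl_bump splice never_bump_sni"), -1)
    return splice_never == -1 or splice_never < first_bump


if __name__ == "__main__":
    rules = ssl_bump_rules({"lan": "192.168.1.0/24"}, {"wifi": "192.168.2.0/24"},
                           [".microsoft.com", ".windowsupdate.com"], [".example-tracker.net"])
    print("\n".join(rules))
    print("order ok:", check_order(rules))
```

`check_order` is the test I would keep in a config pipeline: the failure mode that produces both the ignored no-bump list and the chain errors is a `bump` rule that fires before the SNI-based `splice`, and once Squid has decided to bump a connection it has to fetch and validate the origin certificate.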


13
18.1 Legacy Series / Unbound Problems
« on: February 10, 2018, 09:05:38 am »
Hey guys,

I have strange problems with Unbound and domain overrides.
I have configured a local domain override with xxx.local pointing to my domain controller, and a reverse override also pointing to my domain controller.
If I check the resolution via Interfaces > Diagnostics > DNS Lookup, it resolves the IP only on every third or fourth try.
Attached are some screenshots.
EDIT: I read somewhere that Unbound could have problems with domains named *.local?

Thanks for help!

14
18.1 Legacy Series / Problems after upgrade to 18.1
« on: February 06, 2018, 07:37:29 am »
Hey guys, I have some problems after the 18.1 upgrade.
First, only one IPsec Phase 2 is established (there should be three).
If I restart IPsec manually, at least two of them get established.
Secondly, I cannot connect to one of my local networks from LAN.
Devices on that interface are pingable from the firewall itself, but after the upgrade there is no more access from LAN. I also noticed that in the new live log some traffic gets counted on the wrong interface. For example, LAN traffic to another local subnet shows interface enc0.
Any suggestions?

15
17.7 Legacy Series / Web-Proxy SSO
« on: November 26, 2017, 10:12:52 am »
Hey guys,

I'm trying to get web proxy SSO to work, but it won't...
The checklist in the plugin is okay.

If I click CREATE KEYTABLE it shows the following:

Password for Administrator@XXXXX.LOCAL:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 82
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXX.LOCAL for procotol tcp
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXX.LOCAL for procotol udp
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS domain)
 -- get_dc_host: Found DC: XXXXX.LOCAL
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: XXXXX.XXXXX.local
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-3PVDF8
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: FIREWALL$
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for FIREWALL$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/firewall.XXXXX.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for FIREWALL$ with password.
 -- create_default_machine_password: Default machine password for FIREWALL$ is firewall
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: XXXXX.XXXXX.local
SASL/GSSAPI authentication started
....

In the proxy log it shows:

:2017/11/26 09:30:11| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2017/11/26 09:30:10   kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

Any suggestions?

THX
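Added example, not from the post or the OPNsense proxy plugin: a decoder for the token a client sends in `Proxy-Authorization` that tells whether it is what `negotiate_kerberos_auth` wants (a SPNEGO or raw Kerberos GSS-API token) or an NTLMSSP message, which is what the "received type 1 NTLM token" warning above is complaining about. A browser answers a `Negotiate` challenge with NTLM when it could not obtain a Kerberos ticket for the proxy, typically because the proxy is addressed by IP or a name that has no matching `HTTP/` SPN, or because the keytab on the proxy does not match the account the SPN is registered on; classifying the tokens from a packet capture or a debug log shows which clients fall back and which do not. The sample tokens are constructed; real SPNEGO tokens are longer, which is why the decoder handles DER long-form lengths.

```python
# Added example, not from the post or the OPNsense proxy plugin: classify the
# token in a Proxy-Authorization header as NTLMSSP, SPNEGO or raw Kerberos.
# Sample tokens are constructed for the example.
import base64

NTLMSSP = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft variant)


def _der_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_len_bytes(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def gss_initial_token(mech_oid, inner):
    """Build an RFC 2743 InitialContextToken: [APPLICATION 0] { OID, inner }."""
    body = b"\x06" + der_len_bytes(len(mech_oid)) + mech_oid + inner
    return b"\x60" + der_len_bytes(len(body)) + body


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


def classify_token(header_value):
    """Classify a Proxy-Authorization (or Authorization) header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable"
    if tok.startswith(NTLMSSP):
        # NTLMSSP: 8-byte signature, then the message type as little-endian uint32
        msg_type = int.from_bytes(tok[8:12], "little") if len(tok) >= 12 else 0
        return f"ntlm-type{msg_type}" if msg_type in (1, 2, 3) else "ntlm-malformed"
    try:
        if tok and tok[0] == 0x60:
            _, i = _der_len(tok, 1)
            if i < len(tok) and tok[i] == 0x06:
                oid_len, j = _der_len(tok, i + 1)
                oid = tok[j:j + oid_len]
                if oid == SPNEGO_OID:
                    return "spnego"
                if oid in (KRB5_OID, MS_KRB5_OID):
                    return "kerberos"
                return "gss-unknown-mech"
    except (ValueError, IndexError):
        pass
    return "unknown"


# Constructed samples. NTLM type 1: signature, type 1, flags, empty domain/workstation fields.
SAMPLE_NTLM_TYPE1 = negotiate_header(
    NTLMSSP + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 24)
# SPNEGO negTokenInit with a padded body so the outer length uses DER long form.
SAMPLE_SPNEGO = negotiate_header(
    gss_initial_token(SPNEGO_OID, b"\xa0" + der_len_bytes(200) + b"\x00" * 200))
SAMPLE_KRB5 = negotiate_header(gss_initial_token(KRB5_OID, b"\x01\x00\x6e\x00"))

if __name__ == "__main__":
    for name, hdr in [("ntlm", SAMPLE_NTLM_TYPE1), ("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5)]:
        print(name, "->", classify_token(hdr))
```

The classifier only looks at the outer envelope, which is all that is needed for the diagnosis: an `NTLMSSP` signature means the client never tried Kerberos for this proxy name, whereas a SPNEGO token that still fails in Squid points at the keytab or SPN side.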

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved