Topics

1

General Discussion / Question about routing traffic to another county (like some vpn's do)

« on: January 30, 2023, 01:39:07 pm »

i'll be changing to another country soon. But i would like to use eg.  my TV-Account also from there, which usually is blocked.

i look for a solution to get from abroad to the homecountry, where all my accounts are

Would this be feasable by tor or should i look for another solution? (imho i would prefer routing it on the firewall instead of having a vpn client eg on my chromecast...)

Thx,
Roger

2

22.1 Legacy Series / somehow solved: Upgrade to 22.1.4_1: ACME Client and DDClient do not start

« on: March 28, 2022, 08:11:48 am »

Hi,

i made the Upgrade from 22.1.3. to 22.1.4_1 this morning. After several reboots, the following services do not start:

ACME Client
DDClient (dynamic DNS)

All i find in logs for DDClient is the info, that there is no adress, which in fact is there. Config was working fine until the update.

Where could i find logs to provide more info or is this known?

Regards,
Ruggerio


Edit:

- after entering a interface on ddclient, save and apply, ddclient worked.
- after changing something for and back on acme (e.g. wildcard or so), save and appy, acme worked.

3

Intrusion Detection and Prevention / Question: IDS shows only alled in protocols - no blocking possible?

« on: February 16, 2022, 07:25:27 am »

Hello,

As i have a small APU4, i did not want to enable IPS, as it eats up bandwith. So i tried with IDS and enabled drop in the policy. With IDS i do not loose to much bandwith and it's better to know whats going on instead of getting surprised...

Nevertheless, all traffic is shown as allowed. I am aware of the difference of IDS (for monitoring only) and IPS (acitively acts without human intervention), so i was wondering, to change to drop, even if you choose IDS.

Thx,
Ruggerio

4

21.7 Legacy Series / NGINX: not replying on Port 80 [kindof solved]

« on: January 25, 2022, 11:20:49 am »

Hello,

Since weeks i have a problem with the letsencrypt plugin on my sense.

I configured 2 http-Servers on it:

1 Webserver, reached via reverse proxy function on nginx
1 local webserver on nginx with a separate hostname, and an webroot containing just a index.html

The local webserver has the cross on enable letsencrypt plugin. Nevertheless, it does not work. I read, that le needs port 80 opened, so i tested this.

Result connecting to local webserver on port 443 gives back my dummy index.html
Result connecting to local webserver on port 80 gives ERR_EMPTY_RESPONSE

both ports (80/443) are enabled - but for both webservers, i just can connect to port 443. Port 80 btw. is opened on WAN-Port and redirected to "this firewall".

Might it be, that port 80 is still in use by lighttpd from the sense? I change it to a higher port und use just https (so configured in Web-GUI)

ACME results in hcocde 6, btw.

Thanks for any idea.
Roger

5

21.1 Legacy Series / need help on nextcloud-fpm

« on: July 07, 2021, 09:23:29 am »

Hi together,

i wanted to have nextcloud-fpm using nginx from nginx. I installed a usual Webserver on opnsense and configured "position"




Everything seems work, except that the webpage is delivered unformatted. What did i miss?

Thx,
Ruggerio

6

21.1 Legacy Series / 21.1.7: Problem with Freeradius

« on: June 17, 2021, 08:00:15 am »

Right after the upgrade, Freeradius does not start anymore:

Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"   
2021-06-17T07:58:25       Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"   
2021-06-17T07:58:25       Info: Debugger not attached   
2021-06-17T07:44:37       Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"   
2021-06-17T07:44:37       Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"   
2021-06-17T07:44:37       Info: Debugger not attached

Roger

7

German - Deutsch / Erfahrungen mit Intel Celeron CPU's mit IPS/IDP

« on: February 15, 2021, 10:14:22 am »

Hallo zusammen,

habe ne APU4, damit geht IPS nicht wirklich. Max. 80 mbit/s. Suche nach beserer Hardware und wollte nachfragen, ob jemand Erfahrungen mit den Celeron CPU's hat:

Intel Celeron N4100
Oder der J9100

Habe in Zukunft max. 400 mbit/s Download und würde gerne IPS mitlaufen lassen, damit aber möglichst den Durchsatz erreichen.

Gruss
Roger

8

Web Proxy Filtering and Caching / Signal App only working if SNI enabled

« on: February 01, 2021, 08:40:44 am »

Hello,

I have an old tablet, which i would like to have SSL Inspection enabled. But this will not work for Signal, even if .whispersystems.org and .signal.org are inserted into no ssl bump sites.

It still reclams the certificate, e.g.:
kid1| ERROR: negotiating TLS on FD 30: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)

Does anybody know, how i can handle Signal having ssl inspection enabled? Btw. the proxy is not transparent.

9

20.7 Legacy Series / Proxy and Clam

« on: January 28, 2021, 10:20:50 am »

How far does it still make sense, checking for viruses on the proxy, as lots/most/whatever webservers already use hstsc if we just use SNI? In that case, the content cannot be checked, i think.

This traffic will not be checked, isn't it?

Just for comprehension.

10

21.1 Legacy Series / Squid SSL [Solved]

« on: January 27, 2021, 11:19:17 am »

Hi,

I tried for an old tablet having Squid using SSL Bump (without transparent proxy) - default listening is on port 3129.

On the tablet i get a reduced connection. Strange. On the sense, i see also not listening anything to port 3129 (which perhaps causes this).

And even more strange, the traffic gets - as it seems - inspected, as https://-download from eicar is recognized in c-icap...

usually i expected no inspection of traffic, as it is not listening on 3129 (SNI, btw. is disabled...)

Are there perhaps changes in squid, that could cause this?

11

21.1 Legacy Series / NGINX problem with https server

« on: January 20, 2021, 11:21:44 pm »

Since the upgrade to 21.1-rc...my https-reverse-proxy does no longer start.

Logs say:
SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_4fa78829-e9c2-4d1b-b07d-3223d324f828.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

in the mentionned path, i can find a pem. This error holds nginx from start. if i remove TLS-support from the server, the services starts again.

Somebody with a good idea?

12

21.1 Legacy Series / Update to 21.1 not possible

« on: January 14, 2021, 11:05:47 am »

Hello,

RC1 is not yet advised on my box. This according to the bug mentionned in the announcment. Will there be a fix (e.g. analogue to the update to 20.7., where first another update had to be done before the update to 20.7 was possible)?

13

20.7 Legacy Series / Double NAT - Provider Modem

« on: January 14, 2021, 09:29:06 am »

Hello,

I have a DOCSIS-Cablemodem, which was in bridged mode. Unfortunately, i had lots of packet losses in the last time. So i had to switch to router mode. The opnsense (where all traffic flows on it) is in dmz (i have mail- and webserver from the outside)

Since i changed the way, i get max 100mbps passing via opnsense. Before, it was up to 700 mbps without any problem. I think now, this is a problem of natting opnsense and the modem.

Easy, i disabled natting on the sense, nothing more worked. Of course, as the sense with nat got the ip from the isp-router, without natting all clients behind the sense come now up with their own ip instead of the natted from the wan-port of the sense.

I'm a little bit out of ideas. Does anybody have a "similar" installation? How did you solve this for you?

Thanks!

14

20.7 Legacy Series / [Solved, RFC needed?] NGINX as IMAP reverse proxy

« on: October 25, 2020, 01:21:34 pm »

i got nginx at 80% as reverse proxy for dovecot running. 80% because i don't get the external ip of the client transferred to the mailserver.

if i enable proxy protocol, the connection will not be accepted. Does anybody have an idea? Eventually i was searching false, but google did not reply that much on imap on reverse proxy

all i would need is having the external ip in the logs of dovecot.

Thx,
Ruggerio

15

20.7 Legacy Series / Suricata - Engine?

« on: August 03, 2020, 04:14:29 pm »

Hi,

When testing 20.7 from iso, i always used Aho Ken Steele, no problems with memory.

Now, in 20.7 Production, memory goes up nearly 70% for suricata and the system is swapping. This was not the case before. I changed for now to "reduced memory implementation", but still lots of memory used and swap.

thx!
Ruggerio