Topics - thewolf56

#1
General Discussion / NGINX Issues with multiple subdomains
September 24, 2022, 02:00:26 AM
Hello,

I used this tutorial (https://forum.opnsense.org/index.php?topic=19305.0) to set up NGINX with Let's Encrypt for my initial server.

After reading other items, I ended up using subdomains with subdomain certificates for my Home Assistant and Plex, so the following entries into a web browser work correctly:

No issues with either of those services through mobile browsers or through their respective apps after setting them up correctly.

I tried adding another entry to NGINX for another new server I started for Mealie.  I created a subdomain so that it should connect:
But when I restart NGINX and enter the address into my browser, I get a warning that the website is not safe, and once I ignore the safety messages, it takes me to the login screen for Home Assistant.  Even though the HTTP server is set up with the correct certificate, the website is showing the certificate for hass.mydomain.dns.com instead of the certificate for mealie.mydomain.dns.com.  If I just enter https://mydomain.dns.com into a web browser, it also takes me to the Home Assistant login screen with a similar certificate issue, even though there is nothing set up in NGINX for that server.  I wonder if it has something to do with sharing the same machine with different ports, but the ports are defined in the Upstream server.

Any help to solve this would be appreciated.
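A quick way to see which certificate a name is really being served is to connect with that name in SNI and compare the certificate's DNS names against what was requested. The script below is an added example, not code from the post or from the OPNsense nginx plugin; the hostnames in PROBE_HOSTS are placeholders modelled on the post, and the network call is only made when the script is run directly.

```python
"""Probe which certificate a host presents for each subdomain (SNI).

Added example; not code from the post or from the OPNsense nginx plugin.
probe_certificate() opens a TLS connection with the requested name in SNI
and returns the certificate that was actually served; report() then checks
that certificate's DNS SANs against the name that was asked for.
"""
import socket
import ssl

# Placeholder names modelled on the post (assumptions, not real hosts).
PROBE_HOSTS = [
    "mydomain.dns.com",          # nothing is configured for the bare name
    "hass.mydomain.dns.com",
    "mealie.mydomain.dns.com",
]


def san_matches(hostname, sans):
    """True if hostname is covered by one of the certificate's DNS SANs.

    Exact matches and a single left-most wildcard label are handled:
    *.example.com covers a.example.com but not example.com or b.a.example.com.
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                         # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def dns_sans(cert):
    """DNS names from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_certificate(hostname, port=443, timeout=5.0):
    """Connect with SNI=hostname and return the served leaf certificate.

    check_hostname is turned off so a certificate for the *wrong* name is
    still returned for inspection. The chain is still verified (verify_mode
    stays CERT_REQUIRED), which is what makes getpeercert() return the
    parsed certificate instead of an empty dict.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(hostname, cert):
    """Summarise whether the served certificate is valid for hostname."""
    sans = dns_sans(cert)
    return {"requested": hostname, "cert_valid_for": sans,
            "ok": san_matches(hostname, sans)}


if __name__ == "__main__":
    for host in PROBE_HOSTS:
        try:
            print(report(host, probe_certificate(host)))
        except (OSError, ssl.SSLError) as exc:
            print({"requested": host, "error": str(exc)})
```

A line such as `{'requested': 'mealie.mydomain.dns.com', 'cert_valid_for': ['hass.mydomain.dns.com'], 'ok': False}` means nginx answered the mealie name from another server block: nginx selects a server block by matching the SNI name against `server_name`, and a name that matches nothing falls through to the default server for that port (the first HTTPS server block defined unless one is marked `default_server`). A dedicated catch-all default server with its own certificate makes such a mismatch fail visibly rather than land on whichever application happens to be first.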
#2
Hello,

I have been running the Let's Encrypt add-on with Nginx for a little while without a problem.  However, now I need to use the certificates for a couple of other items.

I have set up SFTP and can connect with PuTTY using keys, but I get an error when I test the connection via the automation for uploading the certificate via SFTP.

I checked the log in the SSH/SFTP server and can see that my OPNsense machine attempts to connect, but I get this error in OPNsense:

Host cannot be trusted.
{ "actions": [ "connecting" ], "success": false, "error": "Key mismatch for '192.168.X.XX'; The expected key ({'hash':'SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1234','key_type':'RSA','key_length':'2048'}) was not found in ([{'hash':'SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5678','key_type':'RSA','key_length':'3072'}])", "host_not_trusted": true, "connect_failed": true }

Can anyone tell me what I am doing wrong?  I noticed that there is a key length mismatch along with key not matching, but not sure how to fix on the OPNsense machine.
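The report quoted above is SSH host-key verification doing its job: the key OPNsense has stored for the host (2048-bit RSA) is not the key the server offered (3072-bit RSA), so the connection is refused until the stored key is confirmed and updated. The script below is an added example, not code from the post or from OPNsense; it parses that JSON report, computes the SHA256 fingerprint and RSA length of an OpenSSH public key line (the format of the server's own `/etc/ssh/ssh_host_rsa_key.pub`), and checks that the key the server actually holds is the one OPNsense saw. The sample key is synthetic, a structurally valid ssh-rsa blob rather than a real RSA key, and the fingerprints in the sample report are constructed to match it.

```python
"""Interpret the "Key mismatch" report and check it against the real host key.

Added example, not code from the post or from OPNsense.
"""
import base64
import hashlib
import json
import re
import struct


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (RFC 4251 section 5)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:                      # keep the sign bit clear
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def describe_pubkey(line):
    """Return (key_type, key_length_bits, 'SHA256:...') for an OpenSSH key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # OpenSSH's SHA256 fingerprint: base64 of sha256(blob), '=' padding removed.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match blob")
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)      # public exponent (not needed here)
        n, _ = _read_string(blob, pos)         # modulus as mpint bytes
        return "RSA", int.from_bytes(n, "big").bit_length(), fp
    raise ValueError("only ssh-rsa keys are handled in this example")


# Matches the {'hash':..,'key_type':..,'key_length':..} entries inside "error".
KEY_RE = re.compile(r"\{'hash':'([^']+)','key_type':'([^']+)','key_length':'(\d+)'\}")


def parse_mismatch(report_json):
    """Extract (expected_entry, [found_entries]) from the OPNsense error report."""
    data = json.loads(report_json)
    entries = [(h, t, int(bits)) for h, t, bits in KEY_RE.findall(data["error"])]
    if not data.get("host_not_trusted") or len(entries) < 2:
        return None
    return entries[0], entries[1:]


def server_key_is_the_found_key(pubkey_line, found_entries):
    """True if the key installed on the server is the one OPNsense was offered."""
    key_type, bits, fp = describe_pubkey(pubkey_line)
    return (fp, key_type, bits) in found_entries


# --- constructed sample data (synthetic key, placeholder fingerprints) -------
_SYNTHETIC_N = (1 << 3071) | 0x10001           # 3072-bit number, not a real modulus
_blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(_SYNTHETIC_N)
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(_blob).decode() + " sftp-host"
_, _, SAMPLE_FP = describe_pubkey(SAMPLE_PUBKEY)

SAMPLE_REPORT = json.dumps({
    "actions": ["connecting"],
    "success": False,
    "error": (
        "Key mismatch for '192.168.X.XX'; The expected key "
        "({'hash':'SHA256:EXPECTED_PLACEHOLDER','key_type':'RSA','key_length':'2048'}) "
        f"was not found in ([{{'hash':'{SAMPLE_FP}','key_type':'RSA','key_length':'3072'}}])"
    ),
    "host_not_trusted": True,
    "connect_failed": True,
})

if __name__ == "__main__":
    expected, found = parse_mismatch(SAMPLE_REPORT)
    print("stored (expected):", expected)
    print("offered (found):  ", found)
    print("server really holds the offered key:",
          server_key_is_the_found_key(SAMPLE_PUBKEY, found))
```

Run against the real server's public key file, a `True` result means the server's key changed or was never the one stored (for example after a reinstall or after generating a fresh host key), and the trusted key in OPNsense is what needs updating; a `False` result means something other than that server answered, which is the case host-key checking exists to catch.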
#3
Hello,

I tried searching for a solution before posting, but I have been unable to solve my issue of setting up NGINX with Let's Encrypt on my OPNsense firewall.

I followed this tutorial (https://forum.opnsense.org/index.php?topic=19305.0), but when I finally went to start it, I received the following errors in the NGINX logs:

2021/07/13   16:33:54   emerg   78826#100183   bind() to 0.0.0.0:80 failed (48: Address already in use)
2021/07/13   16:33:54   emerg   78826#100183   bind() to [::]:80 failed (48: Address already in use)
2021/07/13   16:33:54   emerg   78826#100183   still could not bind()
2021/07/13   16:34:10   emerg   99740#100114   bind() to unix:/var/run/nginx_status.sock failed (48: Address already in use)

I did a search and although I have been using https with port 440 for my GUI, I ran sockstat and found port 80 was being used by lighttpd.  Did more searching, disabled the GUI http redirect, and NGINX still would not start.

Reran sockstat and no port 80 is listed after changing the redirect setting.  Restarted the machine and no port 80 found using sockstat, but NGINX still shows the errors above with multiple bind() :80 failed messages.

Any advice would be appreciated.

Thanks
#4
General Discussion / Question on Firewall Rules
August 10, 2018, 07:30:42 PM
Hello,

I am trying to set up my security cameras (only one is connected to the network while I figure this out) with 3 goals:

  • The individual camera can email me if there is an alert (I have a separate email that is used only for this purpose)
  • The individual camera cannot be reached by the internet (all remote viewing will be done through OpenVPN)
  • The individual camera cannot reach the internet (so that they cannot be used as part of a botnet in the case that they ever become infected)

First, I created an alias for my security cameras and added the static IP I had set up for the camera (so I can just add IPs here as I add more cameras to the network).

I set up 3 rules in OPNsense:

  • Rule 1 - Action - Block, Interface - WAN, Protocol - any, Destination - security_cameras, destination port range - any (goal is to keep anything from the internet from reaching the camera)
  • Rule 2 - Action - Pass, Interface - LAN, Protocol - TCP, Source - security_cameras, Destination - any, Destination Port Range - from 587 to 587 (port needed for smtp.gmail.com with TLS on camera), (goal is to allow the cameras to contact the smtp server)
  • Rule 3 - Action - Block, Interface - LAN, Protocol - any, Source - security_cameras, Destination - any, Destination Port Range - any (goal is to block the cameras from reaching the internet)

Rule 1 is on the WAN rules page and Rules 2 and 3 are on the LAN rules page.  Rule 2 is higher on the list than Rule 3, so I thought that should take precedence.

If I have all 3 rules enabled, using the cameras test email setting, the email fails to send. 
If I have Rule 1 and Rule 2 enabled, and Rule 3 enabled, the camera test email will send.

I plan on using the same types of rules to block other items from the internet as much as possible as I add them back to the network, so if I could just get the basics down using this one example, I think I can move forward from there.  I was able to use aliases and WAN rules to get my Xbox ONE from a strict NAT to a moderate NAT using one of the threads on this forum.  With a little bit more research, I was able to get that NAT from moderate to open.

I'm hoping someone with more networking experience can help me out with this and help guide me on this.

Thank you.
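The reasoning about rule order can be checked by simulating it: OPNsense evaluates a packet against the rules of the interface it arrives on, top to bottom, and the first matching rule decides. The script below is an added example, not part of the post or of OPNsense; it encodes the three rules exactly as the post lists them and runs a few constructed packets through them (the camera, resolver and mail-server addresses are placeholders). Besides confirming that a TCP/587 connection from the camera hits Rule 2, it shows that any other traffic from the camera, including a UDP/53 DNS lookup, lands on Rule 3, which is worth knowing when a test that needs a name resolved fails.

```python
"""First-match simulation of the three firewall rules described in the post.

Added example, not part of the post or of OPNsense. Traffic that matches no
listed rule falls to the implicit default, modelled here as "block".
"""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (documentation ranges, not real hosts).
CAM = "192.0.2.10"                  # member of the "security_cameras" alias
FIREWALL_LAN = "192.0.2.1"          # where the cameras' DNS resolver would sit
MAIL_SERVER = "198.51.100.25"       # stands in for smtp.gmail.com
INTERNET_HOST = "203.0.113.7"

ALIASES = {"security_cameras": {CAM}}


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "WAN" or "LAN"
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "pass" or "block"
    iface: str
    proto: str          # "any" or a protocol name
    src: str            # "any" or an alias name
    dst: str            # "any" or an alias name
    dport: Optional[int]  # None means any destination port


def _addr_matches(spec, addr):
    return spec == "any" or addr in ALIASES[spec]


def rule_matches(rule, pkt):
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt, default="block"):
    """Return (action, rule name) of the first matching rule, else the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# The three rules from the post, in the order they sit on their tabs.
RULES = [
    Rule("Rule 1", "block", "WAN", "any", "any", "security_cameras", None),
    Rule("Rule 2", "pass", "LAN", "tcp", "security_cameras", "any", 587),
    Rule("Rule 3", "block", "LAN", "any", "security_cameras", "any", None),
]


def scenarios(rules=RULES):
    """Which rule each constructed packet hits under the given rule order."""
    return {
        "internet -> camera":   evaluate(rules, Packet("WAN", "tcp", INTERNET_HOST, CAM, 80)),
        "camera -> smtp 587":   evaluate(rules, Packet("LAN", "tcp", CAM, MAIL_SERVER, 587)),
        "camera -> web 443":    evaluate(rules, Packet("LAN", "tcp", CAM, INTERNET_HOST, 443)),
        "camera -> dns 53/udp": evaluate(rules, Packet("LAN", "udp", CAM, FIREWALL_LAN, 53)),
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label:22} -> {verdict[0]:5} ({verdict[1]})")
    print("with Rule 3 above Rule 2:",
          scenarios([RULES[0], RULES[2], RULES[1]])["camera -> smtp 587"])
```

The last line of the run shows why order matters: with Rule 3 moved above Rule 2, the mail connection is blocked before the pass rule is ever reached.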



#5
18.1 Legacy Series / [SOLVED] PPPoE with VLAN Tagging
August 03, 2018, 11:25:48 PM
Hello everyone.  It's been a while since I have posted, but I have learned a lot from many people here.

I have a Qotom q355-g4 running OPNsense 18.1.13 (waiting a little bit to upgrade to 18.7) sitting on my desk and I hope to be able to plug it back in as my main router.  The WAN is currently set as DHCP.

I upgraded to CenturyLink gigabit fiber service and had issues trying to connect the OPNsense box and resorted to using the ISP's gateway, so I pulled the OPNsense box until I had more time to figure this out.

Thanks to the help of many here and some other tutorials I found online, I was able to set up and successfully connect to 2 different OpenVPN servers through OPNsense, and I was also able to SSH in and install the Ubiquiti UniFi controller on the Qotom box.

Now I need to set up the VLAN-tagged PPPoE interface to connect to CenturyLink's service.  The VLAN tag is 201.   I have my PPPoE username and password (encrypted and non-encrypted).  I looked to see if there is a guide for noobs, but I am kind of at a loss.

The Qotom has four NICs (igb0 - WAN, igb1 - LAN, igb2 - OPT1, igb3 - OPT2).  I plan on using OPT1 later on as an LTE failover for certain IP addresses, but that is a future item.

I have set up a VLAN in Interfaces --> Other Types --> VLAN and made the following selections:

  • Parent Interface - igb0 - wan
  • VLAN tag - 201
  • VLAN Priority - Best Effort (0, default)

I'm not sure where to go from here.  I know I will need to go to Interfaces --> WAN and select PPPoE from the IPv4 Configuration Type and then enter my username, password, enable Dial-On-Demand, and enter 0 Idle timeout. 

What would I do after this point?

I appreciate any help on this.  Thanks in advance. 
#6
Hello.

I had hoped to have a better first post to the forum, but I keep coming to a dead-end to such a simple question.

This is my first time using OPNsense.  I had played around with another product in a virtual machine prior to ordering a Qotom q355-g4, but once I had the actual hardware, I decided to try OPNsense (for some reason, I had issues trying to load it into a VM, so I abandoned that endeavor until I had dedicated hardware).

I had the issue trying to do a bare metal clean install of 18.1 directly, so I installed 17.5 and then eventually upgraded to 18.1.4 through the GUI.

As I am still setting this up, I only have 1 computer in use behind it through wired LAN (double NAT behind the OPNsense box and ISP gateway; I will bridge the ISP gateway to PPPoE once the OPNsense setup is complete and tested).  I already have a Ubiquiti AC-Pro running for WiFi.  The OPNsense box is still connected to a keyboard and monitor in case I need to make changes on the console.

I am still learning a lot about networking and reading different forum posts and logs, but I have a really simple question.

Where can I find the command line to run scripts?  I looked throughout the GUI, used the search function (GUI, wiki, forums), Google, etc., but I am unable to find where to actually open the CLI to be able to run scripts.

Thanks in advance.