Topics

1

19.1 Legacy Series / Scheduled states not working

« on: June 19, 2019, 09:41:09 pm »

Hi,

This seems to be a long standing issue in pfsense as well and since several years back:
https://forum.netgate.com/topic/69331/scheduled-blocks-won-t-work-without-manual-states-reset/2

Long and the short of it; in order to restrict kids' access to Internet at certain times of the day I've got the following rules:

Alias: kids' devices (KD)

Enable kids' devices to any, source KD, on schedule
Block kids' devices to any (source KD)
Default allow any other LAN to any (source !KD)

This almost works... except that states are not killed when the scheduled pass rule expires. So any new connection is blocked as expected, but already open ones are kept alive, which means the kids continue to play... until they have to switch page or whatever and suddenly find themselves locked out.

Firewall -> Advanced -> Schedule States is UNchecked (somewhat non-intuitively, but that's what everyone says)

As mentioned and as per the link above this seems to be an old issue and inherited into opnsense..?

Any ideas...?

2

19.1 Legacy Series / auto proxy discovery

« on: March 11, 2019, 10:12:49 pm »

Hi all,

I've been trying to get auto discovery of my web proxy to work on my LAN with limited success and I'm not sure how to debug it so wondering if there are success stories out there or if this is just intrinsically flaky with a diverse set of clients...?

My test client is Mac OS X 10.14.3. I have followed the guide, although not managing to make it work, experimented a bit further. My current config in OPNSense generates this file:

Code: [Select]

/*
  PAC file created via OPNsense
  To use this file you have to enter its URL into your browsers network settings.
*/
function FindProxyForURL(url, host) {

if (!((isPlainHostName(host)) || (shExpMatch(host, "*.mydomain.com")))) {
return "PROXY 192.168.200.1:3128";
}

   // If no rule exists - use a direct connection
   return "DIRECT";
}

... which I think should work. I have added an option to the DHCP server to send the URL on field 252 according to the instructions.

Indeed, on the client:

Code: [Select]

$ scutil --proxy
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://192.168.200.1/wpad.dat
  ProxyAutoDiscoveryEnable : 1
}

... looks promising (the URL is picked up from DHCP).

HOWEVER. Safari completely ignores the proxy setting and just loads pages direct instead. Chrome on the other hand actually honours the proxy setting... unless in "incognity mode" in which case it also ignores the proxy setting and hits the pages directly! I can see this by following Squid's access log while loading up different pages on the client using various browsers.

Do I need to block direct access in order to get the browsers to actually use the proxy settings specified?

Very odd... Anyone got experience from this?

3

General Discussion / Access from LAN to DMZ

« on: April 14, 2018, 06:37:04 pm »

Hi! I've got a weird problem and can't figure out what I'm doing wrong.

Setup:
LAN: 192.168.200.1/24
DMZ: 192.168.1.1/24

When I'm done I'm going to let LAN access DMZ but not the other way around. For now I've left the default LAN "pass everything" and added the equivalent for DMZ (interface DMZ, source DMZ net, dest any, action Pass).

However when I access DMZ from LAN I get dropouts and timeouts (e.g. when setting up NFS connection). Debugging this, accessing a web management GUI in the DMZ from my laptop on the LAN, some packets are let through on the basis of the default LAN rule but then some dropped on the default deny, and I can't see the reason for this at all.

See attached opn1.jpg screenshot from the Live View firewall log and opn2.jpg from the drill down of one of the blocked connections - how can that not be caught by the same default pass rule?

Also, I don't understand why "default allow LAN to any" comes in pairs with DMZ "let anything out from firewall itself".

Totally stumped on this so would appreciate pointers!

4

General Discussion / Opnsense as Internet gateway for IPSec road warriors

« on: March 18, 2018, 04:45:16 pm »

Hi! First post on the forum. Just installed opnsense on a Qotom i5 mini pc at home and got it up and running fine (as router + firewall). I also managed to configure IPSec for road warriors as described here: https://wiki.opnsense.org/manual/how-tos/ipsec-road.html. All good so far and very happy!

There is however one thing I cannot figure out. When I connect to my opnsense firewall via IPSec (as road warrior) I would like to access my LAN (works) but also use my opnsense as Internet gateway (i.e. NAT through the WAN as if I would have been on the internal lan already). I cannot figure this out.

My setup:
VPN -> IPSec -> Mobile Clients; Virtual Address Pool = 10.10.0.0/24, DNS Servers = 192.168.1.1
Firewall -> Rules -> IPSec; single rule allowing anything to anything on the IPSEC interface
Firewall -> NAT -> Outbound; Hybrid outbound NAT rule generation, added a rule Interface = WAN, Source address=10.10.0.0/24, Translation / target = Interface address.

With this, I can connect to the VPN from an iOS client and successful access the LAN. When I try to load external pages from iOS Safari, I can see the connections being let through in Firewall -> Log Files -> Log view however iOS does not get any response and eventually times out.

I cannot figure this out... Would appreciate some pointers!

I'm running OPNsense 18.1.4-amd64 by the way...