Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - amichel

Pages: [1]

24.7 Production Series / FIXED: After Applying 24.7.4_1 IPSec fails to initiate Phase 2

« on: September 16, 2024, 03:51:37 pm »

Hi,
after applying the hotfix 24.7.4_1 on my two Opnsense boxes during the IpSec negotiation I see the error:

Code: [Select]

"parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]"
received NO_PROPOSAL_CHOSEN notify error

Any ideas if there is some conection to the update?

Zenarmor (Sensei) / Devices detecting the same devices over and over.

« on: February 02, 2024, 09:25:15 pm »

When I review my setup, I see the same devices being "discovered" as new devices over and over again although the devices themselves remain the same. It might be that the IP Address is changing but in an environment with DHCP that should be expected.
Is there any intention to make this more reliable?
At the moment it is impossible to create a Policy to block untrusted devices and assume all new devices are untrusted.

24.1 Legacy Series / FIXED: Certificate Admin website changes no Access possible

« on: January 30, 2024, 08:04:22 pm »

I have more certificates stored on my box. One as Webcertificate for the Admin Gui and another one for Haproxy to be used.
After boot without any change the Admin Website is using the certificate for my mail server mail.domain.com instead of opnsense.domain.com and I am logged out of the website.
Any Idea what to do here?

UPDATE:
I removed the wildcardcertificate and kept only the two certificates needed. Additionally I disabled HSTS in the admin website to at least have access to the box if the wrong certificate is presented.
Nothing works.
After a couple of minutes when I connect to the admin website I am presented with the mail.domain.com cert and then not being able to log on as hsts is presented. Which is enabled on HA proxy. Looks like HAproxy is interfering here and hooks on the admin website.
UPDATE 2:
Looks like Benerages is right it has something to do with haproxy. Once I stop haproxy I can access the Webinterface.

Zenarmor (Sensei) / Zenarmour 1.16 stale Devices delete

« on: December 25, 2023, 10:54:47 am »

I see that Zenarmour is adding devices more than once. This could be because of changing MAC addresses for example in Windows and Android.
Is there an automatically cleanup process implemented that removes sale devices, or is the only option to delete them one by one?

22.1 Legacy Series / Ha Proxy SSL Offloading Exchange on 2022

« on: April 29, 2022, 03:24:53 pm »

Hi,
Publishing Exchange with offloading through haproxy works like a charm as long as the OS of the Exchange server is Windows Server 2019.
Now when installed on Windows 2022 the connections fails.
looking at the logs I see in the working configuration:

Code: [Select]

Exchange_Frontend_Offloading~ Exchange_Offloading/MAil_Real_Offloading 0/0/37/137/174 500 679 - - ---- 1/1/0/0/0 0/0 "GET /autodiscover/autodiscover.json

While in the non working I get:

Code: [Select]

Exchange_Frontend_Offloading~ Exchange_Offloading/MAil_Real_Offloading 0/0/0/1/1 400 459 - - ---- 2/1/0/0/0 0/0 "POST /autodiscover/autodiscover.xml HTTP/1.1"

Any idea where I can look?
It might be because Windows 2022 enables TLS 1.3 per default but even when I disable it it does not work.
Accessing the server directly works so it is something between the Server and haproxy.
amichel

22.1 Legacy Series / 22.1.3 DDNS Client error - Workarounded

« on: March 18, 2022, 07:43:06 am »

Hi,
after upgrading to 22.1.3 the new DDNS client does not work.
In the log file I see

Quote

file /var/tmp/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''

Any Ideas where I can dig into?
amichel

21.7 Legacy Series / Disable Gateway and reenable from the command line

« on: January 17, 2022, 07:53:40 am »

Hi all,
my current VPN configuration to azure is disconnecting when I get a new dynamic IP Adress from my ISP. While the VPN tunnel is automatically recreated, the connection to Azure is not established as long as I do not disable the Gateway and reenable it (I am using a route based IPSEC connection).
So I do have the possibility to automate this with zabbix, sending a remote command to the Opnsense box, but I am missing the correct command to do that
I tried to ifconfig down and ifconfig up on the IPSEC interface but this did not help.

Any help to send me in this direction would be highly appreiciated.

amichel

21.1 Legacy Series / HA-Proxy Oauth/ADFS Token Issue

« on: March 02, 2021, 09:27:14 pm »

Hi all,
I decided to go for HA Proxy as a reverso proxy as my current implementation ofr Port forwarding to a Web Application Proxy does not help in using Exchange HMA as the WAP does not correctly forward the authentication Request. So after some fiddling around I was successfully able to configuere that with Ha Proxy and now I end uzp in another Issue I can't fix.
Additionally I am using Work Folders which can use ADFS/Oauth authentication, and if using an Azure AD Joined device are able to do device based authentication.
For some reson this does not work with HA Proxy. I did a fiddler trace, but usually the only thing I see from the client side is that the request simply times out.
In the Clients Event Log I see that the device does not get an JWT from the ADFS Server and in the ADFS Eventlog I see:
"The refresh token received in 'refresh_token' parameter is invalid. The device identifier in the token does not match the specified device certificate"

So for me that looks like the cert of the client is not passed through.
It works when using the WAP as reverse Proxy and ADFS Proxy. I have to use TCP as I rely on SNI for correctly forwarding the servers and because ADFS does not support offloading.

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    maxconn                     50
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             128
    log 10.168.1.39 local0 info
cache opnsense-haproxy-cache
    total-max-size 8
    max-age 120

defaults
    log     global
    option redispatch -1
    maxconn 50
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats



# Frontend: Frontend_443_SNI (All Backends to be placed here)
frontend Frontend_443_SNI
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    # tuning options
    timeout client 30s

    # logging options
    option tcplog
    # ACL: Condition_Traffic_SSL
    acl acl_603c864d90ff52.36940379 req_ssl_hello_type 1
    # ACL: Condition_Certauth_FS_SNI
    acl acl_603de074a90f78.82060934 req.ssl_sni -i certauth.fs.domain.com
    # ACL: Condition_FS_SNI
    acl acl_603c8693c29905.84827726 req.ssl_sni -i fs.domain.com
    # ACL: Condition_MAIL_SNI
    acl acl_603d2cefa4baa3.21722062 req.ssl_sni -i mail.domain.com
    # ACL: Condition_MAIL_autodiscover
    acl acl_603d3dd94f1241.73969723 req.ssl_sni -i autodiscover.domain.com
    # ACL: Condition_workfolders_SNI
    acl acl_603d5286ac0958.05383484 req.ssl_sni -i workfolders.domain.com
    # ACL: Condition_Sync_SNI
    acl acl_603d52af5c2b72.14160560 req.ssl_sni -i sync.domain.com

    # ACTION: RULE_Inspect_Delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 60s 
    # ACTION: RULE_Acccept_SNI_SSL
    tcp-request content accept if acl_603c864d90ff52.36940379
    # ACTION: RULE_WAP_SNI
    use_backend WAP_Pool if acl_603de074a90f78.82060934 || acl_603c8693c29905.84827726
    # ACTION: RULE_Mail_SNI
    use_backend Mail_Pool_SNI if acl_603d2cefa4baa3.21722062
    # ACTION: RULE_Autodiscover_SNI
    use_backend Mail_Pool_SNI if acl_603d3dd94f1241.73969723
    # ACTION: RULE_Workfolders_SNI
    use_backend Workfolder_Pool if acl_603d5286ac0958.05383484
    # ACTION: RULE_Sync_SNI
    use_backend Workfolder_Pool if acl_603d52af5c2b72.14160560

# Frontend: Frontend_HTTP (Backend for HTTP)
frontend Frontend_HTTP
    bind 0.0.0.0:80 name 0.0.0.0:80 
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Condition_CRL
    acl acl_603d60d79b7ae4.11560289 hdr_beg(host) -i crl.domain.com

    # ACTION: RULE_Crl
    use_backend CRL_Pool if acl_603d60d79b7ae4.11560289

# Backend: WAP_Pool (Web Application Proxy Pool)
backend WAP_Pool
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server WAP_Real wap.sub.domain.com: 

# Backend: Mail_Pool_SNI (Mail Pool)
backend Mail_Pool_SNI
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server Mail_Real_SNI msx.sub.domain.com: 

# Backend: Workfolder_Pool (Pool Workfolder)
backend Workfolder_Pool
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 5s
    timeout server 30s
    server Workfolder_Real sync.sub.domain.com: 

# Backend: CRL_Pool (Pool fÃ¼r CRL)
backend CRL_Pool
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server CRL_REAL dc2.sub.domain.com:

If anyone sees if there is a glitch in my config I highly appreiciate any help here
amichel

Zenarmor (Sensei) / SOLVED: Remote Database not available Webgui not reachable

« on: November 17, 2020, 06:32:30 pm »

Hi,
I am using Sensei on my APU box with a remote elasticsearch database. Once I power down the database server I am not able to connect to the Webgui of opnsense as it does not respond anymore. Internet Access and ssh access is still working and once the database is reachable again, logging on to the Webgui is possible.
I just wanted to know it that is an expected behavior and if there is any other workaround on the shell to reach the Gui?
amichel

20.7 Legacy Series / SOLVED: Wireguard UI not writing config in 20.7.4

« on: November 02, 2020, 07:25:21 pm »

Hi,
I just found out that adding an endpoint in Wireguard in 20.7.4 through the gui does not work. It took some time to figure out. When adding the endpoint in the /usr/local/etc/wireguard/wg0.conf file it works like a charm.
amichel

Intrusion Detection and Prevention / Log Rotation not working

« on: June 14, 2019, 07:57:26 am »

Hi all,
I have my suricata log configured to rotate daily and to keep them for 5 days.
However the log doesn't get neither rotated nor truncated. What I see is that my stats.log keeps growing and growing. Changing the value in the UI did not help either. Is there a config file where I can look up what is configured there to see if modification of this file would help?

amichel

Intrusion Detection and Prevention / [SOLVED ]ET Telemetry Rules no autoupdate

« on: March 19, 2019, 07:13:07 am »

Hi,
My telemetry rules do not autouodate. I see in the log that other rules for example fedo tracker do update. The widget shows that my account is active and a manual update works also.
Any help where to look is appreciated.

EDIT: Looks like this was an intermediate issue. On both Systems which are connected to different networks and location the rules updated tonight.

19.1 Legacy Series / [Solved]: Ntpd stops every 10 minutes

« on: February 01, 2019, 12:51:59 am »

Hi,
So I am on V 19.1 on my Apu2c4 and all is fine, besides the fact that the ntp service stops after 10 minutes with an error stating that it nannot allocate memory.
So at the moment monit is configured to start the service but still that is an issue that appeared after the upgrade and worked before.
Is that a known issue?

Gesendet von meinem EML-L29 mit Tapatalk

18.7 Legacy Series / [SOLVED:] History and revert

« on: January 18, 2019, 11:15:38 am »

Hi,
I do apologize for the stupid question but when I look at System-Configuration-History in 18.7.10, there is no option to go back to a previous config. I could swear that in previous versions there was this option available in the GUI.
Has this been removed and is there an option from the shell to revert to a previous version?
thank you,
amichel

18.1 Legacy Series / [SOLVED] GuestWlan and Firewall Rules ignored

« on: July 13, 2018, 10:42:24 pm »

Hi,
I am running OpnSense 18.1.11 on an APU2c4 with a WLE200NX for my Guest Wlan.
I followed exactly the instructions as in https://wiki.opnsense.org/manual/how-tos/guestnet.html and the captive portal works like a charm.
However once I enter the voucher code in the captive portal no firewall rule is applied to the guest Wlan. The blocking rules to the LAN are completely ignored and I do have full access to the internal network.
My Wlan is not setup through a bridge but rather configured as an interface GUEST from the Parent ath() device.
Is this behaviour expected for Wlan cards which are connected internally, or could someone please shed some light here what is going on here and send me into the right direction please?
Thank you
amichel

Pages: [1]