Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - abij

Pages: [1]

Intrusion Detection and Prevention / Automated update of SSL Fingerprint blocking rules possible?

« on: January 13, 2021, 04:42:12 am »

Hello,

As of now, we can use Services: Intrusion Detection: Administration to add User-defined rules to block domains associated with given SSL Fingerprint. This is a manual process since when define the rules we have to copy and paste SHA1 of the certificate. Is there a way to update the rule automatically when the cert expires, e.g., say

35:00:2E:BF:32:62:B6:6D:0F:EA:A2:E6:72:26:D6:51:3F:7F:CB:42

is the SHA1 for the cert of this forum, it expires 2/17/2021. Do we have a design such that a week before the expiration date, as in the above example, 2/10/2021, OPNsense can query about a potential new cert then extract the new expiration date, so that user defined rules can be renewed with an update using the new SSL Fingerprint?

Thanks.

20.1 Legacy Series / FreeRadius handshake failure with Android and Windows devices

« on: July 24, 2020, 01:21:09 am »

Hello,

I am running OpnSense on 20.1.9 with plugin os-freeradius 1.9.7 installed. Windows 10 & 7 and Android 10 devices won't connect to a WPA2 Enterprise wireless network set up with EAP type: MSCHAPV2. Connections to the same WPA2 Enterprise network using devices with Mac Catalina 10.15 and Debian 10 are OK. Details of the handshake failure were captured when radiausd debug mode was enabled. The most relevant part was highlighted in red. See below.

According to the error, there is a mismatch of TLS versions, but I am confused, is it freeradius requiring TLS 1.3 or the user is only capable of TLS 1.3?

Thanks.

(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(11) eap_peap: Got complete TLS record (131 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: (other): before SSL initialization
(11) eap_peap: TLS_accept: before SSL initialization
(11) eap_peap: TLS_accept: before SSL initialization
(11) eap_peap: <<< recv TLS 1.3 [length 007e]
(11) eap_peap: >>> send TLS 1.2 [length 0002]
(11) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(11) eap_peap: ERROR: System call (I/O) error (-1)
(11) eap_peap: ERROR: TLS receive handshake failed during operation
(11) eap_peap: ERROR: [eaptls process] = fail
(11) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 2 length 4
(11) eap: Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11) Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject: --> LGN5
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11) [attr_filter.access_reject] = updated
(11) [eap] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # Post-Auth-Type REJECT = updated
(11) Login incorrect (eap_peap: TLS Alert write:fatal:handshake failure): [LGN5/<via Auth-Type = eap>] (from client Home AP port 23 cli 8c3ae3735337)
(11) Delaying response for 1.000000 seconds

19.7 Legacy Series / dnscrypt-proxy not available as an installable plugin

« on: September 24, 2019, 05:56:20 am »

Hello,

My router is on

OPNsense 19.7.4_1-i386
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

Is it true that dnscrypt-proxy plugin is not available for i386 firmware? I cannot find it as an installable plugin under tab System:Firmware:Plugins.

Thanks.

19.1 Legacy Series / Renew Letsencrypt cert on server behind Opnsense router (haproxy w/ send_proxy)

« on: February 05, 2019, 07:10:34 pm »

Hello,

My web server (only one server active when renewing cert) is behind an Opnsense router with hdproxy. Haproxy was set up with "Option pass-through: Add send-proxy" under "Real Servers Tab". This is used for logging real IPs of those who visited my website. But when send_proxy is present as pass-through option, Letsencrypt cert (on the server, not Opnsense router) has difficulties renewing itself. It will show error "Type: connection Detail: Error getting validation data".

As soon as I turn off "Option pass-through: Add send-proxy", I can renew cert without problems. So this means, I cannot use crontab to auto renew certificate; rather, I have to turn send_proxy on and off whenever I have to renew a cert.

I was wondering if there is an automatic way of keeping send_proxy and renewal of Letsencrypt cert.

Thanks.

18.1 Legacy Series / Does hard drive's health affect integrity of internet traffic?

« on: June 15, 2018, 04:36:21 pm »

Hello,

I was wondering besides providing OS, saving configurations and logging what else does a storage device do in OPNsense. More importantly, does a hard drive's health affect the integrity of data packets passing through OPNsense? Or the data filtering happens in RAM so hard drive is not relevant?

I ask this question since I am new to OPNsense and at this stage I am playing with a retiring hard drive which SMART plugin reports it is failing. But the whole OPNsense set up has been running for days and my use of internet seems fine.

Many thanks in advance.

18.1 Legacy Series / [SOLVED]OPNsense installed but no ipv4 internet for home network

« on: June 13, 2018, 08:27:01 pm »

EDIT: I got it working. During setting interface I unchecked 'track ipv6' then it worked.

Hello,

I am new to OPNsense and please bear with me for my stupid questions.

I recently turned an old thinkpad x40 to an OPNsense appliance with the
following hardware set up

- thinkpad x40 (provides cpu + ram)
- thinkpad docking base (provides hard drive + one LAN port)
- SMC cardbus ethernet plugged into thinkpad (provides one WAN port)

I have installed the latest OPNsense on this appliance and updated it. However I
don't know how to and where should I insert it to my current network. What I
want is just use it as a firewall for my home network.

My current network topology is like this

Internet --> ATT NGV599 modem (IP passthrough) --> (WAN port connected) Netgear
AR6250 wifi router --> one LAN port connected server + several WIFI devices

My intention is to insert the OPNsense appliance between the modem and router so
the traffic can be firewalled, i.e., the new topology would become

Internet --> ATT NGV599 modem --> [intended] cable goes to WAN interface of
OPNsense thinkpad then let thinkpad LAN port connect to --> (LAN port connected)
Netgear AR6250 router --> one LAN port connected server + several WIFI devices

But the problem now is there is no internet access coming out of LAN of
OPNsense. What I did was

- I plugged cable from modem into the thinkpad WAN port
- Then the OPNsense thinkpad LAN port went to my computer directly for testing
the internet access
- The computer (on windows 10) immediately after OPNsense thinkpad appliance
could not visit the Internet. It says it has IPv6 Internet however no access
to any website (I tested google.com).

Any suggestions? Thanks in advance.

Pages: [1]