Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - StP

Pages: [1] 2

24.7 Production Series / Certificate webConfigurator default is not intended for server use

« on: August 12, 2024, 03:52:46 pm »

While preparing to update from 24.1.10_8 to 24.7.x I'm reading through this forum and find I should adhere to

https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces

and set "System->Settings->Administration->Web GUI->Listen Interfaces" to All (Recommended).
I had it set to LAN since the beginning (2016 I think).

Problem:
No matter which setting I try to change on that page I get
"Certificate webConfigurator default is not intended for server use"
I do not use a certificate in that configuration. Or am I?
I see a "webConfigurator default" certificate under "System->Trust->Certificates" but that has expired more than eight years ago.

Not sure what to do!?

See attached screenshots.

23.1 Legacy Series / Missing dependencies

« on: March 24, 2023, 09:15:19 am »

I just updated a system from 23.1.2 to 23.1.4_1 and found the following in the update protocol:

Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

Anything I need to worry about?
Is there something I need to do?

21.1 Legacy Series / NAME:WRECK Is OPNsense vulnerable?

« on: April 21, 2021, 11:43:42 am »

I just read that FreeBSD 12.1 has some issues with its TCP/IP stack that make it vulnerable for Remote Code Execution attacks that go by the name of NAME:WRECK.

I'm alarmed as we use OPNsense 21.1.4 to secure our company network.
Do I need to worry?

Hardware and Performance / Migrate configuration from AMD GX-416RA to AMD GX415GA

« on: September 10, 2020, 02:27:21 pm »

I have two Deciso A10 appliances. One with a GX416RA SOC, the other has a GX415GA SOC.
The first one is currently active, the second one should provide some redundancy (cold stand-by).
So I want to export the config of the GX416 and load it into the GX415.
As I already found out I have to rename the network interfaces from igb0 to em0 etc.

Now when testing I can connect to the stand-by machine and I see that its WAN interface is connected to the internet.
But not a single data packet is moving from LAN to WAN and vice versa.

What else do I need to change in the config?

20.1 Legacy Series / [Modified] No traffic from secondary local network to WAN

« on: April 14, 2020, 08:19:37 pm »

After the update to 20.1.4 I seeing some NAT problems.
This is on a Deciso DEC2630 or DEC2640 device.
I have two internal - physically seperated - networks. LAN on igb0 (172.16.30.1/16) and a new one called BBB on igb2 (172.31.30.1).
WAN is on igb1 with a fixed IP.
I have some NAT rules to 172.16.x.x which are all LAN clients. These still work.
And I have some rules to 172.31.0.2 which is a server in the BBB network. These do not work anymore after the update. The server itself is listening to all ports, I checked that from behind the firewall. Coming in over WAN I only get connection timeouts (10060).
I double ( and triple) checked my rules. They look good and unchanged.

Any changes in the last update that could cause this trouble?

Is there an easy way back to 20.1.3 to do some cross checks?

Regards, stay safe
Stefan

18.1 Legacy Series / [SOLVED] Mysterious IP address

« on: April 11, 2018, 04:57:55 pm »

I just found an unknown IP (192.168.0.45) in our network. It replies to a ping and looking at the reply with Wireshark the answer originates from the LAN interface of our OPNsense firewall. We never used 192.168.x.x here at the company, so I'm quite sure I did not configure it somewhere. And looking through the firewall's config I don't find any place where this is set.

Clueless here, anyone with an idea?

Stefan

Edit (fabian): Mark as solved

17.7 Legacy Series / Blocking WEBDAV?

« on: August 07, 2017, 02:20:35 pm »

According to this

http://borncity.com/win/2017/08/07/us-cert-warns-microsoft-windows-lnk-vulnerability/

we should block outgoing SMB and WEBDAV traffic to close some attack vectors which can be used by the vulnerability.

How to block WEBDAV in OPNsense?

Stefan

16.7 Legacy Series / Time to upgrade?

« on: February 27, 2017, 11:26:42 am »

With 17.1.2 now out what is the common sense about upgrading from 16.7.14?
Production systems on Deciso hardware (OPN20077R-EUPC3-S2YN).
Any known risks still lurking?

Is 16.7.14 still safe? Or are there known security issues?

Best regards
Stefan

16.7 Legacy Series / Captive Portal: Dropped vouchers still valid?

« on: September 28, 2016, 05:00:01 pm »

- Create voucher
- Use voucher to connect a device over WIFI -> works
- Disconnect device
- Drop voucher
- Reconnect device over WIFI -> still works

Is this WAD?
I'd expect a dropped voucher to be invalid even if its validity period is not yet expired.

Best regards
StP

16.7 Legacy Series / Captive Portal not working with Android devices

« on: September 09, 2016, 08:48:42 am »

It seems the general discussion forum is not (regularly) visited by OPNsense developers. So I'm reposting here...
------

We did set up a guest WIFI access point following

https://docs.opnsense.org/manual/how-tos/guestnet.html?highlight=captive%20portal

It works fine for Windows PCs and iOS devices.
But Android devices do not show the login screen.
Neither automatically (as my iPhone does) nor after opening a browser and entering an arbitrary URL.

Any ideas?

Stefan

General Discussion / Using Captive Portal with Android devices

« on: September 01, 2016, 10:46:56 am »

We did set up a guest WIFI access point following

https://docs.opnsense.org/manual/how-tos/guestnet.html?highlight=captive%20portal

It works fine for Windows PCs and iOS devices.
But Android devices do not show the login screen.
Neither automatically (as my iPhone does) nor after opening a browser and entering an arbitrary URL.

Any ideas?

Stefan

16.7 Legacy Series / Hanging script

« on: August 16, 2016, 03:43:41 pm »

If I log into OPNsense, navigate to the dashboard and just leave it alone for some hours I get an error message about a hanging script. This is the link mentioned in the error box:

https://172.16.30.1/ui/js/d3.min.js:2

My dashboard shows:
- Traffic graph
- Interface statistics
- System information
- Interface list

OPNsense 16.7.1
Browser: Firefox 48.0

Regards
Stefan

16.1 Legacy Series / [SOLVED] Captive Portal - Add user to create/drop vouchers

« on: July 28, 2016, 12:13:34 pm »

Hi,

as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".

Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?

2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not by intention, is it?

Regards
Stefan

16.1 Legacy Series / [SOLVED] Unable to check for Updates

« on: March 07, 2016, 11:24:15 am »

Hi!

I have two similar Deciso firewall boxes (OPNsense A10 Quad Core SSD rack OPN20077R) with this installed:

OPNsense 16.1.5-amd64
FreeBSD 10.2-RELEASE-p12
OpenSSL 1.0.2g 1 Mar 2016

When I "Click to check for Updates" on the dashboard I get this on one of the boxes:

Warning:
stream_socket_client(): unable to connect to unix:///var/run/configd.socket (Connection refused) in
/usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php on line 93 Connection Error
Click to retry

Don't know what to do. Retry doesn't help.
The other box is working fine and shows one available update.

Any help welcome...

Best regards
Stefan

15.7 Legacy Series / Status graph UI issue

« on: November 13, 2015, 01:23:39 pm »

Hi,
see attached picture.

As you can see the graph itself shows high incoming traffic and very low outgoing traffic.
In reality it is the other way around.
The list on the right has it right.
One upload from 172.16.1.23 is generating the outgoing traffic.
Incoming traffic is necligible.

Looks a bit mixed up.

Stefan

Pages: [1] 2