Topics - The_Sage

#1
19.1 Legacy Series / IPv6 hosts aliases not working.
April 15, 2019, 10:07:46 AM
Hello all

I have an alias, host_Webservers, with the 2 IPv6 addresses of my 2 web servers (public IPs).
When I create a WAN rule to allow port 443 through to the web servers, it gets blocked by the default deny rule.

If I create 2 rules, one for each server, instead of using the alias, it works as expected.

Has anyone any ideas?

Just noticed it doesn't seem to work for any aliases, only IP addresses for the source or destination.
#2
Hi, has anyone had the experience of setting up an OPNsense firewall to work how you want and moving it to another location to have it FAIL.. (in particular Squid with SNI, a few SSL Bump additions, a restrictive firewall to allow only web access through the proxy)

This setup works like a charm, with speedtests (speedtest.net) reaching maximums I have recorded.
I then take this firewall to a customer's premises and change the WAN IP address, re-set up the gateways, etc., to have the firewall just be a brick.

The only change is the WAN IP address and gateway. Web browsing is sporadic and random. There appear to be no issues looking at the logs in the GUI.

I haven't been able to look any more closely, as I needed to get this firewall going for the client (had to set it up like an ISP modem :-[). I then take the firewall back to the office, change the gateways again and it works as expected.

Another random issue with 18.7 was trying to get the failover going. After 2 weeks (client break) I went to troubleshoot, and the failover was just miraculously working. NO CHANGES.

Is there any sort of caching, in RRD databases, Squid cache etc., that may cache or otherwise still retain the OLD WAN address and/or gateway? (This is the thread I was troubleshooting with this older gateway issue.)

Has anyone had any similar issues?

The Sage !!
#3
I have tried pfSense SSL man in the middle years ago and ran into many issues, and have picked it up again in OPNsense. I have managed to get many annoying things going, but still have issues with several aspects (described later) that are show stoppers. The current docs are adequate to start the Web Proxy, but there are many things not documented. This is by no means a dig at the developers, more of a plea to the community to contribute to this AWESOME project.

With my understanding of the mission ".. the most widely used open source security platform." we need to band together and consolidate our knowledge into documentation so we can continue to make this the BEST security platform available and make it more accessible and straightforward to new users.

How can we get these questions answered and incorporated into the Docs / Wiki after they are confirmed as actual best practices for the problem they solve?

I will start.

Here is a list of how I solved some common issues (sourced from this forum, the web and some deep dark areas of my brain).

iPhone App Store: add these to No Bump: .apple.com, .cdn-apple.com, .icloud-content.com, .itunes.com, .nzstatic.com.

Bypass proxy altogether: create alias "No_Proxy", add IPs of devices to completely bypass. Edit the NAT rules for transparent mode with the source set to the inverted alias.

I added home PlayStations and Xboxes to the No_Proxy alias so they would connect to the PS network.

On iOS devices, how do I get Instagram videos to play with the transparent Squid SSL proxy?

We can't just add hosts to the No_Proxy alias so one program / one app / one feature works. This defeats the purpose of the transparent Squid proxy.

Can we get ideas and solutions in one place so we can try to add these to the wiki / docs?

#4
I would like to see an alias type URL Table (Ports), similar to the URL Table (IPs).

Use case.

Changing the port on clients' web app can easily be done by changing the ports file in the URL. Within the frequency time frame, ALL clients' firewalls using this alias URL (Ports) will be updated.

#5
18.7 Legacy Series / IP Alias not working in NAT Rule.
January 08, 2019, 06:25:49 AM
Hello all.
I have a NAT rule that works as expected ..

WAN    TCP    *    *    WAN Address    80 (HTTP)    192.168.0.254    80 (HTTP)   ::  (WORKS) :D

If I include a source IP alias (so NAT only works from the source IP alias), the NAT does NOT work.

WAN    TCP    SourceIPs    *    WAN Address    80 (HTTP)    192.168.0.254    80 (HTTP)   ::   (doesn't work)  >:(

Here is the log of the packets dropping
filterlog: 11,,,0,pppoe0,match,block,in,4,0x0,,117,834,0,DF,6,tcp,52,5.x.x.x,124.x.x.x,30518,80,0,S,501560329,,64240,,mss;nop;wscale;nop;nop;sackOK

Live view says "Blocked by default deny rule".

However, if I use an IP address, the same one that came from the alias, the NAT works:
WAN    TCP    59.X.X.X    *    WAN Address    80 (HTTP)    192.168.0.254    80 (HTTP)  ::  (WORKS ) ;D

How should I accomplish this?
What is the best way to go about NATing only from a certain IP address?

NB. SourceIP alias is a Hosts alias with 2 entries, 2 of my public IP addresses.
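To read the dropped-packet line above without counting commas, here is an added example (not from the original post or from OPNsense itself) that splits a filterlog record into named fields. The field order follows the filterlog CSV layout and, as a generalisation beyond the IPv4/TCP line in the post, also handles IPv6 and UDP records; the sample line is the one quoted in the post, with the addresses partly masked by the poster.

```php
<?php
// Added example, not from the original post: decode an OPNsense filterlog
// line into named fields so a dropped packet can be read at a glance.
// Field order follows the filterlog CSV layout (IPv4 and IPv6, TCP and UDP).

function parseFilterlog(string $line): array
{
    // Drop the syslog prefix up to and including "filterlog: ".
    $csv = preg_replace('/^.*?filterlog:\s*/', '', $line);
    $f   = explode(',', $csv);

    // Common header: rule number, sub-rule, anchor, tracker label, interface,
    // reason, action, direction, IP version.
    $rec = [
        'rule'      => $f[0] ?? '',
        'subrule'   => $f[1] ?? '',
        'anchor'    => $f[2] ?? '',
        'label'     => $f[3] ?? '',
        'interface' => $f[4] ?? '',
        'reason'    => $f[5] ?? '',
        'action'    => $f[6] ?? '',
        'direction' => $f[7] ?? '',
        'ipversion' => (int) ($f[8] ?? 0),
    ];

    if ($rec['ipversion'] === 4) {
        // IPv4 header: tos, ecn, ttl, id, offset, flags, proto id, proto name,
        // length, source, destination.
        [$tos, $ecn, $ttl, $id, $offset, $flags, $protoId, $proto, $length, $src, $dst]
            = array_pad(array_slice($f, 9, 11), 11, '');
        $rec += compact('tos', 'ecn', 'ttl', 'id', 'offset', 'flags', 'protoId', 'proto', 'length', 'src', 'dst');
        $rest = array_slice($f, 20);
    } elseif ($rec['ipversion'] === 6) {
        // IPv6 header lists the protocol name before its number.
        [$class, $flowLabel, $hopLimit, $proto, $protoId, $length, $src, $dst]
            = array_pad(array_slice($f, 9, 8), 8, '');
        $rec += compact('class', 'flowLabel', 'hopLimit', 'proto', 'protoId', 'length', 'src', 'dst');
        $rest = array_slice($f, 17);
    } else {
        return $rec;
    }

    if ($rec['proto'] === 'tcp') {
        [$sport, $dport, $datalen, $tcpFlags, $seq, $ack, $window, $urg, $options]
            = array_pad($rest, 9, '');
        $rec += compact('sport', 'dport', 'datalen', 'tcpFlags', 'seq', 'ack', 'window', 'urg', 'options');
    } elseif ($rec['proto'] === 'udp') {
        [$sport, $dport, $datalen] = array_pad($rest, 3, '');
        $rec += compact('sport', 'dport', 'datalen');
    }
    return $rec;
}

// The line quoted in the post (addresses partly masked by the poster).
$line = 'filterlog: 11,,,0,pppoe0,match,block,in,4,0x0,,117,834,0,DF,6,tcp,52,'
      . '5.x.x.x,124.x.x.x,30518,80,0,S,501560329,,64240,,mss;nop;wscale;nop;nop;sackOK';

$p = parseFilterlog($line);
printf("%s %s on %s: %s:%s -> %s:%s %s flags=%s (rule %s)\n",
    $p['action'], $p['direction'], $p['interface'],
    $p['src'], $p['sport'], $p['dst'], $p['dport'],
    $p['proto'], $p['tcpFlags'], $p['rule']);
```

The first field is the number of the pf rule that matched, which can be lined up with the numbered rule listing from `pfctl -vvsr` on the firewall. A Hosts alias is loaded into pf as a table of the same name, so `pfctl -t SourceIPs -T show` lists the addresses the alias actually resolved to; comparing that list with the source address in the log record is the quickest way to tell whether the alias holds what the rule expects.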
#6
Is there a way to force the update of a URL Table (IP)? If I add an entry (to the file in the URL), I would like to be able to immediately update the alias. I know I could reduce the frequency to 0.1 (10 mins I think?) but that is overkill if I change an IP address once a month.
#7
Is it possible to add categories to the aliases (as there is for firewall rules)?

I would like the ability to have say for example ..

  1. General set of aliases, HTTP, HTTPS etc.
  2. Business software IPs and ports
  3. Telephony IPs
  4. Gaming
  5. etc. similar categories.

Also, how about a ports table (Ports)?
#8
Thanks for taking time to read this.

I am trying to add an alias using the Firewall API. I can get a list of aliases, and a list of values for an alias so I have the curl set properly.

<?php
$key    = "key";
$secret = "secret";
$url    = "https://OPNsense.gateway/api/firewall/alias/addItem/xyzzy";

$handle = curl_init($url);

curl_setopt_array($handle,
    array(
        CURLOPT_USERPWD         => "$key:$secret",
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => false,
        CURLOPT_SSL_VERIFYHOST  => false,
        CURLOPT_POSTFIELDS      => "",      // Tried with this line out as well
        CURLOPT_POST            => true,
    )
);

// Send the request; keep the raw response body and any transport error.
$result = curl_exec($handle);
$error  = curl_error($handle);
curl_close($handle);

My issue occurs when trying to add an alias using the above code. (I am stepping out of my comfort zone here), but I have traced the calls back to

/usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php

And added some extra results to see where (??) the process is failing.

From the lines here in the addBase function,

$result = array("result" => "failed");
if ($this->request->isPost() && $this->request->hasPost($post_field)) {

hasPost($post_field) is NULL or empty from the results:

error =:           (No curl error)
result => {
    "result":"failed 1st step addbase              //renamed result to see output
               $isPost :alias                              // $post_fields var
               Is req. : 1                                  // $this->request->isPost()
               has post :                                 //  $this->request->hasPost()
      "}

I am probably barking up the wrong tree, but can someone point me in the right direction please? I am sure the API is OK, and I am sure there is something in my code.

Thanks
the Sage !!
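addBase() reads the new item from a POST field whose name the debug output above shows as "alias" (the value of $post_fields), and hasPost() looks for that field in the parsed request body. The following is an added example, not the poster's script and not OPNsense's own code: it sends a JSON body with the alias under that key and a Content-Type: application/json header, and verifies the firewall's certificate against a CA bundle instead of switching verification off. The host name, the CA bundle path, the alias name xyzzy, the documentation addresses in the alias contents and the newline-separated content format are assumptions made for this example, as is calling addItem without the trailing path segment.

```php
<?php
// Added example, not the poster's code: add a host alias through the OPNsense
// firewall API. The controller reads the item from the POST field "alias"
// (the debug output in the post shows $post_fields = alias), so the request
// carries {"alias": {...}} as JSON. Host, CA path and alias values are placeholders.

$key    = getenv('OPNSENSE_KEY') ?: 'key';
$secret = getenv('OPNSENSE_SECRET') ?: 'secret';
$url    = 'https://OPNsense.gateway/api/firewall/alias/addItem';

// Alias definition (constructed); entries are separated by newlines.
$payload = json_encode([
    'alias' => [
        'enabled'     => '1',
        'name'        => 'xyzzy',
        'type'        => 'host',
        'content'     => "192.0.2.10\n192.0.2.11",   // RFC 5737 documentation addresses
        'description' => 'added via API',
    ],
]);

$handle = curl_init($url);
curl_setopt_array($handle, [
    CURLOPT_USERPWD        => "$key:$secret",
    CURLOPT_RETURNTRANSFER => true,
    // Verify the firewall's certificate: CAINFO points at the CA that signed
    // the web GUI certificate (placeholder path).
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_CAINFO         => '/path/to/opnsense-ca.pem',
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $payload,
    CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
]);

$body = curl_exec($handle);
if ($body === false) {
    fwrite(STDERR, 'curl error: ' . curl_error($handle) . PHP_EOL);
    exit(1);
}
$status = curl_getinfo($handle, CURLINFO_HTTP_CODE);
curl_close($handle);

// A saved item answers {"result":"saved","uuid":"..."}; a rejected one answers
// {"result":"failed","validations":{...}} naming the offending field.
$result = json_decode($body, true);
if ($status !== 200 || ($result['result'] ?? '') !== 'saved') {
    fwrite(STDERR, "API returned HTTP $status: $body" . PHP_EOL);
    exit(1);
}
echo "alias saved with uuid {$result['uuid']}" . PHP_EOL;
```

Saving an alias only updates the configuration; the running pf tables pick the change up after a POST to api/firewall/alias/reconfigure with the same credentials. Keeping the key and secret in environment variables rather than in the script keeps the API credentials out of version control.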
#9
Here is my issue.
I have WAN and LAN working as normal.
WAN is PPPoE, LAN is 192.168.0.0/24. 4G is 192.168.15.1.
I have 4G as a multi-WAN failover. I have checked the settings over and over from a system that works, and this one (also from the OPNsense Wiki Multi WAN doc).
When WAN goes down, DNS works, as the firewall is the DNS server, but there seems to be no routing of traffic on the LAN network through the 4G network.
The problem seems to be that from the LAN interface, a PC cannot PING the 4G interface,
ping 192.168.15.1 - Request Timed Out
tracert 192.168.15.1 -> out the PPPoE gateway ??
Instead the packets go out the "default" gateway. From the firewall itself, I can ping from LAN (firewall IP) to 4G, but NOT from the LAN network.

So from the firewall's perspective, the failover works. But the PCs on the LAN network do not work in a failover situation.

Can anyone shed any light?

P.S.
I have numerous firewalls set up like this that work. The settings are (seem to be) the same.
#10
General Discussion / WAN FailOver and WAN_DHCP
August 24, 2018, 07:58:34 AM
Hi guys, I have set up an OPNsense box with 3 NICs. Firmware is 18.7.1.
Interfaces LAN, WAN and OPT1; OPT1 is used as a 4G failover with a 4G router (which works plugged into a PC).

I set WAN as static IP to the internet, as per the OPNsense Multi WAN documentation.

To cut a long story short, this setup works as expected (better than expected, with switchovers within 20 seconds). My problem arises when I change the WAN over to the DHCP setting, reconfigure DNS, gateways, gateway groups etc. as per the OPNsense Multi WAN documentation. I reboot OPNsense and the WAN sometimes comes up and works as expected. If I pull the WAN plug, or the WAN doesn't come up, it stays in a state PENDING. After a few restarts it may work through the WAN, but more often than not it remains in the PENDING state.

If I reconfigure the WAN to be STATIC everything works OK, so I don't think it is in the setup ??? as I have switched from DHCP to static at least 5 times and each time STATIC works perfectly.

Can anyone shed some light? Will more config info be helpful?
What am I missing?


The Stuck Sage