Topics

1

22.7 Legacy Series / How do I paste multiple values in multi-value boxes?

« on: August 31, 2022, 05:07:38 am »

I'm trying to get around filling these boxes:


which are kind of a nightmare since they concatenate whatever you paste in.

I tried editing the file directly in the filesystem: in the example in the shot, BIND; but it turns own BIND doesn't read the config. The GUI seems to override the CLI.

Any idea how to filled this correctly to paste is enabled?

So far I've tried pasting the the line with [,],[;],[\],[\n\n](double new line space) and even [<br>]. Nothing seems to work.

Any ideas?

2

22.1 Legacy Series / BIND won't start, "creating IPv4 interface" failure.

« on: July 20, 2022, 10:12:13 am »

I use BIND as some sort of DNS router between AD domain controllers and in-box Unbound, both listen on :53. The firewall has two interfaces; Unbound works exclusively on one of them, BIND doesn't have the option to choose interface but it set to use the addresses from the other. It had been working great for a long time until I had to change the IPv6 prefix.

That is the only thing different since it stopped working, at least. No other changes have been made. The logs are very... not really useful. The addresses are available, one of each family to each resolver/nameserver, and they are all responding, I'm testing from another subnet; ruling out gateway issues in the process. The "firewall" is not really a firewall, it's in router-only mode, filtering+NAT off.

I composed a little screenshot collage to best illustrate things — you might need to pan around on a laptop display.

Here's the link in case there are issues showing it: https://i.imgur.com/jcyCsUv.png


Any ideas what's wrong?

3

21.7 Legacy Series / Why are multiple interfaces available for NAT?

« on: October 31, 2021, 02:33:21 am »

Why are there multiple simultaneous interfaces for NAT rules? Are group-type rules supposed to be a no-no —specially NAT rules— because they'd get no reply-to?

4

21.1 Legacy Series / Tunneled EAP, IPsec, FreeRADIUS, et al + directory sync (LDAPS)

« on: March 18, 2021, 04:02:41 pm »

Playing with the FreeRADIUS plugin I discovered it was accepting just about every device that would connect to the test wireless network configured with it for auth, or so I thought. As it turns out I had [absentmindedly] configured every possible setting I could use at some point, including remote MySQL database and LDAPS.

When I unchecked the LDAP boxes the devices stopped connecting to the MAC-based authenticated network. As that was sorted out a million questions replaced it though, like why isn't the FreeRADIUS plugin able to use the users synced from Active Directory (over secure LDAP). It'd be nice to use the built-in users with the same pasword and just augment their profiles with just the needed settings*. I also noticed that even while making its own LDAPS connection to the servers, it would still fail to authenticate supplicants requiring the more secure methods, like the tunnel within a tunnel PEAP, TTLS, all that.

I know that this is basically because LDAP is insecure so it doesn't work with the tunneled EAPs, but by that logic, shouldn't LDAPS work? It is encrypted so nothing is in the clear at any stage. Furthermore,  since the users are synced, the authentication is local anyway, therefore, it is secure.

Then there's the actual tunnels, IPsec, Is IPsec able to use the synced users for authentication or is it limited as well? It's got its own section for secrets, two actually, it already hints at No.

What packages/areas (first and/or third party) can use the local directory service fully besides the system's auth and the cert manager?

Thanks!

*: a little later I discovered this can't be done even with the manually addded users anyway. I tried settings IP addreses, routing info, VLANs... Only VLANs work. Thankfully this works great on pfSense's FreeRADIUS (where ironically LDAP, secure or not, ain't much of a success) and I can keep that only for my MAC-based auth which is much nicer to manage in either of the two firewalls than in AD Users and Computers or AD Administrative Center or Windows Admin Center.

5

Virtual private networks / How do I select global no auth source for IPsec?

« on: March 18, 2021, 03:08:31 pm »

Following the setup guide of the documentation it says to select no backend for the authentication. The problem is it won't let you do that:



If you leave the page whatever you saved in there is lost so the tunnel will get no network infrastructure info which  is all in there, DNS servers, domain name, addresses for the client...

Should leave the authentication source blank in the phase instead?

Thanks!

6

20.7 Legacy Series / Netflow receiving

« on: December 08, 2020, 03:26:52 am »

Can OPNsense receive Netflow data from external sources?

I added it as a Netflow collector on a vSphere Distributed Switch using the default port number it prepopulates (2056) and added a NAT rule to redirect to the prepopulated address as well, since it's 127.0.0.1. I figured otherwise it would not reach it.

I just did this, but so far I've seen no difference. OPNsense is a secondary firewall, it doesn't have a direct connection to anywhere on the network, it's only connected to an isolated virtual switch for which the only exit is through another firewall, any traffic/data should be fairly easy to spot.

Thanks.

7

20.7 Legacy Series / Problem with NAT, firewall is blocking traffic

« on: September 28, 2020, 03:19:23 am »

[See the attached diagram]

[Ready?… OK. Last time I was told I should attrach screenshots or something ]

Hey all,

What you're seeing there is a rough approximation of the network. I'm moving from another platform where the firewall was responsible for maintaining a site-to-site link to a remote firewall. The purpose of this is getting a static IPv4 address, which my ISP no longer offers.

Anyway, S2S works, there's full communication and I'm even collecting SNMP data from the interfaces on the remote site. The problem is that OPNsense doesn't let traffic go out. I located the states and only one side is established. subsequent states are waiting. The only thing I could come up with is allowing traffic out from the interface where the server is, but it makes no sense, there's should be no need to allow traffic out if there's a inbound rule/port-forward that should allow the server reply if requested.

The subnet where the server lives has rules to allow only traffic to RFC1918 and RFC1918v6 (a misnomer for my /48) networks and ICMP to everywhere. It has no specific blocks, none of the interfaces have. I skipped using the interface that's autodesginated as "LAN" by the setup wizard because it's sort of unclear if it blocks by default as secondary LANs do.

Where could I look for more information for this in the box? -- I already made basic troubleshooting, checked that the servers have a the correct gateway, that they can reach the Internet via the tunnel (allowing traffic temporarily) and locally and the other tunnel, firewall optimization is set to conservative. Everything checks out, I'm lost here. :/ The only thing I noticed is that latency  (gateway monitoring) is off the charts, about 400-550ms, it was never this high before. But, there is no packet loss and actually doing pings FROM a server reports something like 30-40ms.

8

20.7 Legacy Series / How to import HAProxy's config file from elsewhere

« on: September 26, 2020, 01:22:30 am »

I'm moving (again…) from pfSense to OPNsense. I've tried this several times in the past but it is HAProxy which is crucial for me the part that never lets me complete the migration. I've never been particuraly skilled at HAP in the but I've gotten a little better, I now knoww what stuff means and does and thought about giving it one last shot.

It didn't quite work out like planned… It's not that it's hard--I understand it now--it's just that the OPNsense UI breaks it in soo many steps for the sake of modularity (I assume) but it ends up more complicated than actually writing the config file uncommented from scratch.. That was exactly the thought that brought me here, to ask you guys if you by chance know where is it and if it's editable by hand (pasted and adapted accordingly in my case). I noticed ordinary things like the aliases are exported in serialized config files now.

It would be super helpful because then I would be able to use the official docu that I will likely need. using OPNsense's HAProxy I'm not sure I'll be able to set loopback backend to do it all with a single port like before. I've been dying for years to use the flexibility OPNsense offers with its bleeding edge (as firewalls go) plugin selection and unlocked pkg repos, contrary to pfSense, but it all becomes irrelevant if I need to keep the pf machine just for the proxy with extra NAT running  for the proxy with an extra NAT layer in addition to OPN's VM. I just need to know where the files are, FreeBSD is weird how it sort of follows Linux dir structure but with stacked on top of something even weirder like /var/db/etc <--Whatthef--that makes no sense! I can never find any "standard" UNIXy location in FreeBSD or macOS. :/

I'm rambling now. If you now about this please share!

9

20.7 Legacy Series / Editing aliases outside of OPNsense

« on: September 21, 2020, 04:48:34 pm »

I'm trying to return to OPNsense but my aliases have changed quite a bit  since the last time I tried using it. I got a backup from them that I uploaded into the firewall and downloaded again so I would get the newest format, from then my plan was going to use and IDE or something like that to edit quickly the alias list and reapply.

It was everything going fine until I noticed the JSON entries in the file appear to be serialized. No only that, this new value appears to some sort of key for the whole entry. And, because I am no dev, I understand zeropercent of what's going on.

Am I aware that I'd be at risk of losing all of my edits or maybe crashing the firewall if there's like some conversion to generate that serial if I enter something else arbitrary. I don't know if simply copying an existing serial will merge the source with the entries, half of the time I'm struggling just to escape JSON correctly„

Can the alias tables be edited outside of OPNsense anymore? If so, are there guidelines for it?

Thanks!

10

20.1 Legacy Series / Using [LDAP-sourced/synced] local users for FreeRADIUS server plugin

« on: April 07, 2020, 03:49:29 pm »

For a very long time I've been trying to setup FreeRADIUS for full Active Directory integration but when I always manage to get something wrong and I run back to Windows Server NPS. If it's not setting up NTLM auth –something I've never been able to do– it's some random bug that makes the exact same settings work in an OPNsese config work in one install but not on the next.

Binding FreeRADIUS to LDAP won't work because "passwords are sent on the clear" …even though the connections are made over LDAPS, i.e; ldaps://…:636/. Since OPNsense's users can be also synced with AD, I figured these could be used locally by FreeRADIUS and be augemented with the proper attributes for a given user. Being already local, any authentication method should be available. But again I was wrong, or at least couldn't figure out how to set it up.

The most I managed to set up has been EAP-TLS. It's a strong method so I'm more than happy to settle for a single method if that's the one. However, I can also do that on Network Policy Server; the main appeal of OPNsense+FreeRADIUS are the per-user attribute settings. The way I setup EAP-TLS, although it validates OCSP it really doesn't associate the certificate with a directory user, so no user attributes configurable; I tried adding the information manually on FreeRADIUS's Users area but it won't allow me entering the @ symbol, necessary to write UPNs, used for the CN and SAN on certificates, leaving me back a square 1.

Do you have some insight you could share setting this up? Any advice/commentary is welcome.

11

19.1 Legacy Series / Rules are not being obeyed

« on: July 06, 2019, 01:58:23 pm »

I just reinstalled OPNsense and set only basic rules as I config other areas and the rest of the network for the change. I had set a block (reject, actually) rule for some hosts that shouldn't connect out, I did it same as always, inverting the match for the destination to the nonroutable space (RFC1918) and put it above the allow any to any rule, usually that's enough; just now I added a new address to the alias of blocked sources and realized it has been allowing the hosts to connect out all the time.

I tried reordering the rules so the Apply button would appear and do so, then reorder them back and apply again. It didn't work. I checked if I didn't inadvertently enabled some sort of bypass, like the proxy, but I didn't.

I'm on version 19.1.10, I applied the update today, I believe. Like I mentioned earlier, I just noticed this happening; I don't know if this was happening before the update. Is this a bug or did I miss something?

I have no floating rules. My LAN interface is an LACP LAGG interface and the public-facing interface is OPT1 because WAN got somehow locked up and when I select it in the sidebar it takes me to the interface assignment page but it is on the LAN default group at least.

Thanks !

12

19.1 Legacy Series / Firewall ignores rules randomly

« on: May 15, 2019, 07:16:42 am »

I'm having issues with the firewall not obeying my ruleset. All the rules are the clone of the first one so either they should all work or they should all not work. Some do, some don't. These are port forwards, BTW.

I don't know what's wrong. In the live view I can see the connections are blocked by the default ruleset, meaning for some reason it's not matching them but, like I said, not all of them: I checked them several times finding nothing wrong with them.

Is this a bug? I also added a ZeroTier interface, the firewall pings the only client I have at the other end, and the client also pings the firewall but the firewall doesn't route  the subnets.

Is this a known bug?

13

19.1 Legacy Series / Local (system) users for FreeRADIUS

« on: April 27, 2019, 05:06:50 pm »

I've been trying without luck to setup FreeRADIUS with Active Directory for a while now, apparently that'll never happen for me. LDAP both OPNsense's FreeRADIUS and OPNsense itself is setup correctly; I tried starting in another system and learned in the documentation that LDAP is useless for the tunneled EAP types anyway.

But since the users from LDAP were imported into OPNsense itself, I'd be using local users, therefore tunneled EAP should work, right? That's what I hope for anyway. I don't know how exactly instruct FreeRADIUS to use the system userbase, I don't think it's automatic because I can't authenticate with any of the imported accounts.

I figured, maybe I need to add users into FreeRADIUS, but when I go there within the information I'm also asked for a password to proceed. I don't know if by entering this value the previous is going to be changed for the account in question, or if it's going to set a different password altogether which sort of defeats the purpose of the integration.

Is it doable? Are the settings elsewhere? Thanks!

14

19.1 Legacy Series / Network suddenly crashed: "watchdog timeout on queue 0"

« on: February 22, 2019, 04:25:15 pm »

I was designing a UI for a local system and playing random stuff of YouTube as whitenoise on another computer when both suddenly lost their connection. The one playing YouTube was the odd one since usually YouTube/Netflix/… can keep on going for a while on their buffer when the network is lost. I had an IP address, but I couldn't ping my immediate gateway, not anything above it. I could still connect to another computer on the same subnet which is doubled homed and from there see what's up, I connected to the upstream router, pfSense, which basically does most of the networking, it connect via a transit network to OPNsense, and that to the first core switch, at least logically--it's all virtualized.

I logged into vCenter to get the consoles from both firewall systems, the upstream could ping out, OPNsense on the other hand showed the network interface reading "watchdog timeout on queue 0" filling the whole screen. It would keep printing that. I restarted it and as soon as it got back it wasn't finished booting when it was printing that again. Like I said, the edge firewall was doing most of the work anyway, OPNsense I was just starting to deploy to play with the things it has pfSense lacks, I just made the switch take its IP address of the /30 transit network and I got back where I was.

I'm quitting OPNsense for now, I've tried to deploy it several times but I just can't get it to be stable--and it's not like mundane things, it's a little more serious with potential for data loss, like not starting up on the update to 19.1; or connectivity problems on multi-WAN with the same ISP (hence same gateway)--I was able to spoof the gateway with another router in between, BTW, but it sort of defeat the purpose of such an advanced system. :/

Anyway, I thought I should report it. I hope it helps somebody. Also found out that to boot a failed EFI-based 19.1 upgrade, you can just change it to BIOS without reinstalling! I reported that on Github, though.

15

18.7 Legacy Series / Where to restore aliases backup

« on: January 06, 2019, 03:42:22 am »

Hey guys, first post

I just moved to OPNsense and but it updated on me and lost the ability to import aliases and I have a ton (I'm coming from the other *sense) so I thought I'd outsmart it and deployed a local VM with it, extracted the aliases from the other platform's XMLs imported them into the dummy OPNsense to export them back out into an OPNsense native backup and merge them with the current config now almost stable.

However, when I went to the working install I couldn't quite figure out where to put merge the backup in. I only modified aliases in the dummy OPNsense, nothing else, not even the initial setup except for the interfaces (about 2 dozen vs 1 in the dummy) and the aliases there should be nothing to overwrite...I think.

I exported a backup from the working install searched for the alias lists and compared it to the backup from the dummy install and I saw that they're nothing alike, so there went my chances merging it myself, manually...plus I tried editing one of these files before and I guess it was digitally signed or something because I broke down horribly.

The best fit to restore them would be under Firewall, but there's no such option, the way it's listed it sorf of screams not here. Then I thought maybe DNS, because they're aliases...but System could work as well because they work system-wide. I'm going a little insane here. If you have any advice to offer I'd be immensely grateful ! <3