Topics - bruci3

1
19.7 Legacy Series / openssl-1.0.2t,1 is vulnerable
« on: December 31, 2019, 11:12:50 pm »
Hi all,

I just updated my Opnsense to the latest version.

OPNsense 19.7.8-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019

I got this when running security audit:

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
openssl-1.0.2t,1 is vulnerable:
OpenSSL -- Overflow vulnerability
CVE: CVE-2019-1551
WWW: https://vuxml.FreeBSD.org/freebsd/d778ddb0-2338-11ea-a1c7-b499baebfeaf.html

1 problem(s) in 1 installed package(s) found.
***DONE***

Should I be concerned? If so, is there anything I can do about it?

2
19.1 Legacy Series / IPSec site to site
« on: May 23, 2019, 01:58:06 am »
Hi guys,

I have set up IPsec site to site and it is currently connected (established), but things are not reachable.

SITE A
LAN
Cisco 3750 switch
Proxmox with VM Opnsense firewall/router (IPsec site to site tunnel)


SITE B
Debian shorewall firewall (strongswan ipsec site to site)
Cisco 3750 switch
LAN

So far, I can ping from any computer on Site A to Site B, excluding the Opnsense firewall.

So if I ping from Opnsense firewall to Site B, I get a generated firewall log:

Interface Source  Destination Proto
WAN    SiteA Public IP     SiteB Local LAN IP  ICMP

Any ideas?

3
19.1 Legacy Series / IPsec to AWS
« on: April 22, 2019, 01:24:09 am »
Hi guys,

I am trying to set up IPsec from my Opnsense box at home to my AWS.

Opnsense LAN 192.168.1.0/24
AWS VPC 172.31.0.0/16

I have got the IPSec tunnel to establish but pings etc are not working.

It seems the Opnsense side can receive traffic, but cannot send out traffic.

The reason I know this is that if I ping from my AWS to Opnsense I can see the "Bytes in" increase, so traffic is flowing into Opnsense, but nothing seems to go out from Opnsense, because if I ping from the Opnsense side to AWS, the "Bytes out" does not change.

These are my current rules:
Firewall > Rules
WAN allow Port:TCP/UDP 500, 4500
IPsec allow Source: 172.31.0.0/16 to any
IPsec allow Source: 192.168.1.0/24 to any
LAN allow Proto: ICMP any any

This is what the status shows on Opnsense IPsec status

Time : 1375
Bytes in : 672
Bytes out : 0

Am I missing some firewall rule, or do I need to add any routes or NAT rules? Please help! I have been stuck with this for over a week and it's driving me nuts.

4
General Discussion / Internet failover
« on: April 15, 2019, 06:30:09 am »
Hi guys,

My company has 2 internet lines from separate ISPs. I am looking at setting up Opnsense failover, so if 1 internet line fails, it will automatically fail over to the other.

Just trying to clarify, do I follow this guide then: https://docs.opnsense.org/manual/how-tos/multiwan.html

So this setup only requires 1 Opnsense box which connects to both internets?

I also found CARP setup which allows HA so 2 Opnsense box, not sure if this is what I need or not. https://wiki.opnsense.org/manual/how-tos/carp.html

So just to clarify,

1) Multi WAN setup is used to set up failover for 2 or more internet services, so if 1 internet line fails, it fails over to the other?
2) CARP setup is used for only 1 internet service, and the failover is only between the Opnsense boxes, not between multiple internet lines?

Is it possible to also combine CARP + Multiwan setup i.e. 2 internet services and 2 Opnsense boxes?


5
Web Proxy Filtering and Caching / Firewall to Transparent Proxy
« on: February 28, 2019, 01:46:46 am »
Hi guys,

I am pretty confused and can't get my setup to work.

All on same network/subnet.

- Opnsense firewall 10.0.0.1
- Opnsense proxy 10.0.0.2

"Enable Transparent HTTP proxy" is checked.

- Certificates are installed on clients

Firewall and proxy both work completely fine alone, if I set my PC client with proxy settings to point to the proxy server it works as should for both HTTP and HTTPS.

I am trying to make it a transparent proxy, i.e. no need to put proxy settings on the client, but it won't work.

So on the firewall 10.0.0.1 I have these rules:

NAT Port forward
LAN TCP Src: LAN - Dest: port 80 redirect to IP 10.0.0.2 Port 3128
LAN TCP Src: LAN - Dest: port 443 redirect to IP 10.0.0.2 Port 3129

Am I missing other firewall rules or what else is needed?

Please help I have been struggling with this for a very long time.

6
General Discussion / Not sure about VLANs
« on: February 13, 2019, 03:50:05 am »
Hi guys,

I have the below setup in my home:

https://imgur.com/UhEQYaC


I want to have LAN 1 and LAN 2 separate, so no client or wifi devices from LAN 2 can communicate with LAN 1.

Should I be putting LAN 1 and LAN 2 on different subnets or should I also be putting them on different VLANs too?

Also, do I need to have firewall rules to prevent LAN 1 and LAN 2 from communicating, or would the subnets or VLANs take care of that?

Lastly, how do I prevent clients on LAN 2 from communicating with each other?

I have some Chinese devices that connect to the internet on LAN 2, and I would prefer them not being able to reach any other devices or computers on LAN 1 or LAN 2.

Any advice? Thanks.


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved