Topics - porigromus

#1
I apologize for the number of posts. I have transparent proxy working, and working well, for most clients on my network. I was able to determine "no bump" URLs for the youtube/netflix apps on android phones/tablets.

However, I can't get the youtube app on Amazon's Kindle Fire and Fire TV working through the transparent proxy. I was able to "no bump" the netflix app on these devices. I would like to "no bump" the destination URLs for the youtube app, which when launching gives me a squid error with an IP in the URL instead of an actual domain name, which I thought was strange.

I searched the internet and this forum for possible URL destinations to add to the "no bump" list without any luck. Like I said, the youtube app is working on the android phones/tablets but not on Amazon's products.

Is there a way to "no bump" the devices by source address if it comes to that? Is anyone able to point me in the right direction on URLs to "no bump" for Amazon Kindle Fire / Fire TV apps? Thanks
#2
Hello, hoping someone can help me understand why I am receiving the message "Failed to establish a secure connection to 192.168.1.2" when I access the webgui from behind the squid forward ssl proxy, but have no issues accessing it with the other SAN name "firewalltest"?

As I mentioned, both are subject alternative names on a self-generated certificate issued by the CA created on the opnsense firewall. One works, one does not when behind the proxy. If I access the webgui for firewall management without the proxy via the ip address it shows valid.

I have the CA on the firewall trusted in my OS. I have an entry in the /etc/hosts file on the client attempting to access the webgui for 192.168.1.2 firewalltest.

Error message:

"ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://192.168.1.2/

    Failed to establish a secure connection to 192.168.1.2

The system returned:

    [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)

    Certificate does not match domainname: /C=xx/ST=xxxxxxx/L=xxxxxx /O=xxxx/emailAddress=xxxxxxxxxxxxxxx/CN=firewalltest.test/subjectAltName=DNS:firewalltest,IP:192.168.1.2

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local."

Certificate for the Opnsense webgui, issued by a CA on opnsense which is also the one chosen as the CA for squid in opnsense services:

Certificate Subject Alt Name = "DNS:firewalltest,IP:192.168.1.2"
CN = firewalltest.test
E = xxxxxxx
O = xxxxxx
L = xxxxxx
ST = xxxxx
C = xxxxx

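One behaviour consistent with the quoted SQUID_X509_V_ERR_DOMAIN_MISMATCH is a name checker that compares the requested host only against the CN and dNSName SAN entries, so that an IP literal in the URL never matches the iPAddress SAN. This added example (not code from the post or from Squid, and it does not claim which logic the Squid build in question uses) contrasts such a checker with one that handles iPAddress entries the way RFC 6125 expects, using the certificate fields quoted above.

```python
import ipaddress

# Certificate fields as quoted in the post (constructed dict holding the post's values).
CERT = {"cn": "firewalltest.test", "san": "DNS:firewalltest,IP:192.168.1.2"}


def parse_san(san):
    """Split 'DNS:a,IP:b' into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in san.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.upper() == "DNS":
            dns.append(value.lower())
        elif kind.upper() == "IP":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_name_matches(pattern, host):
    """RFC 6125 style: exact match, or a single '*' covering only the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_only_match(cert, host):
    """Checker that knows only CN and dNSName entries; iPAddress SANs are ignored."""
    dns, _ = parse_san(cert["san"])
    candidates = dns or [cert["cn"]]  # when dNSName SANs exist, the CN is not consulted
    return any(dns_name_matches(p, host) for p in candidates)


def san_aware_match(cert, host):
    """Checker that lets an IP literal in the URL match only an iPAddress SAN."""
    dns, ips = parse_san(cert["san"])
    if is_ip_literal(host):
        return ipaddress.ip_address(host) in ips
    return dns_only_match(cert, host)
```

With these fields, "firewalltest" passes both checkers while "192.168.1.2" passes only the SAN-aware one; the CN "firewalltest.test" matches neither, because dNSName entries are present and take precedence over the CN.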
#3
Hello, I am new to Opnsense and trying to get everything set up. I am hoping someone can give me some troubleshooting tips for the issue I am seeing.

I have configured a transparent http/https web proxy and verified that when going to https sites my CA is listed as the issuer of the cert and everything shows valid. I have added the "7999999   Drop   opnsense.test.rules   bad-unknown   OPNsense test eicar virus" rule and verified that alerts are present when trying to download it via the http link and it is blocked. However, when attempting https I am able to download it. There are no alerts present in the ids logs.

I have all interfaces configured in my IDS: lan, opt1, opt2, wan.

I tried both pattern matchers, "hyperscan" and "aho-corasick". I have also tried promiscuous mode even though I am not using vlan tagging. It should be blocking the file via that same rule when downloading over https, right?

Here is my log entry when restarting the ids service:

May 11 23:30:59    suricata: [100159] <Notice> -- all 8 packet processing threads, 4 management threads initialized, engine started.

Thanks for any help.

Only blocking on 80:

2019-05-11T23:45:41.674353-0400   blocked   wan   213.211.198.62   80   34.21.174.42   30170   OPNsense test eicar virus   
2019-05-11T23:45:41.674353-0400   blocked   wan   213.211.198.62   80   34.21.174.42   30170   OPNsense test eicar virus

#4
I have configured the Web Proxy utilizing HTTP Transparent. I have 3 interfaces configured (LAN, OPT1 (DMZ), OPT2 (Servers)). Before configuring the proxy I only permitted specific endpoints to access specific destinations on port 80 in OPT2, and only permitted 1 endpoint to access the WebGUI/SSH on the firewall on port 80.

Now, all devices are able to get to these destinations due to the fact that the source now appears to be the firewall, which is always permitted. What would be the best way to permit only the devices I wish to access these endpoints on 80, now that the proxy handles their traffic?

One way I thought of doing this is creating a No RDR NAT rule with a destination of RFC1918 above the present NAT redirecting the 80 traffic to the firewall.

I also thought about changing the destination from ANY to !RFC1918 on the NAT that is presently redirecting 80 traffic to 127.0.0.1.

I would prefer not to circumvent the proxy though. Is there a way to create a whitelist/blacklist in the web proxy to only permit specific sources to access specific destinations on RFC1918 subnets? I wasn't sure how. What is your opinion on how to best configure what I am wanting to achieve? Thanks
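Both the source-based "no bump" question in post #1 and the per-client restriction on RFC 1918 destinations in post #4 map onto Squid ACLs. The fragment below is an added example in plain squid.conf syntax, not configuration from the posts or from OPNsense; all addresses and ACL names are placeholders, and since OPNsense generates squid.conf from the GUI, where such lines would be injected is outside what the posts cover.

```conf
# --- Post #1: leave chosen client devices unbumped, whatever they connect to ---
# Sessions from these clients are spliced (passed through without interception),
# so apps that pin certificates or use bare-IP URLs keep working.
acl nobump_clients src 192.168.1.50 192.168.1.51   # hypothetical Fire TV / Kindle IPs
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice nobump_clients
ssl_bump bump all

# --- Post #4: enforce per-client access to internal HTTP services in the proxy ---
# The firewall only sees the proxy's own address as the source, so the policy
# that used to live in firewall rules has to be expressed in http_access instead.
acl localnet        src 192.168.0.0/16                          # hypothetical client range
acl rfc1918_dst     dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl servers_allowed src 192.168.1.10                            # hypothetical permitted endpoint
acl firewall_gui    dst 192.168.1.2                             # firewall address from post #2
acl gui_admin       src 192.168.1.20                            # hypothetical admin workstation

# First matching http_access line wins, so allow lines precede their deny lines.
http_access allow firewall_gui gui_admin
http_access deny  firewall_gui
http_access allow rfc1918_dst servers_allowed
http_access deny  rfc1918_dst
http_access allow localnet
http_access deny  all
```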
#5
I have read information on firewall configuration for Transmission-Daemon and it appears all is working, but I have quite a lot of denied firewall outbound traffic. I am able to download torrents from a specific tracker I am allowed to access, and when viewing the peer listening port in the GUI it shows open. Also, if I go to canyousee.com it is successful on the chosen port. The denied traffic appears to be return traffic, which should be stateful? Thanks for any insight.

Software/Hardware
Distro Debian
Transmission-Daemon 2.92-2 (Debian Repo)
OPNSense (Latest Version)

OPNSense Config:

Destination NAT:
WAN Interface: TCP/UDP Src: Any Dst: WAN_IP Port 55555 > DebianIP Port 55555


Firewall Rules:

LAN Interface:
TCP/UDP Src Any Dst Any Port 53,123
TCP/UDP Src Any Dst tracker_url Port 2145
TCP/UDP Src Any Dst portcheck.transmissionbt.com Port 80
**** Implicit Deny All ****

WAN Interface:
TCP/UDP Src Any Dst DebianIP Port 55555
**** Implicit Deny All ****



Firewall logs show a multitude of entries like the one line shown below (with the real IPs and ports omitted). I believe the firewall should be stateful and handling this return traffic? Any help or ideas are appreciated. I do see some peers leeching from me, not much.

Src DebianIP:55555 > RandomPublicIP:RandomPort Default Deny (Blocked)
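As an added illustration that is not part of the post: a minimal model of a stateful filter applying the quoted rule set, evaluated after the WAN port-forward has already rewritten WAN_IP to DebianIP (addresses are constructed placeholders). It distinguishes a reply that belongs to a flow a peer opened to port 55555, which passes on state, from a connection the Transmission host itself opens from port 55555 to a peer, which is a new flow evaluated against the LAN rules and matches none of the listed destinations.

```python
from dataclasses import dataclass

DEBIAN = "192.168.1.100"  # constructed stand-in for DebianIP
PEER = "203.0.113.7"      # constructed stand-in for RandomPublicIP


@dataclass(frozen=True)
class Pkt:
    iface: str   # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int


# The rule set quoted in the post: (interface, destination or None for any, ports).
RULES = [
    ("LAN", None, {53, 123}),
    ("LAN", "tracker_url", {2145}),
    ("LAN", "portcheck.transmissionbt.com", {80}),
    ("WAN", DEBIAN, {55555}),
]


class StatefulFilter:
    def __init__(self):
        self.states = set()  # one entry per accepted flow: (src, sport, dst, dport)

    def _rule_allows(self, p):
        return any(iface == p.iface and dst in (None, p.dst) and p.dport in ports
                   for iface, dst, ports in RULES)

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.states or reverse in self.states:
            return "pass (matches existing state)"
        if self._rule_allows(p):
            self.states.add(flow)  # the first packet of a permitted flow creates state
            return "pass (rule match, state created)"
        return "Default Deny (Blocked)"


def classify_post_scenario():
    """Verdicts for: a peer connecting in, the reply to it, and a locally started flow."""
    fw = StatefulFilter()
    inbound = fw.filter(Pkt("WAN", PEER, 40000, DEBIAN, 55555))
    reply = fw.filter(Pkt("LAN", DEBIAN, 55555, PEER, 40000))
    outbound = fw.filter(Pkt("LAN", DEBIAN, 55555, PEER, 51413))
    return inbound, reply, outbound
```

The third verdict reproduces the logged "Src DebianIP:55555 > RandomPublicIP:RandomPort Default Deny (Blocked)" shape; whether a given logged packet is a reply or a new flow can be settled by checking the live state table rather than the log line alone.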