Topics - jimjohn

#1
24.1, 24.4 Legacy Series / No DHCPREQUEST on VLAN
May 14, 2024, 04:05:22 PM
Hello,

I have the following topology: OPNsense -(cable)-> Fritz!Box as WiFi AP -(WiFi)-> Fritz!Box Repeater -(cable)-> Unifi AP -(WiFi)-> Clients

The Unifi AP spans 3 WiFi networks:

1) Standard
2) Guest (VLAN 110)
3) IoT (VLAN 120)

In OPNsense, I created the VLANs, the interfaces and enabled DHCPv4 on the interfaces. I also added firewall rules.

If I connect to the standard WiFi (no VLAN), all is fine.

If I connect to either the Guest or the IoT network, I see a DHCPDISCOVER and a DHCPOFFER on the respective VLAN in the OPNsense log, so I conclude that VLAN tagging is fine and the traffic (at least) reaches the OPNsense.

However, I see neither a DHCPREQUEST nor a DHCPACK from the client on the VLAN. What I DO see is a ping from the client with a non-DHCP-assigned address (169.X.X.X), which is blocked and logged by my "block all" rule at the end of the firewall rule set. What I expect is a 10.0.110.X or a 10.0.120.X client IP address provided via DHCP based on the respective WiFi net / VLAN (110 or 120).

Any ideas what I am doing wrong?

P.S. Fritz!Box is planned to be replaced but this is my current test setup.
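Added example (not part of the post): a small analyser for the pattern described above. Repeated DISCOVER/OFFER pairs with no REQUEST mean the offer either never reaches the client or is not accepted, and a client that gives up falls back to a 169.254.0.0/16 link-local address, which is exactly what then shows up in the block rule's log. The log lines are constructed to mimic the syslog format of ISC dhcpd; the interface names (igb1 for the untagged LAN, vlan0.110 for the Guest VLAN) are assumptions, not taken from the post.

```python
import ipaddress
import re

# ISC dhcpd logs the four DORA messages to syslog as, for example:
#   DHCPDISCOVER from <mac> [(hostname)] via <iface>
#   DHCPOFFER on <ip> to <mac> [(hostname)] via <iface>
#   DHCPREQUEST for <ip> [(server)] from <mac> [(hostname)] via <iface>
#   DHCPACK on <ip> to <mac> [(hostname)] via <iface>
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
HOST = r"(?: \([^)]*\))?"          # optional "(hostname)" after the MAC
VIA = r" via (?P<iface>\S+)"
STAGES = ["DISCOVER", "OFFER", "REQUEST", "ACK"]
PATTERNS = {
    "DISCOVER": re.compile(r"DHCPDISCOVER from " + MAC + HOST + VIA),
    "OFFER":    re.compile(r"DHCPOFFER on (?P<ip>\S+) to " + MAC + HOST + VIA),
    "REQUEST":  re.compile(r"DHCPREQUEST for (?P<ip>\S+)(?: \(\S+\))? from " + MAC + HOST + VIA),
    "ACK":      re.compile(r"DHCPACK on (?P<ip>\S+) to " + MAC + HOST + VIA),
}

def dora_progress(lines):
    """Map (client MAC, interface) -> the furthest DORA stage seen for that client."""
    progress = {}
    for line in lines:
        for stage, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            key = (m["mac"], m["iface"])
            seen = progress.get(key)
            if seen is None or STAGES.index(stage) > STAGES.index(seen):
                progress[key] = stage
    return progress

def stalled_clients(lines):
    """Clients whose exchange never reached DHCPACK, with the stage where it stopped."""
    return sorted((mac, iface, stage)
                  for (mac, iface), stage in dora_progress(lines).items()
                  if stage != "ACK")

def self_assigned(addresses):
    """Addresses in 169.254.0.0/16 (link-local), i.e. clients that gave up on DHCP."""
    apipa = ipaddress.ip_network("169.254.0.0/16")
    return [a for a in addresses if ipaddress.ip_address(a) in apipa]

# Constructed sample log, not copied from the post. Interface names are assumptions:
# "igb1" for the untagged LAN, "vlan0.110" for the Guest VLAN.
SAMPLE_LOG = [
    "May 14 15:58:01 fw dhcpd[1234]: DHCPDISCOVER from 11:22:33:44:55:66 via vlan0.110",
    "May 14 15:58:01 fw dhcpd[1234]: DHCPOFFER on 10.0.110.20 to 11:22:33:44:55:66 via vlan0.110",
    "May 14 15:58:04 fw dhcpd[1234]: DHCPDISCOVER from 11:22:33:44:55:66 via vlan0.110",
    "May 14 15:58:04 fw dhcpd[1234]: DHCPOFFER on 10.0.110.20 to 11:22:33:44:55:66 via vlan0.110",
    "May 14 15:59:10 fw dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via igb1",
    "May 14 15:59:10 fw dhcpd[1234]: DHCPOFFER on 10.0.1.50 to aa:bb:cc:dd:ee:ff via igb1",
    "May 14 15:59:10 fw dhcpd[1234]: DHCPREQUEST for 10.0.1.50 (10.0.1.1) from aa:bb:cc:dd:ee:ff via igb1",
    "May 14 15:59:10 fw dhcpd[1234]: DHCPACK on 10.0.1.50 to aa:bb:cc:dd:ee:ff via igb1",
]

if __name__ == "__main__":
    for mac, iface, stage in stalled_clients(SAMPLE_LOG):
        print(f"{mac} on {iface}: stalled after {stage}")
    print("self-assigned:", self_assigned(["169.254.12.7", "10.0.110.20"]))
```

Feed it the dhcpd lines from the OPNsense log (the "via" interface tells you which VLAN the server saw the DISCOVER on); a client stuck at OFFER on a tagged interface while untagged clients reach ACK narrows the problem to the return path of the offer, not to the tagging of the request.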
#2
I have Unbound blacklists in place which filter some ads. Now one device should get access to some of the blocked DNS names. I have created an alias with the MAC address of that device. How can I make Unbound deliver the correct DNS resolution if the request is coming from "the" device in the alias?
#3
General Discussion / Matrix Synapse behind OPNsense
October 27, 2023, 06:44:47 PM
Hi,

I would like to set up a Matrix Synapse server. I own a domain and could forward ports from my router to the OPNsense. There I am currently running HAProxy, pointing at a Proxmox hypervisor server. For services like WireGuard etc. I use DynDNS, but for Matrix Synapse I would like to use my "proper" domain. Since this seems to be a quite complex setup, could someone point me in a direction where I could start? I think most of my problems are with handling the proper domain instead of using DynDNS.

Thanks!
#4
Hi, I want to start monitoring my network better. I found that check_mk may be suitable for that. Since my hardware is somewhat limited and the OPNsense is running 24/7 anyway, I thought I would make the OPNsense the check_mk server and all other physical (Proxmox) and virtual (VM / LXC) hosts agents. Does this make sense? Does anyone do this? I only found a check_mk agent plugin for OPNsense, no server plugin. Or is check_mk not the right approach? I would like to see if my apt / yum packages are out of date and monitor suspicious activity in logs / network traffic. The OPNsense could be server and agent at the same time, I think. Glad if you can help me get on the right track!
#5
Hi all,

is it possible to display an explanatory static page when either DNS block lists or firewall rules kick in, and avoid displaying the webpage?

Thanks!
#6
Hi,

I successfully configured WireGuard on an OPNsense behind a Fritz!Box. I did a port forward to the WAN of the OPNsense and was able to connect from my cellphone. So far so good. Before I enable the port forward in the Fritz!Box permanently, I wonder if there is anything I can do on the WAN side of the OPNsense to harden it, for example against spamming / port scanning / flooding. How do you harden your VPN ports properly?

Second question: if I only want to use WireGuard for road-warrior usage, would you allow all traffic via the tunnel and block the packets on the WireGuard side via the firewall rules? Or can I somehow decide even earlier, on the cellphone?

Third question: I have two interfaces for WireGuard on the OPNsense: the WireGuard (Group) and my specific WireGuard interface. How do you manage the rules here? Is the "Group" interface similar to the "Floating Rules" but only for the WireGuard interfaces?
#7
German - Deutsch / No internet on the LAN interface
February 28, 2022, 11:22:02 PM
Hello,

I am at my wits' end. I have no internet on the LAN interface. A MikroTik switch is attached to the LAN IF; the DHCP server runs on the OPNsense. IP, DNS server (BIND) and router are correctly handed out via DHCP.

On the PC behind the switch I can resolve DNS queries with nslookup, so DNS is not the problem. Even with an ANY ANY rule I cannot reach any website in the browser. traceroute does not work. OPNsense updates work. Pinging the internet from the OPNsense GUI via the WAN interface works, but from the LAN interface via the OPNsense GUI it does not. I suspect the problem lies somewhere here.

I have set up a single gateway, which obviously works. In the firewall log I see no packets, neither for the catch-all rule (DENY ALL at the very end) nor for any ALLOW rule.

The setup is Fritzbox <> OPNsense <> Mikrotik Switch <> PC.

What am I doing wrong?
#8
German - Deutsch / VLAN with LAGG / LACP (?)
February 26, 2022, 02:41:57 PM
Hello everyone,

Since my OPNsense appliance does not have enough physical NICs, I now want to set up VLANs with a downstream switch. Some time ago I read that the interfaces should apparently be configured as LAGG or LACP beforehand, "so that arbitrary VLANs can be added at any time" (?). Maybe I am mixing something up. Unfortunately I can no longer find the article, nor do I remember where exactly I read it.

Can anyone make sense of this? What could be meant by it? Do I lose flexibility if I simply set up the VLANs as they are? My goal is really just to route the switch ports through the OPNsense and decide there which packets may go in which direction, i.e. effectively to increase the number of physical devices with their own permissions that I can connect to the OPNsense appliance.

Many thanks for your help!
#9
22.1 Legacy Series / [FEATURE REQUEST] Overview Edit Mode
February 11, 2022, 01:45:25 PM
Hi all,

I do not know where to put this best, but feel free to move it to another sub-forum.

For me it is very annoying that I have to enter each firewall rule I want to change, scroll down, find the correct text field, click save, scroll down again in the overview and repeat.

So I thought about how this could be handled better in terms of user experience. Basically I think it is quite simple. In the overview (Firewall -> Rules -> Interface), if you hover over any "label" and it turned into a "text box" where you could directly change the content, this would tremendously help when editing multiple rules, adding a port, or even adding a whole rule. If you needed specialties or advanced settings, you could still use the detailed editing page as it is now.

Is there any chance to see something like that? Or has this been discussed in the past?

Thank you for your feedback!
#10
Hi all,

I am running some services over an OpenVPN tunnel between two OPNsenses. These services run well and can communicate with each other. However, I cannot reach port :443 and display a webpage over HTTPS on Site B from Site A, although I can see the HTTPS request pass in the firewall log of Site B (so the packet is definitely not blocked on Site A, is definitely sent through the VPN tunnel and is definitely not blocked on Site B; it is marked as an "outgoing" packet of the "ovpns1" interface and passed through to my physical interface by the "let out anything from the firewall host itself" rule).

When physically being on Site B, I can access the webpage through OPNsense, so the server is definitely working as well. I am using a self-signed certificate, all private since everything is happening within the tunnel network.

All looks fine for me but it is still not working. What could that be? No hint in the OpenVPN log (level 4) as well ... I am stuck.

Any help is very much appreciated!
#11
21.7 Legacy Series / Update Error
December 12, 2021, 12:29:42 PM
Hi, got an error when updating my OPNsense. It seems stuck somewhere between 21.7.4 and 21.7.6. I suppose it happened due to an aborted update.

When updating, it tries to update the "base" and "kernel" packages, everything else seems to be the newest version available. It declares "no signature found" while / after fetching the packages and does not proceed with updating as a consequence of that. What can I do?

Versions:

base 21.7.4
kernel 21.7.4


Update output:
***GOT REQUEST TO UPDATE***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): . done
Processing candidates (1 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/wpa_supplicant-2.9_11~d6fe3dca64.txz
/var/cache/pkg/unbound-1.13.2~c2781a1635.txz
/var/cache/pkg/wpa_supplicant-2.9_11.txz
/var/cache/pkg/syslog-ng-3.34.1.txz
/var/cache/pkg/unbound-1.13.2.txz
/var/cache/pkg/syslog-ng-3.34.1~f2a9b4d4db.txz
/var/cache/pkg/strongswan-5.9.4~3776e982e1.txz
/var/cache/pkg/squid-4.15~6ec79a5499.txz
/var/cache/pkg/strongswan-5.9.4.txz
/var/cache/pkg/squid-4.15.txz
/var/cache/pkg/python38-3.8.12_1~aa001528c2.txz
/var/cache/pkg/python38-3.8.12_1.txz
The cleanup will free 23 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-21.7.5-amd64.txz: ... done
Fetching kernel-21.7.5-amd64.txz: ............................................................ failed, no signature found
***DONE***


Health output:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Sun Dec 12 12:06:10 CET 2021
>>> Check installed kernel version
Version 21.7.4 is incorrect, expected: 21.7.5
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.4 is incorrect, expected: 21.7.5
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***
#12
Hi all,

I am driving myself crazy on this. Got two sites that I want to connect with each other for backup purposes via OpenVPN. Each site has a unit connected directly to the respective interface on the OPNsense (both sites have OPNsenses).

a) I could get the connection up (see screenshot) but I am not able to ping from OPNsense A to OPNsense B. I guess I am messing something up with my firewall rules. What am I doing wrong?

b) On OPNsense B I got 2 additional gateways, one for IPv4 and one for IPv6, after creating the OpenVPN client. However, I am not using IPv6 on either of the OPNsenses and OPNsense A only has one gateway for IPv4. How can I get rid of the additional IPv6 gateway?

Thanks for your help.
#13
21.7 Legacy Series / SOLVED: 21.7.4: Health check fails
October 28, 2021, 11:58:33 AM
Hi,

after upgrading to the latest version, I get a suspicious health check. Anyone encountered this as well?

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.4 (amd64/OpenSSL) at XXX
>>> Check installed kernel version
Version 21.7.4 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.4 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ........
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/io.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/os.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/posixpath.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/re.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/site.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/sre_compile.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/sre_parse.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/stat.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/threading.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/token.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/tokenize.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/traceback.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/types.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/warnings.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/encodings/__pycache__/aliases.cpython-38.pyc
Checking all packages..... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***
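Added example (not part of the thread and not OPNsense's own code): the health check above is a file-integrity check of installed files against the package's recorded checksums, the same idea as `pkg check -s`. The example rebuilds that check in a few lines and then shows one mechanism by which a `.pyc` can legitimately drift from its recorded checksum without any code change: a timestamp-invalidated bytecode cache embeds the source file's mtime in its header, so a rebuilt cache has different bytes even though the source is identical. Whether that was the cause in the post above is not on the page; the reliable way to tell benign drift from tampering is to compare against a fresh copy of the package rather than trust the local file. The temporary module, the cache file name and the manifest format are all constructed for the example.

```python
import hashlib
import os
import pathlib
import py_compile
import tempfile

def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record every file under root as {relative POSIX path: SHA-256}, the way a package manifest does."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, manifest):
    """Relative paths whose file is missing or whose current hash differs from the manifest."""
    root = pathlib.Path(root)
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]

def pyc_regeneration_demo():
    """Return (mismatches right after 'install', mismatches after the bytecode cache was rebuilt)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp) / "mod.py"
        # Cache file name chosen by hand for the example; the tag in it is not tied to the running Python.
        pyc = pathlib.Path(tmp) / "__pycache__" / "mod.cpython-38.pyc"
        src.write_text("X = 1\n")
        py_compile.compile(str(src), cfile=str(pyc),
                           invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
        manifest = build_manifest(tmp)           # "what the package shipped"
        fresh = verify_manifest(tmp, manifest)   # nothing to report yet
        # Touch only the source's mtime (content unchanged) and rebuild the cache: the .pyc header
        # stores the source mtime, so the file bytes change although no code changed.
        st = src.stat()
        os.utime(src, (st.st_atime + 100, st.st_mtime + 100))
        py_compile.compile(str(src), cfile=str(pyc),
                           invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
        drifted = verify_manifest(tmp, manifest)
        return fresh, drifted

if __name__ == "__main__":
    fresh, drifted = pyc_regeneration_demo()
    print("after install:", fresh)             # []
    print("after cache rebuild:", drifted)     # ['__pycache__/mod.cpython-38.pyc']
```

The source file keeps its recorded hash throughout; only the cache entry moves. A mismatch on a `.py`, a binary or a config file would not have this explanation and deserves a closer look.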
#14
21.7 Legacy Series / Special Routing Issue
October 20, 2021, 04:54:03 PM
Hi,

I got two sites coupled via IPsec:

(A) is 10.X.X.X
(B) is 192.X.X.X

The IPsec tunnel works. Now at (A), I got an OPNsense appliance with a host connected that I want to reach from (B).


(B) == IPsec ==> (A) ==> OPNsense WAN IF ==> OPNsense LAN IF ==> Target Host

How can I achieve that? I do not see any packets coming in on the WAN IF of my OPNsense appliance (yes, logging is on, yes, a catch-all rule is defined).

Thanks in advance!
#15
Hi,

I set up GeoIP based filtering as described in the docs.

For now, I am only allowing inbound traffic on my LAN interface with the destination in a few countries. I allowed US, which gives me 104.0.0.0/12 in my aliases (pfTables).

Now, when I browse via my LAN interface, following my live log, https://www.maxmind.com (=> 104.17.215.67, see DNS answer below) is blocked. How can I find out where that server is located so that I can allow browsing to that site?

Non-authoritative answer:
Name:   www.maxmind.com
Address: 104.17.214.67
Name:   www.maxmind.com
Address: 104.17.215.67
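Added example (not from the post): before looking up where a server is located, it is worth checking arithmetically whether the address can match the alias at all. 104.0.0.0/12 covers 104.0.0.0 through 104.15.255.255, so 104.17.215.67 and 104.17.214.67 lie outside it and fall through to the final block rule regardless of GeoIP. The code below does that containment check with the standard library and evaluates a first-match ruleset shaped like the one described (pass to allowed aliases, block everything else). The alias table and ruleset are constructed for the example; only the 104.0.0.0/12 prefix comes from the post, and which country's table covers 104.17.0.0 is not something the page says.

```python
import ipaddress

def prefix_bounds(prefix):
    """First and last address covered by a CIDR prefix, e.g. 104.0.0.0/12 -> 104.0.0.0 .. 104.15.255.255."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net[0]), str(net[-1])

def matching_aliases(ip, aliases):
    """Names of the aliases (name -> list of prefixes) whose table contains ip, in alias order."""
    addr = ipaddress.ip_address(ip)
    return [name for name, prefixes in aliases.items()
            if any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)]

def evaluate(dst_ip, rules, aliases):
    """First-match evaluation: rules is an ordered list of (action, alias name or None);
    None matches any destination. Falls back to block if nothing matches (default deny)."""
    for action, alias in rules:
        if alias is None or alias in matching_aliases(dst_ip, aliases):
            return action
    return "block"

def explain(dst_ip, rules, aliases):
    """Human-readable verdict with the bounds of every alias that was consulted."""
    lines = [f"{dst_ip}: {evaluate(dst_ip, rules, aliases)}"]
    for action, alias in rules:
        if alias is None:
            continue
        bounds = ", ".join("%s-%s" % prefix_bounds(p) for p in aliases[alias])
        hit = "hit" if alias in matching_aliases(dst_ip, aliases) else "miss"
        lines.append(f"  {action} {alias} [{bounds}]: {hit}")
    return "\n".join(lines)

# Constructed alias table: GeoIP_US holds the one prefix the post mentions; the rest is illustrative.
SAMPLE_ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "GeoIP_US": ["104.0.0.0/12"],
}
SAMPLE_RULES = [("pass", "RFC1918"), ("pass", "GeoIP_US"), ("block", None)]

if __name__ == "__main__":
    for ip in ("104.17.215.67", "104.15.255.255", "10.0.1.5"):
        print(explain(ip, SAMPLE_RULES, SAMPLE_ALIASES))
```

If an address you expect to be allowed misses every alias, the next step is to check which prefixes the GeoIP alias actually loaded (Firewall -> Diagnostics -> pfTables) rather than the country assignment of the single IP.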
#16
Hi,

I am now running a WireGuard Road Warrior tunnel (only locally for testing). Everything works as expected, but I have access to my OPNsense web GUI, which I do not want to have when using the WireGuard tunnel. I could not see the packets in the live log, and the only rule I found that could explain that behavior is the auto-generated anti-lockout rule (see attachment).

What I do not understand is whether this anti-lockout rule, which is only enabled for the LAN interface, can "bleed" into the WireGuard interface (I added an interface alias on wg0 to use it in my firewall rules).

The rule belongs to the LAN and not the WireGuard interface. What am I missing?
#17
Hi,

I ultimately want to set up a WireGuard Road Warrior setup to be able to "secure" my mobile device's WiFi traffic in public networks. As an initial test, I want to connect locally (from my home network behind OPNsense) to the WG server running on the OPNsense, routing my traffic directly to the internet without any interference with local networks. Once this works, I want to do the same on the WAN interface with a port forward from my ISP's router.

Therefore, I followed that guide: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I was able to get a handshake and a successful Wireguard connection (OPNsense => Wireguard => Handshake => Latest Handshake available).

I also added a FW rule to the "WireGuardRoadWarrior" Interface that I added as given in the tutorial:

IPv4 TCP/UDP SOURCE WireGuardRoadWarrior net * DESTINATION !RFC1918 (My alias that I use for _the internet_) *

Unfortunately, I cannot reach public addresses, however, I can reach the OPNsense web GUI. I also see the WG traffic (DEST PORT 51820) and the WireGuardRoadWarrior Interface traffic on :443 on the live log. However, my browser does not get a response.

Do you have any ideas what the problem could be?

Here's the output from the WireGuard page on OPNsense:

interface: wg0
  public key: XXXXX
  private key: (hidden)
  listening port: 51820

peer: YYYYY
  endpoint: 10.0.1.11:57092
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute ago
  transfer: 23.49 KiB received, 29.60 KiB sent

Here's the PEER CONFIG

[Interface]
PrivateKey = ZZZZ
Address = 10.10.10.2/24

[Peer]
PublicKey = ZZZZ
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.1:51820

Let me know if you require any more information.

... or should I rather use OpenVPN?  ::)
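Added example (not from the post and not OPNsense's code): a consistency check between a road-warrior client config and the server's `wg show` output, which is the first thing to do when a handshake succeeds but traffic does not flow. It encodes two WireGuard facts that matter for the firewall questions in this thread: on the server, a peer's AllowedIPs is cryptokey routing, so the server silently drops packets from that peer whose source address is not inside it (a client cannot spoof another source); on the client, AllowedIPs decides which destinations enter the tunnel at all, so with 0.0.0.0/0 every packet goes to the server and the rules on the WireGuard interface there are where policy is enforced. The inputs mirror the values posted above with placeholder keys, and a second, deliberately inconsistent client config is constructed to show the findings.

```python
import ipaddress
import re

def parse_wg_conf(text):
    """Parse a wg-quick style config into {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(Interface|Peer)\]", line)
        if header:
            if header[1] == "Peer":
                current = {}
                conf["Peer"].append(current)
            else:
                current = conf["Interface"]
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conf

def parse_wg_show(text):
    """Parse `wg show` output into {"listening port": int, "peers": [{"allowed ips": [...], ...}]}."""
    iface = {"peers": []}
    current = iface
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "peer":
            current = {"public key": value}
            iface["peers"].append(current)
        elif key == "allowed ips":
            current[key] = [v.strip() for v in value.split(",")]
        elif key == "listening port":
            iface[key] = int(value)
        else:
            current[key] = value
    return iface

def check_roadwarrior(client_conf_text, server_show_text):
    """Cross-check a road-warrior client config against the server's `wg show`; returns findings."""
    client = parse_wg_conf(client_conf_text)
    server = parse_wg_show(server_show_text)
    findings = []
    addr = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    # Server side: packets from this peer are accepted only if their source is inside AllowedIPs.
    if not any(addr in ipaddress.ip_network(a, strict=False)
               for peer in server["peers"] for a in peer.get("allowed ips", [])):
        findings.append(f"no server peer has AllowedIPs covering client address {addr}")
    for peer in client["Peer"]:
        # Client side: AllowedIPs selects which destinations are sent into the tunnel.
        nets = [ipaddress.ip_network(a.strip(), strict=False) for a in peer["AllowedIPs"].split(",")]
        if not any(n.prefixlen == 0 for n in nets):
            findings.append("client AllowedIPs is not 0.0.0.0/0: split tunnel, only listed networks are sent")
        _, _, port = peer["Endpoint"].rpartition(":")
        if int(port) != server.get("listening port"):
            findings.append(f"client endpoint port {port} differs from server listening port "
                            f"{server.get('listening port')}")
    return findings

# Constructed inputs mirroring the values in the post; keys are placeholders.
SERVER_SHOW = """\
interface: wg0
  public key: XXXXX
  private key: (hidden)
  listening port: 51820

peer: YYYYY
  endpoint: 10.0.1.11:57092
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute ago
  transfer: 23.49 KiB received, 29.60 KiB sent
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = ZZZZ
Address = 10.10.10.2/24

[Peer]
PublicKey = XXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.1:51820
"""

# Deliberately inconsistent client: address outside the server's AllowedIPs, and a split tunnel.
SPLIT_CLIENT_CONF = CLIENT_CONF.replace("10.10.10.2/24", "10.10.10.9/24").replace("0.0.0.0/0", "10.0.0.0/8")

if __name__ == "__main__":
    print("posted setup:", check_roadwarrior(CLIENT_CONF, SERVER_SHOW) or "consistent")
    print("broken setup:", check_roadwarrior(SPLIT_CLIENT_CONF, SERVER_SHOW))
```

For the values posted above the check comes back clean, which is the expected result when the handshake already works: the remaining candidates are then outside WireGuard itself, in how the firewall treats the WireGuard interface and how traffic leaving for the internet is translated.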
#18
Hi,

when on the road (hotels, cafés, etc.) there is "free WiFi" or LAN everywhere. I am looking for a small device running OPNsense which I can connect to the "free WiFi" and open up my private WiFi / LAN to connect all my devices to (smartphones, laptop, etc.). The OPNsense shall then tunnel all packets to my home OPNsense via a VPN tunnel.

Any hardware recommendations? I think the tricky part is the WiFi gateway. Is it technically possible to make the OPNsense work with these webpages where you have to accept terms and enter vouchers?
#19
21.7 Legacy Series / Risks of exposing one port to WAN
August 25, 2021, 10:53:59 AM
Hi,

I got kind of a philosophical question. Currently, I am running a router cascade (Fritz.Box + OPNsense Appliance behind it).

I am using the Fritz.Box' VPN (IPsec) currently for site-to-site as well as for mobile client access. The problem now is that Apple's mobile devices do not allow a persistent IPsec tunnel. Hence, I want to use either OpenVPN or Wireguard along with the respective applications that allow me to do exactly that. I now wonder what could happen if I forward the OpenVPN / Wireguard port of the Fritz.Box to the OPNsense WAN. Obviously, I only want to open this one respective port. What is generally the risk of opening ports?

Assuming I use Wireguard for my mobile clients, what are the attack scenarios / vectors which are added to my current setup (since the Fritz.Box uses IPsec, it must have opened UDP 4500 and 500)?
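Added example (not from either post), covering the hardening question further up and the exposure question here. A WireGuard listener does not answer packets that fail its cryptographic check, so a scanner gets no reply and cannot tell the port from a closed one; the firewall pass rule for UDP 51820 still lets those probes through to WireGuard, and the filter log (when logging is enabled on that rule) is where they become visible. The script parses the CSV payload of OPNsense filterlog entries, counts per-source activity on the VPN port, and separates a genuine client (only ever talks to 51820) from a scanner (touches 51820 and is also blocked on other ports). The log lines are constructed with TEST-NET addresses; the field positions follow the filterlog format as documented for IPv4 TCP/UDP and should be confirmed against a line from your own log, and igb0 as the WAN interface name is an assumption.

```python
import csv
from collections import Counter, defaultdict

# Field layout of the CSV payload filterlog writes for IPv4 TCP/UDP packets: rule number, sub rule,
# anchor, rule label, interface, reason, action, direction, IP version, the IPv4 header fields,
# source/destination, then ports. Check these positions against your own log before relying on them.
COMMON = ["rulenr", "subrulenr", "anchor", "label", "interface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "proto", "length", "src", "dst"]
L4 = ["srcport", "dstport", "datalen"]   # TCP lines carry more fields after these; ignored here

def parse_filterlog(line):
    """Parse one filterlog CSV payload (IPv4, TCP or UDP) into a dict, or None for anything else."""
    fields = next(csv.reader([line]))
    names = COMMON + IPV4 + L4
    if len(fields) < len(names) or fields[8] != "4":
        return None
    rec = dict(zip(names, fields))
    if rec["proto"] not in ("tcp", "udp"):
        return None
    rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
    return rec

def port_activity(lines, port):
    """{source address: Counter({'pass': n, 'block': m})} for packets aimed at `port`."""
    activity = defaultdict(Counter)
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["dstport"] == port:
            activity[rec["src"]][rec["action"]] += 1
    return activity

def noisy_sources(lines, port, threshold):
    """Sources that sent at least `threshold` packets to `port`, most active first."""
    totals = {src: sum(c.values()) for src, c in port_activity(lines, port).items()}
    return sorted(((src, n) for src, n in totals.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))

def scanners(lines, vpn_port):
    """Sources that touched vpn_port and were also blocked on other ports: a scanner, not a client."""
    touched_vpn, blocked_elsewhere = set(), set()
    for line in lines:
        rec = parse_filterlog(line)
        if not rec:
            continue
        if rec["dstport"] == vpn_port:
            touched_vpn.add(rec["src"])
        elif rec["action"] == "block":
            blocked_elsewhere.add(rec["src"])
    return sorted(touched_vpn & blocked_elsewhere)

# Constructed sample lines (TEST-NET addresses), not taken from any real log. Port 51820 is the
# WireGuard port from the thread; "igb0" as the WAN interface and the rule labels are made up.
SAMPLE_LINES = [
    "70,,,1d5a0a4d,igb0,match,pass,in,4,0x0,,54,9876,0,DF,17,udp,180,198.51.100.7,203.0.113.2,40123,51820,160",
    "70,,,1d5a0a4d,igb0,match,pass,in,4,0x0,,54,9877,0,DF,17,udp,180,198.51.100.7,203.0.113.2,40123,51820,160",
    "70,,,1d5a0a4d,igb0,match,pass,in,4,0x0,,240,0,0,none,17,udp,60,192.0.2.66,203.0.113.2,53111,51820,40",
    "70,,,1d5a0a4d,igb0,match,pass,in,4,0x0,,240,0,0,none,17,udp,60,192.0.2.66,203.0.113.2,53112,51820,40",
    "70,,,1d5a0a4d,igb0,match,pass,in,4,0x0,,240,0,0,none,17,udp,60,192.0.2.66,203.0.113.2,53113,51820,40",
    "5,,,c0ffee00,igb0,match,block,in,4,0x0,,240,0,0,none,6,tcp,60,192.0.2.66,203.0.113.2,53114,22,40,S,1,,65535,,mss",
]

if __name__ == "__main__":
    print("hits on 51820:", noisy_sources(SAMPLE_LINES, 51820, 1))
    print("scanners:", scanners(SAMPLE_LINES, 51820))
```

The residual exposure of one open WireGuard port is the WireGuard implementation itself plus whatever the rules on the WireGuard interface allow once a peer has authenticated; the probes the script surfaces are noise the listener already ignores, and a source that also trips the block rule on unrelated ports is the one worth adding to a block alias.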
#20
Hi,

I use Unbound DNS on port 53 to forward to BIND on port 53530, where BIND does DNS blacklisting (I found that way more reliable than Unbound).

Question: how can I exclude single hosts (e.g. a gaming console) from DNSBL, e.g. to use multiplayer features?

Thanks!