OPNsense Forum
Topics - jimjohn

1
General Discussion / check_mk Server (!) on OPNsense appliance
« on: October 12, 2022, 11:55:57 am »
Hi, I want to start monitoring my network better. I found that check_mk may be suitable. Since my hardware is a little limited and the OPNsense is running 24/7 anyway, I thought I would make the OPNsense the check_mk server and all other real (Proxmox) and virtual (VM / LXC) hosts agents. Does this make sense? Does anyone do this? I only found a check_mk agent plugin for OPNsense, no server plugin. Or is check_mk not the right approach? I would like to see if my apt / yum packages are out of date and monitor suspicious activity in logs / network traffic. The OPNsense could be server and agent at the same time, I think. Glad if you can help me get on the right track!

2
22.7 Legacy Series / Display an explanatory page when DNS block / firewall rules kick in
« on: July 29, 2022, 08:12:01 am »
Hi all,

is it possible to display an explanatory static page once either DNS block lists or firewall rules kick in and avoid the display of a webpage?

Thanks!

3
Virtual private networks / Harden OPNsense for WireGuard Access
« on: July 21, 2022, 12:31:10 pm »
Hi,

I successfully configured WireGuard on an OPNsense behind a Fritz!Box. I did a port forward to the WAN of the OPNsense and was able to connect from my cellphone. So far so good. Before I activate the port forward in the Fritz!Box permanently, I wonder if there is anything I can do on the WAN side of the OPNsense to harden it, for example against any spamming / port scanning / flooding. How do you harden your VPN ports properly?

Second question: if I only want to use WireGuard for road-warrior usage, would you allow all traffic via the tunnel and block the packets on the WireGuard side via the firewall rules? Or can I somehow decide even earlier on the cellphone?

Third question: I have two interfaces for WireGuard on the OPNsense: the WireGuard (Group) and my specific WireGuard interface. How do you manage the rules here? Is the "Group" interface similar to the "Floating Rules" but only for the WireGuard interfaces?

4
German - Deutsch / No internet on the LAN interface
« on: February 28, 2022, 11:22:02 pm »
Hello,

I am at my wit's end. I have no internet on the LAN interface. A MikroTik switch is attached to the LAN IF; the DHCP server runs on the OPNsense. IP, DNS server (Bind) and router are handed out correctly via DHCP.

On the PC behind the switch I can resolve DNS queries with nslookup, so DNS is not the problem. Even with an ANY ANY rule I cannot reach any website in the browser. traceroute does not work. OPNsense updates work. Pinging the internet from the WAN interface out of the OPNsense GUI works, but from the LAN interface out of the OPNsense GUI it does not. I suspect the problem lies somewhere here.

I set up a single gateway, which obviously works. In the firewall log I see no packets at all, neither for the catch-all rule (DENY ALL at the very end) nor for any ALLOW rule.

The topology is Fritzbox <> OPNsense <> MikroTik switch <> PC.

What am I doing wrong?

5
German - Deutsch / VLAN with LAGG / LACP (?)
« on: February 26, 2022, 02:41:57 pm »
Hello everyone,

for lack of a sufficient number of physical NICs on my OPNsense appliance, I now want to set up VLANs using a downstream switch. Some time ago I read that the interfaces should apparently be configured as LAGG or LACP beforehand, "so that arbitrary VLANs can be added at any time" (?). Maybe I am mixing something up. Unfortunately I can no longer find the article and do not remember where exactly I read it.

Can anyone make sense of this? What could be meant by it? Do I lose flexibility if I simply set up the VLANs as they are? My goal is really just to route the switch ports through the OPNsense and decide there which packets may go in which direction, i.e. effectively increase the number of physical devices with their own permissions that I can connect to the OPNsense appliance.

Thanks a lot for your help!

6
22.1 Legacy Series / [FEATURE REQUEST] Overview Edit Mode
« on: February 11, 2022, 01:45:25 pm »
Hi all,

I do not know where to put this best, but feel free to move it to another sub-forum.

For me it is very annoying that I have to open each firewall rule I want to change, scroll down, find the correct text field, click save, scroll down again in the overview, and repeat.

So I thought about how this could be handled better in terms of user experience. Basically I think it is quite simple. In the overview (Firewall -> Rules -> Interface), if you hover over any "label" and it were transformed into a "text box" where you could directly change the content, this would help tremendously when editing multiple rules, adding a port, or even adding a whole rule. If you needed specialties or advanced settings, you could still use the detailed editing page as it is now.

Is there any chance to see something like that? Or has this been discussed in the past?

Thank you for your feedback!

7
Virtual private networks / No HTTPS over OpenVPN Site-to-Site Tunnel
« on: December 26, 2021, 02:20:25 pm »
Hi all,

I am running some services over an OpenVPN tunnel between two OPNsenses. These services run well and can communicate with each other. However, I cannot reach port :443 and display a webpage over HTTPS on Site B from Site A, although I can see the HTTPS request pass in the firewall log of Site B (so the packet is definitely not blocked on Site A, is definitely sent through the VPN tunnel and is definitely not blocked on Site B; it is marked as an "outgoing" packet of the "ovpns1" interface and passed through to my physical interface by the "let out anything from the firewall host itself" rule).

When physically being on Site B, I can access the webpage through OPNsense, so the server is definitely working as well. I am using a self-signed certificate, all private since everything is happening within the tunnel network.

All looks fine to me, but it is still not working. What could that be? No hint in the OpenVPN log (level 4) either ... I am stuck.

Any help is very much appreciated!

8
21.7 Legacy Series / Update Error
« on: December 12, 2021, 12:29:42 pm »
Hi, I got an error when updating my OPNsense. It seems stuck somewhere between 21.7.4 and 21.7.6. I suppose it happened due to an aborted update.

When updating, it tries to update the "base" and "kernel" packages, everything else seems to be the newest version available. It declares "no signature found" while / after fetching the packages and does not proceed with updating as a consequence of that. What can I do?

Versions:

Code:
base 21.7.4
kernel 21.7.4

Update output:
Code:
***GOT REQUEST TO UPDATE***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): . done
Processing candidates (1 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/wpa_supplicant-2.9_11~d6fe3dca64.txz
/var/cache/pkg/unbound-1.13.2~c2781a1635.txz
/var/cache/pkg/wpa_supplicant-2.9_11.txz
/var/cache/pkg/syslog-ng-3.34.1.txz
/var/cache/pkg/unbound-1.13.2.txz
/var/cache/pkg/syslog-ng-3.34.1~f2a9b4d4db.txz
/var/cache/pkg/strongswan-5.9.4~3776e982e1.txz
/var/cache/pkg/squid-4.15~6ec79a5499.txz
/var/cache/pkg/strongswan-5.9.4.txz
/var/cache/pkg/squid-4.15.txz
/var/cache/pkg/python38-3.8.12_1~aa001528c2.txz
/var/cache/pkg/python38-3.8.12_1.txz
The cleanup will free 23 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-21.7.5-amd64.txz: ... done
Fetching kernel-21.7.5-amd64.txz: ............................................................ failed, no signature found
***DONE***

Health output:

Code:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Sun Dec 12 12:06:10 CET 2021
>>> Check installed kernel version
Version 21.7.4 is incorrect, expected: 21.7.5
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.4 is incorrect, expected: 21.7.5
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***

9
Virtual private networks / OpenVPN Site-to-Site Tunnel UP but no connection
« on: December 07, 2021, 04:26:08 pm »
Hi all,

I am driving myself crazy on this. Got two sites that I want to connect with each other for backup purposes via OpenVPN. Each site has a unit connected directly to the respective interface on the OPNsense (both sites have OPNsenses).

a) I could get the connection up (see screenshot) but I am not able to ping from OPNsense A to OPNsense B. I guess I am messing something up with my firewall rules. What am I doing wrong?

b) On OPNsense B I got 2 additional gateways, one for IPv4 and one for IPv6, after creating the OpenVPN client. However, I am not using IPv6 on either of the OPNsenses and OPNsense A only has one gateway for IPv4. How can I get rid of the additional IPv6 gateway?

Thanks for your help.

10
21.7 Legacy Series / SOLVED: 21.7.4: Health check fails
« on: October 28, 2021, 11:58:33 am »
Hi,

after upgrading to the latest version, I get a suspicious health check. Anyone encountered this as well?

Code:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.4 (amd64/OpenSSL) at XXX
>>> Check installed kernel version
Version 21.7.4 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.4 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ........
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/io.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/os.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/posixpath.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/re.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/site.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/sre_compile.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/sre_parse.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/stat.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/threading.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/token.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/tokenize.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/traceback.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/types.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/warnings.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/encodings/__pycache__/aliases.cpython-38.pyc
Checking all packages..... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***
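
The two audit outputs above (this post and the update error post from December) are the kind of text an operator ends up reading by eye on every firewall. The following is an added example, not code from the post or from OPNsense, that reduces such an audit to the facts one acts on: the running version, any "Version X is incorrect, expected: Y" line for kernel and base (the signature of an incomplete upgrade), and every "checksum mismatch" line, split into bytecode files that the interpreter itself rewrites (`.pyc`, treated here as an assumption about what is benign) and everything else. The sample input is constructed from the lines quoted in the two posts, spliced together; it is not a verbatim capture of either.

```python
import re

# Constructed sample in the shape of the two audit outputs quoted in the posts:
# the incomplete-upgrade case with the checksum lines spliced in.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Sun Dec 12 12:06:10 CET 2021
>>> Check installed kernel version
Version 21.7.4 is incorrect, expected: 21.7.5
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.4 is incorrect, expected: 21.7.5
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ........
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/io.cpython-38.pyc
python38-3.8.12_1: checksum mismatch for /usr/local/lib/python3.8/__pycache__/os.cpython-38.pyc
Checking all packages..... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***
"""

RUNNING_RE = re.compile(r"^Currently running OPNsense (\S+) ")
SECTION_RE = re.compile(r"^>>> Check installed (\S+) version$")
VERSION_RE = re.compile(r"^Version (\S+) is (correct|incorrect)(?:, expected: (\S+))?\.?$")
MISMATCH_RE = re.compile(r"^(\S+): checksum mismatch for (\S+)$")

# Assumption: a drifted checksum on compiled bytecode is usually the interpreter
# rewriting the file, not tampering. Anything else is reported for a closer look.
REGENERATED_SUFFIXES = (".pyc",)


def parse_audit(text):
    """Extract running version, kernel/base version mismatches and checksum mismatches."""
    report = {"running": None, "version_mismatches": [], "checksum_mismatches": []}
    component = None
    for line in text.splitlines():
        m = RUNNING_RE.match(line)
        if m:
            report["running"] = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            component = m.group(1)  # "kernel" or "base"
            continue
        m = VERSION_RE.match(line)
        if m and m.group(2) == "incorrect":
            report["version_mismatches"].append((component, m.group(1), m.group(3)))
            continue
        m = MISMATCH_RE.match(line)
        if m:
            report["checksum_mismatches"].append((m.group(1), m.group(2)))
    return report


def triage(report):
    """Turn the parsed audit into a verdict plus the files that still need eyes."""
    suspicious = [(pkg, path) for pkg, path in report["checksum_mismatches"]
                  if not path.endswith(REGENERATED_SUFFIXES)]
    return {
        "incomplete_upgrade": bool(report["version_mismatches"]),
        "bytecode_only": bool(report["checksum_mismatches"]) and not suspicious,
        "suspicious_files": suspicious,
        "packages_touched": sorted({pkg for pkg, _ in report["checksum_mismatches"]}),
    }


if __name__ == "__main__":
    parsed = parse_audit(SAMPLE_AUDIT)
    print(parsed["running"], parsed["version_mismatches"])
    print(triage(parsed))
```

A kernel/base mismatch with a newer running version means the package set moved on while the base system did not (the failed `kernel-*.txz` fetch in the other post); the remedy is to finish the base/kernel update, not to touch packages. A mismatch on a non-bytecode file is the case that warrants a forced reinstall of the package and a look at who wrote the file.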

11
21.7 Legacy Series / Special Routing Issue
« on: October 20, 2021, 04:54:03 pm »
Hi,

I got two sites coupled via IPsec:

(A) is 10.X.X.X
(B) is 192.X.X.X

The IPsec tunnel works. Now at (A), I have an OPNsense appliance with a host connected that I want to reach from (B).

(B) == IPsec ==> (A) ==> OPNsense WAN IF ==> OPNsense LAN IF ==> Target Host

How can I achieve that? I do not see any packets coming in on the WAN IF of my OPNsense appliance (yes, logging is on, yes, a catch-all rule is defined).

Thanks in advance!

12
21.7 Legacy Series / GeoIP Filtering US does not allow .com domain with IP in US
« on: August 29, 2021, 01:32:43 pm »
Hi,

I set up GeoIP based filtering as described in the docs.

For now, I am only allowing inbound traffic on my LAN interface with a destination in a few countries. I allowed US, which gives me 104.0.0.0/12 in my aliases (pfTables).

Now, when I browse via my LAN interface, following my live log, https://www.maxmind.com (=> 104.17.215.67, see DNS answer below) is blocked. How can I find out where that server is located, so that I can allow browsing to that site?

Non-authoritative answer:
Name:   www.maxmind.com
Address: 104.17.214.67
Name:   www.maxmind.com
Address: 104.17.215.67
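
The check a practitioner would do before touching the rules is to confirm whether the blocked address actually falls inside the prefix the alias contains, and what that prefix really covers. Below is an added example, not code from the post or from OPNsense, that parses the nslookup answer quoted above, expands the prefix to its first and last address, and reports which answers no table entry matches. The alias table is constructed from the single prefix the post mentions; a real GeoIP table holds thousands of entries and would be loaded from the alias export instead.

```python
import ipaddress
import re

# The DNS answer quoted in the post, used here as constructed input.
NSLOOKUP_ANSWER = """\
Non-authoritative answer:
Name:   www.maxmind.com
Address: 104.17.214.67
Name:   www.maxmind.com
Address: 104.17.215.67
"""

# Constructed table: the one prefix the post reports seeing in the US alias.
US_TABLE = ["104.0.0.0/12"]

ADDRESS_RE = re.compile(r"^Address:\s+(\S+)$")


def parse_nslookup(text):
    """Return the answer addresses as ip_address objects, in answer order."""
    addresses = []
    for line in text.splitlines():
        m = ADDRESS_RE.match(line)
        if m:
            addresses.append(ipaddress.ip_address(m.group(1)))
    return addresses


def table_range(prefix):
    """First and last address a prefix covers; a /12 is narrower than it looks."""
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1])


def coverage(addresses, table):
    """Map each address to the first table prefix containing it, or None."""
    nets = [ipaddress.ip_network(p) for p in table]
    return {str(a): next((str(n) for n in nets if a in n), None) for a in addresses}


def uncovered(addresses, table):
    """Addresses that would be dropped by a rule allowing only the table."""
    return [a for a, hit in coverage(addresses, table).items() if hit is None]


if __name__ == "__main__":
    answers = parse_nslookup(NSLOOKUP_ANSWER)
    print(table_range(US_TABLE[0]))
    print(coverage(answers, US_TABLE))
```

Run against the post's data, `table_range` shows that 104.0.0.0/12 ends at 104.15.255.255, so both 104.17.x.x answers fall outside it; the question is then which other prefix in the full table (if any) holds them, which `coverage` answers as soon as the whole alias export is passed in.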

13
Virtual private networks / LAN IF anti-lockout rule bleeding into WireGuard IF?
« on: August 28, 2021, 10:57:11 pm »
Hi,

I am now running a WireGuard Road Warrior tunnel (only locally for testing). Everything works as expected, but I have access to my OPNsense web GUI, which I do not want to have when using the WireGuard tunnel. I could not see the packets in the live log, and the only rule I found that could explain that behavior is the auto-generated anti-lockout rule (see attachment).

What I do not understand is if this anti-lockout-rule, which is only enabled for the LAN interface, can "bleed" into the WireGuard interface (I added an interface alias on wg0 to use it in my firewall rules).

The rule belongs to the LAN and not the WireGuard interface. What am I missing?

14
Virtual private networks / WireGuard RoadWarrior Internet Access not working
« on: August 28, 2021, 08:17:53 pm »
Hi,

I ultimately want to set up a WireGuard Road Warrior configuration to be able to "secure" my mobile device's WiFi traffic in public networks. As an initial test, I want to connect locally (from my home network behind OPNsense) to the WG server running on the OPNsense, routing my traffic directly to the internet without any interference with local networks. Once this works, I want to do the same on the WAN interface with a port forward from my ISP's router.

Therefore, I followed this guide: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I was able to get a handshake and a successful Wireguard connection (OPNsense => Wireguard => Handshake => Latest Handshake available).

I also added a FW rule to the "WireGuardRoadWarrior" Interface that I added as given in the tutorial:

IPv4 TCP/UDP SOURCE WireGuardRoadWarrior net * DESTINATION !RFC1918 (My alias that I use for _the internet_) *

Unfortunately, I cannot reach public addresses, however, I can reach the OPNsense web GUI. I also see the WG traffic (DEST PORT 51820) and the WireGuardRoadWarrior Interface traffic on :443 on the live log. However, my browser does not get a response.

Do you have any ideas what the problem could be?

Here's the output from the WireGuard page on OPNsense:

interface: wg0
  public key: XXXXX
  private key: (hidden)
  listening port: 51820

peer: YYYYY
  endpoint: 10.0.1.11:57092
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute ago
  transfer: 23.49 KiB received, 29.60 KiB sent

Here's the PEER CONFIG

[Interface]
PrivateKey = ZZZZ
Address = 10.10.10.2/24

[Peer]
PublicKey = ZZZZ
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.1:51820

Let me know if you require any more information.

... or should I rather use OpenVPN?  ::)
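
The server listing and the peer config above are the two halves of a WireGuard cryptokey-routing setup, and the second question in the hardening post (whether a road warrior can decide "earlier on the cellphone" what enters the tunnel) is answered by the client's `AllowedIPs`. The following is an added example, not code from the post or from OPNsense, that parses `wg show` output and a wg-quick style client config and cross-checks them: the client address must lie inside the allowed ips the server holds for that peer (otherwise the server silently drops its packets), the endpoint port must match the listening port, and a `0.0.0.0/0` entry marks a full tunnel, which in turn needs a pass rule on the WireGuard interface and outbound NAT for the tunnel network on WAN (the NAT requirement is stated as an assumption in the code). Keys are masked on the page, so key pairing is not checked; the inputs are the post's listings used as constructed samples.

```python
import ipaddress

# Both inputs are the masked listings from the post, used as constructed samples.
WG_SHOW = """\
interface: wg0
  public key: XXXXX
  private key: (hidden)
  listening port: 51820

peer: YYYYY
  endpoint: 10.0.1.11:57092
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute ago
  transfer: 23.49 KiB received, 29.60 KiB sent
"""

PEER_CONF = """\
[Interface]
PrivateKey = ZZZZ
Address = 10.10.10.2/24

[Peer]
PublicKey = ZZZZ
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.1:51820
"""


def parse_wg_show(text):
    """Parse `wg show <if>` output into an interface dict and a list of peer dicts."""
    result = {"interface": {}, "peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "interface":
            current = result["interface"]
            current["name"] = value
        elif key == "peer":
            current = {"public key": value}
            result["peers"].append(current)
        else:
            current[key] = value
    return result


def parse_wg_conf(text):
    """Parse a wg-quick style config: one [Interface], any number of [Peer] sections."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peers"].append(section)
        else:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf


def _networks(csv):
    return [ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",")]


def check_roadwarrior(server, client):
    """Cross-check the client config against the server's view of the same peer."""
    findings = []
    client_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    peer = client["Peers"][0]
    # 1. Cryptokey routing: the server drops a decrypted packet unless its source
    #    address lies inside the allowed ips configured for that peer.
    server_allowed = [n for p in server["peers"] for n in _networks(p["allowed ips"])]
    if not any(client_ip in n for n in server_allowed):
        findings.append(f"{client_ip} is outside every server-side allowed ips entry")
    # 2. The client must dial the port the interface actually listens on.
    endpoint_port = peer["Endpoint"].rsplit(":", 1)[1]
    listen_port = server["interface"]["listening port"]
    if endpoint_port != listen_port:
        findings.append(f"endpoint port {endpoint_port} != listening port {listen_port}")
    # 3. The client's AllowedIPs decides on the phone what enters the tunnel:
    #    a default route entry is a full tunnel, anything narrower is split.
    full_tunnel = any(n.prefixlen == 0 for n in _networks(peer["AllowedIPs"]))
    return {
        "client_ip": str(client_ip),
        "handshake": any("latest handshake" in p for p in server["peers"]),
        "mode": "full-tunnel" if full_tunnel else "split-tunnel",
        # Assumption: internet-bound tunnel traffic needs outbound NAT on WAN
        # for the tunnel network, plus a pass rule on the WireGuard interface.
        "needs_outbound_nat": full_tunnel,
        "findings": findings,
    }


if __name__ == "__main__":
    print(check_roadwarrior(parse_wg_show(WG_SHOW), parse_wg_conf(PEER_CONF)))
```

For the configs in the post the checker reports a full tunnel with a completed handshake and no routing or port findings, which narrows the internet problem to what happens after the packet leaves the tunnel: the pass rule on the WireGuard interface (the one on the page allows only TCP/UDP, so ICMP tests will not pass) and NAT on the way out. Listing only the home networks in `AllowedIPs` instead of `0.0.0.0/0` turns the same setup into a split tunnel, decided on the phone.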

15
Hardware and Performance / Cheap WiFi <=> WiFi / LAN gateway
« on: August 25, 2021, 11:01:36 am »
Hi,

when on the road (hotels, cafés, etc.) there is "free WiFi" or LAN everywhere. I am looking for a small device running OPNsense which I can connect to the "free WiFi" and which opens up my private WiFi / LAN to connect all my devices to (smartphones, laptop, etc.). The OPNsense shall then tunnel all packets to my home OPNsense via a VPN tunnel.

Any hardware recommendations? I think the tricky part is the WiFi gateway. Is it technically possible to make the OPNsense work with these webpages where you have to accept terms and enter vouchers?

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved