Topics - road hazard

#1
When I was using Untangle, to get -FULL- visibility into all network traffic to/from my machines, I vaguely remember having to import a cert into each computer and it was just a manual, ugly, pain in the butt and never fully worked well and broke a lot of things so I eventually gave up on it.

With ZenA 1.17, would all that be a thing of the past, and would I be able to inspect everything without visiting each machine to install a cert and without fear of breaking apps? My kids are of the age where I want to have more visibility into what they're doing on the internet and I'm wondering if now is a time to give ZA 1.17 a try?

#2
I was poking around in the Zenarmor web reporting tool and this error popped up:

critical: engine configuration error: cannot read any worker configuration from workers.map

I was able to dismiss it and things SEEM ok? Any ideas?

BTW, I was in there testing out blocking pornographic sites and it did work but looking through the logs, I didn't see anywhere that told me the exact URL that was blocked. It would be nice to see this info because of the site possibly being mis-classified and if I know the URL, I could white list it.

Thanks
#3
In Untangle, there was a spot you could go to and manually enter names for devices on your network. Looking at my DHCP leases: (see attached picture) ..... there's lots of blank hostnames.

Is it possible (without using the static DHCP feature), to go in and add some text to each of those devices that are missing the hostname so I know what they are?

UTC log file question..... in some of the logs, they have a UTC timestamp. Is there any way to remove UTC stamps and have -EVERY- log file use my current time zone's timestamp?
#4
I have a SiliconDust HDHomeRun TV tuner. It's currently at IP address 172.16.50.138. If I look at DHCP leases in the dashboard, it shows my tuner as active but offline (see attached picture).

I can ping it and watch TV with it so why does OPNsense think it's offline?

UPDATE: Never mind. I power cycled it and it's showing as online now. Guess if it hasn't talked to the OPNsense box in a while it's considered 'offline'.
#5
In the Firewall>NAT section, I created a rule to allow Plex to work. Inbound 32400 and everything is working just fine.

Then, I duplicated that rule and created one for Emby in the same section. Again, no problem.

The weird thing (to me at least and probably due to my lack of understanding and general newbie'ness) is.... I spotted the Emby rule in the Firewall>Rules>WAN section. I didn't create an Emby rule in that section and it looks like OPNsense populated it there by itself?

BTW, how can I embed my pictures into the post vs. having them as attachments? (If I can figure that out, I'll edit my post. :) Or does embedding only work when you link to pictures hosted off-site?

#6
I made this post https://forum.opnsense.org/index.php?topic=32152.0 over in the VPN forum and for the life of me, I can not get an .ovpn file generated that has the CA data in there. I want to use the OpenVPN Client and not Viscosity.

I re-read the documentation on setting up the OpenVPN server and deleted everything and started fresh but I always end up with a .ovpn file that lacks the CA info. Heck, it even lacks the key and cert info.

I had an Asus router before and setting up OpenVPN on that thing was a breeze. Clicked a few buttons and minutes later, I had a properly formatted .ovpn file that imported into the OpenVPN client and away it went. I was comparing the Asus generated .ovpn file to the one created in OPNsense and I don't see any of those 3 sections I mentioned above (ca, key, cert) in the OPNsense .ovpn file.

I put the Asus in access point mode and want to use OPNsense but something is messed up. Either I totally suck at following directions, the OPNsense documentation is wrong or there's a bug somewhere with 23.1. :)

BTW, this is a fresh install of 23.1.

Does OPNsense offer fee based tech support for one-off issues? I just need somebody on a TeamViewer session for like 5 minutes to walk me through this. Anything cheaper than the $300/year option? Like $50 per incident? I'm just a single user at my house and want to use OpenVPN to get into my network when I'm on the road.
#7
When I had my ASUS router up and running, I enabled OpenVPN in it, set everything up and exported the .ovpn and imported it into the OpenVPN Connect Client (v3.x) and everything worked perfectly.

I put the ASUS router in AP mode and put it behind a fresh install of OPNsense (23.1) and am trying to set up OpenVPN. I followed the guide on setting it up (not using MFA or anything fancy....just username/pass) and I'd like to use the OpenVPN client and not Viscosity.

I can import the .ovpn file into the OpenVPN client but when I try to connect, I get a 'missing external certificate' error. If I click 'continue', I get the following error: SSL_context_error: OpenSSLContext: CA not defined

I found some fixes from a year or two ago but the parts in the .ovpn file that are usually referenced don't exist in the file that OPNsense 23.1 creates.

Next up, I found somebody talking about using the OpenVPN GUI version (aka, community edition). I installed that and imported my .ovpn file and I'm getting this error: (from the client)
2023-01-28 23:47:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-01-28 23:47:18 Cannot pre-load keyfile (VPN_Server_SSLVPN_Server_Certificate-tls.key)
2023-01-28 23:47:18 Exiting due to fatal error
Any ideas? (Besides using Viscosity :) )
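Both client errors quoted in the two posts above ("CA not defined" and "Cannot pre-load keyfile ...") describe the same defect in a profile: the .ovpn refers to key material that is neither embedded inline between `<ca>`/`<cert>`/`<key>`/`<tls-auth>`/`<tls-crypt>` tags nor present as a file next to the profile. The script below is an added example, not code from OPNsense, OpenVPN or the poster; it parses a profile the way the OpenVPN config grammar works (directive lines plus inline blocks), reports where each piece of material lives, and flags what the client would fail on. The two sample profiles and the `vpn.example.invalid` remote are constructed for the example; the only file name taken from the thread is the `-tls.key` reference from the error message.

```python
"""Check an OpenVPN client profile (.ovpn) for the material a client needs.

Added example; not OPNsense or OpenVPN project code.  It mimics the two
failures quoted in the thread: a missing CA ("CA not defined") and a
directive that points at a file which is not next to the profile
("Cannot pre-load keyfile").
"""
import os
import re

# Directives that carry key material.  tls-auth and tls-crypt are
# alternatives; either one fills the "tls key" slot.
MATERIAL = ("ca", "cert", "key", "tls-auth", "tls-crypt")

INLINE_OPEN = re.compile(r"^<([a-z-]+)>$")


def scan_profile(text):
    """Map each credential directive to where it lives.

    Returns ({directive: "inline" | "file:NAME"}, {other directives seen}).
    Inline blocks look like <ca> ... </ca>; file references look like
    'ca NAME' or 'tls-auth NAME 1'.
    """
    where, others, inline = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:                 # inside a <tag> block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = INLINE_OPEN.match(line)
        if m:
            inline = m.group(1)
            if inline in MATERIAL:
                where[inline] = "inline"
            continue
        parts = line.split()
        if parts[0] in MATERIAL and len(parts) > 1:
            where[parts[0]] = "file:" + parts[1]
        else:
            others.add(parts[0])
    return where, others


def check_profile(text, existing_files=frozenset()):
    """Return a sorted list of problems; [] means the profile is complete.

    existing_files is the set of file names sitting next to the profile
    (for a real file use set(os.listdir(dir))); it lets the check stay pure.
    """
    where, others = scan_profile(text)
    problems = []
    if "ca" not in where:
        problems.append("CA not defined: no <ca> block and no 'ca' file directive")
    for directive, loc in where.items():
        if loc.startswith("file:") and loc[5:] not in existing_files:
            problems.append(f"{directive}: referenced file not found: {loc[5:]}")
    has_cert, has_key = "cert" in where, "key" in where
    if has_cert != has_key:
        problems.append("client cert and key must both be present (or both absent)")
    if not (has_cert or has_key) and "auth-user-pass" not in others:
        problems.append("no client cert/key and no auth-user-pass: nothing to authenticate with")
    return sorted(problems)


def check_profile_path(path):
    """Convenience wrapper for a profile on disk."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    siblings = set(os.listdir(os.path.dirname(os.path.abspath(path))))
    return check_profile(text, siblings)


# Constructed sample profiles (not real exports).
BROKEN = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
# CA, cert and key were never embedded or exported alongside this file
tls-auth VPN_Server_SSLVPN_Server_Certificate-tls.key 1
"""

GOOD = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("good", GOOD)):
        print(name, check_profile(text) or "ok")
```

Run it against an exported profile with `check_profile_path("client.ovpn")`; an empty list means the CA is present and every file the profile names exists beside it. A username/password-only profile (like the one described above) legitimately has no `cert`/`key`, but it still needs the `<ca>` block, which is exactly what the "CA not defined" error is complaining about.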

#8
Getting ready to take the plunge back into OPNsense. Anyone have a referral code for Zenarmor?

If we're not allowed to ask for those, sorry. :(
#9
I have symmetrical gigabit internet at my house and have dabbled with the following firewalls off and on over the last year or so: pfSense, OPNSense, Sophos and Untangle.

All had pros and cons but eventually, I end up going back to my little Asus AX86U router as I prefer a simple UI and easy maintenance. The only demands I have of my router are port forwarding Plex, OpenVPN integration and QoS (QoS on my Asus is kind of garbo, more on that later).

Because I can never leave things alone, and like to tinker and wreck my home network from time to time :) .... I'm gearing up, again, to give OPNSense another shot.

One of the things I -love- about these firewalls is the ability to do geo IP blocking! Every so often, the TrendMicro plugin on my Asus router blocks various attacks and that got me to thinking..... how good is the TrendMicro/Asus security vs the security/IPS detection in OPNSense? Since Asus routers are allllllllllll over the place, I'm sure they put decent effort into securing their firmware and have partnered up with Trend but I don't think I've ever seen an article that dug deep into how secure a router firmware is vs. something like OPNSense. Anyone have a link that goes into detail along those lines?

QoS. The last time I played with OPNSense, I didn't mess with the QoS stuff. Whenever my server is doing a big download, and maxing out my 1 gig connection, everyone in the house complains that web browsing is super slow. Since my server is doing the downloading, and sometimes serving up files via FTP and used for Plex..... is there a way to configure QoS in OPNSense so that if my server is hogging up 100% of the connection, and ANY OTHER APP OR DEVICE on my network needs 10Mbps of speed or 800Mbps, my server's connection will be throttled down to accommodate that?

I looked at some of the QoS docs on the OPNSense site and got confused on things. If I remember correctly (which I might not)..... I think I could configure things like..... device X needs this much bandwidth and device Y gets higher/lower...... but I just want to put my server dead last and have anything and everything else get priority over any traffic my server PC is using.
#10
I know this will sound silly but it's annoying to me and I'm wondering if OPNSense can help.

Sometimes I like to watch certain videos on YT as one-offs and don't want the algorithm feeding me more of the same so I'll open the app and won't sign into my account.

When I do that, on the main YouTube screen, there is a high probability they'll showcase a video from this girl called 'SSSniperwolf'. Just the sight of her makes me want to punch the screen. On my computer, I'm using a YouTube channel blocking app in my browser and no longer see her (THANK GOD!). But if I open the YT app (or SmartTubeNext) on my Android TV (and I'm not signed into my account), I almost always see her showcased on the screen.

So, is there a way to configure OPNSense to block -just her channel- and everything associated with it?
#11
I followed this guide https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html to install ntopng and after I was done, I do not see the "Once ntop is running, click here to open the web interface" link. Sure, I'm not using the enterprise version but would that matter?

In any case, trying to access the HTTP address: my_OPNsense_firewall_ip:3000 gets me a 'page can't be loaded' error.

#12
Tutorials and FAQs / How to block a single website?
July 27, 2022, 03:43:18 AM
First off, I know practically nothing about advanced/next generation firewalls. I'm looking into taking advantage of the features they offer (geoIP blocking), more visibility into what the endpoints on my home network are up to and blocking sites from my children.

The first thing I'd like to master is blocking a single URL. In this example, it's yahoo.com. Try as I may, I can not get this working to save my life. Yes, I'll probably spend the $99/year and buy Zenarmor if it comes to that but can't this be done with plain OPNsense? Zenarmor makes this task look trivial but I don't think it can be done with the free version.

When I was testing Sophos, I was able to create a rule that blocked that domain within a minute or so by just poking around and guessing. I'm going on 2+ days with OPNsense and can't do it. I looked at this:

https://docs.opnsense.org/manual/how-tos/proxywebfilter.html

.....but that is just how to enable blacklists. I'm interested in blocking a single URL. I think what's hanging me up is I need to block DNS requests for that site, right?

TLDR: Is there a super simple, detailed guide/video that walks you through blocking a single URL?

Thanks
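The question above ("I think what's hanging me up is I need to block DNS requests for that site, right?") is the usual way to do this without a proxy or Zenarmor: have the firewall's own resolver refuse the name. The block below is an added example, not OPNsense or Unbound project code. It assumes (none of this is stated in the post) that LAN clients use the OPNsense Unbound resolver, that the extra `local-zone:` lines can be supplied to Unbound as custom configuration (where that goes in the GUI differs between OPNsense releases), and that clients cannot bypass the resolver with a hard-coded public DNS server or DNS-over-HTTPS; the caveat a practitioner wants here is to also block or redirect outbound port 53 from the LAN, otherwise the block is trivial to sidestep. The code renders the directives and emulates Unbound's matching rule (the zone with the most matching labels wins), so you can see that blocking `yahoo.com` also covers `www.yahoo.com`, that `notyahoo.com` is untouched, and that a more specific `transparent` zone punches a hole for one subdomain.

```python
"""Emulate Unbound local-zone matching for a single-domain DNS block.

Added example; not OPNsense or Unbound code.  Assumes the firewall's
Unbound is the only resolver LAN clients can reach.
"""


def labels(name):
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def lookup_zone(qname, zones):
    """Return (zone, type) of the most specific local-zone covering qname.

    Mirrors Unbound's rule: a zone applies to itself and every name below
    it, and when several apply the one with the most labels wins.
    Returns None when no configured zone covers the name.
    """
    q = labels(qname)
    best = None
    for zone, ztype in zones.items():
        z = labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(labels(best[0])):
                best = (zone, ztype)
    return best


def resolve_action(qname, zones):
    """What the resolver does with qname: 'forward' (normal resolution),
    'NXDOMAIN' (always_nxdomain) or 'REFUSED' (always_refuse)."""
    hit = lookup_zone(qname, zones)
    if hit is None or hit[1] == "transparent":
        return "forward"
    return {"always_nxdomain": "NXDOMAIN", "always_refuse": "REFUSED"}[hit[1]]


def unbound_config(zones):
    """Render the zones as Unbound 'server:' directives."""
    lines = ["server:"]
    for zone, ztype in sorted(zones.items()):
        lines.append(f'  local-zone: "{zone}." {ztype}')
    return "\n".join(lines) + "\n"


# Constructed block list: the whole domain, with one subdomain let through.
BLOCKLIST = {
    "yahoo.com": "always_nxdomain",
    "finance.yahoo.com": "transparent",   # more specific, so it wins
}

if __name__ == "__main__":
    print(unbound_config(BLOCKLIST))
    for name in ("yahoo.com", "www.yahoo.com", "finance.yahoo.com",
                 "notyahoo.com", "example.com"):
        print(f"{name:22} -> {resolve_action(name, BLOCKLIST)}")
```

`always_nxdomain` makes the browser fail fast with "server not found"; `always_refuse` returns REFUSED instead, which some clients retry against a fallback resolver, so NXDOMAIN is the better choice for a block. Confirm from a LAN client with `nslookup www.yahoo.com <firewall-ip>` once the resolver has been restarted.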
#13
With a product like McAfee desktop firewall...... it has a 'learn mode'. When it's active, a client will automatically add whatever rules it needs to allow traffic to flow and those learned rules are easily accessible in a separate report and can then be harvested/examined and made permanent. Anything like that in OPNsense?
#14
If somebody can help me with the following problems, I'd really appreciate it and will make a donation to the project!

I have OPNsense 21.1.7_1-amd64 running on a Dell PowerEdge server. Clean install, updated it and added one NAT rule for Plex and so far so good!

Here's the problem:

I have an app on my Android TV (and Shield) called 'SmartTubeNext'. Since putting all my devices behind OPNsense, this app no longer works. It loads but doesn't display any thumbnails for YouTube videos.

Now, I could probably figure out what rule needs to be added but I'm having problems locating a place to go where I can see a log file that shows incoming traffic to the IP of the device I'm using. I looked at the log files in the firewall section but they don't show the destination IP of my internal device (192.168.x.x)....just the public IP as the destination.

Bonus question: I installed Sensei (layer 3) and with that, I can probably ditch my Pi-Hole for blocking ads, right?
#15
Dipping my toes into the home firewall arena and looked at pfSense and OPNsense and decided to go with OPNsense.

I see the H470I has dual Intel NICs, will the NICs on this board work with OPNsense? I was going to get an Intel 340/350 but every card I look at on eBay seems counterfeit so I thought, heck with it.... just go with something modern.