OPNsense Forum
Topics - wodec

1. 24.1 Legacy Series / cannot reach web UI from a different subnet than LAN
« on: February 18, 2024, 03:00:25 pm »
I have been banging my head for hours over the following, but can't figure out where my problem could be.

I am running OPNsense (latest release) in a KVM hypervisor on Linux.
I have it connected to a trunk port on a managed switch.

I've decided to configure the VLAN interfaces at the hypervisor level as follows:
- for every VLAN on the trunk, a VLAN interface on the hypervisor
- for each of those VLAN interfaces, a bridge has been created
- these bridges are then attached to my OPNsense VM, which manages the traffic in between (basically OPNsense isn't aware that VLANs are in use underneath; it's handled at the hypervisor level).

Now I want to make the OPNsense web UI accessible on one of those VLANs.
I have the web UI listening on all interfaces.
I also have a firewall rule which allows traffic to port 443 on the firewall interface in that specific network segment.

I am now connected from my laptop to that same managed switch via a port which has that same VLAN configured as an untagged port.

My hypervisor also has an IP on the bridge in that same VLAN.
I can successfully SSH from my laptop, so in that VLAN, to the hypervisor and log in.
I can however NOT connect to the web UI of OPNsense in that same VLAN.

When I look in the firewall logs of OPNsense, I see that the rule I configured for access to the firewall interface on port 443 from that specific VLAN/network segment is hit; it goes green and is a rule of type "pass".
So from the firewall rules, it seems as if I'm hitting the correct rule with a pass.

However, the web UI is not loading and I cannot access it.
I have no idea where the root cause of this problem could be; does anybody here perhaps have an idea?

2. General Discussion / virtualized OPNsense in KVM - VLAN + bridge?
« on: November 28, 2022, 09:10:55 am »
Hi all,

I currently have the following setup:
- OPNsense virtualized, not using Proxmox but using your basic KVM
- hosted on a machine with 2 physical NICs
- the WAN is a bridge on one physical NIC, the LAN is a bridge on the other physical NIC.

I now also want to add VLAN segmentation on the LAN side using a managed switch, which should arrive any day now.

But I was just wondering: how would I need to configure the VLANs in combination with the LAN bridge on the OPNsense side?
Will that even work?

Thanks for any info you can give!
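The hypervisor-side layout that both of the posts above describe (one tagged subinterface per VLAN on the trunk NIC, one bridge per subinterface, each bridge handed to the OPNsense VM as a plain virtio NIC so the guest never sees 802.1Q tags) as an added, self-contained example. It is not code from the posts, from any reply, or from the OPNsense project. It assumes a Linux KVM host with iproute2 and libvirt; the trunk NIC name enp2s0, the br<vid> bridge naming, the sample VLAN ids and the 192.0.2.0/24 management address are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Hypervisor-side VLAN/bridge layout for a virtualized OPNsense on KVM/libvirt.
# Added example: not code from the forum posts or from the OPNsense project.
# Assumptions: Linux host with iproute2 and libvirt; the trunk NIC name (TRUNK),
# the br<vid> bridge naming and the sample VLAN ids are made up for this example.
set -eu

TRUNK="${TRUNK:-enp2s0}"   # NIC cabled to the switch's trunk port (assumed name)
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands; 0 = apply them with ip(8)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 802.1Q VLAN ids are 1..4094; 0 and 4095 are reserved.
valid_vid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# One tagged subinterface on the trunk and one bridge per VLAN. The bridge is
# what the VM attaches to, so OPNsense sees plain untagged Ethernet on each
# virtual NIC and never has to know the 802.1Q tag exists.
setup_vlan() {
    local vid="$1" sub="${TRUNK}.${1}" br="br${1}"
    valid_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    run ip link add link "$TRUNK" name "$sub" type vlan id "$vid"
    run ip link add name "$br" type bridge
    run ip link set dev "$sub" master "$br"
    run ip link set dev "$sub" up
    run ip link set dev "$br" up
}

# Optional: give the host itself an address on one bridge (as in the first
# post, where the hypervisor answers SSH inside the management VLAN).
# The host is then a node on that VLAN beside OPNsense, not behind it.
host_mgmt_addr() {
    local vid="$1" cidr="$2"
    valid_vid "$vid" || return 1
    run ip addr add "$cidr" dev "br${vid}"
}

# Keep the host from routing between the per-VLAN bridges around OPNsense.
harden_host() {
    run sysctl -w net.ipv4.ip_forward=0
    run sysctl -w net.ipv6.conf.all.forwarding=0
}

# <interface> element to paste into the domain XML (virsh edit <domain>);
# one per bridge. OPNsense exposes each as its own vtnetN interface.
vm_iface_xml() {
    local vid="$1"
    valid_vid "$vid" || return 1
    cat <<EOF
    <interface type='bridge'>
      <source bridge='br${vid}'/>
      <model type='virtio'/>
    </interface>
EOF
}

# Usage: DRY_RUN=1 TRUNK=enp2s0 ./opnsense-vlans.sh 10 20 30
if [ "$#" -gt 0 ]; then
    harden_host
    run ip link set dev "$TRUNK" up
    for vid in "$@"; do setup_vlan "$vid"; done
    for vid in "$@"; do vm_iface_xml "$vid"; done
fi
```

Run it with DRY_RUN=1 first and read the commands before applying them; ip(8) changes do not survive a reboot, so once verified they belong in the distribution's own network configuration. The forwarding sysctls are the security-relevant part: a host with an address on one bridge, as in the first post, is reachable in that VLAN without ever passing through OPNsense, and if forwarding were enabled on the host it would route between the per-VLAN bridges around the firewall entirely.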

3. General Discussion / best approach to do a cloud install?
« on: November 19, 2022, 10:55:59 am »
Hi all,

I'm currently wondering what would be the best and most secure approach to do a new install in a cloud environment?

So basically I can have a VM where OPNsense is installed, but since it's a cloud environment, the only thing I have is console access to the VM.

Network-wise, after install, I can only reach the VM from the WAN side, where the GUI is blocked by default.

I want to get to the situation where I can use a VPN to connect to the firewall and then access the GUI over that VPN.
However, I first need to get to the GUI before being able to configure a VPN; chicken-or-egg problem :)

So how would you approach something like this?

If I have it correctly, enabling SSH access via the console is not possible, adding firewall rules to temporarily enable GUI access over the WAN is not possible via the console, ...

How do others tackle this?

Thanks for any input you can give here!

4. 22.7 Legacy Series / DNS blacklist Unbound update issue
« on: September 05, 2022, 01:27:55 pm »
Hi,

I have been experiencing regular issues while using the Unbound DNS service with DNS blocklists.

More specifically: let's say I want to add some blocklists and download & apply them (see attachment 1.PNG).
It proceeds with downloading, as seen in the Unbound log, which seems to complete successfully (2.png and 3.png).

However, the DNS console shows an error (see 4.png).
In the logs, the only thing I can find is "Timeout (120) executing: inbound dnsbl" (see 6.png).

Now, in this case, I'm lucky: my DNS service still seems to be running, despite the error message.
More often than not, once I click away the error message and refresh, I see the red arrow at top right indicating a stopped service (as in 7.png).

Anyway, to be sure, I manually restart the Unbound DNS service.

I'm again seeing error messages in the logs: see 8.png.
But the service seems to start and to resolve DNS queries, taking into account the blocklists (e.g. known porn lists are blocked based on the selected porn blacklists).

The above behavior occurs EVERY time I manually trigger a download & apply on the DNS blacklists.

I also have a cron job which refreshes the blocklists every night in the middle of the night.
When I go online in the morning, DNS resolving still seems to work, so it seems the service does not stop in the night when updating the blocklists.

So I'm a bit in doubt here.
Is there an issue with the Unbound DNS blocklist, is this only an issue when doing a manual trigger, ...

Thanks for any insight you can provide!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved