Messages - mdirickx

#1
Hello everyone,

I'm apparently a complete noob on this. How do I switch to HTTPS for the GUI?

When I try it in settings, I get a browser error that the certificate is gibberish. I understand the cert is not valid as it's self-signed, but usually you can just accept that and proceed...

The error is:
Quote:
x.x.x.x normally uses encryption to protect your information. When Google Chrome tried to connect to x.x.x.x this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be x.x.x.x, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit x.x.x.x right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

Further settings:
SSL Cert: Web GUI SSL certificate
SSL Ciphers: system defaults
HTTP strict: unchecked
HTTP redirect: unchecked
DNS Rebind: unchecked
Listen Interfaces: All
HTTP_REFERER: checked


#2
I'm not following. Do you have multiple VLANs on the same 'Network port'? Best to create an interface for each VLAN for what you want to accomplish.

First result I found seems decent:
https://homenetworkguy.com/how-to/configure-vlans-opnsense/

If you do have these interfaces set up, or you have your different networks on different physical ports, you should be able to set up rules per interface. That is, without floating rules.

In my case I got a VoIP physical link to my switch, and my switch transforms it to a VLAN. But it could as well have been a VLAN on my OPNsense box. Either way, once you have the interfaces, you can limit them in the firewall rules for that interface. For me that's simple: I block everything, and only allow specific UDP ports (along with http(s) and dns) through.

Quote:
With the standard rules on the DMZ interface I can make sure no traffic can go to any other network but I can't stop other traffic coming in, this needs to be done on each other interface.

Short answer: no. You can limit what goes in... but you need to specify a source. An alias with blocked networks should suffice. In case you truly want to limit it, you can select 'this firewall' as the source to block traffic from every interface the firewall has.

Not sure I understood your question though.

#3
I think I've made a breakthrough in finding the cause..  Any help in finding a solution would be appreciated :)

With NAT the source address is kept. My OpenVPN server does not have an upstream gateway and can't connect back.

Is there any way to have OPNsense translate the source address to its LAN address, without breaking the connection?



Background
If I try to connect to the VPN from LAN, the packet source IP at the OpenVPN server is the LAN address of the OPNsense box. This is most likely because I connect to the public IP of OPNsense. When I connect from the WAN, the source IP is the public IP of my home. Simply put, NAT does its job.

Unfortunately, the OpenVPN WAN interface does not have an upstream gateway. This is a deliberate choice: people on the VPN are already connected to the internet, they don't need to send everything through the tunnel. This also means that OpenVPN has no idea how to send a packet back to the public IP of my phone/laptop.

BTW: The old firewall had some weird understanding of NAT and full cone NAT; it basically always replaced the source address with itself, which is very annoying for stuff like fail2ban.

#4
Hi,

I have an old OpenVPN server created in pfSense. I'm trying to set up a port forward to this box in OPNsense, but somewhere something is going wrong. I can't seem to figure out what it is though.

What I've got:
I got the old config from my old (really old) firewall; basically this is a NAT rule and a routing rule.

I already went over some of the posts here and I did the following:

Firewall > Settings > Advanced:
Reflection for port forwards             Checked
Reflection for 1:1                       unchecked
Automatic outbound NAT for Reflection    Checked

Firewall > NAT > port forward > add
Interface:                               WAN
TCP/IP Version:                          IPv4
Protocol:                                UDP
Destination:                             WAN address
Destination port range:                  from: Other 20096    to: Other 20096
Redirect target IP:                      Alias:172.16.20.89
Redirect target port:                    Other 20096
Filter rule association                  add associated filter rule

System > gateways > single > add
pfSense_VPN LAN 172.16.20.89

System > routes > configuration > add
192.168.200.0/24 pfSense_VPN - 172.16.20.89

With this route set up, the forward rule and the associated firewall rule, I applied the settings and gave it a go. Unfortunately, OpenVPN tells me that 'TLS key negotiation failed to occur within 60 seconds'.

I tried to do some packet capturing on both the OPNsense box and the pfSense box. On the OPNsense firewall I took UDP traffic to 172.16.20.89, and on the pfSense box I used WAN. On both interfaces I got the packets that I expected, and now I have no idea what to do. I've attached the packet capture images to this post.

When I connect my laptop to the internal WiFi, I can get a connection to the VPN. Same thing when I repatch the WAN and LAN cables to the old firewall. Therefore, I think something is wrong with my port forward, but I have no idea what that is.

Thanks!

#5
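To illustrate the reply-path problem described in posts #3 and #4, here is an added Python model (not OPNsense or pfSense code, and not from the poster): it applies the UDP/20096 port forward to 172.16.20.89, then does a longest-prefix route lookup on a VPN server whose table has the LAN, the 192.168.200.0/24 tunnel route and no default route. The OPNsense LAN address (172.16.20.1), its public address (198.51.100.10) and the client address (203.0.113.5) are constructed assumptions.

```python
import ipaddress

# Constructed values: the OPNsense LAN/WAN addresses and the client IP are
# assumptions; 172.16.20.89, port 20096 and 192.168.200.0/24 come from the posts.
OPNSENSE_LAN = ipaddress.ip_address("172.16.20.1")      # assumed
OPNSENSE_WAN = ipaddress.ip_address("198.51.100.10")    # assumed public IP
VPN_SERVER = ipaddress.ip_address("172.16.20.89")
VPN_PORT = 20096

# Routing table of the pfSense/OpenVPN VM: connected LAN, the tunnel network,
# and deliberately no default route (post #3).
VPN_SERVER_ROUTES = [
    (ipaddress.ip_network("172.16.20.0/24"), "lan"),
    (ipaddress.ip_network("192.168.200.0/24"), "tun0"),
]


def route_lookup(dst, routes):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def port_forward(pkt, snat_to_lan):
    """Model the rdr rule (WAN udp/20096 -> 172.16.20.89) plus optional outbound NAT."""
    if pkt["dport"] != VPN_PORT:
        return pkt
    fwd = dict(pkt, dst=VPN_SERVER)          # destination rewritten by the port forward
    if snat_to_lan:
        fwd["src"] = OPNSENSE_LAN            # source rewritten to the firewall's LAN address
    return fwd


def reply_routable(client_ip, snat_to_lan):
    """True if the VPN server can route a reply to the (possibly NATed) source."""
    pkt = {"src": ipaddress.ip_address(client_ip), "dst": OPNSENSE_WAN, "dport": VPN_PORT}
    at_server = port_forward(pkt, snat_to_lan)
    return route_lookup(at_server["src"], VPN_SERVER_ROUTES) is not None


if __name__ == "__main__":
    print("WAN client, plain port forward :", reply_routable("203.0.113.5", False))  # False
    print("WAN client, with outbound NAT  :", reply_routable("203.0.113.5", True))   # True
    print("LAN client, plain port forward :", reply_routable("172.16.20.50", False)) # True
```

The LAN case succeeds without any source NAT because the source is already on a connected network, which matches the observation in post #3; the WAN case only succeeds once the source is rewritten to an address the VPN server can route to.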
18.7 Legacy Series / Re: port forward to openVPN
January 01, 2019, 04:31:25 AM
Thank you @bugmanagement!

I did apply the settings. Though I haven't captured any network dumps. I wanted to check first if my approach seemed righteous.

The thing is: this is my network firewall. So I've paralleled them. I can switch from old to new firewall by replugging 4 network cables. During the holidays these switch-overs are easy. It doesn't matter how long it takes as there is nobody to complain. Over the next few weeks debugging will become ... harder.

Therefore I would like more possible paths to explore for when I do switch over, so that I can get the most out of this corporate 'downtime'. (even though WAN is working, other studios are not able to connect over OpenVPN)

I did notice that when I replug the old firewall everything is up and running again. This implies that the VPN downtime is due to an OPNsense misdirection/rule. Any further help would be most welcome. Let me know exactly what I can publish to help.

Happy New Year to you, non-gender-specific-person ;)
Cheers!

#6
18.7 Legacy Series / port forward to openVPN
December 30, 2018, 05:37:16 PM
Happy Holidays everyone!!

I have an OPNsense firewall that needs to pass OpenVPN to a VPN server VM, and for the hell of it I can't figure it out. I included a screenshot of the old firewall's config. There are 2 VPN servers active on that VM; I'm starting with one of them: the one on UDP port 20096.

I thought this was as straightforward as possible: Firewall > NAT > port forward
Interface:    WAN
tcp/ip:       IPv4
protocol:     UDP
Destination:  Any
Dest port:    20096-20096
Redirect IP:  172.16.20.89
redir port:   20096
Filter rule:  add rule


This doesn't seem to work. I get the typical "no SSL handshake within 60 seconds" error from OpenVPN. Am I missing something?

(I also attached 2 screens of the OPNsense NAT and rules GUI. I disabled the combined rule for the two VPN servers and created one rule for each server. The rule for the port forward for the 20096 artist VPN is missing, as I tried setting it to "filter rule association: pass")

Kind regards