Messages - BenKenobi

#1
Quote: I can assure you there is at least one setup mistake at play here

Sorry that doesn't offer many clues - if you suspect a configuration error then perhaps the documentation should make such configurations clearer.

Even so I'm not so sure - simply because the config works in pfSense, of course pfSense could be broken but if so I'm glad it is. To add even further insult OPNsense insists on using the default gateway even when a 1:1 NAT explicitly says not to. The 'default' gateway is taking priority over everything, even if a specific gateway is stated in the Firewall rules for LAN outgoing traffic it is ignored and traffic exits on the 'default' gateway. Load shaping etc. flat out doesn't work.

How do I know - because my mail servers are supposed to use one gateway only, no exceptions, 1:1 in place and LAN rules. They don't, as confirmed by RFC headers on a receiver, which messes up my SPF and DMARC.

I'll do what I can to report but I'll be going back to pfSense unfortunately, I'd rather not because I don't care a lot for the direction Netgate are taking things, but I don't have time to mess with this. I will leave the system set up so that I can play but once I collect everything required for the report I'll be taking OPNsense down.
#2
The default gateway which is one of the WAN interfaces never changes and it uses that exclusively despite both WAN and OPT1 being part of a tier 1 group - each WAN has its own gateway and is a distinct ISP account. The tier 1 group comprising WAN and OPT1 (both are set as tier 1) is set up as the default route for all outgoing LAN traffic.

No matter how much traffic transits the group it all passes out on the default WAN.

In pfSense it just works, same kind of configuration, I'd like to move away from pfSense but I keep hitting barriers like this.
#3
How many load balancing features does OPNsense possess? - dual WAN

#4
22.1 Legacy Series / Loadbalancing - still broken
June 19, 2022, 09:50:46 PM
Thought I'd give OPNsense another shot but load balancing still won't work - pfSense load balancing works out of the box and is a breeze to configure compared to OPNsense. Even if configured to the letter OPNsense makes no attempt whatsoever to balance load - yes even with the appropriate gateway set in the 'all LAN traffic' rule all traffic is pushed on the default regardless.

All the guides I have read to make load balancing work in OPNsense require the use of Unbound - don't use it, no intention of doing so - I run my own internal DNS / DHCP systems.

There's a lot to like about OPNsense but this is a showstopper for me.

Is there a solution to make load balancing work without Unbound OR any kind of gateway monitoring?
#5
I need a server behind the firewall to use a specific gateway but no longer seem able to.

Just rebuilt the firewall on new hardware but now I can't add a rule to force a specific internal IP to leave by a specific gateway - firewall says outgoing connections cannot use policy-based routing - what kind of ridiculous nonsense is this?

Is there any solution or is it time to put my Cisco 1900 back in service?
#6
20.1 Legacy Series / Load Balancing & Priorities
March 01, 2020, 06:47:28 PM
I have two WAN connections, I have tried numerous times to get load balancing working 'reliably' but although I can get it to function, performance is far from satisfactory, DNS becomes unreliable and unacceptably slow.

I can configure load balancing but I run my own DNS server, I don't see why I should need to configure ANY DNS rule in the firewall to get load balancing to function, but if you don't then no outgoing connections are possible at all. I neither need nor desire any of the DNS facilities offered by OPNsense or FreeBSD, I can't even fathom why load balancing would require a DNS rule unless the implementation of load balancing is flawed.

I decided therefore that I'd do some manual balancing by changing gateway priorities - i.e. 255, 254, 253 ... where the lowest number is supposed to be the highest priority and therefore used, even after a reboot and clearing states the system flat refuses to use the lowest number unless I disable the other connection (with a priority of 255) entirely and seems to take the default to be the lowest / first defined 'physical' WAN NIC.

Although I have a different priority set for each WAN and the 'Allow default gateway switching' is enabled the system ignores the priorities and sticks to the gateway with the highest number i.e. 255.

This is starting to get a tad frustrating - this load balancing hasn't worked reliably since V19.
#7
19.1 Legacy Series / NAT and Floating rules
May 22, 2019, 02:52:27 PM
Can somebody have a look at priorities for blocking traffic vs port forwarding / NAT

I've just spotted this in my email server logs

lost connection after CONNECT from house.census.shodan.io[89.248.172.16]

but house.census.shodan.io is in a block list - (Alias configured as URL (IPs) and allocated to a floating block rule applied to all interfaces). The fact that this log entry exists tells me that something isn't working - shodan should have been blocked.

I don't want to debate the value of blocking such people - I don't invite strangers into my house to look around - this kind of intrusive scanning is no different to me.

I've also seen some 'attacked blocked' notices to port 80 on a system from Kaspersky but considered Kaspersky at fault as there is no port 80 forwarding to that system - now I'm not so sure OPNsense is doing what I expect.

For now I've moved the block rules to the interfaces and put them before any NAT generated rules, I'll be a bit disappointed if I see entries that I shouldn't in event logs going forward.
#8
For what it is worth I had so many annoying issues (this was one) that I decided this morning to wipe my box out and start from scratch. Not only was the aliasing broken but the event reports had the wrong names - almost like the rules and names were out of sync. DNS also stopped working, neither DNSMasq nor Unbound would resolve anything.

Seems to be working OK now but it's taken all darn day to put everything back in (I didn't restore from a backup to be sure I didn't re-introduce the issues).

I think this is something to do with the upgrading process - which I have done since I can remember - this is only the second time I've done a clean install. I haven't the time spare to go figuring out what was broken but clearly things were, finding out what is made more difficult by the lack of a command prompt and file functions via the GUI.

#9
General Discussion / Re: Anyone configured an MTA
July 04, 2018, 05:25:12 PM
Good to know, and another confirmation that OPNsense is the best fit for my needs.
#10
General Discussion / Re: OPNsense versus pfSense
July 04, 2018, 05:11:28 PM
The arrogance part for me is when they arbitrarily decide to go down a certain path then slag off anyone that dares to speak out or have a contrary opinion.

Sure you can't please all users at all times but not all users are dummies and to treat all users as low grade morons that somehow don't have a valid opinion is arrogance. Then to tell flagrant untruths to justify a position merely confirms the arrogance - when they dropped postfix from V2.3 is such a position - claiming that the plugin wasn't maintained, Marcelloc devoted hours to it, he even had a new version waiting to go. That isn't frustration, that's arrogance.

I don't want a hundred damn boxes when one will do - but that's the route pfSense have gone.

So to some extent I do agree frustration can play a role, but there are ways to handle user needs, open honesty and not treating them like fools goes a long way.
#11
General Discussion / Re: Anyone configured an MTA
July 04, 2018, 03:30:35 PM
So the os-postfix is just Postfix under the hood then? Not a reduced feature set?

I may be able to make that work if it is just a GUI omission not feature.
#12
General Discussion / Re: OPNsense versus pfSense
July 04, 2018, 03:22:10 PM
For me pfSense started down a road I wasn't interested in following, they decided that pfSense was no longer going to be an all-encompassing barrier and excluded a number of useful add-ons, the devs also developed an arrogance that I have no time for - 'we do not care what you think or want - we are right you are wrong' - well fine, I'm outa here. I moved to OPNsense and retain the last decent version of pfSense to use as an MTA - although that may soon be retired now that OPNsense has gained Postfix.

Firefox / Mozilla has gone the same way, if you dare to challenge they're almost abusive - I'm afraid that arrogance in software departments I live with day to day as part of the day job - I have no time whatsoever for it.

So now I'm OPNsense and Waterfox, I like where the two are going, they fit MY needs not the developers' so I'm happy to tag along.

#13
General Discussion / Re: Anyone configured an MTA
July 04, 2018, 02:50:28 PM
I don't do any filtering on valid recipients and have my reasons for doing so.

I'm looking in particular though for a way to identify backscatter that may have come from my boxes - or backscatter that is nothing to do with me. The presence of backscatter is a good way to identify if a user box or even server has been compromised. I know what my server signatures look like so I use this to tell the difference between forged vs genuine - as per the postfix link. Basically if forged backscatter comes in I reject it, if genuine comes in I want to know.

I am looking ultimately to find a way to send no response whatsoever for invalid recipients - I'm quite OK tying up the spammers' systems re-trying over and over and wasting time doing so, I don't want to disclose when users do not exist. I'm trying to figure out some sort of catch-all - i.e. any address that doesn't exist goes to a black hole queue / inbox, this is fine and my mail server dumps anything to non-existent users in a junk box. Problem is that I then want to blacklist the real message source of anything that ends up in the black hole, never quite figured how to get that to work in any MTA though.
#14
General Discussion / Anyone configured an MTA
July 04, 2018, 12:00:14 PM
Has anyone here configured an MTA using OPNsense and the packages os-postfix and os-rspamd?

How did you deal with the potential for backscatter?

http://www.postfix.org/BACKSCATTER_README.html

I currently run an old version of pfSense with Postfix internally as an incoming relay for all incoming port 25 traffic, I do not use it for sending and never will. I use header and body checks to detect forged headers where those headers actually contain my domains as the sender (such mails will NEVER come from 'outside').

There are a few things that I'm not seeing in the OPNsense implementation, the principal one being no way to detect forged domain headers (check out the Postfix 'backscatter' link).

I still don't see the opportunity anywhere (in what I use now or in the OPNsense implementations) to decline any response whatsoever - basically I don't want my mail server to respond with any 2xx/4xx/5xx messages if the sender is not legit - I just want an option to drop the message into a black hole so that in scenarios such as when no valid recipient exists the system does not respond with a friendly 'unknown user' - in such cases I don't want a response of any kind - this and rate limiting would go a long way to prevent brute-force type harvesting since spammers can no longer blanket a server with random names and check the responses (harvesting).

That said my biggest concern is stopping backscatter - any tips on how to achieve this with the OPNsense implementations?
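
The forged-vs-genuine backscatter test that posts #13 and #14 describe (knowing your own relay's signature and rejecting bounces that quote a different one, as in the Postfix BACKSCATTER_README), as an added example that is neither the poster's nor OPNsense's code. The relay name mx.example.net, its Received/Message-ID stamp format and the sample bounces are all constructed for this illustration.

```python
import re
OUR_HOST = "mx.example.net"  # constructed relay name for this example (hypothetical)
# Our relay always stamps "by mx.example.net (Postfix) with ESMTP id <queue id>"
# (a Postfix queue id is 10-12 upper-case hex digits) and adds Message-IDs of the
# form <queueid.hexstamp@mx.example.net>; anything else naming us is a forgery.
BY_US = re.compile(r"\bby\s+" + re.escape(OUR_HOST) + r"\b", re.I)
GENUINE_RECEIVED = re.compile(
    r"\bby " + re.escape(OUR_HOST) + r" \(Postfix\) with E?SMTPS?A? id [0-9A-F]{10,12}\b")
GENUINE_MSGID = re.compile(r"<[0-9A-F]{10,12}\.[0-9A-F]{8}@" + re.escape(OUR_HOST) + r">")

def _unfold(text):
    """Join RFC 5322 folded header lines so each logical header is one string."""
    out = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def classify_bounce(raw):
    """Return 'not-a-bounce', 'genuine' or 'forged' for one inbound message. Only
    null-sender messages (Return-Path: <>) are bounces; the original headers quoted
    in their body are where our relay's stamp must appear."""
    head, _, body = raw.partition("\n\n")
    if "return-path: <>" not in (h.lower() for h in _unfold(head)):
        return "not-a-bounce"
    stamped_by_us = 0
    for line in _unfold(body):
        low = line.lower()
        if low.startswith("received:") and BY_US.search(line):
            stamped_by_us += 1
            if not GENUINE_RECEIVED.search(line):
                return "forged"  # names our relay, but not with its real stamp
        elif low.startswith("message-id:") and "@" + OUR_HOST in low:
            stamped_by_us += 1
            if not GENUINE_MSGID.search(line):
                return "forged"
    # A bounce for mail "from" us that shows no trace of our relay is forged too.
    return "genuine" if stamped_by_us else "forged"

# Constructed sample bounces (not real traffic).
GENUINE = ("Return-Path: <>\nFrom: MAILER-DAEMON@remote.example.com\nTo: alice@example.net\n\n"
           "Received: from pc.example.net (pc.example.net [192.0.2.55])\n"
           "\tby mx.example.net (Postfix) with ESMTP id 3B4F9C0A2D\n"
           "Message-ID: <3B4F9C0A2D.A1B2C3D4@mx.example.net>\n")
FORGED = ("Return-Path: <>\nFrom: MAILER-DAEMON@victim.example.com\nTo: alice@example.net\n\n"
          "Received: from mx.example.net (unknown [203.0.113.9])\n"
          "\tby mail.victim.example.com with SMTP id q8Zt1\n"
          "Message-ID: <20180704123456.GA1234@mx.example.net>\n")
```

In a real deployment the same patterns would go into Postfix header_checks/body_checks (the README shows the pcre syntax); the Python here only makes the classification logic visible and testable.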

#15
Got it - just checking, nothing worse than spending 4 hours rebuilding after not paying heed to such things.

Appreciate the speed of response.