Messages

1

Web Proxy Filtering and Caching / Re: Sunny Valley Sensei not blocking

« on: October 13, 2019, 03:14:13 am »

Meanwhile I could get some more details regarding my issue with Sensei:

It is not caused by webproxy. Issue still there after switching off webproxy
It is not caused by IPv6 GIF tunnel. Issue still there after switching off gateway and forcing IPv4.

On DMZ interface I could find some blocked sides in the report. DMZ interface is single NIC while the not working LAN interface is LAGG interface.

So closest guess so far is LAGG interface is creating the issue with Sensei.


 

2

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« on: October 12, 2019, 04:38:53 pm »

Somehow Sensei is not filtering on my machine. But I cound not yet figure out if it is because of LAGG interface, running squid webproxy or IPv6 GIF tunnel.

I started here before I found this thread.
https://forum.opnsense.org/index.php?topic=14649.0

3

Web Proxy Filtering and Caching / Sunny Valley Sensei not blocking

« on: October 12, 2019, 03:14:54 pm »

I just installed Sunny Valley Sensei on OPNsense 19.7.5 for testing purpose. The installation completed with success and also initial configuration is completed. The LAN interface is selected and all web filters are activated for testing. Status page shows all service running fine (at least to me it looks like).

But nothing is getting blocked. All traffic is going through. On dashboard I can see that the reports filling with data.

Could be there any conflict with running squid web proxy or incompatibility with LAGG interface for LAN? I have no idea where to search.

4

19.7 Production Series / Re: IPSec VPN – Can access VPN network or Internet, not both!

« on: October 12, 2019, 05:23:29 am »

I shortly switched from open VPN to IPsec and was struggling with the same problem: access to LAN was possible but no access to WAN in the configuration that all traffic from client should go from client trough OPNsense.

Instead of posting my complete configuration I will give you some hints what to check. So will come closer to the problem. (English wording might be not 100% correct due to other language settings on my system)

(1) Route all network through IPSec tunnel
--> IPsec --> tunnel settings --> phase 2 --> local network
--> type: network
--> address 0.0.0.0 / 0

(2) mobile configurations
--> IPsec --> mobile clients --> client configuration --> virtual address pool
--> enabled
--> 10.10.0.0/24  (sample configuration)

--> IPsec --> mobile clients --> client configuration --> DNS server
--> enabled
--> 192.168.0.1  (example. unbound on LAN address of OPNsense)

(3) firewall: allow traffic from IPsec to WAN
--> Firewall -> IPsec
allow IPv4 * * * * * *
(if required more precise rules are needed to restrict traffic)

(4) allow IPsec network to unbound (if applicable)
--> services -> Unbound DNS  access lists
--> add network 10.10.0.0 / 24 (same as in example for IPsec)


(4) NAT – route to WAN
--> Firewall -> NAT -> outbound
--> modus: hybrid (automatic rules after manual rules)
--> add
--> device: WAN
--> source address: 10.10.0.0 / 24 (same as in example for IPsec)

5

19.1 Legacy Series / Re: nginx and autodiscover basic authentication on upsream server

« on: June 03, 2019, 02:09:16 pm »

Yes, that's the point. Maybe my explanation was not clear.
But the authentication error is caused by nginx not forwarding credentials correctly.
(I assume nginx is doing what it is supposed to do by the actual settings. But this is not what I want)

I am testing by web browser by opening autodiscover xml file manually
https://autodiscover.xxxx.xxx/Autodiscover/Autodiscover.xml

In case of direct access by internal LAN address:
Browser authentication windows open, enter credentials, expected xml response comes

In case of access via external address through nginx reverse proxy
Browser authentication windows open, enter credentials, authentication windows ask again for credentials.

In case of access through Microsoft Autodiscover test page I see more details: error 401

6

19.1 Legacy Series / nginx and autodiscover basic authentication on upsream server

« on: June 02, 2019, 02:27:29 pm »

Hello,

somehow my Exchange autodiscover does not work behind nginx as revers proxy. When I connect directly to the server it works. But behind OPNsense with nginx as reverse proxy autodiscover will end up in http 401 error.

Unfortunately, I don't see anything in the logs that gives me a hint were to search.

Basically, I am fine with either basic authentication pass through or authentication by OPNsense to LDAP server. Whatever is running is fine.

The rest like activesync and owa is running through opnsense.

Any idea where to search?

7

19.1 Legacy Series / Re: nginx reverse proxy IPv6 --> IPv4

« on: May 25, 2019, 09:23:36 am »

Are there any news about this topic?
Is it something on OPNsense side or is it only my system that is screwed up?

The update to 19.1.8 did not changed anything and I do not know where to continue to search.

8

19.1 Legacy Series / Re: openvpn client export not working

« on: May 12, 2019, 01:09:06 pm »

Thank you,

with a manual set-up I got it run.
But still I believe, if there is an export function implemented it should work.

9

19.1 Legacy Series / openvpn client export not working

« on: May 11, 2019, 03:14:27 pm »

Hello,

after my issue with nginx if solved, I am faced with the next issue in OPNsense 19.1.7. The openvpn client export is not working. openvpn is set-up acc. wiki as road warrior. Certs for server and client are created by OPNsense CA. But when I now go to --> VPN --> Clientexport and press the button next to the user nothing happens. The browser shows loading activity for a while, but no file is coming. In the log files I cannot find any error.

Is there cli command to create the ovpn file instead of GUI?

10

19.1 Legacy Series / Re: nginx: not starting after setting access log "disabled"

« on: May 11, 2019, 11:23:07 am »

Thanks a lot. It looks like now nginx with disabled loggin is working.

Yes, I am using os-nginx 1.11_2 what I assume is the patch level of 19.1.7. Nothing newer is visible for me on production update channel.

I copied the file and applied the patch. syslog I kept untouched.

PS:
I used SFTP client via Windows PC. This was more convinient than cli.

11

19.1 Legacy Series / Re: nginx: not starting after setting access log "disabled"

« on: May 11, 2019, 10:29:31 am »

I checked the file.
On my machine it is different as the patch is expecting:

/usr/local/opnsense/service/templates/OPNsense/Nginx/http.conf

Code: [Select]

{% if server.charset is defined %}
    charset {{ server.charset }};
{% endif %}
    access_log  /var/log/nginx/{{ server.servername }}.access.log {{ server.access_log_format }};
    access_log  /var/log/nginx/tls_handshake.log handshake;
    error_log  /var/log/nginx/{{ server.servername }}.error.log;
{% if server.root is defined and server.root != '' %}
    root "{{server.root}}";
{% endif %}
{% if server.max_body_size is defined %}
    client_max_body_size {{ server.max_body_size }};
{% endif %}
{% if server.body_buffer_size is defined %}
    client_body_buffer_size {{ server.body_buffer_size }};
{% endif %}
{% if server.satisfy is defined %}
    satisfy {{ server.satisfy }};
{% endif %}

12

19.1 Legacy Series / Re: nginx: not starting after setting access log "disabled"

« on: May 11, 2019, 10:12:44 am »

We are on the right track but looks like it was not working on my machine.

Code: [Select]

# opnsense-patch -c plugins 8022abc0bfd7daff8428d67791de8529c89576b9
Fetched 8022abc0bfd7daff8428d67791de8529c89576b9 via https://github.com/opnsense/plugins
1 out of 1 hunks failed while patching opnsense/service/templates/OPNsense/Nginx/http.conf

13

19.1 Legacy Series / nginx: not starting after setting access log "disabled"

« on: May 11, 2019, 06:15:08 am »

Hello,

Nginx is not starting after setting of access log in section srver to "disabled".

My setup with nginx as reverse proxy is running. When I change in nginx server settings access log from "Standard" to "Disabled" in the first step looks like all is working fine. Nginx is running. But after reboot of OPNsense box nginx is not starting any more.

In error.log I found:

Code: [Select]

2019/05/11 12:52:00 [emerg] 51023#100211: unknown log format "disabled" in /usr/local/etc/nginx/nginx.conf:1519
In nginx.conf I found

Code: [Select]

access_log  /var/log/nginx/xxxxxxx.de.access.log disabled;
To me it looks like after reboot of opnsense the nginx conf is getting rewiritten but the fomat is not correct.

14

19.1 Legacy Series / Re: nginx reverse proxy IPv6 --> IPv4

« on: May 05, 2019, 03:05:04 am »

Good to hear that in general it should work what I want to do.

But it looks like my explanation was not precise enough.

The timeout I got on external machine (IPv4/IPv6 client) before opnsense WAN interface.
From the same external machine over IPv4 I can reach webserver on backend and I can ping opnsense
From the same external machine over IPv6 I can ping opnsense.

I tested curl on opnsense cli, both to localhost and to external IP:

ping 127.0.0.1       --> OK
ping6 ::1               --> OK
ping xxx.xxx.xxx.xxx  --> OK
ping6 xxxx:xxxx:xxxx:xxxx::xxxx  --> OK

curl http://127.0.0.1  --> empty return
curl http://[::1]   -->  curl: no match
curl http://xxx.xxx.xxx.xxx   --> OK, response from nginx
curl http://[xxx:xxxx:xxxx:xxxx::xxxx]  --> curl: no match

So, I am a little bit closer. Routing issue or issue with binding of nginx to IPv6.

Any further ideas where to look next?

15

19.1 Legacy Series / nginx reverse proxy IPv6 --> IPv4

« on: May 04, 2019, 05:33:55 pm »

Hello,

can I use nginx plugin as reverse proxy from IPv6 address to internal server with IPv4 address only?

With all I tried so I do not get it running.

My starting point is that my IPv4 setup is running: WAN IPv4 --> nginx --> DMZ IPv4
I set-up IPv6 GIF tunnel (HE) and in firewall I allow on tunnel interface ICMP and port 80 and 443 to "this firewall'.
No further set-up of IPv6 address to any other interface.
When I look on sockets bindings of nginx to ports looks OK for IPv6:
  www  nginx  tcp6   *:443   *:*
  root   nginx  tcp6    *:80    *:*
  root   nginx  tcp6    *:443    *:*
Ping from outside to local GIF address is working fine.

But http and https access from outside to local GIF address timed out. Nothing I can see in the firewall logs.

Any idea what to do?
Or is it simple not possible what I want to do?