Messages

16

General Discussion / Re: Plex NAT Rule

« on: May 26, 2018, 09:48:27 pm »

You will also need to add custom DNS option

17

General Discussion / Re: Plex NAT Rule

« on: May 26, 2018, 09:44:16 pm »

Here is a screenshot of how your rule should look. Source is any and destination is WAN. Destination port is plex port (default 32400). Redirect IP is you local plex server IP and redirect port is your local plex port (32400 default)

18

18.1 Legacy Series / IDS Cron Job will not delete after being disabled

« on: February 22, 2018, 03:51:06 am »

Im currently trying to delete the IDS Rule Updates CRON JOB but it will not delete. IDS is currently not enabled and the job in question is able disable. I get the prompt to "Remove Selected Item", i select yes, i do not get an error but the job will not delete. No errors in the log on issue

19

18.1 Legacy Series / Re: PFBlocker/GeoIP Blocking alias updates

« on: February 09, 2018, 04:02:54 am »

1. Correct pfBlockerNG is not available.
2. From what I understand, the GeoIP updates every day (Gurus correct me if I'm wrong).
       *Source: core/src/opnsense/scripts/filter/lib/alias.py (line 160)
3. All Aliases auto-update, pull information, or populate in the pfTables as soon as you click the Save button.
4. I've tested firehol alias and it's working fine for me.
       *Alias has similar settings like yours: https://www.screencast.com/t/YrEu7vG2iyQ2
              -Firehol alias using this URL: https://iplists.firehol.org/files/firehol_level1.netset
       *pfTables populated immediately after saving the alias: https://www.screencast.com/t/cpZvnqyaI
5. Yes, your firehol alias set for 1 day expiration will update every day.
6. You can force an update by editing the alias, make no changes, and click Save button.

Recommendations
1. Please check your Alias Names and Descriptions. It appears you have multiple typos that can make troubleshooting confusing when your configurations become more complex.
2. Please consider allowing access for a smaller group of aliases vs denying the entire world. This will make your tables smaller, easier to troubleshoot, use less RAM, better performance, etc.

Thank for the info. FIREHOL is working now. I can see offenders being blocked in the firewall logs

20

18.1 Legacy Series / PFBlocker/GeoIP Blocking alias updates

« on: February 07, 2018, 10:16:31 pm »

I read through a past post stating PFBLocker is not available but the same functionality can accomplished using the firewall alias

I created a couple alias to test



Added my firewall floating rules



Checked my firewall logs and everything except for my firehol which i will get to later. My question is how often does the GEOIP list get updated ? I do not see a interval setting stating how often the GEOIP list gets updated

And finally my firehol doesn't seem to be working. I've set the expiration to 1 day for this alias. Does this mean after a day it grabs the new list ? Additionally how do i force an update ?

21

18.1 Legacy Series / Re: /usr/local/etc/bogonsv6 too big

« on: February 07, 2018, 10:05:54 pm »

i had the same issue after updating last night. I ended up bumping the Firewall Maximum Table Entries to 500,000 and rebooting. I can spare 500MB of RAM for this.

22

18.1 Legacy Series / Feature Request -- Pushover Notifications

« on: January 02, 2018, 11:05:49 pm »

Is is possible to include pushover notifications with the release of 18.1 ?

23

17.7 Legacy Series / Re: ClamAV on HTTPS Traffic using Web Proxy - Connection timing out

« on: December 13, 2017, 11:45:10 pm »

I think you might have configured the proxy incorrectly. Are you using letsencrypt cert for ssl inspection? You cannot use letsencrypt for ssl inspection, you will need an internal CA or self signed cert. Please go through the proxy documentation once again.

Thank you,
Regards,
Bobby Thomas

Hmmm why can't i use a letsencrypt cert ? I know the documentations states using a  self signed cert however i wanted to bypass importing of that cert to my workstations by using a cert issued by letsencrypt thats tied to my dynamic dns by duckdns . As such it should be valid cert and not receive any warnings

24

17.7 Legacy Series / Re: UEFI Installation on ASROCK J3455M

« on: December 12, 2017, 04:44:55 am »

ok getting several weird errors in my system.log

1st 

Code: [Select]

Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 0: ioport 0xc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 1: ioport 0x1c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 2: ioport 0x2c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 3: ioport 0x3c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 4: ioport 0x4c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 5: ioport 0x5c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 6: ioport 0x6c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 7: ioport 0x7c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 8: ioport 0x8c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 9: ioport 0x9c00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 10: ioport 0xac00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 11: ioport 0xbc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 12: ioport 0xcc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 13: ioport 0xdc00 alloc failed
Dec 10 04:48:57 OPNsense kernel: ahc_isa_identify 14: ioport 0xec00 alloc failed
Found this FreeBSD bug in regards to issue https://lists.freebsd.org/pipermail/freebsd-current/2014-October/052554.html

Second error

Code: [Select]

module_register_init: MOD_LOAD (vesa, 0xffffffff81149b90, 0) error 19
From what i was able to find this is a video driver issue which shouldn't affect my boot time.

I'll put it into production this weekend. I can live with the delayed boot time at this point

25

17.7 Legacy Series / Re: UEFI Installation on ASROCK J3455M

« on: December 12, 2017, 04:32:31 am »

Maybe this is a console setting: System: Settings: Administration, choose "EFI" as primary console.


Cheers,
Franco

ok

26

17.7 Legacy Series / Re: UEFI Installation on ASROCK J3455M

« on: December 10, 2017, 07:56:45 pm »

I ended up installing in SAFE mode which worked fine. Now i'm running into weird delays when the system is booting. Takes 3+ minutes to boot in UEFI mode but in MBR less than a minute. Currently looking to boot in verbose mode and pulling back system log

27

17.7 Legacy Series / Re: UEFI Installation on ASROCK J3455M

« on: December 05, 2017, 01:17:01 am »

amd64? I'm having similar problems with the 17.7.5-amd64 distribution.

yes

28

17.7 Legacy Series / UEFI Installation on ASROCK J3455M

« on: December 04, 2017, 11:22:35 pm »

I currently cannot get OPNSENSE installed in UEFI mode on my ASROCK J3455M motherboard. Installation is extremely slow (4HRS so far)  then gets stuck at 67%.

I see HPET bug when installing pfsense which i didn't experience  https://www.reddit.com/r/PFSENSE/comments/7eeh70/asrock_j3455m_problems/#bottom-comments

Installing via MBR works just fine (may be 5mins if not less) but this is just work around for now until i can finish configuring the firewall.

Any suggestions on resolving my UEFI installation issue ?

29

17.7 Legacy Series / ClamAV on HTTPS Traffic using Web Proxy - Connection timing out

« on: December 02, 2017, 07:54:31 pm »

I'm currently running into issues configuring CLAMAV + Web Proxy to inspect HTTPS traffic. Each time i enable the functionality all websites except for google fail to load as the connection to each site times out.

Firewall Rule for HTTPS set

Code: [Select]

LAN TCP LAN net * * 80 (HTTP) 127.0.0.1 3128 redirect traffic to proxy    
LAN TCP LAN net * * 443 (HTTPS) 127.0.0.1 3129 redirect traffic to proxy
I do not see any errors in the access logs nor cache

Code: [Select]

192.168.5.127 - 54:60:********** - [02/Dec/2017:13:27:22 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST
192.168.5.121 - 1c:1b********** - [02/Dec/2017:13:26:40 -0500] "GET http://twitch.tv/ HTTP/1.1" 302 474 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" TCP_MISS:ORIGINAL_DST
192.168.5.121 - 1c:1b********** - [02/Dec/2017:13:25:39 -0500] "GET http://cdn.content.prod.cms.msn.com/singletile/summary/alias/experiencebyname/today? HTTP/1.1" 200 1724 "-" "Microsoft-WNS/10.0" TCP_REFRESH_MODIFIED:ORIGINAL_DST
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:24:08 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:23:31 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST

The system log is complaining there isnt a valid cert for  traffic on port 3128. Even though SSL traffic is on port 3129 (im using a valid letsencrypt cert for SSL)

Code: [Select]

Dec 2 13:22:57 squid: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:3128
Dec 2 13:21:16 squid: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:3128
What am i missing ?

30

17.7 Legacy Series / Re: OpenVPN Client Export - Windows Installer

« on: December 02, 2017, 07:11:55 pm »

Hi Ren,

The binaries were checked into the core repository, but we found that too taxing on the coding/build side. Then these were quickly outdated and at some point we had to ask the question: who is going to maintain them? No maintainer was found, so we removed them instead of going though the process of writing a "download and integrate" script for the latest binaries that could have been the way to keep the binaries alive and up to date.


Cheers,
Franco

Ok thanks for the info.