Topics - csmall

1
General Discussion / Mimic the default "Zones" from Ipfire in Opnsense?
« on: April 26, 2020, 08:20:53 pm »
I like the way ipfire uses zones with color codes to define the network.

WAN and LAN exist in OPNsense and correlate to red and green zones in ipfire.

In ipfire they use orange for a DMZ and Blue for wireless clients.

To mimic this, would I do the default installation on my quad port network card with WAN and LAN and then configure my OPT1 interface to be let's say Blue/Wireless and the last port I would add another interface and configure that as the DMZ?

Then I would attach my WAP to the blue/opt1 interface and create rules accordingly?

I'm probably overthinking this :)

2
General Discussion / Security question
« on: April 24, 2020, 03:35:49 am »
I read that pfsense runs the web interface and php as root.

With opnsense being a fork of pfsense, does it also do this?

Pfsense gave me an explanation the other day of basically it is a big effort and massive undertaking to change this.

I believe this is true, but my question is how much does it matter? My understanding is that best practice is to never do this. But yet, it is still accepted I guess with the idea that because the webui isn't accessible to the internet by default that it isn't a real risk.

What does opnsense do and if it runs these services as root, what is the reasoning?

3
19.7 Legacy Series / [Solved] Need help with wireguard
« on: July 19, 2019, 04:32:53 am »
I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine but traffic seems to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the time or the internet.

I configured the client to use 0.0.0.0/0 for allowed IPs.

On the endpoint config I have allowed IPs set to the client_ip/24

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT

I created the WAN firewall rule

I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue but I can't even get to that.
4
19.7 Legacy Series / Wireguard Plugin Road Warrior Tutorial/Doc
« on: July 18, 2019, 12:42:33 pm »
Is there a tutorial or doc on how to configure the new wireguard Plugin in 19.7 for road warrior?

5
19.1 Legacy Series / IPsec VPN on mobile Question
« on: June 26, 2019, 01:49:36 pm »
How can I prevent the tunnel from being split tunnel? I want to force all traffic over the tunnel.

I'm using ikev2 and strong swan client on Android.

My main goal is using my pihole for dns remotely. So if that is possible without forcing all traffic over the tunnel then I'd be happy with that as well.

Any help much appreciated.

Right now it is split tunnel

6
19.1 Legacy Series / Road Warrior IPsec & Split-Tunnel
« on: June 16, 2019, 06:13:24 am »
I followed this guide to get IPsec VPN working with Android using strongswan client and IKEv2.

https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-eaptls.html

I connect just fine and can access the firewall web interface on the LAN address but it is split tunnel.

I would like to force the Android phone to force all traffic over the tunnel. How can I do that?

If I can't force all traffic over the tunnel I would at least like to force dns resolution to take advantage of my pihole on mobile.

7
19.1 Legacy Series / Problem with letsencrypt validations and haproxy
« on: June 14, 2019, 02:18:21 am »
I use haproxy and letsencrypt integration with http validation

I had it working fine with renewing certificates for a while but now it fails validation. The log said timeout likely a firewall problem.

I've gone over the settings and I've tried adding additional firewall rules but nothing seems to work.

What can I check and verify? It was great when it was working :(

8
Intrusion Detection and Prevention / Emerging Threats Rule Descriptions
« on: June 07, 2019, 12:27:12 pm »
I came across this and thought it might be useful to others.

From Proofpoint:

https://www.google.com/url?sa=t&source=web&rct=j&url=http://tools.emergingthreats.net/docs/ETPro%2520Rule%2520Categories.pdf&ved=2ahUKEwi1s5eLlNfiAhWEVN8KHV0dDgkQFjABegQIBxAN&usg=AOvVaw0VeLizsYuRFk0ekY3FOOZz&cshid=1559903175835

9
19.1 Legacy Series / Clam av plugin
« on: June 07, 2019, 02:09:02 am »
Is the clam av plugin useful for anything other than when used with a proxy?

10
Intrusion Detection and Prevention / Direction
« on: May 21, 2019, 07:20:51 pm »
With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like a performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services.. then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?
11
General Discussion / Question about the LetsEncrypt plugin
« on: August 24, 2018, 04:29:38 am »
If I have already pulled certificates from LetsEncrypt with certbot by running it individually on web servers behind OPNsense/HAProxy, can I still use the LetsEncrypt plugin to take over the management of the certificates?

If so, how? If not, what would be the best way to cut over to the plugin so I don't have to deal with the individual servers renewing certificates?

12
18.7 Legacy Series / Haproxy ssl-passthrough help
« on: August 15, 2018, 05:37:58 pm »
Can anyone explain to me how I would setup haproxy in OPNsense to do ssl-passthrough instead of offloading?

I currently have a single public ip listening on 443 via haproxy with certainty for a couple of servers/services added to it with ssl offloading configured. There are rules that look at host contains and based on the sub domain name of the url, they are routed to the proper pool of servers.

This is currently working for me.

I am more curious on how I would do this with ssl-passthrough instead of offloading and also how I could still use rules to determine which server pool a sub domain url hits.

Any guidance would be much appreciated.

13
18.7 Legacy Series / Haproxy issue
« on: August 14, 2018, 12:57:54 pm »
I have one service running behind haproxy with ssl offloading enabled and it works fine.

I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.

If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.

What could be the issue? It is nginx with an ssl site on 443.

14
18.1 Legacy Series / Block outbound icmp to external address?
« on: June 05, 2018, 06:13:21 am »
What rule would I need to create to block outbound icmp to 8.8.8.8?

In the log live view I see int wan with the wan ip as the source icmp to 8.8.8.8

15
General Discussion / Cloudflare DNS over TLS with Unbound
« on: April 04, 2018, 04:02:59 am »
Looking at this article https://www.netgate.com/blog/dns-over-tls-with-pfsense.html?utm_campaign=DNSoverTLS&utm_content=69532200&utm_medium=social&utm_source=twitter

I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.

It seemed to work fine for a short period of time and then I start getting these errors and the unbound service stops running.

unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853

unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

Is anyone using cloudflare dns over tls successfully?

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved