Topics - csmall

#1
I like the way ipfire uses zones with color codes to define the network.

WAN and LAN exist in OPNsense and correlate to red and green zones in ipfire.

In ipfire they use orange for a DMZ and Blue for wireless clients.

To mimic this, would I do the default installation on my quad port network card with WAN and LAN and then configure my OPT1 interface to be let's say Blue/Wireless and the last port I would add another interface and configure that as the DMZ?

Then I would attach my WAP to the blue/opt1 interface and create rules accordingly?

I'm probably overthinking this :)
#2
General Discussion / Security question
April 24, 2020, 03:35:49 AM
I read that pfsense runs the web interface and php as root.

With opnsense being a fork of pfsense, does it also do this?

Pfsense gave me an explanation the other day of basically it is a big effort and massive undertaking to change this.

I believe this is true, but my question is how much does it matter? My understanding is that best practice is to never do this. But yet, it is still accepted I guess with the idea that because the webui isn't accessible to the internet by default that it isn't a real risk.

What does opnsense do and if it runs these services as root, what is the reasoning?
#3
I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine, but traffic seems to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the time or the internet.

I configured the client to use 0.0.0.0/0 for allowed IPs.

On the endpoint config I have allowed IPs set to the client_ip/24.

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT.

I created the WAN firewall rule.

I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue, but I can't even get to that.
#4
Is there a tutorial or doc on how to configure the new wireguard Plugin in 19.7 for road warrior?
#5
19.1 Legacy Series / IPsec VPN on mobile Question
June 26, 2019, 01:49:36 PM
How can I prevent the tunnel from being split tunnel? I want to force all traffic over the tunnel.

I'm using IKEv2 and the strongSwan client on Android.

My main goal is using my pihole for dns remotely. So if that is possible without forcing all traffic over the tunnel, then I'd be happy with that as well.

Any help much appreciated.

Right now it is split tunnel.
#6
I followed this guide to get IPsec VPN working with Android using the strongSwan client and IKEv2.

https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-eaptls.html

I connect just fine and can access the firewall web interface on the LAN address, but it is split tunnel.

I would like to force the Android phone to send all traffic over the tunnel. How can I do that?

If I can't force all traffic over the tunnel I would at least like to force dns resolution to take advantage of my pihole on mobile.
#7
I use haproxy and letsencrypt integration with http validation.

I had it working fine with renewing certificates for a while, but now it fails validation. The log said timeout, likely a firewall problem.

I've gone over the settings and I've tried adding additional firewall rules but nothing seems to work.

What can I check and verify? It was great when it was working :(
#9
19.1 Legacy Series / Clam av plugin
June 07, 2019, 02:09:02 AM
Is the clam av plugin useful for anything other than when used with a proxy?
#10
Intrusion Detection and Prevention / Direction
May 21, 2019, 07:20:51 PM
With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like the performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services, then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?
#11
If I have already pulled certificates from LetsEncrypt with certbot by running it individually on web servers behind OPNsense/HAProxy, can I still use the LetsEncrypt plugin to take over the management of the certificates?

If so, how? If not, what would be the best way to cut over to the plugin so I don't have to deal with the individual servers renewing certificates?
#12
18.7 Legacy Series / Haproxy ssl-passthrough help
August 15, 2018, 05:37:58 PM
Can anyone explain to me how I would set up haproxy in OPNsense to do ssl-passthrough instead of offloading?

I currently have a single public ip listening on 443 via haproxy with certificates for a couple of servers/services added to it with ssl offloading configured. There are rules that look at "host contains" and, based on the sub domain name of the url, route to the proper pool of servers.

This is currently working for me.

I am more curious on how I would do this with ssl-passthrough instead of offloading and also how I could still use rules to determine which server pool a sub domain url hits.

Any guidance would be much appreciated.
#13
18.7 Legacy Series / Haproxy issue
August 14, 2018, 12:57:54 PM
I have one service running behind haproxy with ssl offloading enabled and it works fine.

I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.

If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.

What could be the issue? It is nginx with an ssl site on 443.
#14
What rule would I need to create to block outbound icmp to 8.8.8.8?

In the log live view I see int wan with the wan ip as the source, icmp to 8.8.8.8.
#15
Looking at this article: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html?utm_campaign=DNSoverTLS&utm_content=69532200&utm_medium=social&utm_source=twitter

I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.

It seemed to work fine for a short period of time, and then I start getting these errors and the unbound service stops running.

unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853

unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

Is anyone using cloudflare dns over tls successfully?
#16
Suggestions for multiple servers running port 443 behind OPNsense with a single public ip?

What would be a good option for handling this?

Example:

a.domain.com:443 -> single public ip -> internal_server1:443

b.domain.com:443 -> single public ip -> internal_server2:443

Can any plugins for OPNsense handle this or would something like nginx/reverse proxy be required? Maybe a layer 7 load balancer like kemp or netscaler etc.

Haproxy can't do this can it?
#17
Can haproxy do content switching like a netscaler? Allowing you to host multiple services on the same port via one IP address.
#18
It would be nice to have some additional alert filtering options.

Right now you can do a basic search for something in the logs.

It would be great if we could filter more. Like show me all alerts with this dst ip and this action in this time frame, or all alerts from this src ip that triggered this rule, etc.

Also, is it possible to whitelist an ip in IPS? That would be cool.
#19
General Discussion / Thanks
June 01, 2017, 10:20:47 PM
I just wanted to say thank you to all the developers and team members that have made opnsense possible.

You guys have put together a really nice product and it is free for all to use.

Great job everyone. I appreciate it.
#20
When I enable suricata on my LAN interface it seems to kill it.

I experience incredibly slow web browsing (enough to be able to continue to use the opnsense webui to remove LAN), and other traffic like streaming YouTube or even loading the video thumbnails in the YouTube app just stops working.

No blocks are registered and I have tried disabling all rules but it always behaves this way.

Wan seems to work fine. I am using an emX intel card. CPU is an i3.

Any idea what to troubleshoot here?