16
18.1 Legacy Series / Re: Created a simple port forward rule - Default Deny Rule
« on: March 18, 2018, 12:54:32 am »
How does your NAT Rule look like?
Did you create a Firewall Rule too?
Did you create a Firewall Rule too?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
17
18.1 Legacy Series / Re: Aliases aren´t fine
« on: March 15, 2018, 12:13:50 am »
Hi!
I too noticed that the aliases stopped working for me after upgrading to 18.1.4.
Alias looks like this: alias2.png
Firewallrule for testing looks like this: fwrule.png
When I change the content of the alias to the IP of my machine and restart the ping, it is being blocked -> rule working correctly.
This was working for me with 17.7. I was able to test this issue on two different machines. Are we doing something wrong?
Cheers
I too noticed that the aliases stopped working for me after upgrading to 18.1.4.
Alias looks like this: alias2.png
Firewallrule for testing looks like this: fwrule.png
When I change the content of the alias to the IP of my machine and restart the ping, it is being blocked -> rule working correctly.
This was working for me with 17.7. I was able to test this issue on two different machines. Are we doing something wrong?
Cheers
18
Web Proxy Filtering and Caching / Squid blocking self-signed webinterface certificate ?
« on: March 09, 2018, 02:18:01 pm »
Hello,
I don't know since when this started but my webproxy setup somehow blocks access to the firewall webinterface:
So yes, the certificate of the webinterface is self-signed by the internal CA of course. But this used to be no problem.
When I access the webinterface directly (without proxy) I have no issues, so I assume this has to do something with squid.
Setup:
- 18.1.3/18.1.4
- Webproxy local cache is disabled.
- Webinterface IP is in Proxy "SSL no bump sites"
Steps taken:
- Upgrade to 18.1.4
- Restart webproxy
- disable and re-enable SSL-Inspection
I even deleted the mentioned server certificate and created a new one under the same CA. Now when I try to access, I still see the old certificate which was deleted. Is this old certificate cached somewhere in squid?
Public HTTPS sites work fine.
PS: when I access with the proxy disabled, I see the new certificate...
Regards and good weekend
I don't know since when this started but my webproxy setup somehow blocks access to the firewall webinterface:
Code: [Select]
Failed to establish a secure connection to 192.168....
The system returned:
(92) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=CH/ST=Zuri/L=Zuri/O=Fulltier Gmbh/emailAddress=fulltier@localhost.local/CN=FulltierInternalCA
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Your cache administrator is fulltier@localhost.local.
So yes, the certificate of the webinterface is self-signed by the internal CA of course. But this used to be no problem.
When I access the webinterface directly (without proxy) I have no issues, so I assume this has to do something with squid.
Setup:
- 18.1.3/18.1.4
- Webproxy local cache is disabled.
- Webinterface IP is in Proxy "SSL no bump sites"
Steps taken:
- Upgrade to 18.1.4
- Restart webproxy
- disable and re-enable SSL-Inspection
I even deleted the mentioned server certificate and created a new one under the same CA. Now when I try to access, I still see the old certificate which was deleted. Is this old certificate cached somewhere in squid?
Public HTTPS sites work fine.
PS: when I access with the proxy disabled, I see the new certificate...
Regards and good weekend
19
17.1 Legacy Series / Webproxy accepting revoked certificates
« on: May 27, 2017, 01:15:06 pm »
Hi guys,
I was playing around with HTTPS interception and noticed that the webproxy seems to accept revoked certificates (see screenshot revoked_interception.PNG).
If I disable HTTPS interception and try the testpage again, my browser blocks this page (see screenshot revoked_nointerception.PNG).
Is there something I can do to block those certificates using the webproxy? Other certificates, for example expired ones, get blocked correctly.
Cheers,
Netranger
I was playing around with HTTPS interception and noticed that the webproxy seems to accept revoked certificates (see screenshot revoked_interception.PNG).
If I disable HTTPS interception and try the testpage again, my browser blocks this page (see screenshot revoked_nointerception.PNG).
Is there something I can do to block those certificates using the webproxy? Other certificates, for example expired ones, get blocked correctly.
Cheers,
Netranger
20
17.1 Legacy Series / Re: IDS/IPS drop of internet speed
« on: May 17, 2017, 09:28:49 am »
Someone else with real knowledge of this module has to help you here. All I can say is I am not sure if a port scan should trigger an alarm anyway, at least I don't have a rule for it. But I have other rules alerting all the time, for example File Tracking GIF when surfing.
21
17.1 Legacy Series / Re: IDS/IPS drop of internet speed
« on: May 12, 2017, 06:36:39 pm »
Hmm no I never played with that, always used "aho-corasick". Have you tried with this?
You could disable one after another until you find the one which is the problem.
I have 9 active ruleset with almost full bandwidth.
Cheers,
You could disable one after another until you find the one which is the problem.
I have 9 active ruleset with almost full bandwidth.
Cheers,
22
German - Deutsch / Re: Traffic Shaper - IP-Bereich
« on: May 12, 2017, 05:53:47 pm »
Was passiert wenn Du in Rule 10 nur Deinen Client nimmst, also ohne /24 am Ende und das Interface nochmal auf WLAN stellst? Ansonsten sehe ich auch keinen Unterschied zu meinem Setup.
Cheers,
Cheers,
23
17.1 Legacy Series / Re: IDS/IPS drop of internet speed
« on: May 12, 2017, 05:40:27 pm »
Hi
I have the same box as you and same version of OPNSense.
I experienced similar behaviour. The following ruleset used a big chunk of my performance:
ET open/emerging-trojan
Did not test this one but i read that this is quite performance-hungry as well:
abuse.ch/Dyre SSL IPBL
If I just use a few specific ones I don't see a big performance impact.
Cheers
I have the same box as you and same version of OPNSense.
I experienced similar behaviour. The following ruleset used a big chunk of my performance:
ET open/emerging-trojan
Did not test this one but i read that this is quite performance-hungry as well:
abuse.ch/Dyre SSL IPBL
If I just use a few specific ones I don't see a big performance impact.
Cheers
24
German - Deutsch / Re: Traffic Shaper - IP-Bereich
« on: May 12, 2017, 12:29:53 am »
Huhu,
Hmm ist Deine Firewall aktuell, sprich 17.1.6?
Also habs grad nochmal eingeschaltet zum testen und bei mir läuft es mit einer Pipe und einer Rule:
Pipe:
10 Mbit/s <Maske leer!> PipeDown-10Mbps
Rule:
21 WLAN ip any 192.168...(IP vom PC) PipeDown-10Mbps ShapeDown_PC
Speedtest zeigt 9.6 Mbit, kommt also hin. Ursprünglich hatte ich es auch auf WAN gestellt aber das hat dann nicht funktioniert.
Cheers,
netranger
Hmm ist Deine Firewall aktuell, sprich 17.1.6?
Also habs grad nochmal eingeschaltet zum testen und bei mir läuft es mit einer Pipe und einer Rule:
Pipe:
10 Mbit/s <Maske leer!> PipeDown-10Mbps
Rule:
21 WLAN ip any 192.168...(IP vom PC) PipeDown-10Mbps ShapeDown_PC
Speedtest zeigt 9.6 Mbit, kommt also hin. Ursprünglich hatte ich es auch auf WAN gestellt aber das hat dann nicht funktioniert.
Cheers,
netranger
25
German - Deutsch / Re: Traffic Shaper - IP-Bereich
« on: May 10, 2017, 10:51:04 pm »
Wichtig ist noch, dass wenn Dein Client z.B. am Interface LAN hängt, dann musst Du logischerweise auch LAN auswählen in den Rules. Im Howto steht überall das Beispiel WAN was mich eher verwirrt hat. Ausser das Interface an welchem die Clients hängen heisst bei Dir tatsächlich WAN, dann würde es passen 
26
17.1 Legacy Series / Re: 17.1.6 - default gw missing / apinger won't start
« on: May 10, 2017, 08:38:09 pm »
hmm no 192.168.1.1 in my case is not the "local" firewall IP. It is the IP of my default gateway, the remote IP if you will. So it makes sense that this is monitored.
No idea what it was however.
No idea what it was however.
27
17.1 Legacy Series / Re: 17.1.6 - default gw missing / apinger won't start
« on: May 08, 2017, 01:38:18 pm »
Thanks for your feedback! I used the bootstrap command because I also had this issue:
https://forum.opnsense.org/index.php?topic=4916.msg20552
So now I checked the log and found something:
May 8 13:20:08 apinger: No usable targets found, exiting
May 8 13:20:08 apinger: Starting Alarm Pinger, apinger(27708)
Then I looked at the Gateway configuration. There is one entry with my router IP as "Gateway" and the same IP as "Monitor IP" which is correct... (192.168.1.1). But when I click to edit this gateway, the monitor IP field is empty, not sure if this is normal? So I typed 192.168.1.1 in the "Monitor IP" field and save and guess what - apinger starting again no idea why
Cheers,
https://forum.opnsense.org/index.php?topic=4916.msg20552
So now I checked the log and found something:
May 8 13:20:08 apinger: No usable targets found, exiting
May 8 13:20:08 apinger: Starting Alarm Pinger, apinger(27708)
Then I looked at the Gateway configuration. There is one entry with my router IP as "Gateway" and the same IP as "Monitor IP" which is correct... (192.168.1.1). But when I click to edit this gateway, the monitor IP field is empty, not sure if this is normal? So I typed 192.168.1.1 in the "Monitor IP" field and save and guess what - apinger starting again
no idea why Cheers,
28
17.1 Legacy Series / Re: 17.1.6 - default gw missing / apinger won't start
« on: May 07, 2017, 08:42:28 pm »
how can you start it? when I click the play button to start the service manually, nothing happens.
29
17.1 Legacy Series / 17.1.6 - default gw missing / apinger won't start
« on: May 06, 2017, 12:08:28 pm »
Good morning guys!
I have a strange behavior after upgrading to 17.1.6:
It seems that my DHCP lease no more contains a default gateway
I get my internal IP address as usual but default gateway is just empty. When I set a static IP and static default gateway on my client the connection works again. So in order to fix this I went to Services > DHCP > Server and in the "Gateway" field, which was empty, I did set the firewall IP (for example 192.168.1.1). And now after ipconfig /renew on the client, everything works again. I am not sure about the config of this field before my upgrade though... if this got deleted or the mechanics changed?
Another thing I noticed after the upgrade (not sure if this has something to do with this): The apinger Gateway Monitoring Daemon fails to start, it just stays red. Is there a log for this somewhere so I could get some information?
I updated from 17.1.3 with the bootstrap command because I wanted (needed) a clean installation because I originally came from the 17.1 beta version.
Best,
Net
I have a strange behavior after upgrading to 17.1.6:
It seems that my DHCP lease no more contains a default gateway
I get my internal IP address as usual but default gateway is just empty. When I set a static IP and static default gateway on my client the connection works again. So in order to fix this I went to Services > DHCP > Server and in the "Gateway" field, which was empty, I did set the firewall IP (for example 192.168.1.1). And now after ipconfig /renew on the client, everything works again. I am not sure about the config of this field before my upgrade though... if this got deleted or the mechanics changed?Another thing I noticed after the upgrade (not sure if this has something to do with this): The apinger Gateway Monitoring Daemon fails to start, it just stays red. Is there a log for this somewhere so I could get some information?
I updated from 17.1.3 with the bootstrap command because I wanted (needed) a clean installation because I originally came from the 17.1 beta version.
Best,
Net
30
French - Français / Re: ICAP (antivirus PROXY) ne répond pas
« on: March 25, 2017, 02:06:54 pm »
le process ICAP n'est pas partie de OPNSense.
Regards,
Regards,