Messages

16

19.7 Legacy Series / Re: OpnSense stops routing all traffic when WAN drops

« on: February 25, 2020, 01:31:27 am »

Are you adding that Cron job the official way using actions.d?.

My guess is, probably not. I'm adding it via the console using crontab. There appears to be no GUI-based way to add a cron job that isn't from the pre-populated list. With that said, if there's a better way (actions.d) let me know how to do it and I'll change up my instructions to match once I try it. It would be really nice if I could get these to persist across upgrades!

Thanks!

17

19.7 Legacy Series / Re: OpnSense stops routing all traffic when WAN drops

« on: February 16, 2020, 07:54:15 pm »

Just checked and no, that doesn't resolve it for me. From what I can tell, at least on my installs, the fix seems to be in rebooting the firewall if it cannot ping a server on each of the networks and a publicly hosted website like google.com. The problem is, every time you upgrade the firewall, the crontab rule that kicks this script off gets removed, so I have to re-add it manually.

Thanks for the idea, though! It made me go through my Unbound configuration with a fine tooth comb!

18

20.1 Legacy Series / Likely an Easy fix - vpn_ipsec.php phase 1 background color

« on: February 10, 2020, 04:36:35 pm »

Hi all,

In the latest release (20.1), there's a hard-coded style element on line 1132 of the output:

Code: [Select]

1129: <style>
1130:  tr.phase1_tr > td {
1131:      font-weight: bolder;
1132:      background-color: #FBFBFB;
1133:  }

Because this is defined after all the css files are rendered, this is breaking themes. For instance, on dark themes (rebellion, tucan) the background is near white and so is the font.

Can this be moved into main.scss or another css file so it can be changed by theme designers?

Thanks!
Anomaly0617

19

19.7 Legacy Series / Re: OpnSense stops routing all traffic when WAN drops

« on: January 08, 2020, 01:13:06 am »

Not so far. I'm using my check_internet.sh script to get around the problem at the moment, but one thing I've noticed is that the cron job does not persist from upgrade to upgrade, so I have to manually put it back in.

It's unfortunate that you are seeing the same problem, but also reassuring that I'm not the only one. :-/

20

Web Proxy Filtering and Caching / Re: NGINX Reverse Proxy advice

« on: December 23, 2019, 04:50:08 pm »

From Google Translate, since I'm terrible at German :

The rewrite rule belongs off and leave the location on / match and match type empty, since the VHosts are mapped with the server names via different HTTP servers.

Ok, with this advice I got one server proxy working. I'll attempt more later today. Here's what I did to make it work...

Services: NGINX: Configuration: General
-- Enable nginx: Checked

Services: NGINX: Configuration: Upstream Server (1 Entry)
-- Description: Server1
-- Server: 192.168.xxx.zzz
-- Port: 8091 (later moved to 80, after I got it working)
-- Server Priority: 1

Services: NGINX: Configuration: Upstream (1 Entry)
-- Description: com_siteb
-- Server Entries: Server1
-- Load Balancing Algo: Weighted Round Robin
-- Enable TLS: Unchecked
-- TLS: Servername override: [Blank]
-- TLS: Supported Versions: [Nothing Selected]
-- TLS: Session Reuse: [Checked] (I think by default)
-- TLS: Trusted Certificate: [Nothing Selected]

Services: NGINX: Configuration: HTTP(S): Location (1 Entry)
-- Description: com_siteb
-- URL Pattern: /
-- Match Type: None
-- URL Rewriting: [Nothing Selected]
-- Enable Security Rules: [Not Checked]
-- Learning Mode: [Not Checked]
-- Block XSS Score: [Blank]
-- Block SQL Injection Score: [Blank]
-- Custom Security Policy: [Nothing Selected]
-- Upstream Servers: com_siteb
-- Path Prefix: [Blank]
-- Cache: Directory: [none]
-- File System Room: [Blank]
-- Index File: [Blank]
-- Automatic Index: [Not Checked]
-- Basic Authentication: [Blank]
-- Basic Credentials List: [None]
-- Enable Advanced ACLs: [Unchecked]
-- IP ACL: [None]
-- Force HTTPS: [Unchecked]
-- Enable HTTP/2 Preloading: [Unchecked]
-- Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI: [Unchecked]
-- (PHP) Router Script: [Blank]

Services: NGINX: Configuration: HTTP(S): HTTP Server (1 Entry)
-- HTTP Listen Port: 8091 (Later changed to 80)
-- HTTPS Listen Port: [Blank]
-- Server Name: 192.168.xxx.zzz
-- Locations: com_siteb
-- URL Rewriting: Nothing Selected
[Everything else left to defaults]


This section was completely deleted
Services: NGINX: Configuration: HTTP(S): URL Rewriting (1 Entry)
-- Short description (to display): root
-- Original URL Pattern (Regex): /
-- New URL Pattern: $1
-- Flag: Redirect

After a restart of NGINX, It routes! Thanks, Fabian!

21

Web Proxy Filtering and Caching / [Solved] NGINX Reverse Proxy advice

« on: December 23, 2019, 01:41:09 am »

Hi there,

In the past, I have done this with pfS and the Squid Reverse Proxy tool. But it's been a few years.

I've got OPNsense 19.7-amd64 up and running at a location. I'd like to set up a number of web servers on the LAN side and have NGINX reverse proxy the traffic in to them based on the headers.

I'm not looking to load balance at this point, just setting it so that:

http://sitea.com proxies in to http://192.168.xxx.yyy:80
http://siteb.com:8091 proxies in to http://192.168.xxx.zzz:8091
http://sitec.com proxies in to http://192.168.xxx.aaa:80
https://sited.com proxies in to https://192.168.xxx.bbb:443
https://sitee.com proxies in to https://192.168.xxx.ccc:443

So, I'm starting with one server, siteb.com above. I followed this tutorial, but I doubt I did it correctly. So here's what I've got....

Services: NGINX: Configuration: General
-- Enable nginx: Checked

Services: NGINX: Configuration: Upstream Server (1 Entry)
-- Description: Server1
-- Server: 192.168.xxx.zzz
-- Port: 8091
-- Server Priority: 1

Services: NGINX: Configuration: Upstream (1 Entry)
-- Description: com_siteb
-- Server Entries: Server1
-- Load Balancing Algo: Weighted Round Robin
-- Enable TLS: Checked
-- TLS: Servername override: [Blank]
-- TLS: Supported Versions: [Nothing Selected]
-- TLS: Session Reuse: [Not Checked]
-- TLS: Trusted Certificate: [Nothing Selected]

Services: NGINX: Configuration: HTTP(S): Location (1 Entry)
--Description: com_siteb
--URL Pattern: ^http://siteb.com
--Match Type: Case Insensitive Match ("~*")
--URL Rewriting: [Nothing Selected]
--Enable Security Rules: [Not Checked]
--Learning Mode: [Checked]
--Block XSS Score: [Blank]
--Block SQL Injection Score: [Blank]
--Custom Security Policy: [Nothing Selected]
--Upstream Servers: com_siteb
--Path Prefix: [Blank]
--Cache: Directory: [none]
--File System Room: [Blank]
--Index File: [Blank]
--Automatic Index: [Not Checked]
--Basic Authentication: [Blank]
--Basic Credentials List: [None]
--Enable Advanced ACLs: [Unchecked]
--IP ACL: [None]
--Force HTTPS: [Unchecked]
--Enable HTTP/2 Preloading: [Unchecked]
--Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI: [Unchecked]
--(PHP) Router Script: [Blank]

Services: NGINX: Configuration: HTTP(S): URL Rewriting (1 Entry)
--Short description (to display): root
--Original URL Pattern (Regex): /
--New URL Pattern: $1
--Flag: Redirect

Services: NGINX: Logs: HTTP Access Logs: com_siteb
--Time: 22/Dec/2019:18:32:25 -0500
--IP: [Redacted, but it's mine]
--Username: -
--Status: 404
--Size: 5431
--Referer: http://siteb.com/
--User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
--Forwarded For: -
--Requested Line: GET /favicon.ico HTTP/1.1

Services: NGINX: Logs: HTTP Error Logs: com_siteb
--Date: 2019/12/22
--Time: 18:32:24
--Severity: error
--Number: 35259#100189
--Message: *1 "/usr/local/etc/nginx/html/index.html" is not found (2: No such file or directory), client: [Redacted], server: com_siteb, request: "GET / HTTP/1.1", host: "siteb.com"

22

19.7 Legacy Series / Re: OpnSense stops routing all traffic when WAN drops

« on: December 17, 2019, 05:36:17 pm »

We haven't tried that yet. Running a multi-site business, management gets a little... testy... when we arbitrarily decide to take the network down for no perceivable reason. This may be something we test on a weekend in the early morning hours.

23

19.7 Legacy Series / OpnSense stops routing all traffic when WAN drops

« on: December 17, 2019, 04:50:40 pm »

Hi all,

I've got a weird one, but I've now seen it at different locations and it's concerning.

Please note that this one is very similar to this post, also by me, from a while back.

First, some specs because well, everyone loves specs:

System Information

Code: [Select]

Name frasvrfw.{redacted}
Versions OPNsense 19.7.6-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019
Updates Click to check for updates.
CPU Type Intel(R) Xeon(R) CPU X3450 @ 2.67GHz (8 cores)
CPU usage
Load average 0.53, 0.38, 0.28
Uptime 1 days 03:06:07
Current date/time Tue Dec 17 10:33:25 EST 2019
Last config change Mon Dec 16 3:31:41 EST 2019
State table size 1 % ( 8526/814000 )
MBUF Usage 1 % ( 7100/506546 )
Memory usage 13 % ( 1099/8144 MB )
SWAP usage 0 % ( 0/8192 MB )
Disk usage 2% / [ufs] (1.4G/101G)
Interfaces

Code: [Select]

   GUEST 1000baseT <full-duplex> 192.168.25.254
   LAN 1000baseT <full-duplex> 192.168.3.1
   PLC 1000baseT <full-duplex> 192.168.20.1
   Phones 1000baseT <full-duplex> 192.168.9.1
   Printers 1000baseT <full-duplex> 192.168.6.1
   SAN 1000baseT <full-duplex> 192.168.10.1
   SANBACKUPS 1000baseT <full-duplex> 192.168.16.254
   SECUREWIFI 1000baseT <full-duplex> 192.168.5.1
   SECURITY 1000baseT <full-duplex> 192.168.50.1
   WAN 1000baseT <full-duplex> {redacted}
Ok, with that out of the way, I've got a Dell PowerEdge R210 running as an OpnSense firewall/gateway between multiple networks (separated into VLANs and their own subnets) with the OpnSense firewall at the center.

We've now had this happen twice -- 16-Dec-2019 between 3:20 AM and 7:20 AM, and about a month ago where there was a 35 minute power outage.... so I'm no longer thinking this is a "fluke."

The trigger:
The WAN connection drops at the provider end (in other words, between the internet provider's fiber router and their closest node)

The symptom:
OpnSense stops routing all traffic -- even the internal traffic between internal subnets such as from the LAN to the PRINTER networks. This continues to occur even after the WAN connection is restored and the internet is available again.

The workaround resolution:
Reboot the firewall and all the problems go away... until the next time the internet connection drops.

In both instances, the power in the area has gone out, and our on-site battery backups and generator have kept the building up and running throughout. So my OpnSense logs do not show that the firewall has rebooted. But if I go to Reporting -> Health and look at any metric, ie:

Packets -> LAN
Packets -> WAN
Packets -> IPSec
Quality -> Gateway

They are all flat-lined between those times.

So the question is, what would cause OpnSense to stop routing traffic between internal networks when the WAN connection drops, and is there a way to fix it, short of setting up a check_internet script that reboots the firewall if it can't get to something really common like google?

Thanks in advance, all!

24

19.7 Legacy Series / Zabbix 4.4.1 Proxy Pkg

« on: November 18, 2019, 02:01:42 am »

Hi there,

Just wondering if anyone is actively working on generating a pkg for zabbix4.4 -- I accidentally updated my Zabbix server to 4.4.1 (meant to just go to 4.2.x) and I'm seeing errors in the zabbix server log like:

11068:20191117:195807.381 cannot process proxy "[SiteID]": protocol version 4.0 is not supported anymore

So, totally my fault for upgrading too far, but since I did and it made some database changes, I'm now hesitant to go backwards to 4.2.

If someone can walk me through compiling from source on FreeBSD, I'm generally fluent in POSIX environments. I'd be happy to submit whatever I compile.

Thanks!
-Paul

25

General Discussion / Re: Firewall reboots and will not route packets - problem and possible solution

« on: June 24, 2019, 03:24:10 pm »

EDIT: I found the script I've been testing/using to fix this issue. Here it is. Your mileage may vary...

(Mine is located as /root/check_internet.sh - this may not be the best place for the code to persist through updates.)

To implement this, you need to open an SSH session to your firewall, log in, and select "8. Shell" from the menu.

Once there, type

Code: [Select]

vi /root/check_internet.sh
The editor you are now in is called vi. Vi is very powerful, but not very user friendly. Here's what you need to do in order to get this going...

Type :i[Enter]. This puts VI in Insert mode.

Paste in the following code. I use PuTTY, and in PuTTY to paste you just right-click after you've copied the code.

Code: [Select]

#!/bin/sh

TMP_FILE=/tmp/inet_up

# Edit this function if you want to do something besides reboot
no_inet_action() {
    shutdown -r +1 'No internet.'
}

if ping -c5 google.com; then
    echo 1 > $TMP_FILE
else
    [[ `cat $TMP_FILE` == 0 ]] && no_inet_action || echo 0 > $TMP_FILE
fi

Now type [Esc] :wq [Enter]. This says "Exit Insert Mode, Command: Write, Quit" and Enter executes it.

After you create it, you need to run

Code: [Select]

chmod a+x /root/check_internet.shwhich makes it executable.

Normally I'd tell you to go to the Web UI and set up a new Cron Job, but OpnSense does not seem to have the ability to accept a custom command, so instead we're going to do this:

Code: [Select]

crontab -e
Again, you're in VI.

Type :i[enter], which puts the editor in "Insert" mode. Go to the bottom of the file and add a new line:

Code: [Select]

*/5     *       *       *       *       /root/check_internet.sh > /dev/null
Now type [Esc] :wq [Enter]. Again, this says "Exit Insert Mode, Command: Write, Quit" and Enter executes it.

What you told the cron (scheduler) to do is "run this command every 5 minutes". If the command succeeds, nothing will happen. If the command fails, it will automatically reboot the firewall.


FYI (because credit where credit is due) I found the base code and modified it from here.

The upside of this script is that if the interfaces on your firewall are not properly initialized or did not properly initialize after a reboot, this will reboot the firewall and give it another chance without you having the drive in to the office and intervene manually.

The downside of this script is, if Google appears to be down from the firewall, it's going to reboot your firewall every 5 minutes. So, be aware of the Pro's and Con's of this script.

Hope this helps. Please let me know if this resolved an issue for you!

26

General Discussion / Firewall reboots and will not route packets - problem and possible solution

« on: June 17, 2019, 05:46:24 pm »

Hi all,

Those of you that have been around the *Sense world for awhile probably know me. I've been a fan for a number of years, and have a lot of posts on the pf as well as the opnSense forums. Heck, I may even have a few on m0n0wall, since I go back that far on distros of this firewall.

If you're just now reading this, this is an awesome firewall solution and I've found nothing that compares to it in the commercial world. There's a balance of functionality and UI that I've never seen at this level in a commercial product. So what's below is more for the folks that have been running some version of *Sense for a little while and is not representative of the product of a whole.

Ok, disclaimer over. Now to the real topic:

I have somewhere in the neighborhood of 30-50 *Sense installations in production. These span everything from a terrible DSL connection in the middle of nowhere's-ville to a 200 x 200 Mbps redundant fiber connection in a controlled data center environment. I'm seeing this problem across the board, on all installations. That means everything pf 2.3.2 and newer, and I'm guessing everything opnSense 18.1.x and newer. In other words, I'm thinking this is a FreeBSD problem and not a *Sense problem.

Symptom:

The firewall is set up to reboot on a schedule. After the scheduled reboot, the firewall does not respond to anything remotely. ICMP traffic does not respond, packets are not forwarded, rules are not processed. It's as if the firewall is stuck in the default state of "deny all" for all packets.

Resolution A (a bad one):

Go to the console and log in if necessary. Reboot the firewall using the appropriate menu option. Let the firewall reboot. Check again and see if you can access the outside world, and the outside world can access you.

Resolution B (possibly better?)

Run a script that checks to see if the firewall can reach the gateway device (DSL modem, DOCSIS router, fiber router, etc.) and/or a common website (Google DNS, for instance). If it cannot, issue a reboot command. Possible side-effect: This could reboot the firewall in the middle of the day with no warning to your end users.

Anyone else run into this problem? The most common hardware we use are Dell PowerEdge R2{x}0's as firewalls, so its possible it is specific to those, but I believe I've also seen this behavior on the micro-firewalls we have running made by a reputable Amazon reseller ending in "LI". ;-)

DISCLAIMER: If you can't tell, this email has been formatted to avoid getting a nasty letter from that one company that bought one of the *Sense distributions and has been known for sending nasty letters to people trying to help.

27

18.7 Legacy Series / Re: OpenVPN (road warrior) with 2FA will not sustain connection

« on: June 13, 2019, 10:06:39 pm »

I may be seeing the same behavior, but I'm giving it time to find out for sure. However, I'm wondering if this helps at all:

Under VPN >> OpenVPN >> Servers >> RoadWarrior VPN (Edit it) >> Renegotiate Time it says:

"Renegotiate data channel key after n seconds (default=3600).
When using a one time password, be advised that your connection will automatically drop because your password is not valid anymore.
Set to 0 to disable, remember to change your client as well."

Mine was set to 0, so I changed it to be 86400, which is the equivalent of one day. I'm now waiting to see if this "resolves" the problem, ie: how many users will remain connected to the VPN for more than 24 hours? And if they do, isn't it appropriate to ask them for another OTP?

28

Web Proxy Filtering and Caching / Re: Logging to a MySQL database on the back-end?

« on: March 06, 2019, 01:42:16 pm »

Thanks for the response, Fabian. I’ll pursue logstash and report back on my findings!

29

Web Proxy Filtering and Caching / Logging to a MySQL database on the back-end?

« on: March 05, 2019, 11:14:53 pm »

Hi all,

I haven't seen this here yet, but perhaps I missed it. If so, let me know and I'll see myself out. ;-)

I've recently been exploring the idea that access log data from squid could be piped into MySQL (see here). My thought is NOT that the OpnSense server would host this MySQL data, but rather that I could push that MySQL data to a MySQL server internally for further analysis. All of this comes from the desire of management-types that do not want to read through data, but rather would like to see the data from a 1000 meter view and then tunnel down into the data they want.

For instance, if last week squid allowed 98.5% of traffic and blocked 1.5% of traffic for employees, that's one "1000 meter" view. Then if management wants to drill down into the 1.5% of traffic to see what is being blocked and who is attempting to access that information, they can.

Ultimately, this comes around to being able to ask squid on opnsense to send the log file to MySQL. And the link above seems to indicate that squid is possibly capable of doing so. The question is, has anyone done it, is it possible with OpnSense on the BSD platform (as the link above is for a debian platform), and if the answer to that question is yes, what would it take to get the functionality incorporated into Squid for OpnSense?

An ancillary question that I could see coming about would be a way to point multiple OpnSense servers to a single MySQL database (again, internally, over the VPN tunnel for instance) and the ability to see the multi-site view. Why is the internet in [location] always so slow? Lets see what their browsing patterns are like....

So, how far-fetched is this idea? In the short term I'm considering deploying proxy servers out to each location,  but in the longer term, I'm looking for a way to manage the data in a way that isn't cumbersome.

30

General Discussion / Compliance with standards (FIPS, SOX, LEADS, HIPAA), etc.

« on: November 27, 2018, 05:16:26 pm »

Hi all,

I've been around the community for a few years now, but I'm a pfSense convert like most of us here. I've used pf/OpnSense for going on 10 years (?) now. So, not exactly a newb, but I generally stay pretty quiet.

I have a small municipality who is running pfSense. I'm in the process of converting all the firewalls over to OpnSense. The local Sheriff's Office IT only uses Cisco, and nothing else. Since we have to interface with them for various agency records, this means they have Cisco appliances in key buildings sitting right next to the pf/OpenSense firewalls, plugged into the same ISP router, and with their own external and internal IP address. This creates two points of entry into the networks instead of one, which makes it doubly difficult for me to take responsibility for keeping the network safe. So, on this last expansion run (for ancillary stations) I suggested that we just set up an IPSec VPN tunnel between the county and the existing pfSense/OpnSense firewalls that are on-site at each location.

You'd think I dropped a bomb on them.

The present (valid) argument for why this is not feasible is that the OpnSense firewall platform is not FIPS 140-2 certified. Looking purely at the technical requirements, I think it'd pass with no problem, but the question is, what does it cost to make a firewall FIPS compliant? Is this something the OpnSense community should consider pursuing? Is HardenedBSD going to make this easier for us, assuming the development of OpnSense eventually gets there?

I can foresee running into this problem with other industries that have a standards-based auditing system of firewalls, examples being PCI, SOX, HIPAA, etc. so it'd be nice to hammer this one out before those come up.

Any/all responses are appreciated.