Messages - thewolf56

#1
One idea is to use a Unifi Access Point connected to your switch, if your current router cannot tag separate SSIDs. I have a couple of SSIDs set up at my house with a few different VLANs to separate out traffic (normal LAN WiFi, Guest WiFi, IOT WiFi, and another IOT WiFi because Nintendo Switches do not work nicely when trying to play multiple consoles in a multiplayer game at the same time; their support saying to open all ports to them is another security story). There are quite a few tutorials on how to create VLAN WiFi networks with Unifi and the other SENSE offering out there, and they work well for OPNsense, with just a few changes to the screens.

https://www.linuxserver.io/blog/2019-11-13-pfsense-unifi-wifi-vlan

If you can go that route, you do not need another NIC on your computer running OPNsense for that to work and you do not necessarily need a managed switch as long as your switch will pass the tags through (I started off with a switch that just did passthrough and now have a couple of managed switches in my home network.)
#2
General Discussion / NGINX Issues with multiple subdomains
September 24, 2022, 02:00:26 AM
Hello,

I used this tutorial (https://forum.opnsense.org/index.php?topic=19305.0) to set up NGINX with Let's Encrypt for my initial server.

After reading other items, I ended up using subdomains with subdomain certificates for my Home Assistant and Plex, so the following entries into a web browser work correctly:

No issues with either of those services through mobile browsers or through their respective apps after setting them up correctly.

I tried adding another entry to NGINX for another new server I started for Mealie.  I created a subdomain so that it should connect:
But when I restart NGINX and enter the address into my browser, I get a warning that the website is not safe, and once I ignore the safety messages, it takes me to the login screen for Home Assistant. Even though the HTTP server is set up with the correct certificate, the website is showing the certificate for hass.mydomain.dns.com instead of the certificate for mealie.mydomain.dns.com. If I just enter https://mydomain.dns.com into a web browser, it also takes me to the Home Assistant login screen with a similar certificate issue, even though there is nothing set up in NGINX for that server. I wonder if it has something to do with sharing the same machine with different ports, but the ports are defined in the Upstream server.

Any help to solve this would be appreciated.
#3
I don't use UPnP for anything, but I followed this tutorial for my Xboxes (including the part about changing ports) and have open NATs for them.

https://forum.opnsense.org/index.php?topic=8812.0

Followed a similar tutorial for my Nintendo Switches, but had to put them on separate SSIDs for multiplayer to work.

Good luck
#4
Hello,

I have been running the Let's Encrypt add-on with NGINX for a little while without a problem. However, now I need to use the certificates for a couple of other items.

I have set up SFTP and can connect with PuTTY using keys, but get an error when I test the connection via the automation for uploading the certificate via SFTP.

I checked the log on the SSH/SFTP server and can see that my OPNsense machine attempts to connect, but I get this error in OPNsense:

Host cannot be trusted.
{ "actions": [ "connecting" ], "success": false, "error": "Key mismatch for '192.168.X.XX'; The expected key ({'hash':'SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1234','key_type':'RSA','key_length':'2048'}) was not found in ([{'hash':'SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5678','key_type':'RSA','key_length':'3072'}])", "host_not_trusted": true, "connect_failed": true }

Can anyone tell me what I am doing wrong? I noticed that there is a key length mismatch along with the key not matching, but I am not sure how to fix it on the OPNsense machine.
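An added example (not from this thread or from OPNsense's own code) showing where the fields in that error come from and why the check fails: the hash is the unpadded base64 SHA-256 of the raw host key blob, the key length is the RSA modulus size, and the upload is refused when the stored key is not among the keys the server presents. The two ssh-rsa lines are constructed placeholders built around a dummy modulus, not real keys.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def constructed_rsa_key_line(modulus_bits: int) -> str:
    """Build an 'ssh-rsa AAAA...' line around a placeholder modulus (NOT a usable key)."""
    n = (1 << (modulus_bits - 1)) | 1          # exactly modulus_bits bits long
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def describe_host_key(key_line: str) -> dict:
    """Return the fields OPNsense printed in the error: hash, key_type, key_length."""
    blob = base64.b64decode(key_line.split()[1])
    fields, off = [], 0
    while off < len(blob):                     # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    key_type = fields[0].decode()
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the whole key blob
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    modulus_bits = int.from_bytes(fields[2], "big").bit_length()
    return {"hash": "SHA256:" + digest, "key_type": "RSA", "key_length": modulus_bits}

def host_is_trusted(expected: dict, offered: list) -> bool:
    """The check that failed in the thread: the stored key must be among those the server offers."""
    return any(k["hash"] == expected["hash"] for k in offered)

# Constructed scenario mirroring the error above: a 2048-bit key was stored, but the
# server now presents only a 3072-bit one (e.g. after its host keys were regenerated).
STORED_KEY = describe_host_key(constructed_rsa_key_line(2048))
SERVER_KEYS = [describe_host_key(constructed_rsa_key_line(3072))]

if __name__ == "__main__":
    if not host_is_trusted(STORED_KEY, SERVER_KEYS):
        print("Key mismatch: expected", STORED_KEY, "but server offers", SERVER_KEYS)
```

To compare against a real server, run `ssh-keygen -lf` on its public host key file out of band and check that the printed SHA256 fingerprint matches the one the OPNsense automation expects before updating the stored key.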
#5
I hope you get a helpful response.  The speed limitation is the only reason I have kept my ISP's gateway box in the chain as a transparent bridge in order to keep my 1Gbps connection, but lately, it has needed a reset every once in a while as it will drop to 100Mbps.
#6
Quote from: mimugmail on July 15, 2021, 06:26:21 AM
Now we will never know ...  8)
But it seems it was just a small problem somewhere ..

It was the weirdest thing, but glad I can at least get it started now.
#7
Well, I double-checked that the stream and http servers were not sharing port 80, and that definitely was not the case, as I did not have any stream servers set up (yet) in NGINX.

So, I uninstalled NGINX, updated OPNsense (I'm not technically savvy enough to be on the cutting edge of fixing unknown bugs, so I usually wait a little bit for others to upgrade first), reinstalled NGINX, and sure enough, it started up.

Now, I'm trying to get my Home Assistant and FreePBX VMs set up to be able to connect from the outside securely...
#8
Quote from: fabian on July 14, 2021, 11:35:39 PM
Another reason could be that you define stream servers and http servers in nginx using port 80. Then nginx blocks itself.

I don't think I did that, but I will definitely go back and double-check.
#9
Quote from: mimugmail on July 14, 2021, 10:06:44 PM
sockstat -4 | grep 80 is really empty? Usually it's only the redirect rule

It's not empty per se, but it is getting three hits that are not port 80: one because of the VLAN 180 address and two because the ports have the number 80 as part of the digits.

root@OPNsense:~ # sockstat -4 | grep 80
root     ntpd       3210  31 udp4   192.168.180.1:123     *:*
root     lighttpd   58302 4  tcp4   127.0.0.1:43580       *:*
root     nc         31856 3  tcp4   127.0.0.1:8080        *:*

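The `grep 80` false positives above are a good argument for matching the port field exactly rather than the whole line. As an added example (not from the thread), this Python filter parses sockstat output and keeps only sockets whose local port is exactly the one asked for; the sample output is constructed from the lines in the post, with a header row and a port-80 listener added so there is something to find.

```python
import subprocess

# Constructed sample modelled on the `sockstat -4` lines in the post above, plus a
# header row and a real port-80 listener, so the exact-port filter has something to find.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       3210  31 udp4   192.168.180.1:123     *:*
root     lighttpd   58302 4  tcp4   127.0.0.1:43580       *:*
root     nc         31856 3  tcp4   127.0.0.1:8080        *:*
root     lighttpd   58302 5  tcp4   *:80                  *:*
"""

def sockets_on_port(output: str, port: int, proto_prefix: str = "tcp") -> list:
    """Return (command, pid, local address) for sockets whose local port is exactly `port`.

    Unlike `grep 80`, this does not match 192.168.180.1, :43580 or :8080."""
    hits = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "USER" or not cols[4].startswith(proto_prefix):
            continue
        local = cols[5]
        port_text = local.rsplit(":", 1)[-1]      # works for *:80, 127.0.0.1:8080 and IPv6
        if port_text.isdigit() and int(port_text) == port:
            hits.append((cols[1], int(cols[2]), local))
    return hits

def live_sockets_on_port(port: int) -> list:
    """Run sockstat on the OPNsense (FreeBSD) host itself; -l limits output to listening sockets."""
    out = subprocess.run(["sockstat", "-4", "-l"], capture_output=True, text=True, check=True).stdout
    return sockets_on_port(out, port)

if __name__ == "__main__":
    print(sockets_on_port(SAMPLE_SOCKSTAT, 80))  # [('lighttpd', 58302, '*:80')]
```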
#10
Hello,

I tried searching for a solution before posting, but I have been unable to solve my issue of setting up NGINX with Let's Encrypt on my OPNsense firewall.

I followed this tutorial (https://forum.opnsense.org/index.php?topic=19305.0), but when I finally went to start it, I received the following errors in the NGINX logs:

2021/07/13   16:33:54   emerg   78826#100183   bind() to 0.0.0.0:80 failed (48: Address already in use)
2021/07/13   16:33:54   emerg   78826#100183   bind() to [::]:80 failed (48: Address already in use)
2021/07/13   16:33:54   emerg   78826#100183   still could not bind()
2021/07/13   16:34:10   emerg   99740#100114   bind() to unix:/var/run/nginx_status.sock failed (48: Address already in use)

I did a search and although I have been using https with port 440 for my GUI, I ran sockstat and found port 80 was being used by lighttpd.  Did more searching, disabled the GUI http redirect, and NGINX still would not start.

Reran sockstat and no port 80 is listed after changing the redirect setting.  Restarted the machine and no port 80 found using sockstat, but NGINX still shows the errors above with multiple bind() :80 failed messages.

Any advice would be appreciated.

Thanks
#11
Quote from: mimugmail on August 20, 2018, 07:30:59 AM
Do you use the URLHaus list? ATM it's too big and unusable.

Thanks mimugmail. I do have that list enabled at the moment. Would it be better to disable the URLhaus list and re-enable Hyperscan? Or leave the rule list enabled with the default pattern matcher?

I tried disabling that list and switched back to hyperscan.  Suricata still stalled out and stopped running with hyperscan enabled.  I have not re-checked my speed on my 1 Gbps up/down since switching to default pattern matcher, but plan to do so once I am back on ethernet instead of wifi, but I imagine it is not going to be a great speed.
#12
I know this is a late reply, but I hope you were able to find this guide.

https://forum.opnsense.org/index.php?topic=6893.0
#13
Quote from: elektroinside on January 16, 2018, 11:09:39 PM
3. If you have newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select as pattern matcher 'Hyperscan'. You will have to dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.

Hello @elektroinside

I followed your guide to the end and after downloading the rules (and after changing the ones you pointed out that caused issues with Windows Update to alert), I was able to get IDS/IPS to run, but only for less than a minute before it would stop itself. I would watch the CPU graph and memory usage on the dashboard steadily climb and then I would see the CPU graph drop dramatically and watch my memory usage (4 GB RAM) drop from about 52% to 14%. I would then refresh the dashboard to see that IDS had stopped.

I did some googling and it seems that my issue is that I had set the pattern matcher to "Hyperscan" (it's been staying on ever since I changed it back to default). My i5-5250U has Intel SSE 4.1 and SSE 4.2, which are backwards compatible with SSE3, so I rechecked your instructions to use dmesg to verify SSE3. I did use dmesg to verify the SSE3 set is there, but the only change I made was switching from Hyperscan to default to make it work. So, I am at a loss on that front. My WAN is PPPoE, so I made sure that was not included, and I double-checked that all hardware acceleration was disabled.

I see a small point where a little clarification could help those of us that need to follow this wonderful guide step by step. The first part of step 3 says (to me) that if I have a newer Intel CPU, then I should have SSE3, but then the last part indicates that no SSE3 is indicative of a newer Intel CPU. I re-read that part a few times, but was not sure whether a newer Intel CPU should have SSE3 or not.

Thanks again for this great guide and other guidance you have shared.
#14
General Discussion / Re: Question on Firewall Rules
August 11, 2018, 02:02:59 AM
Okay, I really don't understand this.

I took screenshots of the 3 rules I had created, then deleted the 3 rules and alias.

I re-created the alias and re-created the 3 rules and placed them exactly in the same place as I had them in the rules list prior to deleting them.

I disabled Rule 2 and tried to send a test email from the camera while simultaneously watching the live log (filtered for that camera's IP) and saw the firewall block the attempt at port 587, as expected. I then re-enabled Rule 2 and sent another test email and I could watch the firewall log pass that packet in green, as I had hoped for Rule 2. I then saw my Rule 3 block a few attempts at port 53 at my LAN address, so I know that the firewall rules are working now. I'm still not sure why they work now when they didn't before.
#15
General Discussion / Question on Firewall Rules
August 10, 2018, 07:30:42 PM
Hello,

I am trying to set up my security cameras (only one is connected to the network while I figure this out) with 3 goals:

  • The individual camera can email me if there is an alert (I have a separate email that is used only for this purpose)
  • The individual camera cannot be reached by the internet (all remote viewing will be done through OpenVPN)
  • The individual camera cannot reach the internet (so that they cannot be used as part of a botnet in the case that they ever become infected)

First, I created an alias for my security cameras and added the static IP I had set up for the camera (so I can just add IPs here as I add more cameras to the network).

I set up 3 rules in OPNsense:

  • Rule 1 - Action - Block, Interface - WAN, Protocol - any, Destination - security_cameras, destination port range - any (goal is to keep anything from the internet from reaching the camera)
  • Rule 2 - Action - Pass, Interface - LAN, Protocol - TCP, Source - security_cameras, Destination - any, Destination Port Range - from 587 to 587 (port needed for smtp.gmail.com with TLS on camera), (goal is to allow the cameras to contact the smtp server)
  • Rule 3 - Action - Block, Interface - LAN, Protocol - any, Source - security_cameras, Destination - any, Destination Port Range - any (goal is to block the cameras from reaching the internet)

Rule 1 is on the WAN rules page and Rules 2 and 3 are on the LAN rules page. Rule 2 is higher on the list than Rule 3, so I thought that should take precedence.

If I have all 3 rules enabled, using the camera's test email setting, the email fails to send.
If I have Rule 1 and Rule 2 enabled, and Rule 3 enabled, the camera test email will send.

I plan on using the same types of rules to block other items from the internet as much as possible as I add them back to the network, so if I could just get the basics down using this one example, I think I can move forward from there.  I was able to use aliases and WAN rules to get my Xbox ONE from a strict NAT to a moderate NAT using one of the threads on this forum.  With a little bit more research, I was able to get that NAT from moderate to open.

I'm hoping someone with more networking experience can help me out with this and help guide me on this.

Thank you.