Messages - BISI Sysadmin

#16
Quote from: sorano on September 14, 2021, 08:41:11 AM
Or just create two firewall rules, one for each separate alias.

This is essentially what I did.  The vendor eventually gave us a list of 130 possible IP addresses (all apparently owned by Amazon).  I made an accept rule for these IP addresses for the necessary ports and placed those first.

Then I placed the blocked "invert-source" GeoIP rule (block if not from the chosen GeoIP areas). Then the rest of the firewall rules.

So, thanks!
d.
#17
Quote from: franco on January 30, 2022, 10:50:02 AM
We haven't shipped Python 3.7 for quite some time now so your issue lies with a third party repo or manual ports install.

Cheers,
Franco

Quote from: NUeB on January 30, 2022, 05:01:58 PM
After some reading I came to the conclusion, that py37-markupsafe is no longer needed. So I removed it:

# pkg delete py37-markupsafe
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        py37-markupsafe: 1.1.1_1
...


... I did this on my backup machine first to see if any side-effects occur. If not, I will do this on my production box after upgrading that one too.

I assume NUeB did this at the console with a keyboard.

I have approximately 20 remote opnsense boxes that I am seeing this message on, and I'm wondering if anybody (Franco?) has suggestions as to the best way to proceed.  They are all at different clients.  SSH has not been enabled.  I can enable SSH on each, but I'm wondering if there is a better way that I am unaware of.

Thanks in Advance!
d.
#18
I have a (well one of many) opnsense community edition with a particular new need.
version info:
OPNsense 21.7.2_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

We have port 443 forwarded and access controlled using GeoIP.  It greatly reduced the log noise, and the slow-moving brute force attacks that every so often triggered the mail server's auto-lockout defences.  We do need to allow this access to a wide range of local IP addresses ( various ISPs, plus people do travel, and want to check their work mail while away).  This has been an acceptable compromise 'til now.

The client has now signed up for a CRM service that requires 3 addresses from the Amazon cloud to also have access to port 443.  The vendor has not been particularly impressive in their grasp of technical detail, and proposing access via a custom port (limited only to them) was met with consternation and clear lack of knowledge if it was even possible.

Is there a way to set up an alias that allows both the GeoIP and the CRM addresses?

I have been unable to figure this out from the documentation, and from just playing with my Dev firewall.

Some other method would be acceptable.  The mail server is zimbra OSE, and implementing 2FA is in the works, but until then I'm hoping for an extra layer from the firewall.

Thanks in advance!
d.
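The rule ordering described in posts #16 and #18 (vendor pass rule first, then the inverted GeoIP block, then the ordinary rules) as an added example, not OPNsense code or the poster's own: a minimal first-match evaluator that mimics how "quick" rules on WAN are walked top to bottom. The alias contents are constructed documentation ranges, not the vendor's real addresses or MaxMind data.

```python
from ipaddress import ip_address, ip_network

# Constructed alias contents (RFC 5737 documentation ranges, not real data).
ALIASES = {
    "crm_vendor": [ip_network("203.0.113.10/32"),
                   ip_network("203.0.113.11/32"),
                   ip_network("203.0.113.12/32")],   # the vendor's cloud addresses
    "GeoAllowed": [ip_network("198.51.100.0/24"),
                   ip_network("192.0.2.0/24")],      # prefixes of the accepted countries
}

def source_matches(src, alias, invert):
    """Apply the rule's Source field: 'any' or an alias, optionally inverted."""
    hit = alias == "any" or any(src in net for net in ALIASES[alias])
    return not hit if invert else hit

def evaluate(rules, src, dport):
    """First-match walk, as for 'quick' rules on WAN.  A rule is
    (action, source_alias, invert_source, dest_port or None for any)."""
    src = ip_address(src)
    for action, alias, invert, port in rules:
        if port is not None and port != dport:
            continue
        if source_matches(src, alias, invert):
            return action
    return "block"  # nothing matched: WAN default deny

# Ordering from post #16: vendor pass, then "block if NOT from allowed regions",
# then the ordinary rules (here: the existing port-443 forward for everyone).
ORDERED = [
    ("pass",  "crm_vendor", False, 443),
    ("block", "GeoAllowed", True,  None),
    ("pass",  "any",        False, 443),
]
# Same rules with the GeoIP block placed first: the vendor never reaches its pass rule.
MISORDERED = [ORDERED[1], ORDERED[0], ORDERED[2]]

def check_policy(rules):
    """Decisions worth verifying before the ruleset is applied on a production box."""
    return {
        "vendor_443":     evaluate(rules, "203.0.113.10", 443),
        "vendor_other":   evaluate(rules, "203.0.113.10", 25),
        "in_region_443":  evaluate(rules, "198.51.100.7", 443),
        "out_region_443": evaluate(rules, "203.0.113.99", 443),
    }

if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name, check_policy(rules))
```

Only the vendor address on port 443 changes between the two orderings; everything else is decided by the inverted GeoIP rule or the default deny either way.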
#19
D'oh!

Restarting FF (which has the effect of clearing the cache/cookies on my config) fixed the issue.  I think I was blinded by the fact that all the other updates worked just fine.

BTW (maybe for future use), when you say "errors in the dev console", can you be more explicit?  Would this be the physical console for the unit? or just using ssh to get to the unit and becoming root?

Thanks for the tip!
d
#20
It was working pre-upgrade (21.1.5).  Essentially the widget on the lobby dashboard is now just a white box.  I have rebooted, removed and re-instantiated the widget (with reboots at each stage).

The Reporting -> Traffic page is in a similar state - two tabs (Graph, Top Talkers), and "Nothing Selected" with the pull down for the selection showing nothing.

I have attached a screenshot of the main reporting page

I have several other routers on the same hardware that all upgraded successfully

Where to go from here?

Thanks in advance!
d.
#21
So, I am now able to create the alias -- I think there is some table somewhere holding on to the names I was using.  I have therefore started using a naming convention that increments the Alias name to ensure it is unique.

I re-read the earlier post I referenced in my question and tried again the idea of using source/invert.  Of course that immediately stopped my access to the WAN port of the firewall. (It works!)  Fortunately the IPSec tunnel was unaffected. Unfortunately, the dropped packets were still not being logged (not showing up in Firewall -> Log Files -> Live View, nor in Plain View).

The next step was to create an alias containing only the regions I want to allow, creating the blocking firewall rule, incoming on WAN, and ensure the Source/Invert flag is set, remove the problematic rule, and test.

I am now seeing the usual storm of packets being blocked by the Geo-blocking rule, and unsetting / setting the "Log packets that are handled by this rule" has the desired effect of not showing (or showing) the activity in the firewall log.

So, not problem solved, but a "duct-tape" workaround.   If there is any way to elevate this to the development people, please let me know. 

I know the rule was NOT being evaluated until I set the source/invert flag, because the logs on the mail server showed that IP addresses that should have been blocked were getting through. Even after my inadvertent successful test to block packets from myself, logging did not work until I created a new rule with the source/invert flag set.
#22
Thanks for the idea, but upping this, and for good measure the Maximum Table Entries, had no effect.
#23
I have attached a screen shot of the captioned error message, generated when I attempt to create an alias as part of setting up GeoIP blocking.

By way of background, GeoIP was working on this firewall, and then we started getting lockouts on our mail server.  Investigation revealed the geographic blocking was no longer working.   See this discussion for some of the things I have tried.
https://forum.opnsense.org/index.php?topic=18411.0

I have several times removed all parts of the configuration for the geoIP function (including removing contents of directories in the filesystem) and attempted to re-create it, using various forms of the name for the Alias.  I have numerous other opnsense firewalls with working geo-blocking configurations, and the same configuration on this particular box does not work.

The firewall is updated to OPNsense 20.7.4-amd64 (it stopped working before this update).  I have working instances of GeoBlocking on the same code level, on both identical and completely different hardware.

Where to go with troubleshooting?  I'd like to make this fixable, rather than just configure another box and drop it in, but we have email accounts exposed to slow-moving brute force password attacks, which generate lockout for some of our users, so it's not something we can live with for very long.

Thanks in advance for any help!
d.

PS - here's my recipe for creating a geo-blocking rule.  It's in wikimedia format, so readability might be an issue (monospace font helps).

===GeoIP===
new procedure for OPNSense v20.1x
[[https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html must sign up at Maxmind]]
:TL;DR
:have set up an account that all clients can use. Details, if you need to do it again to provide completely separate credentials for a client, are below.
: paste this URL in the entry box for ''Firewall:Aliases:GeoIP Settings''
::https://download.maxmind.com/etc/etc/etc/

:Credentials
   userID:
password:
     name:       

'''License Key'''
Your new license key ''YadaYadaYada'' has been created.
This license key is stored in hashed format for security purposes.

It may take up to five minutes for this new key to be activated.

This will be the only time this key is displayed to you in full.
Please copy the key to a safe location for your future reference.

Account/User ID:
     License key:
====set up alias====
Firewall -> aliases
   + button at bottom of alias list
     Enabled <X>
     Name    [GeoBlocking1]
     Type    [GeoIP] [ IPv4 | IPv6 | IPv4+IPv6 ] 
     Content [pick your countries to accept/block] <-- start at bottom of list and work upwards
     statistics <X>  (or not - you decide)
     Description [block incoming connections by geographic region]

====set up WAN Rule====
Firewall -> Rules -> WAN
<pre>
Action                        [Block]
Disabled                      < > Disable this rule
Quick                         <X> Apply the action immediately on match.
Interface                     [WAN]
Direction                     [in]
TCP/IP Version                [IPv4]
Protocol                      [any]
Source / Invert               < >
Source                        [Geographic_blocks] (from aliases)
Source                        [Advanced]  (not used)
Destination / Invert          < >
Destination                   [WAN address]
Destination port range from:  [any]    to:  [any]
Log                           <X> Log packets that are handled by this rule
Category                      [GeoBlock1 ]
Description                   [REMEMBER TO TURN OFF LOGGING]
Advanced features
Source OS                     [Any]
No XMLRPC Sync                < >
Schedule                      [none]
Gateway                       [default]
Advanced Options              [Show/Hide]  (not used)
</pre>
'''Position rule at top of ruleset'''
#24
19.1 Legacy Series / Re: expired SSL Certs for web UI
December 11, 2019, 06:30:06 AM
And many thanks to cguilford!

For future me, the only additional detail is to set the Type in the Internal Certificate section to be Certificate Authority, to more closely match the original.

Cheers!
#25
Sorry - I just realized I posted this to the 19.1 thread in error.  S/B the 19.7 thread, and I don't see a way to unpost or move it to the correct place...
------------------------------

A curious thing just happened at a client site that I don't think I've seen elsewhere.

The ISP dropped in and replaced their modem, and of course something didn't work afterward, so they cycled power on the OPNSense router to troubleshoot, by pulling the power cord (didn't fix the problem). 

Once they called me and we got the real problem solved (Windows Server DNS needed a restart), I wanted to review the health data, especially the Quality metric for the upstream gateway.

I was dismayed to see that these are all the data I have  (screen shots below -- you can see when the router was brought back up).
This router has been running for months, and has been through at least two update cycles, with at least one reboot.  There are 5 other routers as part of the system, all deployed pretty close to the same time and configured the same.  They all have the normal complement of data (example at bottom).

So, is this by design?  Or have I missed something in my configuring?  Where to start troubleshooting?

Thanks in advance!
PS I don't seem to be able to get the .png screenshots to show up in the body.  They are attached, and all fit under the various max size limits.
#26
19.1 Legacy Series / Re: expired SSL Certs for web UI
December 09, 2019, 08:45:21 PM
Quote from: cguilford on May 28, 2019, 09:57:18 PM
I just created new Certs and reconfigured the server to point to new certs.

Would you mind posting a brief recipe, or pointer to documentation about how you did this?  It would very much increase the chances I'd get to fixing the issue sooner.

thanks in advance!
#27
General Discussion / Re: External access to opnsense GUI
November 30, 2019, 08:25:03 AM
Quote from: prez on November 04, 2016, 03:24:13 AM
Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

here's what I have in my wiki, from my setup recipe, about how to do this.

Remote admin

Listen on port 10443

   set listening port to 10443 (from default 443), 'cause most clients use 443 for something internal
    System --> Settings --> Administration
<Skip all the other settings>
TCP Port: 10443
Disable Port 80 redirect: < X >
Scroll down and click "Save" (button)


Create Additional Admin user

    System --> Access --> Users
    click on "+" button to "add user"

Disabled < >
username: Admin
password: Whatever it is
          type it again
Full Name: Second Admin User
E-mail:
Comment:
Preferred landing Page: index.php
Language: Default
Login Shell: /sbin/nologin
Expiration Date:
Group Membership:
   Not a member of     Member Of
    < >                admins
Certificate:
OTP Seed:
Authorized Keys:
IPsec Pre-Shared Key:

Save and go back (button)


Create Firewall Alias

    Add external hosts for remote admin
    Firewall --> Aliases --> "+" (button)
Name: remote_admin  (note limits on naming – no spaces)
Descriptions: Auth remote admin locations
Type: Hosts or Ports
Aliases: 111.222.222.111
        111.222.222.112
        name.bogus.tld

Apply (button)


Create WAN Firewall Rule

    Firewall -> Rules -> WAN
    Create Rule ('+' button labelled 'add new rule')
Create rule
Action: pass
Disabled: < > Disable this rule
Interface: WAN
TCP/IP Version: IPv4
Protocol: any
Source / Invert: < >
Source: remote_admin  (put your alias here)
Source: [Advanced]
Destination / Invert: < >
Destination:  This Firewall
Destination port range:
:from: to:
:any any
Log: < > Log packets that are handled by this rule
Category:
Description: RRTI BISI remote admin
Advanced features
Source OS: any
No XMLRPC Sync: < >
Schedule: none
Gateway: default
Advanced Options: [show/Hide]

Save button
Apply Button

#28
Quote from: fabian on May 28, 2019, 06:46:18 PM
... The alternative is updating the config.xml and restart the web interface with a new certificate / key.

I think this is the path I would prefer to follow.  It will reduce complexity of troubleshooting, assuming I can make it happen.  Do you know of any pointers to documentation about creating a new certificate/CSR for this?  I'm guessing there's only one config.xml file, or that it will at least be easily distinguishable from other config.xml files... ;)

Keep in mind this is the internal Web GUI certificate:

OPNsense.crt

Identity
Verified by
Expires: 2019-05-25

Subject Name
C (Country): NL
ST (State): Zuid-Holland
L (Locality): Middelharnis
O (Organization): OPNsense
Issuer Name
C (Country): NL
ST (State): Zuid-Holland
L (Locality): Middelharnis
O (Organization): OPNsense
Issued Certificate
Version: 3
Serial Number: 00 89 48 6C 66 7A 51 A7 61
Not Valid Before: 2018-05-25
Not Valid After: 2019-05-25
Certificate Fingerprints
SHA1: B6 57 25 D0 BA BF 56 D0 FE 7E AB 51 51 68 D3 3E DF 4A EF A8
MD5: 1E DD 06 62 A7 B5 9D 11 20 EF 2D 8B 60 38 3A 50
Public Key Info
Key Algorithm: RSA
Key Parameters: 05 00
Key Size: 4096
Key SHA1 Fingerprint: 62 11 F6 00 F3 A9 78 8C 5C AF D3 52 B6 1F BA 75 15 B4 96 1F
Public Key: <elided for readability>
Subject Key Identifier
Key Identifier: DF 29 3A 82 22 3E A9 43 3B F2 EB C8 89 45 DC C3 CE 5E 2F 49
Critical: No
Extension
Identifier: 2.5.29.35
Value: 30 16 80 14 DF 29 3A 82 22 3E A9 43 3B F2 EB C8 89 45 DC C3 CE 5E 2F 49
Critical: No
Basic Constraints
Certificate Authority: Yes
Max Path Length: Unlimited
Critical: No
Signature
Signature Algorithm: 1.2.840.113549.1.1.11
Signature Parameters: 05 00
Signature: <elided>
#29
I have several OPNsense firewalls deployed.  I have recently noticed (as a result of troubleshooting Firefox's inability to connect to the GUI -- stalling at the TLS handshake stage) that they all have expired certificates.  This is one I just updated to 19.1.8 last night.  The expiry date of the cert is 2 days previously.  Is there an explanation for this?  A way to rectify it?

This does not really matter for any practical purpose in my situation (it's only a small factor in the Firefox issue), except that the browser developers are constantly removing the ability for a user to exercise their judgment in situations like this, and at some point I fully expect to be barred from accessing these hosts, based on an expired (or self-signed) certificate.

I've attached a screen shot as a .png