Messages - StP

#46
Franco,

I need to open this one again.

The custom access rule that I implemented does show the correct UI.
But it does not let me generate vouchers!
The resulting CSV file is empty.
Actually it looks like this:

username,password,vouchergroup,validity
"undefined","undefined","undefined","undefined"

And in the UI no entry is shown for the voucher I tried to create.
Seems there are access rights missing...

Stefan

#47
Franco,

our systems are OPNsense A10 Quad Core SSD rack appliances by Deciso.
SKU: OPN20077R-EUPC3-S2YN

Stefan
#48
OK, found it  :)

Patch works as expected.

Great support, thank you.

Stefan
#49
I had similar problems on one of our two firewalls when upgrading from 16.1.20 to 16.7.0.
FreeBSD stayed at version 10.2.

I found this thread and tried to open a console.
But no matter how I tried to login all I got was "Access denied".

In addition I started to receive notification mails with the following content:
There were error(s) loading the rules: pfctl: DIOCADDRULE: Operation not supported by device - The line in question reads :

Via the WEB Interface I did a reboot of the device.
At least that's what I thought I did. And it did not solve the problems.
Then suddenly I saw on the dashboard that the system was up for 107 days!!!
So there was no reboot at all. Not now and not after several of the earlier 16.1.x updates.

Now I tried to execute a "Power Off" via the WEB GUI.
Like the reboot it did not work.

As a last resort I performed a hard power off by pulling the plug.

Now after the restart I see FreeBSD 10.3 running.
I can log into the console again.
No more error messages, too.

So the root problem seemed to be the failing reboot.
No idea what could have caused it.

My two cents
  Stefan


#50
Thanks Franco!

Adding a custom access rule worked fine.

Newbie question: How do I use opnsense-patch?

Have a nice weekend
  Stefan
#51
Hi,

as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".

Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?

2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not by intention, is it?

Regards
  Stefan
#52
16.1 Legacy Series / Re: Unable to check for Updates
March 07, 2016, 02:34:08 PM
I have submitted the related report via the web interface.

Stefan
#53
16.1 Legacy Series / Re: Unable to check for Updates
March 07, 2016, 02:27:39 PM
Hey Franco,

that did it. Thanks!

Regards
  Stefan
#54
Hi!

I have two similar Deciso firewall boxes (OPNsense A10 Quad Core SSD rack OPN20077R) with this installed:

  OPNsense 16.1.5-amd64
  FreeBSD 10.2-RELEASE-p12
  OpenSSL 1.0.2g 1 Mar 2016

When I "Click to check for Updates" on the dashboard I get this on one of the boxes:

  Warning:
  stream_socket_client(): unable to connect to unix:///var/run/configd.socket (Connection refused) in
  /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php on line 93 Connection Error
  Click to retry

Don't know what to do. Retry doesn't help.
The other box is working fine and shows one available update.

Any help welcome...

Best regards
  Stefan
#55
15.7 Legacy Series / Status graph UI issue
November 13, 2015, 01:23:39 PM
Hi,
see attached picture.

As you can see the graph itself shows high incoming traffic and very low outgoing traffic.
In reality it is the other way around.
The list on the right has it right.
One upload from 172.16.1.23 is generating the outgoing traffic.
Incoming traffic is negligible.

Looks a bit mixed up.

Stefan
#56
Franco,

thanks for sharing.

I will talk to Secunia, perhaps there is a short list of hosts that I need to allow connections to.

StP
#57
Hi,

I have several machines that are not allowed to access the WAN. I have created a firewall rule for that.
Problem: All machines run Secunia's CSI agent (www.secunia.com).
The firewall requirement for this agent is: "Allow https to *.secunia.com"
How do I create such a rule? It seems wildcards are not supported.

Regards
  StP
#58
Ok, the culprit was Flashblock 1.5.18, a Firefox add-on that stops flash content from auto-playing.
As soon as this one is deactivated the traffic graph is visible.

Loading https://yourip/graph.php shows an empty graph even if the add-on is active.

I have now replaced Flashblock with NoScript and this seems to work fine.

No idea why a flashblocking software stops the graph display???

Thanks for your support
  StP
#59
Quote from: franco on May 06, 2015, 02:36:36 PM
Maybe an AdBlocker or another plugin preventing the graph from showing up.

I have AdBlock Plus installed, but deactivating it does not solve the problem.

Quote from: franco on May 06, 2015, 02:36:36 PM
I don't know how else to debug this if the graph does work in general...

Anything I can do to help?

StP
#60
15.1 Legacy Series / Blocking by MAC
May 06, 2015, 11:45:49 AM
Hi,

our old CISCO security appliances allowed LAN devices to be blocked by MAC address.
It seems this is not possible with OPNsense. Correct?

StP