Messages - utahbmxer

#31
Are you trying to make an internal server/device accessible to the internet?  If so, your rule is misconfigured.

Interface: WAN interface
Protocol: UDP
Source: Any (unless you want to restrict what internet hosts can talk to your internal host)
Source Port Range: Any
Destination: WAN Address
Destination Port Range: <Use an alias containing the ports needed or clone the rules and make sure one exists for each port you need to pass>
Redirect Target IP: Single Host or Network (your internal server)
Redirect Target Port: Same as Destination port above
Pool Options: Default

Also, it looks like you are port forwarding for IPsec.  If that is the case you should also create a rule which is the same as above, but change the protocol from UDP to ESP.  This will disable all the port fields for the NAT rule since ESP is a protocol and does not operate on a "port" like TCP/UDP.
#32
Kind of a weird configuration.  Having never done this and since you aren't using OPNsense for an actual firewall, you might want to disable the packet filter completely (Firewall: Settings: Advanced) which will turn the OPNsense device into a router only.  With this configured I imagine you could then have a single NIC in your OPNsense device assigned to the LAN.  Turn off DHCP and other services that are being serviced by the Linksys router.  Forward the OpenVPN port (1194 UDP default) to the OPNsense appliance and profit!

I guess you could leave the firewall enabled which could provide additional security/control over the VPN clients if that is needed.
#33
20.1 Legacy Series / NGINX Reverse Proxy Ciphers
May 08, 2020, 06:33:33 PM
How can we change the ssl-ciphers that get generated in the nginx.conf file?  I've poked around and don't see any obvious place.  Are these hard coded, or do they use the system ones from System: Settings: Administration?

TIA
#34
Right, I knew that.  It looks like it was having issues with the latest version of ES.  I installed 5.6 and it's working now.  Also took the rules out of the conf file from the firewall and it appears to see everything now.

Still would be nice to see NAXSI events (error log) in the syslog servers.  Where do I add feature requests or does the github repo allow pull requests if we add some features to the plug-ins, etc.?
#35
What device is between the firewall and the devices on your network (proxy, nas, etc)?  I'm guessing you have a switch, and that switch is connected to opnsense via a "trunk" allowing both VLANs?  If that switch has virtual interfaces (if the switch has an IP in each VLAN), it's likely doing intra-vlan routing and the traffic isn't even touching the firewall.

That's my first thought anyways.
#36
Just also discovered that the error logs don't go to SYSLOG Targets like the access logs do.  I am not seeing an option in the GUI.  Seems syslog servers could be useful for errors?
#37
20.1 Legacy Series / NAXSI Whitelist Generation
May 06, 2020, 02:02:56 AM
Hi
Been playing with OPNsense for several months and just replaced my home firewall (SophosXG) with OPNsense.  I used the NGINX (with NAXSI default rules) plugin to configure all my sites. I set up the first server with the hostname "_" so that it gets any traffic that does not match my valid site names; this "HTTP server" also has a Deny ACL of 0.0.0.0/0.  If you hit my WAF with the IP or any other SNI hostnames that don't match, you get a 403 response, which is what the WAF on my XG did, and while it's security through obscurity it seems to work great.

I tried to use NXAPI on another workstation but it seems like it's designed to run on the actual web servers, as it seems to be trying to pull rules from an already configured list.  I don't want to dig through the error log manually and try to create whitelists, but I guess if that's all that will work here, then so be it.

What are some suggestions, what are others doing here for whitelist creation?

Thanks!
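One way to approach the whitelist question in the post above, as an added example (not code from the poster, from NAXSI or from the OPNsense nginx plugin): read the NAXSI_FMT lines that NAXSI writes to nginx's error log, aggregate the (rule id, zone, variable) tuples per server and URI, and only propose a whitelist, scoped to that URI, for tuples seen from several distinct client IPs; the rest is held back for manual review. The log lines, hostnames, client IPs, URIs and rule ids below are constructed for the example; the whitelist output uses NAXSI's documented `BasicRule wl:… "mz:…";` syntax.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample error.log lines in NAXSI's NAXSI_FMT format. Hostnames,
# client IPs, URIs and rule ids are invented for this example.
SAMPLE_ERROR_LOG = """\
2020/05/06 01:10:02 [error] 4242#0: *11 NAXSI_FMT: ip=203.0.113.7&server=cloud.example.net&uri=/index.php/apps/files&learning=0&vers=1.1&total_processed=40&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=dir, client: 203.0.113.7, server: cloud.example.net, request: "GET /index.php/apps/files?dir=/a,b HTTP/1.1", host: "cloud.example.net"
2020/05/06 01:11:45 [error] 4242#0: *12 NAXSI_FMT: ip=198.51.100.20&server=cloud.example.net&uri=/index.php/apps/files&learning=0&vers=1.1&total_processed=41&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=dir, client: 198.51.100.20, server: cloud.example.net, request: "GET /index.php/apps/files?dir=/c,d HTTP/1.1", host: "cloud.example.net"
2020/05/06 01:12:09 [error] 4242#0: *13 NAXSI_FMT: ip=192.0.2.44&server=cloud.example.net&uri=/index.php/apps/files&learning=0&vers=1.1&total_processed=42&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=dir, client: 192.0.2.44, server: cloud.example.net, request: "GET /index.php/apps/files?dir=/e,f HTTP/1.1", host: "cloud.example.net"
2020/05/06 01:15:30 [error] 4242#0: *14 NAXSI_FMT: ip=203.0.113.7&server=cloud.example.net&uri=/index.php/apps/text/note&learning=0&vers=1.1&total_processed=43&total_blocked=4&block=1&cscore0=$XSS&score0=16&zone0=BODY&id0=1302&var_name0=content&zone1=BODY&id1=1303&var_name1=content, client: 203.0.113.7, server: cloud.example.net, request: "PUT /index.php/apps/text/note HTTP/1.1", host: "cloud.example.net"
"""

# The NAXSI_FMT payload is a query string that runs up to the next comma.
NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<qs>\S+?)(?:,|$)")


def parse_events(log_text):
    """Yield one event per matched (zone, id, var_name) tuple; a single log line
    can carry several, indexed zone0/id0/var_name0, zone1/id1/var_name1, ..."""
    events = []
    for line in log_text.splitlines():
        m = NAXSI_FMT_RE.search(line)
        if not m:
            continue
        fields = parse_qs(m["qs"], keep_blank_values=True)
        one = lambda key: fields.get(key, [""])[0]
        i = 0
        while f"id{i}" in fields:
            events.append({"ip": one("ip"), "server": one("server"), "uri": one("uri"),
                           "zone": one(f"zone{i}"), "id": int(one(f"id{i}")),
                           "var_name": one(f"var_name{i}")})
            i += 1
    return events


def aggregate(events):
    """Group events by (server, uri, zone, id, var_name) with hit count and distinct clients."""
    hits, clients = Counter(), defaultdict(set)
    for e in events:
        key = (e["server"], e["uri"], e["zone"], e["id"], e["var_name"])
        hits[key] += 1
        clients[key].add(e["ip"])
    return {k: {"hits": hits[k], "clients": sorted(clients[k])} for k in hits}


def whitelist_rule(rule_id, zone, var_name, uri):
    """Render NAXSI whitelist syntax for one matched zone, always scoped to the URI.
    A zone of the form "ARGS|NAME" means the rule matched on the parameter name."""
    base_zone, _, name_flag = zone.partition("|")
    suffix = f"|{name_flag}" if name_flag else ""
    if base_zone == "URL":
        mz = f"$URL:{uri}|URL"
    elif var_name:
        mz = f"$URL:{uri}|${base_zone}_VAR:{var_name}{suffix}"
    else:
        mz = f"$URL:{uri}|{base_zone}{suffix}"
    return f'BasicRule wl:{rule_id} "mz:{mz}";'


def propose_whitelists(log_text, min_clients=2):
    """Return (rules, review): whitelist lines for tuples seen from at least
    `min_clients` distinct IPs (likely false positives on a legitimate app), and
    the remaining tuples, which a single client tripping a rule once does not justify."""
    rules, review = [], []
    for (server, uri, zone, rule_id, var_name), stats in sorted(aggregate(parse_events(log_text)).items()):
        if len(stats["clients"]) >= min_clients:
            rules.append(whitelist_rule(rule_id, zone, var_name, uri))
        else:
            review.append({"server": server, "uri": uri, "zone": zone, "id": rule_id,
                           "var_name": var_name, **stats})
    return rules, review


if __name__ == "__main__":
    rules, review = propose_whitelists(SAMPLE_ERROR_LOG)
    print("\n".join(rules))
    for r in review:
        print(f"# review: id {r['id']} in {r['zone']}:{r['var_name']} on {r['uri']} "
              f"({r['hits']} hit(s) from {len(r['clients'])} client(s))")
```

Scoping every whitelist to `$URL:<uri>` keeps a false positive on one endpoint from disabling the rule site-wide; the `min_clients` threshold is a heuristic, so the proposed rules still deserve a read before they go into the plugin's custom rules.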
#38
19.1 Legacy Series / Re: Possible Routing Bug?
May 11, 2019, 09:59:38 PM
What odd behavior, as I can't specify an upstream when WAN is configured to DHCP.  Even though there is a direct/connected route for devices in that subnet, it still chooses the default gateway (upstream)?  The next "hop" (not really a hop) should be the device in the same subnet according to the route table.   Sounds like that needs to go back to the drawing board, never seen a firewall do that.  My ASA, SRX, SSG, pfSense, Sophos (UTM & XG) have never behaved that way.
#39
19.1 Legacy Series / Re: Possible Routing Bug?
May 11, 2019, 05:36:32 AM
Nope, doesn't work.  I have been trying to test some stuff on a Sophos XG which is deployed to the same environment, same WAN subnet, etc.  It works just fine.  I deployed a pfsense appliance, it responds correctly.  I reinstalled opnsense, stepped through the wizard, added ICMP to the WAN rules, same behavior.  Response traffic is headed to the MAC of my home firewall.  Must be a bug.

Oh well, I have an urgent thing I am working on with Sophos, will have to come back to OPNsense later.
#40
19.1 Legacy Series / Re: Possible Routing Bug?
May 10, 2019, 10:56:19 PM
I have tried that setting when set to Static address.  "Out of the Box" it was using DHCP for WAN and automatically created the gateway, when DHCP is used that option isn't there.

The funny thing is I have set up this scenario many times using pfsense and even opnsense one other time, never seen this before.  Super strange.
#41
19.1 Legacy Series / Possible Routing Bug?
May 10, 2019, 06:32:02 AM
I have 19.1 deployed in Hyper-V for testing; its WAN interface is on VLAN10 (access) within Hyper-V, no tagging done in OPNSense (have tried no VLAN as well).  I am observing some strange behavior while trying to build an IPsec tunnel to another network appliance in the same WAN subnet.  After scratching my head for 2 days wondering why that other network appliance was not getting any response from the OPNsense appliance, I found the issue but have been unable to figure out the why.

For traffic from any host in the same /24 WAN network going to the OPNsense WAN address, the response/return goes to the default gateway of the WAN interface (my actual home firewall).  The IP in the TCP/IP header is correct, but the MAC address is that of my home firewall.  ARP table looks correct, no static routes, no custom NAT, I am stumped.

root@OPNsense:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.10.1       UGS         hn1
127.0.0.1          link#2             UH          lo0
172.16.16.0/24     link#5             U           hn0
172.16.16.1        link#5             UHS         lo0
192.168.10.0/24    link#6             U           hn1
192.168.10.9       link#6             UHS         lo0


root@OPNsense:~ # arp -a -n
? (192.168.10.1) at a0:36:9f:28:75:24 on hn1 expires in 1132 seconds [ethernet]
? (192.168.10.9) at 00:15:5d:01:02:32 on hn1 permanent [ethernet]
? (192.168.10.13) at 00:15:5d:01:02:38 on hn1 expires in 1087 seconds [ethernet]
? (172.16.16.100) at 00:15:5d:01:02:33 on hn0 expires in 1041 seconds [ethernet]
? (172.16.16.1) at 00:15:5d:01:02:31 on hn0 permanent [ethernet]


Here is where it gets interesting.  A ping from the OPNsense appliance uses the correct MAC, but immediately after I ping from the other side and the last packet has the wrong MAC (that of the default gateway).

18:54:53.342957 00:15:5d:01:02:32 > 00:15:5d:01:02:38, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 27241, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.9 > 192.168.10.13: ICMP echo request, id 16234, seq 15, length 40
18:54:53.343594 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 55050, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.13 > 192.168.10.9: ICMP echo reply, id 16234, seq 15, length 40

18:55:03.320031 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 15972, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.13 > 192.168.10.9: ICMP echo request, id 1, seq 260, length 40
18:55:03.320259 00:15:5d:01:02:32 > a0:36:9f:28:75:24, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 5355, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.9 > 192.168.10.13: ICMP echo reply, id 1, seq 260, length 40
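The symptom in the post above can be checked mechanically rather than by eye. The following is an added example, not code from the poster or from OPNsense: it takes the `arp -a -n` output and the `tcpdump -e` frames exactly as pasted above, and flags any frame whose IP destination lies on a directly connected network (the `U` route for 192.168.10.0/24 on hn1 in the `netstat -rn` output, taken as the on-link network here) but whose Ethernet destination is not the MAC the ARP cache holds for that IP. A host never needs a next hop for an on-link destination, so such a frame is direct evidence of a forwarding or neighbour-resolution fault.

```python
import ipaddress
import re

# On-link network taken from the 'U' route on hn1 in the poster's netstat -rn.
ON_LINK_WAN = ipaddress.ip_network("192.168.10.0/24")

# ARP cache and capture as pasted in the post above (sample input, not constructed).
ARP_OUTPUT = """\
? (192.168.10.1) at a0:36:9f:28:75:24 on hn1 expires in 1132 seconds [ethernet]
? (192.168.10.9) at 00:15:5d:01:02:32 on hn1 permanent [ethernet]
? (192.168.10.13) at 00:15:5d:01:02:38 on hn1 expires in 1087 seconds [ethernet]
? (172.16.16.100) at 00:15:5d:01:02:33 on hn0 expires in 1041 seconds [ethernet]
? (172.16.16.1) at 00:15:5d:01:02:31 on hn0 permanent [ethernet]
"""

TCPDUMP_OUTPUT = """\
18:54:53.342957 00:15:5d:01:02:32 > 00:15:5d:01:02:38, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 27241, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.9 > 192.168.10.13: ICMP echo request, id 16234, seq 15, length 40
18:54:53.343594 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 55050, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.13 > 192.168.10.9: ICMP echo reply, id 16234, seq 15, length 40
18:55:03.320031 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 15972, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.13 > 192.168.10.9: ICMP echo request, id 1, seq 260, length 40
18:55:03.320259 00:15:5d:01:02:32 > a0:36:9f:28:75:24, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 5355, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.9 > 192.168.10.13: ICMP echo reply, id 1, seq 260, length 40
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)")
FRAME_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src_mac>[0-9a-f:]{17}) > "
                      r"(?P<dst_mac>[0-9a-f:]{17}), ethertype IPv4")
IP_RE = re.compile(r"^\s+(?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): (?P<summary>.*)$")


def parse_arp(text):
    """Map IP -> MAC from `arp -a -n` output."""
    return {m["ip"]: m["mac"] for m in ARP_RE.finditer(text)}


def parse_frames(text):
    """Pair each tcpdump -e link-layer header line with the IP line that follows it."""
    frames = []
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        frame, ip = FRAME_RE.match(lines[i]), IP_RE.match(lines[i + 1])
        if frame and ip:
            frames.append({**frame.groupdict(), **ip.groupdict()})
    return frames


def find_misdirected_frames(frames, arp, on_link):
    """Return frames whose IP destination is on-link but whose Ethernet destination
    differs from the ARP cache entry for that IP. Frames to off-link destinations
    legitimately carry the gateway MAC and are skipped."""
    bad = []
    for fr in frames:
        if ipaddress.ip_address(fr["dst_ip"]) not in on_link:
            continue
        expected = arp.get(fr["dst_ip"])
        if expected is not None and fr["dst_mac"] != expected:
            bad.append({"ts": fr["ts"], "dst_ip": fr["dst_ip"], "expected_mac": expected,
                        "actual_mac": fr["dst_mac"], "summary": fr["summary"]})
    return bad


def analyse():
    """Run the check over the pasted capture and ARP cache."""
    return find_misdirected_frames(parse_frames(TCPDUMP_OUTPUT), parse_arp(ARP_OUTPUT), ON_LINK_WAN)


if __name__ == "__main__":
    for hit in analyse():
        print(f"{hit['ts']} {hit['summary']}: sent to {hit['dst_ip']} via {hit['actual_mac']}, "
              f"ARP cache says {hit['expected_mac']}")
```

Run against the poster's data, the check singles out only the 18:55:03.320259 echo reply: destination 192.168.10.13 is on-link and resolves to 00:15:5d:01:02:38 in the ARP cache, yet the frame is addressed to a0:36:9f:28:75:24, the default gateway. The earlier frames in both directions pass, which matches the poster's observation that only the reply path is affected.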
#42
Development and Code Review / Re: nginx plugin
October 12, 2018, 08:25:51 PM
That makes sense.  I guess it worked for me because I changed the management port from 443 to an alternate.
#43
Development and Code Review / Re: nginx plugin
October 12, 2018, 01:56:34 AM
I realized this is probably the wrong thread for this stuff, but I sort of figured out a work-around.  It seems NGINX treats the servers in the order they appear in the config, and configd seems to generate the file in the order that they were added in the GUI.  I just created the first server as a basic HTTP Server with no Locations configured.  The other server comes after, which has a location and upstreams configured.  Will continue to test with some additional servers added in.
#44
Development and Code Review / Re: nginx plugin
October 11, 2018, 11:39:49 PM
Hi

Moderate to less than moderate nix skill, but I'm looking to migrate off Sophos UTM and WAF functionality is my biggest hurdle.  I have been playing around, getting familiar with your plugin (great work) and can't figure out one thing (aside from the WAF security rules bug).

How do we specify a default_server in the listen directive?  I want to display a not found or some generic page if someone hits my WAF by IP, etc. instead of one of the configured virtual host names.  I understand security through obscurity is not much security, but if I cannot have it show my Nextcloud page when someone hits the WAF IP (without hostname in the SNI header), that would be great.

Can I specify a .conf file which gets included outside of generated nginx.conf?  (like a conf.d directory)

Thanks again for your work.