Messages - gdur

76
General Discussion / Re: [Feedback] - System Rules Logging
« on: May 27, 2021, 04:44:30 pm »
@Valvaris,

I'm not that new to OPNsense but have spent a lot of time trying to find a way to disable logging for the "Block all IPv6" rule (in my case #18). I've been scrolling through /conf/config.xml but I can't find the specific rule there. So the conclusion could be that these pre-defined rules are stored somewhere else. All the rules defined by myself are stored in config.xml but the pre-defined rules seem not to be. Hopefully we will get a response from someone who knows how to deal with this issue.

77
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 16, 2021, 11:25:43 am »
@ Fright,
I totally agree but I'm afraid I need to spend more time to figure out what the appropriate DNS settings should be in the General settings. My first guess is that I should define an external DNS server (let's say 8.8.8.8) at the first position and then as a secondary my local DNS server (which is now the only one defined). Or maybe just select "Allow DNS server list to be overridden by DHCP/PPP on WAN"?

For now at least it works without complaining.

78
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 15, 2021, 04:12:41 pm »
@ Fright,
I herewith can confirm that it was indeed a local DNS conflicting issue. I've changed the local record to the public IP address and that solved the problem.
Thanks again for all your input

79
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 14, 2021, 10:34:29 am »
Hi Fright,
You are making impressive long days and thanks a lot for offering all these suggestions.
For now I'm stuck because I have forced too many renewals ending up with "too many certificates already issued for exact set of domains".
Sadly none of your suggestions led to a solution but only result, once accepting an acceptation, into an insecure connection. So I need to dive into this somewhat deeper. I now think that this behavior, as it seems to be a DNS issue, maybe occurs because the public advertised FQDN (external IP address) is in conflict with the internal published FQDN (internal IP address (LAN) using a local DNS).
Could this be the case?

80
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 13, 2021, 10:30:59 pm »
Thanks for your efforts but "Disable DNS rebinding checks" was already unchecked...

81
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 13, 2021, 06:04:45 pm »
Hi Fright,

Aha, I first misunderstood but have now unchecked the "OCSP Must Staple" box but that results in another error in recent browsers (Edge, Firefox). It says "A potential DNS Rebind attack has been detected". So what now?

82
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 13, 2021, 05:15:43 pm »
Hello Fright,
I've decided to first upgrade to the latest version, so now I'm on 21.1.3. That at least solved the UI problems encountered earlier.
With respect to LE I can confirm that ocsp_must_staple is responsible because I can get access or not by toggling security.ssl.enable_ocsp_must_staple from true to false in the browser settings. However, "OCSP Must Staple" is enabled in the LE cert settings but even forcing a cert renewal doesn't solve the issue. Any idea what to look for?
Thank you!

83
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 13, 2021, 10:26:18 am »
Quote
edit Cert -> "Security Settings"
edit Cert ->
Thanks for that but "OCSP Must Staple" was already enabled so that cannot be the issue...

84
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 13, 2021, 08:18:07 am »
@ Franco: Don't understand what you mean. I can't find anything related to this issue at "https://github.com/opnsense/changelog/blob/882c3cdfc94c29d9d320f7f318366bc6d2a27665/community/21.1/21.1.1#L34"

@ Fright: Where can I find this option? Not available in the LE settings page...

But thanks for your support.

85
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 12, 2021, 06:39:55 pm »
Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.

I'm using Firefox 52.6.0 as this is the only browser to provide access. All other "newer" browsers complain as follows:
Quote
Secure Connection Failed
An error occurred during a connection to opnsense.koxkampseweg10.com. A required TLS feature is missing.
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
Not sure if this is related. I'm using a Letsencrypt cert and Firefox is just accepting it as expected but other browsers don't.

86
21.1 Legacy Series / Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 12, 2021, 06:31:53 pm »
Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.

87
21.1 Legacy Series / Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
« on: March 12, 2021, 03:02:20 pm »
I've upgraded my system this morning to version 21.1 and just discovered that aliases are no longer editable.
As a workaround I've made the needed changes in config.xml and pushed the apply button in the web interface. Still need to find out if that works as the change involves to allow access concerning a specific external IP address.

In addition:
Adding a new alias doesn't work either...

88
20.7 Legacy Series / Re: web interface fails after upgrade to 20.7.7.1
« on: December 30, 2020, 11:01:05 am »
The question is, how will this be solved? Will this happen again during the next upgrade?

89
20.7 Legacy Series / Re: web interface fails after upgrade to 20.7.7.1
« on: December 29, 2020, 11:40:41 am »
Thanks for that! After opnsense-revert -r 20.7.6 lighttpd and an option 11 (Reload all services) I had access to the webgui again.
configctl webgui reload however responds with "Action not found" (???).

The other thing noticed is: The latest Waterfox comes with an error Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING and Chrome doesn't like it either (???).
An old Firefox (52.6.0) works, Edge works as well (correction, failed after clearing cache).
So what to do next?

I've worked it out:
After reboot I received a different message in my browsers (except the old Firefox):
Quote
Website certificate revoked
The certificate used by this server is marked as untrusted and the connection is not secure.
This error was caused by a missing OCSP response, which must be present and valid because OCSP Must-Staple is used.
Try connecting later or use a different internet connection.
Access to it has been blocked.
(ESET happen to block).
Luckily I had access via my 'old' Firefox and could force a renewal of the Letsencrypt cert and after a reboot everything seems to be as it should.
Revert rolled back lighttpd version 1.4.56 to version 1.4.55_1

90
20.7 Legacy Series / Re: web interface fails after upgrade to 20.7.7.1
« on: December 29, 2020, 10:20:14 am »
Thanks for that! After opnsense-revert -r 20.7.6 lighttpd and an option 11 (Reload all services) I had access to the webgui again.
configctl webgui reload however responds with "Action not found" (???).

The other thing noticed is: The latest Waterfox comes with an error Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING and Chrome doesn't like it either (???).
An old Firefox (52.6.0) works, Edge works as well.
So what to do next?
