Messages - siga75

106
19.7 Legacy Series / Re: Having weird problem with default rule blocking some IPs and ports
« on: January 24, 2020, 07:10:50 am »
Default deny is a "last match" rule, so if that does match it means the rules you created didn't match. Have you created them as "first match"? Can you post a screenshot?

107
19.7 Legacy Series / Re: Floating rules logging
« on: January 24, 2020, 07:06:06 am »
You can't disable automatic rules from the firewall interface; you should instead unflag the related setting that generated that rule. You should have a link in the details of that rule which shows you which setting added it.

108
19.7 Legacy Series / Re: Alias Help
« on: January 24, 2020, 07:02:59 am »
I have the same settings as you (except I didn't enable statistics, but that's for sure not the issue).

Have you checked that you can reach the URL from your firewall? Check with a curl from SSH:

[root@myfw ~]# curl https://www.spamhaus.org/drop/edrop.txt
; Spamhaus EDROP List 2020/01/23 - (c) 2020 The Spamhaus Project
; https://www.spamhaus.org/drop/edrop.txt
; Last-Modified: Sat, 28 Dec 2019 21:03:27 GMT
; Expires: Fri, 24 Jan 2020 14:54:02 GMT
5.188.11.0/24 ; SBL402809
5.188.207.0/24 ; SBL419952
5.188.216.0/24 ; SBL394632
27.112.32.0/19 ; SBL237955
31.184.237.0/24 ; SBL419884
. . .

109
General Discussion / Re: Why firewall rules and vlans must use /32
« on: January 22, 2020, 08:42:42 am »
192.168.1.5/24 provides two pieces of information: the IP of the host and the netmask (from which, of course, you can calculate the network IP).

192.168.1.5 is just the equivalent of 192.168.1.5/32, a single IP.

The netmask is there so you can also specify the entire subnet, 192.168.1.0/24.

You cannot specify 192.168.1.5/24 because it will not understand whether you want the entire subnet or the single IP.

110
General Discussion / Re: captive portal - cannot disable "enforce local group"
« on: January 22, 2020, 08:27:50 am »
No, I didn't.

In the end it works; my real issue was related to something else.

Still, this is indeed a bug, but probably "only" at WUI level.

111
General Discussion / Re: Port 80, 443 forwarding issue
« on: January 21, 2020, 07:54:48 am »
Destination address should be "WAN address"; NAT IP should be where you want the packets to be forwarded. It makes no sense to have the same IP in both fields; it would mean no forwarding is needed.

112
General Discussion / Re: NAT issue using aliases
« on: January 20, 2020, 10:27:22 am »
Thanks for your reply.

Quote from: hbc on January 20, 2020, 09:53:55 am
And your script always returns content? No timeouts that may create empty results?

As far as I know, yes, it always gets results; this is confirmed by running this command while I have the issue:

[root@myfw ~]# pfctl -t google_networks -T show
   35.190.247.0/24
   35.191.0.0/16
   64.233.160.0/19
   66.102.0.0/20
   66.249.80.0/20
   72.14.192.0/18
   74.125.0.0/16
   108.177.8.0/21
   108.177.96.0/19
   130.211.0.0/22
   172.217.0.0/19
   172.217.32.0/20
   172.217.128.0/19
   172.217.160.0/20
   172.217.192.0/19
   172.253.56.0/21
   172.253.112.0/20
   173.194.0.0/16
   209.85.128.0/17
   216.58.192.0/19
   216.239.32.0/19

Quote from: hbc on January 20, 2020, 09:53:55 am
problems with merging the aliases into 'https_www_proxied_hosts'

I really think this is the issue.

Next thing I will try is creating a dedicated port forwarding with only "google_networks" alias, instead of having nested aliases.

113
General Discussion / Re: NAT issue using aliases
« on: January 20, 2020, 08:40:48 am »
That alias works on other fw rules; there's a scheduled script that runs a pfctl replace:

[root@myfw ~]# cat google-nets
#!/bin/sh
# Look up Google's SPF record, follow each include: to the netblock records,
# collect their ip4: entries and load them into the pf table in one replace.
dig @8.8.8.8 +noall +answer +short +dnssec +tcp _spf.google.com txt | tr ' ' '\n' | awk -F: '$1=="include" {print $2}' | while read blocks
do
  dig @8.8.8.8 +noall +answer +short +dnssec +tcp "$blocks" txt | tr ' ' '\n' | awk -F: '$1=="ip4" {print $2}'
done | xargs pfctl -t google_networks -T replace

[root@myfw ~]# cat /usr/local/etc/cron.d/custom-pf-tables.cron
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    who     command
40      4       *       *       *       root    /root/google-nets

I wrote a small post here:
https://www.signorini.ch/content/opnsense-create-pftable-for-google-networks
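The script above follows exactly one level of include: mechanisms. As an added example (not siga75's script and not part of the post), here is a resolver that walks nested includes to any depth, guards against include loops, and can extract either ip4 or ip6 blocks. DNS lookups are stubbed with constructed records for a hypothetical example.test zone so it runs offline; the comment in spf_txt shows the dig call to put in its place on the firewall.

```shell
#!/bin/sh
# Added example, not siga75's script: resolve an SPF record tree into the
# list of address blocks it authorises, following nested "include:"
# mechanisms and refusing to loop. Lookups are stubbed with constructed
# records (hypothetical example.test zone) so the script runs offline.

# Constructed TXT records keyed by name. On a real firewall replace the
# body with:  dig @8.8.8.8 +short +tcp "$1" txt | tr -d '"'
# (records longer than 255 characters arrive as several quoted strings;
# join those before splitting on spaces).
spf_txt() {
  case "$1" in
    _spf.example.test) echo 'v=spf1 include:_a.example.test include:_b.example.test ~all' ;;
    _a.example.test)   echo 'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 include:_c.example.test ~all' ;;
    _b.example.test)   echo 'v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_a.example.test ~all' ;;
    _c.example.test)   echo 'v=spf1 ip4:198.51.100.128/25 include:_spf.example.test ~all' ;;
    *)                 return 1 ;;
  esac
}

# resolve_blocks NAME SEEN FAMILY
# Prints every FAMILY (ip4 or ip6) block reachable from NAME, one per line.
# SEEN is the space-separated include chain leading here; a name already in
# it is a loop and is skipped. The body runs in a subshell, so every variable
# is local to this call and recursion cannot clobber the caller's state.
resolve_blocks() (
  name=$1 seen=$2 fam=$3
  case " $seen " in *" $name "*) exit 0 ;; esac
  rec=$(spf_txt "$name") || { echo "no SPF record for $name" >&2; exit 1; }
  for term in $rec; do
    case $term in
      "$fam":*)  echo "${term#*:}" ;;
      include:*) resolve_blocks "${term#include:}" "$seen $name" "$fam" ;;
    esac
  done
)

# spf_blocks ROOT FAMILY: sorted, de-duplicated block list ready for pfctl.
spf_blocks() {
  resolve_blocks "$1" "" "$2" | LC_ALL=C sort -u
}

# Demo on the constructed zone. On the firewall the last step would be:
#   spf_blocks _spf.google.com ip4 | xargs pfctl -t google_networks -T replace
spf_blocks _spf.example.test ip4
```

Running it prints the four ip4 blocks of the constructed zone once each, even though _a.example.test is reached twice and _c.example.test points back at the root; the loop guard is what keeps a cron job from hanging if a provider ever publishes a circular include.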


114
General Discussion / Re: NAT issue using aliases
« on: January 19, 2020, 08:21:45 am »
I confirm that's the issue (external table alias); if I create an alias with the same content but "static", it works. Should I open an issue on GitHub?

115
General Discussion / NAT issue using aliases
« on: January 18, 2020, 06:27:44 pm »
I have a port forwarding defined to let only some IP addresses go out, through Squid.

The alias used (https_www_proxied_hosts) does not seem to contain everything defined.

See attachments for details.

I defined a cron job to run every 5 minutes to reload the aliases.

Here is the content of the pf table for alias google_networks:

[root@myfw ~]# pfctl -t google_networks -T show
   35.190.247.0/24
   35.191.0.0/16
   64.233.160.0/19
   66.102.0.0/20
   66.249.80.0/20
   72.14.192.0/18
   74.125.0.0/16
   108.177.8.0/21
   108.177.96.0/19
   130.211.0.0/22
   172.217.0.0/19
   172.217.32.0/20
   172.217.128.0/19
   172.217.160.0/20
   172.217.192.0/19
   172.253.56.0/21
   172.253.112.0/20
   173.194.0.0/16
   209.85.128.0/17
   216.58.192.0/19
   216.239.32.0/19

That should be included in this table, but is completely missing:

[root@myfw ~]# pfctl -t https_www_proxied_hosts -T show
   23.23.73.124
   50.19.218.16
   54.204.26.223
   54.225.71.235
   54.225.169.250
   54.235.203.7
   54.235.220.229
   54.243.147.226
   104.17.172.102
   104.18.48.62
   104.18.49.62
   104.18.206.87
   104.24.110.187
   104.24.111.187
   104.31.90.50
   104.31.91.50
   104.131.209.4
   108.171.202.195
   108.171.202.203
   108.171.202.211
   172.217.168.4
   172.217.168.10
   172.217.168.14
   172.217.168.42
   172.217.168.45
   172.217.168.46
   172.217.168.78
   198.143.164.0/24
   198.143.164.251
   198.143.164.252
   216.58.215.225
   216.58.215.234
   2606:4700::6811:ac66
   2606:4700::6812:ce57
   2606:4700:3033::6818:6fbb
   2606:4700:3035::6812:313e
   2606:4700:3037::6812:303e
   2606:4700:3037::6818:6ebb
   2606:4700:3037::681f:5a32
   2606:4700:3037::681f:5b32
   2607:f2d8:4010:8::2
   2607:f2d8:4010:b::2
   2607:f2d8:4010:c::2
   2a00:1450:400a:800::2001
   2a00:1450:400a:800::200a
   2a00:1450:400a:801::2004
   2a00:1450:400a:801::200e
   2a00:1450:400a:802::200a
   2a00:1450:400a:802::200d
   2a00:1450:400a:802::200e

Any idea what the issue is here? I saw in the forum in the past that there was a bug when using aliases for NAT rules, and here I use an external alias (google_networks) that may complicate things. Could this be the issue?

THX
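The post compares the two pfctl dumps by eye. As an added example (not from the post), here is a small check that does that comparison mechanically: given two files in the one-entry-per-line format pfctl -T show prints, it lists every entry of the nested alias that is absent from the parent table and exits non-zero when anything is missing, so it can run from cron after the alias reload. The sample files are constructed from a few entries of the tables above; the parent deliberately gets one overlapping entry so both outcomes show.

```shell
#!/bin/sh
# Added example, not from the post: check that every entry of a nested alias
# is actually present in the parent pf table, which is what the post expects
# and does not see. Input is two files in the one-entry-per-line format that
# "pfctl -t NAME -T show" prints (leading spaces are tolerated).

# table_missing PARENT_FILE CHILD_FILE
# Prints each CHILD entry absent from PARENT and exits 1 if any is missing.
# The comparison is exact text: 198.143.164.251 is not treated as covered
# by 198.143.164.0/24, so normalise the inputs if that matters to you.
table_missing() {
  awk '
    FILENAME == ARGV[1] { if (NF) have[$1] = 1; next }   # first file: parent
    NF && !($1 in have) { print $1; missing++ }          # second file: child
    END { exit (missing ? 1 : 0) }
  ' "$1" "$2"
}

# Constructed sample tables: a few entries taken from the dumps in the post,
# plus one overlapping entry in the parent so the demo shows a hit and misses.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/google_networks" <<'EOF'
   35.190.247.0/24
   35.191.0.0/16
   172.217.0.0/19
   216.58.192.0/19
EOF
cat > "$SAMPLE_DIR/https_www_proxied_hosts" <<'EOF'
   23.23.73.124
   35.191.0.0/16
   172.217.168.4
   216.58.215.225
EOF

# Demo. On the firewall, feed it the live tables instead, e.g.
#   pfctl -t google_networks -T show > /tmp/child
#   pfctl -t https_www_proxied_hosts -T show > /tmp/parent
#   table_missing /tmp/parent /tmp/child
table_missing "$SAMPLE_DIR/https_www_proxied_hosts" "$SAMPLE_DIR/google_networks" \
  || echo "some nested-alias entries are missing from the parent table" >&2
```

The awk program keys on FILENAME rather than the usual NR==FNR idiom so that an empty parent table (the worst case for this bug) still reports every child entry as missing instead of silently passing.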

116
General Discussion / Re: gpsd
« on: January 18, 2020, 03:55:23 pm »
I played a lot with NTP and GPS and I never realized NTP could directly access NMEA sentences via pseudo IP 127.127.20.0; I was sure gpsd was involved in the process of "translating" NMEA for NTP.

Thanks for this.

Since I want PPP (Precise Point Positioning) in order to put the receiver in stationary mode, I will need to be able to read raw data, so I will manually compile that gpsd. It looks like with the zed-f9t I can achieve less than 1 cm accuracy, which is quite impressive.

https://gpsd.gitlab.io/gpsd/ppp-howto.html


117
General Discussion / Re: gpsd
« on: January 18, 2020, 12:27:05 pm »
Thanks a lot Fabian; you are, as always, really helpful :)

Do you mean current GPS timing is supported natively by OPNsense without that daemon? Because I connected an older module and it works...

118
General Discussion / gpsd
« on: January 18, 2020, 11:10:36 am »
Does OPNsense use gpsd for GPS timing? I see the package is not installed and not in the repo:

root@myfw:/usr/ports/astro/gpsd # pkg install gpsd
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'gpsd' have been found in the repositories


Anyway I found this, which does not come from a package:
root@myfw:/usr/ports/astro/gpsd # cat distinfo
TIMESTAMP = 1516146278
SHA256 (gpsd-3.17.tar.gz) = 68e0dbecfb5831997f8b3d6ba48aed812eb465d8c0089420ab68f9ce4d85e77a
SIZE (gpsd-3.17.tar.gz) = 8755304
root@myfw:/usr/ports/astro/gpsd # pkg info|grep gps
root@myfw:/usr/ports/astro/gpsd #

root@myfw:/usr/ports/astro/gpsd # pkg which /usr/ports/astro/gpsd/distinfo
/usr/ports/astro/gpsd/distinfo was not found in the database

Also, with a ps aux I can't find a GPS daemon, so how does it work?

I just ordered a u-blox zed-f9t and would like to know if gpsd 3.19 (or 3.20) will be part of the 20.1 release




119
General Discussion / Re: Can't ping or connect from firewall
« on: January 15, 2020, 08:21:17 am »
Check in the floating fw rules whether you have "let out anything from firewall host itself" enabled.

120
General Discussion / Re: Network question
« on: January 11, 2020, 10:34:19 am »
Oh, OK, I got it now :)

Well, I don't see any reason to use NAT, but you can still use it as a router if, for whatever reason, you want a different network to be routed (it depends on what your router conf allows; you have no limits if you configure OpenWrt on it).

If you use it as an AP then DHCP will be served by OPNsense.
