Messages - allebone

76
21.7 Legacy Series / A rule that should not block on the firewall blocked something temporarily.
« on: October 15, 2021, 09:59:12 pm »
Hi there,

I had a strange occurrence. I have rules that block certain IPs on my home network and an allow rule above this block rule that allows certain IPs that I don't want captured in the block.

Last night a Netflix CDN IP was blocked. I noticed today (the next day) when reviewing the logs. However, this IP was already in the allow rule. The effect this had was that momentarily Netflix would not work; I refreshed a few times and thought nothing of it. However, I noticed today that the IP was blocked, and so I went to add it to the list of allowed IPs and discovered it was already in the list.

This means that temporarily the rules did not function as expected last night. However, there were no changes to the firewall, and in fact I was not logged onto it at all, either at that time or around that time (due to watching Netflix).

Why would the firewall temporarily ignore a firewall rule? The problem seems to have resolved itself with no intervention. I have not added this IP later on into the alias of allowed IPs. I can confirm it was already in there and did not require a change to the firewall.

Kind regards
Pete

77
20.7 Legacy Series / Re: Resize OPNSense Partition
« on: October 11, 2021, 08:56:34 pm »
Yeah, this is not a "just type in commands and hope" kind of example above. It's more like an "I did this and this was my output between each step; you check yours and reconfigure as appropriate" style guide.

78
General Discussion / Re: OpnSense in small Enterprise segment - negative feedback
« on: October 10, 2021, 08:28:20 pm »
For the HA option, are you just saying you want an active-backup option?

79
German - Deutsch / Re: GitHub timeout due to FireHOL block
« on: October 07, 2021, 11:06:01 pm »
Which list are you using?
That IP does not exist in firehol level 1:

https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

80
21.1 Legacy Series / Re: BELL FIBE IPTV (Ontario)
« on: September 28, 2021, 10:30:55 pm »
I have not done it before, as I don't have TV from Bell, but here is a post that suggests the VLAN is 34 for TV.

In addition, I am informing you not to use 192.168.2.x in your network. The TV boxes are hard coded to their IPs on that range. You will 100% have issues if you don't re-IP your home network (and want TV).

Here are posts that explain how to do it:
https://www.idscomm.ca/blog/bell-fibe-internet-iptv-with-pfsense

https://forum.netgate.com/topic/78892/how-to-get-bell-fibe-in-quebec-ontario-internet-and-iptv-working-with-pfsense

81
Virtual private networks / Re: Wireguard port - public wifi
« on: September 28, 2021, 09:45:21 pm »
I can't explain why it doesn't work for you. I mean I am totally stuck on what to look at next. I can't think of a reason what could be causing you an issue :(

82
Virtual private networks / Re: Wireguard port - public wifi
« on: September 28, 2021, 02:14:09 pm »
Here is the proof it works from an iPhone. My iPhone gets an IPv6 address, so that's why the endpoint looks strange, but I assure you this works on IPv4 clients also (it's just easier to test from my phone quickly).

83
Virtual private networks / Re: Wireguard port - public wifi
« on: September 28, 2021, 02:03:27 pm »
Currently because I was testing for you guys I have 2 rules:

NAT
Rules

However, they both work currently. Presumably, as mine work and you are wanting to achieve the identical setup (one forwards to the same port, the other redirects from a different port), yours should also work (when you have 2).

Don't forget to modify the port on the client connecting afterwards. That's also a requirement, obviously.

P

84
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access - HALF SOLVED
« on: September 28, 2021, 01:03:39 am »
Then I am stumped :(

85
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access - HALF SOLVED
« on: September 27, 2021, 10:36:09 pm »
Can you check IPv6 is not causing an issue by disabling it entirely:
https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6

86
Virtual private networks / Re: Wireguard port - public wifi
« on: September 27, 2021, 09:31:26 pm »
Under my rules, WAN, the destination is the internal IP of the firewall, not "wan address" (mine is working, so assume correct?). Probably because of stateful inspection the bottom WAN rule is never hit (the rule above stops further processing of rules). You could try reordering the bottom rule and moving it before the rule that is to "wan address" in your screenshot.

I'm pretty sure this is the issue because I only use NAT rules even when forwarding to the router itself (i.e. as opposed to just opening the WAN up directly). The reason for this is that in my case I use IDS/IPS on the LAN interface, so without making the packet process through the LAN, the router itself will not have this port protected by any filtering you have in place. Indeed, some small cost of a CPU cycle is incurred by the packet having to move across an interface, but a faster CPU can mitigate that, and probably the cost is so small you will be unable to detect it. The same reason could apply if you used Sensei on the LAN.

Also, I am pretty sure a NAT rule is the default way it was done in the documentation before, but I did just check and it is no longer like that, so I think this was changed in the documentation at some point, because I assumed everyone did it this way, and at one point I'm fairly confident it was the case.

87
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access - HALF SOLVED
« on: September 27, 2021, 08:04:22 pm »
I also had this before when I set up bridging incorrectly. Did you have any bonding or bridging at all?

88
Virtual private networks / Re: Wireguard port - public wifi
« on: September 27, 2021, 07:54:51 pm »
MTR, you cannot redirect to "wan address" as this is the external IP of the firewall. Try redirecting it to 192.168.1.1 in your case.

89
21.7 Legacy Series / Re: 21.7.3. - high CPU - Mem usage:OK - very slow web access to OPNsense
« on: September 27, 2021, 02:00:58 am »
Any strange VLAN setup?

90
Virtual private networks / Re: Wireguard port - public wifi
« on: September 26, 2021, 08:29:34 pm »
See - I told you it had to work.

GG.

Pete
