Messages - vico1959

31
General Discussion / Re: Multi-WAN failover works - sort of
« on: April 27, 2020, 06:04:14 pm »
Well it was wishful thinking. It is still completely unreliable. Today our cable Internet is not having issues but the firewall keeps intermittently switching over to the failover Tier 2 gateway and continues alternating between the two. I've had to mark the failover gateway as down in order to fix it for now. Can anybody help me with this? I sure wish stuff would work the way it is supposed to, it would make life much easier.  ;)

32
General Discussion / Re: Multi-WAN failover works - sort of
« on: April 25, 2020, 01:16:57 am »
I may have figured out my own issue. I had also messed around with the priority and weight settings and when I set them both back to 1 on both interfaces and just let the Tier settings do the choosing then it looks like it is working correctly.

33
General Discussion / Multi-WAN failover works - sort of
« on: April 25, 2020, 12:54:56 am »
So I have a multi-WAN failover setup using a gateway group and it works initially when I pull the physical network cable for the primary WAN connection BUT what happens is a minute later the primary WAN shows as online and it switches back over even though it is physically unplugged so it cannot be online. It then continues to cycle between the two WAN connections being active because it is alternately stating that the primary WAN is up and then down and then up and then down. How can I fix this and make it reliable? I mean it can't possibly be reaching the monitor IP on the primary and yet it thinks it is up every 30 seconds or so. In fact I can sit here and refresh the screen on the single gateway page and nearly every refresh it is seeing the status as changed for that primary WAN. The failover is set up to switch when an interface is down as opposed to latency or packet loss. The second WAN is a Verizon wireless 4G LTE router that is connected with a wired ethernet connection to the firewall. The latency is obviously more than our primary cable connection but typically is in the 40-50ms range so not anything crazy. Please help if you can. Thanks.

P.S. - I forgot to say that I can get it to stay permanently on the second WAN if I mark the primary as down but the primary status still shows as online. Also I have noticed that every time I make a change to the primary gateway and save it, such as marking as down or not, as soon as I save it then it shows as down and then if I refresh then it shows as online. I'm really baffled.

34
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 22, 2020, 01:24:46 am »
Amr,

I want to thank you again for your help. Everything is now working as it should. It was indeed the order of firewall rules. I hadn't looked into that deeper because I was nearly certain I had tried it with the block rules disabled and got the same results but honestly I could have had something else tweaked wrong at the moment since I have been trying so many different configurations. Thank you again for finding the solution for me. I now feel much more confident in the software doing its job. Here is why I put it at the top even though it didn't seem right to me.


From this page: https://docs.opnsense.org/manual/how-tos/proxywebfilter.html?highlight=web%20filtering

35
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 21, 2020, 11:23:15 pm »
Thanks AMR, I will go through these steps and see what I get. I could have sworn that the instructions on the site said to put the block rules before anything else. I found some of the instructions very strange but tried to follow accordingly. Thanks again and I will update after trying these things.

36
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 18, 2020, 01:59:04 am »
Nobody? Anybody?

37
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 14, 2020, 10:16:48 pm »
Here is the final screenshot.

38
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 14, 2020, 10:12:56 pm »
Okay so I figured out how stupid I was. Somehow when I had attached before, I never saw it come up as images in the message but now I see that is how it works. Sorry for being such an idiot. Here are the first four screenshots and I'll post another one below.

39
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 14, 2020, 09:51:03 pm »
Also, let me make one more attempt at clarifying the issue. I can successfully set up transparent web filtering for HTTP and skip HTTPS proxy altogether BUT here is what I get. HTTP filtering works great, HTTPS directly entered URLs work great. What doesn't work is HTTP to HTTPS redirects. So for instance someone enters google.com or www.google.com and Google redirects that to https://www.google.com but the browser never takes you there, it just spins around trying and then times out. IF you manually enter https://www.google.com then it works fine. I would eventually like to get the filtering for HTTPS working without inspection BUT for now if I could just get the dang HTTPS redirect to function correctly I could at least work within those limitations for now. Hopefully this plainly describes my issues. Thanks again.

P.S. - What's killing me is that I have successfully configured more complex things such as automatic failover WAN with a wireless interface connected to an LTE hotspot but this simple web filtering issue is kicking my butt!

40
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 14, 2020, 09:16:11 pm »
Hey guys,

I finally figured out that attaching files automatically puts them in the message. I don't know how I missed that but I have posted them below. I really need to get this figured out as I need to start blocking and filtering some specific things but I can't turn it back on until I have HTTPS access working, even if it isn't being filtered I at least need it able to be accessed but it stops working every time I enable the filtering. Please help again. I'm sorry to bug you guys but I really wish some parts of this configuration were much more straightforward. As far as I know I have followed exactly what is in the instructions and I can't figure out why it is not working. Thanks again.

41
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 10, 2020, 11:38:44 pm »
Quote from: Amr on April 08, 2020, 09:35:05 am
Do you have DHCP enabled on OPNsense LAN interface or in relay mode?

Neither. I do not have anything DHCP related turned on at the firewall. All DHCP is being served by the Windows Domain controller. When it serves out the DHCP it is serving out the firewall address as the gateway. Also any DNS that the firewall is processing is strictly by interception. The Windows domain controller is also acting as the DNS server so again I'm not using the DNS directly from the firewall at all.

Quote from: Amr on April 08, 2020, 09:35:05 am
Before proceeding with transparent proxy troubleshooting, first check that the caching proxy is working fine.
1- Disable transparent proxy.
2- Configure Firefox proxy settings to use the proxy by:
   a- Choosing -> "Manual proxy configuration"
   b- Enter the IP in HTTP proxy and port number
   c- Check "Also use this proxy for FTP and HTTPS"
3- Check that the proxy is working as expected with web filtering.

I did this originally before setting up the transparent mode and HTTP worked fine but I had the same results with HTTPS traffic. Nothing got through at all so I did not have a chance to test whether it would properly redirect to HTTPS from an HTTP request. Currently I have all web filtering rules disabled because that is the only way I can get HTTPS traffic to work properly.

Quote from: lfirewall1243 on April 10, 2020, 12:11:39 pm
Don't share the screenshots in a Zip File, I think nobody is downloading them.

Take a screenshot of your NAT, Rules and Squid config and upload them as images :)

Okay sorry about that. Do you mean insert them into the message or just don't zip them? Is there a way to upload here on the forum inline in the message or do I need to use an external site and link to it? The insert image button only inserts the HTML code so I am assuming the latter is what you mean?

42
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 08, 2020, 12:41:57 am »
No, sorry for the confusion. It is a standard setup with the OPNsense firewall connected directly to the ISP but I just wanted to let you know that the LAN is using the DHCP and DNS on the Windows server instead of the firewall providing those roles in case that brought up any other ideas and made any difference for the solution. I didn't think it should matter but just in case.

I will try to attach the appropriate screenshots. Keep in mind that for now all of the needed rules are disabled so people can work without getting blocked so just know that I had them enabled but couldn't get through as described previously. This includes the HTTPS settings in squid.

Thank you again and let me know if you need anything else.


43
Web Proxy Filtering and Caching / Re: HTTPS traffic not working correctly
« on: April 06, 2020, 04:53:03 pm »
@Fabian,

I do have it there but I have to disable it along with the firewall rules to get any HTTPS traffic to work. In fact with all the rules enabled according to the instructions on the OPNsense website here I cannot get any HTTPS traffic at all.

@Amr,

Do you want screen shots or is there a better way to export those settings for you to see?

Also, in case this makes any difference this is in front of a Windows Active Directory domain network and the main DNS is the DHCP/DNS server which is not the firewall itself.

44
Web Proxy Filtering and Caching / HTTPS traffic not working correctly
« on: April 04, 2020, 05:24:13 pm »
So I am having a really hard time getting the web proxy to work properly. I cannot get HTTPS traffic to work correctly no matter what I try when the firewall and NAT rules are redirecting to the proxy. With rules enabled for HTTP (80) only using a transparent setup, normal HTTP traffic works fine and directly entered HTTPS URLs work fine but any HTTP URLs that are being redirected to HTTPS sites never connect. If I try and enable transparent HTTPS rules then no HTTPS traffic works at all whether directly entered or not. If I disable proxy rules then everything works as expected. I really don't want to have to forego all web filtering just so we can have normal HTTPS redirects happening. Can somebody please help me before I pull what's left of my hair out? Thank you in advance for any assistance you can give me.
