Messages

So Port 22 works. Seems to be proxy related. But even when I turned off the web proxy, no transparent mode, no interfaces selected, it does not work.

Are there any hidden rules?

Hello,
LAN contains ESXi Hosts and vCenter.
VLAN2 contains Active Directory and Horizon Connection Server.

I try to access vCenter (LAN) or any "internal" webservice via TCP 80 or 443. 80,443 or 3389 from LAN -> VLAN2 works fine.

Machines from VLAN2 can access the internet via Web Proxy (if needed, but currently not configured on any machine in VLAN2) (had it transparent before, but removed that).

OPNSense is the only physical gateway for both subnets.

Are there any hidden rules from the web proxy?

Hello,
obviously I'm to stupid to get traffic from one VLAN to another one.

I do get traffic from LAN to VLAN2. But I can't reach VLAN2 to LAN (only ICMP works).

Can someone help me with that? I tried rules in every direction on every interface (LAN, VLAN2). I'm able to reach LAN -> VLAN2 but not in the other direction. What am I doing wrong?

As ICMP works, I would rule out any routing problem.

Is this related to the webproxy? (transparent mode, but rules deleted on VLAN2)

Cheers and thx for help.

IDS IPS is active on the physical interfaces or vlans as well?

Activate IPS only on physical interfaces.

You uncompressed it? bz2 is not the raw image. Use 7zip.

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

No I'm using suricata with additional Snort Rules. Use 29190. Don't use 3.x rules.

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

sorry, didn't guess that this is a hint of adding a new feature  :D

Kind of. Actually the question was more like "am I blind", "is there an easy way" or "can I achieve this via cmdline" to renew certificates.

However thanks for help!

ah
you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
then do what @bartjsmit advised.
what didn't work for CA?
did you specify the keyUsage?

Thank you. No everything works with the CA, however I thought a simple renew button would have been nice as long as the private keys are managed by OPNSense.

As for configuring ZFS from the GUI for use cases such as snapshots/boot environments that might be part of a future business edition instead.


Cheers,
Franco

Any plans to impelement automatic snapshots before any opnsense-code or opnsense-update? I saw this on TrueNAS.

I do have the following certificates issued by OPNSense.

CA
|_ Inspection CA -> SSL Inspection Web Proxy
|_ Signing CA
   |_ Several Certificates for Web Servers

Now some certificates for webservers are expired and the inspection CA is expired. How to get these resigned with the same private key or if only possible to resign without private key?

I thought there is a better way than deleting and issue again.

I've to dig this up again. This feels unconfortable when the private key was generated by opnsense and I don't know where the certificates are on the FS.

Thanks for the tipp bartjsmit, but this doesn't work with a SubCA.


Is there a way to renew a certificate previously signed within OPNSense via CLI?

1) Check Rules and Policy Tab
2) Its called passlist.
3) Not out of the box. Whats the requirement here?

Hello,
is there any way to renew certificates that have been issued?

I use this as "light" CA, as other systems are to comlicated.

Cheers

Such mal nach SSL Passthrough mit SNI in Verbindung mit HAProxy.

Der Hostheader bzw die SNI Payload ist unverschlüsselt.