Topics - hv-tech

1
Zenarmor (Sensei) / Zenarmor and Squid proxy inline not working - again
« on: December 21, 2023, 05:08:26 pm »
Hi All,

I've posted about this in the past, and the issue/bug got resolved in a different release (1.13), but the application category / 'App Control' isn't being blocked when using Squid proxy, which stopped working a few releases ago.

I use Squid proxy for my network, but if it just passes through Zenarmor without Zenarmor being able to block, this makes using Zenarmor kinda useless unless... I believe this is the same bug spotted and resolved in release 1.13 unless something changed in the latest release which requires me to use my Squid proxy differently?


Regards!

2
Zenarmor (Sensei) / Installing older Zenarmor releases
« on: December 06, 2023, 06:35:58 pm »
Hi all,

I was wondering if there is a way to point to an older version of Zenarmor. Waiting months for a bug fix gets old and I'd rather roll back to a version that works with the feature I am waiting for a fix for... any help would be great, thanks!

3
Web Proxy Filtering and Caching / Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 04:55:33 pm »
Hi Forum,

So I recently had to rebuild my OPNsense box, and redeployed the backed-up config. Everything is fine except the Squid proxy. So proxy works unless I use SSLi. I did everything that anyone might think of: reinstall squid packages (from the GUI), redeploy the SSL cert for SSLi, tried a different interface. Nothing works, anyone have any ideas?


Posted are the 'cache logs'.
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn163 local=172.16.10.1:3128 remote=172.16.10.6:1180 FD 17 flags=1: 0x81cd39680*1   
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn162 local=172.16.10.1:3128 remote=172.16.10.6:1179 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn156 local=172.16.10.1:3128 remote=172.16.10.6:1178 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn150 local=172.16.10.1:3128 remote=172.16.10.6:1177 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn144 local=172.16.10.1:3128 remote=172.16.10.6:1176 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:09       squid   kid1| ERROR: failure while accepting a TLS connection on conn138 local=172.16.10.1:3128 remote=172.16.10.6:1175 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn132 local=172.16.10.1:3128 remote=172.16.10.6:1174 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn126 local=172.16.10.1:3128 remote=172.16.10.6:1173 FD 17 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn79 local=172.16.10.1:3128 remote=172.16.10.6:1164 FD 19 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn120 local=172.16.10.1:3128 remote=172.16.10.6:1172 FD 13 flags=1: 0x81cd39680*1   
            listening port: 172.16.10.1:3128   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn90 local=172.16.10.1:3128 remote=172.16.10.6:1171 FD 36 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn81 local=172.16.10.1:3128 remote=172.16.10.6:1166 FD 22 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn78 local=172.16.10.1:3128 remote=172.16.10.6:1163 FD 17 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn75 local=172.16.10.1:3128 remote=172.16.10.6:1160 FD 13 flags=1: 0x81cd3a4c0*1

4
Zenarmor (Sensei) / Using Zenarmor and Squid proxy inline
« on: December 27, 2022, 10:58:56 pm »
Hi ALL,

I can't help but notice that when using Web Proxy in OPNsense, it completely bypasses Zenarmor, since it sees my hosts connecting to the destination, which is the LAN interface hosting Squid Proxy. I am not sure if there is a setting on the Zenarmor or Proxy side, a way to parse the data coming from the source being the LAN interface where the dest is whatever the proxy is connecting to?

It would be nice if the WAN interface was selectable since I am sure it would capture from LAN out during proxy options.

5
General Discussion / HAproxy not starting after upgrading firmware
« on: December 07, 2022, 10:41:43 pm »
Hi Forum,

If I was more technical I wouldn't post, but after upgrading from 22.7.7 to 22.7.8, since I've upgraded to 22.7.9 without fixing the problem. Here is the output for when I manually try to start the service:

root@ctgwfw01:~ # service haproxy restart
haproxy not running? (check /var/run/haproxy.pid).
Starting haproxy.
[ALERT]    (21092) : Starting frontend External-Pub: cannot bind socket (Can't assign requested address) [72.10.1.x:443]
[ALERT]    (21092) : Starting frontend External-Pub: cannot bind socket (Can't assign requested address) [72.10.2.x:443]
[ALERT]    (21092) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy
root@ctgwfw01:~ #


Note I have a PPPoE IP from my ISP. So each time I reboot, it seems to be binding to the old IP that is no longer being used. I am not sure if there is a cache I need to wipe out?


Any help would be great :)
Thanks

6
Zenarmor (Sensei) / Using Squid Proxy and Sensei inline
« on: February 08, 2022, 05:21:32 pm »
I've been using and playing with Sensei and bought a home license; however, I've noticed that this service doesn't incorporate Squid Proxy very well. When running proxy, I can see traffic from my endpoints going straight to the proxy port on the box classified as "Web Browsing". It would be ideal if I could set my capture from the source interface of the proxy IP and dest being the internet.

Perhaps running both services on the same box just doesn't work, but I thought I would post and see if anyone else has a workaround or a solution.

7
21.7 Legacy Series / Issues using HAProxy and Unbound at the same time
« on: August 12, 2021, 06:40:57 pm »
Good afternoon,

I have a general question: when I use HAProxy and have Unbound running at the same time, it forces the service of HAProxy to fail. I have "overrides" DNS entries for the stuff I have hosted in HAProxy, but I fail to see how this will affect what is running on HAProxy, but it does. As soon as I disable Unbound and restart HAProxy, HAProxy works again.

Would anyone have any advice on something I need to set or do? Or is this normal and I can't run both of those services at the same time?

Thanks,

8
20.7 Legacy Series / Issues with plugin os-freeradius / LDAP feature
« on: January 29, 2021, 05:36:41 am »
Hi Forum,

I recently installed the plugin os-freeradius in the hope of using the LDAP module for authentication. However, I've had issues running the LDAP feature and get auth issues. Now my remote LDAP server is a webmin build with OpenLDAP server/client enabled on it to provide the LDAP access to my OPNsense box. I know my LDAP server works since I have a few different applications and services that use my LDAP server. So below are the logs that I get when attempting an auth from the "tester".

Auth: (0) Login incorrect (ldap: Failed performing search: Bad search filter)
Auth: (0) Invalid user (ldap: Failed performing search: Bad search filter): [


Also I feel it has something to do with the LDAP settings after seeing the "bad search filter" in the logs. It's unclear how to set and adjust the "Group Filter" and I tried to read up on the documentation, however the documentation doesn't even mention the LDAP feature (perhaps the Wiki needs updating?)

Wiki: https://docs.opnsense.org/manual/how-tos/freeradius.html


One last thing, even when I try to configure just LDAP under "access servers" I cannot get LDAP to work. Just putting it out there.

Regards!
