OPNsense

Messages - cookiemonster

106
Tutorials and FAQs / Re: [NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3
« on: October 14, 2024, 10:47:48 pm »
Let's go one at a time, i.e. diagnose between two interfaces only. Then move to the next, OK?
OPN clean slate, basic setup - check.
     What are Lambda rules BTW ?

Now then. Are you able, for diagnostics, to put a laptop on an interface when diagnosing? I ask because it seems you are doing ping tests from the device itself. It "should" be the same, but when diagnosing it is best not to assume. Unless I'm imagining it incorrectly, if you are putting OPN on a workbench, then the tests aren't going to be a true reflection because the interfaces being tested will be down. Please inform how they are "UP" on a workbench. If they are, then the request to put a laptop on it would not be a problem, right?


107
24.7 Production Series / Re: error reconfiguring IDS => error installing ids rules (Error (1))
« on: October 14, 2024, 10:56:46 am »
Quote
Because my system is online, and so when I'm on the forum doing tests, I switch IDS off, and when I'm not, I switch it back on
Why? What do you think disabling IDS when you're on the forum and "doing tests" and switching it back on after will provide? Then you are doing "tests" that are then void to a large extent, because those tests will not be operating on the same environment setup.
Like testing antivirus behaviour when all machines are off.

Honestly it looks like you're trying to enable any and every possible capability on OPN before you have your basics understood and working correctly. Let's go back to the right thread with those basics and don't throw any more spanners in. No "trunking" as you were calling it, no services IDS, IPS, ClamAV, no VPNs, nothing other than a routing appliance. Please.

108
Tutorials and FAQs / Re: Issues with android app
« on: October 12, 2024, 05:03:56 pm »
In case you missed it:
Quote from: Patrick M. Hausen on October 11, 2024, 12:58:03 am
Quote from: MarieSophieSG on October 10, 2024, 11:43:12 pm
The NASes have two network interfaces,
NAS1 has 2x 2,5 GbE and NAS2 has 2x 1GbE, with a failover (if one is down, or one is overloaded, traffic goes to the other)

Each independent from the other, so I can, if I want, connect 1 laptop to 192.168.101.111 as root, and 1 laptop to 192.168.101.112 as user

This is fundamentally impossible in networking. A system cannot have two interfaces in a single network. Period.
One possible cause of your problems.
As for the apps failing with their VPN app whilst in your network, back to packet capture for clues.

109
24.7 Production Series / Re: HaProxy and Crowdsec
« on: October 12, 2024, 04:52:16 pm »
I have also been wanting that for haproxy (new/unknown IPs are checked against the crowdsec API) and have been disappointed that the bouncer is not available for OPN/FreeBSD.
I could very well be mistaken but my reasoning is that haproxy has ports exposed via firewall allow rules, so the firewall has handed over the connection to haproxy. Here is where crowdsec would come to do its thing.
Is that incorrect reasoning?

110
24.7 Production Series / Re: [NOOB] CSRF check failed. [SOLVED] => ReInstall
« on: October 12, 2024, 04:45:02 pm »
Yes, I was going to suggest changing that as a test, but it was a chicken and egg situation.
Glad you're fine again.

111
Tutorials and FAQs / Re: Issues with android app
« on: October 12, 2024, 12:16:38 am »
Great. That diagram works.
So where is the VPN, an app installed on a device, which one?
I thought you meant the VPN was set as a VPN client on OPN to a provider like say Surfshark or even a rented vps. Can you elaborate?

P.S. You seem to have two IPs on the same network for the same device (NAS). That can cause problems, unrelated to these apps though.

112
24.7 Production Series / Re: [NOOB] CSRF check failed.
« on: October 12, 2024, 12:07:28 am »
Let's check the disk usage:
SSH to the machine, change directory to the root, then df -h
Code:
$ cd /
$ df -h
Then let's have a little look at the partitions:
Code:
$ gpart show
Previous:
> On all 5 clients all at the same time ?
No, this web dev tools is useful to delete specific cookies and to analyse the browser-server conversation. Just the one machine being used to diagnose is sufficient.

For seeing if you can trace the login error on the server side you could try (with root permissions):
Code:
# cat /var/log/audit/latest.log | grep 'WebGui'
after the attempt to login. Should leave a trace. 403 Forbidden is good in a way.
Are you logging in as a user you created previously that is not "root"?
If as root and perhaps the password is wrong, you can reset it from the console main menu, option 3

And just so we know the right port and interface where lighttpd is listening can you post also the result of (in code quotes here):
Code:
# sockstat | grep light
Finally, it would be good also to see the ifconfig result:
Code:
# ifconfig
You can redact your public IP if you wish for privacy. We just need the rest.

113
24.7 Production Series / Re: [NOOB] CSRF check failed.
« on: October 11, 2024, 05:47:40 pm »
And still the same issue, right?
Code:
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.
No, don't restore a Boot Environment. This is just a client-side message saying the session cookie has expired, nothing else.
Ctrl+Shift+I on a Windows machine brings up the dev tools console. Refresh the page and see what shows on the "Network" tab of this tool. From there you can also remove the stored cookie ("Storage" tab).

114
Tutorials and FAQs / Re: Issues with android app
« on: October 11, 2024, 05:08:26 pm »
I imagine there are no blocks or they would still be failing. More likely to be some sort of routing problem.
Remember a VPN is another network, albeit one that is inside/alongside another depending on your point of view.
Why did restarting it unclog things? Dunno. Some connection became stale, gremlins, will prob never know.
What you do want to know as an admin is what your network routing setup is with those, i.e. their interactions.
I've mentioned it before, draw yourself a diagram and keep it updated. Easier for everyone when trying to convey a message.

115
Tutorials and FAQs / Re: [NOOB] how to see exactly what is being blocked on a given IP
« on: October 11, 2024, 05:02:13 pm »
Don't suppose you can try off wifi and on the mobile network ?

116
24.7 Production Series / Re: [NOOB] CSRF check failed.
« on: October 11, 2024, 04:30:09 pm »
Just refreshing the page, the problem is not going away?
Some browser extension blocky thingie?

117
Tutorials and FAQs / Re: [NOOB] how to see exactly what is being blocked on a given IP
« on: October 11, 2024, 04:28:20 pm »
ookaaay.. but where do they "work"? I mean, do they work from any other network, not necessarily yours?

118
Tutorials and FAQs / Re: [NOOB] how to see exactly what is being blocked on a given IP
« on: October 11, 2024, 03:37:20 pm »
Quote
Yes, this [NOOB] thread is "general" about how to determine what's blocking, how to see exactly and where to search
While the other is a specific case about specific android apps
Super.

Quote
Both tablet and phone have their own VPN, which works just fine with all other apps as listed, so VPN is not (according to my noob knowledge) not at play here ? 
If the VPN is on, i.e. the connection is established, then yes, it is at play. That is because a VPN that is up alters the route tables, then you have the firewall rules come into play too. Both can interact. For instance, you could establish policy-based routing, whereby some traffic goes over the VPN whereas the rest goes via the non-VPN gateway.
I'm not saying you have done that. I am saying the setup is significantly different.
Can you try those apps with the VPN Off please ?

119
General Discussion / Re: VLANs spanning physical interfaces
« on: October 11, 2024, 02:34:16 pm »
Quote from: Patrick M. Hausen on October 10, 2024, 10:37:16 pm
In the case of epair interfaces they have two ends. One on the host, which is probably a member of some bridge. And one end inside the jail. They are a virtual Ethernet cable.

The IP address is configured on the end inside the jail.

If you type
Code:
ifconfig
on the host, you will find that all of the vnetX.Y interfaces indeed do not have an IP address. So everything is fine.

Possibly apart from your host's physical network interface. If there is an IP address on that one, you should move it to the bridge. Otherwise IPv6 for your host and your jails is not going to work.
Yep, that's exactly how it is. Just the ip in the host side is on the interface not the bridge it is member of.
Luckily I'm not going anywhere near IPv6 until hopefully never.
Everything works fine but I intend on moving the ip to the bridge just for correctness and prevent some problem later.
Thanks and apologies OP for the noise on your thread.

120
Tutorials and FAQs / Re: [NOOB] how to see exactly what is being blocked on a given IP
« on: October 11, 2024, 02:26:40 pm »
We might have two threads for the same thing :) I just replied on the other for a packet capture.
Code:
Only 2 apps are being restricted, everything else goes through (i.e: Brave, FF, Twitter, OurLaws, BB10, Reddit, etc..) [u][b]and both behind their respective VPN[/b][/u] (no VPN set on OPNsense yet)
Whoa! That's significant. What do you mean by "and both behind their respective VPN" ?
Are we diagnosing with a VPN in play here ? That changes everything.
