Messages - cookiemonster

121
Tutorials and FAQs / Re: Issues with android app
« on: October 11, 2024, 02:23:02 pm »
Quote from: MarieSophieSG on October 11, 2024, 12:10:04 am
Quote from: cookiemonster on October 10, 2024, 10:04:00 pm
Ah! Unlikely unless you are doing something wacky with certificates and breaking TLS.
Some of those use certificate pinning.
If it is so, then it's completely out of my wish/control; I just use the tablet the same way I did while connected to my previous router, which was much of a strainer, letting most go through, hence me on OPNsense now.

Quote from: cookiemonster on October 10, 2024, 10:04:00 pm
To me the next step in diagnostic is to do a packet capture and analysis.

I would be happy to oblige; using the search I found "packet capture" and set it up on interface LAN2, IP 192.168.102.103 (Tablet),
and will post it below.
Quote from: cookiemonster on October 10, 2024, 10:04:00 pm
You are using Unbound, right ?
And do they (the apps) give some error or some indication of the problem?
Unbound, yes
With or without blocklist (AdWare, ...) it doesn't change anything.
The app asks for a passphrase, then spins for about a minute and then drops, saying "Sorry, there was an issue processing your request, please try again later", a kinda standard msg.

Right, thanks for this.

Five sections seem right from the header: Interface, Timestamp, SRC, DST, output.
Do me a favour: can you provide the capture in the download format? In other words, set it up and when finished, provide the file instead of this pasted output. That way I can put it in Wireshark and see more easily and quickly.
Interfaces: Diagnostics: Packet Capture (what you did).
Select the interface where the traffic is coming IN from the firewall's perspective, which is the network your client is on.
Select promiscuous. Leave all others as any/defaults except the count; set it to, say, 10000 just to ensure it won't run away.
Then start the capture, trigger what you want to test with the client attached to that network/interface, wait for it to do its thing, then you could open a tab in the browser for instance and navigate to a known place, say google.com, so we have a positive one to compare against on the same capture.
Then stop the capture and download the file (it will possibly be a compressed one). Attach or send it to me if you're more comfortable and I'll give it a check. If you want.
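As an added illustration of the comparison described above (this script is not from the thread or from OPNsense), here is a small Python reader for the downloaded classic pcap file: it lists the DNS names the tablet queried and separates the TCP destinations that answered with a SYN-ACK from those that never replied, which is the "known good vs failing app" contrast the capture is meant to show. The tablet address is the one from the thread; the other addresses, ports, the app hostname and the function names are constructed for the sample.

```python
import struct
CLIENT = "192.168.102.103"  # the tablet's address from the thread

# Builders used only for the constructed sample; IP/TCP/UDP checksums are left zero.
def eth_ipv4(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
def tcp(sport, dport, flags):  # header without options; 0x02 = SYN, 0x12 = SYN-ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
def dns_query(name):  # UDP header + standard DNS A query carrying one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", 40000, 53, 8 + len(msg), 0) + msg

def frames(data):  # classic little-endian pcap: 24-byte file header, 16-byte records
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl
def dns_name(msg):  # first question name; queries carry no compression pointers
    labels, i = [], 12
    while msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode())
        i += 1 + msg[i]
    return ".".join(labels)

def summarise(frame_iter, client):
    """Names the client queried, and TCP targets that did / did not answer its SYN."""
    syn, synack, dns = set(), set(), set()
    for f in frame_iter:
        if len(f) < 34 or f[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        proto, l4 = f[23], f[14 + (f[14] & 0x0F) * 4:]
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        if proto == 6 and len(l4) >= 20 and src == client and (l4[13] & 0x12) == 0x02:
            syn.add((dst, struct.unpack("!H", l4[2:4])[0]))
        elif proto == 6 and len(l4) >= 20 and dst == client and (l4[13] & 0x12) == 0x12:
            synack.add((src, struct.unpack("!H", l4[:2])[0]))
        elif proto == 17 and len(l4) > 20 and src == client and l4[2:4] == b"\x00\x35":
            dns.add(dns_name(l4[8:]))
    return {"dns": dns, "answered": syn & synack, "unanswered": syn - synack}

SAMPLE = [  # constructed: the browser test host answers its SYN, the app backend never does
    eth_ipv4(CLIENT, "192.168.102.1", 17, dns_query("google.com")),
    eth_ipv4(CLIENT, "198.51.100.20", 6, tcp(50000, 443, 0x02)),
    eth_ipv4("198.51.100.20", CLIENT, 6, tcp(443, 50000, 0x12)),
    eth_ipv4(CLIENT, "192.168.102.1", 17, dns_query("api.example-app.invalid")),
    eth_ipv4(CLIENT, "203.0.113.10", 6, tcp(50001, 443, 0x02)),
]
```

On a real download, pass `frames(open(path, "rb").read())` in place of `SAMPLE`; the reader handles the classic pcap container only, so convert a pcapng export first.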



122
24.7 Production Series / Re: [NOOB] CSRF check failed.
« on: October 11, 2024, 01:36:27 pm »
Indeedledy. Just to add:
Usually closing the tab, then opening it again solves it.
Sometimes it needs a new browser session, but rarely.
As Bart says, stale browser session cookie.

123
General Discussion / Re: VLANs spanning physical interfaces
« on: October 10, 2024, 10:21:26 pm »
Thanks Patrick, most useful.
Indeed I have a host where I've been using Bastille to get some VNET jails going.
All is good for them and the IPs are still currently on the members, not the bridge. The members of the bridge are the a sides of the epairs + host interface.
The b sides in the jails have IPs for each jail.
I have it in my to-do to align it to the advice but have always been curious about the reason.
Thanks again.

124
Tutorials and FAQs / Re: Issues with android app
« on: October 10, 2024, 10:04:00 pm »
Ah! Unlikely unless you are doing something wacky with certificates and breaking TLS.
Some of those use certificate pinning.
To me the next step in diagnostic is to do a packet capture and analysis.
You are using Unbound, right?
And do they (the apps) give some error or some indication of the problem?

125
Tutorials and FAQs / Re: Issues with android app
« on: October 10, 2024, 06:26:32 pm »
> For some reason each LAN can't communicate with the others (but that's another thread)
Only the first LAN interface has an allow-all-out rule. New interfaces and networks need it created explicitly.

> Devices on WiFi AP are all Android or IoT, and all have full Internet access.
> But I have 2 apps that can't connect to Internet, but can't see/find any packet dropped, any blocked traffic (or I don't look in the right place)
If all else works on the Android device except the app and no other services on the firewall are enabled, then it suggests the problem is not on OPN, no?
Zenarmor enabled?

126
General Discussion / Re: VLANs spanning physical interfaces
« on: October 10, 2024, 06:20:14 pm »
That said, can someone point me to where to read the background to why we have been saying, for FreeBSD bridges, put the IP on the bridge, not on the members?
I know there is a reference to it in the FreeBSD handbook but I've not yet seen the why.

127
General Discussion / Re: Changing default IP of blocked domains
« on: October 10, 2024, 06:16:33 pm »
No need. Since it is a DNS lookup, when 0.0.0.0 is returned for the domain, the DNS query results in an NXDOMAIN response. At that point the query is finished. No further action is taken by the querying client as it has nowhere to go. The concept of sinkholing.

128
Tutorials and FAQs / Re: [NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3
« on: October 10, 2024, 04:04:41 pm »
Yes, I was going to ask that: what is meant by "can not access"?
It seems each has two IPs on the same network. The device is probably only listening on one.

129
Tutorials and FAQs / Re: [NOOB] how to see exactly what is being blocked on a given IP
« on: October 10, 2024, 10:04:27 am »
You could start by looking in Firewall > Log Files > Live view, but if you can browse, I would expect it to show all positive signs. After all, the firewall looks at network packets only.
More likely something else, either a detection system, i.e. Zenarmor, or something before the firewall like a software misconfiguration.
Do you know what port the app communicates on and is it to the open internet?

130
Tutorials and FAQs / Re: [NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3
« on: October 10, 2024, 09:58:12 am »
I've lost track on this thread. What is the problem and what is the current setup where it manifests itself?
For instance, out of the blue comes what seems to be a VLAN setup. Please describe it, including the setup in OPN and your managed switch for it.

131
Tutorials and FAQs / Re: Using Grandstream ATA HT801 with Telekom Magenta VOIP
« on: October 09, 2024, 11:17:59 pm »
I have a Grandstream HT801 on its own VLAN and I'm in the UK, so the settings might not be of any help to you, but these are the rules I have for it.
You don't need the block rule to 7443. I do it because I don't want to allow it to call the ACS server of the provider. But most users would want that. I happen to have a hand-written config for the device that we don't want to be changed.

132
23.7 Legacy Series / Re: speedtest from cli
« on: October 09, 2024, 11:03:08 pm »
Some options, but the mimugmail one I think installs the CLI one (dependency) if not present.

Code:
penguin@OPNsense:~ $ pkg info speedtest-cli
pkg: No package(s) matching speedtest-cli

penguin@OPNsense:~ $ pkg info speedtest
speedtest-1.1.1.28-1.c732eb82cf
Name           : speedtest
Version        : 1.1.1.28-1.c732eb82cf
Installed on   : Fri May 12 21:09:41 2023 BST
Origin         : fpm/speedtest
Architecture   : FreeBSD:12:x86:64
Prefix         : /
Categories     :
Licenses       :
Maintainer     : support@ookla.com
WWW            : http://example.com/no-uri-given
Comment        : no description given
Annotations    :
Flat size      : 0.00B
Description    :
no description given

penguin@OPNsense:~ $ pkg search speedtest-cli
py311-speedtest-cli-2.1.3      Command line interface for testing internet bandwidth

penguin@OPNsense:~ $ pkg info os-speedtest-community
os-speedtest-community-0.9_5
Name           : os-speedtest-community
Version        : 0.9_5
Installed on   : Tue Aug  6 12:43:50 2024 BST
Origin         : opnsense/os-speedtest-community
Architecture   : FreeBSD:14:amd64
Prefix         : /usr/local
Categories     : net-mgmt
Licenses       : BSD2CLAUSE
Maintainer     : miha.kralj@outlook.com
WWW            : https://opnsense.org/
Comment        : Speedtest
Annotations    :
FreeBSD_version: 1401000
repo_type      : binary
repository     : mimugmail
Flat size      : 36.7KiB
Description    :
An OPNsense wrapper for the speedtest CLI test.
Plugin allows speedtests to be executed periodically
through CRON, generates history of past tests, shows
statistics (avg, min, max) for latency, download and
upload results in the dashboard widget.

133
24.7 Production Series / Re: Should the Services widget match service names to plugin names
« on: October 09, 2024, 01:49:07 pm »
OK, thanks Monviech. One for plugin maintainers. Got it.

134
24.7 Production Series / Should the Services widget match service names to plugin names
« on: October 09, 2024, 11:36:05 am »
Hello.
Version: 24.7.5_3
It might have been asked already when transitioning to the OPN 24 series and new dashboard; if so, apologies.
I find the services in the Services widget, when adding services to show, do not seem to match the services on the left-hand side that are used when configuring them.
Examples:
- Widget: Reverse Proxy and Web Server
I have os-nginx installed and enabled. I imagine this is what the widget is referring to.

- Widget: ddclient
I have both Dynamic DNS and Dynamic DNS (Legacy) installed. Only the new one is enabled, as a result of preparation for deprecation.
Neither matches the entry in the widget listing.

This is only a cosmetic lack of consistency and the new dashboard is actually nice.
So it is a question really: are we expecting them to match, or is this how it is designed to be?

135
General Discussion / Re: I am having trouble with my DNS and NTP settings getting bypassed
« on: October 09, 2024, 10:41:45 am »
I appreciate not everyone's first language is English but your posts are hard to understand. Please see if you can observe the rules of grammar.
Now then for your questions.
> Anyone know a way to hold your preferences in opnsense
If you are not running on a live USB session, i.e. OPN is actually installed, all changes via the UI persist across reboots.

> Using unbound I entered google 8.8.8.8 as DNS, it works a couple times then gets over ridden
Where is 8.8.8.8 entered?
Where does it get overridden?

> Any way to beef up the security of those, thanks
What makes you think these settings are insecure?
