Messages - Wuensch-AG-Adm

#31
Thank you.
I will try this. I had another fight with the OPNWAF - the timeout parameter on the Proxy balancer is missing and every time after an apply I need to change the config file like this
BalancerMember https://xx.xx.xx.xx connectiontimeout=xxx timeout=xxx

I will try as soon as our customer is less active on the application server.
And one question about the use of modsecurity_ruleid.json:
If we update/upgrade our appliance and the system, won't this file change or be rewritten? Because right now it's our main problem.

Thank you ahead.
#32
Hi,

right now I'm pretty busy with system migrations. We are still using the proxy as simply as we could get it (http), no opnproxy and no sso. We are using the OPNsense like we could use a pfSense, I mean with almost no plugin.
Have you had any answer from the support on this topic? After the migrations I will look for an alternative (maybe I will set up myself a server with all the options that I need), because in my opinion it's really too light as it's configured.

Regards,
Joel.
#33
Dear Opnsense Community,

Is there a way, as with NGINX and Naxsi, with the OPNWAF Web Application Business plugin to limit the simultaneous connections of an IP for the proxied applications?
It's a well-known needed security feature of web application proxies. It's possible that it is present in the plugin, but I've found nothing. Maybe it's possible on another layer of the OPNsense Firewall or in another plugin.

Thank you ahead,

Regards,

Joel.
#34
Hi,

there is no output.
The Version is: 25.4
-> the only output with grep is in apache24 level folder -> modsecurity.conf
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

On GitHub and in many forums, it is pointed out that this rule triggers many false positives. Why is this rule not set up as information only by default?
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827
https://community.sophos.com/sophos-xg-firewall/f/discussions/136863/false-positive-which-can-t-be-skipped
https://stackoverflow.com/questions/77583424/modsecurity-multipart-boundary-false-positives

Thank you for your help.

Regards,

Joel.
#35
Hello WireShire,

We have disabled the business functionality because it is simply useless to us.
With the new version 25.4.1, we are experiencing even more problems and cannot find a solution ourselves, as there is no useful documentation on this topic.
We are considering using another solution that we can rely on more. I think that this is unfortunately just one example of how the modularity of a solution is not always an advantage.

Quote from: wirehire on June 14, 2025, 06:21:51 PM
Hello Joel,

we also bought a Deciso Appliance. And we also want to use squid as a forward proxy. With the opn-proxy business plugin we think it has the complete function that we want.

But we also don't understand it fully. We try different settings, but we also see policy fallback allow, and don't know where it comes from.
We have a * block and test one single site allow, but when we change IP or different, the policy fallback allow rule comes.

When we delete custom rules, apply, restart or stop the plugin and start it again, the policy tester shows the old custom rules and says allow.
How can we clear the cache from the tester? I thought it's a business solution, not one time it functions, one time not.

The wiki is not good for the product. It must have examples for a default business-like scenario with block all, and allow custom different sites.

Do you have a final resolution? Or can someone that has used the business proxy settings share pictures?
#36
For us, there was no other solution than to disable the transparent proxy and use the proxy with the simplest options on IPs.
The proxy with username and password does not work at all (LDAP AD); it can import the users but does not recognize the user's password when they try to log in.
We had this feature and it worked flawlessly with Sophos for almost 7/8 years without any interruptions;
we had a presentation saying that OPNsense could easily replace the Sophos appliance, I'm not sure anymore.

This is already the third time I have had to change the proxy configuration after an update/upgrade was performed on the proxy, and each time we lose functionality.
@elenagilbert: I will dig into this, but I cannot only focus on OPNsense right now.

Thank you all for your help.
Regards,
Joel.
#37
Thank you for your reply, Patrick.
I will continue to try to use all communication channels. I don't consider this forum to be a support platform. Perhaps someone else has already had this problem.
We purchase business appliances in order to have stable versions and fewer or no problems with troubleshooting. The support channel would be intended for us if we needed to set something up and it wasn't working, but that wasn't the case this time.
Regards.
#38
Dear Community and OPNsense Team,

we have bought a Deciso / OPNsense Appliance, the Business Edition, to always receive a stable version of the system and of the plugins too (normally they're tested on the community version).
Today during the maintenance, we upgraded our appliance to version 25.4.1 and after the reboot the squid plugin doesn't work anymore.
Version: os-squid 1.2
A segmentation fault warning, and it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company has no Internet without a chaotic passthrough that I need to set up urgently.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If not, for the Business customer we need the list of the Business plugins that we can use (when we are buying the appliance, for example).

Here is the info on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan? If we need to quickly restore.
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the squid proxy but the problem is still the same because of the NAT that squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you ahead for your help.

Regards,

Joel.
#39
I've found there is no ProxyPass Timeout global parameter. Is it possible to implement the parameter?
Is there a command to restart only one of the proxy and not all at once?

Thank you ahead.

Regards,

Joel.
#40
Dear OPNsense Community,

for one week, every request that takes longer than 30 sec is reset or finalized and we are receiving an AH00989 from the OPNWAF Business plugin. The service is active on an official Deciso OPNsense appliance. If it's less than 30 sec, it will work. I've set up on the location a connection timeout of 300 secs. I've no clue what could reset the connection every time after 30 secs. It seems that some FIN packets are sent from the OPNsense OPNWAF too quickly. There's another error but it's less often: AH01102: error reading status line from remote server xx.xx.xx.xx:xxx. My colleagues have confirmed that there's a 502 proxy error in the Edge browser after 30 secs.
I've checked the status of the application server. The server responds and is available for the OPNWAF. The system has worked flawlessly without OPNsense for more than 3 years (it was an Apache proxy system too), that's why I'm a little perplexed with this case. The worst for us: that's a system already in production.

Could you please give me a hint where I can look in OPNsense to fix this?

Thank you ahead,
Regards,
Joel.
#41
Dear OPNSense Community,

I'm trying to use one of our Business OPNSense in transparent bridge mode in one of our DMZs. The bridge will work until I reboot the system. The appliance is an official Deciso OPNSense DEC3842.
The topology is not so complex, but more complex than what we find on the internet and in forums in general. It's a 3-tier environment and OPNSense isn't used for NATing. I've tried to integrate the OPNSense to scan the traffic (IPS/IDS, CrowdSec and the firewall) between the 1st and 2nd hop of our networks.
Every time I restart the appliance, I have to save the bridge interface again to restore the connections behind the OPNSense. If I don't do that, I can't access the various applications, remote sessions and https interfaces. It works for about 2 or 3 days, then the connection is lost again. I press the "save" button and it works again.
The online applications are working without that because they're proxied by the OPNSense, but our internal connection between the networks does not. What is really strange, and that's why I believe it's a problem with the OPNSense, is that I can access the UI of the OPNSense and nothing behind it (the last time); sometimes I can access some of the UIs / RDP.

I've found a second problem and I think it's an effect of this bridge problem. If I don't save the parameters from suricata again (IPS/IDS), the logs are filled with thousands of these lines: [101142] <Error> -- bridge0: error reading netmap data via polling: No buffer space available
Sometimes it's written also with bridge0^. I've found something about it on the internet, but it doesn't match my case.
I just need to save the suricata configuration and it's gone and works as it should.

The topology looks something like this: 1st Hop Router (with NAT) -> OPNSense as transparent bridge + proxies connected to some Web Apps -> 2nd Hop Router (with NAT) -> application servers etc...

It seems that OPNSense is interfering with something in the communication between the routers. I've suspected something with ARP, but the last test with some static ARP entries (neighbors) has failed. Before the OPNSense we had a Sophos XG (in bridge mode too) and it has worked flawlessly. But with the EOL it was the time to change.

The only solution for me was to save the bridge and the IPS/IDS configuration again (interface bridge+lan).

Could you please help me?
I'll go into detail, when some information is needed. But it could be a really long topic, so I made this summary.

All the best

Regards

Joel T.
#42
Dear Community / OPNsense Team,
currently we are trying to publish our own web application through the OPNWAF (Apache + ModSecurity) and we have a problem that remains unsolved even with the latest version.
There is a core rule that blocks our web application and we cannot upload anything bigger than 8MB with the web application.
The triggered core rule is the id 200004. We have found that this rule often generates false positives (example https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827), but with the OPNWAF Business we have no possibility to disable this rule (thanks, by the way, for the "disable security rules by id" combo box). We are trying to use the Business OPNsense functions (paid functions) as professionals. What are our possibilities in this case?
-> We know that we can edit the conf and comment the rule, but this isn't really a professional solution and the next time that we update our firewall, those comments will be gone.

I hope you can provide us a solution or give us a hint to avoid this kind of problems.

Thank you ahead
Regards,

Joel T.
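Posts #34 and #42 both ask how rule 200004 (the multipart unmatched-boundary check, which ships in modsecurity.conf with a `deny` action) can be made log-only or disabled without hand-editing the generated modsecurity.conf, which the next template regeneration overwrites. The fragment below is the standard ModSecurity 2.x (Apache module) mechanism for that, added here as an example; it is not from the original posts and not part of the OPNWAF plugin. The file path is a placeholder, and it is an assumption that the plugin's generated Apache configuration includes such a custom file after modsecurity.conf; the page does not confirm that.

```apache
# Added example, not part of the original posts or of the OPNWAF plugin.
# Assumption: this file is included by the generated Apache/ModSecurity
# configuration AFTER the file that defines rule 200004 (modsecurity.conf),
# because SecRuleUpdateActionById / SecRuleRemoveById only act on rules that
# have already been loaded. The path is a placeholder, not a plugin path:
#   /usr/local/etc/apache24/modsecurity.d/zz-local-overrides.conf

# Option A (preferred): keep the rule but downgrade it from deny to log-only.
# "pass" replaces the rule's disruptive action "deny"; log/auditlog keep the
# event in the ModSecurity audit log, so uploads that trip the multipart
# parser remain visible for investigation while legitimate uploads are no
# longer answered with a 403.
SecRuleUpdateActionById 200004 "pass,log,auditlog"

# Option B: remove the rule entirely (no block, and no log entry either).
# Only reasonable if the log-only variant is still too noisy, because it
# removes all visibility into malformed multipart bodies.
# SecRuleRemoveById 200004

# Option C: limit the exception to the one upload endpoint that needs it,
# so the rule stays in deny mode for every other path and vhost.
# <Location "/upload">
#     SecRuleRemoveById 200004
# </Location>
```

After reloading Apache, a request that previously returned 403 with msg 'Multipart parser detected a possible unmatched boundary.' should go through, and with option A the same message should still appear in the audit log with the pass action, which is the way to confirm the override is actually being loaded after modsecurity.conf rather than silently ignored.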
#43
I have some news, here. I've tried to activate the proxy in windows with the fqdn and port of the OPNSense and somehow it "works". The problem is that the websites are randomly blocked and I cannot understand which of the rules is triggered, when the website is blocked.
For example... I've put the website of thomas-krenn.com in the whitelist ACL of squid and in the custom whitelist (allow) ACL of the OPNSense Advanced PROXY (os-OPNProxy) and I'm still blocked on the computer where I've setup the proxy in Windows. How it's possible... I don't know.

In the Log (Access Log) I have something like that:
IP - MAC ADDR USERNAME@DOMAIN "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" NONE_NONE:HIER_NONE
IP - MAC ADDR USERNAME@DOMAIN "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
USERNAME@DOMAIN is in a group in a custom allow rule

Policy tester:
{
  "message": "OK user=\"User\"\n",
  "user": {
    "uid": "User",
    "id": "2020",
    "applies_on": [
      "u:User",
      "g:Group One",
      "g:Group Two"
    ]
  },
  "policy": {
    "action": "allow",
    "policy_type": "fallback"
  }
}
I'm sure that this website isn't in a blacklist.

Is there a possibility to have a log that write which of the rule is triggered?

It's pretty hard to administrate the webfilter like that.

I've followed this to implement the OPNProxy: https://docs.opnsense.org/manual/opnproxy.html
But it seems that this isn't enough for the web proxy to become fully configured.

Thanks ahead.

Joel T.

#44
Dear OPNSense Community,

We have purchased a DECISO appliance with a Business license to replace our Sophos UTM. We thought that it would be possible to replace the Sophos UTM Webfilter (transparent with LDAP) with the OPNSense plugins (WEB PROXY + OPNPROXY + SSO). But it doesn't work for us right now. The Business plugin OPNPROXY could be the solution. It seems that the plugin cannot work with the SSO plugin. That's really sad. We have set up the Access control but nothing is applied as it should. The policy tester is working, but in reality nothing is filtered in the browser. It's as if the OPNPROXY plugin isn't enabled or present, and I've set up a lot of rules. The WEB PROXY is working as it should.
Is it right that this Business plugin cannot work with SSO? (AD)
If yes, I think that's the biggest lack of feature in this plugin. If no, what could I've missed, please?

Thanks ahead,

Regards,

Joel T.
#45
Intrusion Detection and Prevention / Re: NetMap Error
November 22, 2024, 11:01:05 AM
I've no OPNsense in a vm. We have Deciso full hardware and we had the same problem.
I've just added the WAN interface in the Intrusion Detection settings and now the log went silent about this problem.

I hope it'll help

I've started another thread about that because I had a combination of problem after the upgrade:

https://forum.opnsense.org/index.php?topic=44178.0