Messages - kozistan

#31
Hi, I can start a new topic, but anyway, before that I'll try to ask here.
I'm trying to use the API for adding a new CSO.

The client has made a successful request, as code 200 is the answer, but at the end of the response is {"result":"failed"}.

Here is the curl command:

curl -v -k -u "key":"secret" \
-H 'Content-Type: application/json' \
-X POST "https://firewall.ip/api/openvpn/client_overwrites/add" \
-d '{"enabled": true, "common_name": "test.user", "server_list": ["OVPN-IN (52002 / UDP)"]}'

Could someone help?
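An added example, not code from the original post or from OPNsense itself: a small Python client that sends the same override as the curl command above but judges the outcome by the JSON body rather than the HTTP status, which is 200 for both outcomes. It assumes the OPNsense MVC API convention that a successful add returns {"result":"saved","uuid":...} and a failed one {"result":"failed"} with an optional "validations" map, and that the item has to be nested under a model key (assumed to be "cso"; check the API reference); host, key and secret are placeholders.

```python
import base64
import json
import urllib.request

# Placeholders: put your firewall host and API key/secret here.
FIREWALL = "firewall.ip"
API_KEY = "key"
API_SECRET = "secret"
ENDPOINT = f"https://{FIREWALL}/api/openvpn/client_overwrites/add"
# Assumption, not stated in the post: OPNsense MVC add endpoints read the
# item from a top-level model key; "cso" is assumed for client overwrites.
MODEL_KEY = "cso"


def build_cso_payload(common_name, server_list, enabled=True):
    """Same fields as the curl body above."""
    return {"enabled": enabled, "common_name": common_name,
            "server_list": list(server_list)}


def wrap_for_api(item, model_key=MODEL_KEY):
    """Nest the item under the (assumed) model key the endpoint reads."""
    return {model_key: item}


def parse_api_result(body):
    """HTTP 200 is not success here; only result == "saved" is.
    Returns (ok, detail): uuid on success, validations (may be empty) on failure."""
    data = json.loads(body)
    if data.get("result") == "saved":
        return True, {"uuid": data.get("uuid")}
    return False, {"validations": data.get("validations", {}), "raw": data}


def add_cso(item, key=API_KEY, secret=API_SECRET, url=ENDPOINT):
    """POST with basic auth; certificate verification stays on (no curl -k)."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(wrap_for_api(item)).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, parse_api_result(resp.read().decode())


if __name__ == "__main__":
    status, (ok, detail) = add_cso(
        build_cso_payload("test.user", ["OVPN-IN (52002 / UDP)"]))
    print(status, "saved" if ok else "FAILED", detail)
```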
#32
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:48:29 PM
Sorry about that, I just wanted to be as clear as possible, and... At least now we know.
#33
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:39:14 PM
Quote from: cookiemonster on February 19, 2025, 04:51:14 PM
Same thing, being called different ways. From reading the thread "there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM."

- directly on the interface in the virtualizer = let OPNsense itself tag the packets and remove the VLAN settings from the virtual interface

and of course the expected "opposite":

- "KVM level" = VLAN tagging by the hypervisor (KVM in this case) and OPN blissfully unaware

This was just an answer for @viragomann, I didn't want to get much into it. This does not have anything to do with my issue, because the firewall can see the VLAN and is accessible; I just wanted to be clear about the whole setup. Anyway, my problem is still ongoing and I have no idea what I'm doing wrong.
#34
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:27:28 PM
Quote: What's a segment tag?
VLAN, network segmentation.
#35
General Discussion / Re: DNS forwarding issue
February 19, 2025, 11:27:11 AM
Quote: Can you describe this more clearly, please?

Certainly, there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM.

Proxmox level:
/etc/pve/nodes/pve/qemu-server/XXXXX.conf
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0,tag=10

dc01 ~
> # nmcli connection show
NAME    UUID                                  TYPE      DEVICE
enp6sXX  XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  ethernet  enp6sXX

KVM level:
/etc/pve/nodes/pve/qemu-server/XXXXX.conf
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0
> # nmcli connection add type vlan con-name vlan0.10 ifname vlan0.10 dev enp6sXX id 10

> # nmcli device status
DEVICE      TYPE      STATE                  CONNECTION
vlan0.10    vlan      connected              vlan0.10

> # nmcli connection show
NAME        UUID                                  TYPE      DEVICE
vlan0.10    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  vlan      vlan0.10

Quote: This might indicate an asymmetric routing issue.

Run a packet capture on the client side Interface and sniff the DNS traffic to see, what's really going on.
Will try later today.
#36
General Discussion / Re: DNS forwarding issue
February 19, 2025, 07:58:26 AM
Hi and thanks for the reply.

Quote: Is the alias of the type "hosts"?
Yes it is.

Quote: Is this the correct interface?
This one, the clients are connected to?
This is also correct, the iface has a static IP and Kea is serving DHCP on that segment.

Quote: Did you try to explicitly set the pool options to "round robin"?
Yes, round robin with sticky address and also the default option, which, based on the docs, is "round robin".

--

Also, it would be good to mention that once my DNS server iface is tagged at the Proxmox level, it is working.
Once I tag the segment within the KVM, it's acting as described: reply from unexpected source.
Proxmox's Open vSwitch is set as simple L2, so L3 routing is only done by OPNsense.

Quote: I tested bypassing OPNsense and configured L3 on the switch, and everything started working
Whatever level I tag the iface at, this is working.
#37
General Discussion / DNS forwarding issue
February 18, 2025, 08:54:17 PM
Hello,

I'm having an issue with my internal DNS running on Samba AD, which is in a different segment than the queried DNS servers.

nslookup nic.cz
;; reply from unexpected source: 10.10.0.11#53, expected 10.10.0.12#53
;; reply from unexpected source: 10.10.0.11#53, expected 10.10.0.13#53
Server: 10.10.0.11
Address: 10.10.0.11#53

I have configured port forwarding in OPNsense according to this guide, but instead of querying 127.0.0.1, I use a host alias "DNS-Services" that includes my internal Samba DNS servers (10.10.0.11, 10.10.0.12, 10.10.0.13).

Port Forwarding Settings:
   •   Interface: vlan0.10
   •   Protocol: TCP/UDP
   •   Destination / Invert: Checked
   •   Destination: vlan0.10 net
   •   Destination Port: DNS
   •   Redirect target IP: DNS-Services
   •   Redirect target port: DNS
   •   NAT reflection: Disabled

I tested bypassing OPNsense and configured L3 on the switch, and everything started working. This makes me confident that the issue is on the firewall.

Could you point me in the right direction and help me identify where I'm making a mistake?
#38
I'm back, template downloading is working again, so the patch helped, but the issue with redirecting is still ongoing.
After a day of testing and troubleshooting the redirection issue, I haven't been able to find a solution. However, I can share my observations:

   •   Captive Portal is running and can be manually accessed via https://captive.domain.name:8000, the certs are OK.
   •   After connecting to the network, the login page does not appear automatically – the user must manually enter a URL to be redirected.
   •   Both HTTP and HTTPS behave the same way, switching Captive Portal to pure HTTP does not solve the issue.
   •   Testing with http://captive.apple.com only works once
           •   The first time I enter this URL, I am redirected to the Captive Portal.
           •   If I enter it again (without restarting the client), no redirection occurs.
   •   Entering the same address twice in a row does not return the user to the Captive Portal.

Any idea?
#39
Thanks for the patch, franco, confirming - no issues so far.
#40
Found some PHP errors in the OPNsense crash reporter:

[04-Feb-2025 08:43:07 Europe/Prague] Error: Class "OPNsense\CaptivePortal\Api\SanitizeFilter" not found in /usr/local/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php:91
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\CaptivePortal\Api\ServiceController->getTemplateAction('6502116055eda')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#3 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/captivepor...', Array)
#4 {main}
#41
In the previous version of OPNsense (24.7.12), the captive portal functioned as expected. A client would connect to the guest network, and a pop-up window with the login page would automatically open. This worked reliably across all operating systems.

Now, after updating to 25.1, the pop-up does not appear. It can be bypassed by manually entering any web address in a browser, which triggers a redirect to the login page. However, this does not always work consistently. I often have to refresh the page multiple times, disconnect and reconnect to Wi-Fi, or switch browsers to get the login page to appear. This behavior is highly unreliable for a production environment.

Another issue is that I can no longer download templates, neither the default ones nor the custom templates I have added. I haven't changed any settings—this issue only appeared after the update.

Additionally, there has been a long-standing issue with session timeouts. Even if I set Idle timeout to 0 and Hard timeout to 10080 (a week), the settings are not applied. When a client disconnects, they must log in again, despite the timeout settings.

My configuration is entirely standard, and I use both vouchers and an external RADIUS server for authentication. I originally followed the OPNsense documentation when setting it up.

Has anyone else encountered the same problem? Or even better—found a solution?
#42
Hello all, I've been struggling for weeks with forwarding traffic to a WireGuard gateway. When I create a rule on the segment interface, it works, but it directs the entire segment to the WireGuard gateway. What I need is to configure it so that a client computer using the SwitchyOmega extension in Chrome (an HTTP proxy within the browser) on port 8100 is forwarded to this gateway.

The question is whether I need to use Squid—which, at least in the pfSense GUI, doesn't seem capable of this—or if I should use SNAT and DNAT rules to route traffic from the client, translating port 8100 to 80 and 8101 to 443, for example.

I've tried countless combinations, but none of them worked correctly, likely due to my insufficient knowledge of the issue.

In the attached screenshots, you can see the configuration of the SwitchyOmega extension in the browser, where the address 10.2.0.1 is the WireGuard gateway connection, and its physical local address is 10.2.0.2.

Would really appreciate any help with this.
#43
Got it, 1st address server, 2nd broadcast, so that's why +2.

So in the server config the topology option needs to be tagged, then client overrides are set to x.x.x.x/24.
#44
Hi, I'm using the Force CSO Login Matching option to use the username as CN because I need to set a static IP for the connection. It's kind of working, it's just that the client always gets +2 as an IP, so whenever I set the IP to 172.16.100.100, it gets 172.16.100.102. No overrides are set there.

Also, when I change the IP I can't connect again, with a TLS handshake failed log.

Any advice?
#45
Got it, everyone. After re-reading my message, I realized it needs Enigma to decode :)

It's simple in the end: I need to forward HTTP/HTTPS traffic to multiple VPN gateways.

There's no specific filter based on redirection to the correct gateway, and that's the challenge. So, I thought of using a proxy to forward traffic to the gateway interfaces. Users could then choose a browser profile with the necessary proxy settings, allowing them to use the Proton connection configured on the OPNsense firewall.

I just installed Squid on a Debian KVM with the forward option, and it works as I need it to, so the challenge is resolved. After a few days of experimenting, I'm just curious whether this could be done directly on OPNsense.