Recent Posts

1

General Discussion / Re: Problem with Captive Portal

« Last post by andreadepau on Today at 10:04:21 am »

Ok, i've troubleshoot the problem and found that:

1. disabled captive portal
2. removed captiveportal sqlite database
3. enable captive portal

this create a new one captive portal DB with the zone number structure.
Now portal works great, but not for HTTPS sites.

There is a way to redirect the https traffics through captive portal?
Otherwise, there is a way to open the captive portal in other Windows, then forward to another page in the browser?

Thank you very much.

2

19.7 Production Series / Re: Does HAProxy cache?

« Last post by Taomyn on Today at 09:56:51 am »

haproxy is a load balancer and reverse proxy. It does not cache.

Check your http2 settings. Do not enable them in haproxy if back-end servers do not support it. At least firefox has problems with this protocol mismatch

Thanks for the confirmation and the tip - HTTP2 was indeed enabled and disabling it suddenly made my webmail application work again. But I've been here before and it may stop working again a few days later. I have notified the developer and will see how it goes.

3

19.7 Production Series / Re: What doese "kernel: Error(127)" mean on startup?

« Last post by hirschferkel on Today at 09:48:37 am »

Hi Franco,

actually I'm not familiar to use the console during boot sequence... I probably have access to, but I do not know how to specify the issue?

Best, hirschferkel

4

Tutorials and FAQs / Re: Help on my first setting - no internet

« Last post by tronix on Today at 09:39:22 am »

If I stay on firewall and try to ping (Interfaces/Diagnostics/ping)

ping default and WAN to 8.8.8.8: 0% packet loss
ping LAN to 8.8.8.8: 100% packet loss

ping default, LAN and WAN to 192.168.1.100: 0% packet loss

Isn't this a strange behavior?

I expect the opposite behavior: ping WAN to host blocked and ping host to WAN allowed

Luca

5

Intrusion Detection and Prevention / Re: Suricata blocking crashes OPNsense 1.19.4 and some earlier versions

« Last post by AdSchellevis on Today at 09:37:25 am »

Some people prefer Sort, I don't think there's much we can do about that, we're not considering adding it to OPNsense for multiple reasons (such as a good relationship with Suricata, progress within the project, ease of support). Adding multiple options has the downside of efforts being divided between modules, which eventually would not benefit both in this case.

Some features should be possible in the future, with proper network segmentation it might be an option to add https://suricata.readthedocs.io/en/suricata-4.1.4/configuration/multi-tenant.html at some point in time, to support different policies for different network types (for vlans this should already be possible, per device unfortunately not, when using IPS).

AppID would probably be challenging, we do support some rules ourselves (https://github.com/opnsense/rules), some commercial sets probably have rules too, but implementation would likely be different.

We really try to keep IDPS accessible for less experienced users, which is also a reason to be careful with adding a lot of knobs and handles in the interface, advanced users can add custom options in a custom.yaml by the way (which is a method we often provide in our modules).

Best regards,

Ad

6

19.7 Production Series / Re: Use Let's encrypt for FreeRadius

« Last post by scream on Today at 09:22:42 am »

What's bad with public Cert. for 802.1x?

7

German - Deutsch / Re: VoIP Probleme nach Modemwechsel ..

« Last post by Nyana on Today at 09:01:59 am »

äh, ne .. die OPNSense macht doch die Portfreigaben ..!? Wir reden hier nicht von einer DMZ, ja?

8

German - Deutsch / Re: VoIP Probleme nach Modemwechsel ..

« Last post by mimugmail on Today at 08:43:13 am »

Naja, irgendwas hat die erste Fritzbox anders gemacht. Wenn du eine Einwahl auf Vigor hast muss die OPN erst Mal als exposed Host hinterlegt sein. Ist das so?

9

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« Last post by opnsenseuser on Today at 08:20:15 am »

@mb i replied to a few emails from your colleague! (html/css)
but i think he didn´t get my mails?
Any Problems on your/his email Server?

anyway..

1. i only found one margin problem in the sensei html/css code.
For the main color modification i made a pr on github for Tukan/cicada themes which will be released in the next opnsense Firmware update!
2. the active menu problem i fixed and i made a pr too. this is already merged. it will be also released in the next firmware update!

regards rené

10

19.7 Production Series / Limiter works but Scheduler does not match any traffic for CARP

« Last post by ruffy91 on Today at 08:02:04 am »

I have the following configuration:
OPNSense A-----|
                        |-------DSL Router
OPNSense B-----|

The OPNSense have a VIP 10.99.224.10 and the DSL router has 10.99.224.1

I set up the following Shaper configuration:



When looking at the status I can see that the rules match no traffic to the Schedulers:

Code: [Select]

Limiters:
10000:  35.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
 sched 75536 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0     12498 18565328 32 46555 274
10001:   9.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
 sched 75537 type FIFO flags 0x0 0 buckets 1 active
  0 ip           0.0.0.0/0             0.0.0.0/0       68     2871  0    0   0


Schedulers:
10000:  35.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
 sched 10000 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 300 limit 1000 flows 1024 ECN
10001:   9.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
 sched 10001 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 300 limit 600 flows 1024 NoECN
The rules are set like this (direction in respectively for down):


As I am doing NAT masquerading to 10.99.224.10 for everything I treid setting the rules to match both direction and instead set source (respectively destination for the other direction) to the VIP 10.99.224.10 but then neither Limiter nor Scheduler showed any traffic, which I understand as that my rules are correct but they are not matching correctly for Schedulers.