Recent posts

#1
The popups should not happen since this Apache plugin is compiled in:

https://github.com/opnsense/ports/tree/master/opnsense/mod_proxy_msrpc

Outlook Anywhere should just work the same as in Sophos (fun fact: that module was developed by Astaro - which later became Sophos).

When I tested this while writing the manual, it was still working. Is your setup exactly as described? If not, do it like in the manual.

https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
#2
General Discussion / Re: Port Forwarded Traffic (fr...
Last post by viragomann - Today at 05:03:49 PM
Most probable reason for this behavior is a gateway defined on the LAN interface.
So check the interface settings.
#3
25.7, 25.10 Series / Re: GeoIP with ipinfo stopped ...
Last post by franco - Today at 05:02:07 PM
> I'm deducing that the maximum download exceeded is due to the firewall making multiple attempts to download the file

Yes, because it stopped being able to read the file yesterday:

2025-12-04T11:41:01    Error    firewall    geoip update failed : File is not a zip file
2025-12-03T11:40:08    Notice    firewall    geoip updated (files: 496 lines: 5785121)

Whether or not that's because of the update I doubt at this point. It seems circumstantial.


Cheers,
Franco
#4
General Discussion / Port Forwarded Traffic (from W...
Last post by Enverex - Today at 05:00:40 PM
So I've just noticed an issue I've not experienced on any router before so I'm not sure how to handle it on OPNsense either.

I have a bunch of ports forwarded from OPNsense (as well as NAT reflection enabled so they work from inside the LAN) through to various servers, but in this case I'll focus on the web traffic. Traffic that hits the internal web server from external clients is showing the router's internal LAN IP rather than the IP of the actual remote client.

Any ideas why? I've not created any custom rules other than the port forwards which are set up in the same way as all the guides I've seen.
#5
Quote from: Kets_One on December 01, 2025, 08:25:00 PM
Thanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.

Strangely nslookup of 94.16.122.152 resolves s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesn't explain the source IP.

Update:
Just now a new request was made from 192.168.90.100:123 to a different destination IP: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again I am unable to locate the source IP / host on my LAN. Maybe some Wireshark is in order...


94.16.122.152 is identified as a TOR node, that's why it's on our list :)
#6
German - Deutsch / Re: IPSec site2site neues Setu...
Last post by viragomann - Today at 04:45:17 PM
But you have clearly defined the remote IP and the remote identifier for each connection?

And are they IKEv2?

What does the log say about why the additional connection fails to come up?
#7
25.7, 25.10 Series / os-OPNWAF / Exchange 2019 auth...
Last post by humnab - Today at 04:44:04 PM
Hello,

we're migrating from a Sophos UTM to opnsense-business and trying to replace the Sophos WAF with os-OPNWAF.
Now we have the problem that we get authentication popups in Outlook when we try to connect externally.
After canceling the popups or entering the password 2-3 times, Outlook shows online.
When we do the same with the caddy plugin we have no popups (but no WAF); with the Sophos UTM WAF we also have no popups.

Any idea what's wrong? The Web Protection is disabled in os-OPNWAF, the Locations are configured as "Exchange Server", the Remote destinations with https://IP of Exchange... Thanks!
#8
German - Deutsch / Re: IPSec site2site neues Setu...
Last post by gfroehlich - Today at 04:36:02 PM
That's actually what I thought too, that the ID doesn't matter. But it only worked with the real IP or FQDN.
If I want to leave out the second side entirely, I can only create one PSK and would have to use it for all connections.

I even tried that; in that case, too, only one connection was ever active.
#9
Hope it's OK to jump into this slightly older thread, but my issue is related to that one. I switched to fiber, and my crappy ISP only provides modems/routers with no bridge mode, meaning I also need to rely on placing my OPNsense into this pseudo-DMZ.

If OPNsense has the DMZ-host (private) IP on its WAN interface, what does that mean in terms of fire-walling? Do I lose all information about originating IPs? Will all inbound connections to OPNsense just show the ISP router IP 192.168.1.1? I rely heavily on geo-blocking and additional blocklists, which I cannot afford to lose.

Sorry if this is a bad place to ask, I can start a new thread if this seems like a hijack of that thread.
#10
I'm using unique tokens on all firewalls.

I'm deducing that the maximum download exceeded is due to the firewall making multiple attempts to download the file, which matches the logs.

If I use curl to download the file from another location I see ?token=f2cbc8898bc30a appended to the filename.

I'm also seeing:

In order to use GeoIP, you need to configure a source in the GeoIP settings tab

When I go into the Firewall: Aliases