Recent Posts

1

General Discussion / Plex port forward only works with filter association set to pass

« Last post by mkono87 on Today at 01:29:48 am »

I just wanted to double check with the community here. When I moved recently I switched to opnsense, I did my normal port forward but then was getting complaints from family about getting indirect connection. I noticed the port was still closed. When i changed filter association to pass it opened the port. I had pfsense before and never did this nor does my other current forwards have that, they are set to none. Is this normal. Here is my Nat forward.

2

Zenarmor (Sensei) / Sensei stuck on initializing

« Last post by lignumaqua on Today at 01:15:07 am »

New install of Sensei on OPNSense 21.7.3_3 using external ElasticSearch database. Install looked to go OK, worked successfully through the wizard, but now the Sensei GUI page is stuck on 'Initializing...' It's been like that for over an hour. Tried rebooting OPNSense but Sensei still says initializing.

Is it normal to take so long to initialize? How do I find out what the problem is?

(It has also killed the responsiveness of the OPNSense GUI. Now taking many 10's of seconds to open a page)

3

21.7 Production Series / Issue with web-interface Wireguard endpoints

« Last post by DEGABB on Today at 12:28:35 am »

Hello!
I found the problem with the Wireguard web interface.
OPNsense web-interface (v21.7.3_3-amd64) allows enter endpoint address without port.
So if you did it your Wireguard server will not work.
I was looking for the problem for so much time. Then I was trying to restart the wireguard service from CLI.
That is what I saw  :

Unable to find port of endpoint: `188.168.138.101:'
Configuration parsing error

So I think the web interface should ask you to fill the "endpoint port" field if you entered the endpoint address.

Sorry for my English.

4

Web Proxy Filtering and Caching / Re: NGINX Reverse Proxy - Upload performance [Nextcloud]

« Last post by doktor_g on Today at 12:15:15 am »

Same here. Said settings can be made by the Nginx menu, under location.
But speed isn´t much better. In my case, a few kBs...

5

General Discussion / System Logs

« Last post by spetrillo on Today at 12:06:44 am »

Hello all,

I found the /var/log directory for the logs but which log shows me what comes up on my monitor when booting the system? I thought I saw an error and wanted to go through it.

Thanks,
Steve

6

General Discussion / Feedback regarding LDAP Implementation

« Last post by kayson on October 20, 2021, 10:03:26 pm »

I've been using pfSense for a while and decided to check out OPNsense largely because of this issue, but also because I want to support the openness of OPNsense (hah!). So far most of the setup process has been painless, and there is a lot to love! LDAP, however, leaves a bit to be desired.

I'd like to demonstrate why by illustrating how easy and straightforward the setup is in pfSense:

• Add LDAP Authentication Server
• Add a Group with "Scope: Remote" whose name corresponds to an LDAP group (and you can have spaces!) and assign appropriate permissions
• Configure administration acccess to use the LDAP server

That's it! There's no synchronization to the local database or user creation needed, nor should there be; LDAP should be the single source of truth for user information.

OPNSense's implementation is frustrating for a few reasons: group names can't have spaces, which means I have to not only change the group name in my directory, but also any other service that used that group for ACL (in my case, this was pfSense).

Synchronizing groups and importing users is clunky and unintuitive. It's also not consistent (importing via the users page shows the DN, but if you do automatic user creation, it does not). Finally, if a user is removed from LDAP, it is not removed from the synchronized local copy. The documentation notes that this feature is enabled in the business edition, but I'd point out that this is effectively how pfSense works in the community edition (no manual removal needed).

Setting it up was rather painful, and now I find myself considering sticking with pfSense, which has a broken DNS implementation, over using OPNsense.

The synchronization requirement (and group names not able to have spaces) suggests to me that LDAP is sort of an addon that creates local users/groups so it can leverage existing authentication code. I haven't had a chance to dig through the source yet, but I'm curious if there are any fundamental technical limitations that require the implementation to be this way. It would be fantastic if the support for LDAP were first class, meaning it does not have any dependence on local authentication, and does not require user creation or group synchronization.

If the team is interested in improving this, I'd be happy to contribute whether its the code itself, or if that's beyond my skills, sponsoring another developer to do so.

7

Virtual private networks / Re: OpenVPN on Multi-WAN Environment

« Last post by _Alchemist_ on October 20, 2021, 08:41:00 pm »

I am using this with my dual WAN setup (1x cable, 1x dsl):

Firewall --> NAT --> Port Forward
--> Add (+)

- Interface                                WAN1
- Protocol                                 UDP
- Destination                            WAN1 address
- Destination port range           from:                to:
                                                OpenVPN        OpenVPN
-  Redirect target IP                 Single Host or Network
                                                127.0.0.1
- NAT reflection                        Use system default
- Filter rule association             Add associated filter rule
- Save

--> Add (+)

- Interface                                WAN2
- Protocol                                 UDP
- Destination                            WAN1 address
- Destination port range           from:               to:
                                                OpenVPN        OpenVPN
-  Redirect target IP                 Single Host or Network
                                                127.0.0.1
- NAT reflection                       Use system default
- Filter rule association            Add associated filter rule
- Save


VPN --> OpenVPN --> Servers
--> Edit

- Interface                                Localhost
- Save

8

21.7 Production Series / Re: DHCPDv6 whining about no IPV6 address on an interface designated NO IPv6

« Last post by lrosenman on October 20, 2021, 08:24:26 pm »

I've got the debug logs.  Is there a place on the system I can grab the files?  I have the circular logs turned off.

I'd like to get the files and have y'all look at them.

9

21.7 Production Series / Re: dpinger not running for WAN_DHCP6

« Last post by bimmerdriver on October 20, 2021, 06:45:38 pm »

Hi Franco,

I installed the patch and rebooted. The behaviour is the same.

Previously, I had reverted to the previous checkpoint and upgraded again. dpinger started properly after the initial reboot immediately after the upgrade. When I rebooted it again, dpinger did not start.

Let me know if I can provide any further information or if you want, you can take a look at the system remotely.

Cheers.

10

Zenarmor (Sensei) / Re: Country Blocks

« Last post by jclendineng on October 20, 2021, 06:44:24 pm »

This is right.  Any actual (most at least) attacks come from proxy/vpn in other countries.  The best bet is leave China/Russia blocked in pf, then do actual fine tuning of suricata for attack sigs and sensei or something else for proxies etc.  I personally use all the above, I have firehol levels 1-4, proxy and an aggregate list from 0 day reports among other aliases in pf, and sensei for everything else.  Firewalls are multi layered and there isnt a 1-stop shop for everything.