Recent posts

#21
German - Deutsch / Dynamic WAN IP - info mail ...
Last post by viragomann - Today at 02:44:04 PM
Hello,

Since I already run two Business Editions, I have now ventured to migrate my home firewall from pfSense to OPNsense as well.
This is the first time I am confronted with a dynamic WAN IP (PPPoE) on OPNsense. I have managed to trigger the IP change at a time of my own choosing, but I would like to be passively informed about a new IP.

Is there a way for OPNsense to automatically send me a mail with the new WAN IP after the IP renewal?
Is there perhaps already a process implemented for this that I have not discovered yet?

I have researched this and only found references to custom scripts or external monitoring.
How do you solve this?

If a script, the follow-up question would be how best to set that up in OPNsense?

I would be grateful for suggestions.

Regards
#22
25.7, 25.10 Series / Re: After Update meet issues
Last post by rumenblg - Today at 02:38:40 PM
Sorry mate, you didn't understand me, so I will explain: the blacklist is running on a remote server. And Firewall: Aliases has a refresh interval of 1 min, meaning every 60 sec OPNsense is checking the blacklist for new IPs.
   
#23
25.7, 25.10 Series / Re: After Update meet issues
Last post by cookiemonster - Today at 02:27:47 PM
Maybe it's just me, but I'm unclear on what it is you are saying. Can you break it up a bit?
What/where is the blacklist? You say they are restricted TO access your network. Is that to say they are allowed?
If, however, you mean you are seeing a lot of attempts to access your network from IPs in some sort of blacklist, then how is that a problem?
As I say, it's all just very unclear what the setup is and what the problem is.
#24
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by humnab - Today at 02:09:18 PM
Hello,

here's the UTM configuration; I replaced the domain with example.com

/var/chroot-reverseproxy/usr/apache/conf/httpd.conf

ServerRoot /usr/apache
DefaultRuntimeDir /var/run/apache2
PidFile /var/run/apache2.pid

Include conf/modules.conf
Include conf/mpm.conf
Include conf/modsecurity.conf

HostnameLookups Off
ExtendedStatus On
ServerTokens Prod
ServerSignature Off
Header unset Server

User nobody
Group nogroup

Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 15

UseCanonicalName On
CoreDumpDirectory "/tmp"

SecDataDir /tmp
SecTmpDir /tmp

LogFormat "id=\"0299\" srcip=\"%a\" localip=\"%A\" size=\"%B\" user=\"%u\" host=\"%h\" method=\"%<m\" statuscode=\"%s\" reason=\"%<{block-reason}e\" extra=\"%<{block-reason-extra}e\" exceptions=\"%<{matched-exceptions}n\" time=\"%D\" url=\"%U\" server=\"%{Host}i\" port=\"%p\" query=\"%q\" referer=\"%{Referer}i\" cookie=\"%{Cookie}i\" set-cookie=\"%{Set-Cookie}o\" websocket_scheme=\"%{scheme}w\" websocket_protocol=\"%{protocol}w\" websocket_key=\"%{key}w\" websocket_version=\"%{version}w\" uid=\"%{UNIQUE_ID}e\"" astaro
ErrorLog syslog:local1
CustomLog "|/bin/logger -p local1.info -t httpd" astaro
LogLevel notice

## Uncomment these lines for extended debug logging
#LoadModule firehose_module /usr/apache/modules/mod_firehose.so
#FirehoseProxyConnectionInput /tmp/proxy-input.firehose
#FirehoseProxyConnectionOutput /tmp/proxy-output.firehose
#FirehoseConnectionInput /tmp/input.firehose
#FirehoseConnectionOutput /tmp/output.firehose

## Uncomment these lines for traffic dumping in pcap format
#LoadModule pcap_module /usr/apache/modules/mod_pcap.so
#PcapFileName /tmp/WAF.pcap
#PcapNetworkProtocol ip

SecRule ENV:block-reason "@streq cookie"         "phase:5,id:99001,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq url hardening"  "phase:5,id:99002,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq form hardening" "phase:5,id:99003,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq av"             "phase:5,id:99004,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq dnsrbl"         "phase:5,id:99005,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq geoip"          "phase:5,id:99006,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"

TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-bzip2 .bz2

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gvfs/1" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLHonorCipherOrder On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
# Disable transparent compression of SSL data transfers.
# This mitigates impact of SSL "CRIME" attacks (CVE-2012-4929)
SSLCompression off
SSLSessionTickets off

# Drop the (Request-)Range header if more than 5 ranges (CVE-2011-3192)
SetEnvIf Range (,.*?){5} bad-range=1
RequestHeader unset Range env=bad-range
SetEnvIf Request-Range (,.*?){5} bad-request-range=1
RequestHeader unset Request-Range env=bad-request-range

ProxyWebsocketFallbackToProxyHttp off

# ClamavTmpdir    /tmp/clamav
# ClamavSocket    /var/run/clamav/clamd.ctl
# ClamavMode      daemon
# ClamavPermissions 0644

# <Location /clamav>
#       SetHandler clamav
# </Location>

CookieLimit 1000

Include conf/status.conf

Include conf/reverseproxy.conf


/var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

KeepAlive On
ServerName rzfw01.example.com
ServerAdmin support-hsg@example.com
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AESGCM:RSA+AES:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!DHE
RemoteIPProxyProtocol Off
Listen 93.189.156.39:443 https
Listen 93.189.156.39:80 http
<VirtualHost 93.189.156.39:443>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        SSLProxyEngine On
        SSLEngine On
        SSLCertificateFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.pem
        SSLCACertificatePath /usr/apache/conf/cacerts/
        SSLCertificateKeyFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.key
        RequestHeader set X-Forwarded-Proto https
        DocumentRoot /var/www/REF_RevFroAutodiscov
        SetEnv proxy-initial-not-pooled
        <Proxy balancer://0e9f56dedc1c6a43ee0c263a6d1b336b>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Proxy balancer://756724cd34319588665693abb5819b66>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Location "/">
                SetEnv proxy-aside-c
                ProxyPass "balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/"
                ProxyPassReverse "https://10.10.10.5/"
                SetOutputFilter DEFLATE
                <RequireAll>
                        Require all granted
                </RequireAll>
        </Location>
        <Location "/ecp">
                SetEnv proxy-aside-c
                ProxyPass "balancer://756724cd34319588665693abb5819b66/ecp" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/ecp"
                ProxyPassReverse "https://10.10.10.5/ecp"
                SetOutputFilter DEFLATE
                <RequireAll>
                        <RequireAny>
                                Require ip 10.0.0.0/16
                        </RequireAny>
                </RequireAll>
        </Location>
</VirtualHost>
<VirtualHost 93.189.156.39:80>
        ServerName REF_RevFroAutodiscov_redirect_ssl
        ServerAlias mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        <Location />
                Require all granted
                RedirectSSL permanent / 443
        </Location>
</VirtualHost>


/var/chroot-reverseproxy/usr/apache/conf/status.conf


Listen 127.0.0.1:4080
<VirtualHost 127.0.0.1:4080>
        ServerName localhost
        ProxyStatus On
        RemoteIPProxyProtocol Off
        SecAuditEngine Off
        <Location /status>
                SetHandler server-status
                Require local
        </Location>
        <Location /lb-status>
                SetHandler balancer-status
                Require local
        </Location>
        <Location /session-cleanup>
                SetHandler session-cleanup-handler
                Require local
                SessionServerStorageDir /var/lib/apache2/sessions
                SessionServerStorageMaxFiles 25000
        </Location>
</VirtualHost>
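An added example, not part of the posted configuration or of os-OPNWAF, that scans Apache TLS directives like the ones above for settings worth revisiting before porting them: TLS 1.0/1.1 still enabled, 3DES cipher groups, and the three `SSLProxyCheckPeer*` directives set to off, which means the proxy never verifies the Exchange backend's certificate. The sample excerpt is constructed from the posted directives.

```python
import re

# Constructed excerpt that mirrors the TLS-relevant directives of the posted
# UTM httpd.conf / reverseproxy.conf; it is not the full configuration.
SAMPLE_CONF = """\
SSLHonorCipherOrder On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
SSLCompression off
SSLSessionTickets off
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AESGCM:RSA+AES:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!DHE
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"3DES", "RC4", "MD5", "EXPORT", "aNULL", "eNULL"}

def parse_directives(text):
    """Yield (directive, arguments) per directive line; comments, blanks and
    container tags such as <VirtualHost> are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def audit_tls(text):
    """Return human-readable findings for directives worth revisiting."""
    findings = []
    for name, args in parse_directives(text):
        key = name.lower()
        if key == "sslprotocol":
            # Only '+' tokens enable a protocol; '-all' / '-TLSv1' disable one.
            enabled = {t[1:] for t in args.split() if t.startswith("+")}
            for proto in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append(f"SSLProtocol enables deprecated {proto}")
        elif key == "sslciphersuite":
            for group in args.split(":"):
                if group.startswith("!"):
                    continue  # '!' removes a group; it does not enable it
                if set(re.split(r"[+\-]", group)) & WEAK_CIPHER_TOKENS:
                    findings.append(f"SSLCipherSuite enables weak group {group}")
        elif key.startswith("sslproxycheckpeer") and args.lower() == "off":
            findings.append(f"{name} off: backend certificate is not verified")
    return findings
```

Turning `SSLProxyCheckPeerName` back on requires the backend certificate to carry the name used in `BalancerMember` (here a bare IP), so that is usually the first thing to fix on the Exchange side before the proxy side.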
#25
25.7, 25.10 Series / After Update meet issues
Last post by rumenblg - Today at 02:06:48 PM
Hi all. First, thank you to all who built this software.

To my issues: I've been using OPNsense since 2020, never had any issues, and it has always been working as it should be. Until 3 days ago, when I did the update.
I have a blacklist with a number of IPs that are restricted to access my network, mostly from DDoS attacks; from time to time some new network comes over.
And as I did before, I just add it to the blacklist on my server, and OPNsense refreshes the list after 1 min by itself so the new IPs are blocked.
Until now: now I have to go to Firewall: Diagnostics: States and drop these IPs, then the new blacklist comes into force. It doesn't work automatically anymore.
Also, I have five Intrusion Detection: Policy entries for Suricata, and at the same time they stopped working, meaning the small attacks on my DNS server go through. And they have the same signature, same request as before.
All logs show no errors, no issues at all; I just can't figure out what is happening. Any help, thanks.

EDIT: forgot to mention the version is
OPNsense 25.7.9-amd64
FreeBSD 14.3-RELEASE-p5



#26
25.7, 25.10 Series / Could This Be The Reason?
Last post by timlab55 - Today at 02:06:28 PM
I've been trying to set up Opnsense transparent bridge for almost a month now (spent over 60 hours).  I've been following The Network Guy.  I do exactly what he does on the video.  When I get to the part where we're almost ready to put the bridge up and going to hit Change (something), I lose everything.  Even my maintenance can't get back in.  Therefore, I have to start all over again.  Last night I was messing with my router (RT-BE86U) and came to realize that it has AiProtection on it, including Two-Way IPS, Malicious Sites Blocking, Infected Device Prevention, and Blocking.  Would this prevent me from running the Bridge completely?  If so, is there a workaround? 
Thanks
#27
25.7, 25.10 Series / Re: 25.7.9 update and WireGuar...
Last post by s1l3nce - Today at 01:53:50 PM
Quote from: meyergru on Today at 01:47:04 PM
The problem is / was probably present before.

Well, that's very strange. I've been using this firewall with Wireguard for a very long time without any issues after rebooting. But since the last update, every single time I rebooted, wg clients could no longer connect.

The "Renew DNS for Wireguard..." cron job didn't fix it for me (maybe I did something wrong). The script I posted works fine and it acts right after finishing the reboot process.
#28
On second thought, I think at least the PowerD disablement worked.  "dev.cpu.0.cx_lowest: C1"

Not sure why the NIC still says ASPM L1(L1), which is the same as before the change.
#29
25.7, 25.10 Series / Re: 25.7.9 update and WireGuar...
Last post by meyergru - Today at 01:47:04 PM
The problem is / was probably present before. If you use DNS names for wireguard peers, then the daemon will only resolve them once on start and never recognizes if the peer's IP changes. There is a cron job "Renew DNS for Wireguard on stale connections" which will restart Wireguard. You can run that job every 5 minutes and it will probably fix the DNS resolution problem during startup, too (at least after 5 minutes).

This has been reported over and over, so now I appended it as point 30 here: https://forum.opnsense.org/index.php?topic=42985.0
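The check behind the "stale connections" cron job described above, as an added example that is not OPNsense's own code: compare each peer's endpoint as reported by `wg show <iface> endpoints` with what its configured DNS name resolves to now, and flag peers where the two differ. The sample output, the peer-to-hostname mapping and the resolver answers are constructed; in a real run `resolve` would be `socket.gethostbyname` and the output would come from running `wg`.

```python
import re

# Constructed sample of `wg show <iface> endpoints` output: one peer per line,
# "<public-key><TAB><ip>:<port>", or "(none)" for a peer without an endpoint.
# The keys are placeholders, not real WireGuard public keys.
SAMPLE_ENDPOINTS = (
    "PEERKEY_AAAA=\t203.0.113.10:51820\n"
    "PEERKEY_BBBB=\t198.51.100.7:51820\n"
    "PEERKEY_CCCC=\t(none)\n"  # road-warrior peer, no Endpoint configured
)

# Constructed mapping: peer key -> DNS name used as that peer's Endpoint.
PEER_HOSTNAMES = {
    "PEERKEY_AAAA=": "site-a.example.net",
    "PEERKEY_BBBB=": "site-b.example.net",
}

# Constructed resolver answers standing in for socket.gethostbyname();
# site-b has moved to a new address since the tunnel came up.
FAKE_DNS = {
    "site-a.example.net": "203.0.113.10",
    "site-b.example.net": "198.51.100.99",
}

ENDPOINT_RE = re.compile(r"^\[?([0-9a-fA-F.:]+?)\]?:\d+$")

def parse_endpoints(output):
    """Map peer key -> endpoint IP currently held by the kernel ('' if none)."""
    peers = {}
    for line in output.splitlines():
        key, _, endpoint = line.partition("\t")
        match = ENDPOINT_RE.match(endpoint.strip())
        peers[key] = match.group(1) if match else ""
    return peers

def stale_peers(output, hostnames, resolve):
    """Peers whose kernel endpoint no longer matches what DNS returns now.

    Returns (key, hostname, current_ip, resolved_ip) tuples; an empty list
    means restarting WireGuard would not change any endpoint."""
    current = parse_endpoints(output)
    stale = []
    for key, host in hostnames.items():
        now = resolve(host)
        if current.get(key) and current[key] != now:
            stale.append((key, host, current[key], now))
    return stale

if __name__ == "__main__":
    for entry in stale_peers(SAMPLE_ENDPOINTS, PEER_HOSTNAMES, FAKE_DNS.get):
        print("stale: %s (%s) kernel=%s dns=%s" % entry)
```

A name that resolves to several addresses (round-robin) must be compared against all of them, not just the first, or the check will restart the tunnel needlessly.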


#30
25.7, 25.10 Series / Re: 25.7.8 Wireguard road warr...
Last post by s1l3nce - Today at 01:45:52 PM
Could your issue be related to this?