opnsense blocked legal site

Started by total.ce, August 08, 2025, 06:45:06 AM

Hello everyone. OPNsense blocks one legal site; directly, without a firewall, it opens as expected. I created a rule for LAN and WAN interfaces, but to no avail. Disabling the blocking also did not help. It seems to me that the site somehow does not accept OPNsense. What could be the problem?

More information is needed. What website? What does 'blocking' mean for you? What message do you see in the browser and in OPNsense? What version of OPNsense are you running and on what (bare metal, virtual machine)? What DNS upstream server are you using?
Deciso DEC740

State website gov.kz. When I disable OPNsense, the site opens, so it turns out that it somehow blocks. The browser says the site is not available, and I tried to open the site via IP address; it also does not open. OPNsense is version 6 and is installed on a virtual machine, and the VM itself is on a physical server. DNS is from the provider.

There is no OPNsense version 6, and, it being a network firewall appliance, if you disable it you will lose all Internet access.

Are you sure you have come to the right forum for the right product? This place here is about this one.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: total.ce on August 08, 2025, 08:10:15 AM
Opnsense version 6

As @Patrick wrote, OPNsense 6 does not exist. Can you post a screenshot of the dashboard? In case you do use OPNsense, which DNS service do you use and have you enabled block lists?

What IP is gov.kz resolved to under "Interfaces: Diagnostics: DNS Lookup"?

I do run an OPNsense 25 instance as a VM on Proxmox with Unbound and some blocklists and access to gov.kz does work.
Deciso DEC740

I'll send a screenshot a bit later, I may be wrong. DNS is not specified in the firewall itself, I wanted to specify DNS, but it asks to enter a range.
Yes, we have entered several rules to close access to sites on the local network.
You can check eks.gov.kz, whether it will open through your firewall.

gov.kz doesn't have a valid TLS certificate to begin with.
Deciso DEC750

Sorry, I misspelled the version. Version 24.7.8

But if you do web filtering and/or DNS blocking then you need to investigate the details. There is no "OPNsense is blocking X". It's one of your filtering rules, blocklists, etc. that does that.
Deciso DEC750

Yes, the firewall does not write about blocking the site. I also tried to disable the rules I created, but nothing helped. I recently started using OPNsense. That's why I ask you for help. I also wanted to ask how to disable filtering and the blacklist.

This depends on what filtering and blacklisting exactly you are using. A newly installed OPNsense does not block anything outbound.

Without more information about which blocklist and filtering methods you configured, it is not possible to help you, unfortunately. There are a dozen different methods at least one could use.
Deciso DEC750

If the site address is not listed in the blacklist, then what prevents the site from being opened? I specifically created a rule for this site, but it did not solve the problem.

You could start with describing which blacklist mechanisms you are actually using?

- firewall based
- DNS based
- - if yes, Unbound
- - or BIND
- - or AdGuard Home ...
- or Zenarmor or Suricata
- ...

Please describe your setup in as much detail as possible.

A plain OPNsense with default rules does not block anything. Outbound access, that is, of course.
Deciso DEC750

Quote from: Patrick M. Hausen on August 08, 2025, 03:16:18 PM
gov.kz doesn't have a valid TLS certificate to begin with.

Sorta. The cert does not contain "gov.kz". For total.ce: Have you tried https://www.gov.kz/ directly (to avoid the cert error and redirect)? ("eks.gov.kz" times out for me with open sessions - no response to SYN.)