How to open specific ports?

Started by Dzioobasek, January 15, 2018, 10:30:43 AM

January 19, 2018, 03:01:10 PM #45 Last Edit: January 19, 2018, 03:25:13 PM by elektroinside
Quote from: Dzioobasek on January 19, 2018, 01:52:34 PM
Nope, I have unchecked those and then everything is blocked.

It should be exactly like in this snapshot: https://docs.opnsense.org/_images/disable_offloading.png

After you have verified that it is, reboot your OPNsense box.

1)
Then, go back to Services: Intrusion Detection and disable IPS mode.
Please confirm things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

2)
Then, go back to Services: Intrusion Detection and enable IPS mode.
Then, go to 'Download', take each ruleset one by one, and set to 'Alert'.
Then, go to 'Rules' and hit 'Apply'.
Please confirm things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

3)
Then, go to 'Download', take each ruleset one by one, and set to 'DROP'.
Then, go to 'Rules' and hit 'Apply'.
Please confirm things are working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'.

4)
Go to 'Alerts', select a 'blocked' packet (do this with the eicar test file), edit it and set it to 'Alert'.
Go back to 'Rules' and hit 'Apply'.
Try to download the eicar file again, it should work this time. If it does, set it back to 'Drop' and hit 'Apply' again from the 'Rules' tab.

5)
Verify the joomla login page.
Check the 'Alerts', see if anything is blocked. If it is, set it to 'Alert', go back to 'Rules' and hit 'Apply'.
Verify the joomla login page again.
Check the 'Alerts', see if anything is blocked. If it is, set it to 'Alert', go back to 'Rules' and hit 'Apply'.
Repeat these steps until the joomla login page is fully working.

Please report your findings for each step.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

January 24, 2018, 11:58:21 AM #46 Last Edit: January 24, 2018, 12:06:22 PM by Dzioobasek
I have found the guilty ruleset: ET open/emerging-policy it is. Even if it's set on alert it's blocking my Joomla panel access; when I disable it, it is working and I can log in. Is it a bug?

About adblocking, should it block all ads or only most of them? Can you check wp.pl or onet.pl if there are any ads? I have many.

Quote from: Dzioobasek on January 24, 2018, 11:58:21 AM
I have found the guilty ruleset: ET open/emerging-policy it is. Even if it's set on alert it's blocking my Joomla panel access; when I disable it, it is working and I can log in. Is it a bug?

"Policy" is the keyword here: the Policy ruleset contains rules regarding use policy (companies/ corporations). Be very careful with these sets, since they are organized as a template of rules, and as a template of enabled/ alert/ block patterns. Most likely, and by default, they are going to "break" things. Any ruleset should be activated on a "one-by-one rule" approach, and especially that type of ruleset.

So, I guess it's not a bug, it's a "different than template/ default" need.

There was an issue with the reporting of dropped packets in OPNsense 18.1.r2 (not all were reported as dropped in the GUI).

You should apply this patch from the console in order to see all the blocked rules in the GUI:
https://github.com/opnsense/core/commit/573612d48

opnsense-patch 573612d48

I'm gonna wait for the next update, I don't feel like I could do it and don't want to make a bigger mess ;)
Also had a problem with updating Joomla today. When I pressed the update button it dropped the connection, hopefully it will be fixed soon.

Sure thing, whenever you feel like it, 18.1 is coming very soon anyway, so you don't have to wait that much.

Can you reply to me about adblocking?

Quote from: Dzioobasek on January 25, 2018, 11:30:00 AM
Can you reply to me about adblocking?

There are different ways to display ads on a website. The most common two:
1. Using external ad services, like Google ad services; these ones are among the most aggressive, as they are usually JavaScript bundled in the website, which connects to ad servers and, based on many rules & browser activity, displays ads; many of these hijack cookies as well. AdGuard will block most of these servers, but not all. Ad providers often change their IPs/hostnames and new ones might not be blocked.
2. Classic banner based ads, hosted on the same server(s) as the webpage; the ad blocker must be content aware in order to block these, and if the content doesn't contain some ad specific metadata, they won't be blocked. AdGuard DNS servers obviously are not content aware (it is a DNS based ad blocker). Content aware ad blockers must be locally installed (software).

I attached 2 pictures (with AdGuard as DNS ad blocker and without). It works for all the ads displayed using JavaScript, even with the two websites you mentioned. There are also other types of ads on these two websites, which a DNS based "ad blocker" simply cannot "block".

What a DNS based ad blocker does is that it will resolve ad server hostnames to 127.0.0.1 for example. If you want full ad blocking, you could combine DNS ad blocking with uBlock Origin + uBlock Origin Extra as browser extensions. These two extensions are content aware.

So it's not blocking ads for me :/ I did everything you said in your guide.

It probably means your DNS requests are not resolved by AdGuard DNS servers.
Do your DNS settings in OPNsense look exactly like the ones in the attached snapshot? You should not have any other DNS servers configured, only the ones from AdGuard.

Yes, I have the same settings. Do I have to set those DNS servers on the clients or doesn't it matter?

January 25, 2018, 12:57:22 PM #56 Last Edit: January 25, 2018, 01:47:07 PM by elektroinside
Your clients should use one and only one DNS server, which is the OPNsense local IP address. If you had any other DNS servers configured, after the changes you should flush the DNS cache locally on each client from the command line.

For Windows clients (cmd 'run as administrator'):

ipconfig /flushdns


If OPNsense has to be the only DNS server then I have another problem, because the domain controller also has to be there :)

Quote from: Dzioobasek on January 26, 2018, 07:34:03 AM
If OPNsense has to be the only DNS server then I have another problem, because the domain controller also has to be there :)

Of course. And you have 2 ways to solve that problem:

1. If you have already set OPNsense as the only DNS server for the devices on your network, then create a domain override in Unbound so that DNS queries made for either your domain or your internal IP address range are forwarded to your domain DNS server(s) (your domain controllers having that role).

2. If all network devices have your domain DNS server set, then set OPNsense as the forwarder only in your domain DNS service.

Which of the 2 ways you choose depends on how difficult it is for you to change your DNS (and DHCP) settings for clients, or the DNS settings on the domain controller/ OPNsense.

PS If you choose the first, be very careful to set domain overrides for both forward (name to IP addresses) and reverse (IP addresses to names) DNS queries.

Reverse domain override example:
Domain 1.168.192.in-addr.arpa, IP "your-domain-controller-internal-IP-address", will send to the domain controller every query for "ping -a 192.168.1.XXX"
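A small helper, added here and not part of the thread or of OPNsense itself, that derives the reverse (in-addr.arpa) override zone names for a given internal range and renders the forward and reverse overrides as Unbound forward-zone stanzas. It goes beyond the single /24 in the post: a /16 or /8 collapses to one zone, a /22 needs several /24 zones, and a classless /25 still needs the whole /24 zone (so the override also covers neighbouring addresses). The domain, range and controller IP are constructed sample values; rendering the override as a forward-zone stanza is an assumption about what the GUI entry amounts to, not OPNsense's own code.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names needed to cover an IPv4 range.

    Unbound overrides are per zone, and reverse zones end on octet
    boundaries, so the prefix is rounded up to the next multiple of 8.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 ranges only")
    if net.prefixlen > 24:
        # Classless range (/25 and longer): the override can only be
        # expressed for the enclosing /24, which is wider than the range.
        nets = [net.supernet(new_prefix=24)]
    else:
        octet_prefix = ((net.prefixlen + 7) // 8) * 8
        nets = list(net.subnets(new_prefix=octet_prefix))
    zones = []
    for n in nets:
        octets = str(n.network_address).split(".")[: n.prefixlen // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def override_stanzas(domain, cidr, dc_ip):
    """Render one forward override (the AD domain) plus the reverse
    override(s) for the internal range, all pointing at the domain
    controller. Assumption: this is the Unbound form of a GUI override."""
    ipaddress.ip_address(dc_ip)  # fail early on a typo in the controller IP
    lines = []
    for zone in [domain] + reverse_zones(cidr):
        lines += ["forward-zone:", '    name: "%s"' % zone,
                  "    forward-addr: %s" % dc_ip, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: AD domain, LAN range, domain controller.
    print(override_stanzas("corp.example", "192.168.1.0/24", "192.168.1.10"))
```

Run it with your own domain, LAN range and controller address; each `name:` line is one Domain Override entry to create, with the `forward-addr` as its IP.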

Quote from: hutiucip on January 26, 2018, 09:07:44 AM
2. If all network devices have your domain DNS server set, then set OPNsense as the forwarder only in your domain DNS service.

Sounds easier but I still don't know how :P