How to open specific ports?

Started by Dzioobasek, January 15, 2018, 10:30:43 AM

What AV are you referring to? Where is it installed?
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member


January 15, 2018, 01:50:52 PM #17 Last Edit: January 15, 2018, 02:01:50 PM by elektroinside
Ok, this AV (the proxy actually) will not use the ports you want to use for your DB (please somebody correct me if I'm wrong).
Again, I don't think the proxy has anything to do with your problem unless your clients connect from the port (source port) 80 or 443.

I think you should (re)verify your firewall rules on the LAN side.

I think we should start with another simple question. Your database server(s) listen on port 3306, don't they? From one of the machines on your LAN (from where you run the Java app), can you connect to the DB server by running the following command:

telnet <db_server_ip> 3306

Do you get a connection to the DB server and if not, what happens? If you get a connection then there should be no problem connecting to it from any app on your LAN.
Regards


Bill

kinda found solution, in internet settings > connections > LAN settings > advanced I've added an exception for the server address and the application is working now.

phoenix
I can't connect with the telnet command - it says failed to connect to host on port 3306. Connection failed.
The ping command is working, also I can browse the local network.

Quote from: Dzioobasek on January 15, 2018, 02:20:03 PM
kinda found solution, in internet settings > connections > LAN settings > advanced I've added an exception for the server address and the application is working now.

phoenix
I can't connect with the telnet command - it says failed to connect to host on port 3306. Connection failed.
The ping command is working, also I can browse the local network.

You lost me here (again)...
So your app is working after adding a local firewall rule (so not in OPNsense, but in Windows Firewall) as I told you before, but still telnet isn't working?

Try this:

PC1-the client, with the java app
PC2-the server, with the database

Temporarily TURN OFF the Windows (or whatever OS) firewall on PC2
Go back to PC1 and type this from the command line:

telnet PC2IP 3306 (eg: telnet 192.168.0.199 3306)

Is it working?
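The check described in the posts above (ping works, "telnet host 3306" fails) becomes much more useful once you know *how* the connect fails, because Windows telnet reports both cases with the same "Connect failed" text. The script below is an added example, not something posted in this thread: it does the same plain TCP connect as telnet and classifies the result. A "refused" result means the host answered with a reset, so the packet got there and the problem is on the server (nothing listening on 3306, or MySQL bound only to 127.0.0.1, or a host firewall that rejects). A "filtered" result means nothing came back at all, which is what a firewall silently dropping the SYN looks like, whether that is OPNsense between two interfaces/VLANs or a host firewall on PC2. The local listener is only there so the example runs offline; the hostnames and ports are placeholders.

```python
import errno
import socket
import sys


def check_tcp_port(host, port, timeout=3.0):
    """Plain TCP connect, like `telnet host port`, with the failure classified.

    Returns one of:
      "open"     - handshake completed, something is listening
      "refused"  - host replied with RST: reachable, but nothing listens on the
                   port (or a host firewall rejects instead of drops)
      "filtered" - no reply within the timeout, or no route: a firewall is
                   dropping the SYN, or the host is down
      "error"    - anything else (name resolution, etc.)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        return "error"


def start_listener(host="127.0.0.1", port=0):
    """Throw-away TCP listener standing in for the DB server (example only).

    port=0 lets the OS pick a free port; the chosen port is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def explain(result):
    """Turn the classification into the next thing to look at."""
    return {
        "open": "TCP works; if the app still fails, look at the app/DB auth, not the network.",
        "refused": "Packets reach the host: check the DB is listening on this port and its bind address.",
        "filtered": "No reply: a firewall in the path (OPNsense or host firewall) is dropping the SYN.",
        "error": "Could not even attempt the connection: check name resolution / routing.",
    }[result]


if __name__ == "__main__":
    # Usage: python check_port.py 192.168.0.199 3306   (placeholder address)
    if len(sys.argv) == 3:
        target, target_port = sys.argv[1], int(sys.argv[2])
    else:
        # No arguments: demonstrate against a local listener, then against the
        # same port after the listener is closed.
        srv, target_port = start_listener()
        target = "127.0.0.1"
        print("listening:", check_tcp_port(target, target_port))
        srv.close()
    verdict = check_tcp_port(target, target_port)
    print(f"{target}:{target_port} -> {verdict}: {explain(verdict)}")
```

Run it from PC1 against PC2's address and port, once with PC2's host firewall on and once with it off, as the post above suggests: if the verdict changes from "filtered" to "open", the block was on PC2, not in OPNsense.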

January 15, 2018, 03:05:17 PM #22 Last Edit: January 15, 2018, 03:07:55 PM by Dzioobasek
Quote from: Dzioobasek on January 15, 2018, 02:20:03 PM
kinda found solution, in internet settings > connections > LAN settings > advanced I've added an exception for the server address and the application is working now.
This is in control panel > internet options.

As I mentioned before, the app is working when I'm connecting to the server without OPNsense. I'm not using Windows Firewall, I have ESET but it's not blocking my app. The problem is in OPNsense. I'm after work now, so I'll check everything tomorrow.
If we won't find what the problem is, I'll manually add this exception on every client as I have to set the proxy connection anyway.
Big thanks to you!

PS
I'll contact the app's support tomorrow to ask if it has any specific settings to work with a proxy.

January 15, 2018, 03:23:58 PM #23 Last Edit: January 15, 2018, 03:32:06 PM by elektroinside
Well, that's the thing... You add "exceptions" to something related to Windows (probably proxy, as the location of the settings you described is related to proxy) and then it works.
This is what I don't understand: why is OPNsense at fault here?

If you are proxying http and https traffic, that's done for ports 80/443 and 2 others on the local machine, and any other (the configured proxy ports) in OPNsense. If you are not allowing http/s traffic except through the proxy server on your LAN, it would make sense to force the client to use a specific proxy server, if you did not configure PAC (proxy auto-config) on OPNsense. In this case, clients do not automatically pick up the proxy server, and a manually configured proxy server needs to be added.

But, if a proxy is involved, on the client only 80/443 and two others are proxied (usually). This is what confuses me: why your app works if you configure a proxy, unless your app uses 80/443 to connect to the DB as well. In this case, it is proxied.

But maybe your app connects to the server on at least two different ports: the DB on the server on port 3306 and the webserver on the server on port 80/443. 3306 most probably is not proxied and should work from the client, and port 80/443 is proxied only if the client is configured. Isn't this your case?

I'm not the best at explaining stuff, but I'll try anyway.
Sure thing, you're very welcome.

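The point in the post above, that a system-wide HTTP proxy only ever touches HTTP/HTTPS (and FTP) requests, while a raw MySQL connection on 3306 goes straight out, is easy to see by modelling the client-side decision. The snippet below is an added illustration, not code from OPNsense or from anything posted in this thread. It approximates, as an assumption, the semantics of the Windows Internet Options "Exceptions" box (entries separated by semicolons, `*` wildcards, and the literal `<local>` meaning "bypass for hostnames without a dot"); the proxy address and hostnames are placeholders. It shows why adding the server address to that list changes what an HTTP-based client does, and why it changes nothing for the database port.

```python
import fnmatch
from urllib.parse import urlsplit

# Schemes a WinINet-style "use a proxy server for your LAN" setting applies to.
# Anything else (mysql://, a raw TCP socket) never goes to the HTTP proxy.
PROXIED_SCHEMES = {"http", "https", "ftp"}


def parse_exceptions(exceptions):
    """Split the 'Exceptions' box into a normalised list of patterns.

    Assumed format: 'host1;*.example.test;192.168.0.*;<local>'.
    """
    return [e.strip().lower() for e in exceptions.split(";") if e.strip()]


def bypasses_proxy(host, exceptions):
    """True if `host` matches an exception entry and so is contacted directly."""
    host = host.lower()
    for entry in exceptions:
        if entry == "<local>":
            if "." not in host:  # dotless name: 'fileserver', 'pc2'
                return True
        elif fnmatch.fnmatchcase(host, entry):  # '*' wildcard, e.g. '192.168.0.*'
            return True
    return False


def route(url, proxy, exceptions):
    """Decide how a client honouring the system proxy would reach `url`.

    Returns ("proxy", proxy) or ("direct", reason).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in PROXIED_SCHEMES:
        return ("direct", f"scheme {parts.scheme!r} is not handled by an HTTP proxy")
    if bypasses_proxy(host, exceptions):
        return ("direct", f"{host} matches the exception list")
    return ("proxy", proxy)


if __name__ == "__main__":
    proxy = "192.168.0.1:3128"          # placeholder: the OPNsense proxy
    before = parse_exceptions("<local>")  # default-ish: only dotless names bypass
    after = parse_exceptions("<local>;192.168.0.199")  # server address added
    for url in ("https://192.168.0.199/api/login",   # app talking HTTP to the server
                "mysql://192.168.0.199:3306",         # app talking directly to the DB
                "https://cas.mpips.gov.pl:8443/CAS/signin.do"):
        print(url)
        print("  before exception:", route(url, proxy, before))
        print("  after exception: ", route(url, proxy, after))
```

If the app's HTTP calls flip from "proxy" to "direct" once the server is in the exception list while the 3306 connection is "direct" either way, then the failure you saw was the proxy refusing or mangling the app's HTTP traffic to the server, and the DB port was never the thing being blocked. Whether a given Java application reads the Windows system proxy settings at all depends on the application, which is what the question to the app's support is about.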

The settings which I'm writing about are in the Windows control panel and yeah, it's about the global proxy settings for all browsers. Adding the server address is for now the only working solution for me. It has to be something with OPNsense, because without it the app is working.

I have another problem now :P I can't access https://cas.mpips.gov.pl:8443/CAS/signin.do Can you help me with that?

January 16, 2018, 09:58:05 AM #25 Last Edit: January 16, 2018, 10:11:54 AM by elektroinside
So let us recap:

- you have at your workplace a 35 clients LAN
- you have deployed an OPNsense box and you are the sole administrator of that box
- for some reason you enabled the proxy server on the OPNsense box
- without properly (and manually) configuring LAN clients you cannot make your app work
- also, you cannot access a polish government login website and you cannot debug the reasons

Am I correct up until this point?


all yeap. The reason I'm using the proxy is for the web filter and AV. Access to that site is important in my work, I'm from Poland :)

When I added my IP in Web Proxy > Forward Proxy > Access Control List > Unrestricted IP I can access the site now. Do you think it's ok doing it this way, or should I try something else?

January 16, 2018, 10:44:25 AM #27 Last Edit: January 16, 2018, 10:57:33 AM by elektroinside
I prefer IDS/IPS + custom DNS services like OpenDNS or AdGuard as a protection layer (with enforced rules for DNS queries), instead of proxy, in "office" environments.
But this is just me.

I know the headaches a proxy server can give you in such environments if it's not properly maintained. IDS/IPS needs some attention as well in the beginning, a few days to see what's being blocked (and to allow stuff if necessary). General performance is just poor and a waste of resources with a proxy, this is how it works. "Unrestricting" IPs sounds like making the proxy server almost useless...

It has its own applications, no doubt about it, maybe you really need it, but also maybe you can try protecting your network in some other ways and that would be good enough. I'm not trying to make you change your mind here, just consider other stuff as well.

This is a good article describing various protection techniques, many of them available in OPNsense as well:
http://resources.infosecinstitute.com/network-design-firewall-idsips/

Otherwise, you need to debug your proxy setup. Since it has been a long time since I last used a proxy, I forgot many details about it. What I do remember is that you need proper security certificates to make it work for https as well, not just http (without the need to trust CAs and other stuff on every client), a powerful box if you have many proxy clients, caching properly configured, and many other aspects...

oh maaaan, when I'm about to finish you say I could choose sth else :P
Will IDS/IPS block viruses like the AV module? This OPNsense proxy AV seems to be working.
Have you got any link on how to set it up in OPNsense and test it? I'm not in a hurry, so I can check different solutions.

IDS/IPS will not block viruses like an AV; rather, they are complementary to each other. IDS/IPS will scan network traffic (packets) while the AV scans files. Both work with rules/signatures, and both are heavily dependent on these (except some newer technologies).

There's always a compromise to be made between speed and security. I prefer obviously both if possible, but this is difficult.

I prefer IDS/IPS in inline mode as it's lightning fast. The protection it offers is only as good as your rules are. Combine this with a good DNS service and you will get nice and fast security.

I will write you in the next comment a little howto.