Welcome to the new Home Network Guy forum!

Recent Posts

Pages: 1 [2] 3 4
Troubleshooting / Opnsense content filtering
« Last post by ejayb9 on May 28, 2021, 10:48:04 AM »
Hello. I'm struggling to get content filtering working in Opnsense. I'm sure the part I have wrong is the rule order, in the NAT and in the interface Rules, but it could be something else.

I'm using a 4-port Protectli and just updated Opnsense to 21.1.6.
Created a guest network on OPT2 with
No VLAN (I couldn't get this to work, and I couldn't find any tutorial on why it is even needed)
DHCP service for OPT2 is enabled.

Steps followed:
Added http://www.shallalist.de/Downloads/shallalist.tar.gz to Remote Access Lists - downloaded and apply
Cleared the authentication method and local group (within the Forward Proxy sub-menu)
Checked box to enable HTTP (Forward Proxy sub-menu). Turned on "full help" and then used the "add new firewall rule" link to add the NAT rule.
Select "add associated filter rule" at bottom of new NAT rule and also enabled rule.
Repeated for HTTPS.
Added HTTP and HTTPS block rules in OPT2
Checked box to enable proxy in Web Proxy -> administration -> general proxy settings

Current Rule order for OPT2 is: 1)HTTP redirect to proxy rule 2)HTTPS redirect to proxy rule 3)HTTP block rule 4)HTTPS block rule
no other rules inside OPT2

It's just not working. Could use any help/advice. Thank you!
Cool. It's always nice to learn something new.

So I edited my NAT Port Forwarding settings for both the servers to include the "pass" setting for 'Add associated filter rule' and I tried with and without my FW rule for allowing traffic to pass on ports 25565 - 25566 on the WAN interface, but I still can't connect to the servers from outside of my LAN. I only have one WAN interface, so as you said nothing showed up under the FW rules, but the icons changed from > to <->

I try scanning the ports with this tool: https://www.ipfingerprints.com/portscan.php but they're both "filtered"

There must be something really obvious that I'm doing wrong here. How hard could it be to get this configured right...  ::) Anyway. I'm about to set up a new computer for OPNsense, so I'll do a fresh install, just to start from scratch and then see if I can get this working. I'll report back whether I get it working or not.
I just learned something today about NAT port forwarding. I had incorrectly assumed the settings under Firewall > Settings > Advanced would cause the corresponding WAN rule to be created. However, it gets created when you select "Add associated filter rule" option at the bottom of the NAT port forward rule. However, if you only have one WAN, you can also select "Pass". If you select "Pass", the corresponding WAN rule will not be displayed but the NAT port forward should still work properly.
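Added example, not from the original posts or from OPNsense itself: a small checker for what the "Add associated filter rule" option actually has to produce at the packet-filter level. pf applies the rdr (port forward) translation before it evaluates filter rules, so the WAN pass rule must match the translated destination, i.e. the internal server address, not the WAN address. On the OPNsense shell, `pfctl -sn` lists the NAT rules and `pfctl -sr` the filter rules; the two samples below are constructed in that syntax (addresses, interface `em0` and labels are made up), and the helper names `parse_rdr`, `parse_pass` and `check_forward` are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of `pfctl -sn` (NAT rules); not real output.
# One rdr rule forwards TCP 25565-25566 arriving on the WAN (em0) to an internal host.
SAMPLE_NAT = """\
rdr on em0 inet proto tcp from any to 203.0.113.5 port 25565:25566 -> 192.168.1.50
"""

# Constructed sample in the style of `pfctl -sr` (filter rules); not real output.
# Rule 1 is the shape of an associated filter rule: destination is the INTERNAL
# address, because pf translates (rdr) before it filters. Rule 2 is a hand-made WAN
# rule whose destination is the WAN address; the forwarded flow never matches it.
SAMPLE_RULES = """\
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.1.50 port 25565:25566 flags S/SA keep state label "USER_RULE: NAT Minecraft"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 203.0.113.5 port 25565:25566 flags S/SA keep state label "USER_RULE: manual WAN rule"
block drop in log quick on em0 inet from any to any label "Default deny rule IPv4"
"""

RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+inet\s+proto\s+(?P<proto>\w+)\s+from\s+\S+\s+to\s+(?P<dst>\S+)"
    r"\s+port\s+(?:=\s*)?(?P<lo>\d+)(?::(?P<hi>\d+))?\s+->\s+(?P<target>\S+)"
)
PASS_RE = re.compile(
    r"^pass\s+in\s+quick\s+on\s+(?P<iface>\S+)\s+.*?inet\s+proto\s+(?P<proto>\w+)\s+from\s+\S+\s+to\s+(?P<dst>\S+)"
    r"\s+port\s+(?:=\s*)?(?P<lo>\d+)(?::(?P<hi>\d+))?"
)
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def _port_range(m: "re.Match") -> Tuple[int, int]:
    # pf prints a single port as "port = N" and a range as "port N:M".
    lo = int(m.group("lo"))
    hi = int(m.group("hi") or lo)
    return lo, hi


def parse_rdr(nat_text: str) -> List[dict]:
    """Parse rdr lines into dicts with iface, proto, dst, lo, hi, target."""
    rules = []
    for line in nat_text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            lo, hi = _port_range(m)
            rules.append({"iface": m["iface"], "proto": m["proto"], "dst": m["dst"],
                          "lo": lo, "hi": hi, "target": m["target"]})
    return rules


def parse_pass(rules_text: str) -> List[dict]:
    """Parse inbound 'pass in quick' lines into dicts with iface, proto, dst, lo, hi, label."""
    rules = []
    for line in rules_text.splitlines():
        m = PASS_RE.match(line.strip())
        if m:
            lo, hi = _port_range(m)
            lbl = LABEL_RE.search(line)
            rules.append({"iface": m["iface"], "proto": m["proto"], "dst": m["dst"],
                          "lo": lo, "hi": hi, "label": lbl.group(1) if lbl else ""})
    return rules


def check_forward(nat_text: str, rules_text: str, proto: str, port: int) -> dict:
    """For one port, report the matching rdr rule, whether a pass rule admits the
    translated flow, and any pass rules that only match the pre-NAT WAN address."""
    result = {"rdr": None, "pass_ok": False, "pass_pre_nat_only": []}
    rdrs = [r for r in parse_rdr(nat_text) if r["proto"] == proto and r["lo"] <= port <= r["hi"]]
    if not rdrs:
        return result  # no port forward at all for this port
    rdr: dict = rdrs[0]
    result["rdr"] = rdr
    for p in parse_pass(rules_text):
        if p["iface"] != rdr["iface"] or p["proto"] != proto or not (p["lo"] <= port <= p["hi"]):
            continue
        if p["dst"] in (rdr["target"], "any"):
            result["pass_ok"] = True          # matches the post-translation destination
        elif p["dst"] == rdr["dst"]:
            result["pass_pre_nat_only"].append(p["label"])  # looks right in the GUI, never matches
    return result


if __name__ == "__main__":
    for port in (25565, 25567):
        print(port, check_forward(SAMPLE_NAT, SAMPLE_RULES, "tcp", port))
```

In the sample, port 25565 has an rdr and is passed by the associated rule, while the hand-made rule aimed at the WAN address is reported as pre-NAT only; port 25567 has no rdr at all. Against a real box, feed the script the saved output of `pfctl -sn` and `pfctl -sr` instead of the constructed strings; an rdr with no post-translation pass rule is the "filtered" result an external port scan would show.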
Security/Advisories / ParkMobile Breach
« Last post by Home Network Guy on May 26, 2021, 10:58:24 AM »
I received the following email from ParkMobile about a breach that occurred in March 2021. You may want to change your password, since they did not automatically reset passwords for all their users, as they stated the passwords were hashed/salted and the encryption keys were not compromised. Better to be safe than sorry!
Thanks for all the help so far. I really appreciate it.

Yes, both those firewall settings were enabled when I created the rule. The install is fresh, just a few days old, but I've been trying out different things, so there might be a setting which I've not reverted back to default. I can try to do a fresh install, now that I sort of know what the settings should look like. It doesn't require that much time and effort to do.
That’s odd that no WAN rules were automatically generated. Did you have those 2 advanced firewall settings enabled before creating the rule? The NAT rule and WAN rule you created look good at a glance. You can’t see all the details of each rule on the main rule list pages, so I'm not sure if some other odd/incorrect settings are set.

Port forwarding should be pretty simple in general. I have some servers in the DMZ with port forwarding and that works well, and the rules are auto generated on the WAN. You can tell which rules are auto generated from the NAT rule because you can’t edit those WAN generated rules. You can only remove them.

I’m trying to think of what’s wrong. There are lots of knobs and buttons you can turn and push in OPNsense, and if you push the wrong ones then you can get into trouble. You said you started from a clean configuration with minor changes, so that may not be the issue. I may try to think about this more tomorrow. I was away from home today, so I was answering in between doing other things with the family.
OK. So under Port Forwarding the destination is set to WAN address, not WAN net.

Both Reflection for port forwards and Automatic outbound NAT for Reflection are (and were) enabled, but no corresponding rule for WAN appeared under Firewall: Rules: WAN. I did test with allowing traffic through ports 25565 - 25566 in the WAN interface, but still no luck. Not sure if I did this part right, or why no rules got generated automagically.

Use WAN address rather than WAN net. I forgot to specify earlier. Also do you see a corresponding WAN rule created for those 2 rules? You should have 2 rules created automatically on the WAN interface if you have those options enabled that I mentioned earlier.
I've tried this also. And I just gave it another go now. Both with destination as WAN address and WAN net.

I think I see the problem. You need to select WAN as your destination since you are port forwarding the WAN address to access your servers remotely. Then for the redirect address you would pick your internal server IPs.