Hello
So I have a block of 6 usable static IPs. My OPNsense FW has the default of x.x.x.182 as the main FW IP/gateway. This IP does not have a domain registered to it.
I have x.x.x.181, which has a domain I purchased with it and also happens to host the inside devices Caddy is using... Right now I have it coming in on .182 and port forwarded to the correct LAN, and I had to create a DuckDNS entry for that. I wanna use my domain instead, but it is not the default WAN IP.
Is this an option?
Bump
I do not understand the question.
You cannot bind to a specific interface. You could change the default HTTP and HTTPS ports of Caddy and port forward 80/443 from one of your IPs to these ports, e.g. 127.0.0.1:8080, 127.0.0.1:8443.
Hello
Yeah, I may just not be good at explaining. Through my ISP I have a block of 8 IPs, 6 usable. By default whatever is PPPoE is the x.x.x.182 IP, and then I can assign x.x.x.177 - x.x.x.181 to other applications, but the OPNsense default WAN is x.x.x.182.
I do not have a domain registered to .182, but I do on x.x.x.181 (which also NATs to the 192.168.2.0 network where all my Docker containers and servers reside).
With Caddy set up, if I use domain.org (which is x.x.x.181) it does not route, as Caddy is of course looking at the default WAN IP x.x.x.182. Is there a way for Caddy to reverse proxy, let's say, qbittorrent.domain.org, which is x.x.x.181, instead of having to make a DuckDNS entry that I do not want simply to use the WAN IP x.x.x.182?
Just add x.x.x.181 as an alias IP to your WAN interface and Caddy will listen to that, too.
Assuming you meant under Interfaces: Settings: Virtual IPs, there is an entry;
x.x.x.181/32 WAN IP Alias
Unless you meant Firewall: Aliases, then I do not see any reference to associating an IP with a WAN interface.
Exactly. Caddy will listen to that address. Of course you need a firewall rule on WAN, e.g.
Source: any
Destination: x.x.x.181
Destination ports: 80, 443 (create an alias for more than one port in a single rule)
Protocol: TCP
Action: allow
Done.
Alright, so I did what I feel you mentioned to do, assuming the x.x.x.181 was the WAN IP. Does not work. I just cannot imagine what I am clearly not seeing.
Did you move your web UI to a different port than 443 and disable the HTTP --> HTTPS redirection?
Yes, currently everything works WHEN I use calibreweb.domain.duckdns.org (which uses the .182 IP, which I do not want), so it WORKS, but just not with the .181 domain.org I own. I THINK I found the problem. If I recall, a certificate needs to be made [from] the IP in question? So if .182 is initializing the certificate for .181, it won't work? OR AM I WRONG?
Either way here is the error
"error","ts":"2024-12-11T18:07:00Z","logger":"tls","msg":"job failed","error":"calibreweb.domain.net: obtaining certificate: [calibreweb.domain.net] Obtain: [calibreweb.domain.net] solving challenges: [calibreweb.domain.net] context canceled (order=https://acme.zerossl.com/v2/DV90/order/Up4Tbor5ngGsgamcVeSztQ) (ca=https://acme.zerossl.com/v2/DV90)"}
Sorry I said qbittorrent earlier, I meant calibreweb.
I guess I am gonna purchase a domain for my main WAN IP and see if it works; if it does, then it is definitely something not obtaining a cert for the correct WAN IP. I planned on buying a domain anyway so it's not terribly out of the way. Now I just gotta get creative.
Bud, you need to understand something about the interwebz (no offence to you, it's not knowledge everybody learns in school):
unless you have some specific interface with a given IP address, your operating system (router, and by that extension - Caddy) will not listen to it.
So let's work through your scenario:
You were given a range of 6 IP addresses
by default, when your router connects, it needs an IP, but it will only use ONE IP address, because, you know, you might want to use the others somewhere else.
Your DNS traffic points towards the IP that your router does not have assigned to the interface, so it ignores it because it's possibly for a different machine.
If you had some routing that pushed this traffic to your LAN, you could have a separate server in a so-called DMZ zone, which would consume one of the additional IP addresses, and everything for the given IP would be forwarded to it (yes, I know there are other setups possible, but I'm using this for illustration).
This is why somebody here is suggesting that you give WAN another IP address (an alias). Then your router will also "catch" this traffic because... you know, it's for the router, right? The router has this IP so it should receive it!
Now, if you set this up: great, but what people tend to miss is that by default ALL routers will just reject all the traffic from the evil internet. So you need to set up a firewall rule to allow traffic to ports 80 & 443. Now you also need to allow this traffic going to your "alias IP", not only to your WAN default IP address.
Then I guess I am just missing it. Currently I do have it as you said: NGINX on a LAN IP, and I just port forward and it works fine. I understand the dynamics are changing because now I am using Caddy on the interface itself.
I understand what you say about all being rejected; makes sense, as that's the router's main purpose, to block.
What I am struggling to understand is.
I HAVE an IP Alias (under virtual IPs) that is assigned to the WAN.
I have 80,443 access from "any source" to "This Firewall". I guess I am not getting how to differentiate or add or specify ALSO 443,80 for WAN IP x.x.x.181 to communicate with "This Firewall" to use Caddy. I made the rule that was mentioned, source any, destination (x.x.x.181), port 443,80, and it being a WAN IP, with an alias, Caddy would recognize it. It does not? I am also admitting it is due to something "I" am doing wrong.
From my perspective I am being told (advised) to do this and this and this and this, and I am, and it is not working. Again, I totally claim that it is my lack of understanding. I'm not trying to do "big boy" things when I am a nice amateur, but this all started simple and escalated to apparently "advanced" stuff, so I'm trying to understand and follow.
I am being told 1+1 is 2 and my fng calculator is spitting out 3.
Quote from: fbeye on December 14, 2024, 06:45:45 AM
I HAVE an IP Alias (under Virtual IPs) that is assigned to the WAN.
Please show a screen shot of the configuration of that alias.
Quote from: fbeye on December 14, 2024, 06:45:45 AM
I have 80,443 access from "any source" to "This Firewall".
Please change that to "WAN address", which (admittedly a bit unintuitively) refers to all addresses on the WAN interface including aliases.
Then please show a screen shot of that rule.
Quote from: fbeye on December 14, 2024, 06:45:45 AM
I guess I am not getting how to differentiate or add or specify ALSO 443,80 for WAN IP x.x.x.181 to communicate with "This Firewall" to use Caddy. I made the rule that was mentioned, source any, destination (x.x.x.181), port 443,80, and it being a WAN IP, with an alias, Caddy would recognize it.
It should. Please add the output of these commands (obfuscate the WAN addresses):
ifconfig
netstat -na | grep LISTEN
Kind regards,
Patrick
Hello
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: LAN (lan)
options=1800a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE,NETMAP>
ether 52:54:00:fa:26:61
inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=800a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 52:54:00:72:55:b4
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0 metric 0 mtu 1536
options=0
groups: enc
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pfsync0: flags=0 metric 0 mtu 1500
options=0
maxupd: 128 defer: off version: 1400
syncok: 1
groups: pfsync
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33152
options=0
groups: pflog
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
description: WAN (wan)
options=0
inet 207.108.121.182 --> 75.160.240.27 netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@OPNsense:~ # netstat -na | grep LISTEN
tcp46 0 0 *.80 *.* LISTEN
tcp46 0 0 *.443 *.* LISTEN
tcp4 0 0 127.0.0.1.6060 *.* LISTEN
tcp4 0 0 127.0.0.1.8080 *.* LISTEN
tcp6 0 0 *.8081 *.* LISTEN
tcp4 0 0 *.8081 *.* LISTEN
tcp4 0 0 127.0.0.1.8125 *.* LISTEN
tcp6 0 0 ::1.8125 *.* LISTEN
tcp4 0 0 172.16.2.1.19999 *.* LISTEN
tcp4 0 0 127.0.0.1.43580 *.* LISTEN
tcp46 0 0 *.53 *.* LISTEN
tcp4 0 0 127.0.0.1.27017 *.* LISTEN
tcp4 0 0 172.16.2.1.3000 *.* LISTEN
tcp4 0 0 127.0.0.1.953 *.* LISTEN
tcp4 0 0 *.5353 *.* LISTEN
tcp4 0 0 *.5353 *.* LISTEN
tcp4 0 0 *.5353 *.* LISTEN
tcp4 0 0 *.5353 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
root@OPNsense:~ #
And then I changed the rule to WAN address, not This Firewall.
And here is the snapshot;
All the IP aliases should show up in the ifconfig output for WAN/pppoe0. That's why it's not working. Please open one of them in the UI, e.g. .181, and show the details.
I do not think I follow... The only place .181 [or any of the other 5 ips] is mentioned is the virtual ip aliases, and in port forwarding. I am sorry but not sure where in the UI to find the details.
In the list you already posted (Virtual IPs) click on the little pencil on the right, then make a screen shot of all the details in that dialog. If there is an "Advanced settings" switch, activate that, too.
Well, now looking at it it appears I would possibly need a Gateway entry?
Correct me if I am wrong but would that be the WAN IP, default Static IP 207.108.121.182? Also looking at it, am I even supposed to have a /32? It is a Block of 8, 6 usable. Or would it be /29 as it's a block of 8.
Well, I am a simple minded fool. WoW, Once I found the problem, it was so obvious..
Soooooo, like I said, I was running NGINX on an internal host and all was fine. When I went to Caddy on the FW, I forgot to remove the prior 443/80 port-forward NAT RULE!!!!
It appears to be working now.
Man alive.
NAT takes priority in OPNsense ;)
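The thread's root cause was a stale port forward, but along the way three other things were checked by hand: whether the alias actually shows up on the WAN interface, whether Caddy listens on 80/443 for that address, and whether a pass rule admits the traffic. The script below is an added example, not something posted in the thread, that re-checks all four from captured command output so the diagnosis is mechanical next time. The ifconfig and netstat samples are taken from the dump posted above (with the thread's obfuscated addresses); the pf lines are constructed in pfctl's text format, and `(pppoe0)` as a destination is how pf prints an OPNsense "WAN address" rule, which covers every address on the interface including aliases. The order of the checks matters for the same reason the thread ended the way it did: a matching `rdr` rule rewrites the destination before the packet can reach a local listener, so a correct alias, listener and pass rule are all irrelevant while a leftover forward exists.

```python
"""Triage for "Caddy on OPNsense does not answer on a WAN alias IP".

Reads the text output of `ifconfig`, `netstat -na | grep LISTEN`,
`pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules) and reports:
  alias_missing    - alias IP not configured on the WAN interface
  not_listening    - nothing bound to 80/443 on wildcard or the alias
  shadowed_by_rdr  - a port forward still grabs 80/443 for the alias
  no_pass_rule     - no inbound TCP pass rule on WAN reaches the alias
"""
import re

SERVICE_PORTS = {"http": 80, "https": 443}
IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)")
RDR_RE = re.compile(r"^rdr\b.*?\bon (\S+)\b.*?\bto (\S+) port = (\S+) -> (\S+)")
PASS_RE = re.compile(r"^pass in\b.*?\bon (\S+)\b.*?\bproto tcp\b.*?\bto (\S+) port = (\S+)")


def _port(token):
    """pfctl prints ports either as numbers or as service names (80 vs http)."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, -1)


def parse_ifconfig(text):
    """Map interface name -> set of IPv4 addresses (aliases included)."""
    addrs, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            addrs.setdefault(cur, set())
            continue
        m = INET_RE.match(line)
        if m and cur:
            addrs[cur].add(m.group(1))
    return addrs


def parse_listeners(text):
    """Set of (local_addr, port) from `netstat -na | grep LISTEN` (tcp lines only)."""
    out = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, port = f[3].rsplit(".", 1)
            out.add((addr, int(port)))
    return out


def parse_rdr(text):
    """(iface, dst, port, target) tuples from `pfctl -sn`."""
    return [(m.group(1), m.group(2), _port(m.group(3)), m.group(4))
            for m in (RDR_RE.search(l) for l in text.splitlines()) if m]


def parse_pass(text):
    """(iface, dst, port) tuples for inbound TCP pass rules from `pfctl -sr`."""
    return [(m.group(1), m.group(2), _port(m.group(3)))
            for m in (PASS_RE.search(l) for l in text.splitlines()) if m]


def _dst_matches(dst, wan_if, ip):
    # "any", the literal alias, or "(pppoe0)" (pf's spelling of "WAN address").
    return dst in ("any", ip, f"({wan_if})")


def triage(ifconfig_out, netstat_out, pf_nat_out, pf_rules_out, wan_if, alias_ip, ports=(80, 443)):
    """Return named findings; every list empty means the alias setup is consistent."""
    wan_addrs = parse_ifconfig(ifconfig_out).get(wan_if, set())
    listeners = parse_listeners(netstat_out)
    passed = {p for (ifc, dst, p) in parse_pass(pf_rules_out)
              if ifc == wan_if and _dst_matches(dst, wan_if, alias_ip)}
    return {
        "alias_missing": [] if alias_ip in wan_addrs else [alias_ip],
        "not_listening": [p for p in ports
                          if ("*", p) not in listeners and (alias_ip, p) not in listeners],
        "shadowed_by_rdr": [f"{p} -> {tgt}" for (ifc, dst, p, tgt) in parse_rdr(pf_nat_out)
                            if ifc == wan_if and p in ports and _dst_matches(dst, wan_if, alias_ip)],
        "no_pass_rule": [p for p in ports if p not in passed],
    }


# Samples: ifconfig/netstat trimmed from the thread's dump (no alias yet),
# pf lines constructed: the stale NGINX forward plus a "WAN address" pass rule.
IFCONFIG_SAMPLE = """\
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
    inet 207.108.121.182 --> 75.160.240.27 netmask 0xffffffff
"""
NETSTAT_SAMPLE = """\
root@OPNsense:~ # netstat -na | grep LISTEN
tcp46 0 0 *.80 *.* LISTEN
tcp46 0 0 *.443 *.* LISTEN
tcp4 0 0 127.0.0.1.8080 *.* LISTEN
"""
PF_NAT_SAMPLE = """\
rdr on pppoe0 inet proto tcp from any to 207.108.121.181 port = https -> 192.168.2.10 port 443
rdr on pppoe0 inet proto tcp from any to 207.108.121.181 port = http -> 192.168.2.10 port 80
"""
PF_RULES_SAMPLE = """\
pass in quick on pppoe0 inet proto tcp from any to (pppoe0) port = https flags S/SA keep state
pass in quick on pppoe0 inet proto tcp from any to (pppoe0) port = http flags S/SA keep state
"""

if __name__ == "__main__":
    for k, v in triage(IFCONFIG_SAMPLE, NETSTAT_SAMPLE, PF_NAT_SAMPLE, PF_RULES_SAMPLE,
                       "pppoe0", "207.108.121.181").items():
        print(f"{k:16s} {v or 'ok'}")
```

On the box itself, feed it live output (`ifconfig`, `netstat -na | grep LISTEN`, `pfctl -sn`, `pfctl -sr`) instead of the samples; anything listed under `shadowed_by_rdr` is the port forward to delete before touching Caddy or the rules again.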
No doubt. Had I even remembered doing that, it would not have taken so long. It just slipped my mind. What I did was say to myself "OK, we know it works on the internal LAN; what did I do to make that work?" and then the NAT popped into my head. Anyway
Thank you all for helping me and being patient.
One last question, maybe relevant, maybe not, BUT I know the "default" answer to "can I expose my OPNsense GUI to the internet in case I wanna remote in" is NO! And that makes sense, but is there a safe way to allow WAN access to the OPN GUI? I mean even restricting to specific WAN IPs. Or connect via WG or Caddy?
Quote from: fbeye on December 14, 2024, 11:18:06 PM
One last question, maybe relevant, maybe not, BUT I know the "default" answer to "can I expose my OPNsense GUI to the internet in case I wanna remote in" is NO! And that makes sense, but is there a safe way to allow WAN access to the OPN GUI? I mean even restricting to specific WAN IPs. Or connect via WG or Caddy?
Technically: yes
Practically: HELL NO
Insanely: "if there is a will there is a way"
So, IF, and only IF, you are prepared to jump through a few burning hoops, you "_can_" get safe admin access to your router.
There are two ways of doing it:
1. set up a VPN, then you VPN into your local network and can administer it.
2. for more crazy people (like me)
- set up Caddy / HAProxy, which you already do.
- get yourself a Cloudflare account.
- set up your DNS in such a way that your router access is only cached.
- get your access working with proper signed keys that are exchanged with Cloudflare, and nobody else has those (possible in HAProxy, haven't looked in Caddy for that) - so even if somebody tries to spoof themselves as CF, they won't have the keys.
- allow your Caddy to only accept connections from CF IP addresses (easy in HAProxy, haven't tried in Caddy).
- set your CF policies to "paranoid level".
There are a few more things you can do, but... I'll leave it to the reader to imagine more ways to get this secure.
Now, remember two things: 1. the old adage "you're not paranoid if there are people actually going after you" and 2. "the Internet is full of people that are going after anybody".
Interesting.
Currently what I am doing is using my WG on my LAN and then connecting to the FW through WG. The problem is that my work laptop won't let me install WG, so I am limited to viewing via iPad/iPhone... Really not liking that.
So currently I am using the 1.) setup.
I would love to access the FW, on those rare occasions, on a full screen laptop scenario which was why I asked.
I do have Cloudflare and purchased domains, except for the FW WAN interface, but I do have Cloudflare set for my example.org, which has a static IP as well, so I assume I can just use Caddy as I do for qbittorrent or calibreweb, but with the OPNsense FW.
Still, like you said, there are lots of certificate safety practices I would need to implement.
I guess I feel I would struggle with the DNS stuff because, like I said, the FW itself has a .182 WAN IP and no domain, but my .181 [set as a virtual IP] does have Cloudflare and a domain. So the DNS stuff would sort of make my brain hurt.
I mean, it is an option I can look more into... But at least I have my WG FW access from the LAN side.
Quote from: fbeye on December 15, 2024, 01:02:43 AM
I guess I feel I would struggle with the DNS stuff because, like I said, the FW itself has a .182 WAN IP and no domain, but my .181 [set as a virtual IP] does have Cloudflare and a domain. So the DNS stuff would sort of make my brain hurt.
I don't think you understand reverse proxies. If you have Caddy installed and it's "working", i.e. you can connect from the internet to a service you run on the local LAN, what is stopping you from pointing Caddy at your router's LAN web service?
Let's say your:
- whatever service is 192.168.0.2:80 - the first service you have on your Caddy, with example.org
- your router being 192.168.0.1:4343 - a second service that your Caddy can serve at router.example.com
It's pretty academic. It's actually one of the most popular low-effort ways of cracking into someone's network: just set up a reverse proxy at the target edge and you browse like it's your home... and super low effort is the SSH pipe facility that everybody forgets to disable.
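The two-site layout from the post above, written out as a raw Caddyfile. This is an added example, not configuration posted in the thread or shipped by the OPNsense Caddy plugin (the plugin's GUI fields map to the same directives). It assumes the thread's obfuscated alias 207.108.121.181 as the WAN alias, the hostnames and LAN addresses from the post, that the OPNsense GUI on 192.168.0.1:4343 speaks HTTPS with its own self-signed certificate (the default for the web UI once moved off 443), and an invented trusted source range 203.0.113.0/24. The `bind` directive is what makes Caddy listen on the alias only, instead of the wildcard seen in the netstat dump, and the admin site answers nobody outside the trusted range, not even with a login page.

```caddyfile
# Both sites listen only on the WAN alias, not on the default WAN IP.

example.org {
	bind 207.108.121.181
	reverse_proxy 192.168.0.2:80
}

router.example.com {
	bind 207.108.121.181

	# Hypothetical trusted range; replace with the addresses you admin from.
	@trusted remote_ip 203.0.113.0/24

	handle @trusted {
		# The OPNsense web UI serves HTTPS with a self-signed cert on this
		# port (assumption); skip verification for that internal hop only.
		reverse_proxy https://192.168.0.1:4343 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}

	# Everyone else: no login page, no banner, just a refusal.
	handle {
		respond 403
	}
}
```

If Cloudflare is put in front as the post suggests, `remote_ip` sees Cloudflare's edge addresses rather than the visitor's, so the matcher there should list Cloudflare's published ranges (that is the "only accept connections from CF IP addresses" step) and the per-user restriction moves to Cloudflare's own access policies; and a stale port forward for 80/443 on the alias would still win over both sites, exactly as it did for the OP.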
I got everything working through Cloudflare, and all works on the WAN IP I want, etc. What was causing all the drama was the fact I forgot I had NAT port forwarding to my previously working NGINX system. But now all is working flawlessly.
To bind Caddy to an interface, follow these instructions: https://docs.opnsense.org/manual/how-tos/caddy.html#bind-caddy-to-interfaces