Topics - wickeren

#1
I have a simple 2-node LAN/WAN setup, but it looks like having the CARP VIP/being master on node1 or node2 is on the interface level and not global.
If I unplug the WAN cable from node1 I can see the CARP master role for WAN moving from node1 to node2. However, node1 is still master on the LAN, responding on the LAN CARP VIP.
To me this split situation seems weird and incorrect, causing the LAN<->WAN traffic to halt. Shouldn't all interfaces move at the same time from master to slave and vice versa? Can't see how this should work if that's not the case.

What am I missing here? Did I just misconfigure something? I followed the guide at https://docs.opnsense.org/manual/how-tos/carp.html

Disable Preempt is NOT checked! That should be the setting controlling this, right? So preempt is enabled and this should group all VIPs and move all at the same time AFAIKS.
#2
High availability / no DHCPv4 logs on master
November 17, 2023, 05:11:10 PM
Have a HA setup, everything seems to work fine, except I'm unable to see ANY DHCPv4 logs on the master, no matter if using real or VIP IP. Always shows up empty in GUI, although in /var/log/dhcpd/ there is a dhcp_<date>.log with actual data and latest.log linking to it.

On the backup node I can access the log from the GUI just fine, but only as long as it is backup. As it becomes master (by powering off the first node), the problem moves to the second node.

It seems you somehow can't access the DHCPv4 logs in the GUI on a node that is master...

Any ideas?
#3
Is there a way to let nginx give a status code of 403 in case of violation of the NAXSI rules?
Some security scanners now can't detect a WAF and flag that as a security issue. The cause seems to be the 200 response instead of a 403, even if the request is actually denied. Setting a custom error violation page won't work either, because "Only the page content itself is used. Status code rewriting and redirection is not supported".

Any ideas how to get a 403?
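A plain upstream nginx + NAXSI configuration, added here as an example (not code from the post, and not the configuration the OPNsense nginx plugin generates), showing where the status code of a blocked request is decided: NAXSI itself sets no status, it internally redirects denied requests to DeniedUrl, and the client gets whatever that location returns. The rule-set path, server name and backend address are assumptions.

```nginx
# Added example: upstream nginx + NAXSI, answering blocked requests with 403.
# Paths, server_name and the backend address are assumed/constructed values.

http {
    include /etc/nginx/naxsi_core.rules;   # assumed path to the NAXSI core rules

    server {
        listen 80;
        server_name example.test;          # constructed name

        location / {
            SecRulesEnabled;               # enforce mode (not LearningMode)
            DeniedUrl "/RequestDenied";    # blocked requests are redirected here
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            proxy_pass http://127.0.0.1:8080;  # assumed backend
        }

        # The HTTP status of a denied request is whatever this location
        # returns. A 403 is what WAF-detecting scanners expect; a location
        # that returns 200 with a page body reproduces the symptom above.
        location /RequestDenied {
            internal;                      # only reachable via internal redirect
            return 403;
        }
    }
}
```

Whether the OPNsense nginx plugin exposes the return code of the DeniedUrl location in its GUI is not something this post establishes; the example only shows the mechanism in plain nginx.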
#4
My fiber provider in Holland (KPN) offered me a free upgrade from 100Mb to 200Mb, but told me I need to switch from PPPoE to IPoE.
Current situation: WAN is PPPoE, getting first IP automatically from my /29 subnet from provider, and configured the remaining IPs as an alias, working perfectly fine. LAN is on 192.168.1.0/24.
As I was unfamiliar with IPoE I started looking around and read everywhere I should just change the WAN type to DHCP and asked KPN for confirmation for that.

To my surprise they told me it was quite different and gave me an example config for Cisco that looked quite strange to me. This was the only example they could provide. The Cisco config they gave me seems to tell me to configure the WAN with a static IP in a different /30 subnet (calling it an "interlink subnet") with a gateway in that same subnet, and to configure my current /29 subnet on the LAN side...

!## Guide, IPoE configuration with Cisco router.
!## Port type may differ
!-------
!------- WAN port ----
!-------
interface GigabitEthernet0/0/0
 description Connection to WAN
 ip address 145.54.111.62 255.255.255.252
 speed 100
 duplex full
 mtu 1500
!
!-------
!------- LAN ------
!-------
interface GigabitEthernet0/0/1
 description to Customer LAN
 ip address 31.149.115.137 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 145.54.111.61
!


That looks ridiculous to me, as I don't want my public IPs on the LAN! And I also don't want to buy another router to put in front of OPNsense so I could use my public IPs on my OPNsense WAN.
Any idea how to configure this right on the OPNsense WAN interface? Could I probably just use the /30 subnet as suggested as primary and configure the /29 as aliases on the WAN also?
Anyone familiar with IPoE in general and/or KPN setup in particular?

Regards,

Julian
#5
17.7 Legacy Series / Ipsec NAT/BINAT option missing
September 09, 2017, 03:28:47 PM
Reading the docs it seems there should be a NAT/BINAT option in the IPsec phase 2 settings to do translation before the traffic enters the tunnel. However, in my setup (17.7.1) it is missing. Has this changed and are the docs not updated, or am I missing something else?

Julian