Messages - reep

#31
16.7 Legacy Series / Re: Firewall rule logic
August 11, 2016, 02:53:53 AM
Ok,

It seems I do need a NAT Port Forward rule, set up as follows:

Interface : WAN1
Destination : WAN1 (This is the destination IP address seen in the Logs - e.g. my WAN IP address)
Source Port Range: any
Dest Port Range : HTTPS - HTTPS
Redirect Target IP : my server IP
Redirect Target port : HTTPS

Pic of the result attached.

Odd that you can't set it for all WAN addresses like you can for a normal port, but it is easy enough to duplicate.

Any further info gratefully received (e.g. I did something really stupid) !

B. Rgds
John
#32
16.7 Legacy Series / Re: Firewall rule logic
August 10, 2016, 10:14:02 PM
Hi Bart,

thanks for replying. I'm a know-nothing on firewalls :-)

Can you explain the difference between setting up a straight forward rule, and setting up a NAT rule ?

On my current DrayTek 3300 I just have some simple rules that forward various ports to a couple of internal servers, e.g. IMAPS, SMTP, HTTPS, SSH etc. Pic attached.

I have two WAN ports each with a public IP. Some ports get forwarded from either WAN port, and some depending on which WAN port they arrive on.

I just wanted to recreate those in OPNsense. My guess is I can just create a simple firewall forward rule and do not need to bother with NAT rules, as I do not need a 'Redirect Target IP/Port' ?

Funny - you get so used to something it seems second nature, and then you try a new system and it takes a while to get your head around it.

Any help gratefully received !

B. Rgds
John
#33
Thanks ! I'll give it a whirl.

B. Rgds
John
#34
I remember this from when I played with earlier versions (https://github.com/opnsense/core/issues/199).

The first WAN interface is called 'wan' by the system with further interfaces then being called optx.

Despite being able to change the description of the interface the actual sort order does not change.

So for example in Firewall rules you get

WAN1   LAN   WAN2   WAN3   IPSEC

I found a solution was to manually rename and sort each interface in the <interfaces> section of:

/conf/config.xml

I then renamed any references

e.g.

wan -> wan1
opt1 -> wan2
opt2 -> wan3

I then updated any relevant pages e.g. interfaces/gateways to resave and regenerate any configs e.g. firewall rules.

I now have nicely sorted interfaces everywhere :-) Only a small thing but looks SO much better and everything is more logical, and where you expect to find it.

It is better to do it as soon as you have assigned your interfaces and before you do any other configuration.

Not sure how to suggest fixing this - happy to create a bug if you think it is worth an NFR ?

B. Rgds
John
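The rename-and-resort step John describes above, done with a script instead of by hand. This is an added example, not code from the post or from the OPNsense project: the sample config.xml is constructed, and the element layout it assumes (one child element per interface key under <interfaces>, references held in <interface> elements under rules and gateway items) is an assumption about the file, not taken from a real box.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /conf/config.xml. The element names
# (<interfaces> with one child per key, <rule><interface>, <gateway_item>
# <interface>) are assumptions about the file layout, not a real config.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN1</descr></wan>
    <lan><if>em1</if><descr>LAN</descr></lan>
    <opt1><if>em2</if><descr>WAN2</descr></opt1>
    <opt2><if>em3</if><descr>WAN3</descr></opt2>
  </interfaces>
  <filter>
    <rule><interface>wan</interface><descr>allow https</descr></rule>
    <rule><interface>wan,opt1</interface><descr>both wans</descr></rule>
  </filter>
  <gateways>
    <gateway_item><interface>opt2</interface><name>WAN3_GW</name></gateway_item>
  </gateways>
</opnsense>"""

RENAMES = {"wan": "wan1", "opt1": "wan2", "opt2": "wan3"}  # old key -> new key
ORDER = ["wan1", "wan2", "wan3", "lan"]                     # wanted display order


def rename_interfaces(xml_text, renames=RENAMES, order=ORDER):
    """Rename interface keys, re-sort <interfaces>, and rewrite references."""
    root = ET.fromstring(xml_text)
    ifaces = root.find("interfaces")
    # 1. The key is the element name itself, so rename the tag.
    for child in ifaces:
        child.tag = renames.get(child.tag, child.tag)
    # 2. Re-order the children; keys missing from ORDER go last, order kept.
    children = list(ifaces)
    for child in children:
        ifaces.remove(child)
    rank = {key: i for i, key in enumerate(order)}
    children.sort(key=lambda c: rank.get(c.tag, len(order)))
    ifaces.extend(children)
    # 3. Rewrite every <interface> reference, including comma-separated lists
    #    such as a rule bound to several interfaces at once.
    for ref in root.iter("interface"):
        if ref.text:
            ref.text = ",".join(renames.get(k, k) for k in ref.text.split(","))
    return ET.tostring(root, encoding="unicode")


def interface_keys(xml_text):
    """Return the interface keys in the order they appear under <interfaces>."""
    return [child.tag for child in ET.fromstring(xml_text).find("interfaces")]
```

Run it against a copy of /conf/config.xml and diff the result before putting it in place; the constructed sample only covers references under rules and gateways, so check for interface keys stored in other elements on a real config.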
#35
16.7 Legacy Series / Firewall rule logic
August 10, 2016, 12:26:24 PM
Been messing with firewall rules and some things don't quite make sense.

If I create a Port Forward in the NAT section, it appears in the Firewall Rules section but cannot be edited from there. Is there any point, assuming that any rules created in NAT are just firewall rules, period? Or is there some difference somewhere that I have missed?

Wouldn't it just be simpler for me to create a Firewall rule and not bother using the Port Forward section or does a NAT rule do something different?

Under Port Forward rules you have 'Destination' and 'Redirect Target IP'. It isn't apparent what the difference is (there is no help text for 'Destination'). I presume that for a simple rule the Destination should just be the WAN address ?

It's probably all good if you know the system, but coming at it fairly blind it isn't that obvious !

B. Rgds
John


#36
Development and Code Review / Re: How to add mc ?
August 09, 2016, 11:25:00 PM
Quote from: phoenix on August 09, 2016, 12:54:37 PM
Running "pkg search mc" should get you what you need.

Awww damn. Noob question :-(

Sorry... too stuck in my linuxy ways !

pkg install mc-light

Many thanks.

B. Rgds
John
#37
16.7 Legacy Series / Re: sshd missing ?
August 09, 2016, 11:17:58 PM
Grrrr.... thanks !

There are none so blind as those who cannot see ;-)

B. Rgds
John
#38
Development and Code Review / [SOLVED] How to add mc ?
August 09, 2016, 12:36:02 PM
One of my fave little packages for rooting about places is mc - midnight commander.

Any ideas/suggestions on how to install/add it as a package ?

B. Rgds
John
#39
I have been using a bash script called letsencrypt.sh on my Linux boxes and wrote a small plugin for them to generate the config files. The letsencrypt.sh script is a lot easier and more transportable than the full-fat official clients.

https://github.com/lukas2511/letsencrypt.sh

It probably wouldn't take much to use that (and I believe it is BSD-compatible). You just need to write a simple plain text config file and a domains.txt file and add a cronjob for renewals.

You have to be able to resolve a .well-known/acme-challenge directory over HTTP for a given domain.

B. Rgds
John
#40
16.7 Legacy Series / [SOLVED] sshd missing ?
August 09, 2016, 12:23:32 PM
Managed to get my box installed and updated to 16.7

I was looking for sshd to be able to shell in but can't see anything anywhere. Am I missing something ?

B. Rgds
John
#41
I have tried boot delays out to 60000 now, still with no joy.

The more I read, the more I think something is fundamentally broken in there that no one wants to really sort out.

Similar USB-orientated issues all over the show.

Ah well, can't do any more now. Let me know if you have suggestions to test.

B. Rgds
John
#42
Quote from: Zeitkind on July 19, 2016, 04:23:44 PM
Quote from: Julien on July 19, 2016, 02:51:25 PM
If I were you I wouldn't use L2TP, I would go for OpenVPN or IPsec.

I have been using OpenVPN for about 10 years now. The problem is companies and customers that still demand PPTP, or at least a VPN that works right out of the box on client machines. As there is still no (simple) way to use Microsoft's SSTP VPN, L2TP is the only answer.

I'd ask them whether they leave the keys in the front door of their house, or their office, or their nice car.

I'd also ask them whether they are happy that most of the known planet is listening to every character of their data.

Would they be happy if all those people actually just turned up at their office and house and walked in without any permission and started rifling through all their documents and reading and copying everything ?

Are they happy to sit in front of a judge and risk fines or even jail for not protecting their, or their clients', data properly ?

Do they really not care THAT much ?

Windows users (slaps head)..... :-)

B. Rgds
John
#43
Quote from: franco on July 15, 2016, 01:29:19 PM
Hi John,
Here's the 15.7.18 amd64 ISO:

Thanks Franco. Makes installing a little easier ! Still would like to get to the bottom of the issue though.

Seems like the IPMI system creates a USB-based virtual CD from the ISO image. From the looks of things this is getting timed out when the system tries to mount it across the network. Do you have any idea what units are used by kern.cam.boot_delay ?

I'm away on business for about 10 days so won't have much time to actually have a go at this but I will try and do some reading.

B. Rgds
John
#44
Managed to get to 16.1.18 from the 15.7.11, BUT I am stuck now on i386.

Any chance of a link to an x64 version of 15.x please ? They seem to be in short supply out there !

B. Rgds
John
#45
PS - is there anywhere I can get a copy of a 15.7.x x64 iso rather than the i386 I have ?

I can test, and also upgrade from 15-16 it seems ?

B. Rgds
John