Messages - nibblerrick

1
19.7 Legacy Series / Re: [solved] HAproxy with https-redirect and letsencrypt http-01
« on: November 13, 2019, 02:56:28 pm »
I think I got it, I made a copy of the condition for the acme-challenge but checked the negate option and added this condition to the https-redirect-rule. Now things work as expected.
Maybe this is a little bit more elegant to achieve with a custom rule.

2
19.7 Legacy Series / [solved] HAproxy with https-redirect and letsencrypt http-01
« on: November 13, 2019, 10:31:40 am »
Hi,

I am a little bit stuck with this situation:
Using the letsencrypt plugin with http-01 challenge and haproxy. Default configuration works.
Now I'd like to redirect the incoming http/port 80 traffic to ssl/443, which works fine by defining a condition in haproxy for not-ssl-traffic to be redirected.
But this redirect-rule seems to match before the acme-challenge-rule.
I thought if I modify the acme-rule to use the acme-condition AND not-ssl-condition it should work because it's more specific. But it doesn't.
I tried to find something about this behaviour and read somewhere http-redirect rules are always executed before the other rules but don't know if that's right.

So... what's the correct way to catch the acme-condition and send it to the backend before the ssl-redirect-rule takes effect?

The only similar thing in this forum I could find was in the German section https://forum.opnsense.org/index.php?topic=7880.msg36600#msg36600 but there isn't an answer.

Thanks

3
18.1 Legacy Series / Zerotier - managed routes aren't available when service starts
« on: February 05, 2018, 04:07:42 pm »
Hi,

I'm playing around with zerotier and it's really a nice and easy solution. Now I tried to make a site2site-VPN and discovered the following:

Setup zerotier like in the documentation, static IP for the OPNSense-boxes, no auto-assignment.
Routes for the networks setup as managed routes in my.zerotier, configured the network in OPNSense, everything was fine and running.
Managed routes were available on the OPNSense-boxes and everything works - till you reboot.

When rebooting or just restarting the zerotier service the routes from zerotier are gone.
Under the network information tab the routes are shown but they aren't in the routing table.
Disabling the network in the zerotier plugin and re-enabling it a moment later works, the routes are there on the OPNSense-box.
It's just not really a good option to disable the network on the remotebox because re-enabling is quite hard then... :-)

So is this expected behaviour, a bug, or some setting I have to set to get the routes registered on the automatic service start?
I couldn't really find an option or something for the local.conf which made sense to me yesterday in the evening.

So back to OpenVPN for now, but I'd really like to make it work with zerotier.

Thanks

  Nico

4
17.1 Legacy Series / Re: Fast DynamicDNS updates if OPNSense behind other router?
« on: August 23, 2017, 04:28:57 pm »
After migrating all the stuff, getting multiWAN to work (seems with gateway groups and routing it behaves a bit different than on pfSense actually) I monitored the process now for a while and it works really great!
Nothing more to say, it just works! Thanks!

5
17.1 Legacy Series / Re: Fast DynamicDNS updates if OPNSense behind other router?
« on: August 02, 2017, 09:17:50 pm »
Ok, so this takes some days to test, because on the site where OPNSense is running I just got a static IP. On the site where I have the "problem" there is atm still some other sense running which I will migrate. Hope I can finish it this weekend (quite some stuff configured in the actual appliance and when migrating I like to clean up some things and try to get CARP running).
If the monitoring really re-invokes the DynDNS that would just be great.
I'll let you know as soon as I migrated all the stuff. Thanks!

6
17.1 Legacy Series / Re: Fast DynamicDNS updates if OPNSense behind other router?
« on: July 28, 2017, 01:36:50 pm »
Thanks, yes, it does, but limited. They've done some improvements in the past, but it isn't like the options you get in OPNSense. And I had it sometimes not running reliably. So I try not to rely on the speedport and try to find out if there are other possibilities.

An approach might be to have a connection to somewhere open all the time and when it drops it should check IP change?

7
17.1 Legacy Series / Fast DynamicDNS updates if OPNSense behind other router? [solved: works oob]
« on: July 27, 2017, 05:29:00 pm »
Hi!

My problem is, I have a router which I have to use (Speedport Hybrid) so OPNSense is behind this router. I can't get a static public IP.
So at the moment DynamicDNS-check works either with the default interval or a cronjob which can be defined to check e.g. every minute.
I think checking is done with the dyndns-service which is hardcoded. As far as I read they'll block you if you don't have >10min intervals.
So question is, is there anything possible (doesn't have to be GUI-configurable) to get OPNSense to notice an IP-change?
Other methods than check X minutes eventually? Having an open connection to anywhere and recheck when it drops? I really have no idea atm, so I am asking.
10 minutes doesn't sound so much but if you want e.g. a VPN connected, these ten minutes it takes to get the update will every time be the moment you need it, you know what I mean... :-)

8
16.7 Legacy Series / Re: [solved] NetFlow disk usage
« on: November 09, 2016, 07:45:28 pm »
After deleting the big flowd.log and starting the service again with the actual version everything keeps running smoothly!

9
16.7 Legacy Series / Re: [solved] NetFlow disk usage
« on: November 06, 2016, 12:52:12 pm »
Then I'll reset the flowd-data and try again. I think I will see within a day if it runs crazy or smoothly. Thanks.

10
16.7 Legacy Series / Re: [solved] NetFlow disk usage
« on: November 05, 2016, 05:17:54 pm »
I think I am into the same problem here, updated last week to the actual version and now it seems that opnsense crashes from time to time.
Having a 1.3G flowd.log, till Sep. 29 I have 11 MB logs. flowd_aggregate seems to eat up one core completely of the server constantly.
Disabled netflow now and everything seems back to normal.

11
16.1 Legacy Series / Re: Update to 16.1.20
« on: July 23, 2016, 12:23:28 pm »
Same here, please tell which button to press ;-)

12
General Discussion / Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
« on: January 27, 2016, 03:23:04 pm »
Thank you very much for your post!
So you have the tunnel with the routed /48 at your opnsense and just assign on the different interfaces the appropriate /64 subnets, right? No other routing setting on opnsense at this point to set? That was the thing I wasn't sure about. Thank you very much.
The other thing I won't really understand at the moment is the Prefix delegation range on the DHCPv6 server how this will be used, but that is another question...

Thanks again

   Nico

13
General Discussion / Re: SoftEther VPN daemon for Opnsense
« on: January 23, 2016, 05:18:14 pm »
The phoning home is AFAIK only the dyndns-thing, if you disable this the software isn't connecting so somewhere not configured.
The updates on it are a thing that makes me feel more bad about it. But for Windows clients, is there an alternative SSTP server available?

14
General Discussion / Re: SoftEther VPN daemon for Opnsense
« on: January 19, 2016, 09:06:09 pm »
I tried softether myself a couple of days ago and don't know if it is simply a great thing or if there is something bad about it. It seems to be very versatile. Openvpn and IPsec are already in OPNSense but I couldn't really find a SSTP Server (only).
For the installation in OPNSense I couldn't help at the moment as I tried it on a windows machine because of testing the AD authentication (but I think I would like it with radius a little better in the future, because of more control)

15
General Discussion / Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
« on: January 19, 2016, 09:02:14 pm »
Hi there,

really no one? If the question is so easy, please someone stoop to answer the question. Or is it really that hard?

Thanks :-)
