Messages - junglemattie

#1
Hi Franco & Ad,

I will have a look at the HAProxy plugin, didn't look into this as I thought HAProxy didn't support SSL termination yet, but they seem to have added support for this now, so I guess I can have a look into HAProxy for the URL load balancing.
I will do some tests with HAProxy, but I think the plugin is not mature enough yet to provide me a full complex setup for the URL/domain routing I am looking for right now.
I'll see if I can deploy some tests so maybe I can contribute on what needs improving.
I see no need currently for you to add Varnish and nginx as modules or binary support, to take time off your hands on things that are needed more urgently than this.
So in future, if support for Varnish and nginx would be possible this would be nice, but I have no need for it right away as I will be deploying a custom solution right now.

Thanks!
#2
Hi,

I'd like to send in a feature request to setup support for NGINX and Varnish to support a more complex reverse proxy load balancer.

- Support for url and domain routing
- Support for varnish caching mechanism on url content

I know this is a request that will take some time to complete and most can be done with Squid I guess, but currently I haven't found an option to set up Squid in OPNsense as a reverse proxy instead of a forwarding proxy.
Any changes made locally on Squid will get overridden when changing entries in the proxy setup.

Ideally I would like to use OPNsense to load balance a web cluster with url and domain routing and have a caching mechanism in the middle or running next to it using varnish cache.

Not sure if the general discussion is where this request should be placed; if not, sorry for posting it in the general section.

Really like the way the OPNsense project is heading.

Keep up the good work!

Thanks

Matthew
#3
You can ignore this request, as I wasn't paying attention to my rulesets.
#4
16.1 Legacy Series / Re: Multiple routing tables
May 20, 2016, 11:31:30 AM
Hi Franco,

I just set net.fibs=2 in /boot/loader.conf; this of course will probably get overridden when upgrading to a new release version.
FreeBSD actually made this possible to separate the routing on different WANs on the same machine.
But then again, using pf and static routes would do the same trick.
I guess you mostly will need this feature when you want to separate BGP routing tables, for example using two BGP daemons over two different paths.

And on the question of VRF support (vrf-lite/rdomains) for FreeBSD: a fib is a bit like a VRF but without the features that OpenBSD implemented with their vrf-lite.
Multiple fibs can be used to route different jails on FreeBSD to their own routing table, to segment it from your main routing table for example.
#5
Hi,

I seem to have run into a problem: I can't seem to be able to get port forwarding (NAT RDR) working.

So let's say I have the following:

vip ip <--RDR NAT --> internal ip

When I create the forwarding rule for ftp for example I do see it listed as RDR rule but the rule doesn't seem to work.

pfctl -s nat shows:
No ALTQ support in kernel
ALTQ related functions disabled
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on bce1_vlan3 inet from 127.0.0.0/8 to any port = isakmp -> 130.117.75.121 static-port
nat on bce1_vlan3 inet from 192.168.1.0/24 to any port = isakmp -> 130.117.75.121 static-port
nat on bce1_vlan3 inet from 10.0.0.0/24 to any port = isakmp -> 130.117.75.121 static-port
nat on bce1_vlan3 inet from 127.0.0.0/8 to any -> 130.117.75.121 port 1024:65535
nat on bce1_vlan3 inet from 192.168.1.0/24 to any -> 130.117.75.121 port 1024:65535
nat on bce1_vlan3 inet from 10.0.0.0/24 to any -> 130.117.75.121 port 1024:65535
nat on bce3_vlan200 inet from 127.0.0.0/8 to any port = isakmp -> 178.22.83.68 static-port
nat on bce3_vlan200 inet from 192.168.1.0/24 to any port = isakmp -> 178.22.83.68 static-port
nat on bce3_vlan200 inet from 10.0.0.0/24 to any port = isakmp -> 178.22.83.68 static-port
nat on bce3_vlan200 inet from 127.0.0.0/8 to any -> x.x.x.x port 1024:65535
nat on bce3_vlan200 inet from 192.168.1.0/24 to any -> x.x.x.x port 1024:65535
nat on bce3_vlan200 inet from 10.0.0.0/24 to any -> x.x.x.x port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
no rdr on bce0 proto tcp from any to (bce0) port = https
no rdr on bce0 proto tcp from any to (bce0) port = http
no rdr on bce0 proto tcp from any to (bce0) port = ssh
rdr on bce3_vlan200 inet proto tcp from any port = ftp to x.x.x.x port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto udp from any port = ftp to x.x.x.x port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto tcp from any to x.x.x.x port 1024:65535 -> 192.168.1.148

Also created an inbound rule to accept the FTP connection, but when I try the connection it doesn't work:

External connection:

tcpdump: listening on bce3_vlan200, link-type EN10MB (Ethernet), capture size 65535 bytes
15:56:12.182354 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 50, id 34416, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xdef5 (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758637770 ecr 0,sackOK,eol], length 0
15:56:14.188624 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 51, id 11713, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xd725 (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758639770 ecr 0,sackOK,eol], length 0
15:56:15.190539 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 51, id 29698, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xd33d (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758640770 ecr 0,sackOK,eol], length 0
15:56:16.191868 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 51, id 15010, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xcf55 (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758641770 ecr 0,sackOK,eol], length 0

Local connection:

# telnet 192.168.1.148 21
Trying 192.168.1.148...
Connected to 192.168.1.148.
Escape character is '^]'.
220 Welcome to the FTP server

Anyone know what I am doing wrong or what's up with the RDR option of PF?
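As an added example (not from the post or from OPNsense), a small checker that parses the rdr lines of the pfctl output above and tests which rule the captured SYN would hit. It shows that the first rule's "from any port = ftp" clause restricts the client's source port to 21, so the SYN from source port 54915 matches no rdr rule (the third rule only covers destination ports 1024:65535). The rule text, interface name and x.x.x.x placeholder are taken from the post; the service-name table and the abbreviated tcpdump line are constructed.

```python
import re

# Constructed sample input: the rdr lines and one flow from the tcpdump lines quoted in the post
# (x.x.x.x is the redacted public address, exactly as the post shows it; SYN flag as tcpdump prints it).
RDR_RULES = """\
rdr on bce3_vlan200 inet proto tcp from any port = ftp to x.x.x.x port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto udp from any port = ftp to x.x.x.x port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto tcp from any to x.x.x.x port 1024:65535 -> 192.168.1.148
"""
CAPTURE = "149.235.255.3.54915 > x.x.x.x.21: Flags [S], seq 4153531766, win 65535, length 0"

SERVICES = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}  # names pfctl prints instead of numbers

RULE_RE = re.compile(
    r"rdr on (?P<iface>\S+) inet proto (?P<proto>tcp|udp) "
    r"from (?P<src>\S+)(?: port (?P<sport>= \S+|\S+))? "
    r"to (?P<dst>\S+)(?: port (?P<dport>= \S+|\S+))? -> (?P<target>\S+)$"
)
FLOW_RE = re.compile(r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")

def port_matches(spec, port):
    """spec as pfctl prints it: None (any port), '= name-or-number', or 'lo:hi'."""
    if spec is None:
        return True
    if spec.startswith("= "):
        name = spec[2:]
        return port == (int(name) if name.isdigit() else SERVICES.get(name))
    lo, hi = (int(x) for x in spec.split(":"))
    return lo <= port <= hi

def parse_rdr(text):
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]

def first_matching_rule(rules, iface, proto, dst, sport, dport):
    """Index of the first rdr rule the packet hits, or None (for rdr rules pf takes the first match)."""
    for i, r in enumerate(rules):
        if r["iface"] != iface or r["proto"] != proto or r["dst"] not in (dst, "any"):
            continue
        if port_matches(r["sport"], sport) and port_matches(r["dport"], dport):
            return i
    return None

def check_capture_line(rules, line, iface="bce3_vlan200", proto="tcp"):
    """Map one tcpdump flow line to the rdr rule it hits; None means no redirect applies."""
    m = FLOW_RE.search(line)
    return first_matching_rule(rules, iface, proto, m["dst"], int(m["sport"]), int(m["dport"]))

if __name__ == "__main__":
    print("rdr rule hit:", check_capture_line(parse_rdr(RDR_RULES), CAPTURE))  # None: source port 54915 != 21
```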
#6
16.1 Legacy Series / Re: Multiple routing tables
May 19, 2016, 10:04:59 AM
Right, found a way around this by setting it in the boot loader.
But now it would be nice if I could use it from the frontend ;)
#7
16.1 Legacy Series / Multiple routing tables
May 18, 2016, 04:22:52 PM
Hi,

I'd like to know if OPNsense intends to start supporting multiple routing tables; the kernel needs to be recompiled with:

# Multiple routing tables
options         ROUTETABLES=2

When this is done it would be possible to set up multiple default gateways instead of having to go around the current way of doing the multi-WAN setup.

From the looks of it only one fib is currently allowed:

/home/matthew # setfib 0 netstat -rn | grep default
default            x.x.x.x      UGS    bce1_vla

/home/matthew # setfib 1 netstat -rn
setfib: 1: invalid FIB (max 0)

Thanks in advance

Matthew