Messages - maweber

#1
Hi

I was patching up this situation using OPNsense, but I would like a second opinion.
This question is about how to set up OPNsense as a GW itself.

Setup is:

WAN (dhcp) <=> INET/29 (owned WAN subnet) <=> one or more OPNsenses.

I know the subnet basics and initially did it using basic routing/ default GW/firewall in Linux, but would like to do it with OPNsense if that makes sense, performance-wise, because OPNsense has some features I would include.

What I did was create the INET/29 subnet as if it were a LAN, and add all the flags like BOGUSIPS, firewall, special exceptions etc. myself, plus deactivate outbound NAT.

However I don't trust it as there are questions.

  • For one, OPNsense doesn't know the INET/29 is a WAN port. I cannot tell for sure that there is no special internal edge case that gets traffic to escape the WAN<->INET/29 highway.
  • OPNsense does identify WAN/LAN, and I don't know if that's just visual or if it means something more.
  • Also, if the endpoint-router behind the GW restarts, connections through the GW are unstable. I have to restart the GW to make it work again (that is: let clients from WAN access HAproxy on the INET/29 endpoint again). It seems to me I converted a solution into another that is not meant to be.
Somebody/your opinion?

thanks
#2
General Discussion / Re: need help with wol api
December 31, 2019, 03:40:54 AM

#Will trigger an existing uuid:
POST /wol/wol/set {uuid: 6def5e9b-ebb5-409d-ab52-912c06be7dc2}

#Will trigger a manual/undefined wake:
POST /wol/wol/set {wake: {interface: "opt22", mac: "b4:2e:99:30:da:dd"}}

#Will add a new host to the list:
POST /wol/wol/addHost {host: {interface: "opt22", mac: "b4:2e:99:30:da:dd", descr: "My Hamster"}}


The stuff in brackets is the body of the post, a json encoded object (not array).
So except the basic auth, and the endpoint (ie. "/wol/wol/set"), all variables seem to be going into the body.

It is easy to sniff into the structure via browser dev tools. Some things are more structured than the DOCS show.
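As an added illustration of the request shape described above (example code written for this page, not the WoL plugin's own client), a small builder that puts the variables into a JSON body and the credentials into a basic-auth header; the base URL, API key and secret are constructed placeholders, and the API prefix the paths hang off is an assumption.

```python
import base64
import json
import re
import urllib.request

# Constructed placeholders (not values from the post); the "/api" prefix is an assumption.
BASE_URL = "https://firewall.example/api"
API_KEY = "example-key"
API_SECRET = "example-secret"

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def _basic_auth(key, secret):
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode()


def build_wol_request(base_url, key, secret, *, uuid=None, interface=None, mac=None, descr=None):
    """Build (without sending) the POST for the WoL plugin:
    uuid -> /wol/wol/set {"uuid"}; interface+mac -> /wol/wol/set {"wake"};
    interface+mac+descr -> /wol/wol/addHost {"host"}."""
    if uuid is not None:
        endpoint, body = "/wol/wol/set", {"uuid": uuid}
    elif interface and mac:
        mac = mac.lower()
        if not _MAC_RE.match(mac):
            raise ValueError("MAC must look like aa:bb:cc:dd:ee:ff, got %r" % mac)
        if descr is None:
            endpoint, body = "/wol/wol/set", {"wake": {"interface": interface, "mac": mac}}
        else:
            endpoint, body = "/wol/wol/addHost", {"host": {"interface": interface, "mac": mac, "descr": descr}}
    else:
        raise ValueError("need either uuid or interface+mac")
    req = urllib.request.Request(base_url.rstrip("/") + endpoint,
                                 data=json.dumps(body).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")   # body is a JSON object, not a form
    req.add_header("Authorization", _basic_auth(key, secret))  # auth is the only thing outside the body
    return req


def send(req, timeout=10):
    """Send a built request over HTTPS and return the decoded JSON reply."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    req = build_wol_request(BASE_URL, API_KEY, API_SECRET, interface="opt22", mac="b4:2e:99:30:da:dd")
    print(req.full_url, req.data.decode())
    # print(send(req))  # only on a host that can reach the firewall
```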
#3
General Discussion / Re: need help with wol api
December 31, 2019, 12:41:44 AM
see
https://github.com/opnsense/plugins/blob/9e45c51384e276a785ac09502e10f7faf20739c9/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt#L63

try the "set" command and probably pass uuid either in GET or the JSON body.

Didn't test, I'm on a different mission.

m
#4
19.7 Legacy Series / Re: Nano image bug since 19.7 on APU
November 26, 2019, 07:47:22 AM
I managed to boot into the current USB serial installer, preselect the config from the internal APU SSD (side load from within the installer), having it confirmed on screen, and installed the fresh version with the old config over the internal SSD.
I was astonished the old FS was still intact.
#5
Quote from: Oliver on July 29, 2019, 12:32:39 PM

Thanks for pointing to this, but I'd like to respectfully disagree:

---

Any opinions on that?

Disclaimer: I'm a learner. I just don't know what I'm fighting against with all this IPS on VLAN problems.

My gut says your clarification is so perfect to agree, or disagree upon,
if I were you I'd file an improvement request at https://github.com/opnsense/core/issues and link back here for more background. Copy everything around "Rename the settings as follows" and any DEV can judge.
#6
19.7 Legacy Series / Re: Nano image bug since 19.7 on APU
November 20, 2019, 11:53:11 PM
me too,
after an upgrade
Did you find a solution?
#7
There is!

X-Forwarded-For carries the Original sender, but that sender is wrong.

Or how do you mean "work"?
Like make conditions for a broken SRC?

The problem is not with HAproxy, but that the outbound-NAT of OPNsense does not work with HAproxy.
It is usually not a problem with normal webservers, but in my case the software (Seafile) fails with the wrong SRC.
#8
Hi folks

I need to mask LAN-HAproxy traffic with my WAN IP.

It seems I cannot get an outbound NAT for HAproxy working.
The conditions are never met for the Outbound-NAT to hook in.

I used: Outbound NAT
- Interface: WAN
- Source: The complete 10.24.0.0/16
- Dest: WAN (HAproxy port)
- Translate IP: Interface
... still the http server sees my LAN IP.

As soon as I route the traffic via a masked outside GW loopback, the Outbound-NAT works (useless, just to illustrate).

Somebody knows a solution?
What kind of hidden shortcut is in place here?
Thanks
#9
Hi all

Edit: Sorry this belongs to the other (Suricata) forum, but it seems I cannot delete this.

I read in this doc
https://suricata.readthedocs.io/en/suricata-4.0.1/configuration/multi-tenant.html

that it's possible to distinguish configs by VLAN IDs using multi-detect.

My questions here:

  • are the default baremetal interfaces in "netmap" the ones where the VLANs tenants are based on?
  • if I want filters on VLAN-1, but empty rules on VLAN-2: will there be an inspection and latency on VLAN-2? (I ask because I had lags with OpenVPN going through Suricata. A pass rule didn't help; only disabling did.)
  • what is the most stable way for opnsense to eat my "multi-detect" config? just add it in the custom.yaml file, and reference (+TARGETS) the additional yamls?

Thanks a lot.
Best
Manu
#10
EDIT:
I think MY problem was:
My /var runs in RAM. All acme keys are gone after a reboot.
So logically all keys (pseudo-reconstructible) had to be renewed first.

https://github.com/opnsense/plugins/issues/884
#11
I have the same(?) problem.

- DNS challenge (nsupdate)
- manual/force update

But:
- The first time, the error above appears.
- The second time it goes through.

It seems as if the first time it first misses the key, then generates it (or copies it into this folder), and only applies it the second time. So "expected behaviour" because it's a manual process? But generating a new key every time shouldn't really happen, should it?

Quote from acme log (first run):
...
Read key length:
Creating domain key
Using config home:/var/etc/acme-client/home
...

Quote from acme log (second run):
...
Read key length:4096
_createcsr
...

#12
Hi,
I'd like to know if anyone..., and how difficult it was to get CUDA in Suricata on OPNsense up and running.
Thanks
Manu
#13
Hi all

I have a basic question that I don't seem to find an answer for.
Say I use HAproxy as an SSL/non-SSL reverse proxy for my non-SSL webpages in a DMZ.
I have an interest to also use HAproxy from the LAN1, because it handles the LetsEncrypt certs, and the servers don't have SSL enabled.

On which internal IP do I set HAproxy for LAN access?

- I use split-horizon DNS
- loop-back on WAN is blocked because of the (useful) privatenet/bogus-rule I guess?
- There will be more LANs, this IP should be shared across them

I tested that using the DMZ Router IP works, publishing it via the internal DNS. But I guess that way traffic passes through the router twice?

Thanks a lot
Best Manu
#14
Sorry, I guess it's minor.
And I misunderstood the facilities part.

Hostname is missing, yes, but in my case (graylog) it's harmless to override it.

m
#15
Hi

I think this thread perfectly describes my problem
https://serverfault.com/questions/155618/remote-logging-with-syslogd-can-i-change-the-hostname

Basically in syslogd's messages to a remote, the hostname is missing.
On the remote logger it mixes up with rsyslogd's messages from others, that prepend a hostname (seen as a source).

Is this intended behaviour or syslogd-only?

best
manu
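As an added example for the problem in this post (written for this page, not code from the forum or from OPNsense): a receiver-side parser that accepts both header shapes, the one with a hostname and the one where the TAG follows the timestamp directly, and records whether a hostname was actually present, falling back to the sending peer's address when it was not. The sample lines and the peer address are constructed, and the "first token ends in a colon means TAG" rule is a heuristic chosen here.

```python
import re

# Constructed sample lines as a remote collector might receive them (not taken from the post):
# lines 1 and 3 carry a hostname (rsyslog-style); line 2 has the TAG right after the
# timestamp (BSD syslogd-style, hostname absent).
SAMPLE_LINES = [
    "<34>Nov 20 11:53:11 fw01 sshd[1234]: Failed password for root from 10.24.0.5 port 4242 ssh2",
    "<38>Nov 20 11:53:12 filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.24.0.5,10.24.0.1,4242,22",
    "<13>Nov 20 11:53:13 webserver nginx: GET /index.html 200",
]

# <PRI>TIMESTAMP followed by the rest of the header
_HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
# Heuristic TAG token: program name, optional [pid], trailing colon. Hostnames never end in ':'.
_TAG_RE = re.compile(r"^[A-Za-z0-9_./-]+(\[\d+\])?:$")


def parse_bsd_syslog(line, peer_addr):
    """Parse one RFC 3164 style line; if no hostname is present, use the peer address instead."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri, timestamp, rest = m.groups()
    facility, severity = divmod(int(pri), 8)
    first, _, remainder = rest.partition(" ")
    if _TAG_RE.match(first):
        # The token where a hostname should be is already the TAG, so the hostname was omitted.
        hostname, hostname_present, tag, msg = peer_addr, False, first.rstrip(":"), remainder
    else:
        hostname, hostname_present = first, True
        tag_tok, _, msg = remainder.partition(" ")
        tag = tag_tok.rstrip(":")
    return {
        "facility": facility, "severity": severity, "timestamp": timestamp,
        "hostname": hostname, "hostname_present": hostname_present,
        "peer_addr": peer_addr, "tag": tag, "msg": msg,
    }


def parse_all(lines, peer_addr="192.0.2.1"):
    """Parse a batch of lines received from one peer (constructed peer address by default)."""
    return [parse_bsd_syslog(line, peer_addr) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        note = "" if rec["hostname_present"] else "  (hostname missing, using peer address)"
        print(rec["hostname"], rec["tag"], rec["msg"][:40] + note)
```

Keying on the peer address rather than the header hostname also means a sender cannot relabel its messages as another host's; the header value is kept only as informational.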