1
21.7 Legacy Series / Re: Valid setup for several virtual machines with a web server in a DMZ
« on: April 21, 2022, 04:55:29 pm »
Thanks for the hint about haproxy. I will test this one.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
21.7 Legacy Series / Re: Valid setup for several virtual machines with a web server in a DMZ
« on: April 21, 2022, 04:30:37 pm »
As I still want to use NAT and multiple VMs with similar services I guess I have to use a reverse proxy.
3
21.7 Legacy Series / Re: Valid setup for several virtual machines with a web server in a DMZ
« on: April 21, 2022, 03:37:51 pm »
Thank you for the information.
I am using a public ipv4 lan segment with no access from the outside in the DMZ for management tasks. I will check vlans but a new box with more ports makes more sense to me.
I have a /64 IPv6 segment with public ip addresses for the DMZ. On the WAN interface I have one public IPv4 address.
I am using a public ipv4 lan segment with no access from the outside in the DMZ for management tasks. I will check vlans but a new box with more ports makes more sense to me.
I have a /64 IPv6 segment with public ip addresses for the DMZ. On the WAN interface I have one public IPv4 address.
4
21.7 Legacy Series / Re: Valid setup for several virtual machines with a web server in a DMZ
« on: April 18, 2022, 07:38:04 am »
@zerwes
Thank you for your reply.
I have no port left on the firewall to have a separate management network. I will consider this when I buy my next firewall system with more lan ports.
If the port forwarding is only to one IP what other possibility do I have so I can use several systems with the same port?
Thank you for your reply.
I have no port left on the firewall to have a separate management network. I will consider this when I buy my next firewall system with more lan ports.
If the port forwarding is only to one IP what other possibility do I have so I can use several systems with the same port?
5
21.7 Legacy Series / [SOLVED] Valid setup for several virtual machines with a web server in a DMZ
« on: April 17, 2022, 05:39:04 pm »
Hello community,
I am using OPNsense 21.7.7 on a pcengines apu2d4.
I have an ESXi Server in the DMz with several virtual machines. On these virtual machines I run apache web server.
Each virtual machine has a private IPv4 and a public IPv6 address.
I have the following configuration to access these web servers.
- All virtual machines are in an alias WEB
NAT - WAN
- I have one Port forward for http / tcp / IPv6 port 80 / Redirect target IP: WEB
- I have one Port forward for http / tcp / IPv6 port 443 / Redirect target IP: WEB
RULES - WAN
- I have one rule for http / tcp / IPv6 port 80 / Destination: WEB
- I have one rule for http / tcp / IPv6 port 443 / Destination: WEB
I started with one web server and everything is fine.
When the 2nd web server comes in I observse some strange things with using certbot to get an ssl certificate. From the outside it seems that sometimes the 1st web server is answering.
On the DNS for my domain (at my domain provider) I have a default entry which has the 1st virtual machine as target.
Is this the correct setup for this usage?
If this is not the correct setup how can I configure my firewall to have several web servers on different systems with different IPs?
Best regards
--Christian
I am using OPNsense 21.7.7 on a pcengines apu2d4.
I have an ESXi Server in the DMz with several virtual machines. On these virtual machines I run apache web server.
Each virtual machine has a private IPv4 and a public IPv6 address.
I have the following configuration to access these web servers.
- All virtual machines are in an alias WEB
NAT - WAN
- I have one Port forward for http / tcp / IPv6 port 80 / Redirect target IP: WEB
- I have one Port forward for http / tcp / IPv6 port 443 / Redirect target IP: WEB
RULES - WAN
- I have one rule for http / tcp / IPv6 port 80 / Destination: WEB
- I have one rule for http / tcp / IPv6 port 443 / Destination: WEB
I started with one web server and everything is fine.
When the 2nd web server comes in I observse some strange things with using certbot to get an ssl certificate. From the outside it seems that sometimes the 1st web server is answering.
On the DNS for my domain (at my domain provider) I have a default entry which has the 1st virtual machine as target.
Is this the correct setup for this usage?
If this is not the correct setup how can I configure my firewall to have several web servers on different systems with different IPs?
Best regards
--Christian
6
General Discussion / Re: IPv6 / Questions about DNS, WAN interface and internal LAN
« on: June 05, 2020, 11:49:20 am »
@marjohn56
Many thanks for your information.
I had problems of understanding with the /56 and /64 I got from my ISP Telekom. I found an entry in the telekom community
https://telekomhilft.telekom.de/t5/Festnetz-Internet/IPv6-im-LAN-bereitstellen/td-p/3852995. It is in German language. It explains that the /64 is an segmant where my router gets automatically an IP address to talk with the world. The /56 is for my usage.
With this information your information makes sense and solved my problem
Many thanks for your information.
I had problems of understanding with the /56 and /64 I got from my ISP Telekom. I found an entry in the telekom community
https://telekomhilft.telekom.de/t5/Festnetz-Internet/IPv6-im-LAN-bereitstellen/td-p/3852995. It is in German language. It explains that the /64 is an segmant where my router gets automatically an IP address to talk with the world. The /56 is for my usage.
With this information your information makes sense and solved my problem
7
General Discussion / Re: IPv6 / Questions about DNS, WAN interface and internal LAN
« on: June 05, 2020, 10:03:13 am »
@marjohn56,
Quote
/56 address block is not link-local, they are global addresses as I explained, not local only.Ok
Quote
You can assign a separate /64 IPv6 range to each LAN interfaceThat was what I am looking for. How can I do this?
8
General Discussion / Re: IPv6 / Questions about DNS, WAN interface and internal LAN
« on: June 04, 2020, 04:57:46 pm »
Hello marjohn56,
thank you for your information.
I have checked the IPv6 leases shown in OPNsense gui again. These IPv6 addresses are from the /56 block which I understand is link-local.
When I understand your information correctly this comes from my "IPv6 Configuration Type" setup for the WAN interface which is DHCPv6.
How can I use the global /64 IPv6 addresses in the DMZ? Is this possible via OPNsense / DHCPv6 or do I have to configure this on my systems lan configuration?
Best regards
--Christian
thank you for your information.
I have checked the IPv6 leases shown in OPNsense gui again. These IPv6 addresses are from the /56 block which I understand is link-local.
When I understand your information correctly this comes from my "IPv6 Configuration Type" setup for the WAN interface which is DHCPv6.
How can I use the global /64 IPv6 addresses in the DMZ? Is this possible via OPNsense / DHCPv6 or do I have to configure this on my systems lan configuration?
Best regards
--Christian
9
General Discussion / IPv6 / Questions about DNS, WAN interface and internal LAN (solved)
« on: June 03, 2020, 03:04:54 pm »
Hello Community,
before I start with my questions I would like to say thank you to the OPNsense team and the community for having this software. It is working very well and I am happy to use it. It took me some time after the discontinue from monowall to choose another firewall system. I am glad to be here now.
I have searched the forum but found not the information I seek in the search results.
I have a DSL connection from the German provider Telekom. I am using OPNsense 20.1.7 on a apu2 (pcengine)
Beside one public IPv4 address I have received
1x /56 IPv6 for private use
1x /64 for public use
I have configured the public IPv6 /64 according to https://wiki.opnsense.org/manual/how-tos/ipv6_dsl.html.
In the leases overview from the OPNsense GUI I can see several systems using a public IPv6 address. This address seems to be defined by SLAAC. Is this IPv6 public address always the same so I can use it for DNS entries?
I see an official IPv6 address on the LAN interface. I have expected to see it on the WAN interface. Is this behavior correct?
The /56 is divided in 56 IPv6 address blocks. Is it possible to use OPNsense as DHCPv6 server for a private LAN?
Best regards
Christian
before I start with my questions I would like to say thank you to the OPNsense team and the community for having this software. It is working very well and I am happy to use it. It took me some time after the discontinue from monowall to choose another firewall system. I am glad to be here now.
I have searched the forum but found not the information I seek in the search results.
I have a DSL connection from the German provider Telekom. I am using OPNsense 20.1.7 on a apu2 (pcengine)
Beside one public IPv4 address I have received
1x /56 IPv6 for private use
1x /64 for public use
I have configured the public IPv6 /64 according to https://wiki.opnsense.org/manual/how-tos/ipv6_dsl.html.
In the leases overview from the OPNsense GUI I can see several systems using a public IPv6 address. This address seems to be defined by SLAAC. Is this IPv6 public address always the same so I can use it for DNS entries?
I see an official IPv6 address on the LAN interface. I have expected to see it on the WAN interface. Is this behavior correct?
The /56 is divided in 56 IPv6 address blocks. Is it possible to use OPNsense as DHCPv6 server for a private LAN?
Best regards
Christian
10
Tutorials and FAQs / [Hints] VDSL2 / Speedport Smart 2 / OPNsense 18.1.6
« on: April 25, 2018, 06:31:31 pm »
Hi community,
it cost me some time to get my setup running. I would like to give some information how to do that so if someone has the same components / setup he might save some time.
My setup:
- Telekom VDSL2 100Mbit
- Telekom Speedport Smart 2 (SS2) as Modem
- PC Engines APU2C4 with OPNsense 18.1.6
The Speedport Smart 2 comes by default with the IP 192.168.2.1.
If the DSL connection is not working you have to check the status again before able to continue with the setup wizard.
After the setup wizard you can see the web gui. Either in "Heimnetzwerk" (Home Network) or "Einstellungen" (Setup) you are able to declare this device to act as a modem.
The device will reboot after this configuration. It will change its IP to 169.254.2.1 (ports 1-3).
When you connect again you will see only a status page.
The WAN port from the APU2C4 has to be connected to LAN port 4 of the SS2.
In OPNsense you have to configure
- PPPoE user (anschlusskennung+zugangsnummer+mitbenutzer@t-online.de)
Example: 1122334455669988776655440001@t-online.de
- PPPoE Password (Ihr persönliches Kennwort)
Telekom use VLAN id 7. In OPNsense you have to configure this VLAN id in Interfaces -> Other Types -> VLAN.
Additionally you have to assign this new PPPoE Interface with VLAN 7 to the WAN port. Interfaces -> Assignments. This step took me some time and was the reason to create this topic in the forum.
After this my setup was running properly and I could enjoy 100Mbit
Regards
--Christian
it cost me some time to get my setup running. I would like to give some information how to do that so if someone has the same components / setup he might save some time.
My setup:
- Telekom VDSL2 100Mbit
- Telekom Speedport Smart 2 (SS2) as Modem
- PC Engines APU2C4 with OPNsense 18.1.6
The Speedport Smart 2 comes by default with the IP 192.168.2.1.
If the DSL connection is not working you have to check the status again before able to continue with the setup wizard.
After the setup wizard you can see the web gui. Either in "Heimnetzwerk" (Home Network) or "Einstellungen" (Setup) you are able to declare this device to act as a modem.
The device will reboot after this configuration. It will change its IP to 169.254.2.1 (ports 1-3).
When you connect again you will see only a status page.
The WAN port from the APU2C4 has to be connected to LAN port 4 of the SS2.
In OPNsense you have to configure
- PPPoE user (anschlusskennung+zugangsnummer+mitbenutzer@t-online.de)
Example: 1122334455669988776655440001@t-online.de
- PPPoE Password (Ihr persönliches Kennwort)
Telekom use VLAN id 7. In OPNsense you have to configure this VLAN id in Interfaces -> Other Types -> VLAN.
Additionally you have to assign this new PPPoE Interface with VLAN 7 to the WAN port. Interfaces -> Assignments. This step took me some time and was the reason to create this topic in the forum.
After this my setup was running properly and I could enjoy 100Mbit
Regards
--Christian
11
General Discussion / Re: tcp:s entries in log file (normal view) from wan interface to hosts on port 80
« on: October 05, 2016, 10:04:08 pm »
hello jos,
many thanks for your answer and information.
best regards
--christian
many thanks for your answer and information.
best regards
--christian
12
General Discussion / tcp:s entries in log file (normal view) from wan interface to hosts on port 80
« on: October 04, 2016, 10:25:43 pm »
hi community,
before i start with my questions i would like to say thank you to the developers and the community about their great work to have this software available.
i am using 16.7.5 on a apu2c4 system from pcengines.
when i check the log files (normal view) i see many entries like the attached screen shot.
a click on the line tells me it comes from rule 67.
i have not created such a rule by myself directly.
is this a automatic / default rule?
i am a bit irritated because it says pass to a connection attempt from my opnsense box to a host unknown to me on port 80.
can someone explain this entry in the log file please.
best regards
--christian
before i start with my questions i would like to say thank you to the developers and the community about their great work to have this software available.
i am using 16.7.5 on a apu2c4 system from pcengines.
when i check the log files (normal view) i see many entries like the attached screen shot.
a click on the line tells me it comes from rule 67.
Code: [Select]
@67 pass out log route-to (pppoe0 213.148.133.205) inet from 92.194.107.220 to ! 92.194.0.0/15 flags S/SA keep state allow-opts label "let out anything from firewall host itself"i have not created such a rule by myself directly.
is this a automatic / default rule?
i am a bit irritated because it says pass to a connection attempt from my opnsense box to a host unknown to me on port 80.
can someone explain this entry in the log file please.
best regards
--christian
Pages: [1]