Messages

1

22.7 Legacy Series / Help needed setting up nginx reverse proxy

« on: December 12, 2022, 01:37:47 am »

I feel like I should have gotten this to work by now but I am misunderstanding a setting and cant seem to get nginx to work properly.

I have a server hosting two webpages behind opnsense. They are www.mydomain.com/one and www.mydomain.com/two.

The server accepts incoming connections on 443. My current working opnsense configuration to access these webpages from external IPs is to forward all 443 connections going to WAN-IP to MyServer-IP. This works but there is a quite large volume of port sniffing and random access attempts when I do this.

I would like nginx to filter for and forward only requests for www.mydomain.net/(one or two) to MyServer-IP/(one or two). A fairly standard use case for nginx, that I somehow cant get working right. I have ssl certs stored on MyServer for the domain, so in my current setup where I forward all requests on 443, MyServer will do the filtering for any request to www.mydomain.com/(one or two) and serve the correct ssl cert.

I believe the system I am looking for is transparent reverse proxy, where all nginx does is look for a request using my domain name and forwards it without modifying data or serving certs.

These are my current rules to port forward all 443 to MyServer
Firewall > NAT > Port Forward: Interface WAN, IPv4, Protocol TCP/UDP, Destination WAN net, Destination Port Range HTTPS, Redirect target IP MyServer, Redirect Target Port HTTPS

i also have one for internal subnets to reach this server using the domain name

Firewall > NAT > Port Forward: Interface subnet1 subnet2 subnet3, IPv4, Protocol TCP/UDP, Destination WAN net, Destination Port Range HTTPS, Redirect target IP MyServer, Redirect Target Port HTTPS

and then in Firewall: Rules: WAN there is an autogenerated rule for IPv4 TCP/UDP, source/port any, destination MyServer(alias), port 443

The Nginx configuration I have tried is this, based on most write ups I have found
Upstream Server
   Description: MyServer
   Server: (MyServer IP)
   Port: 80
   Priority 1
   Max Conns: 1000
   Max Fails: 10
   Fail Timeout: 60

Upstream
   Description: MyServer Backend
   Server Entries: MyServer
   LoadBalancing: WRR
   Enable TLS: False

Location
   Description: MyServer Root
   URL Pattern: /
   match type: none
   url rewriting: nothing selected

HTTP Server
   HTTP Listen 80
   HTTP Listen 443
   Server Name: www.mydomain.com
   Locations: MyDomain Root
   URL Rewriting: nothing selected

Firewall: WAN: Rules
Protocol IPv4, TCP/UDP, source/port *, Destination WAN Address 443(and same rule with 80), Gateway/schedule *

Whenever I try and connect I get a "Cannot Complete Request" error. Nginx logs show a connection attempt  by my device in http access logs with a status 404 error. I am a little confused here because it seems like I made pretty much the same forwarding rules as I did with NAT forwarding with nginx rules. But for whatever reason these requests aren't getting forwarded the same way. Hopefully it is something simple enough that someone who knows more about this can point me in the right direction.

Thanks,

2

Intrusion Detection and Prevention / Re: How to block ET CINS Active Threat Intelligence Poor Reputation?

« on: June 29, 2022, 08:34:53 pm »

Getting the policy to drop properly would be ideal for me since the list gets updated from time to time. I frequently need to access the network from random locations and machines so I cant just blot out whole IP ranges or restrict to certain devices.

Its also just a bit frustrating that using the policy to drop anything with the CINS tag doesnt seem to actually do that. It seems to be the only policy this does not work on.

3

Intrusion Detection and Prevention / How to block ET CINS Active Threat Intelligence Poor Reputation?

« on: April 23, 2022, 06:18:41 pm »

I would like to block the IP addresses in the various "IP Groups" from this list but I cant seem to get the policy correct. Some remain allowed, and others are blocked.

I have CINS selected in the tag drop down menu and "new action" set to drop but for this one list that does not seem to be enough to get suricata to actually drop everything from this ET CINS list.

The IPs involved arent being flagged by other lists first, it just seems like something about this list is still overriding my attempts to drop the connection.

4

22.1 Legacy Series / Re: recent update made host computer unable to reach its own hosted page

« on: April 23, 2022, 06:09:11 pm »

Well I sort of fixed it by disabling my firewall rules and re-enabling them. As well as flushing the arp tables. Something must have hung up in the update that a restart did not clear out.

5

Intrusion Detection and Prevention / Re: Rejected ETPro Telemetry registration

« on: April 21, 2022, 03:39:01 pm »

I had the same problem. They said they would manually review the application and contact me but never did. I assume it was because of the IP address i was using and my email is not to a normal domain like @gmail or whatever. It probably thought I was spam.

If you used a public IP and normal looking email address then perhaps it is just broken.

6

22.1 Legacy Series / [Solved?] recent update made host computer unable to reach its own hosted page

« on: April 21, 2022, 03:27:36 pm »

I have a computer on my network hosting a webpage at www.mydomain.com. External requests were forwarded to the host computer using opnsense port forward rules and I had the nat 1:1 reflection option enabled to allow other devices on my network to reach the website using www.mydomain.com instead of having to use the IP address of the host machine.

Strangely, after the most recent update of opnsense the host computer can no longer reach its own website using www.mydomain.com. It can get there using its own IP address. Every other computer on the network can still get to the page using www.mydomain.com, as can devices from external IPs.

So did something change with the way NAT reflection or forwarding rules work recently? I need an API on the host machine to be able to contact the website using the www.mydomain.com address so the ssl certs are valid.

The host computer is on its own subnet, all other machines are on various other subnets. The host is running debian stable with a LAMP stack. I am not seeing requests on the firewall from the host machine trying to reach itself, but can see other local subnet addresses communicating with the host machine, as well as external addresses. So it seems like a setting somewhere is blocking domain name resolution for this one machine all of a sudden.

7

21.7 Legacy Series / Can using LAG improve a 1gbps connection? even slightly?

« on: November 05, 2021, 07:32:50 pm »

I just got a 1gbps connection and a new sb8200 modem to handle that speed upgrade. It has two NICs for link aggregation for use on connections over 1gbps.
But I was wondering if there was any benefit at all if I used both lines on my 1gbps connection. Maybe like a load balancer or to help decrease latency if a bunch of devices are communicating through my opnsense box at the same time.

Most of the stuff I could find online was for intranetwork speed improvements for a NAS or commercial access points. Its a new concept to me so I am just looking to get up to speed on any capabilities this could bring to the table.

It kind of seems like LAG would be helpful on my PCs that are using wired connections but that would require quite a few hardware upgrades and I only have one free ethernet port on my router and one on the sb8200 for now to play with.

8

21.1 Legacy Series / Re: Default deny rule started blocking things that it should not have

« on: June 24, 2021, 08:31:18 pm »

This happens to me sometimes and is really frustrating.

Going into the ARP section and flushing the table gets things to work again. Rebooting wont work.

I think somehow, a device will be assigned an address from dhcp, like 192.168.1.133 and then that computer will disconnect from the network and log back in. The DHCP server will give the device a new IP of 192.168.1.122 and will update the ARP table accordingly(viewed from the webgui)  but traffic will be routed using the old IP even though nothing in the system is registered to that IP. The firewall sees this is a foreign/unregistered IP and blocks it.

So there is some sort of situation where traffic will get routed briefly based on some other identifier besides the IP assigned by DHCP. For the record, I am only using DHCP to assign ip addys to people on my wifi and this only happens to users on my wifi. I am not using anything other than the stock configuration for adding devices to my network. My wifi is provided by access points that have static IP addresses assigned to them that arent available to the dhcp range and will occur whether I have one AP or multiple ones(so I think its not a roaming issue caused by the APs)

9

21.1 Legacy Series / Passing a wwan to OPNsense running in KVM

« on: June 15, 2021, 07:01:51 pm »

I have a Sierra EM7565 LTE modem I use on a laptop for roaming around and for whatever reason I wanted to try passing it to a KVM of OPNsense.

I am using Virt-Manager to do this and I am passing just the USB device to OPNsense. Then when I log into OPNsense via the terminal(in the KVM window) I can see under /dev that there is a cuau0 device being added. The OPNsense webgui also sees the /dev/cuau0 device under PPP devices. Unfortunately I cant get OPNsense to communicate via AT commands to the modem.

I tried configuring the modem settings between MBIM(USBIF) and Legacy-Generic, as well as switching from qmi to mbim mode for the data link but none of the settings seem to communicate in OPNsense. For whatever reason the device does not seem to want to talk to OPNsense but will talk to Debian just fine.

The error I get in the webgui is "failure to issue AT command" and in terminal I can use

Code: [Select]

cu -l /dev/cuau0 which gives me a CONNECTED status, but I cant enter anything after that.

I was thinking I might need to pass the whole USB bus, but there is only one bus and that would take all of my USB ports, touchscreen, etc. with it.

Does anyone have any experience doing this? I don't have any other modems to try so I cant be too sure it isn't a BSD issue with this particular modem.

10

21.1 Legacy Series / Re: Suricata 6

« on: January 29, 2021, 06:44:24 pm »

I installed it and got it to work just fine.

But I will second the documentation is somewhat lacking.

11

Zenarmor (Sensei) / Installing sensei plugin breaks updates, doesnt install

« on: January 29, 2021, 06:42:05 pm »

I upgraded to 21.1, im using the libressl flavor, and then went to install the sensei plugin(first time). After it installed it never showed up in the menu tab. When I looked at the plugins page it said both the sensei plugin, and the chrony plug in were outdated. It also listed no packages or plugins besides those two. When I tried to check for new updates it said it could not contact the repository.

Uninstalling the sensei plugin reverted everything back to normal. Pretty strange, my guess is that's not supposed to happen.

12

20.7 Legacy Series / Re: How to switch from ntpd to chrony?

« on: January 28, 2021, 02:11:17 am »

I think I got it working, hope this helps anyone else.

The firewall time seemed to update itself. But since it was suggested to add a cron job I just did this:
crontab -e
which opened up the cron jobs already enabled in opnsense. Then I added

*    3    *    *    *     (ntpdate -v -u 192.168.1.1) > /dev/null

So hopefully this means it will update tomorrow morning at 3am. And every day after.

13

20.7 Legacy Series / Re: How to switch from ntpd to chrony?

« on: January 27, 2021, 02:55:29 pm »

Thanks, ill get on the suggestions. I goofed not specifying the subnets correctly.

14

20.7 Legacy Series / Re: How to switch from ntpd to chrony?

« on: January 26, 2021, 02:20:11 am »

meh, it took a while but the time did not resync for my client. So it must be misconfigured the way I had it setup

15

20.7 Legacy Series / How to switch from ntpd to chrony? [SOLVED]

« on: January 26, 2021, 02:03:25 am »

I currently have the opnsense ntpd setup to provide time sync for all connected clients and to force any client trying to use its own ntp address to sync with the opnsense ntp.

I would like to do a similar thing using chrony so that I can also take advantage of NTS since that is now available. 

This is how I configured it

enabled: true
listen port: 123 (it defaulted to 323 for some reason)
nts client support: true
ntp peers: time.cloudflare.com
allowed networks: 192.168.1.1 , 192.168.2.1 (my subnets)

Then I stopped the ntp service, there seemed to be no way to explicitly disable ntpd in the gui.

Is this set up correct?

how can I disable ntpd in opnsense? I assume it will just restart after a reboot.