Messages - orsomannaro

#1
General Discussion / VLAN routing
February 01, 2023, 09:59:11 AM
In my DMZ I have a VPS running a mail-server and I want to reach its webmail interface even through a VLAN subnet.

So, on OPNSense I created the "vSrvDMZ" VLAN with DMZ as "Parent" and in the VPS I add a NIC attached to it.

OPNSense Live View shows me that when I try to connect to webmail from LAN using the IP address of the VLAN interface, the network traffic successfully reaches the mail server through the VLAN interface but comes back through the DMZ interface, correctly using the default gateway of the VPS.

I'm in doubt as to what is the correct way to handle this thing. Natting traffic on OPNSense? Or is it possible to configure the NIC of the VPS to forward traffic from the VLAN through the same VLAN?

Thanks for any help.
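As an added example (not from the original post, and not an OPNsense setting), this is the host-side answer to the second option asked about: Linux source-based policy routing on the VPS, so that anything the server sends from its VLAN address leaves through the VLAN NIC instead of following the DMZ default gateway. Interface names, the table number and the addresses are assumed placeholders, and the OPNsense vSrvDMZ interface address is assumed to be the VLAN gateway.

```shell
#!/bin/sh
# Added example (not from the original post): source-based policy routing on
# the VPS so that replies to connections that arrived on the VLAN NIC leave
# through the VLAN NIC instead of the DMZ default gateway. Interface names,
# table number and addresses are placeholders; adjust them to the VPS.
set -eu

VLAN_DEV="${VLAN_DEV:-eth1}"             # NIC attached to the vSrvDMZ VLAN (assumed name)
VLAN_IP="${VLAN_IP:-10.20.30.10}"        # VPS address on the VLAN (assumed)
VLAN_NET="${VLAN_NET:-10.20.30.0/24}"    # VLAN subnet (assumed)
VLAN_GW="${VLAN_GW:-10.20.30.1}"         # OPNsense vSrvDMZ interface address (assumed)
TABLE="${TABLE:-100}"                    # dedicated routing table for VLAN-sourced traffic

# Dotted-quad IPv4 address -> 32-bit integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeeds when address $1 lies inside CIDR $2 (e.g. 10.20.30.10 10.20.30.0/24).
ip4_in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the iproute2 commands that implement the policy. Table $TABLE holds
# the VLAN's connected route plus a default route via the OPNsense VLAN
# address; the rule sends every packet *sourced* from $VLAN_IP to that table,
# so the main table's DMZ default route is never consulted for those replies.
policy_route_cmds() {
    cat <<EOF
ip route replace $VLAN_NET dev $VLAN_DEV src $VLAN_IP table $TABLE
ip route replace default via $VLAN_GW dev $VLAN_DEV table $TABLE
ip rule add from $VLAN_IP lookup $TABLE priority 1000
EOF
}

# Validate the placeholders, apply the commands, then ask the kernel which
# interface a packet from $VLAN_IP to an arbitrary remote address would use.
apply_policy_routes() {
    ip4_in_cidr "$VLAN_IP" "$VLAN_NET" || { echo "$VLAN_IP is not in $VLAN_NET" >&2; return 1; }
    ip4_in_cidr "$VLAN_GW" "$VLAN_NET" || { echo "$VLAN_GW is not in $VLAN_NET" >&2; return 1; }
    policy_route_cmds | sh -e
    ip route get 198.51.100.1 from "$VLAN_IP" | grep -q "dev $VLAN_DEV"
}

# Print the commands by default; apply them only when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    apply_policy_routes
else
    policy_route_cmds
fi
```

The rule and routes are not persistent; once they work, move them into the distribution's network configuration (netplan routing-policy, or post-up lines in /etc/network/interfaces). Since the capture shows LAN traffic already arriving on the VLAN NIC, reverse-path filtering is not blocking it here, but on a host with rp_filter=1 on that NIC the incoming packets would be dropped before routing is even consulted, so check that sysctl when the same symptom appears elsewhere.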
#2
Virtual private networks / Management VLAN and DMZ
December 17, 2022, 09:36:19 AM
I'm just getting started with VLANs and I need some help from more experienced users to properly design the management VLAN.

I have an OPNsense appliance with 3 NICs: WAN, LAN, DMZ. In this case LAN and DMZ are already isolated, but to start playing with VLAN, I'm planning to use one VLAN for servers and workstations attached to the LAN interface and one for servers attached to the DMZ interface.

My question is: should there be only one management VLAN, used to manage both the servers in the LAN and the servers in the DMZ, or is it better to create two separate management VLANs, one for the LAN and one for the DMZ?

(I have this doubt because I've always read "management VLAN", in the singular, but it doesn't seem right to me to put LAN and DMZ administration services under the same broadcast domain)

Thank you.
#3
I found the "problem" ...

Using "Packet Capture" (Interfaces->Diagnostics->Packet Capture) I found an OPNsense response from an "unknown" IP and light bulb went on in my head ...

The ISP has given us some public IP addresses that we use for our services. But the router that manages the Hiperlan connection antenna dynamically assigns (via PPPoE) another public IP to the WAN interface of OPNsense, which is the one actually used by WireGuard.

Using this address as peer endpoint in the client configuration (and changing the firewall rule for WAN interface port 51820) the VPN started working.

In order to use one of the virtual public IP addresses I think it is necessary not to associate the device to an interface and to manually create an Outbound rule that directs the outgoing traffic from the WireGuard device to the desired virtual public IP (but I haven't tested it yet ... )
#4
Ok... After many attempts, trying to drop and recreate server and endpoints and also using an android client with mobile Internet connection, I give up.

But I would like to test Wireguard as well, so the question is still open for anyone who wants to help me fix it. Thank you.
#5
I'm trying to set up a WireGuard VPN. The connection takes place (firewall logs say so) but no handshake occurs with either the Ubuntu or the Windows client. I made several tests, also manually setting Outbound rules, but without being able to solve it.

Note:
- WAN is a Hiperlan connection and I manage 8 public IPs (configured as Virtual IPs on OPNsense)
- In the firewall rule for WAN port 51820 I had to set as "Destination" the Alias (PubCloud) of the public IP address used for the VPN connection (otherwise it would not work, probably due to the multiple IPs).

OPNsense config:

I took some screenshots ... I tried to follow the official OPNsense documentation (as well as checking some how-tos on the Internet), assigning the wg1 device to a dedicated interface.

VPN:
VPN-WireGuard-local
VPN-WireGuard-endpoint
VPN-WireGuard-status
VPN-WireGuard-handshakes

Interface:
Interfaces-Assignments
Interfaces-WireGuard1
System-Routes-Status

Firewall:
Firewall-Log-port_51820
Firewall-Rules-WAN
Firewall-Rules-WireGuard _Group
Firewall-Rules-WireGuard1

Client config:

[Interface]
Address = 10.10.10.2/32
PrivateKey = YP8<8<8<8<8<8<8<8<8<8<8<8<8<c=

[Peer]
Endpoint = 185.x.x.x:51820
PublicKey = A18<8<8<8<8<8<8<8<8<8<8<8<8<Ww=
AllowedIPs = 10.10.10.0/24, 192.168.0.0/24
PersistentKeepalive = 15

Thanks for any help!
#6
Quote from: fabian on March 04, 2017, 12:42:20 PM
Do you use 17.1.2?

Updating OPNsense to version 17.1.2 the script works fine.

Thank you so much Fabian!
#7
Quote from: fabian on March 04, 2017, 12:42:20 PM
this means you do not have the string "__opnsense_csrf" in the body. Do you use 17.1.2?

I'm running OPNsense 16.7

I've updated your script to use port 4443:

indexpage = URI("https://#{SERVER_IP}:4443/index.php")
backuppage = URI("https://#{SERVER_IP}:4443/diag_backup.php")



Quote
For debugging, can you add those three lines:

puts d.code
puts d.body
exit 0

after d is assigned (line 40)?

This is the output:


200
<!doctype html>
<!--[if IE 8 ]><html lang="en" class="ie ie8 lte9 lte8 no-js"><![endif]-->
<!--[if IE 9 ]><html lang="en" class="ie ie9 lte9 no-js"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en" class="no-js"><!--<![endif]-->
  <head>

    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

    <meta name="robots" content="index, follow, noodp, noydir" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />

    <title>Login</title>

    <link href="/ui/themes/opnsense/build/css/main.css" rel="stylesheet">
    <link href="/ui/themes/opnsense/build/images/favicon.png" rel="shortcut icon">

    <!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->

  <script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script><script type="text/javascript">var csrfMagicToken = "sid:7a7f16c6317e0e693af8c8d09a4244ea2f82319e,1488785494;ip:a066ee2908007256ef908b4091d91f35f963ab4c,1488785494";var csrfMagicName = "__csrf_magic";</script><script src="/csrf/csrf-magic.js" type="text/javascript"></script></head>
  <body class="page-login">

  <div class="container">
   

    <main class="login-modal-container">
      <header class="login-modal-head" style="height:55px;">
        <div class="navbar-brand">
          <img src="/ui/themes/opnsense/build/images/default-logo.png" height="30" alt="logo"/>
        </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off" action="/index.php"><input type='hidden' name='__csrf_magic' value="sid:7a7f16c6317e0e693af8c8d09a4244ea2f82319e,1488785494;ip:a066ee2908007256ef908b4091d91f35f963ab4c,1488785494" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>

     
          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org" class="redlnk">OPNsense</a> (c) 2014-2016        <a href="https://www.deciso.com/" class="tblnk">Deciso B.V.</a>
      </div>

    </div>

    <script type="text/javascript">CsrfMagic.end();</script></body>
  </html>
#8
Thank you all for your help!


> can you remove the -q

The error is: 403 Forbidden


> I made my own script to help you out

Thank you very much Fabian!

I installed ruby. Ubuntu server 16.04 repository version is: ruby 2.3.1p112 (2016-04-26).

Running your script I have this error:

/usr/local/bin/Backuppc_OPNsense.rb:42:in `<main>': undefined method `scan' for nil:NilClass (NoMethodError)

In OPNsense I see the connection logs with pass status.

I'm searching this error on internet ...
#9
Hi Franco.

Thanks for your reply, but changing /bin/bash to /bin/sh doesn't solve the problem.

I suppose that the problem resides in the wget instruction parameters.

#10
I'm migrating from PfSense to OPNsense.

To backup the configuration settings I'm following this guide:

https://wikit.firewall-services.com/doku.php/tuto/sauvegardes/sauvegarde_pfsense_2

but the script for OPNsense doesn't work:


#!/bin/bash -e

OUT='/var/backups/opnsense'
TMP=$(mktemp -d)
URL='https://opnsense.domain.tld'
LOGIN='backupusr'
PASS='p@ssw0rd'

# Submit the login form with the previous values, and save a new CSRF token
/usr/bin/wget -q -O /dev/null --keep-session-cookies --save-cookies $TMP/cookies.txt --no-check-certificate  \
   --post-data "login=Login&usernamefld=$LOGIN&passwordfld=$PASS" $URL/diag_backup.php

# Save only the config
/usr/bin/wget -q --keep-session-cookies --load-cookies $TMP/cookies.txt --save-cookies $TMP/cookies.txt --no-check-certificate \
    --post-data "download=Download%20Configuration&donotbackuprrd=yes" $URL/diag_backup.php -O $OUT/config-pfsense.xml

rm -f $TMP/*.txt
rmdir $TMP


Can somebody help me adjust the script code the right way?


Thanks for your help.
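As an added example (not the script from the linked guide and not fabian's Ruby script), here is a version of the backup that handles the __csrf_magic token visible in the login page quoted earlier in this thread: csrf-magic injects a hidden input into every form and rejects a POST that does not echo it back, which is why a script that posts the login form blind never gets a session. Host, username, password and output directory are placeholders; the field names, the login button value and the two page paths come from the quoted HTML and from the original script, and it is assumed that diag_backup.php embeds its own __csrf_magic input after login, as csrf-magic does for every form. curl is used instead of wget because --data-urlencode keeps special characters in the password from corrupting the form body. The token parser and the XML sanity check run offline against a constructed sample; the network part only runs when the script is invoked with "run".

```shell
#!/bin/sh
# Added example: CSRF-aware OPNsense config backup (not the script from the
# linked guide and not fabian's Ruby script). Every POST must carry the
# __csrf_magic token that the preceding GET embedded in the page; the
# original script posts without one. Host, user, password and output
# directory are placeholders.
set -eu

URL="${URL:-https://opnsense.domain.tld}"   # placeholder
LOGIN="${LOGIN:-backupusr}"                  # placeholder
PASS="${PASS:-p@ssw0rd}"                     # placeholder
OUT="${OUT:-/var/backups/opnsense}"          # placeholder

# Print the __csrf_magic value embedded in an HTML page read from stdin
# (the hidden <input ... name='__csrf_magic' value="..."> that csrf-magic
# injects into every form). Prints nothing if the page has no token.
extract_csrf_token() {
    grep -o "name='__csrf_magic' value=\"[^\"]*\"" | head -n 1 \
        | sed 's/.*value="//; s/"$//'
}

# True if the text in $1 is an XML document rather than the HTML login or
# error page (the symptom in this thread: the "download" returned HTML).
looks_like_config_xml() {
    case "$1" in
        '<?xml'*) return 0 ;;
        *)        return 1 ;;
    esac
}

# HTTP helper sharing one cookie jar so the PHP session survives across calls.
# -k mirrors --no-check-certificate in the original; in production replace it
# with --cacert <your-CA.pem> so a spoofed firewall cannot harvest the password.
http() {   # http URL [curl options...]
    curl -sSk -b "$JAR" -c "$JAR" "$@"
}

backup_config() {
    JAR=$(mktemp)
    trap 'rm -f "$JAR"' EXIT

    # 1. GET the login page to obtain a session cookie and its CSRF token.
    tok=$(http "$URL/index.php" | extract_csrf_token)
    [ -n "$tok" ] || { echo "no CSRF token on login page" >&2; return 1; }

    # 2. POST the login form with the token. --data-urlencode keeps a password
    #    containing &, = or % from corrupting the form body.
    http "$URL/index.php" \
        --data-urlencode "__csrf_magic=$tok" \
        --data-urlencode "usernamefld=$LOGIN" \
        --data-urlencode "passwordfld=$PASS" \
        --data "login=1" -o /dev/null

    # 3. The backup form carries its own token; fetch the page and read it.
    tok=$(http "$URL/diag_backup.php" | extract_csrf_token)
    [ -n "$tok" ] || { echo "login failed (no token on diag_backup.php)" >&2; return 1; }

    # 4. POST the download request and keep the result only if it is XML.
    body=$(http "$URL/diag_backup.php" \
        --data-urlencode "__csrf_magic=$tok" \
        --data "download=Download%20Configuration&donotbackuprrd=yes")
    if looks_like_config_xml "$body"; then
        printf '%s\n' "$body" > "$OUT/config-opnsense.xml"
        chmod 600 "$OUT/config-opnsense.xml"   # the backup contains secrets
    else
        echo "download returned a non-XML page; check credentials and token handling" >&2
        return 1
    fi
}

# Constructed sample: the hidden input from the login page quoted in this thread.
SAMPLE_LOGIN_PAGE="<form id=\"iform\" method=\"post\" action=\"/index.php\"><input type='hidden' name='__csrf_magic' value=\"sid:7a7f16c6317e0e693af8c8d09a4244ea2f82319e,1488785494;ip:a066ee2908007256ef908b4091d91f35f963ab4c,1488785494\" /></form>"

# Token extraction run on the constructed sample (offline check).
demo_extract() {
    printf '%s\n' "$SAMPLE_LOGIN_PAGE" | extract_csrf_token
}

# Only talk to the firewall when explicitly asked: ./backup.sh run
if [ "${1:-}" = "run" ]; then
    backup_config
fi
```

Two points carry over from the original script: the password is embedded in a file, so keep that file readable only by the backup account and use a dedicated OPNsense user that has no rights beyond the backup page, and the saved XML contains the firewall's secrets, so treat the output directory with the same care.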