1
19.7 Legacy Series / Re: IPv6
« on: November 17, 2019, 06:55:18 pm »
As a VPN endpoint (OpenVPN/IPsec/WireGuard). As endpoints for a Load Balancer (haproxy/nginx). As an address for a MTA (postfix plugin)
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
19.7 Legacy Series / Re: Cannot get pfsync to work: pfsync bulk fail
« on: October 12, 2019, 10:52:28 pm »
Please show screenshots of the HA/pfsync setting. I suspect there's something wrong there.
3
19.7 Legacy Series / Re: Creating a Unbound host override breaks service
« on: September 18, 2019, 11:19:57 am »
They said they will not remove it before most functions have their equivalent in the Web UI, which would mean there has to be an comprehensive Zone Management for Unbound before that happens.
I also use that field to define stub- and forward-zones and as a consequence domain-insecure to forward requests to other DNS servers and for split-DNS.
I also use that field to define stub- and forward-zones and as a consequence domain-insecure to forward requests to other DNS servers and for split-DNS.
4
19.7 Legacy Series / Re: Creating a Unbound host override breaks service
« on: September 18, 2019, 09:38:44 am »
I think copying the quotes is the problem if your Unbound is crashing after adding the static zone.
Try typing it manually.
I have:
Try typing it manually.
I have:
Code: [Select]
server:
local-zone: "use-application-dns.net." always_nxdomain
And it works, all queries to the domain return nxdomain.
5
Documentation and Translation / Re: 2FA to multi factor authentication
« on: September 14, 2019, 10:22:41 pm »
When you select "File only" (the default) you get an .ovpn file invluding the certificates in the same file appended. If you do not get that it is indeed a bug or corrupt config.
I get a correct ovpn file on 19.7.4_1.
I get a correct ovpn file on 19.7.4_1.
6
19.7 Legacy Series / Re: DNS mismatch firewall alias table and host query
« on: September 14, 2019, 08:32:36 am »
Most of the time the CDN providers also give their customers an A record which contains only the IPs that are used to server their content.
Edit:
Cloudfront has a list as json:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
Edit2:
I think the correct way to implement this kind of filtering would be using the proxy and only whitelist the required URLs.
Edit:
Cloudfront has a list as json:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
Edit2:
I think the correct way to implement this kind of filtering would be using the proxy and only whitelist the required URLs.
7
19.7 Legacy Series / Re: DNS mismatch firewall alias table and host query
« on: September 13, 2019, 06:19:42 pm »
The technically correct method for the OPNSense would be to cache the alias IPs for the ttl of the DNS entry and also add the IPs that clients resolve on the OPNSense on the fly (maybe using passivedns?)
Your solution will be to use the vendor website or the reverse DNS of the IPs to find out if the CDN provider also has a DNS A record that includes all the IPs wich server this website and use it for your alias.
Your solution will be to use the vendor website or the reverse DNS of the IPs to find out if the CDN provider also has a DNS A record that includes all the IPs wich server this website and use it for your alias.
8
19.7 Legacy Series / Re: Creating a Unbound host override breaks service
« on: September 13, 2019, 08:28:42 am »
Try to remove the comment.
Nevertheless it will not stop Firefox as use-application-dns.net is just a canary domain as explained here https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Firefox will check if NXDOMAIN is returned.
You could use the unbound options field to add a local zone:
local-zone: "use-application-dns.net" static
This will return NXDOMAIN.
Nevertheless it will not stop Firefox as use-application-dns.net is just a canary domain as explained here https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Firefox will check if NXDOMAIN is returned.
You could use the unbound options field to add a local zone:
local-zone: "use-application-dns.net" static
This will return NXDOMAIN.
9
19.7 Legacy Series / Re: Creating a Unbound host override breaks service
« on: September 12, 2019, 10:39:43 pm »
Just FYI:
To block DoH you need to return a NXDOMAIN, 0.0.0.0 is a valid reserved IP address and as such will not block DoH.
To block DoH you need to return a NXDOMAIN, 0.0.0.0 is a valid reserved IP address and as such will not block DoH.
10
German - Deutsch / Re: AirPrint zwischen zwei VLANS
« on: September 12, 2019, 10:33:04 pm »
Wenn du auf dem Interface VLAN10 als Quelle auch VLAN10 nimmst sollte es funktionieren.
Edit: Bei VLAN20 natürlich dasselbe
Edit: Bei VLAN20 natürlich dasselbe
11
19.1 Legacy Series / Re: 2 NIC with same GW
« on: September 06, 2019, 07:03:11 am »
You can add the 2nd IP as an Alias IP to WAN2.
Then you can use outbound NAT to send the packets out the right IP.
Then you can use outbound NAT to send the packets out the right IP.
12
19.7 Legacy Series / Re: Outbound NAT before IPSEC for"This firewall"
« on: September 04, 2019, 09:07:00 am »
Thanks for the suggestion, this should work in many cases.
Unfortunately the WAN uses DHCP in this case.
Unfortunately the WAN uses DHCP in this case.
13
19.7 Legacy Series / Outbound NAT before IPSEC for"This firewall"
« on: September 04, 2019, 08:35:59 am »
I have the following constellation:
Local Servers-----OPNSense-----WAN-----Sophos----Remote Servers
OPNSense and Sophos have a S2S IPSec VPN
Local Subnet 10.99.201.0/24
Remote Subnet 10.99.11.0/24
This works fine, but I want to be able to access the Remote Servers (I have one Domain COntroller local and two remote) with the OPNsense.
Obviously this does not work out of the box, because packets from the Sense itself are routed out the WAN, whose IP is not allowed in the S2S tunnel.
So I added the following Outbound NAT Rule on the top:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN This Firewall * Remote Subnet * 10.99.201.1 * NO
afaik this should masquerade the requests coming from the OPNsense with its IP in the Local Subnet which is allowed in the Tunnel.
Unfortunately this does not work.
Can someone explain to me how I get this to work?
I have a workaround for Unbound, which is to select the Local Subnet as Outgoing Interface which allows the OPNsense to use the Remote DCs for DNS queries. But this workaround does not work for authentication, as it is not possible to select an outgoing interface for LDAP servers. Which means I have no redundancy for authentication when the local DC is not available.
Can anybody enlighten me if a.) this should work or b.) show me another workaround to use the remote DCs for LDAP over S2S
Local Servers-----OPNSense-----WAN-----Sophos----Remote Servers
OPNSense and Sophos have a S2S IPSec VPN
Local Subnet 10.99.201.0/24
Remote Subnet 10.99.11.0/24
This works fine, but I want to be able to access the Remote Servers (I have one Domain COntroller local and two remote) with the OPNsense.
Obviously this does not work out of the box, because packets from the Sense itself are routed out the WAN, whose IP is not allowed in the S2S tunnel.
So I added the following Outbound NAT Rule on the top:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN This Firewall * Remote Subnet * 10.99.201.1 * NO
afaik this should masquerade the requests coming from the OPNsense with its IP in the Local Subnet which is allowed in the Tunnel.
Unfortunately this does not work.
Can someone explain to me how I get this to work?
I have a workaround for Unbound, which is to select the Local Subnet as Outgoing Interface which allows the OPNsense to use the Remote DCs for DNS queries. But this workaround does not work for authentication, as it is not possible to select an outgoing interface for LDAP servers. Which means I have no redundancy for authentication when the local DC is not available.
Can anybody enlighten me if a.) this should work or b.) show me another workaround to use the remote DCs for LDAP over S2S
14
19.7 Legacy Series / Re: Limiter works but Scheduler does not match any traffic for CARP
« on: August 26, 2019, 11:30:01 pm »
Yes, the limiter works but I still get lot of bufferbloat.
I sometime even have timeouts pinging 8.8.8.8 while doing the speedtest and the ping rises > 100ms over idle.
I have the same settings at home with a single OPNsense and a cable modem where I manage to have the ping max. 10ms over idle for the speedtest.
I use the dslreports test with bufferbloat measurements.
At home with cable fq_codel improved bufferbloat from F rating to A, with the CARP OPNsense and DSL it just stays on C, no matter if I use fq_codel or not.
Edit: OK, without CARP and with cable the Svhedulers stay empty too. But there I can see a significant improvement on ping while using the available bandwidth.
Are there any additional tests I can do to check if fq_codel is doing it's thing?
I sometime even have timeouts pinging 8.8.8.8 while doing the speedtest and the ping rises > 100ms over idle.
I have the same settings at home with a single OPNsense and a cable modem where I manage to have the ping max. 10ms over idle for the speedtest.
I use the dslreports test with bufferbloat measurements.
At home with cable fq_codel improved bufferbloat from F rating to A, with the CARP OPNsense and DSL it just stays on C, no matter if I use fq_codel or not.
Edit: OK, without CARP and with cable the Svhedulers stay empty too. But there I can see a significant improvement on ping while using the available bandwidth.
Are there any additional tests I can do to check if fq_codel is doing it's thing?
15
19.7 Legacy Series / Limiter works but Scheduler does not match any traffic for CARP
« on: August 26, 2019, 08:02:04 am »
I have the following configuration:
OPNSense A-----|
|-------DSL Router
OPNSense B-----|
The OPNSense have a VIP 10.99.224.10 and the DSL router has 10.99.224.1
I set up the following Shaper configuration:
When looking at the status I can see that the rules match no traffic to the Schedulers:
The rules are set like this (direction in respectively for down):
As I am doing NAT masquerading to 10.99.224.10 for everything I treid setting the rules to match both direction and instead set source (respectively destination for the other direction) to the VIP 10.99.224.10 but then neither Limiter nor Scheduler showed any traffic, which I understand as that my rules are correct but they are not matching correctly for Schedulers.
OPNSense A-----|
|-------DSL Router
OPNSense B-----|
The OPNSense have a VIP 10.99.224.10 and the DSL router has 10.99.224.1
I set up the following Shaper configuration:
When looking at the status I can see that the rules match no traffic to the Schedulers:
Code: [Select]
Limiters:
10000: 35.000 Mbit/s 0 ms burst 0
q75536 50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
sched 75536 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 ip 0.0.0.0/0 0.0.0.0/0 12498 18565328 32 46555 274
10001: 9.000 Mbit/s 0 ms burst 0
q75537 50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
sched 75537 type FIFO flags 0x0 0 buckets 1 active
0 ip 0.0.0.0/0 0.0.0.0/0 68 2871 0 0 0
Schedulers:
10000: 35.000 Mbit/s 0 ms burst 0
q75536 50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
sched 10000 type FQ_CODEL flags 0x0 0 buckets 0 active
FQ_CODEL target 5ms interval 100ms quantum 300 limit 1000 flows 1024 ECN
10001: 9.000 Mbit/s 0 ms burst 0
q75537 50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
sched 10001 type FQ_CODEL flags 0x0 0 buckets 0 active
FQ_CODEL target 5ms interval 100ms quantum 300 limit 600 flows 1024 NoECNThe rules are set like this (direction in respectively for down):
As I am doing NAT masquerading to 10.99.224.10 for everything I treid setting the rules to match both direction and instead set source (respectively destination for the other direction) to the VIP 10.99.224.10 but then neither Limiter nor Scheduler showed any traffic, which I understand as that my rules are correct but they are not matching correctly for Schedulers.