"
Thank you for the helpful guidance. I know what to do now. I'm going to set up Caddy as the reverse proxy and make it manage my Let's Encrypt certificate. I'll figure out a way for the web server to automatically fetch the certificate from the firewall so the internal clients don't have to communicate with it through the Caddy.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
General Discussion / Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
March 26, 2025, 01:33:36 PM #2
General Discussion / Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
March 24, 2025, 10:32:34 PM
Is this true if the internal computers don't use the WAN IP address to connect? If they use the LAN address of the reverse proxy? The firewall's LAN NIC is also 1G.
#3
General Discussion / HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
March 22, 2025, 09:08:17 PM
I want to configure OPNsense to update my Let's Encrypt certificate and to serve as a reverse proxy for the web server inside my firewall. What's the recommended way for the web server to use the same Let's Encrypt certificate when computers inside the firewall talk to it?
I can think of a few answers to my question:
The network inside the firewall (2.5GBE) is faster than the NIC in the firewall (1GBE), so #1 isn't my preferred solution.
Open to suggestions and pointers to tutorials.
I can think of a few answers to my question:
- make the computers inside the firewall use the same reverse proxy as those outside of it.
- periodically curl/wget/scp the certificate from the firewall to the web server
The network inside the firewall (2.5GBE) is faster than the NIC in the firewall (1GBE), so #1 isn't my preferred solution.
Open to suggestions and pointers to tutorials.
#4
24.1, 24.4 Legacy Series / Re: Unbound DNS doesn't resolve names for un-named hosts
August 20, 2024, 12:19:12 AM
On a whim, I booted the live version of OPNsense 24.7. Its DNS served both my named hosts and my unnamed hosts.
After fiddling with my 24.1 installation's firewall rules and Unbound DNS configuration for most of a day, I gave up, upgraded to 24.7, and set up DHCP for my various hosts again.
After fiddling with my 24.1 installation's firewall rules and Unbound DNS configuration for most of a day, I gave up, upgraded to 24.7, and set up DHCP for my various hosts again.
#5
24.1, 24.4 Legacy Series / Re: Unbound DNS doesn't resolve names for un-named hosts
August 15, 2024, 09:57:43 PM
The output is nearly the same as above. The only difference is that each host reports that it found one server.
From the host without a name:
From the host with a name:
From the host without a name:
Code Select
talmage@otis:~$ dig @192.168.1.1 www.onespeeddave.com
;; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out
; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @192.168.1.1 www.onespeeddave.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached
From the host with a name:
Code Select
talmage@minerva:~$ dig @192.168.1.1 www.onespeeddave.com
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.1.1 www.onespeeddave.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15615
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.onespeeddave.com. IN A
;; ANSWER SECTION:
www.onespeeddave.com. 3600 IN A 192.168.1.99
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Aug 15 15:53:38 EDT 2024
;; MSG SIZE rcvd: 65
#6
24.1, 24.4 Legacy Series / Unbound DNS doesn't resolve names for un-named hosts
August 15, 2024, 07:29:55 PM
Please help me fix this problem: Unbound DNS won't resolve a name when the DNS query comes from a host without a name.
Unbound DNS works just fine when a DNS query comes from a host with a name.
All hosts on my network get an IP address from ISC DHCPv4, which is configured to not deny unknown hosts. ISC DHCPv4 gives each known host the same name each time they ask for a lease. It recognizes a host by its MAC address.
Here's an example of dig's output on a host with no name:
Here's an example of dig's output for the same query on a host with a name:
Here is an example of the logging output of ISC DHCPv4 when a host without a name makes a DNS query:
I'm running OPNsense 24.1.5_3-amd64.
Unbound DNS works just fine when a DNS query comes from a host with a name.
All hosts on my network get an IP address from ISC DHCPv4, which is configured to not deny unknown hosts. ISC DHCPv4 gives each known host the same name each time they ask for a lease. It recognizes a host by its MAC address.
Here's an example of dig's output on a host with no name:
Code Select
talmage@otis:~$ !dig
dig www.onespeeddave.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> www.onespeeddave.com
;; global options: +cmd
;; no servers could be reached
Here's an example of dig's output for the same query on a host with a name:
Code Select
talmage@minerva:~$ dig www.onespeeddave.com
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> www.onespeeddave.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47178
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.onespeeddave.com. IN A
;; ANSWER SECTION:
www.onespeeddave.com. 2002 IN A 192.168.1.99
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Aug 15 13:21:35 EDT 2024
;; MSG SIZE rcvd: 65
Here is an example of the logging output of ISC DHCPv4 when a host without a name makes a DNS query:
Code Select
2024-08-15T13:27:05-04:00 Notice unbound [34306:0] notice: remote address is ip4 192.168.1.205 port 56220 (len 16)
2024-08-15T13:27:05-04:00 Notice unbound [34306:0] notice: sendmsg failed: Invalid argument
2024-08-15T13:27:05-04:00 Notice unbound [34306:3] notice: remote address is ip4 192.168.1.205 port 53927 (len 16)
2024-08-15T13:27:05-04:00 Informational unbound [34306:0] info: send_udp over interface: 192.168.1.1
2024-08-15T13:27:05-04:00 Notice unbound [34306:3] notice: sendmsg failed: Invalid argument
2024-08-15T13:27:05-04:00 Informational unbound [34306:0] info: 192.168.1.205 www.onespeeddave.com. AAAA IN NOERROR 0.000000 1 38
I'm running OPNsense 24.1.5_3-amd64.
#7
General Discussion / Re: Adding DHCP hosts from the CLI
July 16, 2024, 11:45:58 PM
Stipulating that editing /conf/config.xml is the right thing to do, https://www.reddit.com/r/opnsense/comments/16g5z62/how_to_update_config_via_cli/ says that
configctl dhcpd restart
will tell dhcp about my changes.
configctl dhcpd restart
will tell dhcp about my changes.
#8
General Discussion / Adding DHCP hosts from the CLI
July 16, 2024, 07:35:22 PM
What's the way to add another host to isc-dhcp using the CLI?
My guess is that I can add a <staticmap> stanza for the new host to the <lan> section of <dhcp> in /conf/config.xml .
How do I tell Opnsense to re-read /conf/config.xml and reconfigure dhcpd?
Is this the right way? Is there a better way via the CLI?
My guess is that I can add a <staticmap> stanza for the new host to the <lan> section of <dhcp> in /conf/config.xml .
How do I tell Opnsense to re-read /conf/config.xml and reconfigure dhcpd?
Is this the right way? Is there a better way via the CLI?
#9
17.1 Legacy Series / Re: DLNA on two subnets
August 06, 2017, 10:47:16 PM
I reframed the query into a request for igmpproxy configuration examples.
Please see https://forum.opnsense.org/index.php?topic=5666.0
Please see https://forum.opnsense.org/index.php?topic=5666.0
#10
17.1 Legacy Series / simple igmpproxy configuration examples
August 06, 2017, 10:44:36 PM
I'm looking for simple examples for configuring igmpproxy. I can't find any that I understand.
The specific example I want is how to enable a DLNA media renderer on one network to discover a DLNA media server on another network. But feel free to post other examples here.
Given:
LAN1, 192.168.1.0/24
OPT1, 192.168.2.0/24
a DLNA media server on 192.168.1.10 sending SSDP messages on 239.255.255.250
a Roku4 media renderer on 192.168.2.102
What configuration for igmpproxy will let the Roku4 discover the DLNA media server?
The specific example I want is how to enable a DLNA media renderer on one network to discover a DLNA media server on another network. But feel free to post other examples here.
Given:
LAN1, 192.168.1.0/24
OPT1, 192.168.2.0/24
a DLNA media server on 192.168.1.10 sending SSDP messages on 239.255.255.250
a Roku4 media renderer on 192.168.2.102
What configuration for igmpproxy will let the Roku4 discover the DLNA media server?
#11
17.1 Legacy Series / DLNA on two subnets
July 09, 2017, 11:10:08 PM
Please help me make my DLNA media server visible on both subnets in my network. Someone asked for this information in the 16.7 Production Series forum (https://forum.opnsense.org/index.php?topic=3681.msg12592#msg12592) and received no answers. I hope there is an answer for 17.1.
My DLNA media server is on the 192.168.1.0/24 subnet. Media players on my 192.168.2.0/24 subnet can't see it. Why is that?
My DLNA media server is on the 192.168.1.0/24 subnet. Media players on my 192.168.2.0/24 subnet can't see it. Why is that?
Pages1
