OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of nzkiwi68 »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - nzkiwi68

Pages: [1] 2 3 ... 13
1
24.1 Legacy Series / Re: On upgrade duckdb unsupported version.
« on: February 19, 2024, 07:15:13 am »
I had the same error - fixed by resetting DNS data

  • Reporting > Settings > Unbound DNS reporting "Reset DNS data"

Then do the upgrade again - worked flawlessly.

2
Virtual private networks / Re:23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears & disappears
« on: January 11, 2024, 08:35:29 pm »
To close off this topic:

Since OPNsense 23.7.8 and beyond with the built-in support of WireGuard to follow a CARP VHID, this issue and others have all been solved.

There's no longer any need to run custom scripts etc and WireGuard now works very well indeed!

3
High availability / Re: CARP connections to switches in MLAG
« on: January 10, 2024, 05:36:08 am »
My experience is that many switches do not handle CARP / VRRP correctly across "stacked" switches.

You can tell if you've got that problem, because, you get all sorts of weird  CARP issues occurring such as:
  • MASTER or BACKUP firewall failing and disabling CARP due a a CARP problem
  • CARP won't fail back
  • CARP gets a huge demotion level number of 240 or 480 or higher
  • Sometimes it works and sometimes it doesn't and you just can't figure out why
  • You reboot the master or backup firewall and strange CARP issues occur
  • Both the master and backup firewall report themselves as the CARP master (which should be impossible)

Check here to see the CARP demotion level number:
   Interfaces: Virtual IPs: Status

Ask the switch manufacturer if they properly support VRRP which is basically what CARP is. If you tell them your trying to run CARP they will say "What?????" and won't know what your talking about.

Even then, what you want is a switch stack that supports external VRRP / CARP, that is, not that the switch stack itself supports VRRP, but, that is supports another VRRP plugged into it. In our case firewall1 and firewall2 but it could be server1 and server2 share an IP address using VRRP (which is essentially CARP).

If they do support external VRRP then CARP will work.

Often I have found it simpler to have:

     Firewall1 > switch1
     Firewall2 > switch2
     Switch1 and switch2 cross connect as standalone switches and thus CARP behaves nicely.


Why so much trouble with stacked switches?
Because it's actually really complicated for the switch manufacturer. They have to maintain an ARP states across 2 switches and replicate certain things switch to switch and the whole time lie and pretend to be a single switch. CARP/VRRP complicates things because of the technical way it shares an IP address across two devices and the fact that VRRP / CARP are protocol 112 and not UDP (protocol number 17) and not TCP (protocol number 6).

I have found they work hard on getting stacked switches to work covering most stuff, but not things like VRRP / CARP.

I know I haven't cured the problem but hopefully my explanation helps it all make sense as to why sometimes you just can't get it to go.



4
Web Proxy Filtering and Caching / Re: HAPROXY add GeoIP capability and run rules inside HAPROXY based on GeoIP
« on: November 24, 2023, 03:01:34 am »
Quote from: WhiteTiger on November 18, 2023, 11:16:31 am
Perhaps these instructions refer to a previous analysis, because I did not understand the need to establish paths that begin with /login/.
In any case, I don't see in the code where you check for /login/

What is the goal you aim to achieve?

No these instructions do not refer to previous analysis or set of instructions.

There is nothing in the code about /login/ - I am merely talking about the concept on using these instructions to satisfy a need to do something like:

  • The URL requested starts with a path, say /login
  • and the request is coming from a GeoIP of Australia
  • Then allow the request, else block the request

In my concept above, you could then allow logins to a website only from Australia IP addresses.

The instruction are for:
How to add GeoIP capability and run rules inside HAPROXY based on GeoIP

Then, how to add the GeoIP capability for HAPROXY starts in my post:
*****************************************************
ONE: These two files need to get added to the system
*****************************************************
... and so on

You do need a high understanding of how HAPROXY works for any of this to make any sense.

5
Web Proxy Filtering and Caching / HAPROXY add GeoIP capability and run rules inside HAPROXY based on GeoIP
« on: November 17, 2023, 05:29:55 am »
Firstly, let me credit Brett Merrick for huge assistance. This is not all my own work.

Here's the steps to get GeoIP working inside HAPROXY, not at the firewall rule layer, but inside HAPROXY and still utilising OPNsense GeoIP alias function.

You can write conditions such as:
Condition: Paths starts with /login/
Condition: GeoIP matches Australia

Then write a rule that does things like:
Rule: Only permit login from Australia (Permit http_request if matches "Paths starts with /login/" and "GeoIP matches AU"

Very cool! Any many, many more possibilities for protection, reject excessive error rates or connection rates from certain countries, use Tarpitting on some countries and not others, and so on.

Ok - how:


*****************************************************
ONE: These two files need to get added to the system
*****************************************************

File1
filename: actions_custom.conf
location: /usr/local/opnsense/service/conf/actions.d/

Code: [Select]
[update]
command:/usr/local/opnsense/scripts/custom/haproxy-alias.sh
parameters:%s
type:script
message:Updating HAProxy Alias %s
description:Update HAProxy Alias
File2
filename: haproxy-alias.sh
location: /usr/local/opnsense/scripts/custom/

Code: [Select]
#!/bin/csh
if ( $#argv == 0 ) exit 1
configctl filter list table "$1" > "/var/haproxy/$1.lst"
chown 80:80 "/var/haproxy/$1.lst"
exit 0

************************************************************
TWO: Build the GeoIP alias "acl_geoip_au" (for say Australian IP addresses
************************************************************
If you haven't setup for the GeoIP downloads to get the GeoIP databnase list, then follow the OPNsense documentation first:
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
Normal firewall GeoIP settings
Firewall > Aliases > GeoIP settings

*** make sure to only use ipv4 if you don't have ipv6 ***


*******************************************
THREE: Create the cron job and run it ONCE
*******************************************
Then set to run overnight after midnight sometime ideally running after GeoIP DB update and before HAPROXY reload. You will need an HAPROXY reload to pickup the new GeoIP tables.


************************
FOUR: Now setup a condition
************************
e.g.
Name: GEOIP_AU
Condition type: Source IP matches specified IP (from the drop down list)
Parameters: -f /var/haproxy/acl_geoip_au.lst

(see the acl_geoip_au.lst - that needs to match the firewall GeoIP alias name. In my example the alias name is acl_geoip_au)


*****************************************************************************
FIVE: Go make a rule that uses your condition and attach it a backend or frontend as appropriate
*****************************************************************************

Want more GeoIP ranges?
Start at step two and rinse and repeat for more aliases with different country combinations.
Each aliases needs a CRON job and don't forget you need to run the CRON job once to get the alias ready for HAPROXY to use.



6
Intrusion Detection and Prevention / Re: crowdsec firewall bouncer does not start
« on: October 17, 2023, 06:04:04 am »
Same issued here - fresh install on two new 23.7.6 firewalls

/var/log/crowdsec/crowdsec-firewall-bouncer.log:

Code: [Select]
time="17-10-2023 16:07:54" level=warning msg="unexpected ${BACKEND} mode"
time="17-10-2023 16:07:54" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-freebsd-af6e7e2"

7
High availability / Re: CARP awareness for Wireguard 2.0 & follow a single interface - 23.7.3
« on: September 10, 2023, 03:26:06 am »
My updated script 10 Sep 2023 - now working excellently to enable super fast fail-over for WireGuard for clustered firewalls.

Quote
#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("util.inc");
require_once("interfaces.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($subsystem != "1@igb0") exit;

if (!in_array($type, ['MASTER', 'BACKUP'])) exit;

    switch ($type) {
        case 'MASTER':
         shell_exec("/usr/local/sbin/pluginctl -s wireguard start");
         log_msg("Starting WireGuard due to CARP event '$type' on '{$subsystem}'");
            break;
        case 'BACKUP':
         shell_exec("/usr/local/sbin/pluginctl -s wireguard stop");
         log_msg("Stopping WireGuard due to CARP event '$type' on '{$subsystem}'");
            break;
    }


Important notes

**** ONE ****
You MUST change the line "if ($subsystem != "1@igb0") exit;" to follow an interface.
This is normally your LAN since that's where for most people the WireGuard tunnels will be tunneling VPN traffic to and from.

The "1" must be the VHID number and the "igb0" must equal the interface "Device" name.
If your interface is using a vlan, then it could look like this:

if ($subsystem != "2@vlan01") exit;

**** TWO ****
  • Place the script in this location "/usr/local/etc/rc.syshook.d/carp/"
  • Call the script "10-wireguard" - no extension
  • Make sure the script has execute permissions

**** THREE ****
Make sure the WireGuard package is set to replicate to the backup firewall.

Code: [Select]
System > High Availability > Settings > WireGuard "selected"

**** FOUR ****
If you are using a dynamic routing protocol, I recommend the FRR package and setup BGP.
Then FRR does NOT need to follow CARP, it can remain on and alive on both the MASTER and the BACKUP firewall at the same time.

8
Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears
« on: September 10, 2023, 03:09:46 am »
I've tested the above and it seems very good.

Also, I no longer need to have
System > High Availability > Settings > WireGuard "unselected"

In fact, I need that set as selected and it is looking very, very good.
  • The Firewall "WireGuard (Group)" now consistently appears.
  • Transition for a failover is the loss of a single ping.
  • I have FRR running on the primary and the backup firewall, alive, NOT following CARP and I rely on the WireGuard tunnels going up and down according to CARP and this is working excellently.

Thanks Franco!

9
Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears
« on: September 10, 2023, 01:55:56 am »
Thanks.

So on transition to BACKUP, don't write
Quote
config['OPNsense']['wireguard']['general']['enabled'] = '0';

But, then, the code:
Quote
use OPNsense\Core\Backend;
$backend = new Backend();
$backend->configdRun('template reload OPNsense/Wireguard');
$backend->configdpRun('wireguard configure');

Well, that won't actually stop WireGuard anymore because it's "enabled"...

Will this command from be the better fit?
https://forum.opnsense.org/index.php?topic=35578.msg172989#msg172989

Quote
pluginctl -s wireguard stop

Therefore my CARP script would become:

Quote
#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("util.inc");
require_once("interfaces.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($subsystem != "1@igb1") exit;

if (!in_array($type, ['MASTER', 'BACKUP'])) exit;

    switch ($type) {
        case 'MASTER':
         shell_exec("/usr/local/sbin/pluginctl -s wireguard start");
         log_msg("Starting WireGuard due to CARP event '$type' on '{$subsystem}'");
            break;
        case 'BACKUP':
         shell_exec("/usr/local/sbin/pluginctl -s wireguard stop");
         log_msg("Stopping WireGuard due to CARP event '$type' on '{$subsystem}'");
            break;
    }


Thanks.

10
Virtual private networks / Re: WireGuard "Local" missing "Shared Secret" in GUI 23.7.3
« on: September 10, 2023, 01:22:39 am »
Thanks, sounds good!

And, I've learnt a little more too.

11
Virtual private networks / Re: WireGuard "Local" missing "Shared Secret" in GUI 23.7.3
« on: September 09, 2023, 11:01:28 am »
ok!

Thanks very much Patrick M. Hausen for the explanation.

So... peer side at each end is where you use a PSK, like this:
peer / endpoint for Site A > B
   and
peer / endpoint for Site B > A

But not the local "server" settings, because that's not really a server at all, it's actually just a wg interface.

Naming consistency
"Local" should be renamed to "Interface"
"Endpoints" should be renamed to "Peer"

This is in keeping with Wireguard terminology.
Reference: https://www.wireguard.com/#simple-network-interface

12
Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears
« on: September 09, 2023, 10:52:51 am »
No, I don't think so.


#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("util.inc");
require_once("interfaces.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($subsystem != "102@igc0") exit;

if (!in_array($type, ['MASTER', 'BACKUP'])) exit;

    switch ($type) {
        case 'MASTER':
         $config['OPNsense']['wireguard']['general']['enabled'] = '1';
         write_config("Enable WireGuard due to CARP event on '{$subsystem}'", false);
         log_msg("Starting WireGuard due to CARP event '$type' on '{$subsystem}'");
            break;
        case 'BACKUP':
         $config['OPNsense']['wireguard']['general']['enabled'] = '0';
         write_config("Disable WireGuard due to CARP event on '{$subsystem}'", false);
         log_msg("Stopping WireGuard due to CARP event '$type' on '{$subsystem}'");
            break;
    }

use OPNsense\Core\Backend;
$backend = new Backend();
$backend->configdRun('template reload OPNsense/Wireguard');
$backend->configdpRun('wireguard configure');

13
Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears
« on: September 07, 2023, 11:35:51 pm »
I'm wondering if this is because of clustered firewalls and CARP and my WireGuard CARP script.

The script does get fired for start and stop quickly during a CARP standup and I wonder if the mechanism that creates the Firewall rule group "WireGuard (Group)" gets a bit lost.


14
Virtual private networks / Re: Firewall rules not applying properly to wireguard
« on: September 07, 2023, 11:32:09 pm »
Did you have the allow rules at the remote end again the "WireGuard (Group)", perhaps that firewall rule group is now missing?

15
Virtual private networks / WireGuard "Local" missing "Shared Secret" in GUI 23.7.3
« on: September 07, 2023, 11:30:06 pm »
Am I missing something?

VPN > WireGuard > Settings > Endpoint
You can specify a "Shared Secret"

On the remote site, where this Endpoint connects to:
VPN > WireGuard > Settings > Local/b]
I cannot see any way to add the "Shared Secret"

Or am I missing something?

Pages: [1] 2 3 ... 13
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2