Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - SteveK

Pages: [1]

23.1 Legacy Series / Re: Secure NTP

« on: November 28, 2023, 12:20:00 pm »

Just found this topic...while I was about to implement secure NTP, too.

I have a question...setup:
- Install chrony, enable it, check " NTS Client Support", add the appropriate NTP servers in "NTP Peers"
- and for the network time service: remote all entries of time servers and check "Client support"

So far, the network service has provided NTP in all interfaces (set in "Interfaces" accordingly).

What is the "right approach"? Set the chrony "Listen port" to "123" + manually enter the networks in "Allowed Networks", like "10.55.10.0/24; 10.55.160.0/23" in order to provide NTP service?
I mean that by enabling "Client support" for the network time service ends the NTP service.

23.7 Legacy Series / 23.7.8 - Allow new backup API to download latest configuration

« on: November 13, 2023, 11:58:32 am »

Hey,

I couldn't find any API documentation about the new feature for downloading the latest configuration directly via /api/core/backup/download/this. I tested it successfully with: curl -u "key":"secret" -o backup.xml https://opensense/api/core/backup/download/this

Is there a parameter for getting the configuration encrypted, as it is possible through the WebUI?

Thanks

Virtual private networks / OpenVPN Group Rules

« on: March 16, 2023, 07:30:54 pm »

Hi,

I created two OpenVPN servers following the documentation of OPNsense.

I defined the remote networks that should be reachable from the OpenVPN clients during the connection, but I was suprised to see that there were two group rules in the FW rules for OpenVPN that allow a connection to all networks (see attached screenshot). I am also not able to remove these two group rules.

How can I remove these two rules?

Thanks

23.1 Legacy Series / Re: Ciphers for WPA3 Enterprise

« on: March 02, 2023, 07:12:48 pm »

Thanks for the feedback.

I thought that the certificates to be generated should fulfill kind of ciphers "requirements".

23.1 Legacy Series / Ciphers for WPA3 Enterprise

« on: March 01, 2023, 11:13:03 am »

Hi,

I found this topic regarding the certificate to be used for RADIUS:

Quote

To use WPA3 enterprise, the RADIUS servers must use one of the permitted EAP ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Could someone please tell me, which options in the GUI for creating a server certificate reflect to these ciphers?

I would like to create such a server certificate for the RADIUS server in order to use it with a Unifi AP for setting up a WPA3 enterprise WLAN.

Thanks

German - Deutsch / Re: Routing zwischen WAN und einem VLAN im gleichen Subnetz

« on: January 30, 2020, 11:43:43 am »

Hallo shb,

Danke für deinen Feedback.

Um die Topology ein bisschen "Einfacher" darzustellen:

Code: [Select]

             FRITZ!Box                                                 OPNsense
  +-----------------------------+                           +-----------------------------+
  | IP/GW/DNS:192.168.178.1  P1 |192.168.178.0/24 ----------| ig0 WAN 192.168.178.2       |
  |                             |                           |                             |
  |                             |                           |                             |
  +-----------------------------+                           |                             |
                                                       +----| ig2 VLAN178: WANoverVLAN178 |
                                                       |    |     VLAN10:  LAN            |
                                                       |    |                             |
                                                       |    +-----------------------------+
                                                       |
                                                       |               L2 Switch
                                                       |    +-----------------------------+
                                                       +----| P1 TRUNK                    |
                                   +--+                     |                             |
                                   |PC|---------------------| P2 ACCESS (VLAN 178)        |
                                   +--+                     |                             |
                                                            | P3 TRUNK                    |
                                                            |                             |
                                                            | P4 ACCESS (VLAN 10)         |
                                                            +-----------------------------+

habe ich Folgendes getestet:

- die Interfaces WAN & WANoverVLAN178 als "Bridge_WAN" gebridged
- WAN hat weiterhin die 192.168.178.2 IP
- WANoverVLAN178 hat keine IP
- keine Firewale Rules für alle diese 3 Interfaces

..und siehe da...die Pakete (sowie DHCP...usw.) kommen durch...

Nun muss ich die Filterungsregeln anpassen und mit den Firewal-Rules "spielen", d.h.
net.link.bridge.pfil_member=1 (enable filtering on the incoming and outgoing member interfaces)
net.link.bridge.pfil_bridge=0 (disable filtering on the bridge interface)

Ob sich das lohnt?!?!?..mal sehen

SteveK

German - Deutsch / Routing zwischen WAN und einem VLAN im gleichen Subnetz

« on: January 23, 2020, 04:15:12 pm »

Hi,

ich hätte eine Frage bzgl. folgendem Netzwerk-Setup:

Code: [Select]

             FRITZ!Box                                                 OPNsense
  +-----------------------------+                           +-----------------------------+
  | IP/GW/DNS:192.168.178.1  P1 |192.168.178.0/24 ----------| ig0 WAN 192.168.178.2       |
  |                             |                           |                             |
  | IP/GW/DNS:192.168.179.1  P4 |192.168.179.0/24 ----------| ig1 DMZ 192.168.179.2       |
  +-----------------------------+                           |                             |
                                                       +----| ig2 VLAN178: WANoverVLAN178 |
                                                       |    |     VLAN179: DMZoverVLAN179 |
                                                       |    |     VLAN10:  LAN            |
                                                       |    +-----------------------------+
                                                       |
                                                       |               L2 Switch
                                                       |    +-----------------------------+
                                                       +----| P1 TRUNK                    |
                                   +--+                     |                             |
                                   |PC|---------------------| P2 ACCESS (VLAN 178)        |
                                   +--+                     |                             |
                                                            | P3 TRUNK                    |
                                                            |                             |
                                                            | P4 ACCESS (VLAN 10)         |
                                                            +-----------------------------+

Es geht um die Interfaces WAN & WANoverVLAN178 in OPNsense. Die Ziele sind wie folgt:
- wenn ein PC am Port 2 auf dem "L2 Switch" angeschlossen wird, dann sollte er genauso funktionieren, als ob er an die FRITZ!Box direkt angeschlossen wurde (d.h. auch dass DHCP direkt von der FB kommt)
- Firewall Rules in OPNsense sollen für den Traffic zwischen WAN <-> WANoverVLAN178 möglich sein, z.B. Deny Rules für SMTP vom PC ins Internet (WANoverVLAN178 -> SMTP -> WAN)

Ist sowas möglich?

Danke,
Steve

18.1 Legacy Series / Re: Base64 certificate

« on: February 19, 2018, 09:49:54 pm »

It worked with the PEM!

And the correct command were:

openssl x509 -in sw1.crt -outform PEM -out sw1.crt.pem
openssl rsa -in sw1.key -outform PEM -out sw1.key.pem

Thanks for the help!

18.1 Legacy Series / Re: Base64 certificate

« on: February 15, 2018, 08:09:28 pm »

The only info that I found so far is...the certificate and private keys must be in RSA PEM format.

Would these be the right commands for converting?

openssl rsa -in switch1.key -outform PEM -out switch1.crt.pem

openssl x509 -in switch1.crt -outform PEM -out switch1.key.pem

18.1 Legacy Series / Base64 certificate

« on: February 15, 2018, 11:57:35 am »

Hi,

I have implemented an internal CA and an intermediate CA...and everything works fine with the generated internal server certificates

.

Trying to configure a switch for HTTPS, I found out that it needs a BASE64 certificate. When an internal certificate is created, then there are a .crt, a .key, and a .p12 files that can be downloaded. How can I generate a BASE64 certificate and key (?!) using those files?

Regards,
Steve

Pages: [1]