Messages - Tubs

1
Hardware and Performance / Re: Sophos SG 210/220/310/330 - blast from the past?
« on: October 15, 2024, 09:42:06 pm »
Thank you. This helps.

Somehow I missed your replies to my question.

2
General Discussion / Re: mDNS Repeater and firewall rules
« on: October 14, 2024, 07:00:16 pm »
OK, I did not mention that these two VLANs are isolated from each other by default and inter-VLAN routing is only possible where it is explicitly allowed by a firewall rule.

Yes, I could just do trial and error. But I want to understand what is right and what is wrong. That's why I am asking, in the hope that someone knows the answer.

3
General Discussion / mDNS Repeater and firewall rules
« on: October 13, 2024, 06:59:52 pm »
Hello,

I want to use the mDNS repeater on OPNsense to forward mDNS between two subnets.
From the documentation it is not clear to me which firewall rules I need to allow the mDNS multicast traffic between these two vpn.
  • on both interfaces to port 5353 at 224.0.0.251 and [ff02::fb] or
  • on both interfaces to port 5353 at "subnet address" or
  • on both interfaces to port 5353 at "this firewall"
Or a combination out of these three?

4
Hardware and Performance / Sophos SG 210/220/310/330 - blast from the past?
« on: June 08, 2024, 10:21:19 am »
Hello,

There are so many new hardware devices with modern powerful CPUs, small form factor, low energy footprint and low noise that it is difficult to find the right choice. "Old" hardware that is cheap to get as used devices often was a good choice in the past.

Is a Sophos SG 210 / SG 220 / SG 310 / SG 330 today still a good choice to run OPNsense in an ambitious home environment? Or is it a blast from the past that cannot compete with current new devices in regards to power, energy consumption and noise, even when taking cost into the calculation?

I am looking to upgrade my Qotom Q355G4 with something that provides one or two SFP+ ports. A DEC2752A or DEC2770 looks like a "dream build" but at a high price. Is a Sophos you get for around 100 $/EUR still an option to go for nowadays?

5
24.1 Legacy Series / Re: HAProxy doesn't seem to respect SNI anymore?
« on: February 02, 2024, 08:31:46 pm »
I was running into the same issue.
Have a look here.

https://forum.opnsense.org/index.php?topic=38435.0

6
24.1 Legacy Series / Re: HAProxy - wrong ssl certificate after upgrade to 24.1
« on: February 02, 2024, 08:30:55 pm »
Thank you.
This looks like the issue I am facing.

7
24.1 Legacy Series / HAProxy - wrong ssl certificate after upgrade to 24.1
« on: January 31, 2024, 08:09:54 pm »
Hello,

For the issue with IDS not working after the update I could quickly find the solution here.
Now I have detected the second issue after the update to 14.1.

I use HAProxy in a mix of SNI frontend (TCP type) and https frontend (SSL offloading). For offloading I use two hostnames with two ssl certificates that will use two different backend servers.

Since the update the wrong certificate of the two is being provided to the client. Backend selection is as expected. This setup has been running for years. It broke when I upgraded to 14.1 yesterday.

8
23.7 Legacy Series / HAproxy: Syncthing Discovery server with forwarded client certificate in header
« on: September 02, 2023, 06:49:27 pm »
Hello,

I want to use the Syncthing Discovery server behind HAproxy with ssl offloading by HAproxy. To do so I set the discovery server to http (option -http). The connection is running. But I must forward the client certificate by the header X-SSL-Cert. According to the manual the header is required in PEM format.

This would add the client cert in DER format, which is not recognized by the discovery server:

    http-request set-header X-SSL-Cert %{+Q}[ssl_c_der,base64]

I modified the line to create a PEM file. Either nothing is in it or it is in the wrong format.

    http-request set-header X-SSL-Cert -BEGIN\ CERTIFICATE-\ %[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space

The connection is running. But discovery still cannot read the client cert:

    no certificates: certificate decode result is empty

Any idea how to set up the forwarding of the client certificate by header correctly in OPNsense?

9
German - Deutsch / Re: Vodafone cable 1000Mbit - which hardware for home office
« on: July 23, 2023, 08:42:18 am »
Quote from: Maj0rrush on July 22, 2023, 12:34:55 pm
I have a Vodafone cable connection (formerly Unitymedia) with 1000Mbit.
[...]
Which OPNsense hardware should I choose for this connection?

You are not asking about this, but when changing the firewall, also think about the connection to the device that provides access to the cable network. If it is a "simple", pure cable modem, that always fits. If today you have a combined device there that also provides firewall and telephony (e.g. FritzBox), then with the OPNsense device you have a second firewall, which leads to double NAT. That works too. You should just know what that means before you start tinkering.

10
General Discussion / Re: Client Cert Authentication sufficient for Exchange server
« on: September 08, 2022, 10:28:34 pm »
Quote from: pmhausen on September 08, 2022, 09:11:35 pm
Still please read all of my last post. Using a dedicated OWA server is highly recommended.

Thanks a lot again. Yes, I got your point already by your first mail.

I will reconsider after looking into some more details. Basically the VPN way is fine for me. My small home lab is running out of resources and one Exchange already is using more RAM than I want to spend.

11
General Discussion / Re: Client Cert Authentication sufficient for Exchange server
« on: September 08, 2022, 08:09:54 pm »
Quote from: pmhausen on September 08, 2022, 07:30:53 pm
Millions of Enterprises do that. Expose OWA to the Internet. That's what it was made for.

Thank you.

12
General Discussion / Re: Client Cert Authentication sufficient for Exchange server
« on: September 08, 2022, 06:30:39 pm »
Quote from: bartjsmit on September 04, 2022, 09:07:23 am
What is your risk? If this is a lab setup, do you even process real data?

OK. I see that "lab setup" was misleading. Yes, it is processing real data. There are two private mail accounts on it. I know, there are better ways instead of using an oversized Exchange for this. I called it home lab set-up to avoid any link to corporate use or professional data with hundreds of mailboxes.

Therefore let me rephrase my question:

Are there common and recommended scenarios where the activesync site of IIS in Exchange is directly exposed to the internet without reverse proxy or WAF in front?

Quote
Have you considered a VPN for instance?

Yes. I am even doing it like this. The most secure variant I guess, but also with disadvantages: it drains more battery from the mobile and the VPN does not always have a stable connection. Therefore I am looking for other ways.

13
General Discussion / Client Cert Authentication sufficient for Exchange server
« on: September 03, 2022, 05:21:15 pm »
Hello,

does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose ‘activesync’ and ‘owa’ directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase security I want to switch to Client Certificate Authentication for activesync.

Option 1: set up client auth on HAProxy.
Option 2: pass through ‘activesync’ (separate host/SNI) in HAProxy by TCP mode, do authentication on Exchange and keep offloading SSL for ‘owa’ on HAProxy

Option 1 seems to get too complicated for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up with two frontends on the same port, one with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a directly exposed Exchange protected by client certificate authentication as safe against attacks as behind HAProxy?

14
General Discussion / Re: HAProxy Client Certificate Authentication for specific backends
« on: September 02, 2022, 08:43:19 pm »
Quote from: s0mbra on September 28, 2021, 01:49:13 pm
So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.

I try to achieve something similar and found your post.

What will happen if the client presents a cert that is not valid and you only check if the cert was presented?
Would it be the right way to combine 'ssl_c_used' with 'ssl_c_verify' in your check?
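Added example for the questions in posts 13 and 14 above (protecting one hostname with client certificate authentication on HAProxy, and whether to combine 'ssl_c_used' with 'ssl_c_verify'); it also forwards the certificate in the base64 DER form used in post 8. This is not configuration from the posts or from OPNsense; the hostnames, certificate paths, addresses and backend names are assumptions.

```haproxy
# Added example, not taken from the forum posts or from OPNsense.
# Hostnames, certificate paths, addresses and backend names are assumptions.
frontend https_in
    mode http
    # "verify optional": a client certificate is requested, but the handshake
    # also succeeds without one (so the public hostname stays open). A cert
    # that IS presented is always checked against ca-file; a failing cert
    # aborts the handshake unless ca-ignore-err/crt-ignore-err are set.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Hostname (via SNI) that must only be reachable with a client cert.
    acl host_secure ssl_fc_sni -i secure.example.com

    # Weak check on its own: ssl_c_used only says "some certificate was
    # presented", nothing about whether it chained to the configured CA.
    acl cert_presented ssl_c_used
    # ssl_c_verify is the OpenSSL verify result; 0 is X509_V_OK. It is also 0
    # when no cert was sent at all, so it must be combined with ssl_c_used.
    # Combining both keeps the rule correct even if someone later adds
    # crt-ignore-err to the bind line.
    acl cert_ok ssl_c_verify eq 0

    # Never trust a client-supplied X-SSL-Cert header: strip it before anything
    # else so a client cannot inject a certificate the backend would trust.
    http-request del-header X-SSL-Cert

    # Deny the protected hostname unless a cert was presented AND verified.
    http-request deny deny_status 403 if host_secure !cert_presented
    http-request deny deny_status 403 if host_secure !cert_ok

    # Forward the verified certificate to the backend as base64-encoded DER.
    # A backend that insists on PEM has to wrap this value itself.
    http-request set-header X-SSL-Cert %[ssl_c_der,base64] if host_secure cert_presented cert_ok

    use_backend bk_secure if host_secure
    default_backend bk_public

backend bk_secure
    mode http
    server app1 10.0.0.10:8080 check

backend bk_public
    mode http
    server web1 10.0.0.20:80 check
```

Because a presented-but-invalid certificate already aborts the handshake under "verify optional" (without ignore-err options), the ssl_c_verify ACL is a safeguard on top of the presence check rather than the only control.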

15
Web Proxy Filtering and Caching / Re: haproxy: mixed ssl passthrough and offloading
« on: August 28, 2022, 09:42:51 pm »
Quote from: Tubs on August 27, 2022, 11:53:27 pm
I only get it running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

After reading a couple of times and trial-and-error, finally I got it running. The key information was written in the chapter:

Quote
6. How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your "NOSSLservice_server" is running in TCP mode.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved