Messages - sirio81

#1
18.7 Legacy Series / Upgrade from OPNsense 18.1.13_1-amd64
September 23, 2018, 06:04:14 PM
Hi all, is it possible to back up the configuration of OPNsense 18.1.x and restore it to a new 18.7?
Is there another way to upgrade to the latest stable?

Thank you.
#2
18.1 Legacy Series / Help configuring HA-proxy
September 23, 2018, 05:59:50 PM
Hi all, I'm running OPNsense 18.1.13_1-amd64.
I'm trying to configure HAProxy to serve 2 webservers.
As of now, I only care about HTTP working.
I'll take care of HTTPS later.

I already set up HAProxy and it's working, but the web pages are incomplete: only the HTML is loaded, no images, no CSS.

Before I flood this post with many details, do you already know if that's a common configuration mistake?

The network schema is this:

router -> wan (192.168.179.2) | lan (192.168.178.3) -> webserver1 (192.168.178.15)
                                                    -> webserver2 (192.168.178.17)


The public IP is held by the router, which forwards all ports to OPNsense.

Thank you!
#3
Quote:
  I've been adding 2 rules on LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass

I think this is a symptom that NAT reflection is not working.
It means the requests don't get masqueraded with the public IP.

I double-checked the concept of NAT reflection on Wikipedia:
Quote:
  The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1

I forgot to mention my firewall is configured with multiwan.
I don't know if that may matter or not.
#4
Hi all, I already spoke about NAT 1:1 and reflection in this topic, but I have another specific problem to solve.

Consider 3 LAN networks:

192.168.2.0/24 (office pc)
192.168.3.0/24 (office pc)
192.168.6.0/24 (servers)

I have three servers on 192.168.6.0/24.
For each server I'm using NAT 1:1:

1.2.3.4 -> 192.168.6.38 (webserver)
1.2.3.5 -> 192.168.6.10 (mailserver 1)
1.2.3.6 -> 192.168.6.11 (mailserver 2)

192.168.6.38 is a webserver.
I've been adding a firewall rule on the WAN interface, so that ports 80 and 443 can be reached from outside.
I've been adding 2 rules on the LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass
Doing so I'm able to reach my services from the office networks.

The only thing that doesn't work is, for example, to contact port 80 from network 192.168.6.0/24.

From the webserver itself:
nmap  -p 80 1.2.3.4 -Pn
PORT   STATE    SERVICE
80/tcp filtered http


From the webserver to a mailserver:
nmap -p 25 1.2.3.5 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-05-11 09:38 CEST
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39478 > 1.2.3.5:25 S ttl=59 id=47236 iplen=44  seq=707988922 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39479 > 1.2.3.5:25 S ttl=40 id=38922 iplen=44  seq=707923387 win=1024 <mss 1460>
Nmap scan report for server.domain.com (1.2.3.5)
Host is up.
PORT   STATE    SERVICE
25/tcp filtered smtp


Suggestions?
#5
Hi Animosity022, I do agree that DNS override is a better solution, but consider two more webservers hosting 100 domains.
All these domains and all their records would have to be overridden to be able to reach them from the internal network.
That's why I'm opting for NAT reflection.
If it were a matter of a few DNS records, I wouldn't use NAT reflection.
I'm aware that this way the traffic goes through the firewall, but there won't be many requests in my case.

Anyway, I made it work!
I have two LAN networks: 192.168.2.0/24 and 192.168.3.0/24.
My LAN interface has IP 192.168.2.254 and the virtual IP 192.168.3.250.
They are the gateways for the respective networks.
I added two rules on the LAN interface:

from 192.168.2.0/24 to 192.168.6.0/24 pass
from 192.168.3.0/24 to 192.168.6.0/24 pass
traceroute www.domain.com
traceroute to www.domain.com (1.2.3.4), 30 hops max, 60 byte packets
webserver-jessie.domain.com (1.2.3.4)  0.425 ms  0.457 ms  0.479 ms
webserver-jessie.domain.com (1.2.3.4)  1.689 ms  1.682 ms  1.697 ms

Note: I was in doubt if it was necessary to disable the option "Block private networks" on the WAN interface but it isn't.
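Illustrative pf.conf translation and filter rules for the 1:1 NAT plus NAT reflection setup of posts #4 and #5, written as an added example (not configuration generated by OPNsense) and assuming interface names em0/em1/em2 with the address plan from the posts. It also covers the same-subnet case of #4, where the reflected connection additionally needs source NAT to the firewall's address so the server's replies come back through the firewall instead of going directly to the client.

```pf
# Hand-written pf.conf excerpt (example only, not OPNsense-generated rules).
# Assumed interfaces: em0 = WAN, em1 = LAN (office nets), em2 = servers net.
ext_if      = "em0"
lan_if      = "em1"
srv_if      = "em2"
office_nets = "{ 192.168.2.0/24, 192.168.3.0/24 }"
srv_net     = "192.168.6.0/24"
web_pub     = "1.2.3.4"
web_int     = "192.168.6.38"
web_ports   = "{ 80, 443 }"

# 1:1 NAT (binat): the webserver is seen on the WAN side as 1.2.3.4 in
# both directions. The mailservers from post #4 would get their own
# binat lines in the same form.
binat on $ext_if from $web_int to any -> $web_pub

# NAT reflection for the office networks: a client that connects to the
# public address is redirected to the internal address on the way in,
# so it never has to leave via the WAN.
rdr on $lan_if proto tcp from $office_nets to $web_pub port $web_ports -> $web_int

# Same-subnet case (post #4): a 192.168.6.x client hitting 1.2.3.4.
# Redirecting alone is not enough, because the server would answer the
# client directly on the shared segment and the firewall would only ever
# see the SYN. Rewriting the source to the firewall's own address on
# em2 forces the reply back through the firewall (hairpin NAT).
rdr on $srv_if proto tcp from $srv_net to $web_pub port $web_ports -> $web_int
nat on $srv_if proto tcp from $srv_net to $web_int port $web_ports -> ($srv_if)

# Filter rules. Translation happens before filtering, so inbound rules
# match the internal address, which is why a WAN rule is still needed
# even though the packet arrived addressed to 1.2.3.4.
pass in on $ext_if proto tcp to $web_int port $web_ports
pass in on $lan_if proto tcp from $office_nets to $srv_net
pass in on $srv_if proto tcp from $srv_net to $web_int port $web_ports
```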

#6
I forgot to mention I'm using multi-WAN, if that matters.
By the way, I'm not looking for a workaround but for the way to make NAT reflection work.
#7
Unfortunately this is an option I can't take.
#8
Ok, now it's clear.
I'll add rules descriptions.
Thank you.
#9
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)



I set nat reflection advanced options



I set a firewall rule on wan interface



The servers are reachable from the internet but not from my internal LAN networks.
Nat reflection is working with other forwarded ports.
I'm probably missing firewall rule,

Any suggestion?
#10
This is what I see.



#11
This really looks like a bug to me:

- create a forward rule.
  (it doesn't matter what you choose in "Filter rule association").
- click on the pencil to edit the forward rule and try to change the "Filter rule association"; you'll get this list:
  Pass
  Rule Nat
  Rule Nat
  Rule Nat
  Rule Nat

What do you think?

OPNsense 18.1.6-amd64
#12
Hi, I created a port forward as test:
2222 -> 192.168.178.99:22
I chose "add unassociated filter rule".
I expected to find a rule in Firewall / Rules / Wan that I was able to edit but I see no related rule.
Is it a bug or am I misunderstanding the meaning?

Nonetheless, if I click on the pencil to edit the "Nat / Port forward rule", the Filter rule association is "None".

Thank you.

OPNsense 18.1.6-amd64
#13
Hi all, if I redirect a port (Firewall / Nat / port forwarding) I have 3 choices.
In this topic I consider only two of them:

  • Associated filter rule
  • Pass
The first is the default.
It adds a rule in Firewall / Rule / Wan.
This rule can't be edited.
If I choose "Pass", no firewall rule will be checked.

In both cases, any request on the forwarded port will be accepted.
So, when is it the case to prefer "Associated filter rule" instead of "Pass"?
#14
18.1 Legacy Series / Virtual IP / IP Alias netmask
April 26, 2018, 05:50:07 PM
This may be a trivial question:
Considering my LAN nic with ip 192.168.1.1/24, I create a new virtual ip of type (Mode 'IP Alias') 192.168.2.1.
Shall I set 24 or 32 as netmask?
#15
18.1 Legacy Series / Re: WAN address explanation
April 26, 2018, 02:10:35 PM
Ok, now I know I better set the ip instead of 'WAN address' when I have aliases.
Thank you for your reply.