Messages - bunchofreeds

#1
Hi and welcome to OPNsense, it really is an awesome little router/firewall/Swiss army knife.

First off, I'd follow this tutorial and see how you get on.
Then post in the same thread if you get stuck.

https://forum.opnsense.org/index.php?topic=23339.0

I used to run three sites behind OPNsense using HAproxy quite successfully, so it is doable!
One of them was also Home Assistant, another was Guacamole.
It requires following the tutorial above closely. You'll learn a lot about how HA works with OPNsense.

Something else you might want to investigate is running Cloudflared tunnels to each of your web services.
I do this now, it's extremely easy to setup, no more certs plus you get Cloudflare WAF and access challenges.
All within their free stuff

But HAproxy is also good :)

Edit: Have you moved your OPNsense web front end away from 443? I seem to remember this was one of those changes needed that might cause weird stuff like you're describing.

#2
Yeah I was thinking a Firewall rule created for that specific MAC on 'block'.
And then removed on 'unblock'.

I agree on the randomisation of the MAC, but it would probably still work for the purposes of a 'Block' for an amount of time (Hours).

https://source.android.com/docs/core/connect/wifi-mac-randomization-behavior

If I read this right then it could be circumvented easily, but would be annoying to do so, and then just blocked again. lol

Probably won't progress past this chat :)
#3
Hi,

Any thoughts on adding a 'Block' button next to the 'Add Static Mapping' and 'Delete' buttons in the DHCP lease section?

For when my kids piss me off and I want to quickly block their access for a specific MAC at that time.
And then an unblock for after they apologise.

lol

I'm sure it would have other uses..
#4
General Discussion / Unbound and DNS Round Robin
March 03, 2024, 08:16:52 PM
Hi,

Does anyone know if it's possible to have a simple failover using unbound and round robin DNS?
Also configurable within OPNsense?

From the unbound documentation it seems possible... assuming I'm reading this right...

https://nlnetlabs.nl/documentation/unbound/unbound.conf/
       rrset-roundrobin: <yes or no>
              If yes, Unbound rotates RRSet order in response (the random number is taken from the query ID, for speed and thread safety). Default is yes.

Just not sure how to implement or if it would actually work?

My requirement is a simple failover of a web GUI presented by Proxmox hosts.
Currently, each host presents the GUI and allows access to the cluster underneath. I can browse to each host directly and have this experience.
When a host restarts for maintenance etc. perhaps DNS Round Robin would resolve to another host.

I do currently use HAproxy for this so I understand this approach, however I'm looking to remove the proxy entirely as I have moved to Cloudflared tunnels for my other services.
But not for this last simple fail over scenario with Proxmox.

This is not production and just my home lab. But I still strive for 'good' :)
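The following is an added example, not code from the post above or from the Unbound project. It models what rrset-roundrobin actually does for the Proxmox GUI case described: Unbound rotates the order of the A records in each answer (Unbound derives the offset from the query ID; the simulation below only reproduces the rotation, not Unbound's exact mixing), but it never removes a host that is down. Failover therefore happens in the client, which must try the next address when the first one refuses the connection. The host name pve.lab.example, the three addresses and the reachability table are all constructed for the example; in a real deployment the connect() stand-in would be a TCP connect to port 8006.

```python
"""Added example: behaviour of a DNS round-robin answer for a multi-host GUI.

Constructed data only; pve.lab.example and the 10.0.0.x hosts are hypothetical.
"""
from __future__ import annotations

# Constructed: the A records Unbound would serve for the name (for example from
# three local-data entries). The order here is the order in the config.
RRSET = {
    "pve.lab.example": ["10.0.0.11", "10.0.0.12", "10.0.0.13"],
}

# Constructed reachability table standing in for "can I open TCP/8006 on it?".
# 10.0.0.11 is rebooting for maintenance.
UP = {"10.0.0.11": False, "10.0.0.12": True, "10.0.0.13": True}


def roundrobin_answer(name: str, query_id: int) -> list[str]:
    """Rotate the RRset the way rrset-roundrobin does: the rotation offset is
    derived from the query ID, so each answer is a rotation of the full set.
    Note what is NOT happening: no record is ever dropped; the resolver has no
    idea which hosts are alive."""
    rrset = RRSET[name]
    if not rrset:
        return []
    k = query_id % len(rrset)
    return rrset[k:] + rrset[:k]


def connect(addr: str) -> bool:
    """Stand-in for a TCP connect attempt (constructed, see UP above)."""
    return UP.get(addr, False)


def naive_client(name: str, query_id: int) -> str | None:
    """A client that only ever uses the first address in the answer.
    With one host down out of N, one query in N lands on the dead host and
    the 'failover' does not happen."""
    answer = roundrobin_answer(name, query_id)
    if answer and connect(answer[0]):
        return answer[0]
    return None


def first_reachable(name: str, query_id: int) -> str | None:
    """What a well-behaved client (most browsers, on a refused/timed-out TCP
    connect) does: walk the answer in order until one address connects.
    This loop is the failover; DNS only supplies the candidate list."""
    for addr in roundrobin_answer(name, query_id):
        if connect(addr):
            return addr
    return None


if __name__ == "__main__":
    for qid in range(3):
        print(qid, roundrobin_answer("pve.lab.example", qid),
              "naive:", naive_client("pve.lab.example", qid),
              "with fallback:", first_reachable("pve.lab.example", qid))
```

Two caveats follow from the simulation. A browser will usually move to the next address when the TCP connect fails outright, but not when the host accepts the connection and then misbehaves (for example a node that is up but whose web service is unhealthy), and a resolver or browser cache can pin the rotated order for the record's TTL. HAProxy's health checks are what removes a dead host from the pool; round-robin DNS cannot do that.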
#6
Quote from: bunchofreeds on February 08, 2024, 09:23:41 PM
Hi all,

I'm trying to get my internally hosted services to report the originating client IP when going through a proxy chain starting with Cloudflare then to HAproxy. Currently HAproxy logs show the local Cloudflare CDN address.

Cloudflare is set up to proxy and is Full (Strict) meaning I'm using the Cloudflare origin cert offloaded at HAproxy

I've found that Cloudflare does collect the Client IP within cf-connecting-ip
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

And I have found this post that helps someone with pfSense to do what I want
https://forum.netgate.com/topic/176777/haproxy-cloudflare-restoring-original-ip/3

What I'm not sure about is how (if possible) to get HAproxy to reference the cloudflare IP address list to know what sessions to insert the cf-connecting-ip into x-forwarded-for
Ideally this is in the form of some alias or map that dynamically checks https://www.cloudflare.com/ips-v4

Thanks for any help with this, also it's not urgent at all and just for my home setup and for fun really.

Found some answers
https://github.com/home-assistant/core/issues/40421#issuecomment-1667019787
#7
Hi all,

I'm trying to get my internally hosted services to report the originating client IP when going through a proxy chain starting with Cloudflare then to HAproxy. Currently HAproxy logs show the local Cloudflare CDN address.

Cloudflare is set up to proxy and is Full (Strict) meaning I'm using the Cloudflare origin cert offloaded at HAproxy

I've found that Cloudflare does collect the Client IP within cf-connecting-ip
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

And I have found this post that helps someone with pfSense to do what I want
https://forum.netgate.com/topic/176777/haproxy-cloudflare-restoring-original-ip/3

What I'm not sure about is how (if possible) to get HAproxy to reference the cloudflare IP address list to know what sessions to insert the cf-connecting-ip into x-forwarded-for
Ideally this is in the form of some alias or map that dynamically checks https://www.cloudflare.com/ips-v4

Thanks for any help with this, also it's not urgent at all and just for my home setup and for fun really.
#8
@meyergru thanks for your help so far

I'll ask in that thread
#9
@meyergru I found this link which closely relates to OPNsense

https://forum.netgate.com/topic/176777/haproxy-cloudflare-restoring-original-ip/3

Do you know how/where to set HAproxy via GUI in OPNsense for the above?

Specifically I'm stuck with the 'Source IP matches IP or Alias'
I can create the Alias for Cloudflare IPs within Firewall>Aliases
But can't see where to reference this alias in HAproxy GUI
Closest is HAproxy>Conditions>Condition Type>Source IP Matches Specified IP
But this only seems to want a single IP address

Thanks for any help with this. I'm obviously learning as I'm going here :)
#10
Thanks I'll check that out and see how I get on
#11
Upgraded to 24.1 successfully

This version has HAproxy 4.2 which is moving the x-forwarded-for to the backend pool config and adding additional options.

Still need some help/advice on how to get this working to pass on the Client IP though when passing through Cloudflare if anyone has any ideas?


Thanks
#12
hmmmm...

It looks like OPNsense 24.1 includes HAProxy 4.2 which changes and adds some X Forward stuff.

I might need to also upgrade and check this out.

Has anyone done this already... tested X Forwarding with HAProxy 4.2 plugin?
#13
Hi all,

I currently proxy through Cloudflare (strict/full) then to HAproxy (OPNsense plugin) then to a local instance of Home Assistant.

I'd like to keep the Client IP intact so I can see in Home Assistant what originating Client IP connected.
Currently I see the Cloudflare IP which is not 'ideal' for me :)

From reading I see that Cloudflare, being the first Proxy in my chain, DOES pass on the Client IP but not using the usual X-Forwarded-For but instead within the http header as CF-Connecting-IP
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

This means my HAproxy cannot pass this onto Home Assistant through X-Forwarded-For currently

From further reading, I see I could 'possibly' configure my HAproxy to pick up the CF-Connecting-IP and add to X-Forwarded-For when a Cloudflare IP Address is seen
https://github.com/haproxy/haproxy/issues/90#issuecomment-718286982

Can anyone help me with how I can apply this configuration to my OPNsense/HAProxy?

Thanks for any help with this

Furthermore, I have X-Forwarded-For disabled in HAProxy for my Public Service as I've read this should only be added once at the first proxy, all other proxies in the chain should add their respective IP's to this header as they are passed. Enabling this also breaks Home Assistant for me, complaining it sees two when there should only be one.

Also... :) I have aliases for Cloudflare IP ranges which would be good to use for this if possible, to replace what is in the linked script...
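The decision HAProxy has to make in the Cloudflare -> HAProxy -> Home Assistant chain asked about in this post (and again in #7 and #9 above), written out as an added Python example so the trust rule is explicit; this is not code from the posts, from the OPNsense HAProxy plugin or from HAProxy itself. The security point is that CF-Connecting-IP is an attacker-controlled string unless the TCP source address of the connection is one of Cloudflare's published edge ranges: anyone who can reach the HAProxy listener directly can send the same header. So the header is honoured only when the source matches the trusted list, and the outgoing X-Forwarded-For is set (replaced), not appended, so the backend sees exactly one header line. The CIDR list below is a constructed sample of a few published Cloudflare ranges and is not complete; load the current full list from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 (which is what the URL Table alias does). The request headers in the tests are constructed as well.

```python
"""Added example: restore the real client IP behind Cloudflare, safely.

Rule: honour CF-Connecting-IP only when the connection's source address is in
the trusted (Cloudflare) ranges; otherwise the direct peer IS the client and
whatever it claimed in CF-Connecting-IP / X-Forwarded-For is discarded.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Mapping, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of published Cloudflare ranges; NOT the full list.
CLOUDFLARE_RANGES_SAMPLE = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "2400:cb00::/32",
]


def load_trusted(cidrs: List[str]) -> List[IPNet]:
    """Parse the CIDR list (in production: the downloaded ips-v4/ips-v6 files)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(src: str, trusted: List[IPNet]) -> bool:
    """True if the TCP source address belongs to a trusted edge range.
    Mismatched IP versions simply compare False."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in trusted)


@dataclass(frozen=True)
class Forwarded:
    client_ip: str          # what the backend should log and authorise on
    trusted_edge: bool      # True if CF-Connecting-IP was honoured
    x_forwarded_for: str    # the single X-Forwarded-For value to send downstream


def restore_client_ip(src_ip: str, headers: Mapping[str, str],
                      trusted: List[IPNet]) -> Forwarded:
    """Equivalent of the HAProxy pair
         acl from_cf src -f /path/cloudflare_ips.lst
         http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf
    plus a sanity check that the header value parses as an IP address."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    cf_ip = hdrs.get("cf-connecting-ip")
    if cf_ip and is_trusted(src_ip, trusted):
        try:
            client = str(ipaddress.ip_address(cf_ip))
        except ValueError:
            pass  # malformed value from a trusted edge: fall back to the peer address
        else:
            return Forwarded(client, True, client)
    # Untrusted source (a direct or internal client): it is the client itself.
    return Forwarded(src_ip, False, src_ip)


def backend_headers(src_ip: str, headers: Mapping[str, str],
                    trusted: List[IPNet]) -> Dict[str, str]:
    """Headers to hand to the backend. Incoming X-Forwarded-For and
    CF-Connecting-IP lines are dropped first so the backend never sees two
    X-Forwarded-For headers (the failure the post describes) and never sees a
    CF-Connecting-IP that did not come from a trusted edge."""
    fwd = restore_client_ip(src_ip, headers, trusted)
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("x-forwarded-for", "cf-connecting-ip")}
    out["X-Forwarded-For"] = fwd.x_forwarded_for
    if fwd.trusted_edge:
        out["CF-Connecting-IP"] = fwd.client_ip
    return out


if __name__ == "__main__":
    trusted = load_trusted(CLOUDFLARE_RANGES_SAMPLE)
    # Constructed requests: one genuine edge connection, one spoof attempt.
    print(restore_client_ip("173.245.48.10", {"CF-Connecting-IP": "198.51.100.7"}, trusted))
    print(restore_client_ip("192.0.2.55", {"CF-Connecting-IP": "10.0.0.1"}, trusted))
```

In the OPNsense plugin the two HAProxy lines quoted in the docstring correspond to a Condition (source address matches the Cloudflare alias) and a Rule that sets the header (the exact field names depend on the plugin version). Because set-header replaces rather than appends, the `option forwardfor` style behaviour that appends a second X-Forwarded-For line is not needed for the public service, which matches the observation in this post that enabling it makes Home Assistant complain about two values. The backend still has to be told that HAProxy itself is a trusted proxy (Home Assistant's trusted_proxies setting) or it will ignore the header entirely.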

#14
Late reply - sorry

I followed your advice and configured an Alias using URL Table (IPs)
Pasted in the Cloudflare IP list URL and set to check every 7 days

Works really well!

Thanks
#15
Didn't get an understanding of those errors in the config file, but have resolved my issue.

My Public Service had two URLs that it was listening for, both with their FQDN specified.
I removed these and just added *:443

Now it works great

I have a public service for external using the Cloudflare Origin cert and Full Strict
Also have a public service for internal that has a single URL specified that it listens for, also uses a lets encrypt cert

Happy days