Messages

1

High availability / Re: CARP with DHCP on WAN

« on: November 01, 2021, 10:51:17 pm »

EDIT2: I misunderstood the use of pre-empt.  As I now read it, pre-empt will address keeping all interfaces in a consistent state.  More testing!

EDIT:  I have done some additional digging and found that a script placed in /usr/local/rc.syshook.d/carp/ will be called when a carp event occurs.  I have play around with this and now have something that works in the case that all 3 CARP interfaces on the primary go down - i.e. power failure; however, if there is a problem that say affects only  the WAN interface, then the LAN interface is still pointing to the primary.  More reading and testing needed lbe 11/02/2021

Has anyone found a hack that facilitates the OP request?  Like the OP, I am fine with losing state.  I would like to use the HA to keep everything else synced and just have a poor boy solution that will bring up the WAN interface (vtnet1) configured with an LAA MAC shared between the two firewalls in DHCP mode and then taking the WAN interface down when the primary is back in service.

I'm still too new to OPNsense (and HardenedBSD) to know how to implement the event detection and action.  I do have many years of experience in Linux and other Unices and am glad to take a shot at writing the control scripts if someone know what hooks/APIs to use.

Thanks!

lbe

2

General Discussion / Re: Info Request: WAF/Publishing Web Sites & Web Sockets

« on: September 28, 2018, 12:31:23 pm »

Thanks for your response!  I will research and test this weekend.

3

General Discussion / Info Request: WAF/Publishing Web Sites & Web Sockets

« on: September 26, 2018, 05:51:17 pm »

All,

About five years ago, I used pfSense but left it to go to Sophos UTM primarily because of ease of configuration for the Sophos Web Application Firewall (WAF).  I am currently running into one problem and one major inconvenience that I would like to address.  I "think" OPNsense may be a solution and am requesting validation assistance before I jump totally onboard.

The problem is that Sophos UTM WAF cannot handle web sockets.  The only work around is to use NAT to forward a specific port.  This does not work at my work locations where I am limited to ports 80/443.

The inconvenience is that managing LetsEncrypt certificates is still a somewhat manual process.  I prefer a solution that handles the renewals in an automatic manner.

My representative givens are:

• Home Network
• Network Geometry - Internal <=> FW <=> External
• Reverse proxy on FW
• LetsEncrypt on FW
• Internal web servers:
• http://sabnzbd.example.com:9000
• https://sickrage.example.com:9100
• https://guac.example.com (websockets)
• https://proxmox1.example.com:8006 (websockets)
• Separate DNS internal and external

Functionality Requirements:

• Access above web servers using the following names both internally and externally on TCP/443:
• https://sabnzbd.example.com
• https://sickrage.example.com
• https://guacamole.example.com with upgrade to websockets
• https://proxmox1.example.com with upgrade to websockets
• Configure LetsEncrypt for each of these web servers via web user interface
• Have LetsEncrypt automatically update certificates prior to their expiration

There are additional functional requirements regarding custom firewall rules and port forwarding that I know OPNsense can perform based upon my previous experience with pfSense.  I have purposely excluding these to focus on the issues that are not as clear to me from my current investigation?

My questions are:

• Can my functional requirements be met with OPNsense?
• If so, what are the recommended modules (i.e. I assume haproxy for the for the reverse proxy, ...)?
• Are there any howtos or guides for this type of configuration?
• Are there any warnings or gotchas that I should be aware of?

Thanks in advance for your assistance!

LBE