Messages - neptunus

#1
Quote from: TheHellSite on May 31, 2021, 01:06:11 PM...

I just wanted to say thank you for this great tutorial. Without it, I probably wouldn't have been able to get HAProxy working properly so quickly. I have to admit, I did encounter some challenges along the way (caching issues with my browser) to get it working. Persistence pays off.

THANK YOU TheHellSite



Small question:
If I use https://www.ssllabs.com/ssltest/ to check my rating I get an A rating and not an A+ rating.
Everything is working fine (Both internally and externally). I would like to get an A+ score. Where can I best look for this in my config?

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    ocsp-update.mindelay 300
    ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6858481c927846.22561467 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6858481c927846.22561467

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3.:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68584d170605b3.78042743.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_685d465d816dc2.01366113 src 192.168.1.0/24 192.168.10.0/24 192.168.20.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/685d45a1ac5eb2.67005920.txt)] if acl_685d465d816dc2.01366113
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6858488725c281.06683664.txt)]

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: MIRAGE_backend ()
backend MIRAGE_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server MIRAGE_server 192.168.10.22:8443 ssl verify none

# Backend: BUMBLEBEE_backend ()
backend BUMBLEBEE_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server BUMBLEBEE_server 192.168.10.2:443 ssl verify none

# Backend: SPRINGER_backend ()
backend SPRINGER_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server SPRINGER_server 192.168.10.26:8123



# statistics are DISABLED

Snippet from https://www.ssllabs.com/ssltest/
For some reason the test indicates that:
Session resumption (caching) No (IDs assigned but not accepted)
Strict Transport Security (HSTS) No


Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Mitigated server-side (more info) 
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) No (more info)
Zombie POODLE No (more info) 
GOLDENDOODLE No (more info) 
OpenSSL 0-Length No (more info) 
Sleeping POODLE No (more info) 
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compression No
RC4 No
Heartbeat (extension) No
Heartbleed (vulnerability) No (more info)
Ticketbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
OpenSSL Padding Oracle vuln. (CVE-2016-2107) No (more info)
ROBOT (vulnerability) No (more info)
Forward Secrecy Yes (with most browsers)   ROBUST (more info)
ALPN Yes   h2 http/1.1
NPN No
Session resumption (caching) No (IDs assigned but not accepted)
Session resumption (tickets) No
OCSP stapling No
Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome  Edge  Firefox  IE
Public Key Pinning (HPKP) No (more info)
Public Key Pinning Report-Only No
Public Key Pinning (Static) No (more info)
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts No
Uses common DH primes No
DH public server param (Ys) reuse No
ECDH public server param reuse No
Supported Named Groups secp384r1
SSL 2 handshake compatibility No
0-RTT enabled No
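A small static check of the kind of HAProxy config posted above, added here as an illustration (it is not code from the thread, from TheHellSite's tutorial or from the HAProxy project): it parses the frontends, reports which ones terminate TLS with SSLv3/TLS 1.0/TLS 1.1 disabled, and whether an HSTS header is set with a max-age long enough for an SSL Labs A+ (their rating guide requires at least six months). The embedded config is a constructed, abridged copy of the two frontends above.

```python
import re
# Constructed, abridged copy of the two frontends from the config posted above.
SAMPLE_CFG = """
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets alpn h2,http/1.1
    mode http
"""
SIX_MONTHS = 15768000  # SSL Labs awards A+ only with an HSTS max-age of at least six months
HSTS_RE = re.compile(r'Strict-Transport-Security\s+"?max-age=(\d+)', re.I)

def parse_sections(cfg):
    """Return {(kind, name): [directive lines]}, keyed by global/defaults/frontend/backend/listen."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)", line)
        if head:
            current = (head.group(1), head.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def legacy_disabled(tokens):
    """A bind is clean if it sets ssl-min-ver to TLS 1.2+ or explicitly disables SSLv3/TLS1.0/TLS1.1."""
    if "ssl-min-ver" in tokens:
        return tokens[tokens.index("ssl-min-ver") + 1] in ("TLSv1.2", "TLSv1.3")
    return {"no-sslv3", "no-tlsv10", "no-tlsv11"} <= set(tokens)

def audit_frontends(cfg):
    """Per frontend: does it terminate TLS, are legacy protocols off, is HSTS long enough for A+."""
    report = {}
    for (kind, name), lines in parse_sections(cfg).items():
        if kind != "frontend":
            continue
        tls_binds = [l.split() for l in lines if l.startswith("bind ") and "ssl" in l.split()]
        ages = [int(m.group(1)) for m in map(HSTS_RE.search, lines) if m]
        report[name] = {"terminates_tls": bool(tls_binds),
                        "legacy_disabled": bool(tls_binds) and all(map(legacy_disabled, tls_binds)),
                        "hsts_max_age": max(ages) if ages else None,
                        "hsts_ok": bool(ages) and max(ages) >= SIX_MONTHS}
    return report
```

A static pass only shows what is configured; confirm what clients actually receive with `curl -sI` against the public name, since HAProxy applies `http-response` rules to backend responses but not to responses it generates itself (`http-after-response` covers both).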
#2
I got it all working after some good debugging sessions. On this page I found the hints I needed.
#3
Quote from: meyergru on June 17, 2025, 11:09:09 PM
1. The sequence just determines the sorting order in the GUI - the help text for the item says: "priority sequence used in sorting the groups".
2. Your NAT config seems to miss many of the automatic rules that I would deem necessary, like one for the LAN networks.

Thanks for the help.

Regarding your response:
1: Thanks for the hint, is there any documentation where I can read that this is indeed only a view thing?
2: I will double check https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#interface-groups and compare with my config.
#4
I was using pfSense in the past and was using the popular pfSense baseline guide setup. After some searching I came across https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/. Great howto, thanks schnerring for the great work!

Unfortunately I don't quite understand two items.
One:
In section interface-groups the use of interface groups is explained. I understand the principle. But with version OPNsense 25.1.8_1-amd64 FreeBSD 14.2-RELEASE-p3 OpenSSL 3.0.16 you also have to specify the Sequence of a group. Aka "priority sequence used in sorting the groups".
Can someone tell me what the Sequence of the Interface Groups should be for the interface groups as specified in the howto?
Below the config I have:


Two:
In section NAT the usage of Outbound NAT is explained. I understand the principle, but I can't get my setup to work properly when I set Manual outbound NAT rule generation. I have to set Hybrid outbound NAT rule generation which is not explained as such.
I have the idea that this is not working because it is not configured correctly with the Sequence of the Interface Groups. I believe this is causing the firewall rules to not work as intended.
Can someone confirm my assumption regarding NAT config is correct and help me further to get this resolved?
Below the config I have:


Summary of my two questions:
  • Can someone tell me what the Sequence of the Interface Groups should be for the interface groups as specified in the howto?
  • Can someone confirm my assumption regarding NAT config is correct and help me further to get this resolved?

Any help is appreciated, thanks in advance!
#5
23.7 Legacy Series / Re: Alias issues with Port(s)
November 21, 2023, 11:39:09 AM
I made a clumsy mistake that I kept looking over. Apologies. This topic can be closed.
#6
Could you share a /tmp/rules.debug

See https://github.com/opnsense/core/issues/7017 why I'm asking. I got a good hint from @AdSchellevis

I haven't quite figured it out yet either. I have this issue with Aliases type Port(s)
#8
23.7 Legacy Series / Alias issues with Port(s)
November 16, 2023, 05:19:01 PM
Hello,

I think there is a serious issue with OPNsense 23.7.8_1-amd64 and Alias and Port(s). If I would like to add an Alias Port(s) in Firewall: Aliases, the web interface is working. The alias with the name is nicely added. But in Firewall: Diagnostics: Aliases it is not shown. Also the firewall rule where I would like to use the alias is not working.

By checking:
pfctl -t $ALIAS -T show
returns an error
pfctl: Unknown error: -1.

If I use the same cmd with an existing Network(s) alias, it works and shows the IPs.

Am I doing something wrong? Or have I indeed found a bug in this version?

#9
General Discussion / Re: Alias creation using API
November 03, 2023, 06:47:06 PM
Quote from: trumee on October 28, 2023, 04:09:31 PM
Here is a python script which creates a json file for upload.

@trumee would you be willing to explain how to use your script?
#10
Of course you don't want that, I'm going to study the pictures even better. Thanks!
#11
Thanks for sharing, great help. What does a nesting look like?
#12
Quote from: pmhausen on June 20, 2023, 09:06:34 PM
I am perfectly on board with nesting.

Create aliases like

Port_Application
Host4_Description
Net6_Description

and use groups. I am not missing anything and I would consider this best practice. I have been managing firewalls for 30 years.

Thank you for responding so quickly. Would you mind taking some screen shots? I would like to learn from your experiences, but I don't fully understand your post.
#13
Used adding this link for interested readers (Feature request: proper administration of aliases): https://github.com/opnsense/core/issues/6619
#14
18.7 Legacy Series / Re: Unbound DNS: Overrides
January 13, 2019, 03:06:32 PM
Quote from: bugsmanagement on January 03, 2019, 01:30:21 AM
Does it work? If it does, I guess so?

Yes it did, sorry for late response.
#15
18.7 Legacy Series / Re: Unbound DNS: Overrides
January 02, 2019, 02:01:52 PM
Quote from: bugsmanagement on January 02, 2019, 01:22:27 AM
Hello,

You are not getting what you expected perhaps because of the Nameserver you have configured for the firewall. E.g., Settings -> General: DNS Servers. Unless you manually configure Unbound upstream nameservers and switch DNS Server to 127.0.0.1, you will not get the expected result.

Note, if you leave Unbound unconfigured to contact nameservers on its own, it will use the firewall DNS servers. So simply setting DNS Servers to 127.0.0.1 blindly will have undesired consequences.

Regards

THANKS bugsmanagement

In "System: Settings: General" I disabled the setting below (the box is not checked).


If I test with this setting the behavior is as expected.
Trying "testing.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14785
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testing.lan.                      IN      A

;; ANSWER SECTION:
testing.lan.               3600    IN      A       192.168.10.15

Received 42 bytes from 127.0.0.1#53 in 0 ms
Trying "testing.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3075
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testing.lan.                      IN      AAAA

Received 26 bytes from 127.0.0.1#53 in 0 ms
Trying "testing.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17918
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testing.lan.                      IN      MX

Received 26 bytes from 127.0.0.1#53 in 0 ms


I use Unbound DNS in my configuration. In "Services: Unbound DNS: General" I have selected the interfaces for Unbound I need, including Localhost. As far as my knowledge is concerned, this configuration is ok. Agree?