Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - Bagoline

Pages: [1]

Tutorials and FAQs / IPSEC VTI with HA

« on: April 23, 2019, 05:54:44 pm »

Has anyone done the IPSEC VTI implementation in a HA cluster?

I've tried it and the cluster was broken almost immediatelly.

Any working configuration guide or approach i should be aware of?

Thank you

Greek - Ελληνικά / Re: Ελληνες χρηστες του OPNsense εδω?

« on: April 23, 2019, 05:53:10 pm »

Έχει κάνει κανείς υλοποιήση IPSEC VTI με HA?

Πήγα να το κάνω και διαλύθηκε το σύμπαν, έσπασε το HA, έχασα το remote access.
Έπρεπε να κάνω restore απο backup....

Από'τι κατάλαβα λογικά δεν μπορεί να παίξει γιατί συγκρούονται τα:
1. VTI interfaces, μιας και πρέπει να υπάρχουν και στα 2 για να συχρονίζει το config,
2. Τα IPSEC VTIs μιας και πρέπει να έιναι ενεργό σε ένα απο τα 2.

Έχω καταλάβει λάθος κάτι?

19.1 Legacy Series / Re: Can't select HAProxy rule

« on: March 13, 2019, 03:47:11 pm »

You are correct with your assumption.

For sticky sessions, we always went with F5, Alteon load balancers for specific use-cases like shopping carts etc.
For the above use-cases, our environment would not allow non-officially supported solutions.

19.1 Legacy Series / Re: Can't select HAProxy rule

« on: March 08, 2019, 07:26:57 pm »

Hi boardyuk

Just a clarification which i might have gotten wrong.
You use the HAPROXY as a reverse proxy, and not for load-balancing. Correct?

If that is the case why not use NGINX with the respective reverse proxy config and security modules?

I have never seen HAPROXY deployed as a reverse proxy. Most common deployment are:
Firewall + Forward Proxy (SQUID) + AV (ClamAV) + Reverse Proxy (WAF)

To be honest i haven't deployed the NGINX in opnsense but i believe it will be doable and forwarding paths should be more straightforward in NGINX.

Tutorials and FAQs / Re: SNMP - Basic Config

« on: March 04, 2019, 04:29:37 pm »

The issue was rectified on the primary instance when LibreSSL was removed in favor or OpenSSL.

The standby still has the same issue for some reason.
Unfortunately, there is no available time to TS it.

Regarding the packets, they reach the firewall OK, the SNMP service for some reason does not respond.

Greek - Ελληνικά / Re: Ελληνες χρηστες του OPNsense εδω?

« on: March 04, 2019, 04:27:49 pm »

Αυτή τη στιγμή δεν έχω κανένα θέμα μιας και όλα δουλεύουν μια χάρα.
Οι πολιτικές λειτουργούν, τα NAT μία χαρα, τα IPSEC δεν πέφτουν (αν και θα γίνει μετάβαση σε GRE-o-IPSEC) για να φύγουν τα phase-2 SAs.

Βασικά βοήθαει η οποιαδήποτε εμπειρία με firewalls γιατί στο τέλος της ημέρας όλα λίγο πολύ τα ίδια κάνουν.

Με τι ασχολήσε, εσύ?

19.1 Legacy Series / Re: Can't select HAProxy rule

« on: March 04, 2019, 04:22:39 pm »

The steps which I took to configure the HA proxy rule were the following:
1. Create Real servers
2. Create the Health-Check
3. Create the Back-End pool
4. Create the Virtual service.
For this step i created the virtual service to listen on IP 127.0.0.1 on the TCP port e.g. 12345
5. Create the NAT config with translation to the 127.0.0.1 on the TCP port.

That work flawlessly.

However, the HA proxy service config needs some time to populate the options from the browser and some time errors were produced from firefox. I would recommend selecting HA proxy from the Services and leave it a few seconds for your browser to download all content.

General Discussion / Re: Howto disable brute force login

« on: March 04, 2019, 02:59:51 pm »

Normally, you don't allow access to the firewall from all IP addresses cause you will be locked out when the threshold is reached.

It's better if you access the firewall through an OpenVPN.

We have enabled a temp lockout mechanism but through the LDAP back-end authentication.

Again, not from the WAN interface but from a private least exposed firewall interface.

Tutorials and FAQs / Re: SNMP - Basic Config

« on: February 14, 2019, 01:05:22 pm »

Simple log stating a permit from the OpenNMS system to the firewall interface IP address.

Are there any other logs i can check?

Tutorials and FAQs / Re: SNMP - Basic Config

« on: February 11, 2019, 09:58:56 am »

I saw that the interface/IP is listening to UDP port 161 and the loopback.
Output below:
root snmpd 33879 8 udp4 192.168.121.161:161 *:*
root snmpd 33879 9 udp4 127.0.0.1:161 *:*

In addition, firewall rules permit all traffic to the firewall from the source IP to all interfaces.
I can see the respective log in the live view.

A SNMP version 2c to the firewall returns a "Timeout: No response from 192.168.121.161"
A SNMP version 3 to the firewall returns a "snmpwal: Timeout"

We had the same issue with pfSense that was the main reason we replaced them with opnsense.

Any other suggested steps?

Greek - Ελληνικά / Re: Ελληνες χρηστες του OPNsense εδω?

« on: February 11, 2019, 09:51:21 am »

Καλησπέρα.

Εμεις το χρησημοποιούμε εδω και μερικές εβδομάδες και σχετικά μια χαρά ως τώρα.

Πώς είναι η δικιά σου εμπειρία?

Tutorials and FAQs / Re: SNMP - Basic Config

« on: February 08, 2019, 02:19:46 pm »

Hi Mimugmail

I downgraded to SNMP v 2c and i can SNMPWALL the firewall through the loopback IP 127.0.0.1.

However, when trying the same with the interface IP, even though it is listed as a service IP within the net-snmp I get a time-out.

The logs are a bit strange since while doing the SNMPWALK locally on the device I get an IPSEC ACL permit match log.

Through the NMS i still get the log of permitting the traffic but with no response, hence the timeout again.

Tutorials and FAQs / SNMP - Basic Config

« on: February 06, 2019, 06:03:28 pm »

Hi All

We just deployed our Data Center firewalls with two OPNSense VM firewalls.
The selection was between VyOS and PFSense.

Each one had its pros and cons.

One major issue that we face is that we cannot integrate the OPNSense firewall cluster to the SNMP monitoring service.

The firewall rules have been created and the flow is depicted as allowed in the firewall policies.

The NET-SNMP plugin has been configured with all needed information and the respective listening IP addresses, MGMT IP and loopback.

The service is reported as active in the service summary.

However, all SNMPWALK attempts fail with a time-out since no response is returned.
The same thing happens from within the OPNSense terminal.
"
snmpwalk -v 3 -u [SNMPv3USER] -a SHA -A [SNMPv3AUTHKEY] -x AES -X [SNMPv3PRIVKEY] 127.0.0.1
"

Are we missing something?

All feedback will be greatly appreciated.

Thank you
Best Regards
Konstantinos

Pages: [1]