Messages - wolfpack

#1
19.1 Legacy Series / Re: Site to Site VPN
May 25, 2019, 09:28:30 AM
I didn't try that. I figured IPSec would be harder than ZeroTier. If I couldn't get ZT or OpenVPN working I didn't think my chances with IPSec would be any better.
#2
19.1 Legacy Series / Site to Site VPN
May 24, 2019, 08:49:08 PM
I'm having difficulty with this. I've spent days searching online and following different guides, but haven't been able to complete this yet. I've tried using OpenVPN using the guide on the OPNsense site, and I've tried using ZeroTier using several online guides.

As for where I'm going wrong - I don't know. The problem is the connection fails.

Here's what I'm trying to do:
I have a remote OPNsense firewall with a static IP hosted in a datacenter
I have my home OPNsense firewall with a dynamic IP hosted at home

The home network is 192.168.0.0/24 and the remote network is 192.168.1.0/24

What I want to accomplish is to bind the two networks together so I can access any 192.168.1.0/24 network asset from any 192.168.0.0/24 network asset. And vice versa. Since my home network has a dynamic IP, I imagine I would have to set up the remote firewall as the VPN server and connect to it from my home firewall.

If it matters, I'm using the remote firewall as my Certificate Authority and that seems to be working fine, at least as far as providing any website server certificates. I have added the CA and Intermediate CA certificates to the home firewall. Again, not sure if this matters or not.

Anything I'm missing? It seems like it should be straightforward enough, but the implementation is anything but. At least, I would imagine this is a fairly common scenario?

So I guess my question is, what are the basic steps to set up an OPNsense VPN server from a static IP and connect to it from another OPNsense server and allow access between the two private networks managed by each?
#3
How would I redirect one port to another on a specific IP address through the firewall?

What I want is, if I go to IP 192.168.0.180:80 in my browser, from a machine on the local net, I will be transparently forwarded to 192.168.0.180:37780. That is, the firewall will sense an internal IP trying to connect to port 80 on 192.168.0.180, but route all traffic to 192.168.0.180:37780.

The anti-lockout rule is, I think, preventing this since it applies to all HTTP/HTTPS ports from any IP. If I could move my rule before the anti-lockout rule, it would handle this particular case, while the anti-lockout rule would apply in other instances.
#4
19.1 Legacy Series / Multiple Public IPs
April 18, 2019, 11:03:13 PM
I have 5 public IPs available from my host provider. OPNsense is running as a Proxmox VM. Proxmox uses one of the IPs; I would like to assign the other 4 IPs to my OPNsense router to route those IPs to various other Proxmox VMs, which will be connected via a separate Proxmox bridge.

Essentially, simulating a private/public network. I only have one gateway address given by the host provider.

It seems like this should be doable, but I can only assign a gateway to one network controller. Each external IP can be its own network as long as I can route it through the same OPNsense instance to any of the VMs on the 'private' network.

This would allow me to, for example, route domain1.com port 80 through IP#1, route domain2.com port 80 through IP#2 - maybe to the same internal webserver listening on a different port through port forwarding, etc.

I could set up 4 different instances of OPNsense, but I don't see a reason why this shouldn't be doable using a single instance.