1
21.1 Legacy Series / Re: Dns load balancing
« on: January 28, 2021, 09:28:17 am »
Ok, thanks for your feedback @Wirehead
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
21.1 Legacy Series / Re: Dns load balancing
« on: January 27, 2021, 10:16:45 am »
Hi,
That's my main problem also !
I have 3 swarm managers, so any traffic must be load balanced between those 3 managers.
So, for each service exposed on the swarm, I have:
- a dns entrie to resolve the service (ie: wordpress.local.domain), which points to a HAproxy
- on the HAproxy, for each service:
- a public front (ie: 443)
- a rule (ie: wordpress.local.domain)
- a backend (ie: wordpress) which contains 3 "real" servers: the 3 swarm managers + the port of wordpress in the swarm
This is not my favorite solution, and that why I'm asking about a DNS load-balancing service:
- a dns entrie for wordpress.local.domain, and 3 possibilities to resolve: the 3 swarm managers's IP
Goldorak92
That's my main problem also !
I have 3 swarm managers, so any traffic must be load balanced between those 3 managers.
So, for each service exposed on the swarm, I have:
- a dns entrie to resolve the service (ie: wordpress.local.domain), which points to a HAproxy
- on the HAproxy, for each service:
- a public front (ie: 443)
- a rule (ie: wordpress.local.domain)
- a backend (ie: wordpress) which contains 3 "real" servers: the 3 swarm managers + the port of wordpress in the swarm
This is not my favorite solution, and that why I'm asking about a DNS load-balancing service:
- a dns entrie for wordpress.local.domain, and 3 possibilities to resolve: the 3 swarm managers's IP
Goldorak92
3
21.1 Legacy Series / Dns load balancing
« on: January 16, 2021, 08:26:02 pm »
Hi everyone,
I have a little question... I'm using unbound dns and Haproxy for all my stuff.
I'm publishing services on a swarm cluster.
Some services are available through Haproxy, but I'm thinking about a dns load balancing service: not publishing the service trough haproxy public service (front public port de number), but through a dns load balancing service which is able to serve all ports...
Is there a service/plugin for that on Opnsense?
Regards,
Goldorak92
I have a little question... I'm using unbound dns and Haproxy for all my stuff.
I'm publishing services on a swarm cluster.
Some services are available through Haproxy, but I'm thinking about a dns load balancing service: not publishing the service trough haproxy public service (front public port de number), but through a dns load balancing service which is able to serve all ports...
Is there a service/plugin for that on Opnsense?
Regards,
Goldorak92
4
20.7 Legacy Series / Re: [SOLVED] GEOIP blocking no longer working 20.7
« on: September 11, 2020, 05:42:01 pm »
Hi @joseoliveirapt,
As said in other threads, you just have to go to firewall=>settings=>advanced, and modify the max entries in firewall table up to 400.000 (default is 200.000), and save again your geoip aliases to apply.
Goldorak92
As said in other threads, you just have to go to firewall=>settings=>advanced, and modify the max entries in firewall table up to 400.000 (default is 200.000), and save again your geoip aliases to apply.
Goldorak92
5
20.7 Legacy Series / Re: Current list of bugs/issues I've encountered in 20.7
« on: August 18, 2020, 04:28:11 pm »
Ok cool, glad that fixed it
(and this is thanks to @Julien who detailled it in https://forum.opnsense.org/index.php?topic=18628.0)
Goldorak92
(and this is thanks to @Julien who detailled it in https://forum.opnsense.org/index.php?topic=18628.0)
Goldorak92
6
20.7 Legacy Series / Re: Current list of bugs/issues I've encountered in 20.7
« on: August 18, 2020, 04:01:55 pm »
@FullyBorked,
Not "max firewall states", which is 806000, but "max pfTables entries"...
Goldorak92
Not "max firewall states", which is 806000, but "max pfTables entries"...
Goldorak92
7
20.7 Legacy Series / Re: Current list of bugs/issues I've encountered in 20.7
« on: August 18, 2020, 03:03:27 pm »
Hi,
Have you went to firewall->params and change the max entries pfTables up to 400.000 (default is 200.000)?
Goldorak92
Have you went to firewall->params and change the max entries pfTables up to 400.000 (default is 200.000)?
Goldorak92
8
20.7 Legacy Series / Re: [Unresolved] GeoIP
« on: August 07, 2020, 12:36:20 pm »
Hi Julien,
Topic title changed.
And no, IDS's not using the GeoIP alias...
Goldorak92
Topic title changed.
And no, IDS's not using the GeoIP alias...
Goldorak92
9
20.7 Legacy Series / Re: [SOLVED] GeoIP
« on: August 06, 2020, 08:57:45 pm »
Hi,
I went a little further....
Looking in files corresponding to my GeoIp alias in /var/db/aliastables:
When I go to "Firewall => Diagnotics => pfTables" for the same alias, it's showing "only" 19048 entries...
When additionning lines of files in " /usr/local/share/GeoIP/alias/" for checked countries in my alias defintion, result is 59862....
When I use the "Find references" button in pfTables, if I search an IP in the first 19048 entries, process find the entry. If I search an entrie between 19048 and the end of the alias file, process doesn't find the entry.
It seems that writing the alias is well done from countries's files, but the load "in pfTables" doesn't go at the end...
Goldorak92
I went a little further....
Looking in files corresponding to my GeoIp alias in /var/db/aliastables:
Code: [Select]
:/var/db/aliastables # nl GeoIPWanAllow.txt
...
...
59858 99.78.160.0/21
59859 99.78.168.0/23
59860 99.82.161.0/24
59861 99.82.163.0/24
59862 99.82.169.0/24
When I go to "Firewall => Diagnotics => pfTables" for the same alias, it's showing "only" 19048 entries...
When additionning lines of files in " /usr/local/share/GeoIP/alias/" for checked countries in my alias defintion, result is 59862....
When I use the "Find references" button in pfTables, if I search an IP in the first 19048 entries, process find the entry. If I search an entrie between 19048 and the end of the alias file, process doesn't find the entry.
It seems that writing the alias is well done from countries's files, but the load "in pfTables" doesn't go at the end...
Goldorak92
10
20.7 Legacy Series / Re: [SOLVED] GeoIP
« on: August 04, 2020, 07:26:03 pm »
@FullyBorked
I had to add an IP in the pfTables menu, then go back to alias, empty selection and save, go back in alias, add one country, save, go back to pfTables to verify,... And so on to add 2 to 4 countries....
Goldorak92
I had to add an IP in the pfTables menu, then go back to alias, empty selection and save, go back in alias, add one country, save, go back to pfTables to verify,... And so on to add 2 to 4 countries....
Goldorak92
11
20.7 Legacy Series / Re: [SOLVED] GeoIP
« on: August 04, 2020, 07:04:18 pm »
@FullyBorked,
You just have to go in the menu "firewall => Diagnostics => pfTables", and select your alias in the drop menu to see if the alias is populated.
Goldorak92
You just have to go in the menu "firewall => Diagnostics => pfTables", and select your alias in the drop menu to see if the alias is populated.
Goldorak92
12
20.7 Legacy Series / Re: GeoIP - Any change ? Help needed
« on: August 04, 2020, 01:30:45 pm »
Hi,
I did a new test: went in pfTables, listed entries for the GeoIp alias = empty.
Added the range off my public IP by "Quick add address", GeoIp alias got one entry
And the rule is evaluated and packets pass...
Ok, got it.... next...
Then went in alias, add a new country, save and apply
Back in pfTables and..... the alias is fully populated (with all countries's ranges).
The first rules (with GeoIp alias) is now fully evaluated.
Edit:
Seems that there was a problem with writing in alias's file before I forced that via pfTables.
Just tried to add more countries and.... it breaks the alias (no more populated).
I tested to add country by country, and the amount off entries growed too 19048 and no more, even if adding more countries.
I'm going to test that more
If it can help someone
Cheers,
Goldorak92
I did a new test: went in pfTables, listed entries for the GeoIp alias = empty.
Added the range off my public IP by "Quick add address", GeoIp alias got one entry
And the rule is evaluated and packets pass...
Ok, got it.... next...
Then went in alias, add a new country, save and apply
Back in pfTables and..... the alias is fully populated (with all countries's ranges).
The first rules (with GeoIp alias) is now fully evaluated.
Edit:
Just tried to add more countries and.... it breaks the alias (no more populated).
I tested to add country by country, and the amount off entries growed too 19048 and no more, even if adding more countries.
I'm going to test that more
If it can help someone
Cheers,
Goldorak92
13
20.7 Legacy Series / Re: GeoIP - Any change ? Help needed
« on: August 03, 2020, 06:18:42 pm »
Hi @FullyBorked,
The date of the last "update" is relating to the last date of files on Maxmind's website, with is the 28th for GeoLite2 Country file: "Updated: 2020-07-28 "
To see the update / integration, you can go to "systeme / Logs / General" and apply filter "Geo" :
Goldorak92
The date of the last "update" is relating to the last date of files on Maxmind's website, with is the 28th for GeoLite2 Country file: "Updated: 2020-07-28 "
To see the update / integration, you can go to "systeme / Logs / General" and apply filter "Geo" :
Code: [Select]
2020-08-03T17:27:25 /update_tables.py[76199]: geoip updated (files: 499 lines: 402405)Last integration today for me, but still not working... Goldorak92
14
20.7 Legacy Series / [Unresolved] GeoIP
« on: August 03, 2020, 03:27:45 pm »
Hi everyone,
I've just upgraded my firewall to 20.7, and I'm experimenting a change in the GeoIP's functionalities.
I have a GeoIP-alias with 4 countries: BE-FR-DE-UK
I have a wan rule, just after the "automatically generated rules":
- source: GeoIP alias ; port: *, proto: IPv4 TCP/UDP
- destination: this firewall
Before the upgrade, this rule was working as expected.
Since the upgrade, the rule seems not to be applied, packets are dropped by the default deny rule.
Here is a test, from an ip in 37.164.0.0/14:
- with source=GeoIP alias, packets dropped by defaut deny rule
- changing source from GeoIP alias by the public ip of the device, packets allowed by the rule
I had a look in the alias GeoIP settings:
- last update: 2020-07-28T16:43:02
- Total number of ranges: 402405
Just to be sure, I had a look in /usr/local/share/GeoIP/alias, in FR-IPv4, the range of the device is present:
37.164.0.0/14
Edit: I went in pfTables, and the alias is not populated.
BTW, the corresponding file in /var/db/aliastables is populated...
Is this normal?
Any advice ?
Thanks,
Goldorak92
I've just upgraded my firewall to 20.7, and I'm experimenting a change in the GeoIP's functionalities.
I have a GeoIP-alias with 4 countries: BE-FR-DE-UK
I have a wan rule, just after the "automatically generated rules":
- source: GeoIP alias ; port: *, proto: IPv4 TCP/UDP
- destination: this firewall
Before the upgrade, this rule was working as expected.
Since the upgrade, the rule seems not to be applied, packets are dropped by the default deny rule.
Here is a test, from an ip in 37.164.0.0/14:
- with source=GeoIP alias, packets dropped by defaut deny rule
Code: [Select]
WAN Aug 3 15:09:58 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
WAN Aug 3 15:09:58 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
WAN Aug 3 15:09:54 37.164.x.y:z 8.x.y.z:w tcp Default deny rule- changing source from GeoIP alias by the public ip of the device, packets allowed by the rule
Code: [Select]
WAN Aug 3 15:11:26 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
WAN Aug 3 15:11:26 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
WAN Aug 3 15:11:25 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_InI had a look in the alias GeoIP settings:
- last update: 2020-07-28T16:43:02
- Total number of ranges: 402405
Just to be sure, I had a look in /usr/local/share/GeoIP/alias, in FR-IPv4, the range of the device is present:
37.164.0.0/14
Edit: I went in pfTables, and the alias is not populated.
BTW, the corresponding file in /var/db/aliastables is populated...
Is this normal?
Any advice ?
Thanks,
Goldorak92
15
20.7 Legacy Series / Re: [SOLVED] GEOIP blocking no longer working 20.7
« on: August 02, 2020, 10:05:52 pm »
Hi,
Same here, a GeoIp rule which was working before the 20.7 upgrade seems to change the drop actions.
I have a negate GeoIp rule (ie: "invert" + alias="my country" => drop) and even if I re-save the GeoIp alias, packets are dropped.
If I change the rule with a "allow" action, it works, but I can't see if other countries are dropped from this rule.
G.
Same here, a GeoIp rule which was working before the 20.7 upgrade seems to change the drop actions.
I have a negate GeoIp rule (ie: "invert" + alias="my country" => drop) and even if I re-save the GeoIp alias, packets are dropped.
If I change the rule with a "allow" action, it works, but I can't see if other countries are dropped from this rule.
G.
Pages: [1] 2