Messages - Goldorak92

#1
21.1 Legacy Series / Re: Dns load balancing
January 28, 2021, 09:28:17 AM
Ok, thanks for your feedback @Wirehead
#2
21.1 Legacy Series / Re: Dns load balancing
January 27, 2021, 10:16:45 AM
Hi,

That's my main problem also!
I have 3 swarm managers, so any traffic must be load balanced between those 3 managers.
So, for each service exposed on the swarm, I have:
- a DNS entry to resolve the service (i.e. wordpress.local.domain), which points to a HAProxy
- on the HAproxy, for each service:
  - a public front (i.e. 443)
  - a rule (i.e. wordpress.local.domain)
  - a backend (i.e. wordpress) which contains 3 "real" servers: the 3 swarm managers + the port of wordpress in the swarm

This is not my favorite solution, and that's why I'm asking about a DNS load-balancing service:
- a DNS entry for wordpress.local.domain, and 3 possibilities to resolve: the 3 swarm managers' IPs

Goldorak92
#3
21.1 Legacy Series / Dns load balancing
January 16, 2021, 08:26:02 PM
Hi everyone,
I have a little question... I'm using Unbound DNS and HAProxy for all my stuff.
I'm publishing services on a swarm cluster.
Some services are available through HAProxy, but I'm thinking about a DNS load balancing service: not publishing the service through the HAProxy public service (front public port number), but through a DNS load balancing service which is able to serve all ports...
Is there a service/plugin for that on OPNsense?
Regards,
Goldorak92
#4
Hi @joseoliveirapt,

As said in other threads, you just have to go to firewall=>settings=>advanced, modify the max entries in firewall table up to 400.000 (default is 200.000), and save your GeoIP aliases again to apply.

Goldorak92
#5
Ok cool, glad that fixed it
(and this is thanks to @Julien who detailed it in https://forum.opnsense.org/index.php?topic=18628.0)

Goldorak92
#6
@FullyBorked,

Not "max firewall states", which is 806000, but "max pfTables entries"...

Goldorak92
#7
Hi,
Have you gone to firewall->params and changed the max pfTables entries up to 400.000 (default is 200.000)?

Goldorak92
#8
20.7 Legacy Series / Re: [Unresolved] GeoIP
August 07, 2020, 12:36:20 PM
Hi Julien,

Topic title changed.

And no, IDS is not using the GeoIP alias...

Goldorak92
#9
20.7 Legacy Series / Re: [SOLVED] GeoIP
August 06, 2020, 08:57:45 PM
Hi,

I went a little further....
Looking in the files corresponding to my GeoIP alias in /var/db/aliastables:
:/var/db/aliastables # nl GeoIPWanAllow.txt
...
...
59858  99.78.160.0/21
59859  99.78.168.0/23
59860  99.82.161.0/24
59861  99.82.163.0/24
59862  99.82.169.0/24


When I go to "Firewall => Diagnostics => pfTables" for the same alias, it's showing "only" 19048 entries...
When adding up the lines of the files in "/usr/local/share/GeoIP/alias/" for the countries checked in my alias definition, the result is 59862....

When I use the "Find references" button in pfTables, if I search an IP in the first 19048 entries, the process finds the entry. If I search an entry between 19048 and the end of the alias file, the process doesn't find the entry.

It seems that writing the alias from the countries' files is done well, but the load "in pfTables" doesn't go to the end...

Goldorak92
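A defender-side check for the symptom in this post and the fix in post #4 (alias file fully rendered, pf table only partly loaded, a pfTables entry limit shared by all tables), written here as an added example and not something the poster ran; the file layout and the pfctl commands in the comments are assumptions about the OPNsense paths the thread names, and the sample ranges and the "other tables" figure are constructed.

```shell
# Added example (not from the thread). Assumed layout, as named in the posts:
#   per-country range files  /usr/local/share/GeoIP/alias/<CC>-IPv4
#   rendered alias file      /var/db/aliastables/<ALIAS>.txt
# On a live box the loaded count would come from:  pfctl -t "$ALIAS" -T show | wc -l
# and the shared hard limit from:                    pfctl -sm   (table-entries)

# expected_entries DIR CC... : sum the lines of the selected country files
expected_entries() {
    dir=$1; shift
    total=0
    for cc in "$@"; do
        n=$(wc -l < "$dir/$cc-IPv4" | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# alias_status EXPECTED LOADED : classify what pf actually holds for the alias
alias_status() {
    if [ "$2" -eq "$1" ]; then echo ok
    elif [ "$2" -eq 0 ]; then echo not-populated
    else echo truncated
    fi
}

# needs_bigger_limit ALIAS_ENTRIES OTHER_TABLE_ENTRIES LIMIT
# The pfTables entry limit covers every table in pf at once, so an alias that is
# itself under the limit can still be cut short when the total is over it.
needs_bigger_limit() {
    [ $(( $1 + $2 )) -gt "$3" ]
}

# Constructed sample (not real GeoIP data): 37.164.0.0/14 is the FR range the
# thread mentions, the rest are RFC 5737 documentation prefixes.
demo_dir=$(mktemp -d)
printf '37.164.0.0/14\n192.0.2.0/24\n198.51.100.0/25\n' > "$demo_dir/FR-IPv4"
printf '198.51.100.128/25\n203.0.113.0/24\n' > "$demo_dir/BE-IPv4"
demo_expected=$(expected_entries "$demo_dir" FR BE)   # 5
rm -rf "$demo_dir"
echo "constructed alias: expected=$demo_expected loaded=3 -> $(alias_status "$demo_expected" 3)"
echo "thread numbers:    expected=59862 loaded=19048 -> $(alias_status 59862 19048)"
# 150000 entries in other tables is a constructed figure for the demonstration
if needs_bigger_limit 59862 150000 200000; then
    echo "raise 'max pfTables entries' (Firewall > Settings > Advanced), e.g. to 400000"
fi
```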
#10
20.7 Legacy Series / Re: [SOLVED] GeoIP
August 04, 2020, 07:26:03 PM
@FullyBorked
I had to add an IP in the pfTables menu, then go back to alias, empty selection and save, go back in alias, add one country, save, go back to pfTables to verify,... And so on to add 2 to 4 countries....

Goldorak92
#11
20.7 Legacy Series / Re: [SOLVED] GeoIP
August 04, 2020, 07:04:18 PM
@FullyBorked,

You just have to go in the menu "firewall => Diagnostics => pfTables", and select your alias in the drop-down menu to see if the alias is populated.

Goldorak92
#12
Hi,

I did a new test: went in pfTables, listed entries for the GeoIP alias = empty.
Added the range of my public IP by "Quick add address", GeoIP alias got one entry

And the rule is evaluated and packets pass...

Ok, got it.... next...

Then went in alias, add a new country, save and apply
Back in pfTables and..... the alias is fully populated (with all countries' ranges).

The first rule (with the GeoIP alias) is now fully evaluated.

Edit:
Seems that there was a problem with writing the alias file before I forced that via pfTables.
Just tried to add more countries and.... it breaks the alias (no more populated).
I tested adding country by country, and the number of entries grew to 19048 and no more, even when adding more countries.
I'm going to test that more

If it can help someone :)

Cheers,
Goldorak92
#13
Hi @FullyBorked,

The date of the last "update" relates to the last date of the files on Maxmind's website, which is the 28th for the GeoLite2 Country file: "Updated: 2020-07-28 "

To see the update / integration, you can go to "System / Logs / General" and apply the filter "Geo":
2020-08-03T17:27:25 /update_tables.py[76199]: geoip updated (files: 499 lines: 402405)
Last integration today for me, but still not working... :'(

Goldorak92
#14
20.7 Legacy Series / [Unresolved] GeoIP
August 03, 2020, 03:27:45 PM
Hi everyone,

I've just upgraded my firewall to 20.7, and I'm experiencing a change in the GeoIP functionalities.

I have a GeoIP-alias with 4 countries: BE-FR-DE-UK
I have a wan rule, just after the "automatically generated rules":
- source: GeoIP alias ; port: *, proto: IPv4 TCP/UDP
- destination: this firewall

Before the upgrade, this rule was working as expected.
Since the upgrade, the rule seems not to be applied, packets are dropped by the default deny rule.

Here is a test, from an IP in 37.164.0.0/14:
- with source=GeoIP alias, packets dropped by the default deny rule

WAN Aug 3 15:09:58 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
WAN Aug 3 15:09:58 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
WAN Aug 3 15:09:54 37.164.x.y:z 8.x.y.z:w tcp Default deny rule


- changing the source from the GeoIP alias to the public IP of the device, packets allowed by the rule

WAN Aug 3 15:11:26 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
WAN Aug 3 15:11:26 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
WAN Aug 3 15:11:25 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In


I had a look in the alias GeoIP settings:
- last update: 2020-07-28T16:43:02
- Total number of ranges: 402405

Just to be sure, I had a look in /usr/local/share/GeoIP/alias, in FR-IPv4, the range of the device is present:
37.164.0.0/14

Edit: I went in pfTables, and the alias is not populated.
BTW, the corresponding file in /var/db/aliastables is populated...

Is this normal?

Any advice ?
Thanks,
Goldorak92
#15
Hi,

Same here, a GeoIP rule which was working before the 20.7 upgrade seems to change the drop actions.
I have a negated GeoIP rule (i.e. "invert" + alias="my country" => drop) and even if I re-save the GeoIP alias, packets are dropped.
If I change the rule to an "allow" action, it works, but I can't see if other countries are dropped by this rule.

G.