Messages

1

23.7 Legacy Series / Re: Unbound crashing

« on: December 21, 2023, 08:51:04 am »

On my master/slave opnsense setup with a configuration synchronisation per minute (cron command: HA update and reconfigure backup) I've tried to debug further:

Do not do this.
Each config sync will restart the services on the slave firewalls, e.g. an ntp service will never finish its synchronisation and so on.
This will cause more trouble than it is worth.
Increase the interval to at least one hour.

2

Web Proxy Filtering and Caching / [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL

« on: September 25, 2020, 09:02:42 pm »

reserved for Web application firewall configuration

3

Web Proxy Filtering and Caching / [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL

« on: September 25, 2020, 09:02:11 pm »

Hello everyone,

as some of you requested this, I will write down, how I configured my Nginx, as a simple reverse Proxy (including HTTPS with letsencrypt, and Web Application Firewall enabled).


Step 1: Installation
You need to install the nginx and lets-encrypt plugins.

After that, configure you’re letsencrypt so that you get a valid SSL certificate for your service.
You need to use DNS-01 validation method, because nginx will use the port 80, and the lets-encrypt plugin is not able to use the modify the Nginx configuration for a successful validation.
When youre done, you can continue to Step 2.
(You can also use official paid certificates, if you have one, you need to import the CA, Cert and Key unter System → Trust)


Step 2: Configure Nginx

You need to be sure, that your OPNsense is not using port 80 or 443.
So you need to change the default port of your OPNsense webgui.
This can be done under “System → Settings → Administration”.
You also need to disable the HTTP Redirect.
Restart your firewall when done.

From now on, all steps are meant to configure under Services →Nginx → Configuration

2.1 Configure the upstream server

First of all, you need to configure your upstream server, this is the real server, where your web application runs on.
This could be any host on your LAN, DMZ or whatever.

To do so, navigate to Upstream → Upstream Server and click on the + in the right bottom corner.
Now enter a description, IP and port (80 – HTTP in most cases).
Use 1 as Server priority.

2.2 Configure the upstream
Next you need to configure the upstream, where you link your created upstream server.
You need to do that, because you could also configure multiple servers, for the same upstream for load balancing.
So what we configure, is a “load balancer” with just one host.

Therefore navigate to Upstream → Upstream and create one.
Chose a description, and link the upstream server you just created.
As load balancing algorithm, use weighted round robin.
Leave the rest as it is, if you don’t use HTTPS directly on your upstream server.


2.3 Configure the Location
As the next step, you need to configure the Location (URL) of your web application.
Navigate to HTTP(S) → Location and click on Add.
As URL Pattern, just use slash (/) and match type none.
URL rewriting should be nothing.
Define the Upstream server you created before and leave the rest as it is for now.

Later, you can configure the Web Application Firewall rule here.


2.4 Configure HTTP Server
The last step, to bring your web application online, is to configure the HTTP Server.
Navigate to HTTP(s) → HTTP Server and click on Add.
This should match your need in most cases:

HTTP Listen Port: 80
HTTPS Listen Port: 443
Server Name: The URL your applications listens to (for example: cloud.domain.com)
Locations: the location created in step 2.3
URL Rewriting: Nothing selected
TLS Certificate: The issued Lets-Encrypt or imported certificate for this host

Leave the rest as it is for now.

2.5 Apply changes
When your done, click on General Settings and then on Apply
Your nginx should now be ready to server your web application.
Be sure to have correct firewall rules (from wan to this device, port 80 & 443)


This tutorial is not finished yet, i will explain some steps more detailed and attach some screenshots the next days.
Hope this is helpful :-)

4

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: August 03, 2020, 12:02:57 pm »

So, 20.7 was released a couple of days ago ... and the base is finally bsd 12.1

i will start work again on this in next days or weeks, as soon as i have enough time for this.

i will answer all you questions than, because its not everything in my head right now 

As soon i got a stable way to compile for rpi3 and maybe other devices, i will create a pull request to the official git repo.
Afterwards, everyone should be able to compile there own images from official source.

5

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: July 20, 2020, 11:59:44 am »

Thank you :-)

6

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: July 16, 2020, 10:41:48 pm »

First of all, a big thanks for the work you made here Rene, i ve been pleased to read all that 👍👍
I just put my hand on a pi 4 and i m following the fresh update of openbsd and freebsd on it as they both work now!!! with usb support.
Rene i believed i could make my own image too but after reading your long and hard path i m not so enthousiast at all!!!

Thank you :-)

I saw you was on new project and probably dont have no more so much time for that but could you just try to build a pi 4 image for all of us pleaaaaaase??? Or at least the way the build one now that you resolved the multiple problems you got to build a working one for pi 3...

Yea, more or less, but i am on it.
The current problem is, that freebsd on its own is still not supported for freebsd.
You can track that here -> https://wiki.freebsd.org/arm/Raspberry%20Pi
As soon theres progress, i will start porting opnsense to the pi4, just because i'm interessted at the GBit port performance with opnsense on it 

Sorry for the noobish question

What image you guys used with the Pi. I have a Pi3B+ and I have downloaded the latest nightly image.
The USB adapter seems to be recognized fine however the internal Ethernet  is missing.

What Am I missing. In the initial setup I'm being presented only with 1 interface which is the USB

Thank you

Try the setup walkthrough without any usb adapter, configure the adapter afterwards.


All the best out there,
René

7

Web Proxy Filtering and Caching / Re: NGINX Reverse Proxy - Upload performance [Nextcloud]

« on: July 16, 2020, 10:34:16 pm »

Sorry, didnt looked here for a while.

I will post everything tomorrow :-)

8

Web Proxy Filtering and Caching / Re: NGINX Reverse Proxy - Upload performance [Nextcloud]

« on: March 16, 2020, 12:05:27 pm »

Update:

i disabled Response/Request Buffering in the Location, now i have continuously 10MBit traffic load on the cloud vm.


By the way, its a gigabit network, iperf test was around 890MBit in both directions

9

Web Proxy Filtering and Caching / NGINX Reverse Proxy - Upload performance [Nextcloud]

« on: March 16, 2020, 11:48:17 am »

Hello everyone,

i am currently trying to setup a nextcloud behind the Nginx reverse proxy of opnsense.

So far so good, i set everything up, the rewrites are working, SSL is working, and i can access the cloud from lan and wan.

But when i upload a file to my cloud, its not faster then about 1MB/s (over lan).

On the cloud vm i can see, that there is no continuously incoming traffic (from the firewall), mor there are peaks at about 90mbit/s ever 2-3 seconds.

What could that be?

Already tried allot of settings in the nginx configs.

Currenlty enabled http2 on both sides, and sendfile in the nginx global settings and the vhost.

Kind regards,
René

10

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: December 04, 2019, 09:08:54 pm »

I am currently very busy, i will have a look over the christmas holidays

Greets,
René

11

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: November 24, 2019, 07:16:49 pm »

Hi,

just to be sure, have you tried rebooting it, with plugged in usb lan adapter?

Greets,
René

12

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: November 18, 2019, 03:15:05 pm »

Hi Dirk,

i already noticed that, and described it here: https://github.com/opnsense/core/issues/3818

i have no idea how to fix that currently 

i use a case with a small fan builtin + heat sink, the raspberry is running smoothly on  about 37°C


Greets,
René

13

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: November 15, 2019, 04:05:32 pm »

First off thanks very much for doing this and sharing it with the world. I got the image up and running on my RPi 3 Model B and can see that it is just like the OPNSense instances I have run elsewhere. (I have only recently started labbing with pfSense and OPNSense)

Your welcome 

When I have tried to connect a second one of these it recognises the device but then the system appears to reboot (when watched from the console it just goes blank and then the boot sequence starts). Unfortunately I don't have any other USB NICs to test with. Just thought I would share my experience.

Can you find anythin in the logs after the reboot?

is it the latest run driver ? Also, is it possible you add urtw and urtwn drivers  ? It seems their are missing, as kldload urtw and kldload urtwn return "not found" error.
Xtools says it is possible to compile kernel only,but how to install it after on rpi3b+ ?

Yes, its the latest run driver.

A first try to build the kernel with urtwn enabled failed, i will look closer in the next days.

To build your own image you need a working build environment, explained here: https://github.com/opnsense/tools

The purpose of the minimum 3GB policy is that you have the added benefit of being able to perform upgrades between major versions or even difficult minor version updates. 2GB can and will fail in this regard.

Thanks for the hint, will change that in further builds.

(But the images a build, will anyways resize the root partition on first boot  )

Greets,
René

14

Hardware and Performance / Re: [Work In Progress] OPNsense Ported into ARM Devices

« on: November 14, 2019, 06:43:33 pm »

This could be interesting 

15

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: November 12, 2019, 08:44:32 am »

Good morning Dirk,

thanks a lot for the tests, i am glad that everything seems to work so far, hopefully my wlan adapters will arrive today

In the meanwhile i uploaded a new image, and the following stuff changed:

• the image to be written onto the sd card has now only 2GB
• the root filesystem is now automatically resized on first boot
• the package set is updated to the latest source
• source is now fully migrated to freebsd 12.1 stable

All the best,
René