Messages - rickeyw

#1
Good morning Everyone,
I have an MS 2016 Server in my LAN, and two CentOS 7 web servers in the DMZ, both identically configured and with a very simple test web page showing some identification. Both web pages are accessible from the LAN's server, and for testing purposes I intentionally configured what is shown in the browser to be different: the one with IP 192.168.125.200 shows _2 at its end, and the one with 192.168.125.204 shows _1. Both web pages, accessed by their IP addresses, show what is expected.
I did the simplest possible configuration of HA-Proxy in my OPNsense firewall, and attached the screenshots of it. When I try to access the DMZ interface on the firewall, 192.168.125.254:8080, from the LAN, it shows the first web page; when I refresh, I expect to see the other one (I am using Round-Robin), but it doesn't. I tried to configure the "public service" in HA-Proxy with 127.0.0.1:8080, and then with 0.0.0.0:8080 too, and then it doesn't show anything in the browser.
To be sure all is done properly, I temporarily installed a third web server in the DMZ, installed and configured HA-Proxy on it (basically the same settings as with the OPNsense one), and there was no problem to round-robin through the back-end web servers as expected.
Could you please help me resolve the issue with HA-Proxy on OPNsense? I feel that I am maybe doing something wrong with the "public service" setup.
Thanks, and Best,
rickey
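The round-robin setup described in the post above, written out as a plain haproxy.cfg (an added example, not the poster's OPNsense configuration or screenshots). It uses the DMZ firewall address and the two backend IPs from the post; the section names, timeouts and the health check are assumptions.

```haproxy
global
    log /dev/log local0
    maxconn 1024

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# "Public service": bind on the DMZ address the LAN clients reach,
# rather than 0.0.0.0, so the listener is not exposed on every interface.
frontend web_in
    bind 192.168.125.254:8080
    default_backend web_pool

backend web_pool
    balance roundrobin
    # HTTP health check (assumed path) so a down backend leaves the rotation
    option httpchk GET /
    # No cookie or stick-table: successive requests alternate _1 and _2
    server web1 192.168.125.204:80 check
    server web2 192.168.125.200:80 check
```

If refreshes still land on the same backend, check that the browser is not serving the page from its cache and that no persistence (cookie or stick-table) is enabled on the backend. The firewall rule on the DMZ interface must also allow LAN traffic to port 8080 of the bind address.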
#2
Thank you very much @hbc !
Let me do as advised, and I will revert to you tomorrow.
Best,
rick
#3
Sorry for this @hbc  ;D
The 256 KB file size limit does it. If you are on Windows, you can right-click on it and choose "Edit", and when "Paint" opens it, "Resize", "Pixels", and anything bigger than 1500 in "Horizontal" will make it pretty again.
Basically, I used the attached one.
In the link you sent me, do I need to open the "Server" ones?
Best,
rick
#4
Good morning Everyone,
I couldn't find a similar one to the topic I am starting, so I apologize if it is a repetition.
I am trying to join an MS Win 10 machine in my DMZ to an AD server (MS Server 2016) in my LAN.
I did some research, and the ports listed in the attachment are the ones that are supposed to be open, but I think I am still missing something because I am still not able to join the domain.
Can you please give a hand with this issue?
Best,
rickey
#5
Hello Everyone,
I hope all is doing well!

Please, see the attached image for a small infrastructure with two firewalls.
There is an "external" firewall, fw1, and an "internal" one, fw2.

On fw1, the e1 interface is configured as opt1, and e0 as wan. There is also a lan interface on fw1 (lan1), but for simplicity it is not shown on the diagram.
The wan1 IP address on fw1's e0 is not the real one; it just implies that it is connected to the public net.
A range of 192.0.2.0/30 is used between fw1 and fw2.
On fw1's e1 interface, icmp, dns (tcp and udp), http, and https rules are configured, and a static route to 192.168.1.0/24 through 192.0.2.2 is set up too.

On fw2, the e0 interface is configured as wan, and e1 is configured as lan.
On fw2/e0 a static route to 1.1.1.0/24 through 192.168.1.1 is configured too.

From "Interfaces"-"Diagnostic"-"Ping" of fw2's wan (e0) I am able to ping google.com (the reply is OK from 8.8.8.8).
From "Interfaces"-"Diagnostic"-"Ping" of fw2's lan (e1) I am able to ping google.com, and 8.8.8.8 (the reply is OK from 127.0.0.1).

From pc1, when I try to ping google.com or 8.8.8.8, there is no reply (very strange, because dig google.com from the same pc1 works perfectly!). Could you give a hand with this, please? The OS is Pop!_OS, and ufw is stopped and disabled. No firewalld or iptables is present, and I asked the Pop!_OS community and they confirmed that nothing else should block ping by default. There are no proxies enabled on either firewall, or on pc1 ...
I have an additional question about the static route on fw2: will 0.0.0.0/0 as the destination network, instead of 1.1.1.0/24, work?

Thanks, and Regards,

rick
#6
So finally, the resolution happened to be as I thought.

In the initial case, the HOST-ONLY adapters from VirtualBox for the WAN of the FW and for Win 10 are configured with DHCP, and as mentioned there is no Default Gateway applied.
I simply stopped the DHCP in VirtualBox, and applied a static IP with Upstream_Gateway=ip_Win_10_PC on the WAN interface of the Firewall.
On the Win 10 PC, the same procedure with DG=ip_WAN_Firewall should be executed.
Important:
Created a Hybrid Outbound Rule on the DMZ interface:
Source-any/icmp,  Dest.-wan_address/icmp,  NAT-wan_address
Thank you for the resolution @eddys, and @franco !  -  https://forum.opnsense.org/index.php?topic=3050.msg9401#msg9401

Then the PING from the DMZ's web server goes to the Win 10 ("Internet") and back. If you use 192.0.2.0/24 for the static configuration of your WAN, you can re-check the "Block private..." and "Block bogon..." check boxes in the "Interfaces" section.

Isolated like this, I can install the PentestBox tools into Win 10, and I can do all types of web attacks onto the DMZ, including the reverse shell.
Another possible use could be the creation of authoritative and caching BIND DNS in the "Internet" zone, so that split horizon between WAN and LAN can be tried. I will keep you posted.

Best,

rickey
#7
Hello again Everyone,

Here is some update:

I noticed something strange:
I have changed the FW's WAN adapter, and the one on Win 10, from HOST-ONLY to NATNetwork.
In VirtualBox, NATNetwork provides an IP via internal DHCP (same as with HOST-ONLY) but also has a Default Gateway and DNS assigned, so you are able to reach the Internet from the Virtual PC.
As soon as I did this, I was able to ping the new IP of Win 10 from the DMZ, but now I cannot access my web page in the DMZ from Win 10 ...

Here's how my FW rules look at the moment:
DMZ - Source, In:
1. ipv4, icmp - allows ping from DMZ-to-WAN
2. ipv4, tcp/udp, dns - allows name resolution from DMZ-to-WAN
3. ipv4, tcp, 80/443 - allows web access from DMZ-to-WAN
WAN:
4. Destination - DMZ_ip_as alias:80 - automatically generated rule
5. Source, In - ipv4, icmp - needed with the HOST-ONLY VirtualBox adapter so as to be able to ping from Win 10 to the WAN interface of the FW

Here's how the NAT is configured:
Port- Forwarding:
6. wan/tcp,  source-any/any,  dest.-wan_address/8888,  nat-alias_for_dmz_address/80  -  wan-to-dmz access of the web server

I think there is a need for a Default Gateway in the WAN part of the lab ...

Any suggestions ?

Best,

rickey
#8
Hello Everyone,
I hope all is OK with you, and you are healthy, and safe !
In VirtualBox I created an OPNsense firewall with LAN and DMZ, both using Host-Only adapters (so as to be able to remote (SSH) from my Host PC into LAN and DMZ easily). My WAN has a Bridged adapter and accepts its IP address from my home network's DHCP. The VirtualBox DHCPs on LAN and DMZ are stopped and are configured on the Firewall instead, so any dynamically configured client PC takes an IP address automatically. I also have a small web server with a simple test page in the DMZ. After adding PAT:8888 and rules for ICMP, :53, :80, and :443 on the Firewall, I am able to access the web page on the DMZ's web server from my Host via http://WAN:8888, and to access and ping Internet web pages from the DMZ.
I needed to isolate my WAN more, so I changed the VirtualBox WAN interface from Bridged to a Host-Only adapter too, but for it I left the VirtualBox DHCP server active (it doesn't provide a Default Gateway or DNS). I changed all the other Firewall settings accordingly. I started an MS Win 10 Virtual PC with the same Host-Only interface as the WAN, and I am still able to access the web page in the DMZ from it via http://WAN:8888 (with the new WAN address, of course). I am able to ping the WAN IP from the DMZ, but I am not able to ping the IP of the Win 10 PC from the DMZ (its firewall is stopped).
Could you give some hand with what might be the issue here, please?
Thanks, and Best,
rickey
#9
the other one...
#10
Quote from: rickeyw on February 10, 2020, 12:22:35 AM
Quote from: chemlud on February 07, 2020, 12:30:34 PM
Quote from: rickeyw on February 07, 2020, 11:28:54 AM
Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use   ;)

Is there a browser plugin or alike? Would be nice for the forum...

It comes with a web interface too, which is still in development.
See the attached.
Best,

P.S.

Here are two more finished ones "in action" :)

Best,
#11
Quote from: chemlud on February 07, 2020, 12:30:34 PM
Quote from: rickeyw on February 07, 2020, 11:28:54 AM
Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use   ;)

Is there a browser plugin or alike? Would be nice for the forum...

It comes with a web interface too, which is still in development.
See the attached.
Best,
#12
Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use   ;)
#13
Hello Everyone!

I am doing a small home project with a second LAN protected by a second, internal firewall (# 2).
The DMZ will be used for a "honey-pot/net".
There will also be a "Management VLAN" working within the networks and having no Internet.
The DNS resolution is done by a couple of caching DNSes installed as bind at a cloud provider. All the local resolvers forward the DNS requests to the cloud ones. There are ACLs applied there so only designated IP addresses are allowed to query. This part is already finished and works fine with the vpn, proxy, tor, pihole, etc.

1. The major question is how to configure the interfaces and the network between the two firewalls?
I read part of the book about OPNsense, and the author was using 192.0.2.0/24 (reserved for documentation) for the labs. Most similar configurations I have seen up to now indeed use DMZ ports and public IP addresses between the firewalls.
I am not really sure that I need to use the above range, or how to configure interface "e2" on "opnsense1": as "second wan" or "second lan"? The same applies to "GigabitEthernet0\0" on "opnsense2".
How to configure the Rules, Routing, and NAT afterwards on both firewalls so that the "internal" firewall has the Internet "passed thru", and basically just that (some DNS too)?
For inter-subnet communication that cannot be avoided, I will use vpn.

2. Overall I am also not really sure how the concept of a "second LAN" works on OPNsense, so that it acts like the "initially installed LAN". Do I create it and then just copy the same pre-installed rules as in the original one? Is there a "shortcut" way to do it?

3. If so, and if I go a little bit further, how do I configure an additional "management network" that is supposed to be "blind" to the Internet and "works" with all crucial devices on all networks (it will be the only interface to access the web interfaces of the firewalls too)? My guess is just to create "additional LAN" interfaces on the firewalls and remove all rules but the anti-lockout one.
The rest is easy: just create the same vlan on all switches, connect all needed devices through their designated "management ports", and it is done.

Please tell me what you think from an overall perspective, and how to resolve the particular questions, if you think the "general plan" is basically ok :)

The Schema is attached.

Thank you very much for your kind help!

Best Regards,

Rick