Messages - CeeMac

#1
Ran through a test scenario again yesterday and sadly state killing didn't help with the larger issue of the default route.

Is anyone aware of any alternative methods of providing the upstream gateway that may be more 'dynamic', or ways of automatically deleting the default route when the WAN gateway is offline?

Sent from my ONEPLUS A5000 using Tapatalk

#2
Oh, I'll take a look at state killing though. Thanks.


#3
Hi,

Sorry I probably should have outlined my scenario but wanted to try and keep the question simple.

So, I have this firewall pair in site A. FRR advertises the default route into the core with metric 100 via BGP. I have a second firewall pair in site B; FRR advertises the default route into the core with metric 200 via BGP. When the WAN gateway fails on firewall pair A, I want the default route to stop getting advertised into the core so the backup route via the site B firewalls takes precedence.

For this to occur, the default route on firewall pair A must be removed from the kernel routing table when the gateway goes down. I thought gateway monitoring could do this but that doesn't seem to be the case?

Thanks

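One way to get the behaviour asked for in the post above, as an added example that is not part of the thread and not OPNsense or FRR code: a small watchdog that probes the WAN gateway and removes the default route from the kernel table after a run of failures, re-adding it after a run of successes. It assumes a FreeBSD/OPNsense host, that bgpd is configured with `redistribute kernel` (or `redistribute static`) so the kernel default route is what gets advertised into the core, and that withdrawing it from the kernel is enough for FRR to withdraw the BGP announcement. The gateway address, probe target, state-file path and thresholds are assumed values; the decision logic is kept in a pure function so it can be checked without touching the routing table.

```shell
#!/bin/sh
# wan_default_watch.sh: withdraw the kernel default route when the WAN
# gateway stops answering, restore it when it comes back.
# Added example, not from the thread or from OPNsense/FRR.
# Assumed values below; adjust for the site.
GW="${GW:-203.0.113.1}"                          # upstream WAN gateway (assumed)
PROBE_TARGET="${PROBE_TARGET:-$GW}"              # what to ping (assumed: the gateway)
STATE_FILE="${STATE_FILE:-/var/run/wan_default_watch.state}"  # assumed path
PING_COUNT=3
FAIL_THRESHOLD=3     # consecutive failed rounds before the route is withdrawn
RECOVER_THRESHOLD=2  # consecutive good rounds before it is restored (hysteresis)
INTERVAL=5           # seconds between rounds

# decide_action PREV_STATE FAILS OKS PROBE_OK
# Prints "ACTION FAILS OKS" where ACTION is delete, add or noop and the
# counters are the values to persist for the next round. Pure: no side effects.
decide_action() {
    prev="$1"; fails="$2"; oks="$3"; ok="$4"
    if [ "$ok" -eq 1 ]; then
        fails=0; oks=$((oks + 1))
        if [ "$prev" = "down" ] && [ "$oks" -ge "$RECOVER_THRESHOLD" ]; then
            echo "add 0 0"; return
        fi
        echo "noop $fails $oks"
    else
        oks=0; fails=$((fails + 1))
        if [ "$prev" = "up" ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            echo "delete 0 0"; return
        fi
        echo "noop $fails $oks"
    fi
}

# next_state PREV_STATE ACTION -> the state to record after ACTION is applied
next_state() {
    case "$2" in
        delete) echo down ;;
        add)    echo up ;;
        *)      echo "$1" ;;
    esac
}

# apply_action ACTION: the only place the routing table is touched.
# FreeBSD route(8) syntax; FRR (zebra) picks up the change from the kernel.
apply_action() {
    case "$1" in
        delete) route -q delete default && logger -t wan_default_watch "gateway $GW down, default route withdrawn" ;;
        add)    route -q add default "$GW" && logger -t wan_default_watch "gateway $GW up, default route restored" ;;
    esac
}

probe_ok() {
    # ping(8) on FreeBSD; returns 0 when at least one reply was received.
    if ping -c "$PING_COUNT" "$PROBE_TARGET" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

run_once() {
    state=up; fails=0; oks=0
    [ -r "$STATE_FILE" ] && read -r state fails oks < "$STATE_FILE"
    set -- $(decide_action "$state" "$fails" "$oks" "$(probe_ok)")
    action="$1"
    apply_action "$action"
    echo "$(next_state "$state" "$action") $2 $3" > "$STATE_FILE"
}

main() {
    while :; do
        run_once
        sleep "$INTERVAL"
    done
}

# Only loop when explicitly asked, so the functions can be sourced or tested.
if [ "${WAN_DEFAULT_WATCH_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as root with `WAN_DEFAULT_WATCH_RUN=1 sh wan_default_watch.sh &` (it needs root to change routes, so keep the script and its state file non-writable by other users). Two caveats: OPNsense's own gateway handling can re-install the default route on interface events or configuration reloads, so check after a reload that the route is still in the state the watchdog expects; and a static route with the gateway's address is only withdrawn by the kernel when the interface goes down, not when the gateway merely stops answering, which is why the probe is needed at all.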

#4
I'm not sure if I'm misunderstanding how gateway monitoring is supposed to work or if I'm missing some configuration. What I am trying to achieve is that when the WAN/upstream gateway is unreachable and goes offline, the default route should be removed from the kernel routing table.

Is that something that is achievable?

Thanks


#5
Nvm found it:

https://github.com/opnsense/plugins/issues/1703


#6
Sure, can you link me to the correct place?


#7
Hi,

I'm on 19.7.10 with the nginx plugin and have an issue with TLS decrypt/recrypt using http server -> location -> backend. The upstream server terminates TLS and performs SNI matching to route traffic into a Kubernetes cluster. The Ingress is not matching anything, and during debugging it was noticed that the 'Server Name Indicator' header was empty after the nginx plugin. Performing a curl directly to the upstream shows a complete SNI header.

Looking at the core nginx documentation I would need to set 'proxy_ssl_server_name = on' however there doesn't appear to be an equivalent setting in the plugin UI. Is this something that is planned to be added at all or is there a way I can customise the configuration to inject this value?

Thanks

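What the core nginx configuration looks like once the directive asked about above is in place, as an added example that is not part of the thread and not the OPNsense nginx plugin's generated config. The upstream address, server name and certificate paths are assumed values; the point is the `proxy_ssl_*` block in the location.

```nginx
# Added example (not from the thread or the OPNsense nginx plugin).
# Addresses, names and file paths are assumed.
upstream k8s_ingress {
    server 10.0.0.10:443;           # assumed: the Kubernetes ingress controller
}

server {
    listen 443 ssl;
    server_name app.example.net;    # assumed public name
    ssl_certificate     /usr/local/etc/nginx/app.crt;   # assumed path
    ssl_certificate_key /usr/local/etc/nginx/app.key;   # assumed path

    location / {
        proxy_pass https://k8s_ingress;

        # Send SNI on the re-encrypted upstream connection. The default is
        # off, so nginx opens the upstream TLS session with no server_name,
        # which is what the ingress in the thread saw.
        proxy_ssl_server_name on;

        # Name to put in SNI (and to verify the upstream certificate against).
        # The default is the host part of proxy_pass, here the upstream group
        # name "k8s_ingress", so set it to the requested hostname explicitly.
        proxy_ssl_name $host;

        # Recrypting without verification accepts any certificate from whatever
        # answers at 10.0.0.10; pin the CA that issued the ingress certificate.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/ingress-ca.pem;  # assumed path
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
    }
}
```

After changing the file, `nginx -t` checks the syntax, and `openssl s_client -connect 10.0.0.10:443 -servername app.example.net` against the ingress shows which certificate is returned for that SNI, which is what `proxy_ssl_trusted_certificate` must validate.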