Messages

1

23.7 Legacy Series / Re: Help with relayd plugin

« on: October 13, 2023, 03:29:32 am »

I just realized that this config crashes after a while I think because too many connections stay open. I saw that you can add

Code: [Select]

match response header set "Connection" value "close"

but that kills Websocket connections, so I tag those and then change the header value back. Final (for now ) version:

Code: [Select]

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
ext_addr = 0.0.0.0

log state changes
log connection

table <apu2> { 192.168.1.96 }
table <syno> { 192.168.1.12 }

http protocol "www" {
  match header log "Host"
  match header log "X-Forwarded-For"
  match header log "User-Agent"
  match header log "Referer"

  match url log

  match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

  tcp { nodelay, socket buffer 65536, backlog 100 }

  pass request quick header "Host" value "*.domain1" forward to <syno>
  pass request quick header "Host" value "*.domain2" forward to <apu2>

  return error

  block
}

http protocol "wwwtls" {
  match header log "Host"
  match header log "X-Forwarded-For"
  match header log "User-Agent"
  match header log "Referer"
  match url log

  match header set "X-Forwarded-For" value "$REMOTE_ADDR"
  match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match header set "Keep-Alive" value "$TIMEOUT"

  http websockets

  match request header "Connection" value "*Upgrade*" tag "ws"

  tls keypair domain1
  tls keypair domain2

  tcp { nodelay, socket buffer 65536, backlog 100 }

  match request header set "X-Forwarded-Proto" value "http"

  match response header set "Connection" value "close"
  match response tagged "ws" header set "Connection" value "keep-alive, Upgrade"

  pass request quick header "Host" value "*.domain1" forward to <syno>
  pass request quick header "Host" value "*.domain2" forward to <apu2>

  return error
  block
}

relay "www" {
  listen on $ext_addr port 80

  protocol "www"

  forward to <apu2> port 80 check tcp
  forward to <syno> port 180 check tcp
}

relay "wwwtls" {
  listen on $ext_addr port 443 tls

  protocol "wwwtls"

  forward to <apu2> port 80 check tcp
  forward to <syno> port 180 check tcp
}


2

23.7 Legacy Series / Help with relayd plugin

« on: October 13, 2023, 01:06:54 am »

I want to use relayd to forward requests based on domain to either box1 or box2 in my LAN. I tried using HAProxy in the past, but the configuration UI is confusing, so I was looking for alternatives and found relayd - and OPNSense has a plugin for it too, so I tried using it.

Alas, the UI this time is limiting, because I got relayd to work, but had to edit the /usr/local/etc/relayd.conf file by hand. How can I replicate the following config (that works and suits my use case perfectly) on the plugin's UI?

Code: [Select]

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
ext_addr = REDACTED

log state changes
log connection

table <apu2> { 192.168.1.96 }
table <syno> { 192.168.1.12 }

http protocol "www" {
    match header log "Host"
    match header log "X-Forwarded-For"
    match header log "User-Agent"
    match header log "Referer"
   
    match url log
   
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
   
    tcp { nodelay, socket buffer 65536, backlog 100 }

    http websockets

    pass request quick header "Host" value "*.domain1"  forward to <syno>
    pass request quick header "Host" value "*.domain2" forward to <apu2>
 
    block
}

http protocol "wwwtls" {
  match header log "Host"
  match header log "X-Forwarded-For"
  match header log "User-Agent"
  match header log "Referer"
 
  match url log
 
  match header set "X-Forwarded-For" value "$REMOTE_ADDR"
  match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match header set "Keep-Alive" value "$TIMEOUT"

  http websockets

  tls keypair domain1
  tls keypair domain2

  tcp { nodelay, socket buffer 65536, backlog 100 }

  match request header set "X-Forwarded-Proto" value "http"

  pass request quick header "Host" value "*.domain1"  forward to <syno>
  pass request quick header "Host" value "*.domain2" forward to <apu2>

  block
}

relay "www" {
  listen on $ext_addr port 80
  protocol "www"
  forward to <apu2> port 80 check tcp
  forward to <syno> port 180 check tcp
}

relay "wwwtls" {
  listen on $ext_addr port 443 tls
  protocol "wwwtls"
  forward to <syno> port 180 check tcp
  forward to <apu2> port 80 check tcp
}


3

21.7 Legacy Series / Re: Help with Firewall plugin

« on: December 06, 2021, 10:26:38 am »

True that! I'm just not used to this kind of API (I'm a web developer by day). But then again I'm on the Ruby/Elixir camp, which is a bit closer to the present than PHP

4

21.7 Legacy Series / Re: Help with Firewall plugin

« on: December 06, 2021, 09:57:17 am »

I just think it's poorly structured. Why have core Firewall API functionality in another plugin? Why have it work on separate rules instead of the ones you want to toggle or change? It's needlessly confusing. 

5

21.7 Legacy Series / Re: Help with Firewall plugin

« on: December 06, 2021, 09:51:01 am »

I find this solution a bit easier to understand than a plugin that introduces yet another layer of rules

6

21.7 Legacy Series / Re: Help with Firewall plugin

« on: December 06, 2021, 09:37:19 am »

Yeah, the Automation plugin doesn't have that - it's either Source NAT or Filter.

Anyway, I fixed it by changing the IP associated with an alias instead. Now all rules are the same, the only difference is what is the content of my `server` alias.

Here's the Ruby script I ended up using:

Code: [Select]

#!/usr/bin/env ruby

require 'rest-client'
require 'json'
require 'base64'

raise "must provide IP!" unless ARGV.size == 1

ip = ARGV[0]

KEY = "your API key"
SECRET = "your API secret"

ALIAS_UUID = "your alias UUID"
BASE_URL = "https://192.168.1.1:8443/api/firewall"

def empty_alias
  puts "emptying alias..."

  response = RestClient::Request.new(
    method: :post,
    url: "#{BASE_URL}/alias/setItem/#{ALIAS_UUID}",
    verify_ssl: OpenSSL::SSL::VERIFY_NONE,
    headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{KEY}:#{SECRET}"),
      content_type: :json
    },
    payload: {
      alias: {
        name: "server",
        content: ""
      }
    }.to_json
  ).execute

  raise "error" unless response.code == 200
end

def set_alias_to(ip)
  puts "setting alias to #{ip} ..."
  response = RestClient::Request.new(
    method: :post,
    url: "#{BASE_URL}/alias_util/add/server",
    verify_ssl: OpenSSL::SSL::VERIFY_NONE,
    headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{KEY}:#{SECRET}"),
      content_type: :json
    },
    payload: {
      address: ip
    }.to_json
  ).execute

  raise "error" unless response.code == 200
end

def apply
  puts "reconfiguring..."
  response = RestClient::Request.new(
    method: :post,
    url: "#{BASE_URL}/alias/reconfigure",
    verify_ssl: OpenSSL::SSL::VERIFY_NONE,
    headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{KEY}:#{SECRET}"),
      content_type: :json
    },
    payload: {}.to_json
  ).execute

  raise "error" unless response.code == 200
end

empty_alias
set_alias_to(ip)
apply()

puts "done!"

Now I can just `set_server_alias 192.168.1.12` to change its content. Not super awesome, but OPNSense's API is a bit on the terrible side.

7

21.7 Legacy Series / Help with Firewall plugin

« on: December 04, 2021, 04:42:12 pm »

I want to quickly toggle rules between hosts, and the Firewall API plugin seems perfect for it (even though I think this should be part of the normal API, but alas).

This is made more complicated by the fact that the plugin's rules have to be separate from the actual port forwarding rules I'm using. So, I've tried to replicate my SSH redirect to a certain host rule, but I always get a syntax error on the rule.

Here's the original port forward rule:

https://imgur.com/a/CJAZfmi

And here's the one in the Firewall -> Automation -> Source NAT section that I'm trying to get to do the same thing:

https://imgur.com/a/FngGR1V

Right off the bat, the "Destination" filter in the Automation rule doesn't allow me to use "WAN Address" like the proper port-forwarding rule. And when I disable the port-forward rule and activate this Automation one, I get syntax errors:

Code: [Select]

12-04-21 15:31:16 [ There were error(s) loading the rules: /tmp/rules.debug:64: syntax error - The line in question reads [64]: nat on igb1 inet proto TCP from any port any to any port 22 -> 192.168.1.12 port 22 # qoob_ssh ]

What am I doing wrong? Thanks in advance!

8

Virtual private networks / Problem with WireGuard

« on: May 30, 2021, 08:20:49 pm »

Hello!

I've followed the docs, and managed to add my OPNSense box as a peer to my existing WG server. However, I can't ping it from any other peer in the WG network, and I can't forward traffic to the LAN it protects.

I've tried replicating my `WAN<->WAN address port` forwarding rules to work with my WG interface instead, with no success.

How can I explain this better? I just want to access the LAN the OPNSense box is guarding from other WG peers.

Thanks for any help