Messages - thomas-hn

#1
Hello,

have you already found a solution for this?
#2
Quote from: pmhausen on May 04, 2023, 09:24:36 PM
Please check for yourself what it does and report back.

Another issue I found is that HAproxy behind sslh only sees requests coming from localhost instead of the client IP address. According to the documentation of sslh, the option "--transparent" should be used to make sslh a transparent proxy and to forward the client IP. However, this option seems not to be available in os-sslh :'(

Addition:
I found the commit https://github.com/opnsense/plugins/pull/2729/commits/d882e31712c4edb99d2e5f3a08ee60f1918be76a which states "Remove transparent functionality: Documentation reports this as a "Linux only" feature, remove since there is no provision for using this on FreeBSD."

I am wondering about this, because the documentation of sslh states for the Transparent Proxy "On Linux and FreeBSD you can use the --transparent option to request transparent proxying." (Source: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md).

My feeling is at the moment that the os-sslh implementation is far from complete and does not allow a lot of the features sslh provides.
#3
Quote from: pmhausen on May 04, 2023, 09:59:54 AM
The os-sslh plugin can multiplex OpenVPN and TLS traffic on the same port, then hand off to HAproxy.

I installed the os-sslh plugin. Could you please tell me what the preferred way is to configure the unused targets in os-sslh in the OPNsense WebGUI? If I keep them empty, they show in a light gray color as "localhost:<port>". Do I have to let requests to those targets bang against a closed firewall rule, or can I tell os-sslh not to use those targets?

Thanks.
#4
Quote from: pmhausen on May 04, 2023, 09:59:54 AM
The os-sslh plugin can multiplex OpenVPN and TLS traffic on the same port, then hand off to HAproxy. In my experience it is small, fast and reliable.

Thanks for the hint, I will definitely have a look at this. I never heard of this tool before :)

But to also improve my understanding of HAproxy: Could someone give me a hint on how to do it with HAproxy and checking the SNI?

Thanks.
#5
Hi,

currently I'm trying to set up a condition that checks if an SNI is present in a request (HTTPS) or if there is no SNI (OpenVPN traffic). However, in the dropdown for the "Condition Type" there are multiple SNI-related entries, but all seem to need a server name configured.

Is there a way to simply check if SNI is there, ignoring which server name exactly is requested?

Thanks a lot in advance,

Thomas
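An added example, not from this thread, of the SNI-presence check asked about in #4 and #5: an HAProxy TCP frontend that routes a TLS ClientHello carrying any SNI to the HTTPS backend and everything else (such as OpenVPN) to the OpenVPN backend. The backend names, addresses and ports are assumptions; the OPNsense plugin's GUI generates equivalent directives from its own field names.

```haproxy
# Added example: one listener multiplexing HTTPS and OpenVPN (TCP).
# Backend names, addresses and ports are assumed, not the poster's setup.
frontend mux_443
    mode tcp
    bind :443
    # Buffer the first bytes so the ClientHello can be inspected.
    # OpenVPN's handshake is not a bare TLS ClientHello, so the
    # delay simply expires and the connection falls through.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # "-m found" tests only whether the SNI sample exists, not its value.
    acl has_sni req.ssl_sni -m found
    use_backend be_https if has_sni
    default_backend be_openvpn

backend be_https
    mode tcp
    server web 192.0.2.10:443 check

backend be_openvpn
    mode tcp
    server vpn 127.0.0.1:1194
```

As with sslh in #2, both backends see HAProxy's own address as the source unless the PROXY protocol (send-proxy) or a transparent bind is used. OpenVPN must listen on TCP for this to apply.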
#6
Thanks a lot for the hint.
For IPAM tools I already had a look and found some interesting tools.

What tool are you using for the drawings? Is there any free tool available for such drawings (talking about special network drawing tools and not stuff like Visio, Inkscape, etc.)?
#7
Hi,

I am wondering if there is a cool idea, best practice, etc. for the assignment/organization of static IPv4 addresses on devices with multiple network interfaces on different subnets (to easily see which IPs belong to which device).
For example, a router has a downstream interface where it acts as a gateway and, therefore, uses the x.x.x.254 address. However, on its upstream interface the router is only a "client" to the next router and, therefore, maybe uses x.x.x.100. So it is hard to see that the 100 on subnet A and the 254 on subnet B are on the same device.

If a device is not a router but acts in multiple VLANs, it would be nice to have something like x.x.x.25 and y.y.y.25 on its interfaces, so that it is (for humans) easy to remember that 25 is this specific device in all subnets. I am fully aware that this will not work in all use-cases, but an uncontrolled growth of IP assignments could be even worse.

Simply assigning everything via DHCP and not considering any static addresses is not an option, because subnets like "Management" shall use static addresses so that the management subnet still works in case a DHCP server fails.

How do you organize your static IPv4 addresses in your subnets?

Thanks a lot in advance,

Thomas
#8
Does really no one have any experience?
#9
General Discussion / Multiple mDNS Repeater "Groups"
March 03, 2023, 01:48:01 PM
Hi,

is it possible to have different groups in the mDNS Repeater plugin?
Meaning that one mDNS Repeater instance works between VLAN 10 and VLAN 20, while another mDNS Repeater instance works between VLAN 30 and VLAN 40? The goal shall not be to have all four VLANs on the same repeater.

Thanks a lot in advance,

Thomas
#10
Thanks for the information.
I did not want to blame someone with my question, I am just wondering if there is someone who already created a plugin for this use-case on their own. I can hardly believe that none of the users here came across the same topic before.
#11
Really no one here who has done something similar? ???
#12
Hello,

does someone know if there is any user plugin available for OPNsense which provides a simple DNS server for only serving TXT records?

I would like to run something similar to https://github.com/pawitp/acme-dns-server on OPNsense with port 53 open to the Internet to provide a minimalistic DNS server for only providing TXT records used for DNS-01 wildcard certificate validation. The linked project describes the purpose as "This is a very simple DNS server written in Python for serving DNS TXT records for the purpose of ACME (Let's Encrypt) DNS-01 validation, which is required for generating wildcard certificates.".

Is something similar already available on OPNsense (without having to install it manually via console)?

Thanks a lot in advance,

Thomas
#13
General Discussion / Re: OPNsense behind Proxy
January 17, 2023, 12:53:28 PM
Thanks for this hint. This helps me definitely :)
Is OPNsense also able to authenticate itself against a proxy?
#14
General Discussion / OPNsense behind Proxy
January 17, 2023, 09:52:17 AM
Hello,

if OPNsense is installed behind a proxy server, is there any way to make Internet access possible to clients behind OPNsense without using proxy settings on them?
I am thinking about simply configuring the IP address of OPNsense as DNS server and gateway in those clients' network configuration, and OPNsense redirects all those requests coming from the clients via the proxy to the Internet (also including authentication at the proxy done by OPNsense).
I'm aware of the fact that this would not allow "full" Internet access, but only limited to HTTP traffic (or whatever the proxy allows).

Can this be done with OPNsense? If so, any hints?

Thanks a lot in advance,

Thomas
#15
Hello,

my current setup looks as follows:

LAN [192.168.10.0/24]  <----> OPNsense <----> DSL modem <----> Internet
(incl. web server)

OPNsense is connected to the Internet via PPPoE and a DSL modem (dynamic IPv4).
In the internal LAN there is a web server, which is reachable from the Internet without problems via port forwarding + HAproxy (on the OPNsense).

My problem is that the web server is not reachable by its URL from the LAN. The URL resolves correctly to the WAN IP, and OPNsense then routes the request on to the Internet instead of redirecting it to its own WAN interface (as incoming traffic).

1) How can I tell OPNsense that traffic from the LAN to the WAN IP should not be sent to the Internet but treated as "incoming traffic" on the WAN interface? Where in OPNsense do I have to adjust the routing, and what is the correct configuration for it?
2) Is this possible without modifying DNS resolution? I would like to avoid that, in case a user in the LAN uses their own DNS server.

Many thanks,

Thomas