Messages - alsoeric

#1
I enabled mmonit on opnsense to do some basic monitoring to make sure various virtual and physical machines are alive on the network. I now need to monitor things like making sure backup runs every 24 hours, and that license daemons are alive. It looks like I need to install instances of monitoring systems where I monitor local events.

My question is can I/should I use the opnsense instance of mmonit as the central monitoring system or create a second one for the central node for everything on the internal network?
#2
Thanks for the suggestion. I don't think it's going to work because it doesn't give me the information I want/need. SmokePing's packet loss presentation is really useful.
#3
I'm trying to monitor my network from inside the firewall, onto my local network, and out to the Internet. The immediate need is to determine why SSH connections break and why connections to streaming services "stall" (streaming, aqua speech recognition, video conferencing).

Monit is a possibility but I don't want to send alerts to an email address. In this case, I don't want immediate alerts. I'll review the data as needed. If I need immediate alerts, I prefer sending alerts to my phone, for example via NTFY.

Functionally, I like SmokePing because I'm familiar with it and like the way it presents the data. There is a related package called Vaping which presents ping data the same way as SmokePing.

Are there any other alternatives that I should be aware of?
#4
I have a situation where it would be nice if the user could view the traffic webpage in opnsense. Other than making him an admin and letting him log into the firewall web interface, what's a better solution?
#5
Quote from: alsoeric on March 21, 2024, 11:04:51 PM
The extended query I've worked out is: &(memberOf=memberOf=cn=vpn_users,ou=Users,o=no-see-me,dc=jumpcloud,dc=com)

BFH... I was staring at the config too long and missed the obvious error...

&(memberOf=memberOf=cn=vpn_users,ou=Users,o=no-see-me,dc=jumpcloud,dc=com)

At least I've documented the jumpcloud LDAP connection for others.
#6
Continuation of https://forum.opnsense.org/index.php?topic=37435.msg183770#msg183770 . I'm starting a new message thread since it has been 3 months since I was able to look into LDAP, and opnsense has moved to a whole new version.

The TL;DR is that System: Access: Tester tells me: Authentication failed and User DN not found. If you look at the message history, you'll see that kind people helped me figure out some of the problems, and the last problem was the extended query expression. I need the log where opnsense logs what it looks for in LDAP.

The extended query I've worked out is: &(memberOf=memberOf=cn=vpn_users,ou=Users,o=no-see-me,dc=jumpcloud,dc=com)
The attached image shows what I get using the extended query string in vscode's LDAP browser. To my naive eye, it looks correct. However, the tester still says:
Quote
The following input errors were detected:

    Authentication failed.
    error: User DN not found

One of my assumptions is that I don't have to explicitly import users, as they are just using openVPN. Of course, the openVPN LDAP connection opens up another set of issues, such as how to create the openVPN package for a user who's only active in LDAP.

Thanks in advance.
#7
23.7 Legacy Series / Re: LDAP set up problems
December 10, 2023, 03:43:35 PM
Found it.

These are the three containers presented:

    ou=Users,o=xxxx,dc=jumpcloud,dc=com
    cn=ldap_users,ou=Users,o=xxxx,dc=jumpcloud,dc=com
    cn=vpn_users,ou=Users,o=xxxx,dc=jumpcloud,dc=com

I chose vpn_users because that group contains the set of users I'm granting VPN access to. If I select the first container, the authentication test works but login to the web interface does not.
#8
23.7 Legacy Series / Re: LDAP set up problems
December 08, 2023, 09:20:49 PM
First image (ldap 2023...) is the configuration in the opnsense fw set up according to official opnsense documentation.
Second image (ldap_test_2023...) is the test failure.
Third image (ldap_auth...) was a choice for "Authentication containers".

bind DN: uid=<ldap_account>,ou=Users,o=<org_id>,dc=jumpcloud,dc=com
base DN: o=<org_id>,dc=jumpcloud,dc=com

what else do you need to know?
#9
23.7 Legacy Series / Re: LDAP set up problems
December 08, 2023, 04:54:28 PM
Apologies. I'll go back and fix the original post to include answers to your questions.

All actions described were on the opnsense firewall itself. I set up the LDAP connection via the web GUI in opnsense. The test interface is the one provided by opnsense. The ldapsearch command was run on the opnsense firewall in a shell as uid root.
#10
23.7 Legacy Series / LDAP set up problems
December 08, 2023, 02:26:58 AM
[edited to clear up my poorly worded description of testing]

My goal is to create an opnsense user account and generate openVPN credentials from LDAP. Our LDAP service is provided by jumpcloud. I followed the instructions (https://docs.opnsense.org/manual/how-tos/user-ldap.html) to connect to the LDAP server. It appears that everything is set up correctly, but the test interface (System >> Access >> Tester) says my authentication credentials are wrong. However, it does not indicate whether the wrong credentials are for the LDAP connection or the username/password I've entered. I ran an ldapsearch on opnsense and it returned the expected results.

command:
ldapsearch -H ldaps://ldap.jumpcloud.com:636 -x -b "o=$ORG_ID,dc=jumpcloud,dc=com" -D "uid=$BINDING_USER,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

result (filtered):
dn: uid=xxx,ou=Users,o=yyyy,dc=jumpcloud,dc=com
homeDirectory: /home/xxx
cn: xxx xxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uidNumber: 5002
gidNumber: 5002
sn: xxxxxx
initials: z
displayName: xxxx xxxxxx
uid: xxxx
loginShell: /bin/bash
mail: xxxx@example.com
givenName: xxxx
memberOf: cn=vpn_users,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com
memberOf: cn=ldap_users,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com

AFAIK, the LDAP info is correct. When I run the opnsense Tester with the given uid, it gives me the authentication credentials error.

I don't know where the logs are for LDAP so I have not been able to check to see what the system thinks it's doing. A pointer to where the log files are would be much appreciated.
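The two LDAP posts above (the extended query in #6 and the ldapsearch output in #10) can be checked against each other offline. The following is an added example, not code from the thread, from JumpCloud or from OPNsense: it parses a small subset of RFC 4515 filters (&, |, ! and attr=value equality), evaluates the filter against an LDIF entry of the kind ldapsearch returns, and shows why the query with the duplicated `memberOf=` never matches the user while the single-attribute form does. The sample entry, the `ORGID` placeholder, the names `GOOD_QUERY`/`BAD_QUERY` and the helper functions are all constructed for this example. It also assumes, without confirmation from the thread, that OPNsense combines the extended query with the login name as `(&(<user attribute>=<login>)(<extended query>))`.

```python
"""Check an OPNsense LDAP extended query against a real user entry, offline.

Added example, not code from the forum thread or from OPNsense itself. It
parses a small subset of RFC 4515 filters (&, |, !, and attr=value equality)
and evaluates it against an LDIF entry of the kind ldapsearch returns, so the
extended query can be verified against the attributes the server actually
serves before trying it in System > Access > Tester.

Assumption (not confirmed by the thread): OPNsense combines the extended query
with the login name as (&(<user attribute>=<login>)(<extended query>)).
"""

# Constructed sample entry modelled on the filtered ldapsearch output in the
# thread; "ORGID" stands in for the real $ORG_ID.
SAMPLE_LDIF = """\
dn: uid=xxx,ou=Users,o=ORGID,dc=jumpcloud,dc=com
objectClass: inetOrgPerson
objectClass: jumpcloudUser
uid: xxx
mail: xxx@example.com
memberOf: cn=vpn_users,ou=Users,o=ORGID,dc=jumpcloud,dc=com
memberOf: cn=ldap_users,ou=Users,o=ORGID,dc=jumpcloud,dc=com
"""

GROUP_DN = "cn=vpn_users,ou=Users,o=ORGID,dc=jumpcloud,dc=com"
GOOD_QUERY = "&(memberOf=%s)" % GROUP_DN           # single memberOf attribute
BAD_QUERY = "&(memberOf=memberOf=%s)" % GROUP_DN   # the duplicated attribute from the thread


def parse_ldif_entry(text):
    """Return {attribute_lowercase: [values]} for one LDIF entry (no base64 or folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def norm_value(value):
    """Case-fold and strip blanks around commas so DNs compare the way LDAP does."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def parse_filter(text):
    """Parse a filter into ('&'|'|', [children]), ('!', child) or ('=', attr, value)."""
    text = text.strip()
    if not text.startswith("("):        # OPNsense examples omit the outermost parentheses
        text = "(" + text + ")"
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return node


def _parse_node(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in ("&", "|"):
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated '%s' list at offset %d" % (op, pos))
        return (op, children), pos + 1
    if op == "!":
        child, pos = _parse_node(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated '!' at offset %d" % pos)
        return ("!", child), pos + 1
    close = text.index(")", pos)        # DNs in this example contain no parentheses
    attr, sep, value = text[pos:close].partition("=")
    if not sep or not attr.strip():
        raise ValueError("only attr=value items are supported: %r" % text[pos:close])
    return ("=", attr.strip().lower(), value), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry from parse_ldif_entry()."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [matches(child, entry) for child in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    wanted = norm_value(value)
    return any(norm_value(have) == wanted for have in entry.get(attr, []))


def opnsense_would_match(login, extended_query, ldif_text, user_attr="uid"):
    """Apply (&(user_attr=login)(extended_query)) to the entry, per the assumption above."""
    query = extended_query.strip()
    if not query.startswith("("):
        query = "(" + query + ")"
    combined = "(&(%s=%s)%s)" % (user_attr, login, query)
    return matches(parse_filter(combined), parse_ldif_entry(ldif_text))


if __name__ == "__main__":
    for label, query in (("good", GOOD_QUERY), ("bad", BAD_QUERY)):
        print(label, query, "->", opnsense_would_match("xxx", query, SAMPLE_LDIF))
```

The bad query is syntactically valid LDAP, which is why an LDAP browser happily accepts it: it asks for an entry whose `memberOf` attribute literally equals the string `memberOf=cn=vpn_users,...`, and no such entry exists, so the server returns nothing and the Tester reports "User DN not found". To use this against a live directory, paste the relevant attributes from your own `ldapsearch` output in place of `SAMPLE_LDIF`.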
#11
Quote from: Seimus on September 22, 2023, 05:17:55 PM
That is not fully true "advice that tagged networks have a separate interface from your firewall/router." in the way you present it.
I think my misunderstanding came from this article https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/atmg/content/ch01s27.html . Thank you for clearing that up.

Quote
"Theoretically, if I leave ports untagged, they will convert the tagged traffic to untagged on the way out of the port and tag it on the way in. At least, that's what I gathered from the VLAN write-ups."
This only works if you have a managed switch capable of VLAN tags. The tag and untag is done on a port configured as access.
I will look and see if my switch handles or describes VLANs that way. It looked like it was trunk based and any member of the trunk was tagged on the way in.

Quote
There are many use cases you can do the setup. I personally prefer to have a Portchannel, so called LAGG, between a Switch and the OPNsense, and on this PO create VLANs + GW per VLAN. This way you have more redundant, resilient and higher capacity connection between OPN and a SWITCH. Switch is then per port per End device set to either Trunk mode (multiple VLANs) - where a server is TAGing several VLANs - or access mode - single VLAN like for IoT where switch is TAGing.

that sounds like a worthwhile learning experience. I'll give it a shot. Thank you for all the advice and suggestions you gave me.
#12
Yes, I am trying to use the (untagged?) LAN interface to also carry the tagged traffic.

You gave me the right question to Google, and I found from Cisco/HP advice that tagged networks have a separate interface from your firewall/router. I prefer not to do that because I'm running short of ports on this project and don't want to buy another switch at the moment. Another reason an untagged network was important is that I have a mixture of consumer devices on the network that don't have VLAN capability. It is important to keep domestic harmony by not breaking them.

I googled how to convert tagged VLANs to untagged, and it looks like what I need to explore is tagging all traffic from the LAN interface and, in the switch, using one trunk for the DMZ and another for the general network. Theoretically, if I leave ports untagged, they will convert the tagged traffic to untagged on the way out of the port and tag it on the way in. At least, that's what I gathered from the VLAN write-ups.

yes? no?

#13
23.7 Legacy Series / trying to work through VLAN set up.
September 21, 2023, 09:49:34 PM
It looks like I have a VLAN configured, but I don't have the right firewall rules to make it work. There was a help file on the opnsense wiki, but it seems to have vanished after the latest site rework.

What I want should be a relatively simple set of rules but I'm missing some knowledge that keeps me from doing it alone.

  • VLAN shares LAN interface for inbound/outbound traffic
  • switch has a trunk for redirecting VLAN traffic to ports
  • no need for DHCP/DNS service. Will use external DNS servers for machines on the DMZ
Rules I think I need:

  • Permitting LAN to VLAN
  • Permitting VLAN use of the LAN interface?
  • Barring VLAN access to LAN
  • VLAN access to the Internet via NAT
  • Internet access to VLAN via pinholes in the NAT
what I have tried:

  • pinging the VLAN machine and looking for the ICMP packet with tcpdump (nothing visible)
  • replicating rules that look appropriate from the LAN interface to try and open a connection.
  • added rule with DMZ net as the source and asterisks for all the other fields
Since I am not firewall-rule fluent at this level, it's not clear how to handle routing through the VLAN by the LAN interface. Thanks in advance for any help.
#14
23.1 Legacy Series / checkmk agent
May 05, 2023, 03:58:20 AM
Is there an "official" way to use checkmk on opnsense? I've found one solution (https://fingerlessgloves.me/2022/04/09/opnsense-checkmk-agent/) but I'd rather use a supported solution if one exists.

thanks!
#15
22.7 Legacy Series / Re: 22.7.6 to 22.7.7 failed update
December 02, 2022, 05:33:08 PM
Quote from: cookiemonster on December 02, 2022, 10:15:42 AM
I agree, it looks that way. Faulty OS disk.

I haven't done this for a while, but you may be able to recover the faulty OS drive by putting in a second drive and mirroring it with the old drive. Then fail out the old drive, put in the new one as a mirror, and you're running the firewall as you should.  ;)