Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Monviech (Cedrik)

#1
It's getting a little hard to keep the expectation in sync to the reality. I'm not sure yet we can add every case here since the backend decides this via runtime values.

What you see (In the automatic rules in SNAT) is just an approximation of the reality, the real rules (which are generated independent by the backend) can be seen via:

# pfctl -s nat

Not sure yet how to really display everything, but we probably have to postpone fixing more a little while or we chase each little edge case. We probably need some generic solution first.


Your most reliable fix is to create manual SNAT rules because those will ensure you always see and generate the full reality.
#2
Don't worry.

The Outbound NAT rules are generated here:
https://github.com/opnsense/core/blob/70be6992f8e30cd8b35cedb7fc985f3942ccd29b/src/etc/inc/filter.inc#L208-L243

What you see as automatic rules in the Source NAT grid, is only a synthetic approximation:
https://github.com/opnsense/core/blob/70be6992f8e30cd8b35cedb7fc985f3942ccd29b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php#L52-L54

This means your automatic Wireguard rules most likely exist, they are just not displayed in the grid right now.

Check that via:

# pfctl -s nat
#3
Did the automatic wireguard network outbound rule ever work? What I have seen is that most users created manual rules for that.
#4
What kind of ppp interface is WAN cellular? A pppoe interface?

https://github.com/opnsense/core/issues/10479
#5
Heres the example setup from the documentation:

https://docs.opnsense.org/manual/how-tos/dynamic_routing_ospf.html#ipsec-failover-with-policy-based-tunnels-gre-and-ospf

I wrote that, but Im not an expert on GRE, but I didnt have issues with it not establishing with the firewall enabled.

Maybe what you have is a new issue, or something that wasnt noticed yet.

Though I know others who e.g., get Hurricane Electric IPv6 nets over GRE and there arent too many reports that something is wrong with that either.

So the simplest assumption is that the firewall rules are wrong somehow.
#7
Wenn sie nicht auf dem aktuellen stand ist geht es nur über die Kommandozeile.

Z.b "pkg install os-dyndns".

Würde ich aber nicht machen wenn die opnsense version zu alt ist da abhängigkeiten fehlen können.
#8
Caddy is not a general purpose ACME certificate tool.

The ACME capabilities of caddy without its reverse proxy core would be certmagic:
https://github.com/caddyserver/certmagic

CertMagic is designed to be embedded into Go applications, with certificate management tightly integrated into the application itself.

The whole framework is for packaging the ACME capabilities with the tools, not having a swiss army knife for any application like for example the acme.sh project.

All in all there is nothing we can or should do here, the generic tool for the job is acme.sh.
#9
I know how nice it works but there is no plan to make the certificates available in other components. I do not want to maintain a connection between the certificate authority model of the OPNsense and Caddies certificate deployment, which are very different by nature.

Potentially you could use Caddys Layer 4 proxy to TLS offload the Mail Port, but not sure if it works with STARTTLS as the module currently has no support for it: https://github.com/mholt/caddy-l4/issues/384


#10
Mit dem Reverse Proxy funktionieren die Outlook Clients nicht mehr, das NTLM Plugin musste entfernt werden da es nicht mehr maintained wurde.

Die einzige Möglichkeit wäre den Layer 4 Proxy zu verwenden und zu versuchen ob es damit funktioniert, und zwar ohne TLS terminierung. Hier würde nur Anhand von SNI der Verkehr zum Exchange transparent weitergeleitet werden. Es ist also nur bedingt besser als ein einfaches Port Forwarding wenn man eine eigene IP Addresse für den Exchange verfügbar hätte.

https://docs.opnsense.org/manual/how-tos/caddy.html#tls-sni-multiplexing-on-https-port

Falls die Business Edition benutzt wird, hier gibt es das OPNWAF plugin welches die externen Outlook Clients auch proxien kann, aufgrund von viel Feedback kann ich aber sagen dass es auch nicht mehr bei allen Umgebungen richtig funktioniert und es zu NTLM bedingten Authentifizerungsfehlern kommen kann.

https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server


TLDR: Falls es genug externe IPs gibt, ein einfaches Destination NAT ist die beste Lösung mit am wenigsten Problemen.
#11
Huh I never said that nor have any issue anywhere that states that. Sounds like misinformation.

What I did was splitting the Caddy plugins up, into one with all DNS providers and a xcaddy plugin here:
https://github.com/Monviech/os-caddy

And the standard one with just Cloudflare here:
https://github.com/opnsense/plugins/tree/master/www/caddy

But thats already like this since a year or so now. Nothing more is planned around these facts.
#12
Hmm no nothing about caddy will be changed. It will still issue its own certificates.

But they cannot be used in other services on the OPNsense, and there is no plan to add such capability.
#13
The new rules are populated with old rules read only, they still only exist in the old rules.

Old rules have a distinct command button that opens the legacy rule page, and cannot be deleted/cloned in the new GUI

You still have to migrate eventually.

In 26.7 the old rules will be turned into a plugin, so they will still work. No pressure to migrate yet.
#14
Well you dont have to manually migrate them one by one, we enhanced the Firewall Migration assistant to include a download for Outbound NAT rules.

And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))
#15
The Outbound NAT mode affects both the old Outbound NAT rules and the new SNAT rules.

There was an issue here for quite a while that SNAT rules didnt take the global Outbound Rule mode into consideration and always rendered into the ruleset regardless.

https://github.com/opnsense/core/pull/10472

If you used both GUIs at the same time with different intentions, thats not going to work anymore. Both GUIs adhere to the same Mode now.

TLDR set your mode to hybrid if you need both automatic and manual rules at the same time.