Messages

I followed this tutorial a while back to access my web services from outside my network and it's worked pretty well via IPv4. Now I'd like to enable IPv6 access but I can't seem to get it working. When I run the Qualys SSL server test it works via IPv4, but it gives the message "Unable to connect to the server" under the IPv6 test. I added the IPv6 address assigned to my router to my DNS hostname (should it be the IPv6 address(es) of the web service(s) instead?).

I've assigned static IPv6 addresses to my services and I checked that they can be pinged. I tried adding just a couple of them under 'HAProxy > Real Servers' with their IPv6 addresses and added them alongside their IPv4 server in the corresponding backends just to test it, but I still get the same error (is this the right way to do it?).

I also have the following in my firewall rules (I added the ICMP rules after reading this article):



Have I missed something?

There's something else I've noticed as I write this - if I run the SSL test on the google.co.uk domain:



I see that their IPv6 address seems to have some sort of 'hostname' attached to it as well as the IPv4. Mine only has a 'hostname' on the IPv4 address. Is this also a factor?

I'm having problems with my certificate not renewing, automatically and manually. I get the error 'domain validation failed (dns01)' in the 'System log' tab under ACME. I haven't changed my DNS hostname and it can still be accessed from the web (albeit with the 'NET::ERR_CERT_DATE_INVALID' error), including from the SSL Labs server certificate test website. I haven't made any recent changes to my HAProxy config either.

I thought maybe my internal DNS was a problem since I have query forwarding enabled in Unbound that redirects to the DNSCrypt-Proxy app in OPNsense, so I tried disabling it so that my ISP's DNS is used instead and the same thing happened. I also tried resetting the ACME client under Settings and again the same thing happened when I tried to manually renew.

What else should I try, or what other info do I need to give for troubleshooting?

Got it working by changing the API key for my desec hostname. Not sure why the old one stopped working, but just in case anyone else is in the same boat as me try deleting your API key, create a new one, then paste that into the challenge type settings.

I'm having problems with my certificate not renewing, automatically and manually. I get the error 'domain validation failed (dns01)' in the 'System log' tab under ACME. I haven't changed my DNS hostname and it can still be accessed from the web (albeit with the 'NET::ERR_CERT_DATE_INVALID' error), including from the SSL Labs server certificate test website. I haven't made any recent changes to my HAProxy config either.

I thought maybe my internal DNS was a problem since I have query forwarding enabled in Unbound that redirects to the DNSCrypt-Proxy app in OPNsense, so I tried disabling it so that my ISP's DNS is used instead and the same thing happened. I also tried resetting the ACME client under Settings and again the same thing happened when I tried to manually renew.

What else should I try, or what other info do I need to give for troubleshooting?

Hi,

I followed this tutorial and my services now work as intended by typing https://[service].[hostname] for each web service I have (in Docker containers). Now I have a Docker called Organizr installed which I want to act as a 'homepage' that displays links to those services, and I want this to be accessible by just typing https://[hostname] and still use the same Let's Encrypt certificate to secure it.

How can I do this within the framework of this setup?

OK I tried by adding my full hostname as a new entry to the sub-domains mapping file followed by the corresponding backend for the Organizr service. When I type the hostname without https:// it doesn't load any SSL certificate or try to auto-redirect to HTTPS.  If I manually type https:// with the hostname, it gives an 'ERR_SSL_VERSION_OR_CIPHER_MISMATCH' error in my browser.

Hi,

I followed this tutorial and my services now work as intended by typing https://[service].[hostname] for each web service I have (in Docker containers). Now I have a Docker called Organizr installed which I want to act as a 'homepage' that displays links to those services, and I want this to be accessible by just typing https://[hostname] and still use the same Let's Encrypt certificate to secure it.

How can I do this within the framework of this setup?

Hi,

Just updated to 23.1.1 and I noticed that I don't seem to get an IPv6 address on my WAN. I didn't change any settings before updating. I currently have the following settings for WAN for IPv6:

Code Select Expand

IPv6 configuration type: DHCPv6
Configuration mode: Basic
Request only an IPv6 prefix: [ticked]
Prefix delegation size: 56
Use IPv4 connectivity: [ticked]

This is my LAN setup for v6:

Code Select Expand

IPv6 configuration type: Track interface
IPv6 interface: WAN
IPv6 prefix ID: 1
Manual configuration (Allow manual adjustment of DHCPv6 and Router Advertisements): [ticked]

When I go to Services > DHCPv6 > [LAN], it says 'No available address range for configured interface subnet size'. Again I didn't change anything here before updating and it was working previously.

This worked before updating to 23.1.1 so I'm not sure what's happened. Where could I look to troubleshoot why my router doesn't get a v6 address anymore?

Hi,

I currently have a DDNS hostname which points to my IP address and this is currently setup to redirect to one of my Docker containers on my server in the HAProxy settings. I have a second container which I also want to access remotely and I was wondering if I can do this in such a way that I could type a "folder" name after the hostname that would correspond to the container I want to access.

For instance, if I have Docker containers named 'first' and 'second', I would like to be able to type the following in the web browser to access each one respectively:

https://[hostname]/first
https://[hostname]/second

Is this possible in HAProxy?

Greetings,

I have Nextcloud setup on my home server and I want to be able to access it from both inside and outside my network via my DDNS hostname, which I've managed to get working...sort of.

It loads the login page fine if I use Firefox, Chrome or Brave (Chromium-based). But it turns out not all browsers are created equally after all...well either that or my configuration is wrong somewhere.  If I use Microsoft Edge it takes its time to give the error text "ERR_CONNECTION_TIMED_OUT", which is weird since it's now also Chromium-based. I also tested with a couple of mobile browsers including Samsung Internet Browser, SmartCookieWeb (both of which timed out in similar fashion), and Bromite (Chromium-based, this one works).

What could Firefox and Chrome be doing to load it which apparently Edge cannot do? Is this even an HAProxy issue? Any ideas?

Thanks for the input, at least that should reduce setup time :)

I'm investigating the possibility of upgrading the PC on which my OPNsense installation runs for something newer, and I wanted to ask about configuration backups. At the moment I have a few plugins installed and running on my existing setup and wondered whether the plugins (or the record of them being installed) and/or their data get backed up when you create a config backup. Or would I need to manually reinstall/reconfigure the corresponding plugins on any new installation?

When I look at the Restore section under System > Configuration > Backups and open the drop-down menu to choose what to restore, I couldn't see anything mentioning plugins so I wasn't sure if it gets grouped under something else without explicitly listing it.

OK, maybe I'll run both together and see how it goes.  Thanks  :)

I recently heard about this OPNsense plugin called Sensei, which by the sounds of it basically adds all sorts of network protection tools as well as extra web filtering to your installation.  Is this like Suricata on steroids?  Would Sensei replace all its functionality making Suricata unnecessary, or could the two work side-by-side?

You could try moving the script into one of the folders mentioned in this link:

https://docs.opnsense.org/development/backend/autorun.html

Depending on which folder you put it in, the script will run under different conditions (e.g. the 'monitor' folder for "scripts handling gateway monitoring events").  You could then update the .conf file accordingly with the path.

Bump.

Perhaps there's an internal command that could be run on the server instead?  Even if it saved a local copy of an encrypted XML config I could probably work out the rest in a script in order to push the file elsewhere (e.g. local file server) for safer keeping as well as scheduling the task.

I found the following thread on this forum...

https://forum.opnsense.org/index.php?topic=15349.0

...but it's just over a year old so I thought I'd start a new thread to ask my question about this.  Is it possible to use some of the commands in that script to also set a password for the config before downloading, just like you'd set one in the web GUI when manually downloading the config?