Messages - ddywz

#1
What I will do is get another of the exact same Qotom Q575-G6 with 16GB RAM and 200GB storage, deploy that with the new 23.7 and play around until all issues are resolved. That way, if I'm stuck, I simply plug back the old device and all is back on-line. It's not just a matter of providing internet access: I have haproxy there for inbound connections, DNS, DHCP, and a VPN server running OpenVPN, so there's a lot to fix if something breaks.

Thanks for the suggestion, will try that once I get my 2nd unit to play with.
#2
I managed to get the local DNS working but it is weird, some hosts work and some do not. Something is definitely broken on this release. I gave up, rolled back to 23.1, upgraded to the latest 23.1.11_2 and restored from a backup from last week. All working perfectly. Also some plugins are not available in 23.7.4. I had the os-dyndns plugin, which is no longer available on this release.

All is working fine for now.
#3
I have not touched the outbound config. Always used the automatic mode, as the attachment shows.

I have not used any other resolver. On my Windows 10 desktop, after I flushdns and do an ipconfig /all, I see external DNS servers on it, which is wrong.

IPv4 Address. . . . . . . . . . . : 192.168.2.112(Preferred)
   Subnet Mask . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . : Sunday, September 24, 2023 6:48:20 AM
   Lease Expires . . . . . . . . . : Sunday, September 24, 2023 7:50:31 PM
   Default Gateway . . . . . . .  192.168.2.1
   DHCP Server . . . . . . . . . .  192.168.2.1
   DNS Servers . . . . . . . . . .  1.1.1.1
                                             1.0.0.1
   NetBIOS over Tcpip. . . . . : Enabled

Not sure why this changed. It was showing DNS as 192.168.2.1 before. All I did was upgrade to 23.7.4.

Attached is the Outbound config.

#4
My OPNsense was running fine on 23.1. Once I upgraded to the latest 23.7.4 and the unit rebooted, I lost connectivity: I could not get internet connectivity and internal DNS was lost.

Looking around, I had to disable this rule I have had for years under FIREWALL---NAT--PORT FORWARDING. A pic of the rule is attached here. If I disable this rule then external connectivity is fine and I can connect to the internet from the LAN interface.

Still no internal DNS; I can no longer ping by name any of the static reserved addresses I have created. All this was OK before the upgrade. I do not use any dnsmasq or OpenDNS. I have ticked the option to Register DHCP static mappings in Unbound DNS--General.

Any help on how to overcome this? I was planning to roll back to 23.1, but I know I will hit this again if I want to upgrade at some point.
#5
Yes, of course if possible, I would prefer to not go out on the internet and come back to access my internal server.

Let me give some more info on this. This is a webserver running Confluence that has its base directory as https://myserver.mydomain.com. It can also be accessed as http://myserver:8090

I have deployed HA-Proxy in OPNsense, which has all the SSL certs for offloading SSL and also redirects traffic to the appropriate internal server. There is a real webserver set in haproxy where the request for https://myserver.mydomail.com maps to http://myserver:8090. All is working well when things are accessed externally.

So I guess my question is: how do I forward my request to HAproxy from an internal LAN PC? I need to reference the SSL certs that are in the proxy, but when I type https://myserver.mydomain.com (same as I can access externally) I cannot access the server. From my PC on the LAN I can access the server in the DMZ as http://myserver:8090, which is not its base directory. It is expecting to be accessed as https://myserver.mydomain.com

#6
No, there is no deny from LAN to DMZ. 

Yes, both PC on LAN and Server in DMZ use the gateways on OPNsense. 

I basically need a Loopback rule

You should be able to create loopback rules from destination NAT rules to allow internal hosts to communicate with other internal hosts over the external IP address or the domain name.

With the Sophos UTM I had before, I was able to accomplish this with what they call a FULL NAT rule.

Full NAT is DNAT with the Source IP/traffic also changed. 

See attachment.


How do I do this in OPNsense?
#7
Thanks for looking. No, it does not work by entering the IP address of the webserver.
#8
I need to have a PC on internal LAN (Interface1 on OPNsense) to access a confluence webserver on DMZ (interface2 on OPNsense). 

My current setup:
1. There is a rule in place that blocks all traffic from DMZ to LAN.
2. All traffic from LAN to DMZ is allowed.
3. HA-proxy is set up and all traffic from WAN gets forwarded properly based on certs to servers in the DMZ.

I have no problem accessing the Confluence server as https://myconfluence.mydomain externally.

I need to have access at the same https://myconfluence.mydomain from my PC that is on LAN network.  It appears that OPNsense does not allow traffic to get out on WAN and come back for an internal server.

What rule do I need to set up to allow this traffic only for a specific alias (the IP address of my laptop) on the LAN network?

Thanks,
#9
Web Proxy Filtering and Caching / Re: haproxy issue
February 16, 2021, 05:08:47 AM
I kind of resolved this. I think my mistake was that I was using separate front ends for all web portals that need to be accessed from the internet. I read about it, and the doc says that if you have multiple domains mapping to one WAN IP and all services are on the same port, usually 443, then use one single front end public server and specify unique rules for each domain.

After doing so, all is working fine: the external web portals map correctly and use the correct certificates that are imported under System --> Trust.

#10
Web Proxy Filtering and Caching / haproxy issue
February 15, 2021, 04:50:11 AM
I'm having this issue with the HAproxy module. The service does not start after correctly configuring:

1. Backend server
2. Backend pool
3. Condition
4. Rule
5. External webserver.

Starting the service for HAproxy fails. I looked at the logs and I saw this when I tried to start the service:

root@myrouter:/usr/local # /usr/local/etc/rc.d/haproxy onestart
Starting haproxy.
[ALERT] 044/221323 (92978) : Starting frontend media_fe: cannot bind socket [10.0.a.b:443]
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy

I think I see where the issue is. Here is what I found:
When I configured the External Webserver I gave the FQDN of the server as someone would connect externally via https, so in the "Listen Addresses" I gave myserver.domain.com:443

If I save this then the Haproxy service goes down, and this is because the name myserver.domain.com resolves internally to the 10.0.a.b address that shows in the log file. That is the IP address of the real backend server.

Internally I use the same domain name that is used externally, for instance mydomain.com. When I configured OPNsense under System-->Settings-->General-->domain I put mydomain.com and not mydomain.local
Is this a bad thing? I have been using the same domain name internally due to some apps on the phone that require this to operate seamlessly on wi-fi (local LAN) and 4G (external).

I tested this and changed the internal domain to mydomain.local instead, and the haproxy service started fine with no issues.

The other test I did was to switch the internal domain back to mydomain.com as it was, and did the following:

I changed the Listen address on the Public Server in the HAproxy config to 0.0.0.0:443 and saved it; the haproxy service started fine and now I can connect externally via haproxy to the backend server, doing SSL offloading on haproxy via a certificate I imported and used in the configs.

Is there a downside to binding to 0.0.0.0:443 in the listening address field of the public server config? I'd like to enter the specific address in the listen field, like myserver.mydomain.com:443

Is there a way to tie the Public Server in the haproxy config to the WAN interface only and not resolve internally? Yes, I forgot to mention that I use the OPNsense as a DHCP server and DNS server using DHCP static mappings for most of the devices.


Any help is appreciated. Thank you!
#11
Thanks for the tutorial. I have followed it and done everything correctly, but the nginx service won't start. Something is not right with it. When I enable nginx under general settings and try to start the service, it won't start. If I disable nginx in general settings, the service starts (at least the green arrow shows up) but it cannot be stopped with the square icon. I have to go to the dashboard and stop it from there.

Not sure why it is doing this.  Do you need to reboot after you set this up?

Thanks,
#12
Thank you guys. Found it, installed the plugin and am trying to configure it. I actually have three certificates that I have purchased and are valid till the end of 2022, so I was going to import them in the "Trust" menu. Is there a rule on how to import them? There are only two fields:
1. X509 PEM cert
2. private key

I have

1. .crt file
2. ca-bundle file
3. privkey.pem file

Should I combine the .crt and ca-bundle into one PEM file and enter it in the cert field? Is there a particular order for this? I could not find any details in the doc for this.

Thanks!
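Added example, not from this thread or from the OPNsense project: a small Python check for the combined PEM file the post above asks about. It parses each PEM block, reads subject and issuer straight from the DER, and reports whether the file is in the order HAProxy and most TLS servers expect (the server's own certificate first, then each issuing CA in turn). The sample certificates it builds are constructed, unsigned stand-ins, not real certificates.

```python
import base64, re

def der_children(buf):
    """Split a constructed DER value into [(tag, value), ...] (handles long lengths)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def cert_names(cert_der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name bytes."""
    cert = der_children(cert_der)[0][1]                 # Certificate SEQUENCE body
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip optional [0] version
    return fields[4][1], fields[2][1]   # serial, sigAlg, issuer, validity, subject

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in file order."""
    pat = r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----"
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in re.finditer(pat, text, re.S)]

def chain_problems(pem_text):
    """Ordering problems in a combined cert + ca-bundle PEM: the server
    certificate first, then each issuer in turn (issuer(i) == subject(i+1))."""
    blocks = pem_blocks(pem_text)
    problems = [] if blocks and blocks[0][0] == "CERTIFICATE" else ["first block is not a certificate"]
    names = [cert_names(d) for label, d in blocks if label == "CERTIFICATE"]
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:      # byte-compare issuer(i) with subject(i+1)
            problems.append(f"certificate #{i} was not issued by certificate #{i + 1}")
    return problems

def fake_cert(subject, issuer):
    """Constructed, unsigned certificate-shaped DER for the demo (not a real cert)."""
    der = lambda tag, c: bytes([tag, len(c)]) + c   # short-form DER TLV, enough for tiny sample
    name = lambda s: der(0x30, der(0x13, s.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def to_pem(label, data):
    body = base64.encodebytes(data).decode()    # newline-wrapped; the parser strips whitespace
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
```

Run `chain_problems(open("combined.pem").read())` on a real file; an empty list means the leaf is first and every following certificate is the issuer of the one before it.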
#13
I would be interested to know too for the Sophos AP. I have an AP 55C and it would be great if I could re-purpose it for use with OPNsense.
#14
General Discussion / Web Application Firewall in OPNsense
February 08, 2021, 04:32:58 AM
Hello, this is my first post here, as I decided to try out OPNsense and set up new hardware, a Qotom-Q575G6-S05, with
OPNsense 21.1-amd64
FreeBSD 12.1-RELEASE-p12-HBSD
OpenSSL 1.1.1i 8 Dec 2020

Hardware is an Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz (4 cores) and 16GB RAM

The basic installation went fine and the main rules are in place. All is working fine so far. Today is my 3rd day of running it.

I was using Sophos UTM before and thought I'd try OPNsense, and while doing so I have the following question:

I have about 4 webservers that need external access from the internet via HTTPS. In Sophos I was using the WAF feature (Web Application Firewall), where I would create a "Real" webserver (you basically define the real http or https path of the internal server) and link it with an external one created in the Sophos UTM, where I would upload the certificate; the mapping is done via SNI and no ports are opened in the firewall to allow https traffic. This also helped with the fact that I could use the same port 443 for all server connections coming in on the single WAN address.

How would I accomplish this in OPNsense? Can this be done in the web proxy section? I also saw a plugin called
"Nginx HTTP server and reverse proxy". Would this help with the issue I'm having?

Thanks in advance.