Messages

1

Tutorials and FAQs / Re: Help with the WAN & LAN port in mini PC with 2 ethernet using proxmox

« on: March 30, 2024, 05:15:27 am »

I have got this to work, and use this approach on an experimental basis only...
Its a bit weird running your router in a vm on proxmox... because the vm has to come up before you home network can get served with ip addresses. This is why bare metal is much easier to deal with for the noob. It is easier to have your network infrastructure run out of band from your trusted services.

I use a Lenovo 1 litre pc, with a 4 x port ethernet card in it... works fine.

For proxmox... you will really need 3 x nic's to keep things simple.
- Wan (connects to your router/modem for internet)
- LAN (serve your home with trusted network services and dhcp)
- Proxmox management port (part of your lan. this is where the proxmox UI is defined)

In prox, you can define Lan and Wan as bridged interfaces... which is the easier way to go... The other alternative is to do PCI passthrough of the nic's, so prox will use the hardware directly, without added software layer of a bridge. The latter is more perfromant, but not really a big issue at the 1Gbit interface level.

Stick with it... its fun to do if you have the time...

2

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: March 30, 2024, 04:59:16 am »

Thanks monviech...  I gave caddy another try... I currently run HAProxy, but dont really need load balancing for the home network, caddy is simpler.
My results were uneven... thus far. Here is what I did....
- Turned off ddns as relying on opnsense for that
- Gave the domain a custom cert located in the opnsense trust store.
- Gave the domain a custom port of 30000, as haproxy is currently binding to 443 and 80.
- With this approach, caddy does not terminate the connection. Seems to work however if I give it default 443

- Further to this... I disabled haproxy, and enabled caddy
- created a brand new domain and opnsense LE cert.
- bound caddy to 443 and seemed to work ok
- Home assistant loaded fine, the backend is unencrypted
- when backend was encrypted however, I checked the tls box for the backend, but alas failed to certify
  - this was the opnsense gui... which I put on a different port (41443)
  - Gui failed to load.
  - Similar approach seems to work in haproxy... where you check tls but dont bother to certify.

I will try again in a few days... to see if I can work around some of these things...
best regards,

3

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: March 28, 2024, 10:44:26 pm »

nice plugin... super simple !

Is it possible to defer certs to the opnsense trust store ? 
I already have LE generating certs there... and would like to use those, rather than have caddy own the process of creating/renewing the cert ?

------------ answer ------
I can see now, that you can select other cert if you use advanced option for the domain.

4

24.1 Legacy Series / wireguard road warrior documentation

« on: March 22, 2024, 09:48:24 pm »

my road warrior setup was not properly connecting, so I consulted latest release documentation to see if everything was setup properly.
Ther doco appears corrupted. The instructions point to items that do not exist, and has become very confusing.

Perhaps a close reading is needed to see if the document remains to be fit for purpose.

5

Tutorials and FAQs / Re: Routing iKVM/VNC traffic over HAProxy plugin in Opnsense

« on: March 02, 2024, 06:19:02 am »

i have this problem too... still wondering how to overcome this.

6

23.7 Legacy Series / Re: htop installation fails

« on: January 01, 2024, 03:10:21 am »

trying to install htop from mimugmail repo.... but its not there.
Am i missing something ?

7

General Discussion / forum search within a specific topic

« on: December 19, 2023, 10:37:37 pm »

Is this possible ?
I searched around and could not find anything.
I have a topic that is some 40 pages and would like to search through it...
the search feature on the forum does not seem to provide this...
anyone ?

8

Tutorials and FAQs / Re: Batch create VLANs, Interfaces, DHCP Server, CARP, NAT, Firewall Rules, etc

« on: December 04, 2023, 07:57:01 pm »

cool stuff...

9

Tutorials and FAQs / Re: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: December 03, 2023, 11:46:53 pm »

techsolo12

It is probably a dns issue. You need to setup a nat reflection solution, so that internal dns names will map to the gateway, where haproxy can do its work.(much the same as when you are coming from external).

I use unbound for dns, and setup a wildcard DNS entry much the same as I did on cloudflare and desec. This wildcard entry points to the opnsense gateway, and haproxy then does its magic.

hope that helps... (worked for me)

First of all, a huge thank you to TheHellSite for this detailed tutorial!

Unfortunately, I need your help. I have configured HAProxy as described in the tutorial. However, with my own domain.

All services that are to be reached externally work as desired. Only the internal service does not seem to be "noticed" by HAProxy. Unfortunately, no accesses to the "node2-ipmi" service from the source IP from the "10.10.10.0/24" network appear in the log. I cannot connect to the service "node2-ipmi".

In firefox i got this warning "SEC_ERROR_UNKNOWN_ISSUER".

Since no log entries appear in the log, I cannot attach any.

Config export:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening to 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_65612d875c4e55.24914702 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_65612d875c4e55.24914702

# Frontend: 1_HTTPS_frontend (listening to 127.0.0.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6561dfa723cb35.23136075.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_FQDN_condition
    acl acl_6563927a593ba4.09519486 src domain.tld
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_65627ea0efa5d5.95729048 src 10.10.5.0/28 10.10.10.0/24 10.10.11.0/24
    # ACL: nextcloud_caldav
    acl acl_65626936202592.20944712 path_beg -i /.well-known/caldav
    # ACL: nextcloud_carddav
    acl acl_656269439b5220.54434789 path_beg -i /.well-known/carddav

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/656277f5815fc5.43737480.txt)] if acl_6563927a593ba4.09519486 || acl_65627ea0efa5d5.95729048
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/65612e0d931f69.06203948.txt)]
    # ACTION: nextcloud_dav
    http-request set-path /remote.php/dav if acl_65626936202592.20944712 || acl_656269439b5220.54434789

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: cloud_backend ()
backend cloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server cloud_server 10.10.20.5:80

# Backend: vw_backend ()
backend vw_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server vw_server 10.10.20.7:80

# Backend: office_backend ()
backend office_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server office_server 10.10.20.8:80

# Backend: rezepte_backend ()
backend rezepte_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server rezepte_server 10.10.20.9:3000

# Backend: cash_backend ()
backend cash_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server cash_server 10.10.20.10:5006

# Backend: node2-ipmi_backend ()
backend node2-ipmi_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server node2-ipmi_server 10.10.5.6:443 ssl verify none



# statistics are DISABLED

With best regards,
techsolo12

10

Tutorials and FAQs / Re: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: December 03, 2023, 11:33:09 pm »

tadchilly:

adding another domain was simple for me... easier than you might first think.... no need to change the mapfile either as subdomain names do not change with both domains.

in  1_https_frontend, simply add another wildcard cert here... and everything should work as normal.
my existing cert was (acme) *.expand.net.au, and to this I added another cert of *.expand.dedyn.io

Obviously need to ensure your wildcard dns will resolve properly. I found for local use, I can set a wildcard in unbound, the same way I do in cloudlfare, and will will resolve internally just fine.

hope this helps

I've been using this for months and really like it... but has anyone tried adding another domain?  What steps would I need to take?

For now the PUBLIC_SUBDOMAINS_rule is used to "Map domains to backends using a map file" and

Test Type is "IF", conditions are "Nothing selected", execute function "Map domains to backend pools using a map file".

What conditions would I use to specify one or the other?

11

Tutorials and FAQs / Re: Tutorial 2023-11 Bridge Modem access - using VIPs

« on: November 17, 2023, 10:54:14 pm »

I strongly suspect the first item... since it generates a firewall rule by default disallowing the 192.x.x.x ip addresses from reaching the wan interface.
I have this ticked atm, and it still works. I suspect because the floating rule is being assessed first.

Go ahead... put it in temporarily... they will never know.

12

Tutorials and FAQs / Re: Tutorial 2023-11 Bridge Modem access - using VIPs

« on: November 17, 2023, 09:08:50 pm »

your setup looks clean to me.... Mystery however abounds....
A couple of things to try...

• On your WAN interface, uncheck "Block local  networks" (at least temporarily)
• ping 2.1 and 2.2 (from 0.7), what do you get ?
• perhaps post modem setup, can be some wacky modem setup thing that interferes - try to dumb down as much as possible.
• might help to post vip setup too
• Are you getting an error or is there just lack of connectivity ?

13

Tutorials and FAQs / Re: Tutorial 2023-11 Bridge Modem access - using VIPs

« on: November 11, 2023, 07:41:23 pm »

no issues.
My vigor was originally 192.168.5.1/24 and worked fine in this scenario. This is actually desirable at first, since you can't really manage the modem until you have the scheme working. Best to use your existing /24 subnet, and then adapt later once you got things working.
I chose to narrow the size of the network with /30, so as to minimise the threat surface.

By the way, I have 2 x modems, since lightning strikes are famous for blowing modems out of the water. Can always keep your spare modem on your desk, configure it, and then when ready place it into your network.

14

Tutorials and FAQs / Tutorial 2023-11 Bridge Modem access - using VIPs

« on: November 11, 2023, 11:14:57 am »

2023-11-11 Initial tutorial published
~
This is similar to another tutorial on the subject, but going to use Virtual IP's rather than an additional wan interface to accomplish the task at hand. For original tutorial and inspiration see here :   https://forum.opnsense.org/index.php?topic=33497.0

Who is this for?
opnsense only accepts ethernet as physical connection for your wan.
If your ISP is using older vdsl protocols to connect you to the internet, you will need another device (modem) which you'll need to configure. Usually this a spare router you have lying around which you will dumb down and run it in bridged mode. Physically you plug an RJ11 line from wall to modem for adsl/vdsl, and then plug an ethernet port from the bridged modem to the router's wan port. This way your router will perform all the handshaking with your ISP, and the modem only worries about protocol translation between vdsl and ethernet.

This arrangement works fine, but you lose access to the modem gui, which is very annoying. The modem is behind the wan port, and its management ip is not accessible, since the wan port is busy connecting you to the internet. Should you wish to consult the modem gui to have a look at your sync rate, well you can't. You would need to pull the modem out of its position, reset to defaults and then connect to a pc sitting on your desk. What  a pain.

Solution:
opnsense does have a solution which is a little complex though only uses a couple of configuration lines, hence this tutorial. Once you get your head around some of the key concepts it is very gratifying as it teaches you quite a bit about networking... so worth giving it a go in my opinion.
The nature of the solution is to use your physical wan link to to run 2 x different networks. Network 1 is your normal wan, and network 2 is a small subnet we create to talk directly to the modem. We use a virtual ip address as a means to create this second network. Piece of cake. Read on...

There are 4 x steps in this tutorial as follows: We will show each step in some detail... so please stop stressing.

• Configure your modem's GUI IP address
• Create a virtual IP address
• Configure Outbound NAT to direct traffic to the modem over the wan link
• Firewall rule to allow flow between your lan and the new subnet targetting your modem

IP addressing:
Before we start let me say I will be using a set of addresses that suit my personal situation. I don't like using standard addressing schemes as these are constantly being probed for security flaws. For this tutorial please adapt IP addressing schemes to suit your own installation.

LAN
192.168.92.1/24  mask 255.255.255.0 (254 usable ip addresses)

Modem network - A tiny subnet is created to connect opnsense to the modem via its own subnet.
192.168.5.1/30 mask 255.255.255.252

• 4 x addresses of which only 2 are usable
• 192.168.5.0 - network id
• 192.168.5.3 - Broadcast
• 192.168.5.1 - usable address pointing to the modem
• 192.168.5.2 - usable address pointing to the vip

Hardware:
I use a 4 x port qotom box for my opnsense platform
I use a draytek vigor 130 router/modem. Turn off dhcp and set into bridged mode.

Step 1: Setup modem
I put the modem into bridge mode.



Assign it an ip address of 192.168.5.1/30 (note subnet mask of 252)



Step 2: Create the vip
In opnsense navigate to: Interfaces-> virtual IP's->Settings, and add a new vip like this. Make sure to tunnel it via the physical wan interface
I give the vip an ip address of 192.168.5.2


Step 3: Outbound NAT
In opnsense I need a way to shuffle all traffic bound for the modem subnet, via the wan physical interface, Outbound NAT is your friend here
Navigate to Firewall-> NAT -> Outbound, and create a rule which looks like this:


step 4: Firewall
Since in opnsense all subnets are configured to reject traffic by default, we need to specifically open up traffic from Lan to the modem subnet. I use a simple fw rule to acheive this.
Navigate to Firewall-> rules -> Floating, and add a rule like this:



Time to test this config... fire up a web page, and enter the modem gui address:


Job done....

For extra credit you can try some of the following ideas....

if you run a reverse proxy best to use it, rather than trying to remember a pesky ip address. I added an entry to my reverse proxy, and can access the modem gui with my domain... eg. modem.mydomain.net. Nice one....

When starting out... you may wish to point your vip at the existing subnet defined in your router. Otherwise you cannot get to the modem without pulling it out and resetting to defaults. Once you have the scheme working you can configure your modem in a more exact way.

15

Tutorials and FAQs / Re: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: October 27, 2023, 06:57:24 am »

Part 6 - Access from internal networks using split DNS

I would like to get internal access working... the tutorial is a revelation. Thanks again.

I need some help to understand what you are trying to do here: 
I don't recognise the IP address of the plex server you are pointing to. I did not see that IP address anywhere else in the tutorial.
Essentially I'd like the internal plex be directed to the reverse proxy, as if it originated from outside... that way no changes needed in the backend.

What IP address should I use in the override? Should I point to haproxy front end or directly to the backend service ? What ip are you using in this section?

I'm somewhat confused by this...
---------------------------------------------------
I played with this a little more, and solution is simple. The IP address in part 6 of the tutorial sample threw me.

Using unbound... create an A record with multiple cname records pointing to the lan ip. (opnsense interface). This is similar to what I'm doing today with nginx... so no problems.
When inside the network, directs to the https request to my LAN IP which is my router and haproxy interface. it works well....