Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - NevadaTech

Pages: [1]

Virtual private networks / What's the direction of VPN - IPSEC or Wireguard?

« on: February 09, 2024, 06:08:46 pm »

This is a broad question. I'm trying to figure out where to migrate my connections.

My IPSEC site-to-site are now labeled as legacy. There is a new connection methodology for that tech. There is also Wireguard as a methodology. But if you add the wireguard plugin there are notes against it.

My use cases are mainly single site-to-site VPNs. Half of the time one side has a static IP. Half the time DuckDNS for both. Also a fair amount of road warriors doing an OpenVPN connection.

One pro of WireGuard is that it works fine with one side static and one side dynamic for site-to-site. From what I've read, the dynamic site is the side that always kicks off the connection. It could also be dual used for road warrior connections.

For road warriors I've had to use only the OpenVPN client bundled in the OPNsense package. New OpenVPN clients don't seem to work with the generated package/key. For me, that'd be another plus for WireGuard. But, the whole

<code>
=====
Message from wireguard-kmod-0.0.20220615_1:

--
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.
--
===> NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Only useful for FreeBSD 12 which is EoL soon.

It is scheduled to be removed on or after 2023-12-31.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
</code>

has me confused. This is from a plug-in install.

Thanks for guidance and opinions!

General Discussion / Security question - domain or no domain

« on: March 26, 2023, 05:43:01 pm »

Hello,

There is probably no firm 'real' answer to this question. If there is please let me know. In general, is your router more secure if you do not have an external domain associated with it's public IP? For example is router.walmart.com less secure than only using it's static IP of 12.34.56.78?

In this scenario, it is an OPNsense router with out of the box security enabled. There are IPSEC VPN connections to the box - both tunnel links and OpenVPN temporary connections. No other WAN ports open. I like the idea of setting a DNS name to it. I don't see how it would be less secure.

General Discussion / Re: manage multiple sites routers

« on: September 10, 2021, 11:01:39 pm »

... I meant for the plugin only.

General Discussion / Re: manage multiple sites routers

« on: September 10, 2021, 11:00:32 pm »

Blah! I looked all about except for the obvious. Thanks.

General Discussion / manage multiple sites routers

« on: September 09, 2021, 07:53:40 pm »

Hello,

I've been looking but not finding, any help?

We have a couple dozen pfSense routers we support. Some of the sites have IPSEC VPNs, some use OpenVPN for remote access. Most sites are basic single segment networks - DHCP, DNS, NTP. The plan is to migrate them to OPNsense. Is there a tool/service that we can manage all of the routers from a single dashboard?

It can be a limited overview/manager. Something that takes care of 80% of the jobs. For all of the features of OPNsense we only use 10% of them. Items we're looking for are
* sends the remote router's firmware/version
* allows remote kickoff of updates (yes, I know this can be dangerous)
* check status and restart of IPSEC VPNs
* alerts on gateway failures and packet loss alerts (pull sided vs remote pushing?)
* pull config backups from remote routers so we have a backup locally for future jobs/recovery
* since this is a wish list, a feature that we could semi prep the router (WAN static or DHCP), a public/private SSH key exchange (?), when the user plugs it in, we could then attach and do a little deeper config
* this tool would send out email/sms notifications

I imagine you could do a lot of the reporting with Zabbix. Is the plugin current?. There is Monit on the boxes but I haven't looked into its features yet.

And, yes, we'd happily pay for a quality product, anything that saves us work.

Thanks for ideas and input!

General Discussion / Re: same old router+VoIP issues

« on: March 23, 2021, 07:24:20 pm »

Here's my working setup...

* I'm running Incredible PBX on a Raspberry Pi4
* I use SIPstation as my SIP provider
* I have an OPNsense router
* I have a static WAN (public) IP
* these are the settings for OPNsense and Incredible PBX

In OPNsense
NAT> Port Forward
* this auto-creates the Firewall> Rules entries
* IncredPBX is an OPNsense Alias pointing to my PBX which uses a static LAN IP

Source    Destination      NAT
Interface Proto    Address    Ports Address      Ports      IP      Ports      Description
LAN    TCP    *      *      LAN address 80, 443      *      *      Anti-Lockout Rule
WAN    UDP    *      *      WAN address 5060 - 5061 IncredPBX 5060 - 5061 IncredPBX 1.1
WAN    UDP    *      *      WAN address 10000 - 20000 IncredPBX 10000 - 20000    IncredPBX 1.2

NAT> Outbound
* set to Hybrid then add the following rule
* the rule could probably be tightened up a bit

Source Destination NAT NAT Static
Interface Source Port Destination Port Address Port Port Description
WAN    LAN net      * * *      WAN address * YES IncredPBX 1.4

In Incredible PBX
Settings> Asterisk SIP Settings> Nat Settings
* make sure your External Address is accurate
* make sure your Local Networks is accurate

Connectivity> SIPstation
* obviously only if your are using SIPstation
* make sure your Primary SIPstation Server is talking, at times you may need to refresh
* make sure your Secondary SIPstation Server
* test External Connectivity
** the Firewall Status will Fail; lots of reason for this - you are not using FreePBX's firewall/you're using OPNsense/your PBX is not directly on the Internet>>> don't worry about it
** External IP should be accurate

The fix was one of those FM (fricking magic) fixes. It just started working. The real fix was one or more of these...
* I was making changes one at at time but not resetting my States
* my Outbound Static Port = Yes was one of my last changes
* Asterisk SIP Settings> NAT was not accurate there although the SIPstation said things were good

General Discussion / Re: same old router+VoIP issues

« on: March 23, 2021, 07:07:59 pm »

Thanks, but no other router. My OPNsense connects to my cable modem.

General Discussion / Re: same old router+VoIP issues

« on: March 19, 2021, 06:13:21 am »

And I've set

Firewall> Settings> Advanced> Firewall Optimization to Conservative

General Discussion / Re: same old router+VoIP issues

« on: March 19, 2021, 06:06:49 am »

I also found these instructions in pfSense docs

Manual Outbound NAT

For Manual Outbound NAT, navigate to Firewall > NAT, Outbound tab, switch from Automatic Outbound NAT to Manual Outbound NAT and press Save. Then at the top of the list, create a rule that looks like so:

* Interface: WAN
* Protocol: UDP
* Source: Network, PBX
* Source Port: [blank]
* Destination: Network, SIP_Trunks – Or Any for the type if the SIP trunk IP addresses are not known
* Destination Port: PBX_Ports (or leave blank)
* Translation: Interface address if using the WAN IP address, or the external VIP for the PBX
* Port: [blank]
* Static Port: CHECKED

Which I interpreted this way

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 10.10.20.20/24 udp/ * * udp/ * 11.22.33.44 * YES IncredPBX 1.4

General Discussion / Re: same old router+VoIP issues

« on: March 19, 2021, 05:49:12 am »

I've tried a number of variations - FreePBX vs Incredible PBX and pfSense vs OPNsense. Since the end result is always the same (calls ring+pick but no audio), I figure it has to be me.

General Discussion / [SOLVED] same old router+VoIP issues

« on: March 19, 2021, 05:46:42 am »

Hello all,

I'm having a devil of the time trying to get my PBX to talk through the router. My belief is that the root cause is my lack of understanding NAT. Any help would be appreciated.

* PBX (10.10.20.20/24) is on the LAN network
* phone (10.10.20.30/24) is on the LAN network
* external/Internet SIP service provider (SIPstation) appears to see/talk to the PBX
* calls ring from my cell (outside network) to PBX phone (inside network)
* calls ring from PBX phone (inside network) to cell (outside network)
* no audio either way
* I've added NAT port forward; in this 11.22.33.44 is my WAN address
Interface Proto    Address    Ports    Address      Ports      IP      Ports    Description
LAN    TCP    *      *      LAN address 80, 443      *      *      Anti-Lockout Rule
WAN    UDP    *      *      11.22.33.44    5060 - 5061 10.10.20.20      5060 - 5061    IncredPBX
WAN    UDP    *      *      11.22.33.44    10000 - 20000 10.10.20.20 10000 - 20000 IncredPBX

* doing that auto-added the Firewall Rules
Protocol    Source    Port    Destination    Port    Gateway    Schedule    Description
IPv4 UDP    *    *    10.10.20.20    5060 - 5061      *      *    IncredPBX 1.1
IPv4 UDP    *    *    10.10.20.200    10000 - 20000 *      *    IncredPBX 1.2

* I've read some that suggest set NAT Outbound to Hybrid then build a manual rule; I built this but I'm not sure it's valid
- Destination = SIPstation which is an alias to trunk.freepbx.com + trunk1.freepbx.com + trunk2.freepbx.com
- Destination Port = SIPports which is an alias to UDP 5060:5061 + UDP 10000:20000
Interface Source    Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN     LAN net    udp/ *    SIPstation    udp/ SIPports Interface address    *      NO      IncredPBX

Pages: [1]