OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of zerwes »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - zerwes

Pages: [1] 2 3 ... 9
1
22.1 Legacy Series / Re: Floating rule issues
« on: May 20, 2022, 07:26:15 am »
https://docs.opnsense.org/manual/firewall.html#processing-order
And the "quick" setting might be important here ...

2
Development and Code Review / Re: Python Jupyter Notebook for Generating OPNsense Configuration XML Files
« on: May 19, 2022, 07:33:00 am »
Quote
... I will push to Github and you can take a look.
Great! Always interested and curious
Quote
There is a new feature in OPNsense that allows the importer to find CDs, and this fits perfectly.
Yes, I have followed the thread and seen the new feature with interest too ... The ideal for me would be a similar process like we do for linux since ages: build a customized preseeded cd image that will bring up the device with a working basic configuration and pass it over to the config management tool in use for finishing ...
Quote
For WireGuard, because it is a plugin, there needs to be a triggering event for the packages for the plugin to be installed.
Thanks for the hint, but I am aware of this ...
Using ansible we install packages and plugins too (https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-plugpack), but maybe something went wrong in the order ...
The trick with the update process sounds quite interesting ... will notice this, thanks.

Thanks for the feedback and looking forward for your github repo..

3
Development and Code Review / Re: Python Jupyter Notebook for Generating OPNsense Configuration XML Files
« on: May 18, 2022, 11:42:23 am »
Sounds interesting ...
btw. the ansible playbook I linked surely can be used to create a initial config:
https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-playbook/blob/main/firewalls.yml#L24:L31
and we use it right this way: initial deploy and continuous maintenance based on the same tool and configuration  ... but that is another story, don't mind ...

Is the wireguard cfg you generate working if you apply it on a virgin install?

In the env where we use the generated cfg from scratch we use IPSec VPNs, and these work out of the box: (generate cfg, install opnsense, copy generated config.xml in place, reboot, works)
Just as a test  I tried once a device with additional wireguard config from scratch, but no wg instance was started ... as it is not our prod env and not the main problem at the moment, I did not dive deeper into it. (was at least more then a year ago, maybe the updates since then changed behavior ...)
Just interested if your approach creates a working wg config or the approach of just injecting a valid wg config in xml format is not sufficient ...

So some notes on the deploy experience would be appreciated ...

4
Development and Code Review / Re: Python Jupyter Notebook for Generating OPNsense Configuration XML Files
« on: May 13, 2022, 06:36:51 am »
off topic, as it is not a jupyter Notebook.
But the ansible playbook from https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense uses a (fetched) config.xml and ensures some settings based on configurations made in yaml files  before provisioning them back to the device ...
So if you skip the config.xml fetch and push step, you have the same effect ... validating could be surely be implemented if someone is willing to contribute this ...

5
General Discussion / Re: Unbound blocklists do not block subdomains
« on: May 12, 2022, 07:04:41 pm »
I have implemented this in our ansible role for unbound + dnsbl (https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound)
If I find the time, I can open a PR, or if you like, you can do this too .. the main lines are https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound/blob/main/templates/unbound-dnsbl-updater.py.j2#L82:L96 ... it is open source ...

6
General Discussion / Re: How to re-order firewall rules?
« on: May 12, 2022, 06:46:29 pm »
Quote
It is not as intuitive as it could be
... at least the docs are updated.

7
General Discussion / Re: Unbound blocklists do not block subdomains
« on: May 12, 2022, 05:39:00 pm »
I would prefer the usage of
local-zone: "donaldtrump.com" redirect
local-data: "donaldtrump.com A 0.0.0.0"
in order to block duck.donaldtrump.com and f... and s... etc…
As it will have the same behavior of returning 0.0.0.0 instead of NXDOMAIN ...

8
General Discussion / Re: How to re-order firewall rules?
« on: May 12, 2022, 07:26:28 am »
To give a broad hint here: if you miss something from the documentation fell free to complete it and create a pull request. Those who use the opnsense firewall regularly will find things obviously and will newer miss it from the documentation. Those who just start using it now are the people who should are not yet blind by habit and fill realize some things are missing ... everyone can help ...
https://github.com/opnsense/docs/pull/402

9
General Discussion / Re: How to re-order firewall rules?
« on: May 12, 2022, 06:34:30 am »
Quote
I don't think it's confusing at all.
I agree ... You just have to get used to it. So pointing the OP to the right direction it the way to help.
I just realized this is really missing in the docs ...
And regarding the confusing reordering: I think it is still better then those just allowing to push lines only step by step up and down one position ...

10
German - Deutsch / Re: Seltsames / DNS / Netzwerkproblem
« on: May 11, 2022, 08:14:10 pm »
Anhand nur der einen Zeile kann ich zwar nur mutmaßen aber in der Regel sind das nur callbacks z.B. mit RST flag die da geblockt werden (oft komisches Verhalten der Applikationen ...), ergo nicht mal wirklicher Traffic  ... das sollte IMHO nicht das große Problem sein, insofern davon nicht ganz viele im Log vorbeirauschen ...
Genauere Diagnose ist ohne exakte Beschreibung echt schwierig ...
Du müsstest schon etwas genauer beschreiben als "nur zur Hälfte die Weboberfläche" ... HTTP(S) funktioniert oder nicht, aber halbe Zustände kennt es IMHO nicht ... es sei denn dein VPN ist mehr als instabil und hat vielleicht noch MTU Probleme ...
Also: analysieren, auf den Kern herunterbrechen und dann kann wird einem in der Regel recht gut geholfen ...
BSP: analysiere mal den traffic mit tcpdump/wireshark wenn alles wie erwartet funktioniert und dann mit den Problemen. Mitschnitte vergleichen und schon hat man oft das Problem geknackt ...

11
General Discussion / Re: Hosting Unifi Controller behind HAProxy
« on: May 11, 2022, 04:56:51 pm »
Code: [Select]
$ curl -s  http://www.haproxy.org/ | grep -i "<title>"
    <title>HAProxy - The Reliable, High Performance TCP/HTTP Load Balancer</title>... no UDP mentioned there ...
AFAIK haproxy supports udp just for dgram syslog, no other udp is supported ...
And as portforwarding is working several layers below the URL, I am afraid you will be out of luck with this ...
Maybe nginx can help you here (but this is not my field of expertise ...)

12
German - Deutsch / Re: Seltsames / DNS / Netzwerkproblem
« on: May 11, 2022, 04:47:34 pm »
Von wo funktioniert nun was nicht so richtig? Vom RZ -> HQ?
Hier wären da die DNS Config der Geräte nicht ganz uninteressant ... ist die opn box als forwarder mittels dnsmasq oder unbound involviert?
Und natürlich FW Regeln auf der OPN und der HQ FW ...
Wenn ja, dann würde ich mal auf der opn box auf dem internen iface mittels tcpdump od.     Interfaces: Diagnostics: Packet Capture bei einem Verbindungsaufbau mal mitlauschen und prüfen was da schief geht oder im nichts landet ...


13
German - Deutsch / Re: OPNSense DNS Problem
« on: May 11, 2022, 02:52:17 pm »
dns diag nimmt die auf der opn configurierten dns server und versucht die abzufragen.
dns diag in der WEB Gui kann leider (noch) kein source interface/ip konfiguriert bekommen.
Hier kanns du entweder die console verwenden
bereits gechrieben:
Code: [Select]
dig +noall +answer -b LANIP @IPOFREMOTEDNS test.deoder
Code: [Select]
drill -I LANIP @IPOFREMOTEDNS test.deAnsonsten
System: Settings: General: DNS server options: Do not use the local DNS service as a nameserver for this system  UNCHECKED
Dann kannst du zumindest auf der OPNsense box auch namen auflösen die über unbound forwarding stattfinden.
Interfaces: Diagnostics: DNS Lookup wird aber ... leider immer noch nicht (zumindest nicht immer bzw. in allen Fällen) funktionieren, da .. siehe die Anmerkung mit der source IP am Anfang.
Aber "Do not use the local DNS service as a nameserver for this system" sollte schon mal helfen. (apply / save nicht vergessen)
good luck




14
German - Deutsch / Re: OPNSense DNS Problem
« on: May 11, 2022, 01:51:41 pm »
oder zum "schnell mal testen" auf der console
Code: [Select]
dig +noall +answer -b LANIP @IPOFREMOTEDNS test.de

15
German - Deutsch / Re: OPNSense DNS Problem
« on: May 11, 2022, 01:22:20 pm »
Wenn du die OPNSense box direkt via dig oder ähnliches abfragst, finktioniert da DNS, i.e. bekommst du eine Antwort?
Kannst du von der OPN Box denn DNS queries an die als Weiterleitungen eingerichteten Server erfolgreich absetzen?

Wenn DNS von der OPN Box via IPSec VPN durchgeführt werden soll, dann solltest du
Services: Unbound DNS: General: Outgoing Network Interfaces auf LAN setzen ...

Pages: [1] 2 3 ... 9
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2