Messages - HamiltonWDS

1
General Discussion / Re: WAF for Online Website
« on: October 05, 2022, 02:19:09 am »
Ah, perhaps like this:
- WAN1 (11.11.11.11) receives the packets and passes onto WAN2
- WAN2 (22.22.22.22) then sends the packets to the Website
- The Website (33.33.33.33) processes and returns the packets back to WAN2
- WAN2 receives the packets and passes back to WAN1
- WAN1 sends the packets back to the user

I was able to get it working... well, with multiple devices in between, rather than a single firewall. Much like a Port Forwarding daisy chain with NAT Outbound Rules.
But for two interfaces on the same firewall, I haven't been able to try yet.
But it does look like it is:
- WAN1 Port Forward to WAN2
  (WAN2 will then send the packets to the website on its own, as it has its own Gateway)
- NAT Outbound to Manual, with Rule set:
-- Interface: WAN2, Source: Any, Source Port: Any, Destination: The Website's IP, Dest Port: HTTP (as example), Translation: Default, Trans Port: Default
--- Repeat for any other Ports

At that point there should be no rules needed for the returning packets, as the NAT Outbound would be returning those packets to WAN1.

Does that make sense?
I am hoping to give that a try later in the week.

2
General Discussion / Re: WAF for Online Website
« on: October 01, 2022, 12:13:23 am »
I have been able to send traffic, but only with one interface (not ideal for a few reasons).
- Port Forward from WAN (11.11.11.11) from Source: ANY to Destination: WAN Address (11.11.11.11) Port HTTPS, Redirect: 33.33.33.33 Port HTTPS
- NAT Outbound to Hybrid (or manual)
-- Rule set with WAN Interface, Source: ANY, Destination: 33.33.33.33, mapped to WAN Address

But to get it to the Second WAN Interface (22.22.22.22), though it should work similar to above:
- Port Forward, same as above, but Redirect to the Second WAN (22.22.22.22) Port HTTPS
- NAT Outbound similar, but replace First WAN with the Second WAN in both cases.
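The port forward plus outbound NAT pair from this post, and the five-step two-interface flow from the October 5 post above, as an added example that is not from the thread or from OPNsense: a small stateful model of the port forward (rdr/DNAT) on WAN1 and the outbound NAT (SNAT) on WAN2, tracing one request and its reply through the state table, which is why no separate rules are needed for the returning packets. The addresses are the thread's example ones; the client address, the client port and the translated port pool are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed addresses from the thread; CLIENT_IP is an assumed remote user.
WAN1 = "11.11.11.11"      # public IP the DNS record points to (port forward here)
WAN2 = "22.22.22.22"      # public IP with its own gateway (outbound NAT here)
WEBSITE = "33.33.33.33"   # the external site behind the "WAF"
CLIENT_IP = "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatChain:
    """Stateful model of: rdr on WAN1 -> route out WAN2 -> nat on WAN2."""

    def __init__(self):
        self.states = {}        # translated 4-tuple -> original request packet
        self.next_port = 50001  # translated source ports (pf's random pool, simplified)

    def forward(self, pkt):
        """Steps 1-2: translate a client request on its way to the website."""
        if pkt.dst != WAN1 or pkt.dport != 443:
            raise ValueError("no port forward matches; packet hits normal rules")
        after_rdr = replace(pkt, dst=WEBSITE)                     # port forward (DNAT)
        out = replace(after_rdr, src=WAN2, sport=self.next_port)  # outbound NAT (SNAT)
        self.next_port += 1
        self.states[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt):
        """Steps 3-5: match the website's reply to state and undo both translations."""
        orig = self.states.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            raise ValueError("no state entry; unsolicited packet is dropped")
        # The client sees the reply coming from WAN1:443, exactly as it addressed it.
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

def trace_round_trip(client_port=40000):
    """Return the packet as seen at each hop for one request/reply pair."""
    box = NatChain()
    request = Packet(CLIENT_IP, client_port, WAN1, 443)
    to_site = box.forward(request)
    from_site = Packet(WEBSITE, 443, to_site.src, to_site.sport)
    to_client = box.reply(from_site)
    return {"request": request, "to_site": to_site,
            "from_site": from_site, "to_client": to_client}
```

The website only ever sees WAN2's address, and a reply that has no matching state entry is refused, which is the stateful behaviour the "no rules needed for the returning packets" remark relies on.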

3
General Discussion / Re: Gateway group as the destination in firewall rule?
« on: September 30, 2022, 01:20:30 am »
Trying to load balance incoming traffic from an external source, well, that is different, as normally it is done for outgoing traffic from internal sources. I think you may need to explore a plugin for that purpose.
But it may work... though not likely; have you tried to use just "This Firewall" as the Destination?

4
General Discussion / Re: Using OPNsense as gateway to LANs
« on: September 30, 2022, 12:36:56 am »
If I understand correctly, you are using a dual firewall arrangement (OPNsense and Cisco ASA), which is therefore likely to have Double NAT'ting going on. Assuming that both the OPNsense and ASA are set to NAT'ting.
If that is the case, you can set either the ASA or OPNsense to use Static Routing, depending on which is easier.
In this arrangement, the ASA would be best to do so as it has just one internal link.
Unfortunately, I do not know how to do the Static Route for the ASA.

I have done static routes for a forward OPNsense firewall, but since this is at the backside, it should be the one handling the NAT'ting. Reason would be due to the amount of manual work needed for it and if different networks are involved.

For the ASA, the Static Route would need to designate the internal network (the link between the ASA and OPNsense; example 10.1.1.0/30 - ASA: 10.1.1.1, OPN: 10.1.1.2) and likely need a Gateway with it. Then if the ASA has something like OPNsense NAT Outbound, it would be (in OPNsense terms) set to Manual and create a Rule in which the WAN interface is tied to the Source Address of the Internal Network (10.1.1.0/30), with the Destination Address left blank.

5
General Discussion / Re: Help: Change Current WAN with new ISP Public IP
« on: September 30, 2022, 12:18:32 am »
Ah, glad you got it working.
I would recommend though to update to the latest version, unless there are legacy reasons not to of course.

6
General Discussion / Re: WAF for Online Website
« on: September 30, 2022, 12:07:27 am »
Thank you for the reply.
M'yeah, NAT'ting is the issue I am trying to solve; if it is disabled, would static routes be used then?
Outside of that, I am trying to figure out how to pass the traffic from the 11.11.11.11 Interface (in the diagram, from the user) to then go out from the 22.22.22.22 interface on its way through the Internet to the 33.33.33.33 webserver. As the 33.33.33.33 IP Address is outside of the 22.22.22.22 subnet.

I used "Client" to refer to a remote site, that is not part of the internal or local network. When using the word "remote", the majority of the searches lead to "remote access", hence I avoid using it. In this case, 'client' can be replaced with 'remote site'.

If an IPSec tunnel is used, I think it would make things easier (and more secure) as it would then be a matter of Port Forwarding or Static Routing, since the IPSec tunnel would have its own private IP network. Unfortunately, I am not able to take that option.

7
General Discussion / Re: OPNsense Keeps Booting and running from Live Mode.
« on: September 29, 2022, 02:31:38 am »
A couple of possibilities:
- Just in case this was not done, to be Capt. Obvious... shut down the machine and remove the ISO. Power up and see if it works.
- Otherwise, the WAN's IP Address with DHCP may be on the same subnet (192.168.1.0/24), and I have seen it cause issues when it is the same as the LAN's IP. Before installing, log in as "root" and change the LAN IP schema to something else, like 192.168.2.1/24. Then log out and log in as "installer".

8
General Discussion / Re: Help: Change Current WAN with new ISP Public IP
« on: September 29, 2022, 02:27:17 am »
When changing the WAN Static IP, for the Gateway, have you tried creating a new Gateway from within the WAN Interface?
That is, at the WAN Interface Config page, scroll down to IPv4 Upstream Gateway (I assume IPv4), and click the Plus sign (+).
- Select Default Gateway (checked)
- Provide a unique name (ex: WAN_GW_New)
- Gateway IPv4, set to the ISP's Gateway IP

This may work rather than creating a Gateway in the Gateways Menu (within System).

9
General Discussion / WAF for Online Website
« on: September 29, 2022, 12:40:47 am »
I am attempting to see how to implement OPNsense as a WAF in which the target system is an external site and not internal. I have provided a simple diagram to help better explain it.
I have done searches and reviewed HAProxy and Nginx, but have not been able to crack the puzzle of using another Public IP and not a Private IP, and especially when the Public IPs are all different from one another. So it is a networking issue I am trying to solve.

So the problem is:
A user types in a domain name (URL), which then goes to the assigned Public IP (ex: 11.11.11.11) from the DNS Records. This IP is the WAF's WAN, from which it exits from another interface (ex: 22.22.22.22) to then go back to the Internet to the client's Public IP. I assume that the WAF will need two Public IPs to support this.

I do understand there are some weaknesses, such as an attacker will discover the client network's IP and bypass the WAF.

So what are the settings or requirements to allow this to work properly?
Example: one WAN and an OPT (or LAN) configured with their own Public IPs, but then is there a 1:1 NAT involved? Or use HAProxy/Nginx with the target IP being the Public IP of the client.
Or is there material that helps to explain this that I have not yet found (And if so... where)?

10
21.7 Legacy Series / Re: 21.7.3_1 - higher system load after upgrade caused by Suricata
« on: October 18, 2021, 10:56:14 am »
I concur with the increase in CPU utilization, system loading and unstable packet performance with the latest update.
Using a virtual platform (Xenserver) with pass through network interfaces and clean install. Disabling Suricata and Netflow seems to help, but the WAN gateway is unstable (packet losses). Bandwidth also seems to be impacted as well.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved