Messages - i716

#1
General Discussion / Re: Issue with VLANs
June 24, 2021, 03:06:50 PM
Solved!

I mistakenly set the ports 45 and 47 as tagged ports, and both the IPMI and UPS network cards have no VLAN set, whereas the Wifi-AP does. Therefore it could be accessed.
Changed the ports from tagged to untagged for VLAN99 et voilà, it's working.
#2
General Discussion / Issue with VLANs
June 24, 2021, 01:42:35 PM
I have set up 2 VLANs:
1) VLAN 3 (For Guest/IoT Network): 192.168.2.0/24
2) VLAN 99 (For management): 192.168.0.0/24
and there is the (native) VLAN 1 (main network): 192.168.1.0/24

Those VLANs are passed onto port 1 (a trunk port) of the switch where VLAN1 is the native VLAN.
Port 3 is connected to a Wi-Fi AP where VLAN 3 is the Guest network, (native) VLAN 1 is the main network and VLAN 99 is the management interface. Everything works great so far.

A few days ago, I tried to add the IPMI interface of a server and the network card of my UPS to that VLAN and tagged ethernet ports 45 and 47 on the switch for VLAN 99.
Both devices cannot be pinged, and a traceroute command shows only one hop from the main network to the 192.168.1.1 GW.
Then I tried to connect the Wi-Fi AP to the newly tagged port and I could access its configuration interface. Of course no internet connection as port 47 only carries the VLAN 99 - but that was expected.

So here's the question:
Why does only the AP work?
So the issue cannot be with the rules or the switch.

The switch configuration:


SSH@ICX6450-48 Router(config)#sh run
Current configuration:
!
ver 08.0.30uT313
!
stack unit 1
  module 1 icx6450-48-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 3 by port
tagged ethe 1/1/1 ethe 1/1/3
!
vlan 99 by port
tagged ethe 1/1/1 ethe 1/1/3 ethe 1/1/45 ethe 1/1/47
router-interface ve 99
!
!
!
!
!
errdisable recovery cause all
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
ip dhcp-client disable
ip route 0.0.0.0/0 192.168.0.1
!
username root password .....
snmp-server community ..... ro
!
!
clock timezone gmt GMT+09
!
!
ntp
disable serve
server 192.168.0.1
server 192.168.1.1
!
!
!
!
!
interface ethernet 1/1/1
dual-mode
!
interface ethernet 1/1/3
dual-mode
!
interface ve 99
ip address 192.168.0.250 255.255.255.0
!
!
!
!
!
!
!
!
!
end


The FW rule for the management interface:

Protocol | Source    | Port | Destination   | Port | Gateway | Schedule | Description
IPv4 *   | MNGMT net | *    | This Firewall | *    | *       | *        |
IPv4 *   | MNGMT net | *    | This Firewall | *    | *       | *        |
IPv4 *   | *         | *    | *             | *    | *       | *        |

* The last rule is not active but it does not change anything. Besides that, the Wifi-AP works fine with the same rules intact.
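To show why the tagged-only ports 45/47 dropped the untagged IPMI and UPS frames while the AP (which tags VLAN 99 itself) got through, and why switching those ports to untagged fixed it, here is an added example that is not code from this thread, from OPNsense or from the switch vendor: a small Python model of 802.1Q ingress over the posted "vlan ... by port" lines. It assumes that a port which is only a tagged member and not dual-mode has no PVID and discards untagged frames, and that bare dual-mode maps untagged frames to VLAN 1; the config text is constructed from the post.

```python
import re

# Constructed from the "vlan ... by port" lines of the posted ICX config
# (ports 45/47 tagged-only in VLAN 99) and the fix described in the reply.
BEFORE = """\
vlan 1 name DEFAULT-VLAN by port
vlan 3 by port
tagged ethe 1/1/1 ethe 1/1/3
vlan 99 by port
tagged ethe 1/1/1 ethe 1/1/3 ethe 1/1/45 ethe 1/1/47
interface ethernet 1/1/1
dual-mode
interface ethernet 1/1/3
dual-mode
"""
AFTER = BEFORE.replace(
    "tagged ethe 1/1/1 ethe 1/1/3 ethe 1/1/45 ethe 1/1/47",
    "tagged ethe 1/1/1 ethe 1/1/3\nuntagged ethe 1/1/45 ethe 1/1/47")


def parse_ports(config):
    """Map each port to its tagged VLAN set and its untagged (PVID) VLAN, if any."""
    ports, vlan, iface = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"vlan (\d+)", line):
            vlan, iface = int(m.group(1)), None
        elif m := re.match(r"interface ethernet (\S+)", line):
            iface, vlan = m.group(1), None
        elif (m := re.match(r"(un)?tagged (.*)", line)) and vlan is not None:
            for p in re.findall(r"ethe (\S+)", m.group(2)):
                entry = ports.setdefault(p, {"tagged": set(), "untagged": None})
                if m.group(1):          # "untagged": this VLAN becomes the PVID
                    entry["untagged"] = vlan
                else:
                    entry["tagged"].add(vlan)
        elif line.startswith("dual-mode") and iface:
            # dual-mode without a VLAN id: untagged frames go to DEFAULT-VLAN 1
            ports.setdefault(iface, {"tagged": set(), "untagged": None})["untagged"] = 1
    return ports


def ingress_vlan(ports, port, tag=None):
    """VLAN a frame on `port` lands in, or None if dropped (assumed: a tagged-only,
    non-dual-mode port has no PVID and discards untagged frames)."""
    # A port absent from the config is an untagged member of DEFAULT-VLAN 1.
    entry = ports.get(port, {"tagged": set(), "untagged": 1})
    if tag is None:                      # IPMI/UPS NICs send plain frames
        return entry["untagged"]
    return tag if tag in entry["tagged"] else None   # the AP tags VLAN 99 itself
```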
#3
General Discussion / VPN GW and NATed Webserver
May 18, 2021, 02:55:46 AM
A few days ago I replaced my aging Cisco ASA 5505 with a server running OPNsense. I am very happy with this product as it is (mostly) doing what it is supposed to do, and it comes with a nice, clean UI.

I have managed to set up OpenVPN with self-issued certs and pointed Cloudflare's DynDNS service to the WAN IP.
There are no issues regarding the updating of my external IP and I can access the VPN without any issues.

So here comes the question:
Since I only have one external IP (dynamic, but it usually doesn't change for months, unless the router is restarted), I would like to point all subdomains to that IP.
Normally I would just use a reverse proxy and set a rule in the firewall to forward the required ports to that machine, which then would forward the URL to the required webserver.

But I also use the Opnsense router as an OpenVPN Server which is listening on port 1194(?).
Now, I can set the subdomain vpn.domain.com to point at the external IP and VPN is connecting fine.

My requirements:
1) The VPN should only be accessible from this subdomain. (E.g. not if the user would change the *.ovpn file to something like web.domain.com)

2) If someone is accessing the subdomain web.domain.com, it should automatically open the website BEHIND the firewall. - On the other side, if someone types vpn.domain.com in their browser, it should not redirect to the webserver.

What would be best practice to achieve this? I know that OPNsense comes with packages like squid (or even an nginx plugin(?)), but I'm not sure if it is a good idea to let the FW/router work as the reverse proxy. The server running OPNsense definitely has enough power (multicore Xeon) for it, but I'm a little bit concerned security-wise.

Thanks in advance
Eric