Messages - phamd4

#1
Hello,

Just letting you know everything works now. I went back, deleted and re-added the configuration in the DDNS, and it was able to update the IP address.

I had the exact same configuration and used the same token, and it works now but didn't before. I don't know what changed, but it worked. Thank you so much


Quote from: phamd4 on May 08, 2023, 12:14:36 AM
Hello sir,

Attached is my DDNS configuration.

I think I understand what you are saying a little bit. So what I configured is right, but you are afraid my DDNS doesn't push the right update to my deSEC domain, correct? I think I did it right, since my username is my domain name, i.e. "example.com", my password is my token, and the hostname is just my domain name, which is "example.com", correct? Or do you want me to have it at *.example.com?

The weird thing is everything was working well. It just suddenly doesn't resolve if I just type in example.com. I have to use mysubdomain.example.com to get it working.
#2
Hello sir,

Attached is my DDNS configuration.

I think I understand what you are saying a little bit. So what I configured is right, but you are afraid my DDNS doesn't push the right update to my deSEC domain, correct? I think I did it right, since my username is my domain name, i.e. "example.com", my password is my token, and the hostname is just my domain name, which is "example.com", correct? Or do you want me to have it at *.example.com?

The weird thing is everything was working well. It just suddenly doesn't resolve if I just type in example.com. I have to use mysubdomain.example.com to get it working.
#3
Hello,

Attached is my screenshot on my deSEC

main domain name is example.com
sub domain is truenas.example.com
DNS zone content (attached in screenshot)
DynDNS update followed your guide (using custom dyndns2); username is my domain, password is the token

I do hope I provided the information you asked for.

Thank you so much for your help
#4
Hello,

I read your suggestion and just blindly tried to add the A record in my deSEC with my public IP address and, voilà, I was able to access my public IP. May I ask what happened or changed? I apologize if my question is not very smart. If I add my A record like this, will I be able to have my IP address automatically updated? I know with your guide, through the token management, it receives IP updates from my OPNsense Dynamic DNS. However, if my record is using an A record, I have to manually enter the IP myself.

Thank you so much for your time.
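Posts #3 and #4 above describe the dyndns2-style update the OPNsense Dynamic DNS plugin sends to deSEC (HTTP Basic auth with the zone name as the user and the API token as the password, plus hostname and IP parameters) and the reply that comes back. The following script is an added illustration of that exchange, not code from the forum thread, OPNsense or deSEC: it builds the update request offline, keeps the token out of anything that would be logged, and maps the standard dyndns2 reply codes to an outcome. The endpoint URL is a placeholder assumption, and the reply strings used for the demonstration are constructed.

```python
"""Build and interpret a dyndns2-style update request (added example)."""
import base64
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

# Placeholder endpoint (assumption for this example); substitute the provider's real update URL.
UPDATE_URL = "https://update.example.invalid/nic/update"


@dataclass(frozen=True)
class UpdateRequest:
    url: str
    headers: dict


def build_update_request(domain: str, token: str, hostname: str, myip: str,
                         base_url: str = UPDATE_URL) -> UpdateRequest:
    """Compose the request the DDNS client would send.

    dyndns2 convention: Basic auth user = zone name (domain), password = token;
    the record to update and the address travel as query parameters.
    """
    ipaddress.ip_address(myip)          # reject garbage before it reaches the provider
    if not token:
        raise ValueError("token must not be empty")
    # A wildcard (*.example.com) or apex (example.com) hostname must belong to the zone.
    if not (hostname == domain or hostname.endswith("." + domain)):
        raise ValueError(f"hostname {hostname!r} is not inside zone {domain!r}")
    cred = base64.b64encode(f"{domain}:{token}".encode()).decode()
    query = urlencode({"hostname": hostname, "myip": myip})
    return UpdateRequest(url=f"{base_url}?{query}",
                         headers={"Authorization": f"Basic {cred}"})


def redact(req: UpdateRequest) -> str:
    """Loggable form of the request: the token never appears in logs or tickets."""
    return f"{req.url} [Authorization: Basic ***]"


# Standard dyndns2 reply tokens and what an updater should do about them.
_OUTCOMES = {
    "good": "updated",        # record changed to the given IP
    "nochg": "unchanged",     # IP already current; repeated sends count as abuse at many providers
    "badauth": "auth_error",  # wrong zone name or token: re-enter credentials (post #1's fix)
    "nohost": "host_error",   # hostname not in the zone or not permitted for this token
    "notfqdn": "host_error",
    "abuse": "blocked",       # client was rate-limited; stop and fix the update logic
    "911": "retry",           # server-side problem; back off and retry later
}


def classify_response(body: str) -> Tuple[str, Optional[str]]:
    """Return (outcome, ip-or-None) for a dyndns2 reply line such as 'good 203.0.113.10'."""
    parts = body.strip().split(None, 1)
    code = parts[0] if parts else ""
    arg = parts[1].strip() if len(parts) > 1 else None
    return _OUTCOMES.get(code, "unknown"), arg


def should_send(last_sent_ip: Optional[str], current_ip: str) -> bool:
    """Only push an update when the address actually changed, to avoid 'nochg' abuse flags."""
    return last_sent_ip != current_ip


if __name__ == "__main__":
    req = build_update_request("example.com", "constructed-token", "example.com", "203.0.113.10")
    print(redact(req))
    for reply in ("good 203.0.113.10", "nochg 203.0.113.10", "badauth"):   # constructed replies
        print(reply, "->", classify_response(reply))
```

The `redact` helper is the part worth copying into any real updater: a dyndns2 token is a bearer credential for the whole zone, so diagnostic output should never contain the Authorization header.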
#5
Hello sir,

Thank you for getting back to me.

Attached is my HAProxy config

Services: HAProxy: Config Export

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_630c2xxx9944 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_630c25xxx249944

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/630c280xxx7137226.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_630c2982907624.21524463 src 20.xxx.0/24 20xxx0/24 20xxx.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/630c2909dfxxx.10265915.txt)] if acl_630c2xxx7624.21524463
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/630c262xxx9c50.82551607.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: opnsense_backend ()
backend opnsense_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server opnsense_server 20.14.0.1:55443 ssl verify none

# Backend: truenas_backend ()
backend truenas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server truenas_server 20.xxx.4 ssl verify none

# Backend: proxmox_backend ()
backend proxmox_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server proxmox_server 20.xxx47:8xxx6 ssl verify none

# Backend: ad_backend ()
backend ad_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server ad_server 20.xxx.1:56xxx43 ssl verify none

# Backend (DISABLED): proxmox_backend_1 ()

# Backend (DISABLED): truenas_backend_1 ()



# statistics are DISABLED




As for my domain for the certificate, I followed your guide and have it at
Common name *.xxxan.to

As for the DNS Zone I'm using your guide https://desec.io
CNAME is *.mydomainname.to
I don't have A record (I didn't see it in your guide)

I checked and my dynamic DNS client still updates my IP address to deSEC. Also, when I tried to restart my authentication service, I see my token on deSEC being renewed. So I think that aspect works.

I can access my domain if I have that server running, i.e. adguard, plex. However, if I just type in my domain name, it doesn't resolve to my public IP anymore. I think it's at the deSEC end, but I've tried to add and delete my domain and nothing seemed to work.
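The HAProxy config export in post #5 above shows the pattern a reviewer looks at first: every backend's `server` line ends in `ssl verify none` and the comments say health checking is disabled, while the HTTPS frontend does set a Strict-Transport-Security header. The script below is an added example, not code from the thread, OPNsense or HAProxy: it parses a config export of that shape into sections and reports the same three things a security review of such a config would raise. The sample config embedded in it is constructed to resemble the export (placeholder addresses and paths), not copied from the post.

```python
"""Lint an HAProxy config export for backend TLS and health-check settings (added example)."""
from dataclasses import dataclass, field
from typing import List

SECTION_KINDS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample in the shape of the OPNsense export; addresses and paths are placeholders.
SAMPLE_CONFIG = """\
#
# Automatically generated configuration.
#
global
    daemon
    log /var/run/log local0 info

defaults
    mode http
    timeout client 30s
    timeout connect 30s
    timeout server 30s

# Frontend: 1_HTTPS_frontend
frontend 1_HTTPS_frontend
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/example.certlist alpn h2,http/1.1
    mode http
    use_backend app_backend

# Frontend: 1_HTTP_frontend
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    http-request redirect scheme https code 301 if !{ ssl_fc }

# Backend: app_backend
backend app_backend
    # health checking is DISABLED
    mode http
    server app_server 192.0.2.10:8443 ssl verify none

# Backend: checked_backend
backend checked_backend
    mode http
    server checked_server 192.0.2.20:8443 ssl verify required ca-file /usr/local/etc/ssl/cert.pem check
"""


@dataclass
class Section:
    kind: str
    name: str
    directives: List[List[str]] = field(default_factory=list)   # tokenised lines


def parse_haproxy(text: str) -> List[Section]:
    """Split an export into sections; comments and blank lines are dropped."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if not raw[0].isspace() and tokens[0] in SECTION_KINDS:
            sections.append(Section(tokens[0], tokens[1] if len(tokens) > 1 else ""))
        elif sections:
            sections[-1].directives.append(tokens)
    return sections


def lint_haproxy(text: str) -> List[str]:
    """Return human-readable findings, one per weak setting."""
    findings: List[str] = []
    for sec in parse_haproxy(text):
        if sec.kind == "backend":
            for d in sec.directives:
                if d[0] != "server":
                    continue
                server = d[1]
                # 'verify none' accepts any certificate: the proxy-to-backend hop can be intercepted.
                if "ssl" in d and "verify" in d and d[d.index("verify") + 1] == "none":
                    findings.append(f"{sec.name}/{server}: TLS to backend with certificate "
                                    f"verification disabled (verify none)")
                if "check" not in d:
                    findings.append(f"{sec.name}/{server}: no health check ('check' missing)")
        elif sec.kind == "frontend":
            tls_bind = any(d[0] == "bind" and "ssl" in d for d in sec.directives)
            hsts = any(len(d) > 2 and d[:2] == ["http-response", "set-header"]
                       and d[2].lower() == "strict-transport-security" for d in sec.directives)
            if tls_bind and not hsts:
                findings.append(f"{sec.name}: TLS listener without a Strict-Transport-Security "
                                f"response header")
    return findings


if __name__ == "__main__":
    for finding in lint_haproxy(SAMPLE_CONFIG):
        print(finding)
```

Run against the actual export, the lint would flag each of the four `ssl verify none` servers; the fix is `verify required` with a `ca-file` that trusts the backend's issuer (or the backend's own certificate pinned), which is what `checked_server` in the sample shows.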
#6
Hello sir,

I followed your guide and everything worked for the past year. However, today, for some reason, my server doesn't respond to my domain anymore. I have adguard and truenas set up, so when I run those commands ad.xxxx.xxxx, it resolves. However, if I just run mydomain.xxx, then it doesn't resolve to my public IP address anymore.

May I ask what may be the problem?

Thank you so much for your time, sir.
#7
Hello everyone,

I'm currently running OPNsense 22.7.10_2-amd64.

Before the update, I was able to access my SMB drive via WireGuard. However, after the upgrade, I seem to not be able to connect to my TrueNAS server when connecting via WireGuard. I've tried to ping my TrueNAS server within my local network and it worked. However, when I connected via WireGuard, I cannot ping nor access the SMB share drive from the TrueNAS server. I tried to ping other servers and other devices on my local network while connected to WireGuard and I can communicate. However, only the TrueNAS server is the one that is giving me problems.

May I ask if anyone is having the same issues?

Thank you
#8
22.7 Legacy Series / Cannot call FaceTime
August 29, 2022, 08:09:22 PM
Hello everyone,

I'm running into a problem and I hope that someone can help point out what happened to my firewall that it doesn't allow me to do FaceTime video or audio calling.

Currently I'm running OPNsense 22.7.2.

My setup: ISP's router -> OPNsense -> W access point (I have to run behind the ISP router because I'm renting the place)

Right now I have HAProxy + Unbound DNS + AdGuard running DNS over HTTPS.

Everything worked well and I don't remember having changed anything, but for some reason my FaceTime video/audio calling doesn't work.

I looked it up on Apple support and they recommended certain ports to be open, so I did allow the rules on the WAN and LAN ports, but that seems not to be working either.

I'm not sure what more information I need to provide, but please let me know if there is anything else that you guys need me to provide.

Thank you all so much.

#9
Hello,

I finally got it.

I think my problem was that my Firefox browser kept pushing the connection to HTTP, thus my ISP router login page kept popping up. However, when I use Edge or Chrome, the HTTPS connection pushed through and I was able to access the service.

May I ask how I would fix this problem? I tried to delete the certificate from Firefox and tried to reinstall Firefox, but when I tried to access my service it kept telling me this connection is not secure and forced me to use HTTP.

Thank you again.
#10
Hello,

I think I figured it out.

My mistake was at the very last step, where you now have everything set up and the wildcard, which is *.zzzz.com. I copied the screenshot without understanding what I was doing, so I removed my host and kept it as zzzz, where my domain is .com, and I was able to access my TrueNAS.

Then I understood about the public and local domain: if I put my map at my local domain, then I can only access it via the local network. If I put it at the public map files, then I can access it from the external network and the local network. Do I have it understood correctly?

However, I have this one last problem I hope you can help me point out. I have AdGuard installed on the same IP as my OPNsense. I changed the HTTPS port of my OPNsense according to your guide, and the port AdGuard's web UI is listening on is also different. However, when I add them in the Real server according to the port they are currently listening on, I cannot get them working. It still happens that when my external network connects to it, I get the 503 error, which makes sense since I am only allowing local. But when I access them locally I hit the ISP main router login page.

I hope what I wrote makes sense. I'm so close; I hope someone can guide me in the right direction.

Thank you all.
#11
Sorry, I forgot to add my config log
#12
Hello,

I've tried a fresh reinstall of OPNsense and followed your steps again, and finally I got an A rating. Not A plus, but I think it worked.

Thank you so much.

This time I read your comment and got to access the local as well. However, for some reason I'm still getting blocked by my ISP router.

If I connect from an external network, I receive 503 Service Unavailable. I think this makes sense since I didn't allow external IPs to connect to my server yet (which is one of your last steps).

When I connect from my LAN network, my ISP router login page keeps popping up. I've tried to put my OPNsense router on the DMZ port and tried to port forward 80 and 443 of my router to the internal LAN IP address, but it still didn't work. I couldn't get past my ISP router's login page.

Thank you again for taking your time to write this.
#13
Hello,

Sorry for bothering you again. I had to restart my OPNsense because my Pi-hole was messing it up, so I did a clean install. However, this time I am getting stuck at the last step, verifying SSL to get the A+ score.

I received an error "Assessment failed: No secure protocols supported". I've tried to go back and double-check my settings and I couldn't find any error. I checked my ACME and it's registered; my cert is verified okay. The IP of my domain is updated automatically on the server.

My goal is to get this certified so I could use my domain to add to my AdGuard to implement DNS over HTTPS to block ads on that route as well.

I've also included the attachments you requested.

Thank you so much for your time.
#14
Hello,

Thank you so much for writing this guide.

I was able to get this working and got the A+ authentication as well as access to my server from an outside network. I tested using VPN and everything works, including the lock on HTTPS.

However, I'm running into a problem with the very last part, which is accessing my server using HTTPS within my network.

Attached is the screenshot of my settings in Unbound DNS. I also made sure that the Unbound DNS service is running as well.

Thank you again.
#15
Hello,

I'm running the latest update 22.1.10. I tried to download the AdGuard plug-in but couldn't find it when searching the plugin packages.

I've tried to run  fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf pkg update

but got this returned: "fetch: /usr/local/etc/pkg/repos/mimugmail.conf is not a directory"

May I ask if anyone happened to face the same problem?

Thank you so much