Messages

1

General Discussion / Re: HAproxy plugin not working & giving "unknown directive"

« on: May 06, 2023, 05:11:19 am »

Whelp, after MANY hours spent wondering what could possibly be wrong it turns out that it was actually Prometheus Node Exporter.  I fat fingered the address when I put it in.  I understand this means I'm an idiot, but some sort of notification about this would be nice.  Or even stop the metrics but start HAProxy? At least that would help me narrow down debugging.

For anyone else who has this problem, is there a log that would show you this?  I knew to doublecheck check HAProxy's listening IP & port, but I didn't think to check the metrics.

2

General Discussion / Re: Simple Feature Request - Export/Save config before update

« on: May 05, 2023, 08:58:53 pm »

Hah, right? Everyone has some story (or will).  How do you do an automated backup? Where does the backup live?

3

General Discussion / Simple Feature Request - Export/Save config before update

« on: May 05, 2023, 08:34:19 pm »

Wanted to throw out a simple feature request--some form of idiot reminder to export your config before applying an update.

This could be as simple as a static string with a link to the backup/export page--or could be more complicated like storing whether there's been an export of the config.


Note: Tying it to time or change could also work.  Just though that dummy reminder could be appreciated!

4

General Discussion / HAproxy plugin not working & giving "unknown directive"

« on: April 29, 2023, 03:36:32 am »

I am trying to use HAProxy as a reverse proxy in OPNSense.  This SHOULD be straightforward (no?) but I'm getting some errors that are out of my depth....the current error is that HAProxy is refusing to start (immediately stops when start button is pushed).

I tried using the GUI to create the reverse proxy components and I believe they are all correct (test button says no issues).  However when I try to press start--it immediately stops. I don't see anything in any logs but I'm happy to look around more  if anyone knows some useful places to look.

Much troubleshooting & googling has gotten me to running the command below and seeing the following error:
"unknown directive '.'" from running

Code: [Select]

haproxy -c -f /usr/local/etc/rc.d/haproxy
I know that

Code: [Select]

. filename allows bash to source the file name, but I don't know whether that's standard in BSD or what would be required or missing for that to work.  It's also the first line in my file so it may be a red herring?  As I said, I'm out of my depth here! Any help is appreciated.

Also, no idea WHY I'm getting this problem.  If anyone could point me towards a default version of this file (and possible other files or tell me the best way to restore a default version of this file--I would happily try that too.

Thanks in advance!

5

23.1 Legacy Series / sshlockout (auto) rule blocking port 443

« on: March 29, 2023, 04:50:52 am »

I'm configuring a new OPNSense installation and I've been having trouble connecting to the webGUI when the firewall is enabled--which is problematic.

After some digging, I found an automatic rule to block all TCP traffic to 443 commented with "sshlockout". (See attached image)

I tried changing the default port for the webgui but this rule actively seems to track that.

What is creating these sshlockout rules? Why is something (seemingly) related to ssh creating a rule on port 443 (not just 22)? And how did you go about finding this out so I can do it if I run into other problematic automatic rules with minimalistic descriptions?


Image of full rules here because I couldn't get it below 300KB 
https://imgur.com/a/pxOSQct

Edit: I just realized I don't have any sort of auto-lockout rule!  Is that something I need to select outside of the wizard?

6

High availability / Re: HA with 3 nodes

« on: September 13, 2022, 06:40:49 pm »

I was just about to ask this too!

It seems trivial to do with CARP, but I don't see a way to sync any of the info to more than 1 node using PFSync

7

High availability / Re: am I using CARP incorrectly?

« on: September 13, 2022, 06:38:52 pm »

I hope so! I'm looking to do something similar (with less VLANs) but I don't see how else you do it unless you can change state of all VLANs/networks on change of CARP state (after all, OPNSense is aware of the state of all networks)?

8

General Discussion / Re: Interface bug (or misunderstanding)

« on: August 08, 2022, 03:23:50 pm »

Ok, found some more quirks.  I thought I had a functioning setup, the trick was to only add WAN interface on initial setup (not add LAN).  I later added a bunch of OPT interfaces.

Now, somehow, the firewall seemingly added rules about blocking BOGON/local IP addr on the WAN (I want those allowed & I am certain I unchecked those), and it moved the "anti-lockout rule" to one of the OPT interfaces.  Is there a way to disable those rules apart from the wizard?

I did not check this as I was adding the OPT interfaces as it did not occur to me that anything like this would happen >_<


As for the previous questions--I can't confirm I checked the firewall logs or applied the allow all rule when everything was in the correct state so it's hard to say as things have changed.  If I can get the "Automatically generated rules" back the way I want them, I will happily check firewall logs & try making an allow all rule again.  After going through the wizard I was able to get BOGON/localIP addr to be allowed on WAN (we'll see if that stays) but I was NOT able to change the anti-lockout rule from OPT1 to WAN.


Thanks for showing me the health check.  While it came out fine, I had not heard about that before, so that was a new one! Learned something new that will definitely be useful in the future

9

General Discussion / Re: Interface bug (or misunderstanding)

« on: August 06, 2022, 04:15:46 am »

DNS rebind check is disabled, but I'm currently accessing it via IP address.

Listen Interfaces is currently all (recommended & default) but I do want to make it only WAN eventually.

10

General Discussion / Interface bug (or misunderstanding)

« on: August 05, 2022, 04:45:16 am »

I'm doing weird things and I found OPNSense behaving different than I would expect.  Is it a bug or a misunderstanding on my part?

I am trying to setup OPNSense to have the web interface accessible on the WAN! (Don't worry, it's nested behind a standard OPNSense router so WAN != internet for THIS router)

I have been having weird issues with this setup, and I eventually did a factory reset of OPNSense & I noticed 2 things:
1) A package (HAProxy) is still installed.  While I'm happy it's there as I did want it, I don't know if there's a separate way to clear packages if that's not desired?
2) The web interface stopped working when I tried to access it via the WAN.

#2 made sense, as the sane default is WAN block all & LAN allow all.  No big deal, this is good design & I proceeded to disable the firewall with the cli "pfctl -d".  And as expected, it worked like a charm, webgui was there

The problem arose when I went through the wizard and allowed bogon & private networks on the WAN (remember, not the internet in this case).  I checked firewall rules, and WAN even has the "anti-lockout rule"! Great! Exactly what I want, now just "pfctl -e" and -- wait, now I can't access the webgui.  "pfctl -d" and the webgui loads.

So my question is, why is the webgui blocked by the firewall on the WAN even with the anti-lockout rule on the WAN?  I have no manually set firewall rules & have done nothing beyond the wizard.

Is there another toggle somewhere I'm missing to prevent this (as, I get it, this is normally a terrible design)? Or is this just a design nobody ever tested?



Notes:
I'd be happy to explain my setup if that's needed to debug -- whether the solution is re-architect my network, fix this "bug" (if it is a bug), or find a hidden toggle--please let me know! I want to get this system to a stable & functional state.

If there's any logs/debug info that would help please let me know what it is!

Attached is a screenshot of the firewall rules on the WAN.

11

General Discussion / Difference in WAN vs LAN vs OPT (specifically regarding webgui access)

« on: July 20, 2022, 05:57:04 pm »

I'm running into a weird issues that are making me question some underlying assumptions about OPNSense...and I'm not quite sure where the issue is since there's two routers....but they're both OPNSense so here it goes:

The network was designed to allow internet access to a specific part of the network but limit the visibility of that part of the network.  I also wanted to keep the primary router as simple as possible so that a bad config doesn't take internet down.  Anyway, this image is an overview of the network (simplified but should have everything needed), I've got a main router that has VLANs for my LAN & my Server.  The Server has a 2nd router on a VM that has an internal network connecting to other VMs that actually have the webfacing services.  So far this seems pretty straightforward--but this is where things get confusing!

On a fresh install of OPNSense on Router #2 the default assignment is LAN to Database & WAN to Router #1 & OPT #1 to WebServices.   This seems fine to me, since I think the default gateway is the WAN so OPNSense will look for the internet on the WAN.  So far so good, except for getting to the web interface to config (I'm trying to get there from my LAN).  This problem held even after disabling the firewall via console

Code: [Select]

pfctl -d

Further weirdness when I tried to ping the WAN on the router #2:  Router #1 could ping it fine from OPT1 interface just fine but not from router #1 LAN interface, but router #1 LAN can ping other devices on router #1 OPT1 just fine (and is allowed to ping all from it's own firewall rules)

I should also mention that router #2 WAN is getting dhcp (static assignment) from router #1 just fine, so it does not seem to be firewall issues.

Furthermore, if I swap interfaces so router #2 LAN is facing the primary router, then I can access router #2 webgui just fine, and ping it from everywhere!

All of this has me wondering about an assumption I've been making:  Are all ports (LAN/WAN/OPT) from the perspective of OPNSense the same.  I mean, sure there are default differences (the lockout rule on LAN & default gateway to WAN, plus the default block all on WAN and allow all on LAN) but if those were changed, would there l be any OTHER differences that are not apparent?

I suppose a follow-up issue here is how to assign the interfaces on the 2nd router, if there's a better approach to that.