Messages - user_with_name

#1
I previously had a situation where both modem and Opnsense were tagged with PPPoE vlan 10. This obviously does not work. I had to then pass through PPPoE from modem to Opnsense and set vlan 10 in Opnsense. It worked.

So, can you please clarify if vlan2 is set up only in Opnsense on the Protectli box and not on the modem?
#2
General Discussion / Re: reverse ssh, but with a catch
February 07, 2023, 01:22:36 PM
I agree it's a valid option and that's what I use now. All I am searching for is an alternative.
#3
General Discussion / Re: reverse ssh, but with a catch
February 07, 2023, 01:07:31 PM
Quote: Why? Don't you trust VPN or SSH technology and modern cryptography?

If you open SSH, use public key authentication only, keep your private key on e.g. a Yubikey device ... there is no way in this universe someone will get unauthorised access as long as the key never leaves your possession.

The post is not about unauthorised access to a device or cryptographic technologies. It's about accessing the device without opening ports. As mentioned in the previous posts, if an ssh server is running in a vps, then there is no need to open ports as the internal device can already make a tunnel connection to the vps. I am looking into what if a vps is not an option.
#4
General Discussion / Re: reverse ssh, but with a catch
February 07, 2023, 12:43:00 PM
Quote: Would it not be simpler and just as safe/secure to have a small VM always on as a listening ssh server. Lock down the access to it from OPN and additional hardening on the VM itself with the likes of fail2ban, etc.?
Or maybe I miss something.

Wouldn't the firewall then need to have an open port for that small vm with a listening ssh server?
I am trying to find a way to access the internal networks behind opnsense at home without opening ports or using an ssh server on a vps.
#5
General Discussion / Re: reverse ssh, but with a catch
February 07, 2023, 11:19:23 AM
Thanks. I agree with updates wiping the config. I use the bind plugin for internal dns and wanted to have bind views. So, I modified the bind template. Now most times when there is an update to the bind plugin, it overwrites the template file, which I have to replace manually to get my bind views to work.

Thanks for sharing the article, I have come across knockd. It's interesting. Unfortunately, it's not secure enough, as the following two show:

https://vickieli.dev/system%20security/port-knock-sniffing/
https://security.stackexchange.com/questions/71134/is-there-any-practical-attack-on-port-knocking-method

I did find a couple of repos that discuss secure port knocking:
https://github.com/Jiab77/cryptknock  --> this repo was updated 7 years ago
https://github.com/moxie0/knockknock --> this repo was updated 11 years ago, from moxie0, founder of Signal messenger

Nevertheless, there is a detailed article about Single Packet Authorization (SPA) based on fwknop in the Ubuntu documentation here:
https://help.ubuntu.com/community/SinglePacketAuthorization

And one more article discussing port knocking with OTP: https://armin.su/port-knocking-with-otp-to-secure-ssh-port-53f2724a07cd?gi=9c55f87bc9c0

I will have to spin up an opnsense development vm and some test vms to explore by testing them.
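The sniffing weakness of plain port knocking and the SPA idea the post points to, in a toy illustration added here (this is not code from the thread and not fwknop's protocol or wire format): a fixed knock sequence is accepted again when a captured copy is resent, while an HMAC-authenticated packet carrying a timestamp and nonce is rejected on replay, when tampered with, or when stale. The shared key, the client id, the packet layout and the 30-second freshness window are all assumed values.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed layout of the toy SPA payload (not fwknop's format):
#   client_id (8) | unix time (8, big-endian) | nonce (16) | HMAC-SHA256 (32)
CLIENT_ID_LEN, TS_LEN, NONCE_LEN, TAG_LEN = 8, 8, 16, 32
PACKET_LEN = CLIENT_ID_LEN + TS_LEN + NONCE_LEN + TAG_LEN
WINDOW_SECONDS = 30  # assumed freshness window


class PlainKnockVerifier:
    """Classic port knocking: the secret is a fixed port sequence sent in the
    clear, so anyone who observes it once can send it again."""

    def __init__(self, sequence):
        self.sequence = tuple(sequence)

    def verify(self, observed_ports):
        return tuple(observed_ports) == self.sequence


def make_spa_packet(key, client_id, now=None, nonce=None):
    """Client side: one authenticated datagram. The MAC covers id, time and
    nonce, so a change anywhere in the body invalidates it."""
    if len(client_id) != CLIENT_ID_LEN:
        raise ValueError("client_id must be 8 bytes")
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = client_id + struct.pack(">Q", now) + nonce
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Server side: accept a packet only if the MAC checks, the client is
    known, the timestamp is inside the window, and the nonce is unseen."""

    def __init__(self, key, client_ids, window=WINDOW_SECONDS):
        self.key = key
        self.client_ids = set(client_ids)
        self.window = window
        self.seen = {}  # nonce -> timestamp: the replay cache

    def _expire(self, now):
        # Drop nonces that are too old to pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def verify(self, packet, now=None):
        """Return (accepted, reason). The MAC is checked before anything
        derived from the packet is trusted."""
        now = int(time.time()) if now is None else now
        if len(packet) != PACKET_LEN:
            return False, "bad length"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        client_id = body[:CLIENT_ID_LEN]
        ts = struct.unpack(">Q", body[CLIENT_ID_LEN:CLIENT_ID_LEN + TS_LEN])[0]
        nonce = body[CLIENT_ID_LEN + TS_LEN:]
        if client_id not in self.client_ids:
            return False, "unknown client"
        if abs(now - ts) > self.window:
            return False, "stale"
        self._expire(now)
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Constructed scenario: a capture of each scheme is resent a few seconds
    later. Returns what each verifier decided."""
    knock = PlainKnockVerifier([7000, 8000, 9000])
    captured_knock = [7000, 8000, 9000]

    key = bytes(range(32))  # constructed shared key, for the demo only
    spa = SpaVerifier(key, [b"laptop01"])
    captured_spa = make_spa_packet(key, b"laptop01", now=1_700_000_000)
    tampered = captured_spa[:-1] + bytes([captured_spa[-1] ^ 0x01])
    return {
        "knock_first": knock.verify(captured_knock),
        "knock_replay": knock.verify(captured_knock),
        "spa_first": spa.verify(captured_spa, now=1_700_000_005),
        "spa_replay": spa.verify(captured_spa, now=1_700_000_010),
        "spa_tampered": spa.verify(tampered, now=1_700_000_010),
        "spa_stale": spa.verify(make_spa_packet(key, b"laptop01", now=1_700_000_000),
                                now=1_700_000_500),
    }
```

The replay cache only has to remember nonces for one window, which is why stale packets are rejected before the cache is consulted; without the timestamp, the cache would have to grow forever. A real deployment also needs the clock skew between client and server to stay inside the window.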
#6
22.7 Legacy Series / Re: SSH Proxy / Jump Host
February 07, 2023, 10:56:16 AM
I would be hesitant to have ssh to the firewall from wan without a lot of restrictions. Instead, I would set up a tightly controlled management device behind opnsense and allow ssh to this device and use it as a jump host only via ssh keys.
But, since the setup which you have implemented already works for you, you can keep track of it and try it out for a few weeks.
#7
General Discussion / Re: reverse ssh, but with a catch
February 06, 2023, 10:12:48 PM
Yes, but that's something I am thinking about, how to leverage this ssh option without compromising the convenience of access. There is a mention of fwknop (link below) in this forum, a tool to port knock and allow temporary port opening. I am not familiar with the tool and have to explore it.

https://forum.opnsense.org/index.php?topic=23915.0

While I explore, I would like to keep third parties away as much as possible. Cloudflare tunnel is good but their ssl termination is a bit concerning for me as they might have the possibility to sniff packets in between.
#8
General Discussion / reverse ssh, but with a catch
February 05, 2023, 09:02:52 PM
I have been thinking about remote access to my services sitting behind a dedicated opnsense firewall at home. I see there are many options to achieve this including setting up vpn on opnsense or vpn on a vps or tailscale/zerotier, etc. I also see there is an option to set up reverse ssh to a vps-hosted ssh server, so that no ports need to be opened as the traffic originates from the inside.

But I had a thought: what if the ssh server is run on a laptop instead of a vps? I am not sure if this even makes sense or is doable; I would like to explore. The intention is to avoid opening any ports in Home-A and to avoid a vps. Opening a port in Home-B temporarily is fine.

Scenario: opnsense and homelab services are installed in Home-A. Home-B is a remote location where I go once a month. I also have two domains mydomainA.com and mydomainB.com. Both places have dynamic ip from the isp. I use ddns to update the dns entries on both places. I now need to set up reverse ssh to access Home-A from Home-B and set the ssh server on the laptop which I can switch on or off on-demand.

How to ensure the ssh connection is only established when the laptop's ssh server is switched on? One way I can think of is to set up opnsense to keep trying every 15 minutes for 10 tries to establish ssh pointed to the Home-B domain. Like:
ssh -R <port-on-laptop>:localhost:22 user@mydomainB.com
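The "keep trying every 15 minutes for 10 tries" idea from Home-A's side, as an added example that is not part of the original post or of OPNsense: a small Python script builds the reverse-tunnel ssh command, attempts it, and gives up after a bounded number of tries so nothing keeps hammering Home-B when the laptop is off. The user name, host name and port numbers are placeholders; the ssh options are standard OpenSSH client options.

```python
import subprocess
import time


def reverse_ssh_command(remote_user="user", remote_host="mydomainB.com",
                        remote_bind_port=2222, local_ssh_port=22):
    """Build the ssh argv run on the Home-A side. -R asks the laptop's sshd to
    listen on its loopback at remote_bind_port and forward to this host's
    sshd. User, host and ports are placeholders."""
    return [
        "ssh", "-N",  # no remote command, tunnel only
        "-R", f"127.0.0.1:{remote_bind_port}:localhost:{local_ssh_port}",
        "-o", "ExitOnForwardFailure=yes",   # exit instead of sitting there with no tunnel
        "-o", "BatchMode=yes",              # key auth only, never prompt
        "-o", "StrictHostKeyChecking=yes",  # the laptop's host key must already be known
        "-o", "ConnectTimeout=10",
        "-o", "ServerAliveInterval=30",     # notice a dead tunnel within about 90 s
        "-o", "ServerAliveCountMax=3",
        f"{remote_user}@{remote_host}",
    ]


def run_ssh(argv):
    """One attempt. True only when ssh exited 0; a laptop that is switched off
    makes ssh fail immediately, which counts as a failed try."""
    return subprocess.run(argv, check=False).returncode == 0


def retry(attempt, max_tries=10, interval=900, sleep=time.sleep):
    """Call attempt() up to max_tries times, waiting interval seconds between
    failed tries. Returns (succeeded, tries_used). sleep is injectable so the
    loop can be exercised without waiting 15 minutes."""
    for n in range(1, max_tries + 1):
        if attempt():
            return True, n
        if n < max_tries:
            sleep(interval)
    return False, max_tries


if __name__ == "__main__":
    # Meant to be started once (e.g. from cron on the firewall): ten tries,
    # 15 minutes apart, then give up until the next scheduled start.
    ok, tries = retry(lambda: run_ssh(reverse_ssh_command()))
    print(f"tunnel {'established' if ok else 'not established'} after {tries} tries")
```

Binding the forwarded port to 127.0.0.1 on the laptop means only someone logged in to the laptop can reach the tunnel, so the laptop's sshd does not need GatewayPorts and nothing new is exposed to Home-B's network. The Home-A side authenticates with a key dedicated to this tunnel, which is what BatchMode enforces.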
#9
22.7 Legacy Series / Re: SSH Proxy / Jump Host
February 05, 2023, 08:29:07 PM
Isn't this what the tailscale or zerotier plugin or vpn config enables, opnsense acting as a jump host?
#10
The previous solution with unbound interface outgoing is working only partially. For some reason unbound sends out queries on a random interface, causing wrong Views.
Can anyone guide me on what to do?
#11
I think I have figured it out.

Previous setup:
unbound listening on all interfaces; unbound outgoing interface set on wan and lan only.
bind listening on localhost and lan only

Present setup:
unbound listening on all interfaces; unbound outgoing interface set on wan, lan, opt1
bind listening on localhost, lan and opt1

Expected:

Lan IPs should get response from View-A only
opt1 IPs should get response from View-B only

Result: It's working. Now, opt1 IPs get response from View-B and Lan IPs get response from View-A. Can confirm using dig and can also see the view-based query logged in bind  :D

But, this works only for the very first lookup. For further lookups unbound is responding from cache. So, if Lan looked up a View-B domain, it gets NXDOMAIN, which is correct. But, a couple of seconds later when opt1 tries to do the same, it gets back NXDOMAIN from the unbound cache instead of getting the record from View-B.

How can I tell unbound to not cache and not respond from cache for specific domains?
#12
On my OPNsense device, Unbound@53 is set with a domain override for internal resolution of testsite.com to os-bind@5335. Bind serves as SOA for this domain with A records; CNAMEs and reverse zones are also set. In bind, named.conf, I have set up two different views with two acl lists. View-A is restricted only to acl-1 IPs because View-A serves the zone for the management network including the opnsense gui and has its A record fw.testsite.com pointing to 10.10.10.1 for example. View-B is set with entries for other services such as service1.testsite.com, service2.testsite.com and serves acl-2 IPs.

I used dig to verify this as follows:
- From a desktop within the management ip list, for fw.testsite.com I am getting a response from bind View-A as 10.10.10.1 and getting NXDOMAIN for service1 and service2. But, from a laptop with an ip under acl-2 I am still getting a response from View-A for fw.testsite.com and NXDOMAIN for service1 and service2. Can confirm from bind query_log that the response is from View-A.
- What is expected is any query from acl-2 ips should be responded to by bind View-B; particularly, fw.testsite.com should not be accessible for acl-2 ips.

- Curiously, when I do a dig with the bind port directly (dig -p 5335 @10.10.10.1 service1.testsite.com) I get correct responses from View-B and all works well. Can confirm from bind query_log that the response is from View-B. Similarly, dig -p 5335 @10.10.10.1 fw.testsite.com gives NXDOMAIN. All good.
- So, I can confirm a few steps here: dns is working, bind views are set correctly and working, unbound is forwarding the overridden domain to bind.

Now come the questions:
1) Is unbound sending the query to bind as if it's coming from the opnsense ip instead of the origin ip?
1.1) How do I tell unbound to not ignore or rewrite the originating ip so that bind can effectively respond with views?
2) In case it is not possible to use unbound and bind views together for the mentioned use case, should I simply use bind as main dns with internal resolution for testsite.com only and forward all other queries to unbound?
2.1) For now I wish to use unbound as main dns with bind for internal resolution as I can use A, AAAA, CNAME, MX, etc., with bind and not with unbound. But, open for alternative ways.

Thanks for your responses!