Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - mauro

Pages: [1] 2

Virtual private networks / Re: Navigate the wireguard subnet

« on: April 15, 2024, 01:17:07 pm »

Hi there,

still working on it and further helps are welcome

After checking around I thoungt that assigning IP as X.X.X.X/32 to peers will cause the issue.

I changed all confs but it seams nothing has reall changed so I was possibly wrong.

Thanks for helping

Virtual private networks / Re: Navigate the wireguard subnet

« on: April 10, 2024, 12:07:30 am »

thanks Patrick for your prompt reply.

I think I have the settings correct as far as I can connect to the server and ping it with no problem. By all mean, I list below briefly my configuration but unfortunately I don't know where the proper config files are stored

Server side
Instance setting

Code: [Select]

Name: wg1
public and private key self generated
Port: 51820
tunnel address: 192.168.2.1/24
Peers: list of peer I allow to connect to this instance

Peer setting (one for all)

Code: [Select]

name: wg1_peer1
public key: as generated by the client
allowerIPs: 192.168.2.100/32 (the other peers have different IPs but same subnet)
endpoint address: blank
Endpoint port: blank
Instance: wg1

Local config file (wg1_peer1):

Code: [Select]

[Interface]
PrivateKey = XXXXXXXX
Address = 192.168.2.100/32


[Peer]
PublicKey = YYYYYYYY
AllowedIPs = 192.168.2.0/24
Endpoint = example.domain:51820

my doubt now about this issue is a forwarding problem. I have also an openvpn server set up and I can surf the openvpn net but obviously on different IPs. Is there anything I might need to specify to wireguard instance?

Regarding firewall rule, there is only one under the wg1 instance which allow everything from everyere

Cheers

Virtual private networks / Navigate the wireguard subnet

« on: April 09, 2024, 01:38:54 pm »

Dear all,
I got stuck somewhere with Wireguard and can't get my head around.

I've installed wireguard and set up an instance which I can reach and connect to. I can ping the WG server with no problem

At the moment I can't connect to the other machines connected to the same WG instance. If I try to ping the IPs all packets are lost. every PC can instead ping the server and revers.

I followed the official OPNSense tutorial but still no clue about why this is happening

Does anyone have sone leads to follow?

thanks

Tutorials and FAQs / Re: FTP Proxy Howto

« on: June 13, 2023, 11:54:28 pm »

Dear all,

I would say I followed this tutorial but I'm still not able to connect to the local FTP server.

I only need to set up access to a local FTP from the LAN to start and then from the WAN once everything works

These my steps not far from this tutorial
-create an alias FTP proxy server: 127.49.49.1
- FTP PROXY - loopback ftp proxy server, 127.49.49.1:8822 to FTP local Server IP:21
- LAN address NAT to ftp proxy server (TCP, LAN Address, dport 21 redirect to 127.49.49.1:8822)

If I check the log on the ftp server there is no logged connection from 127.49.49.1 and also no packets passed through the ftp iptables rules

Ftp proxy is up and running (green light in the dashboard and alocated web page) but seams not forwarding the info. Has anybody faced similar issue?

Thanks in advance

General Discussion / PPPOE and WAN configuration

« on: June 01, 2023, 11:18:49 am »

Dear all,
I have OPNSENSE connected via Ehternet cable to the Modem.

At the moment OPNSense manage the PPPOE connection

My questions are:
1) do I have to assign a network to the interface used between the modem and the FW?
2) which interface should be set as WAN the network to the modem or the actual PPPOE interface?

At the moment I've set the modem - fw network as WAN with related firewall rules but litterally all incoming connections are coming using the PPPOE interface.

Thanks for your advice

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 31, 2023, 12:07:29 am »

Quote from: TheHellSite on May 19, 2023, 09:20:51 am

This is the solution.
Quote
4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.

Hi @TheHellSite,

it took me the long way to figure out my issue was the map file.
At the moment I haven't understood what is the cause but so far I created several conditions and rules working fine. The map file will be the next step but for the moment, after so many efforts, I need to get away from Haproxy a little.

Thanks for your tutorial

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 18, 2023, 01:15:05 am »

Thanks again for your time.

As I said I'm new to revers proxy and I'm trying to learn. Your tutorial is for a plex server and I'm working on a webserver so at some point I need to take some decision/assumptions based on my understanding and it can be wrong but in the learning curve.

Going over your remarks:

Quote

1. Your apache is listening on port 80 (no ssl) and 443 (probably with ssl).

correct, 443 with SSL

Quote

2. My tutorial assumes that the user wants all connections to be upgraded from port 80 to 443, what you also configured by using the HTTP_frontend on port 80 with the HTTPtoHTTPS_rule.

this is also apache does for my application, redirect any call on port 80 to port 443 and use encrypted communication therefore so far your set up fit the requirements

Quote

3. The HTTPS_frontend has SSL offloading enabled, so it decrypts any connection and then forwards it to the real server based on the real server connection configuration.

Reading your tutorial #9 about SSL connection with the back end I thought ur set ups should work because u use an SSL connection to the plex server.
The webserver listen on port 443 with SSL
This is the tricky part for me and also from your notes I can't follow if and how I should change my reported setup.
Could you please be more specific?

Quote

4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.

I set up the webserver as u did for the SSL_backend. both listening to port 80,443 and both will use SSL on port 443. If the webserver backend should be different, can you please guide me how to adjust?

bottom line, I read the tutorial several time. This is the CLOSEST tutorial to my needs (u set up a ples server and I a webserver) I have found but not exactly what I need. In this difference come the potential confusion. If I knew what to do I didn't need a tutorial. I found online also other blogs and always arrived to a dead end with error 503. I mention it on previous post under this tthread already

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 17, 2023, 06:06:57 pm »

Quote from: TheHellSite on May 17, 2023, 12:05:48 am

@mauro
HAProxy config export and a basic network diagram. That is what you will have to provide now, not just error codes.

Roger, @TheHellSite

NETWORK Topography (simplified)

LAN (IP address) <--> | FW, lo_IP (127.x.x.x) | <--> DMZ (server_ip)

IP_Address is my FW LAN Address as per OPNsense meaning
lo_IP is the equivalent of your 127.4.4.3 but customized
server_IP is the static ip of the webserver in the DMZ network

To keep the webapp available from the outside world I have the SNI Frontend based on the LAN address, port 80,443. I'm doing this way because I already tried following your tutorial using the WAN address on the SNI frontend with same result plus server unreachable. I created a Firewall rule for LAN to acceppt incoming requests on port 80,443

HAProxy set up file:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 warning
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend (listening on LAN address port 80/443)
frontend 0_SNI_Frontend
    bind lan_ip:80 name lan_ip:80 
    bind lan_ip:443 name lan_ip:443 
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on lo_ip:80)
frontend 1_HTTP_frontend
    bind lo_ip:80 name lo_ip:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option dontlognull
    option log-separate-errors
    option httplog
    # ACL: NoSSL_condition
    acl acl_6462b25dd3fc08.98092716 ssl_fc

    # ACTION: HTTP2HTTPS_r
    http-request redirect scheme https code 301 if !acl_6462b25dd3fc08.98092716

# Frontend: 2_HTTPS_frontend (Listening on lo_ip:443)
frontend 2_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind lo_ip:443 name lo_ip:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6463bbbf543239.59805119.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option dontlognull
    option log-separate-errors
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_r
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645151c9cb3ae5.07476878.txt)] 

# Backend: s1_backend (s1 server backend)
backend s1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server s1_server server_ip 

# Backend: SSL_Backend (SNI backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server SSL_Server lo_ip send-proxy-v2 check-send-proxy



# statistics are DISABLED

Thanks a lot

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 16, 2023, 07:46:21 pm »

Hi there.

After last post Iand sugestion to follow the tutorial prior to ask advice, I did and I still end up with the same error when I try to browse the webapp

Quote

503 Service Unavailable
No server is available to handle this request.

So I assume:
redirect 80->443 is working fine because I start the connection on port 80
certificate is set well despite it is the staging one giving error

I'd say the issue lays between the firewall and the backend.

The backend (webserver) accept both on port 80 and 443 with a running cert for SSL connection. can this be an issue?

Considering I tried few tutorial included this one I think the issue stays withing the firewall.

The webserver is up and running and has no restrictions to the Apache ports

Any sugestion?

thanks a lot in advance

General Discussion / Dynu DDNS issues / bug

« on: May 10, 2023, 12:23:19 am »

Dear all,

I use Dynu for DDNS service and when the IP changes first I receve these error messages:

Quote

WARNING: found neither IPv4 nor IPv6 address
WARNING: XXXXX.net: unable to determine IP address with strategy use=cmd
Use of uninitialized value $ip in string at /usr/local/sbin/ddclient line 3658.
Use of uninitialized value $_[0] in sprintf at /usr/local/sbin/ddclient line 2179.

Checking the DDNS log I've noticed that after a while the client start to use the API and evenctually update the IP but after several tries.

Let me know if I'm possibly doing something wrong or if I can support with extra info

Cheers

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 09, 2023, 06:12:17 pm »

Quote from: TheHellSite on May 08, 2023, 08:54:15 pm

Honestly please just follow my tutorial. I will not provide support for something else here.
If you want to do it your way then just ask in the appropriate forum.
But I will say if you keep on testing your way you will need much more time.

If it is not working with my way you can simply disable the WAN firewall rule and re-enable the NAT portforward.
This way you can also test this.

I there, I followed the suggestion and at the end of the process i have this 2 issues which I can't figure out:
1) Certificate is not valid. I also run the ssllab test and I received the same answer (rating T) showing certificate not trusted
2) again error 503 Service unavailable

Checking the HAProxy log, it shows:

Quote

Informational haproxy public_IP:9911 [09/May/2023:17:25:07.299] 2_HTTPS_frontend/127.4.4.3:443: SSL handshake failure

which I think I solved removing the SSL tick on the real server set up. I have the apache virtual server only listening on port 80

#1: is it possible it is because at the moment I'm using a staging cert?

#2: this is the issue I'm investigating now for few days without any luck. I'll go over your tutorial but hints are welcome

cheers

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 09, 2023, 12:39:04 am »

hi @TheHellSite,

before posting here I posted in the general forum and considering nobody answered I thhought it was because there is a more specific tutorial.

Anyway, thanks for your help and your tutorial which I found very interesting and I'll give it a go asap with all features

Cheers

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 08, 2023, 04:16:12 pm »

503 Service Unavailable

Dear all,
at the moment I have my webserver onine with portforwarding and before move on with HAProxy I'm thinking to test it setting it up locally. To keep also setting simple and possibly easier I'm considering reverse proxy of port 80 only for test.example.com
In other terms (IP as reference):
LAN (192.168.1.0/24, LAN Address 192.168.1.1)--> |HAProxy| --> DMZ (webserver 192.168.2.0/24, server, 192.168.2.2)

The only achievement I reached so far when I try to browse test.example.com is

Quote

503 Service Unavailable
No server is available to handle this request

this is haproxy setup:

Quote

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 100
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc

# Frontend: test_http (Test http)
frontend test_http
bind 192.168.1.1:80 name 192.168.1.1:80
mode http
option http-keep-alive
default_backend example_backend

# logging options
# ACL: kanboard_c
acl acl_6452ce5a700492.11355253 hdr(host) -i test.example.com

# ACTION: kanboard_r
use_backend test_backend if acl_6452ce5a700492.11355253

# Backend: test_backend (example pool)
backend example_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server s1_server 192.168.2.1:80 proto h2

# statistics are DISABLED

Any hint?

Next step will be using SSL. the webapplication have individual SSL certificae which I think I can import in opnsense to set up HTTPS redirection. This will be next gig

I've flattened HAProxy few times and reset but I always end up with error 503

I checked the firewall LAN -> DMZ and I don't see anything blocking the connection..

Thanks and please let me know if I can provide more information

cheers

General Discussion / HAProxy - 503 Server Unavailable

« on: May 03, 2023, 05:39:38 pm »

Dear all,I'm new to the whole reverse proxy scene and this can be one possible reason of not getting things working.
At the same time I'm trying to follow tutorials and video getting anywhere.

I run OPNsense OPNsense 23.1.6-amd64 on an APU2C4 machine with PPPOEconnection over a modem

I've a webserver I need to be online and I'm using at the moment port forwarding PPPOE:80,443 -> DMZ:80,443. Let say I'm testing test.example.com (which is available from outside). The apache config doesn't redirect port 80 ->443 because I'm trying to keep things simple

At the moment I'm trying to create a reverse proxy using as frontend IP LAN Address.
So far I only manage to receive

Code: [Select]

503 Service Unavailable
No server is available to handle this request

I tried port 80 and 81 for the frontend, same result

I followed the documentation about HAProxy and below few lines from the log

Code: [Select]

[03/May/2023:17:10:43.527] test test/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>
[03/May/2023:17:11:13.163] test test/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
[03/May/2023:17:11:13.190] test test/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

I'm trying to test reverse proxy locally before move from port forwarding to reverse proxy.

I'm more then happy to share more information but I can't see which are the most relevant.

Any advice?

Thanks

General Discussion / Unbound DNS: Possible bug?!

« on: March 31, 2023, 12:47:43 am »

Dear all,

after messing up several days with Opnsense, I decide to start with a fresh installation.

I use an APU2C4 and installed OPN 23.1

The machine goes online

What I'm experiencing is that pc on both LAN and GUEST network do have problem to resolv websites.
I try:

Code: [Select]

ping 8.8.8.8 which is fine and if I try

Code: [Select]

ping ms.com it doesn't work

I checked Unbound DNS setups and I've seen that:

service listen to all interfaces
Access list shows the DHCPs of the 2 networks
Deny access is disabled

I had the same issue before the fresh installation but I though it was due to some mistake somwhere else. If it persist on a new installation then things are more serious

If needed I can pass more information and screenshots

Cheers

Pages: [1] 2