Messages - sidekick

#1
Hello meyergru
Thank you for the brief but helpful response - and the link! Much appreciated. Well, I'll just have to find another use for my boards, whenever and whatever that may be.
Thanx again
Edwin
#2
General Discussion / OPNsense and AES/AES-NI
July 19, 2023, 09:00:13 PM
Hello everybody

I picked up two old Jetway ITX motherboards with built-in CPUs, for next to nothing at a charity fund raiser. The pair would make ideal HA OPNsense firewalls, since they each have four Gigabit NICs. Unfortunately, they have two flaws that may make or break my dream of building an HA "cluster" of OPNsense firewalls.
Firstly, they have old Intel Atom D525 64-bit CPUs: dual core and no AES/AES-NI.
Secondly, the motherboard only supports a maximum of 4 GB of RAM.

I am running a home lab with a few single board computers using Docker Swarm, a database, file server (NAS), etc. for development and also seven live, low-use websites. My current HA OPNsense firewall is made up of two identical desktop motherboards (the only "big" boards in my home lab), each with an 8th-gen i5 CPU, 8 GB DDR4 RAM and one onboard Gigabit NIC (two dual-NIC cards added in PCIe slots, giving me 5 NICs each).

Which brings me to my obvious question: Will my new motherboards be good enough for OPNsense for at least the next three years?

Thanx in advance.

Edwin
#3
Hello everyone
Sorry I accidentally had this in Tutorials/FAQ forum.
I've been searching for days to find a solution, and I have tried many examples I encountered, but none have worked for me so far. I think it's the firewall rules that are giving me hell. So I hope I will get some help on this forum.
Here is my plan: Run Docker Swarm on its own network via OPNsense/HAProxy. No SSL/TLS/HTTPS/443, just HTTP on port 80. I let Traefik and Docker handle HTTPS on the backend.
So far I have HAProxy running, but the HAProxy stats page shows my backend servers as always down. Here is my HAProxy auto-generated config file:
# Frontend: public (public)
frontend public
    bind 0.0.0.0:80
    mode http
    option http-keep-alive
    default_backend swarm

    # logging options

# Backend: swarm (Docker swarm managers)
backend swarm
    # health check: health
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.1 hdr Host localhost
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server mngr21 192.168.81.21:80 check inter 2s port 80  proto h2
    server mngr22 192.168.81.22:80 check inter 2s port 80  proto h2
    server mngr23 192.168.81.23:80 check inter 2s port 80  proto h2

What firewall rules do I need for this to work?

Any help or links to documentation would be greatly appreciated.

Thank you
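Added example, not from the original post and not generated by OPNsense: the same frontend/backend with the two settings that most commonly produce "every server DOWN" changed, with the original lines kept in comments for comparison. It assumes the managers expose plain HTTP/1.1 on port 80 through Traefik (not HTTP/2 cleartext), and that Traefik has no router matching Host "localhost", so the original OPTIONS check gets a 404, which `option httpchk` without an `http-check expect` treats as a failure. The hostname `swarm.example.com` is a placeholder for a Host that one of your Traefik routers actually matches. In the OPNsense plugin these are the "health check" and the per-server protocol fields, not a file you edit by hand.

```haproxy
# Added example: corrected backend for the "servers always DOWN" symptom.
# Not the poster's config; the OPNsense HAProxy plugin regenerates its own
# file, so change the equivalent fields in the GUI rather than this text.

frontend public
    bind 0.0.0.0:80
    mode http
    option http-keep-alive
    default_backend swarm

backend swarm
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe

    # Health check. The original was
    #   http-check send meth OPTIONS uri / ver HTTP/1.1 hdr Host localhost
    # with no "http-check expect", so only a 2xx/3xx answer counts as UP.
    # A reverse proxy with no router for Host "localhost" usually answers
    # 404 and every server is marked DOWN. Send a Host header a real router
    # matches (placeholder below) and state the status range you accept.
    option httpchk
    http-check send meth GET uri / ver HTTP/1.1 hdr Host swarm.example.com
    http-check expect status 200-399

    # The original server lines ended in "proto h2", which makes HAProxy
    # speak HTTP/2 cleartext (h2c) to the backend for traffic and, absent a
    # separate "check-proto", for the health checks as well. A backend that
    # only speaks HTTP/1.1 on port 80 then fails every check. Omitting
    # "proto" leaves HAProxy on HTTP/1.1, the default for "mode http".
    server mngr21 192.168.81.21:80 check inter 2s
    server mngr22 192.168.81.22:80 check inter 2s
    server mngr23 192.168.81.23:80 check inter 2s

# To see what the check really gets, reproduce it from the OPNsense shell
# (the check traffic originates from the firewall itself, so inbound
# interface rules do not apply to it):
#   curl -s -o /dev/null -w '%{http_code}\n' -X OPTIONS \
#        -H 'Host: localhost' http://192.168.81.21/
# A 404 here means the health check, not the firewall, is the problem.
```

If the curl above returns 2xx/3xx yet the stats page still shows DOWN, the remaining suspect is `proto h2`. The only firewall rule the client side needs is a pass rule on the interface where requests arrive, TCP to destination "This Firewall" port 80; HAProxy's own connections to 192.168.81.21-23 leave from the firewall and are permitted by OPNsense's default outbound policy.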
#5
Hello all
I am a bit confused so my question may seem quite silly.
My previous dev setup was all local. I had VLANs set up on my managed switch. So HAProxy was a standalone PC, hitting on the Docker Swarm managers which in turn hit on the Docker Swarm workers. It all worked well even with Traefik and Let's Encrypt on the managers, issuing certificates and load balancing everything. I could run domains I had registered, for short periods, for testing and HTTPS purposes.
Now the plan is to put the firewall (OPNsense) in front of the swarm, using the built-in HAProxy plugin to hit the Docker Swarm managers in the back. That's the plan.
But I have been battling with the question of whether I now still need a DMZ zone. If HAProxy is run as an OPNsense plugin, doesn't that make OPNsense a load balancer/proxy? And if so, isn't OPNsense (or a part of it) also a DMZ?
Or do I have it all wrong? If HAProxy will now be an OPNsense plugin, do my Docker Swarm managers still have to remain in a DMZ?
Your input will be highly appreciated.
Thank you