Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - sidekick

Pages: [1]

General Discussion / @meyergru - Re: OPNsense and AES/AES-NI

« on: July 21, 2023, 07:13:39 pm »

Hello meyergru
Thank you for the brief but helpful response - and the link! Much appreciated. Well, I'll just have to find another use for my boards, whenever and whatever that may be.
Thanx again
Edwin

General Discussion / OPNsense and AES/AES-NI

« on: July 19, 2023, 09:00:13 pm »

Hello everybody

I picked up two old jetway ITX motherboards with built-in cpu's, for next to nothing at a charity fund raiser. The pair would make ideal HA OPNsense firewalls, since they each have four Gigabit NICS. Unfortunately, they have two flaws that may make or break my dream of building a HA "cluster" of OPNsense firewalls
Firstly, they have old Intel Atom D525 64bit cpu's - dual core and no AES/AES-NI.
Secondly, the motherboard only supports a maximum of 4GB ram.

I am running a home lab with a few single board computers using docker swarm, a database, file server (NAS), etc. for development and also seven live, low use websites. My current HA OPNsense firewall is made up of two identical desktop motherboards (the only "big" boards in my home lab), each with an i5 gen 8 cpu, 8gb ddr4 ram and one onboard Gigabit NIC (two dual NIC cards added in PCIE slots, giving me 5 NICs each).

Which brings me to my obvious question: Will my new motherboards be good enough for OPNsense for at least the next three years?

Thanx in advance.

Edwin

General Discussion / Help to setup Haproxy firewall rules

« on: April 13, 2023, 12:57:56 pm »

Hello everyone
Sorry I accidentally had this in Tutorials/FAQ forum.
I've been searching for days to find a solution, and I have tried many examples I encountered, but none have worked for me so far. I think its the firewall rules that are giving me hell. So I hope I will get some help on this forum.
Here is my plan: Run docker swarm on its own network via Opnsense/Haproxy. No ssl/tls/https/443, just http on port 80. I let traefik and docker handle https on the backend.
So far I have haproxy running, but haproxy stats page shows my backend servers as always down. Here is my haproxy auto-generated cofig file:
# Frontend: public (public)
frontend public
bind 0.0.0.0:80
mode http
option http-keep-alive
default_backend swarm

# logging options

# Backend: swarm (Docker swarm managers)
backend swarm
# health check: health
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.1 hdr Host localhost
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server mngr21 192.168.81.21:80 check inter 2s port 80 proto h2
server mngr22 192.168.81.22:80 check inter 2s port 80 proto h2
server mngr23 192.168.81.23:80 check inter 2s port 80 proto h2

What firewall rules do I need for this to work?

Any help or links to documentation would be greatly appreciated.

Thank you

Tutorials and FAQs / Help to setup Haproxy firewall rules

« on: April 13, 2023, 04:06:45 am »

Hello everyone
I've been searching for days to find a solution, and I have tried many examples I encountered, but none have worked for me so far. I think its the firewall rules that are giving me hell. So I hope I will get some help on this forum.
Here is my plan: Run docker swarm on its own network via Opnsense/Haproxy. No ssl/tls/https/443, just http on port 80. I let traefik and docker handle https on the backend.
So far I have haproxy running, but haproxy stats page shows my backend servers as always down. Here is my haproxy auto-generated cofig file:
# Frontend: public (public)
frontend public
bind 0.0.0.0:80
mode http
option http-keep-alive
default_backend swarm

# logging options

# Backend: swarm (Docker swarm managers)
backend swarm
# health check: health
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.1 hdr Host localhost
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server mngr21 192.168.81.21:80 check inter 2s port 80 proto h2
server mngr22 192.168.81.22:80 check inter 2s port 80 proto h2
server mngr23 192.168.81.23:80 check inter 2s port 80 proto h2

What firewall rules do I need for this to work?

Any help or links to documentation would be greatly appreciated.

Thank you

General Discussion / Do I need a DMZ when haproxy is in OPNsense?

« on: March 19, 2023, 08:21:02 pm »

Hello all
I am a bit confused so my question may seem quite silly.
My previous dev setup was all local. I had vlans setup on my managed switch. So haproxy was a standalone pc, hitting on the docker swarm managers which in turn hit on the docker swarm workers. It all worked well even with traefik and letsencrypt on the mangers, issueing certificates and load balancing everything. I could run domains I had registered, for short periods, for testing and https purposes.
Now the plan is to put the firewall (Opnsense) in front of the swarm, using the built-in haproxy plugin to hit the docker swarm managers in the back. That's the plan.
But I have been battling with the question of whether I now still need a DMZ zone. If Haproxy is run as a Opnsense plugin, doesn't that make Opnsense a loadbalancer/proxy? And if so, isn't Opnsese (or a part of it) also a DMZ?
Or do I have it all wrong? If haproxy will now be an opensense plugin, do my docker swarm managers still have to remain in a DMZ?
Your input will be highly appreciated.
Thank you

Pages: [1]