Messages - patrick010

#1
Did you get Coraza working? As I understand it, it's the replacement for ModSecurity.
#2
While googling for an OPNsense-aware WAF I ran into OpenAppSec. This free WAF supposedly integrates with CrowdSec, so I was instantly curious. Has anybody here had experience running it together with OPNsense? Unfortunately it doesn't integrate with it, nor does it run on FreeBSD, so I'm curious about how to implement it as a standalone Docker container or VM. I must admit that I haven't looked into it much more than the introduction and some lightweight reading, but before diving into it I wanted to ask you guys first.
#3
Never mind the question below, I found it in /conf/config.xml.
I wonder why this isn't cleaned up upon uninstallation. What a mess!

==================

I've been experimenting with both HAProxy and the ACME client, and things have become messy.
So, my first idea would be to uninstall both and start anew. This isn't as straightforward as one would think, because the configs aren't deleted upon uninstallation of the plugins. So removal and reinstallation doesn't mean a clean setup; all the old and messy configs are still there.
How do I clean up these configs so I can make a fresh start? Where are these configs stored? Hopefully not in some megalithic XML file :-\
#4
I'm following this great tutorial, but am running into some issues:
First, the VIP doesn't work. As soon as I create the HTTP_frontend Public Service (Part 5, step 10) and apply, HAProxy doesn't start anymore. When I leave the VIP part out and use localhost, it does work.
Furthermore, when I get to Part 6, Option B step 2, a NAT rule which supposedly is created in Part 4 - Step 3 must be altered. However, in that particular step no NAT rule is created, only a WAN rule. Did I somehow miss this NAT rule?
Lastly, I get a 503 when I try to browse to the public URL. I can curl the server's IP from the OPNsense shell and from my PC. Is this the missing NAT rule?
Should anyone want to take a look at this, my config is attached :)
Oh, and I'm on OPNsense 23.7.7_3
#5
I know, my home office is set up like that. But this particular situation is logistically difficult, so for the time being I have to settle with a little less desirable config. Whenever I get the chance I will most certainly replace the router with a managed AP.
#6
That would be an idea, yes. I'd prefer having HA firewalled, but as it relies on mDNS discovery I foresee all kinds of problems putting it in a different VLAN. I think I'll go for your suggestion, Maurice.
Thanks
#7
Yes, that would solve it. However, it's a fiber router whose settings page is shielded from the end user, so replacing it with something else is next to impossible. The router is also in a remote location, 2000 km away from me, so going there and fiddling with it is also undoable. Asking the provider is also a mission impossible, because it's a Spanish ISP. Don't know if you've ever had to deal with anything Spanish, but let's say customer support is still in its infancy there ;)
The main reason for replacing the DHCP isn't so much security, but the horrendous DNS server on it. It doesn't register hostnames, so resolving a local domain isn't possible. OPNsense would solve all my problems, if only.
Maybe there's another way of doing this? Like putting OPNsense in the same subnet as the router? But then I have to configure OPNsense as a router, and I haven't found any clear info on how to do that.
#8
Hi everybody, I have a seemingly impossible situation for which I'd like to ask your help.
The situation is as follows.

I have a wireless internet router from my provider, which also serves as a DHCP server.
What I'd like to do is disable the router's DHCP and use OPNsense's instead.
The router has no DHCP relay option, so I can't forward the requests to OPNsense. But, the router being on the WAN side of OPNsense, I don't see how I can serve IPs to the IoT devices that connect to the wireless router.
The IoT devices need to connect to the Home Assistant server on the LAN side of OPNsense, which is on a different subnet than the ISP router.

Is there a way to achieve this?

I've tried to make sense of my situation in this drawing.

#9
Thanks for your thoughts. I'll get a decent router when I get back from my holiday in 2 weeks. I'm sure that'll help for the VLAN bit.

#10
Quote from: Seimus on June 22, 2023, 10:17:03 AM
In the GW configuration Egress Interface "LAN", that's the L3 interface to which you have the AP connected?

Yes, the AP is connected to LAN

Quote: Also your AP is a routed AP, not a dummy AP?

It supports port forwarding and I have forwarded all needed ports. It basically works, yet it's unstable.

Quote: On your AP you have several Subnets/Interfaces? One for the IP of the AP 192.168.10.0/24 and one for the Pi 192.168.1.0/24?

It has 192.168.10.3 on the LAN side (WAN for the AP) and 192.168.1.2 on the AP's LAN side.
When I connect wirelessly to the AP I get my 192.168.1.x from the AP's DHCP. (Assuming that's what you're asking.)

Quote: When you connect your Pi via WiFi does it get IP from 192.168.10.0/24 or from 192.168.1.0/24?

The Pi isn't getting a DHCP IP; it's fixed at 192.168.1.51 on eth0. WiFi is disabled on the Pi.

Quote: Also I forgot to ask before, how do you identify that you lose the connectivity to the Pi?

I have Home Assistant on the Pi and I get constant "Connection Lost" messages, and the GUI becomes unresponsive until the connection is reestablished.

Quote: As well you said static route keeps dropping, can you during the time, check routing tables and ARP tables on OPN and the AP?

Will look into this. I think I have to set logging to debug first (somewhere ;))

Quote: Why is your static route disabled?

Because it is unworkable. I now use a wireless connection through the AP, but want to have this routed. My ultimate goal is to make the 192.168.1.0 network a stretched VPN VLAN to a remote location. That's my next challenge.

I hear you think, why not make a 192.168.1.0 VLAN? I've been experimenting with that, but for some reason I can't get that to work (yet). Also, I need an AP in the VLAN for my IoT devices. It is a test setup for a to-be remote production location.

Maybe I should replace my crappy TP-Link TD-W9970 AP with a proper one that I can flash with DD-WRT, so I can make VLANs and working relayed DHCP. Any suggestions?

Thanks for helping me so far :)
#11
No, the Pi is wired to the AP, but can be connected to wirelessly. If I connect wirelessly the connection is stable. So it's either something with the AP, or the OPNsense config.
The AP is configured as a wireless AP and has all needed ports forwarded to the Pi.

GW config and routing is like this:

#12
Hi all,

First of all, I'm new to OPNsense, so my question might be based on a lack of knowledge.
My issue is that I have made a static route to a Raspberry Pi 4 that's connected to a wireless AP, but the connection is being reset every few minutes. If I connect to the Pi through the AP's WiFi, then everything is stable.
What I'm trying to accomplish is this:

I've added a gateway on LAN and a route through it pointing to 192.168.10.3. This basically works, but it's unstable.
I don't see anything happening in the logs, but it could be that I'm looking in the wrong place.
What am I missing?
Questions? Fire away :)