Messages - blackwing

#1
I am new to OPNsense and trying to learn. I recently set up an OPNsense that runs the nginx plugin with version 23.1 and followed a guide that I couldn't find anymore. Now I installed a new version, OPNsense 23.7.4, and couldn't make it run like it was on 23.1. On the firewall Log Files: Live View I saw that there is a rule that blocks the request on port 8080 (please see attachment), which I immediately found is an auto-generated rule, but I have a firewall rule that will let all pass on both LAN and WAN, just to see if that will work, but it doesn't behave like that and keeps on blocking it.

How can I pass through these auto-generated rules?
#2
23.7 Legacy Series / need help with nginx plugin
September 19, 2023, 05:47:45 AM
I'm running OPNsense 23.7.4 but only use it for the nginx plugin and firewall. I opened ports 80 and 443 on the WAN firewall, and I have a virtual IP to use as CARP. My upstream server is pointing to a VM in my system; I set my OPNsense GUI to open on a different port.

pfctl -d will let traffic flow to my upstream server, but when this is enabled it won't let the traffic in. I was able to make this work on version 23.1, but with 23.7.4 it won't work.

I also have accept-all rules in my firewall rules.
#3
23.7 Legacy Series / Re: NO plugins available
September 15, 2023, 03:20:47 AM
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.4 at Fri Sep 15 01:02:12 UTC 2023
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=57 time=150.329 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=57 time=147.039 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=57 time=142.024 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=57 time=142.005 ms

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 142.005/145.349/150.329/3.532 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 854 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING6(1548=40+8+1500 bytes) 2607:63c0:1:40::212 --> 2001:1af8:5300:a010:1::1

--- 2001:1af8:5300:a010:1::1 ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
***DONE***
#4
23.7 Legacy Series / NO plugins available
September 14, 2023, 09:39:21 PM
I installed OPNsense version 23.7 on a Proxmox VM; how do you guys install plugins? When I check the plugin page System > Firmware > Plugins, for 2 days now it is not showing a list of plugins, unlike in version 23.1.

I've run an update a couple of times now but no luck with the list of plugins that I can install.
#5
Is there a way to add shift_jis support to the nginx plugin in OPNsense? The only options that I see for the charset are utf-8 and none, but I want to load a page that is in shift_jis.
#6
General Discussion / ACME for own hosted DNS server
July 17, 2023, 05:49:10 AM
How do I add a DNS challenge to get a certificate for my domain when I have my own DNS server? On the challenge type DNS-01, what DNS service should I use?
#7
High availability / Re: IP Alias over HA
July 15, 2023, 05:18:49 AM
Quote from: pmhausen on July 14, 2023, 11:26:59 PM
I use a CARP/HA IP for each virtual public IP, because that's how I am used to doing it on other platforms, Cisco, Sidewinder, ...

Don't know if that is the canonical way on OPNsense, but "works for me"  ;)

The idea to use aliases never occurred to me, to be honest.


I tried your suggestion and it did work. Nice, thank you very much.
#8
High availability / Re: IP Alias over HA
July 15, 2023, 03:53:17 AM
The IP alias is for nginx to use when serving a domain.
#9
High availability / IP Alias over HA
July 14, 2023, 10:07:43 PM
I have multiple IP aliases on my Virtual IPs on the master; do I have to copy them manually to my backup? I notice that it's not copying them to my backup, but when I tried to copy it over my service went down and became inaccessible. Is there something that I am doing wrong with this setup?
#10
Never mind, I found it is on the adv
#11
I'm following a guide from this https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration
and I have OPNsense 23.1.11.

In my version of OPNsense I'm trying to look for these settings:

Advertising Frequency: Base 1 / Skew 0

but I only have

advbase

So I was wondering, how do I set up skew on this version of OPNsense?

#12
Quote from: sorano on June 29, 2023, 11:42:27 AM
Quote from: blackwing on June 28, 2023, 07:11:33 AM
Is it possible to use 1 public IP for the Public Service that will be used by different subdomains with port 80 as its port?

    sub1.domain.com Real Server  172.16.100.20 Port 80
    sub2.domain.com Real Server  172.16.100.21 Port 80
    sub3.domain.com Real Server  172.16.100.22 Port 80
with the condition prefix based on the subdomain

Public Service has the public IP 443 and 80

I was actually trying this setup but it ended up loading the same content on all subs.

Yes it is possible.

I would love to learn how to do it, because I've been stuck with the content of my other VM that should be on another subdomain showing up on the other subdomain.
#13
I need help with configuring HAProxy properly. I got this configuration from Config Export:

# Frontend: domain1 (domain1.com)
frontend domain1
    bind public.ip:80 name public.ip:80 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6491e75b20ea54.02766459.certlist
    bind public.ip:443 name public.ip:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6491e75b20ea54.02766459.certlist
    mode http
    option http-keep-alive
    default_backend domain1

    # logging options
    # ACL: domain1
    acl acl_6491e70d7556b9.18780762 hdr_beg(host) -i domain1.com

    # ACTION: domain1Rules
    use_backend domain1 if acl_6491e70d7556b9.18780762

# Frontend: tgwdomain1_PUBSERV (tgw.domain1.com)
frontend tgwdomain1_PUBSERV
    bind public.ip:80 name public.ip:80
    mode http
    option http-keep-alive
    default_backend tgwdomain1_BKENDSERV

    # logging options
    option httplog
    # ACL: tgwdomain1_COND
    acl acl_649cc5f09372a0.09326053 hdr_beg(host) -i tgw.domain1.com

    # ACTION: tgwdomain1Rules
    use_backend tgwdomain1_BKENDSERV if acl_649cc5f09372a0.09326053

# Backend: domain1 (domain1.com)
backend domain1
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server domain1 10.35.2.32:8091

# Backend: tgwdomain1_BKENDSERV (tgw.domain1.com)
backend tgwdomain1_BKENDSERV
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server tgwdomain1SERV 10.35.2.30:80

# statistics are DISABLED

Log says:

[28/Jun/2023:17:42:42.203] tgwdomain1_PUBSERV tgwdomain1_PUBSERV/<NOSRV> -1/-1/-1/-1/3 0 0 - - PR-- 22/1/0/0/0 0/0 "<BADREQ>"

I want to use public.ip for all my subdomains. It was able to load domain1.com properly, but tgw.domain1.com doesn't load. Before, I was able to make it load, but the issue was that the subdomain would load what's in domain1.com and vice versa.
#14
Is it possible to use 1 public IP for the Public Service that will be used by different subdomains with port 80 as its port?

    sub1.domain.com Real Server  172.16.100.20 Port 80
    sub2.domain.com Real Server  172.16.100.21 Port 80
    sub3.domain.com Real Server  172.16.100.22 Port 80
with the condition prefix based on the subdomain

Public Service has the public IP 443 and 80

I was actually trying this setup but it ended up loading the same content on all subs.
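As an added example that is not from the posts above or from the OPNsense HAProxy plugin, this is the rendered HAProxy configuration for the one-public-IP, several-subdomains setup asked about in #12/#14: a single frontend binds each port exactly once (the export in #13 binds public.ip:80 in two frontends, one of them with ssl) and exact Host ACLs choose the backend. `public.ip`, the certlist path and the 172.16.100.x servers are placeholders taken from those posts.

```haproxy
# Added example (not from the posts above): one frontend owns public.ip and
# routes by Host header. public.ip, the certlist path and the 172.16.100.x
# servers are placeholders; replace them with your own values.
frontend public_web
    # each port bound exactly once: plain HTTP on :80, TLS only on :443
    bind public.ip:80
    bind public.ip:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/PLACEHOLDER.certlist
    mode http
    option httplog
    option http-keep-alive

    # exact host match; hdr_beg(host) would also accept any longer name
    # that merely starts with the same string
    acl host_sub1 hdr(host) -i sub1.domain.com
    acl host_sub2 hdr(host) -i sub2.domain.com
    acl host_sub3 hdr(host) -i sub3.domain.com

    use_backend bk_sub1 if host_sub1
    use_backend bk_sub2 if host_sub2
    use_backend bk_sub3 if host_sub3
    # a Host header that matches nothing is refused instead of quietly
    # landing on whichever backend happens to be the default
    default_backend bk_deny

backend bk_sub1
    mode http
    server sub1 172.16.100.20:80

backend bk_sub2
    mode http
    server sub2 172.16.100.21:80

backend bk_sub3
    mode http
    server sub3 172.16.100.22:80

backend bk_deny
    mode http
    http-request deny
```

Binding public.ip:80 in two frontends with different ssl settings, as the #13 export does, is the first thing to remove: in that log line PR-- means HAProxy itself aborted the request and <BADREQ> means it could not parse what arrived, which is what a TLS handshake sent to a plaintext bind looks like.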