Messages

1

23.7 Legacy Series / Re: NGINX + LetsEncrypt(ACME) Plugin help

« on: September 01, 2023, 08:14:56 pm »

One additional note, if I do a TCPDUMP of that port on the upstream server, I see traffic when I attempt to go to the subdomain.

also the HTTP Access logs give a 502 status code

2

23.7 Legacy Series / NGINX + LetsEncrypt(ACME) Plugin help

« on: September 01, 2023, 08:08:47 pm »

So the jist of what I am trying to do is setup the OPNSense NGINX plugin as a reverse proxy so that I can forward all my subdomains to the correct ip/port, all over HTTPS.

I setup the ACME plugin and have that working fine with letsencrypt and cloudflare.

I turned on the WAP stuff.

I setup a upsteam server / upstream / location / http server and when I try to navigate to the subdomain I get this.



Upstream Server


Upstream


Location
- URL Pattern = /
- Enable Security Rules = Checked
- Upstream Servers = SeionServer NodeRed
- Force HTTPS = Checked

HTTP Server
- HTTP Listen Address = 80,[::]:80
- HTTPS Listen Address = 443,[::]:443
- Server Name = {MySubdomain.domain here}
- Locations = NodeRed Location (Location above)
- TLS Certificate = mysubdomain.doman (ACME Client)
- Client CA Certificate = R3 (ACME Client)
- HTTPS Only = Checked

Cloudflare has SSL Strict Mode on and Proxy "Cloud" off

I put the ACME Client Cert and Key on the upstream server and told nodered to use them also.

I need to know how to do this properly because I have a bunch of services running on the upstream server on different ports.

I had NGINX running on the upstream server just fine doing reverse proxy, so trying to transfer that config to the OPNSense NGINX Proxy Plugin.

3

23.7 Legacy Series / Re: Intercept External DNS Request

« on: August 31, 2023, 09:41:57 pm »

Figured it out. The files are in /usr/local/AdGuardHome and updated the yaml file to bind to 0.0.0.0 and that fixed my package problem and my other problem. Thanks all

4

23.7 Legacy Series / Re: Intercept External DNS Request

« on: August 31, 2023, 09:24:25 pm »

I'll start digging into AGH on how to change on what ip its listening on, unless you can tell me pretty quickly lol

5

23.7 Legacy Series / Re: Intercept External DNS Request

« on: August 31, 2023, 09:10:05 pm »

This fixed the issue, I changed the port forward to forward to the LAN Router Address (11.12.13.1) also ran the the sockstat

root@SeionRouter:~ # sockstat -l | grep :53
root     AdGuardHom 77597 15 udp4   11.12.13.1:53         *:*
root     AdGuardHom 77597 21 tcp4   11.12.13.1:53         *:*

I was also having an issue with domains resolving directly from the router shell (pkg update was not working) and I think its the same reason.

Is there a way make it work so that 127.0.0.1 works because the /etc/resolv.conf is pointing to itself and that wont work for the same reasons as this original post. Make AdGuardHome listen on all interfaces (except wan??)

6

23.7 Legacy Series / Intercept External DNS Request - SOLVED

« on: August 31, 2023, 03:29:08 pm »

So here is my current setup:
- OPNSense, latest version
- Unbound Turned OFF
- AdGuardHome Plugin on OPNSense running on 53

I have 2 rules to BLOCK any 53/853 traffic that is not "This Firewall" which worked just fine. (See screenshot with 2 rules attached).

My issue is that random stuff in my house wont work because they are hard coding google DNS into them. So my idea was to intercept those requests and point them to my internal DNS (AdGuardHome). So I looked it up in google and a couple of pages showed how to setup a port forward rule to redirect 53 to 127.0.0.1. I set this up but I cannot get it to work.

When I do a `nslookup google.com 8.8.8.8` it times out.

Attached are some screenshots of my rules, I left the blocks in place but put them after the redirect rule. If anyone has some ideas on how to get this to work, please let me know.

7

23.1 Legacy Series / Re: Playstation 5 / Diablo 4 / UPNP / Battle.net Firewall and Port Troubleshooting

« on: July 18, 2023, 03:32:19 am »

I am seeing another issue I can't figure out...

If I curl or try to browse to duckduckgo.com it never gets the website.

I can browse and curl other websites just fine, but can't figure out what is blocking that page...

I can see it go out    
WAN   <- 2023-07-17T21:27:59-04:00   MyPublicIPHERE:10265   52.149.246.39:80   tcp   let out anything from firewall host itself (force gw)

I disabled blocklists and dns over tls and unbound all together and still the same issue.

I am not sure where its getting blocked

I can ping or dnslookup from the same machine duckduckgo.com just fine

8

23.1 Legacy Series / Re: I am stuck on trying to figure out why I can't get Diablo 4 to work on my normal

« on: July 17, 2023, 09:58:06 pm »

Screenshot below of current firewall rules

9

23.1 Legacy Series / Playstation 5 / Diablo 4 / UPNP / Battle.net Firewall and Port Troubleshooting

« on: July 17, 2023, 09:57:31 pm »

I am stuck on trying to figure out why I can't get Diablo 4 to work on my normal LAN interface.

My setup is Fiber ONT -> (WAN) OPNSense Router -> (LAN) Managed Switch (Nothing really configured/managed on it) -> Un-managed Switch -> Playstation 5

I have not really configured much of the firewall rules in OPNSense, I did add a few port forwards for another device, but that was about it.

If I put the PS5 on an additional interface I configure on OPNSense and then copy the "Default allow LAN to any rule" to it, the game Diablo 4 works fine on it. But on the original LAN interface it wont work.
My setup is Fiber ONT -> (WAN) OPNSense Router -> (Another LAN Interface, diff from the first) -> Playstation 5

I have Unbound DNS configured using blocklists and DNS over TLS, I disabled both to see if either was an issue and still would not work.

I installed the UPNP Plugin and allowed UPNP for the static IP I gave to the PS5 and deny everything else and that did not fix the issues. It did add a few UPNP ports though so it does seem to be working, but the game is not.

I am not sure how to go about troubleshooting this because the firewall live logs are very busy. I am not sure whats getting blocked and where...

The screenshot attached is my current firewall rules, I also tried adding in a NAT ->Outbound "Manual Rule" for Static Port Mapping