Messages - shade_ch

#1
Quote from: meyergru on January 29, 2025, 12:43:27 PM
For both plugins, there are detailed setup guides in the tutorial section, including all the aspects you asked for.

Thank you, I installed Caddy according to the documentation and indeed the configuration was straightforward (way easier compared to nginx).
#2
Hello,

Here is my context:
  • I'm currently running a Jitsi instance on server S1 which is located in a DMZ of my network.
  • The Jitsi instance (call it SE1) is accessible via https://olddomainname.com:custom_port/.
  • On S1, another service is also running (call it SE2) which is listening on port 443.
  • Both SE1 and SE2 also use other ports for UDP.
  • My Opnsense firewall's NAT is configured to forward required ports.
  • Access from the WAN is limited to the ports required by these two services (i.e. all other incoming traffic is blocked).

Now I need to do the following:

  • SE1 has now to be accessible via https://meet.newdomainname.com/ (port 443).
  • As the port is already in use by SE2, and as SE1 and SE2 are to be reachable using different domain names, I need to use a reverse proxy and configure OpnSense accordingly.

So my question is: how do I have to configure OPNsense to achieve this?

My guess is that I will need to install a reverse proxy plugin on OPNsense, however...:

  • Which plugin should I select and what criteria should I use to select it? (HAProxy, nginx, other?)
  • Once installed, what exactly do I have to configure? The plugin itself seems obvious, but what else should I be aware of? I guess that I'll have to remove the existing NAT and firewall rules corresponding to SE1 and SE2, for instance.
  • Will I have to create new rules in the firewall (or do the plugins create them automagically, as for NAT rules)?
  • Will I have to configure OPNsense to handle the certificates for meet.newdomain.com and olddomain.com (as currently this is handled on S1 and not on OPNsense)?
  • Will I have to reconfigure SE1 and SE2 to work in HTTP mode instead of HTTPS (as they will now be behind a reverse proxy)?
  • Anything else ?

Note: The DNS is already pointing meet.newdomainname.com to my WAN IP.

Thanks in advance for your help!

Michel
#3
Hi,
I currently have a NUT server running on a separate device with what I would call an "advanced configuration" (multiple users, certificates, custom notification script, etc.). In order to save power, I was thinking about using my OPNsense box instead of a dedicated device; however, the plugin's UI only provides limited configuration options. I found that the NUT configuration files are located in "/usr/local/etc/nut/", but some of them state "Please don't modify this file as your changes might be overwritten...", which makes me think that my configuration may be lost quite easily.

My questions are:

  • Is there a way to have an advanced configuration with the os-nut plugin which remains persistent across reboots / upgrades?
  • If yes, how should I proceed?

Thank you in advance!
#4
Virtual private networks / Re: Recommendation VPN
October 06, 2023, 03:08:10 PM
Quote from: JesperAP on September 19, 2023, 02:58:27 PM
The way I have it working now is a different OpenVPN server and access server per security group but I don't want to make new OpenVPN and access servers if I need to create a new AD group...

Is it even possible to do with OPNsense in a better more scalable way?

None that I am aware of. However, did you have a look at https://openvpn.net/access-server/ (https://openvpn.net/product-comparison/ for feature details)? It seems that you can map AD groups to access groups (https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/ or https://openvpn.net/vpn-server-resources/integrating-active-directory-with-access-server-using-radius-and-post_auth/).
#5
Quote from: Monviech on September 26, 2023, 04:05:52 PM
I think you could follow the same argument about other auto generated rules too. For example, why are there all those "IPv6 RFC4890 requirements (ICMP)" if somebody doesn't even use IPv6?

I think it's a design choice to prevent common mistakes generating lots of support.

I'm not choosing a side here though, just contributing my opinion.

(My opinion is I like those rules because they save me time and prevent human error while not impacting security)

Indeed, this might also apply to the case you just listed.

I'm not against generating rules whenever it helps avoid common mistakes: that's a great helper feature which needs to be kept. I'm against generating them when they are not needed, as it has a performance impact and a configuration readability impact.

Regards,
#6
Well, I see the two "CARP defaults" rules on all my interfaces: WAN, LAN, DMZ, all VLANs, OpenVPN, and even Loopback. If they are only generated once as floating and then inherited, fine.

The question was about the rationale for having these two rules (+ the NAT ones @Monviech spotted).

  • Generating them when at least one virtual IP with CARP mode is declared in "/ui/interfaces/vip" is understandable and required.
  • But if no virtual IP in CARP mode is declared, I don't understand the rationale, and thus it would be great if someone could have a look at ticket #6556 (see first post).

But again, maybe I'm missing something.
#7
@Franco: I read the ticket you're providing; let me quote some messages AdShellevis sent to rudiservo, the author of the ticket I was writing about:

Quote
the ticket is for a different issue

Quote
Please keep discussions on the forum.

Quote
don't mind if you open a new ticket for it to put it up for debate

In the end rudiservo did it, and it resulted in the ticket I linked in my question. He never got an answer since May. He forgot to link his ticket back to the ticket you're mentioning. I just added the link to make things clear.

In other words:

  • The ticket you're referring to is for a different issue
  • I have not created a new ticket; I linked to the ticket which has been open since May about the issue I'm talking about
  • This is an open topic
  • I reopened the discussion here on the forum as requested on GitHub

That being said:

  • Why is there a "page not found" when clicking on the looking glass?
  • If it is due to the fact that no virtual IPs are configured: why are the CARP rules generated if CARP is not configured?
  • If it is mandatory for some reason I cannot yet understand: why is there a looking glass next to it, as it leads to a page not found?

To me it looks like there is a bug somewhere:

  • There should not be a "page not found" OR
  • There should not be CARP generated rules if CARP is not used OR
  • There should not be a looking glass next to the rule

Or maybe I'm missing something. If that's the case, please explain.
#8
Hi,

When you say that you have tested the WAN link, I guess that it was without the OPNsense box, i.e. connecting a computer directly to your ISP router. If that's the case:

  • Check the negotiated speed of your WAN interface. You can check negotiated speeds on the OPNsense dashboard in the "Interfaces" widget.
  • If the speed is negotiated to 100 Mbps, check that the cable is plugged in correctly on both ends / replace the WAN cable with one that is at least CAT5e; if that doesn't work, try forcing 1 Gbps full duplex on both ends (ISP router / OPNsense).
  • Check that there is no traffic shaping: type "pipe" without quotes in the OPNsense search box and check if any pipe is limiting to 100 Mbps. If there is one, check in the Rules tab which interface it applies to.
  • Last but not least, sorry to ask, but are you sure that it's 100 Mbps and not 100 MBps? (Easy to confuse, and 100 MBps is 800 Mbps, and depending on your hardware / configuration the difference might be related to the firewall's overhead.)

Good luck
#9
Hello,

After having read the "hot" topic about automatically generated rules, I had a look at the generated rules on my OPNsense instance. I was surprised to see that two "CARP default" rules are generated for each interface.

As I'm not using CARP, nor virtual IPs, this looked strange, so I clicked on the looking glass icon next to the two rules, which led me to a "page not found" (firewall_virtual_ip.php).

If there was no "looking glass" and no "page not found" I would have said nothing, but this looks like a UI bug to me. Or am I missing something?

Note: Since I started writing this post, I checked the GitHub repository and someone suggested adding these rules only if Virtual IP interfaces are configured. However, he has had no answer since last May. https://github.com/opnsense/core/issues/6556

Thanks in advance and kind regards,

M.
#10
Quote from: meyergru on September 21, 2023, 03:06:21 PM
1. If you have a cron job which updates the tables, why don't you use an @reboot entry in crontab to call that update script on reboot as well?

2. If the file is from a URL, you could as well use one or more "URL Table (IPs)"-type alias(es).
Hi,
1. This is what I'm doing, but it's a workaround.
2. No, it isn't; it is built from multiple sources that are processed/filtered.
#11
Quote from: qarkhs on September 20, 2023, 07:31:59 PM
I am curious why there isn't more discussion of what I would label middle-ground options that lie somewhere between Deciso and Supermicro on the one hand and stuff you can buy on AliExpress on the other hand. They would seem to offer a better balance of price/performance/quality. Less pricey than the former but much better manufacturing quality control than the stuff being sold on AliExpress and, presumably, also better support. I am thinking of gear from Taiwanese companies like AAEON, Jetway, Up Systems (all affiliated in some way with Asus), GigaIPC (Gigabyte) and Lanner.

Well, the initial question was to help me "select the right hardware based on requirements", but yes, as a next step, I agree with you. I already had a look at the brands you listed, as well as at Lanner and other brands too. The problem is their availability, factory lead times (for instance there is a 27-week factory lead time on one product I'm interested in), shipping costs and "how to make sure that it will work as expected", as nobody seems to have tried running OPNsense on it before (and who wants to be a "guinea pig"?).
#12
Quote from: Maurice on September 21, 2023, 03:03:43 PM
There is an API which you can use for handling aliases: https://docs.opnsense.org/development/api/core/firewall.html

Cheers
Maurice

Once again, thanks a lot Maurice.
#13
Hello,

I have a script which updates an alias twice a day (it replaces its content with a list of IPs taken from various sources). The script and cron job both (seem to) work fine. I only have one issue: if the OPNsense box is rebooted, the alias is empty; it does not keep the last values which have been set by the script.

Here is the last part of the script which updates the alias:

# Update the live pf table from the temp file (one address or network per line)
RESULT=$(/sbin/pfctl -t "${ALIAS_NAME}" -T replace -f "${TMP_FILE}" 2>&1)

Is there a way to make this persistent so as not to have an empty list after a reboot? Is there another problem (such as an alias flush at reboot)?

Thank you in advance!
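An added example, not code from this thread, that combines Maurice's API pointer in #12 with the question in #13: it validates and merges the feed output, then writes it into the alias through the firewall API, so the content is stored in the configuration and survives a reboot, whereas the pfctl -T replace call above only changes the live table. The endpoint names (getAliasUUID, setItem, reconfigure), the newline-separated content field, and the host, key and secret values are assumptions to verify against the linked API docs for your version.

```python
"""Rebuild an OPNsense alias via the firewall API (persisted in config)
rather than only via pfctl, whose table contents vanish on reboot."""
import base64
import ipaddress
import json
import urllib.request

# Constructed sample feeds: a duplicate, a CIDR, junk, loopback and multicast to filter.
SAMPLE_SOURCES = {
    "feed-a": ["203.0.113.10", "203.0.113.10", "198.51.100.0/24", "not-an-ip"],
    "feed-b": ["192.0.2.1", "2001:db8::/32", "127.0.0.1", "224.0.0.1"],
}


def merge_sources(sources):
    """Parse every entry, drop loopback/link-local/multicast/unspecified
    ranges, deduplicate and sort so the alias content is stable between runs."""
    nets = set()
    for entries in sources.values():
        for raw in entries:
            try:
                net = ipaddress.ip_network(raw.strip(), strict=False)
            except ValueError:
                continue  # never push an unparsable line into pf
            if net.is_loopback or net.is_link_local or net.is_multicast or net.is_unspecified:
                continue
            nets.add(net)
    ordered = sorted(nets, key=lambda n: (n.version, n))  # v4 first, then v6
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n) for n in ordered]


def alias_payload(name, addresses):
    """setItem body; newline-joined content is an assumption from the API docs."""
    return {"alias": {"name": name, "type": "host", "enabled": "1", "content": "\n".join(addresses)}}


def api_call(base_url, key, secret, path, body=None):
    """HTTP basic auth with an API key/secret pair; POST when a JSON body is given."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path, data=data, method="POST" if body is not None else "GET",
        headers={"Authorization": "Basic " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def update_alias(base_url, key, secret, name, sources):
    """Look up the alias UUID, replace its content, then apply (endpoints assumed)."""
    uuid = api_call(base_url, key, secret, f"/api/firewall/alias/getAliasUUID/{name}")["uuid"]
    api_call(base_url, key, secret, f"/api/firewall/alias/setItem/{uuid}", alias_payload(name, merge_sources(sources)))
    return api_call(base_url, key, secret, "/api/firewall/alias/reconfigure", body={})


if __name__ == "__main__":  # placeholder host and credentials
    print(update_alias("https://opnsense.example", "API_KEY", "API_SECRET", "myalias", SAMPLE_SOURCES))
```

The key/secret pair belongs to an API user granted only the firewall alias pages, so the job needs no shell access on the firewall.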
#14
Quote from: Maurice on September 21, 2023, 02:17:16 AM
Translation target for the outbound NAT rule is "Interface address", static port shouldn't be required. Other than that, sounds good. 👍

OK, it works, thank you. I only have strange issues when adding routes/subnets: I have to enable/disable the route to make it work.

Have a nice day!
#15
@Maurice : thank you.

I understand that I have to do the following; is it correct?

  • Create a "single" gateway for the "LAN interface" with IP address 10.100.100.2
  • For each subnet behind the router, create a route to the subnet through the created gateway
  • Switch outbound NAT from automatic to hybrid
  • Add all subnets behind the router to an alias "myalias"
  • Add an outbound NAT rule on interface WAN, with "myalias" as source, "Interface address" as "NAT address" and "static port"

Edit: it works, but is it the most optimal way to do it?
Edit 2: it does not work...  :'(
Edit 3: looks like it works... erratically... will check tomorrow.