Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - Baender

Pages: [1] 2 3 ... 8

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: October 24, 2024, 08:55:15 pm »

Okay a really complex topic then. Would it be (in theory) possible, to let Caddy read the aliases of the firewall? Would it be a polling, or as it might be in the memory, on the fly change, if I would add the IPv6 address as an alias?

I guess, still out of scope. However, I am just curious.

Edit:
Would it be possible, to set dynamic DNS setting on the domain/subdomain? I mean if it should pass a IPV6 and/or IPv4 address? Maybe the module for dynDNS is not structured for this..

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: October 24, 2024, 07:22:27 pm »

Oh, no. Please don't tell me that.. Yes, it is dynamic.. Could I override the Caddyfile then? I know, that for Caddy there might be such Plugin, but if I would write a script, that checks the current IP? Would that help?

Just a side note from my side: with one of the recent caddy releases on OPNsense, the description for domains and subdomains got a bit out of control. I personally find it problematic, to show the domain and the description, that results in a lot of text, in the selection GUI and on the overview. Do you know what I mean?

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: October 24, 2024, 06:03:44 pm »

Thank you for the explanation.

I have noticed, that since I enabled IPv6 and using Track Interface, most of my subdomains, that are restricted to local IPs, won't work. This is because I only set IPv4 addresses to the access list. How can I allow "local" IPv6 addresses?

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: October 18, 2024, 08:12:13 am »

Hey there, thank you very much, for bringing Caddy to OPNsense. It is a real pleasure, to such wonderful tool on the sense. I even like it that much, that I use Caddy as a webserver or reverse proxy in other projects as well.

I would like to add a TURN and STUN Server (Coturn: https://github.com/coturn/coturn) to my infrastructure. It is a requirement for my Nextcloud. At first I tried to an additional subdomain to Caddy, that extents to my nextcloud.example.com.

nextcloud.example.com
nextcloud.example.com:3478

However, that required to have a wildcard domain with the port 3478 and the actual subdomain nextcloud.example.com:3478. Not to mention opening another port on the firewall.

Would it be possible to use the Caddy: Layer4 Routes feature for my project? Is it an TLS (SNI) type then and moreover, is it still required to open the port 3478 for it?

German - Deutsch / Re: Dect Mit Fritzbox und OpnSense möglich?

« on: October 16, 2024, 07:02:20 am »

Als ich das damals bei 1&1 Versatel eingerichtet habe (nutzt VLANs) hat mir das Live Log der Firewall sehr weitergeholfen. Wenn ich anrief oder rausrief, konnte man gut die Pakete sehen, die ankamen oder rausgingen. Dann war schnell klar, ob die Regeln richtig eingestellt waren.

24.7 Production Series / Need help to get Prometheus data of Crowdsec plugin

« on: October 15, 2024, 10:01:55 pm »

I installed Crowdsec as a plugin on my OPNsense and changed the listening interface of Prometheus, in the config.yml:

Code: [Select]

prometheus:                                                                     
  enabled: true                                                                 
  level: full                                                                   
  listen_addr: 0.0.0.0                                                          
  listen_port: 6060

I try to scrape the data from a docker service with Prometheus. This is the config:

Code: [Select]

global:
  scrape_interval: 15s
scrape_configs:
  - job_name: 'firewall'
    static_configs:
      - targets: ['192.168.1.1:6060']
        labels:
          machine: 'firewall'

However, I am unable to get any data in Grafana..

I used this tutorial for reference: https://medium.com/@ravipatel.it/building-a-monitoring-stack-with-prometheus-grafana-and-alerting-a-docker-compose-ef78127e4a19

Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

« on: October 11, 2024, 02:20:32 pm »

I have a similar problem. From time to time, my domains are not reachable. I restricted them to the LAN network. Some services and my vacuum robot. The only thing that helps, is to perform a restart of the OPNsense and to get a new IP and new Records for the domains. A restart of caddy won't work. The services are reachable by their IP, when the problem occurs.

Would it help to set caddy to debug and send the log from the beginning, when it's working until the moment it fails? It could be a lot of log data, because I don't know when it will happen. Moreover I think, that this is related to a problem with IPv6 prefix delegation. In general, would it be a good idea, to combine the caddy logs, with the logs of the OPNSENSE system? Is this only manually possible?

German - Deutsch / Re: Reboot Bug nach Updates

« on: October 02, 2024, 06:35:29 pm »

OK, dann war ich davon wohl auch betroffen. Selber Effekt unter Status. Manuell neu gestartet und Fehler behoben.

German - Deutsch / Re: Passwort für sudo auf der OPNsense wird nicht akzeptiert

« on: October 02, 2024, 08:11:19 am »

Ich weiß nicht, wieso ich auf Englisch geantwortet hab, das ist dieses Springen in Sprachen..

Wie mein Kollege zu sagen pflegt: "Wenn's nicht tut, dann boot." Ein Reboot hat das Problem behoben. Vermutlich wurde entweder die Sense nicht neugestartet, auch wenn es das Update suggerierte oder er brauchte einfach noch einen Neustart. Denn unter System>Firmware>Status sprang er immer direkt auf Updates und meldete, er müsse anschließend neustarten und die Update-Prozedur war noch zu sehen.

[FIXED]

German - Deutsch / Re: Passwort für sudo auf der OPNsense wird nicht akzeptiert

« on: October 01, 2024, 10:45:03 pm »

- Ask Password
- wheels,admins

German - Deutsch / [FIXED] Passwort für sudo auf der OPNsense wird nicht akzeptiert

« on: October 01, 2024, 10:28:35 pm »

Hallo zusammen,

vor sehr langer Zeit habe ich für meinen Nutzer jeff ein Konto auf meiner OPNsense eingerichtet. Für die Sicherheit habe ich einen TOTP-Server eingerichtet und für SSH einen Authorized key hinterlegt. Aus der Vergangenheit weiß ich, dass ich erst das Password und dann den TOTP eingeben musste. Hintereinander. Immer dann, wenn ich sudo-Rechte auf der sense angefordert habe.

Mein Problem ist, dass das Kennwort nicht mehr angenommen wird. Ich habe es bereits nur mit Passwort versucht und auch die Uhrzeit auf meinem Client überprüft. Habt ihr eine Idee?

In das WebGui komme ich genau mit derselben Konstellation: Passwort und TOTP..

General Discussion / Re: Use IPv6 functionality in docker host for dynamic IPv6 address

« on: September 23, 2024, 11:11:46 am »

Thank you, for the information, and the insight. I guess, I can halt my research in IPv6 Docker then. This is wonderful.
As I have no IPv6-only services, it will be enough to use the reverse proxy for now.

General Discussion / Re: Use IPv6 functionality in docker host for dynamic IPv6 address

« on: September 23, 2024, 09:26:05 am »

Do I understand correctly that Caddy can forward IPv6 requests from my OPNsense to my service host as long as the service host also has an IPv6 address?

Code: [Select]

Firewall --> Service Host [Docker --> Caddy:80 (IPv4)]
(Caddy-os)   IPv4/6                   IPv4

The Docker container is exposed on port 80 on the service host and all containers only have an IPv4 address. I have not activated IPv6 in Docker myself.

As I also want to add Uptime Kuma, could you describe it a bit more? Is this an obvious issue, you could run into?

General Discussion / Use IPv6 functionality in docker host for dynamic IPv6 address

« on: September 22, 2024, 09:27:59 pm »

I get more and more into OPNsense and networking in general and my homenetwork, with self hosted services growing.
I run a few services exposed to the Internet, but for now only for IPv4.
For WAN I get a dynamic IPv4 address and via 6To4 a dynamic IPv6 address.

From my first reading, it sounds like IPv6 for docker is special. At least if I want to get IPv6 addresses for my containers, in my special situation. To get a IPv6 address in every subnet, I use Track Interface in OPNsense. This means that I cannot just take a /80 of the docker hosts IP and are done. I chatted with GPT and it suggested a script, to get the current prefix and generate an appertaining subnet from the applied IPv6 address of the docker host.

This sounds really like rocket science to me, but I've come across so many technologies where you have to do such stupid things to achieve something that I'm not surprised. Often it's just not a matter of flipping a switch. But what do you think?

Perhaps it is also important to know that I use Caddy plugin for my OPNsense, to publish the services.

I have to say that I am still relatively new to IPv6 and therefore the question may seem strange.

Intrusion Detection and Prevention / Re: Crowdsec decided today to start blocking my cell phone??

« on: September 22, 2024, 09:09:35 pm »

It happened to me once, too. I used Vernet for Android pretty much in the past and the whitelist AddOn for crowdsec was not enabled. It resulted in an immediate ban. Fixed it by using the whitelisting.

Anyway, does it make sence, to ban local IPs? Like when you have a security issue and a bad guy starts a port scan from one of your infiltrated hosts?

Pages: [1] 2 3 ... 8