Messages - afX33800

#1
Hello all,

I'm trying to set up a RustDesk server to replace TeamViewer.

So I have my VM set up on my server VLAN. My clients are on my computer VLAN, and I'm trying to add a computer on another site (no VPN, just internet).

I've set up a NAT rule to redirect all incoming traffic on the RustDesk ports to my server on the right VLAN (seems OK).

But internally, that doesn't work. I think a rule is missing, but where?
At the moment, I have a NAT on 3 interfaces (WAN, computer VLAN, server VLAN) redirecting to my server.
I also have an outbound NAT rule on my server VLAN interface, from the server VLAN address, redirecting to the server VLAN interface. (Maybe the problem is here?)

Thanks for your help!

Aurélien
#2
24.7, 24.10 Legacy Series / Re: Caddy - Layer4 Routes
August 08, 2024, 12:36:26 PM
Hello,

I will read the documentation more seriously next time ;)

So, I've updated my firewall, and I now have the Layer4 menu.

But when I activate Layer4 Routes I get an error message, which is attached.

Maybe it needs a reinstall of the Caddy plugin? (But what about my current configuration?)

#3
24.7, 24.10 Legacy Series / DNS on WireGuard
August 07, 2024, 09:19:37 PM
Hello,

I've set up NextDNS as the DNS resolver on one of my VLANs for my kid (just for an iPad at the moment). It works well.

Now I'm building a WireGuard access for his iPad, but I have no idea how to force the use of NextDNS through WireGuard.

Is it possible? Or is a more appropriate solution available?

Thanks for your help

Aurélien
#4
24.7, 24.10 Legacy Series / Caddy - Layer4 Routes
August 07, 2024, 09:16:52 PM
Hello all,

I'm running OPNsense 24.7 (up to date with the latest bugfixes) with Caddy, and I'm looking to activate Layer4 Routes.

The docs say to enable Layer4 in the general settings of the Caddy plugin, but I don't have the checkbox in the advanced menu.

Is it a bug, or am I missing something?

Thanks for your help

Aurelien
#5
Indeed, with this information it's clearer.

So, another question:
What is the best security process?
Run Suricata on WAN (as currently) or rely on DROP rules on the WAN side?
#6
Thanks for your help.

It works, it's now solved.
#7
Hello,

I have a question about GeoIP and floating rules.

I've installed GeoIP from MaxMind following the OPNsense how-to.
I blocked all of the world except Europe.

I don't understand why in Suricata I have plenty of log entries from IPs "normally" blocked on WAN.
So I'm thinking of a misconfiguration in my rules, or another problem.

I've attached my floating rules. If you can take a look and say whether you detect an error.

I have 10 interfaces (WAN + LAN + VPN + VLANs).

Thanks in advance!

Aurélien
#8
Hello,

Thanks for your answer.

Just to be sure that I understand correctly:

If I have domain.com, I set up an A record at my DNS provider for subdomain.domain.com.
Then I set up a CNAME for app.subdomain.domain.com pointing to my previous A record, right?

And no record in Unbound.

But there's a point I doubt. My reverse proxy isn't meant to serve apps externally (or maybe just one). With this configuration, when I try to connect to app.subdomain.domain.com, I will be seen by OPNsense as coming from external, right? So an ACL restricting to internal IPs will always match, so I will never get access?

Thanks for the information

#9
Hello,

I have a question about Caddy configuration.

I'm trying to configure it on my OPNsense (via the plugin), and I'm looking into split DNS configuration.

As I understand it, I have to write a DNS override in Unbound, but what is the target of the A record?
A = 0.0.0.0 or another address?

Thanks for your help.
#10
So it seems that the problem is solved.

I've configured 2 floating block rules based on this: https://github.com/duggytuxy/malicious_ip_addresses.

It seems that there is an IP in this list that is causing trouble.

When I disabled my 2 floating rules, the VPN was OK.

Aurélien
#11
Hello all,

I'm coming to you because I have a problem with my WireGuard tunnel.

My WG tunnel has been working fine since the installation of my OPNsense (a long time ago), but with everything on IPv4 ;)

I've now installed and configured IPv6 on WAN and my VLANs (except 2, GUEST and KIDS).

At the moment, the WireGuard tunnel is connecting; the connection begins on my IPv4, but when the connection is established, the endpoint address on the client side is changed to an IPv6 one.

I've allowed IPv6 on WAN on my WG_port, and I've updated the rules on Wg_interface to allow DNS and to allow exit to the internet. But still KO.
I've updated my client to allow ::/0 and still KO.

If anyone is able to help me I will be grateful!

Thanks

Aurelien
#12
Hello all,

I'm trying to configure DNS over HTTPS and DNS over TLS on my new physical OPNsense installation.

Unbound seems to be working for "standard" DNS (on port 53), and everything seems well configured, but when I try one.one.one.one/help, it says that DNS over HTTPS and DNS over TLS are not working.

I've attached my VLAN configuration / Unbound configuration / DNSCrypt proxy configuration and NAT configuration.
Please let me know if more information is needed.

Thanks in advance for all of your ideas and/or solutions!

Aurélien