OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of catapimba »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - catapimba

Pages: [1]
1
Tutorials and FAQs / Re: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: September 28, 2024, 01:21:24 am »
I think I missed something... I was able to make a service in my LAN to be accessible but others don't. One thing in common is that the ones that failed only expose a http port and the one that is working has https and in the real servers I'm using the https port.

So, I can access https://portainer.mydomain, but I can't https://ollama.mydomain.

Here's my config:
Code: [Select]
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    2
    hard-stop-after             60s
    no strict-limits
    maxconn                     1000
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 2000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 1_Http_frontend (Responsable to receive http request and redirect to https)
frontend 1_Http_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
    mode http
    option http-keep-alive

    # logging options
    # ACL: NoSSL
    acl acl_66ead35d7f6255.60168678 ssl_fc

    # ACTION: HTTP to HTTPS
    http-request redirect scheme https code 301 if !acl_66ead35d7f6255.60168678

# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_Https_frontend (Listening on localhost:443)
frontend 1_Https_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy ssl curves secp384r1  prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66ececbe6b0202.10137700.certlist
    mode http
    option http-keep-alive

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/66ec2bfa712774.56131988.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 0.0.0.0 send-proxy-v2 check-send-proxy

# Backend: Portainer (Portainer's backend)
backend Portainer
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Portainer 192.168.20.10:9443 ssl alpn h2,http/1.1 verify none

# Backend: Ollama (Ollama's backend)
backend Ollama
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Ollama 192.168.20.200:11434

# statistics are DISABLED

2
Tutorials and FAQs / Re: Static route issue: Access problems with some containers (ipvlan L3)
« on: September 28, 2024, 01:06:54 am »
Sorry for only replying today. It was actually a misconfiguration in my docker's ipvlan.

3
Tutorials and FAQs / Re: Wireguard instance allowing internet, but blocking access to other IPs on LAN
« on: June 26, 2024, 02:30:23 am »
I appreciate the help. If I understood correctly, I should change the destination port range. However, as you can see in the image, the destination port is locked, I tried to change the destination to other values to see if I would unlock the selection, but no luck.

4
Tutorials and FAQs / Static route issue: Access problems with some containers (ipvlan L3)
« on: June 25, 2024, 01:24:52 am »
I have a Docker host where I defined an ipvlan L3 network with a subnet of 192.168.95.0/24. I then created containers with specific IPs within this network. On OPNsense, I configured a gateway pointing to my Docker host and a static route for the 192.168.95.0/24 network.

I can ping all the containers and access my MSSQL container, but I can't access other containers like MariaDB, NGINX, and phpMyAdmin. Interestingly, if I change them to Docker's default network, they become accessible again. I suspect firewall rules might be blocking traffic on specific ports, but I cannot add rules for this subnet, right? I also enabled the OPNsense advanced firewall option "Bypass firewall rules for traffic on the same interface," but that didn't make a difference either.

Any help is appreciated.

5
Tutorials and FAQs / Wireguard instance allowing internet, but blocking access to other IPs on LAN
« on: June 25, 2024, 12:24:07 am »
Hi! Newbie here!

I have successfully configured my wireguard following the Road Warrior setup, but i'd like to have another instance with only internet access using my DNS.

If I remove the 2nd rule in step 5 of the tutorial (https://docs.opnsense.org/manual/how-tos/wireguard-client.html), which allow access to any IP in any subnet, my client cannot access internet too. I was not able to identify the problem, what am I missing? Is this possible?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2