Messages - fakebizprez

#1
This was the culprit:

- Register DHCP Static Mappings
- Register ISC DHCP4 Leases
#2
I know how to flush the client DNS. I also have dozens of different clients to test on.

The point of my post is that my DNS is not configured to point to both, and my cache is flushed, yet this is the output of the dig, doggo, & nslookup commands.
#3
I'm trying to set up a handler to a machine I have running the UniFi Server OS to manage my UniFi access points. Like many other times I've set up a handler on the Caddy plugin, it has given me nothing but problems. Sometimes it works fine, sometimes it doesn't. I do not understand the inconsistency with this. It should be pretty straightforward, but it's not.

References for the logs:
- 192.168.128.4 is my OPNsense IP
- 192.168.128.32 is the actual server IP, but I should not have duplicate DNS records.
- My internal domain is an actual Cloudflare domain, which is why I use Unbound DNS Host Overrides.

What am I missing here? I can't lose three hours of my day every time a reverse proxy needs to be set up. Frustration is an understatement.

fakebizprez@scum-studio: /Users/fakebizprez
➜   curl -v https://unifiserver.******.cloud
* Host unifiserver.******.cloud:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.128.32, 192.168.128.251, 192.168.128.4
*   Trying 192.168.128.32:443...
* connect to 192.168.128.32 port 443 from 192.168.128.10 port 54358 failed: Connection refused
*   Trying 192.168.128.251:443...
^C
fakebizprez@scum-studio: /Users/fakebizprez
➜   nslookup unifiserver.******.cloud
Server:         192.168.128.4
Address:        192.168.128.4#53

Name:   unifiserver.******.cloud
Address: 192.168.128.4
Name:   unifiserver.******.cloud
Address: 192.168.128.32

fakebizprez@scum-studio: /Users/fakebizprez
➜   doggo unifiserver.******.cloud
NAME                            TYPE    CLASS   TTL     ADDRESS         NAMESERVER
unifiserver.******.cloud.     A       IN      3600s   192.168.128.32  192.168.128.4:53
unifiserver.******.cloud.     A       IN      3600s   192.168.128.4   192.168.128.4:53
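A pre-flight check for the situation in this post (and the culprit named in #1, a second registration source adding its own A record): an added example, not code from the post, OPNsense or Caddy. It parses the nslookup and doggo output quoted above, embedded here as constructed sample text with the domain masked as posted, and reports any A record for the hostname that is not the OPNsense/proxy address 192.168.128.4.

```python
"""Pre-flight check for an OPNsense Caddy handler: the hostname should resolve
only to the proxy (OPNsense) IP.  Added example, not code from the post or OPNsense."""
from collections import defaultdict

# Constructed samples: the nslookup and doggo output quoted in the post (domain masked as posted).
SAMPLE_NSLOOKUP = """\
Server:         192.168.128.4
Address:        192.168.128.4#53

Name:   unifiserver.******.cloud
Address: 192.168.128.4
Name:   unifiserver.******.cloud
Address: 192.168.128.32
"""
SAMPLE_DOGGO = """\
NAME                            TYPE    CLASS   TTL     ADDRESS         NAMESERVER
unifiserver.******.cloud.     A       IN      3600s   192.168.128.32  192.168.128.4:53
unifiserver.******.cloud.     A       IN      3600s   192.168.128.4   192.168.128.4:53
"""

def parse_nslookup(text):
    """Return {name: [ip, ...]} from nslookup output; the Server/Address block is skipped."""
    records, pending = defaultdict(list), None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            pending = value.strip().rstrip(".")
        elif key == "Address" and pending is not None:   # only Address lines that follow a Name
            records[pending].append(value.strip())
            pending = None
    return dict(records)

def parse_doggo(text):
    """Return {name: [ip, ...]} for the A records in doggo's table output."""
    records = defaultdict(list)
    for fields in (line.split() for line in text.splitlines()[1:]):   # [1:] skips the header row
        if len(fields) >= 5 and fields[1] == "A":
            records[fields[0].rstrip(".")].append(fields[4])
    return dict(records)

def stray_records(records, name, proxy_ip):
    """IPs answering for `name` other than the proxy.  A non-empty result means some
    clients bypass Caddy entirely (here the backend refused :443, as curl showed)."""
    return sorted(ip for ip in records.get(name, []) if ip != proxy_ip)

if __name__ == "__main__":
    for recs in (parse_nslookup(SAMPLE_NSLOOKUP), parse_doggo(SAMPLE_DOGGO)):
        print(stray_records(recs, "unifiserver.******.cloud", "192.168.128.4"))   # -> ['192.168.128.32']
```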
#4
Solved: NAT Outbound rules were misconfigured.
#5
General Discussion / Re: *Internal Only* Caddy Config
September 18, 2025, 03:50:46 AM
Quote from: meyergru on September 17, 2025, 10:27:52 AM
Obviously, yes.
Thank you, but when it comes to networking, nothing is obvious to me anymore 😭
#6
Shameless bump. Really could use some help on this.
#7
General Discussion / Re: *Internal Only* Caddy Config
September 17, 2025, 03:06:02 AM
Quote from: meyergru on September 16, 2025, 11:36:09 PM
AFAIK, wildcard certificates work only via the ACME plugin, not via Caddy's own certificate mechanism.
So I should use the ACME plugin to get a wildcard cert, and then select that cert in the drop-down when configuring Caddy?
#8
General Discussion / Re: *Internal Only* Caddy Config
September 16, 2025, 10:36:14 PM
Quote from: Monviech (Cedrik) on September 16, 2025, 09:35:00 AM
Only if you want automatic certificates.

Thank you for the response. Can you elaborate on this more? What are the alternatives?

I am trying to set up a wildcard certificate so all addresses on the LAN have a secure connection.

I'm hesitant about setting it up this way because I currently do not have any ports open (everything is configured via tunnels) and was hoping to keep it that way, if possible.
#9
I run a WireGuard VPN server via the OPNsense plugin. It works fine when listening on the main WAN IP (XXX.XXX.1.106). Recently I tried to move WireGuard over to one of my VIPs (XXX.XXX.130.203) so that it uses that public IP. After making this change, clients can no longer complete a handshake.

Current setup:
- VIP XXX.XXX.130.203 is added on WAN.
- Outbound NAT forces the WG tunnel network (10.50.50.0/24) to egress via XXX.XXX.130.203.
- Client endpoint updated to XXX.XXX.130.203:51820.
- Screenshots attached of firewall rules.

Example of Client Config:

Name: linehaulVPN
Addresses: 10.50.50.6/32
DNS servers: 192.168.128.4

Peer
Allowed IPs: 0.0.0.0/0, ::/0
Endpoint: XXX.XXX.130.203:51820
Persistent keepalive: every 25 seconds

Questions:
1. Do I need to enable service binding on the VIP for WireGuard to listen properly?
2. Do I need NAT: One-to-One in this case, or is that only for forwarding a public IP to an internal host?

Any guidance or examples would be appreciated.

If you see anything in my configuration that needs to be adjusted please shout it out.
#10
General Discussion / *Internal Only* Caddy Config
September 16, 2025, 07:30:44 AM
Hello,

I have never used a reverse proxy plugin on OPNsense. I am testing out Home Assistant OS, and would like to route this, and the add-on containers on Home Assistant OS via the OPNsense Caddy Plugin without exposing these ports to the public internet.

The documentation states:

Quote
Creating a Simple Reverse Proxy:

The domain has to be externally resolvable. Create an A-Record on a public DNS server that points your domain to the external IP address of your OPNsense.

Is this still required for my use case?
#11
I had it working and then I woke up the next day and the connection was down. 🤷‍♂️
#12
Have you gone down the Zenarmor/single-threaded rabbit hole, yet?
#13
Quote from: Greg_E on June 20, 2025, 03:13:20 PM
Quote from: fakebizprez on June 19, 2025, 05:08:57 PM
Quote from: Greg_E on June 18, 2025, 03:25:23 PM
That seems like a lot of power for OPNsense, not sure I would use an MS-A2 for this function unless I had a lot of clients and a lot of filtering set up. Maybe if I had a lot of VPN users I would want that much CPU, but that's a powerful computer for what most of us are doing.
👀

And how much power does that consume? My little Xeon (similar to an older i3) shows mostly the same CPU use, but I only have 16GB of RAM. Its TDP is much lower as well.

The HP T740 showed very similar results when I was using it, and that would be at around 40 watts during use.

But again, depends on how many things you are trying to do with a firewall, if you have a lot of VPN, that extra power would certainly be justified over an n150.

haha, in my defense, my entire organization connects to that machine for our WireGuard VPN server. It's also running as a Tailscale exit node for me personally, as well as Unbound/DHCP, IPS, reverse proxy, Prometheus, several static IPs, and ZenArmor until I had to give it up because the platform is single-threaded and was crushing the LAN's bandwidth.

With that said, I have placed an order for two Minisforum MS-01 Work Station Refurbished (Core-i5-12600mh). Maybe it's too good to be true, but the specs on these are unreal, and after you factor in the cost, it's very hard to pass up.

Given all the value I get from OPNsense, I don't mind running it on the PowerEdge R730, but having to run a second machine for H.A./CARP, makes me cry a little bit.

I still can't get over how much machine you can get for $448 (i9 12th gen). You don't even miss out on U.2 capability; I guess the only major drawback is no ECC?

Thank you to whoever posted this, lol
#14
I got tied up at work, but I'll check afterwards. I think I recall them using both one.one.one.one and cloudflare-dns.com; one as a backup and one as a primary.

We're going to be transitioning from WireGuard to Cloudflare's ZeroTrust/Access WARP platform by Q4, and then we'll have another DNS from them that comes with Carrier Grade NAT. I'll be practicing my captcha skills until then.
#15
Quote from: meyergru on June 19, 2025, 06:58:04 PM
I think the official CN for Cloudflare DNS is "cloudflare-dns.com", not "dns.cloudflare.com", see: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/. Thus, your certificate verification could fail, although IDK if Cloudflare uses multi-domain certificates.

They have so many it gets confusing, but this is from the link you sent me:
Quote
kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com