Messages - tomk_1313

#1
Quote from: fbeye on December 15, 2024, 01:02:43 AM
I guess I feel I would struggle with the DNS stuff because, like I said, the FW itself has a .182 WAN IP and no domain, but my .181 [set as a virtual IP] does have Cloudflare and a domain. So the DNS stuff would sort of make my brain hurt.

I don't think you understand reverse proxy. If you have Caddy installed and it's "working" - i.e., you can connect from the internet to a service you run on the local LAN - what is stopping you from pointing Caddy at your router's LAN web service?
Let's say you have:
- whatever service at 192.168.0.2:80 - the first service you have on your Caddy, with example.org
- your router at 192.168.0.1:4343 - a second service that your Caddy can serve at router.example.com
It's pretty academic. It's actually one of the most popular low-effort ways of cracking into someone's network - just set up a reverse proxy at the target's edge and you browse like it's your home ... and the super low-effort one is the SSH pipe facility that everybody forgets to disable.
#2
Quote from: fbeye on December 14, 2024, 11:18:06 PM
One last question, maybe relevant, maybe not, BUT I know the "default" answer to "can I expose my OPNsense GUI to the internet in case I wanna remote in" is NO! And that makes sense, but is there a safe way to allow WAN access to the OPN GUI? I mean even restricting to specific WAN IPs. Or connecting via WG or Caddy?
Technically: yes
Practically: HELL NO
Insanely: "if there is a will there is a way"

So, IF, and only IF, you are prepared to jump through a few burning hoops, you "_can_" get safe admin access to your router.
There are two ways of doing it:
1. set up a VPN, then you VPN into your local network and can administer it.
2. for more crazy people (like me):
- set up Caddy / HAProxy, which you already do.
- get yourself a Cloudflare account.
- set up your DNS in such a way that your router access is only cached.
- get your access working with proper signed keys that are exchanged with Cloudflare, and nobody else has those (possible in HAProxy, haven't looked into Caddy for that) - so even if somebody tries to spoof themselves as CF, they won't have the keys.
- allow your Caddy to only accept connections from CF IP addresses (easy in HA, haven't tried in Caddy).
- set your CF policies to "paranoid level".
There are a few more things you can do, but ... I'll leave it to the reader to imagine more ways to get this secure.

Now, remember two things: 1. the old adage "you're not paranoid if there are people actually going after you" and 2. "the Internet is full of people that are going after anybody".
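A Caddyfile sketch of the two Cloudflare-facing controls from the list above (accepting connections only from Cloudflare's edge, and mutual TLS against Cloudflare's origin-pull CA), added here as an illustration; it is not the poster's configuration. The hostname, the 192.168.0.1:4343 upstream from the earlier post, the certificate file paths and the bundled CIDR list are assumptions, and the list must be refreshed from Cloudflare's published ranges before use.

```caddyfile
# Added example, not the poster's config. Hostname, upstream and file
# paths are assumptions. The CIDR list is Cloudflare's published IPv4
# list at the time of writing; re-check it at https://www.cloudflare.com/ips/
router.example.com {
	# Authenticated Origin Pulls: the TLS handshake only completes if the
	# client presents a certificate issued by Cloudflare's origin-pull CA,
	# so spoofing a Cloudflare source address alone gets nobody in.
	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/cloudflare-origin-pull-ca.pem
		}
	}

	# remote_ip checks the actual TCP peer, not X-Forwarded-For, so a
	# header cannot be forged to pass this check.
	@not_cloudflare not remote_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22

	# route keeps the handlers in the written order: drop non-Cloudflare
	# peers first, then proxy what remains to the router's LAN-side GUI.
	route {
		abort @not_cloudflare
		reverse_proxy https://192.168.0.1:4343 {
			transport http {
				# Verify the GUI's certificate against its own CA instead
				# of disabling verification with tls_insecure_skip_verify.
				tls_trusted_ca_certs /etc/caddy/router-gui-ca.pem
				tls_server_name router.lan
			}
		}
	}
}
```

Together with a proxied (orange-cloud) DNS record and a WAN firewall rule that admits 443 only from the same Cloudflare ranges, this implements the "only from CF, and only with CF's keys" items on the list.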
#3
Bud, you need to understand something about the interwebz (no offence to you, it's not knowledge everybody learns in school):
unless you have some specific interface with a given IP address, your operating system (router, and by that extension, Caddy) will not listen on it.

So let's work through your scenario:
You were given a range of 6 IP addresses.
By default, when your router connects, it needs an IP, but it will only use ONE IP address, because, you know, you might want to use the others somewhere else.
Your DNS traffic points towards the IP that your router does not have assigned to the interface, so it ignores it, because it's possibly for a different machine.
If you had some routing that pushed this traffic to your LAN, you could have a separate server in a so-called DMZ zone, which would consume one of the additional IP addresses, and everything for the given IP would be forwarded to it (yes, I know there are other setups possible, but I'm using this for illustration).

This is why somebody here is suggesting that you give the WAN another IP address (an alias). Then your router will also "catch" this traffic because .... you know it's for the router, right? The router has this IP, so it should receive it!

Now, if you set this up: great, but what people tend to miss is that by default ALL routers will just reject all the traffic from the evil internet. So you need to set up a firewall rule to allow traffic to ports 80 & 443. Now you also need to allow this traffic going to your "alias IP", not only to your WAN default IP address.
#4
It might be an issue with the MAC address of your WAN interface. Some (not all) ISPs do look at your MAC address, and if it changes they will reject even valid PPPoE creds. The second thing is creds. I've had this in the past: when I was migrating between routers, I failed to store the updated PPPoE creds and was scratching my head why it worked on the old router but not the new one ... all while I was using the old PPPoE password.
#5
Hi,
So I've got a setup where there is a router with the WAN being served by PPPoE. This router has several interfaces for the local net. I need one of those interfaces to be serving traffic over the VPN, and nothing more.

local_pc -> switch -> port on the router "vpn_lan" -> magic + NAT -> stuff goes out through the VPN tunnel to the internet.

However, I don't want any other traffic to go through this VPN interface (hence later deleting routes for it).

So, I've set up:
- a LAN-facing interface "vpn_lan" with its own IP range, DHCP etc.
- the VPN (OpenVPN entities -> client), and set "route-noexec" in miscellaneous to make sure that router traffic or any other traffic won't get pumped through the VPN link. The client shows as stably connected, and has its own IP from the VPN tunnel.
- the firewall: allows everything on vpn_lan to any (same as a typical LAN interface).
- a new interface "vpn_wan" through interface assignment, and enabled it. I've left the IP part blank to let it be controlled by the VPN tunnel client.
- the NAT to behave the same way as LAN, just with the relevant interfaces and addresses changed to serve this contraption.
- DHCP (but that's outside of this exercise).

Clients on the switch plugged into this port obtain an IP without a problem. I can ping the router address without a problem - however, pinging anything on the internet gives "no cigar".

"Any ideas ?"
#6
OK, so I will admit that you are right in 99.9999% of cases; however (since I'm a moron and love to complicate my own life) I've had two interfaces (by design) with overlapping IP ranges.
I've redesigned stuff to eliminate the overlap, but for me it's suboptimal - it would be nice to be able to assign "subnets" to interfaces, but "it is what it is".
Thanks for your help.
#7
Hi,
I'm missing something in the configuration of KEA. I would like KEA to serve two different IP pools on two different interfaces, but the GUI configuration doesn't seem to support that.
For example:
LAN - 192.168.0.1/24
OPT1 - 192.168.1.1/24
OPT2 - 192.168.2.1/24

Or shall I just drop back to ISC?

etc etc.
#8
Hi Chaps, I'm kinda at the end of my rope with this one. The problem is relatively academic:
set up two instances of OPNsense (let's call those opnsense1 & opnsense2).
Set both up in pretty much identical form, using PPPoE as the WAN interface, as vanilla as possible - not even an MSS clamp!
Set both up as per the HA guide - everything works OK, they can synchronize their own configs, all is great in router land.
Reboot one machine, and everything fails over to a second one just perfectly.

The problem here is that if, on the node that is marked as "master carp", the PPPoE disconnects for ANY reason, "slave carp" will gladly jump in and establish the PPPoE connection. The problem here is that the virtual IP did change between opnsense1 & opnsense2 ... I know that WAN failure shall not cause CARP failover, however why does selecting "Disconnect dialup interfaces" in HA settings mean absolutely nothing, and the slave can still try to use PPPoE ?!?!

I know that I'm pretty dumb, so please let me know that there is some magical setting or secret handshake that I'm not privy to - because PPPoE disconnects happen pretty regularly on my FTTP.

OK, some details:

both routers are VMs

both have identical 4 interfaces, 3 physical, 1 virtual:
first interface is connected to the switch connected to the ONT
second interface is for pfsync
third interface is for LAN
fourth interface - this one is for future fun stuff with VPN etc.

WAN is set up as IPv4 PPPoE (which makes vtnet0 free in the assignments window) and DHCPv6 (Request the IPv6 information through the IPv4 PPP connectivity link).

on both routers there are two gateways, one for PPPoE and one for IPv6, and on the CARP slave the PPPoE gateway shows as "defunct".

IF the PPPoE connection disconnects on the CARP slave, PPPoE rapidly connects on the slave and shows a valid IP address in the dashboard, WHILE the gateway still shows as "defunct" - beats me, but that might be a bug?! Dunno, but the PPPoE daemon might've been accidentally left running even though it's supposed to be "defunct"?