Messages

The Problem is, for internal RDP Access or internal Exchange CA, we need a CRL Url, as MS forces it to be present.
It is not about OCSP/CRT which one is better or if it is useful. It is just about what MS dictates. Thats the law.

Currently we can make CRL files, but the URL is not included in the Certificate.
We just would need a simple Attribute for the CRL, which could be manually entered (or defaulted).
This would be no security risk. it does not need to be managed.
Also it would be good practice and a useful optional feature to just set the url.
It would be very easy to implement (i guess 10 minutes ;-), it has not disadvantage and is logical, as it adds a connection to the already offered crl.
Currently it is strange, that we can make CRL but not add them to certs anyway.

Nevertheless if opnSense would upload and maintain the CRL list using sftp on a webserver it would be perfect.
But this would be much work todo, so i did not suggest the full feature.

It is good practice, to use your own CA for management devices etc.
The own CA is better than any third-party one imho.
Also for internal IPs it is not possible to gain Certs from big CAs.
If a CRL is not set, we are forced to use the self-signed snail certs from MS or have to deploy AD Certs...

Hi,

referring to my Feature Request, is it possible to get a CRL Attribute quickly into a new Server Certificate?
MS Exchange Server, MS Remotedesktop, ... all need an valid CRL URL.
Its just a simple string...
Maybe there is a way to edit a template or pass sth?

Hi,

let's start giving sth. to the community, before posting ask-posts...

How-To Setups IONOS API with Dynamic DNS?

1. Install ddclient Package
2. Goto Services>Dynamic DNS
3. Check if General Settings is to "native" for backend
4. Use the Update URL from IONOS Manual [1]
5. Add Account (+) with: Service: custom, Protocol: Custom GET
   For Server put: https://ipv4.api.hosting.ionos.com/dns/v1/dyndns?q=xxxxxxxxxxxxxxxxxxxxxxSECRETxxxxxxfromxxxxAPIxxxxPortal&ipv4=__MYIP__
   Hostname: Your DynDNS Hostname which should be the same as in API command
   Check ip method: Interface [IPv4] if direct dialin/connection (OPNsense knows WAN IP)
   Interface to monitor: WAN IF (e.g. VLAN 7 or PPoE)
   Force SSL: enabled (default)

The main difference which can cause problems is:
1. You try POST instead of GET (because IONOS writes about POST...)
2. You can use the GET URL in your Browser and it works without &ipv4=__MYIP__ but if you dont add this in this Server URI, it wont work.
Logs are so bad, even on verbose, there should be a much more detailed Web-UI for debugging this...

Anyway i hope someone finds this information usefull.
if so, please just reply if it worked for your.





[1] https://www.ionos.de/hilfe/domains/ip-adresse-konfigurieren/dynamisches-dns-ddns-einrichten-bei-company-name/

Maybe you should take a look at snapshots, which would probably solve all of those problems - and they do not use double the HDD space...

This seems to be a quite intelligent solution, so we can define a snapshot in a good well known state and set it to recover on next boot.
then play and fiddle with the config and lets see if we can do 1-2 days.
then make a new snapshot and set it as default.

seems to be a good solution, maybe we can automate this a bit?

If someone needs WOL, it needs to be easy for users. Users arent admins, users are lazy, they need scripts etc.

If we inject WOL Packets from another Router using NAT or over same Router using IPSec, we cant WakeUp using Wake-On-LAN.
We can use the UDP Relay Plugin, so the NAT Router will forward Port x UDP to the goal subnet for a specific IP...

Imagine we use a wakeup tool, which creates an UDP Packet with dst-pc-for-wakeup like aa:bb:cc:dd:ee:ff and as parameter for UDP packet an IP Address like 192.168.x.123 or 192.168.x.255.
In the first case, we will know that this IP Address is not there, as the device is sleeping. so no response of being heared..
in this case, the router should be intelligent, and detect, that the package is for broadcast ff:ff:ff:ff:ff layers 2 and resend it here.
maybe we can add a dummy alias ip as neighbour like 129.168.x.222 with broadcast ff.. mac.. so if proxy arp for this IP is enabled.. the OPNsense will send to broadcast.. anyway thats tricky. there should be a simple thing like:
  forward and obey magic packets correctly
 OR
  add an alias ip, when this ip is pinged from IPsec connection n, then wakeup this host. maybe it could be the same ip of the host.
 OR
  just notice that an UDP packet to ...255 broadcast address should just be resend on ff:.... even if in routing mode for IPSec client etc. or behind NAT.

maybe someone may understand whats my concern ;)

If we dont need to be compatible or world-open, we just dictate... just use SHA512 or better, just use aes-256 etc..
okay for Webservers we need to obey (maybe) some minimal algos, but...
i think we just need to support current firefox, chrome, edge, and lynx/wget.
so we need paranoia-templates, so we can save them once and reuse them everytime we create a new ipsec dialin, a new cert, etc.
also we need presets for lame vendors who just support RSA2048+SHA256.. maybe we could name these presets like the vendor netg*** and so on.

Off-topic: also we need export options for exporting certs in different styles like binary/ms rdp style etc...

Currently we are not state-of-the-art, we can change settings and apply them.
But why do we force them to save?

i would prefer the normal CLI way, that every setting (not for CA, etc, but for Firewall/IFs/..), we should have no immediate save.
Instead after changing settings and/or pressing apply, all settings should be inside a running-config.
If and only if we do a logout with save confirmation or manually save action using write-memory from CLI (shell) or GUI, we wont persist on the current conf.

Another variant would be, to have some tagged configs, which work fine, so if we go to our OPNsense and know it was running fine, we make a tagged config.
This tagged config should be selectable, maybe we could have 20 or more of them with a description like an svn commit.

Anyway if we put the power plug, running-config needs to be dropped and we want to start with startup-config instead so we cant ever lockout ourself.
okay plugging out is ancient, but another way would be:
If OPNsense notices, that the Web or SSH connection which initiated the change is not communicating anymore, it should do a rollback to a well known state.
Also it needs to check a new handshake... and some more tests..

Maybe its ancient, but its well prooven. we could have a watchdog, which notices, that the admin is not connected anymore, and then it could rollback.

a bit offtopic but also same thing:
add dual firmware image / dual installation like android project treble with AB image.
if update fails, we need a super quick way to get back.
no time for playing BSD admin on shell or sth else.. nobody wants this...
we just want to go back to previous installation before update.
means just use double HDD space for installation.

Currently we are allowed to obey CIDR if configuring IPs inside a Pool for IPSec Clients.
If we dont need routing, we dont need CIDR, because we use Proxy ARP, so please allow to enter an IP Address range like 192.168.x.123-192.168.x.125,
so we can save many IP Addresses inside a Subnet, when we just use Proxy ARP for some Homeoffice Users.

Please add "crlDistributionPoints" Attribute to the own Trust->CA. (means to every new Certificate)
Currently MS Remotedesktop, MS Exchange Server, etc. forces an CRL to be present, even if it is useless in many cases.
So we need to have an option to set this cert value to an CRL url like http://crl.example.com/crl/root.crl

Also please preserve several settings like DNS Names, and all other values, if updating a certificate.
Also add an option to sync Trust/CA on 2 OPNSense firewalls as CA Backup, without having to import/export whole config.
Maybe a CA only export/import including all certs.

About the CRL Download: Pfsense already fixed it [1], we need an empty CRL as download.
nobody starts with an 1+ CRL size, most we a clean and dont need a revocation.

Also offer automatic upload like OPNsense could upload the current CRL to a sftp server after a change.

[1] https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e

Kind Regards
BGP4