Messages - OPNjk

#1
Thanks for your answers, franco!

(Honestly,) I only tried the bogons download from the command line (and it failed). But I had only tried because there were no bogons files on the secondary firewall while there was one on the primary - this is why I suspected this to be a problem. I will update the cronjob to run more often and check if (updated) files appear! I'll let you know.

> That's not a usual setup and most people in stricter environments don't care too much about not having outside access for stray components since everything is configured to use local services.

All services I found I configured to use local services as well (although I'm not doing the stunt because I need a "stricter environment" but I am constrained with the public IPs, unfortunately 😕). I will have an eye on it - luckily there is a nice error message from arpresolve that indicates once the secondary firewall tries to access the default gateway... 🙃

Looking forward to using OPNsense in the environment!

#2
TL;DR

Is there a(n easy) way to proxy cronjobs in OPNsense (like for bogons download, ...)?

Network Setup

I am currently prototyping a (non-standard) firewall setup with an HA pair of OPNsense gateways (the gateways are only doing firewalling and NAT, no services like dhcp/dns/squid/vpn/...). The challenge I have is that the provider uplink is currently configured with a /30 transport network (official IPv4 addresses) so that obviously I can only have one IPv4 address for the communication - the transport network is used by the provider to send additional networks to me.

Idea

I have found script-driven solution(s) for such scenarios but did not really like having additional scripting (that might break in the future) applied and came up with the following idea:

  • Use a private IP network on the wan interfaces of the OPNsense gateways fw1 (192.168.0.1/24) and fw2 (192.168.0.2/24).
  • Add my IP address from the /30 transport network as a CARP address: 192.0.2.86/30 (provider has 192.0.2.85)
  • Add a (default) gateway: 192.0.2.85 (which works fine once you have the CARP address configured)
  • Configure Outbound NAT, firewall rules, etc.

Findings

I really like how this works without any scripting and for all communication traversing the OPNsense (Clients<->Internet) this seems to work fine from my testing. Also the CARP failover works like a charm with all connections and NATs being preserved properly. 🥳

Obviously all gateway-originating traffic will be a challenge from the secondary firewall as it does not have an official IP to communicate towards the Internet. For configd there is a documentation snippet on how to add a proxy configuration which allows the firewalls (the primary but also especially the secondary) to update packages (and install plugins, ...) via a proxy. As there are no services running on the firewalls there are only some outbound connections left that can be fixed easily: NTP (obviously easy to fix with internal NTP servers), DNS (same), syslog (same).

There is at least one job that does not seem to use the proxy configuration, which is the bogons download that is triggered by crontab.

... and finally the Questions

  • Is there a(n easy) way to make fetch in the bogons-download use the http_proxy as well? Also without breaking other stuff?
  • Are there other cronjobs/daemons/functions that I missed that may have the same problem when no Internet is available on the secondary firewall?

Thanks.
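Added example (not from the thread or from the OPNsense project): a small POSIX sh wrapper showing the two things the post is circling around, namely handing a proxy to a single cron-driven command without touching the rest of the system, and checking afterwards whether the bogons file on the secondary actually got refreshed. The proxy URL, the bogons file path, the download URL and the refresh interval are placeholders I made up for illustration; OPNsense's real paths are not on this page. On FreeBSD, fetch(1) honours the HTTP_PROXY environment variable, which is what the wrapper relies on.

```shell
#!/bin/sh
# Added example, not OPNsense code. Helpers for a proxy-only HA secondary:
#   run_with_proxy - exports HTTP_PROXY/HTTPS_PROXY for one command only
#   bogons_stale   - true when the stored bogons file is missing or too old
#   refresh_bogons - cron wrapper combining the two and logging a failure
# All URLs, paths and the interval below are assumptions for illustration.

PROXY_URL="${PROXY_URL:-http://proxy.example.internal:3128}"   # assumed internal proxy
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"                               # assumed refresh interval

# Run one command with proxy variables set in a subshell, so the calling
# shell (and anything else on the box) never sees them. fetch(1) on FreeBSD
# reads HTTP_PROXY; NO_PROXY keeps local services on a direct path.
run_with_proxy() {
    (
        HTTP_PROXY="$PROXY_URL"
        HTTPS_PROXY="$PROXY_URL"
        NO_PROXY="localhost,127.0.0.1"
        export HTTP_PROXY HTTPS_PROXY NO_PROXY
        exec "$@"
    )
}

# Return 0 (true) when the file is missing or older than MAX_AGE_DAYS,
# 1 otherwise. find -mtime works the same on BSD and GNU find.
bogons_stale() {
    file="$1"
    [ -f "$file" ] || return 0
    # find prints the path only if it was modified within the window
    if [ -n "$(find "$file" -mtime -"$MAX_AGE_DAYS" 2>/dev/null)" ]; then
        return 1
    fi
    return 0
}

# Cron wrapper: download via the proxy, then verify a fresh file is there.
# The file path and URL are placeholders, not OPNsense's real locations.
refresh_bogons() {
    bogons_file="${1:-/tmp/bogons-ipv4.txt}"
    run_with_proxy fetch -q -o "$bogons_file" \
        "https://bogons.example.invalid/fullbogons-ipv4.txt"
    if bogons_stale "$bogons_file"; then
        logger -t bogons-refresh "bogons file $bogons_file missing or stale after refresh"
        return 1
    fi
    return 0
}
```

Calling `refresh_bogons /path/to/bogons` from the secondary's crontab gives a log line on each failed refresh, which is the signal the first post was looking for when comparing the two firewalls by hand. Keeping the export inside the subshell is what keeps "other stuff" unaffected.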