Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - nzkiwi68

Pages: [1] 2 3 ... 12

Web Proxy Filtering and Caching / Re: HAPROXY add GeoIP capability and run rules inside HAPROXY based on GeoIP

« on: November 24, 2023, 03:01:34 am »

Quote from: WhiteTiger on November 18, 2023, 11:16:31 am

Perhaps these instructions refer to a previous analysis, because I did not understand the need to establish paths that begin with /login/.
In any case, I don't see in the code where you check for /login/

What is the goal you aim to achieve?

No these instructions do not refer to previous analysis or set of instructions.

There is nothing in the code about /login/ - I am merely talking about the concept on using these instructions to satisfy a need to do something like:

The URL requested starts with a path, say /login
and the request is coming from a GeoIP of Australia
Then allow the request, else block the request

In my concept above, you could then allow logins to a website only from Australia IP addresses.

The instruction are for:
How to add GeoIP capability and run rules inside HAPROXY based on GeoIP

Then, how to add the GeoIP capability for HAPROXY starts in my post:
*****************************************************
ONE: These two files need to get added to the system
*****************************************************
... and so on

You do need a high understanding of how HAPROXY works for any of this to make any sense.

Web Proxy Filtering and Caching / HAPROXY add GeoIP capability and run rules inside HAPROXY based on GeoIP

« on: November 17, 2023, 05:29:55 am »

Firstly, let me credit Brett Merrick for huge assistance. This is not all my own work.

Here's the steps to get GeoIP working inside HAPROXY, not at the firewall rule layer, but inside HAPROXY and still utilising OPNsense GeoIP alias function.

You can write conditions such as:
Condition: Paths starts with /login/
Condition: GeoIP matches Australia

Then write a rule that does things like:
Rule: Only permit login from Australia (Permit http_request if matches "Paths starts with /login/" and "GeoIP matches AU"

Very cool! Any many, many more possibilities for protection, reject excessive error rates or connection rates from certain countries, use Tarpitting on some countries and not others, and so on.

Ok - how:

*****************************************************
ONE: These two files need to get added to the system
*****************************************************

File1
filename: actions_custom.conf
location: /usr/local/opnsense/service/conf/actions.d/

Code: [Select]

[update]
command:/usr/local/opnsense/scripts/custom/haproxy-alias.sh
parameters:%s
type:script
message:Updating HAProxy Alias %s
description:Update HAProxy Alias

File2
filename: haproxy-alias.sh
location: /usr/local/opnsense/scripts/custom/

Code: [Select]

#!/bin/csh
if ( $#argv == 0 ) exit 1
configctl filter list table "$1" > "/var/haproxy/$1.lst"
chown 80:80 "/var/haproxy/$1.lst"
exit 0

************************************************************
TWO: Build the GeoIP alias "acl_geoip_au" (for say Australian IP addresses
************************************************************
If you haven't setup for the GeoIP downloads to get the GeoIP databnase list, then follow the OPNsense documentation first:
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
Normal firewall GeoIP settings
Firewall > Aliases > GeoIP settings

*** make sure to only use ipv4 if you don't have ipv6 ***

*******************************************
THREE: Create the cron job and run it ONCE
*******************************************
Then set to run overnight after midnight sometime ideally running after GeoIP DB update and before HAPROXY reload. You will need an HAPROXY reload to pickup the new GeoIP tables.

************************
FOUR: Now setup a condition
************************
e.g.
Name: GEOIP_AU
Condition type: Source IP matches specified IP (from the drop down list)
Parameters: -f /var/haproxy/acl_geoip_au.lst

(see the acl_geoip_au.lst - that needs to match the firewall GeoIP alias name. In my example the alias name is acl_geoip_au)

*****************************************************************************
FIVE: Go make a rule that uses your condition and attach it a backend or frontend as appropriate
*****************************************************************************

Want more GeoIP ranges?
Start at step two and rinse and repeat for more aliases with different country combinations.
Each aliases needs a CRON job and don't forget you need to run the CRON job once to get the alias ready for HAPROXY to use.

Intrusion Detection and Prevention / Re: crowdsec firewall bouncer does not start

« on: October 17, 2023, 06:04:04 am »

Same issued here - fresh install on two new 23.7.6 firewalls

/var/log/crowdsec/crowdsec-firewall-bouncer.log:

Code: [Select]

time="17-10-2023 16:07:54" level=warning msg="unexpected ${BACKEND} mode"
time="17-10-2023 16:07:54" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-freebsd-af6e7e2"

High availability / Re: CARP awareness for Wireguard 2.0 & follow a single interface - 23.7.3

« on: September 10, 2023, 03:26:06 am »

My updated script 10 Sep 2023 - now working excellently to enable super fast fail-over for WireGuard for clustered firewalls.

Quote

#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("util.inc");
require_once("interfaces.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($subsystem != "1@igb0") exit;

if (!in_array($type, ['MASTER', 'BACKUP'])) exit;

switch ($type) {
case 'MASTER':
shell_exec("/usr/local/sbin/pluginctl -s wireguard start");
log_msg("Starting WireGuard due to CARP event '$type' on '{$subsystem}'");
break;
case 'BACKUP':
shell_exec("/usr/local/sbin/pluginctl -s wireguard stop");
log_msg("Stopping WireGuard due to CARP event '$type' on '{$subsystem}'");
break;
}

Important notes

**** ONE ****
You MUST change the line "if ($subsystem != "1@igb0") exit;" to follow an interface.
This is normally your LAN since that's where for most people the WireGuard tunnels will be tunneling VPN traffic to and from.

The "1" must be the VHID number and the "igb0" must equal the interface "Device" name.
If your interface is using a vlan, then it could look like this:

if ($subsystem != "2@vlan01") exit;

**** TWO ****

Place the script in this location "/usr/local/etc/rc.syshook.d/carp/"
Call the script "10-wireguard" - no extension
Make sure the script has execute permissions

**** THREE ****
Make sure the WireGuard package is set to replicate to the backup firewall.

Code: [Select]

System > High Availability > Settings > WireGuard "selected"

**** FOUR ****
If you are using a dynamic routing protocol, I recommend the FRR package and setup BGP.
Then FRR does NOT need to follow CARP, it can remain on and alive on both the MASTER and the BACKUP firewall at the same time.

Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears

« on: September 10, 2023, 03:09:46 am »

I've tested the above and it seems very good.

Also, I no longer need to have
System > High Availability > Settings > WireGuard "unselected"

In fact, I need that set as selected and it is looking very, very good.

The Firewall "WireGuard (Group)" now consistently appears.
Transition for a failover is the loss of a single ping.
I have FRR running on the primary and the backup firewall, alive, NOT following CARP and I rely on the WireGuard tunnels going up and down according to CARP and this is working excellently.

Thanks Franco!

Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears

« on: September 10, 2023, 01:55:56 am »

Thanks.

So on transition to BACKUP, don't write

Quote

config['OPNsense']['wireguard']['general']['enabled'] = '0';

But, then, the code:

Quote

use OPNsense\Core\Backend;
$backend = new Backend();
$backend->configdRun('template reload OPNsense/Wireguard');
$backend->configdpRun('wireguard configure');

Well, that won't actually stop WireGuard anymore because it's "enabled"...

Will this command from be the better fit?
https://forum.opnsense.org/index.php?topic=35578.msg172989#msg172989

Quote

pluginctl -s wireguard stop

Therefore my CARP script would become:

Quote

#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("util.inc");
require_once("interfaces.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($subsystem != "1@igb1") exit;

if (!in_array($type, ['MASTER', 'BACKUP'])) exit;

switch ($type) {
case 'MASTER':
         shell_exec("/usr/local/sbin/pluginctl -s wireguard start");
         log_msg("Starting WireGuard due to CARP event '$type' on '{$subsystem}'");
break;
case 'BACKUP':
         shell_exec("/usr/local/sbin/pluginctl -s wireguard stop");
         log_msg("Stopping WireGuard due to CARP event '$type' on '{$subsystem}'");
break;
}

Thanks.

Virtual private networks / Re: WireGuard "Local" missing "Shared Secret" in GUI 23.7.3

« on: September 10, 2023, 01:22:39 am »

Thanks, sounds good!

And, I've learnt a little more too.

Virtual private networks / Re: WireGuard "Local" missing "Shared Secret" in GUI 23.7.3

« on: September 09, 2023, 11:01:28 am »

ok!

Thanks very much Patrick M. Hausen for the explanation.

So... peer side at each end is where you use a PSK, like this:
peer / endpoint for Site A > B
and
peer / endpoint for Site B > A

But not the local "server" settings, because that's not really a server at all, it's actually just a wg interface.

Naming consistency
"Local" should be renamed to "Interface"
"Endpoints" should be renamed to "Peer"

This is in keeping with Wireguard terminology.
Reference: https://www.wireguard.com/#simple-network-interface

Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears

« on: September 09, 2023, 10:52:51 am »

No, I don't think so.

#!/usr/local/bin/php
<?php

require_once("config.inc");
require_once("util.inc");
require_once("interfaces.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($subsystem != "102@igc0") exit;

if (!in_array($type, ['MASTER', 'BACKUP'])) exit;

switch ($type) {
case 'MASTER':
         $config['OPNsense']['wireguard']['general']['enabled'] = '1';
         write_config("Enable WireGuard due to CARP event on '{$subsystem}'", false);
         log_msg("Starting WireGuard due to CARP event '$type' on '{$subsystem}'");
break;
case 'BACKUP':
         $config['OPNsense']['wireguard']['general']['enabled'] = '0';
         write_config("Disable WireGuard due to CARP event on '{$subsystem}'", false);
         log_msg("Stopping WireGuard due to CARP event '$type' on '{$subsystem}'");
break;
}

use OPNsense\Core\Backend;
$backend = new Backend();
$backend->configdRun('template reload OPNsense/Wireguard');
$backend->configdpRun('wireguard configure');

Virtual private networks / Re: 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears

« on: September 07, 2023, 11:35:51 pm »

I'm wondering if this is because of clustered firewalls and CARP and my WireGuard CARP script.

The script does get fired for start and stop quickly during a CARP standup and I wonder if the mechanism that creates the Firewall rule group "WireGuard (Group)" gets a bit lost.

Virtual private networks / Re: Firewall rules not applying properly to wireguard

« on: September 07, 2023, 11:32:09 pm »

Did you have the allow rules at the remote end again the "WireGuard (Group)", perhaps that firewall rule group is now missing?

Virtual private networks / WireGuard "Local" missing "Shared Secret" in GUI 23.7.3

« on: September 07, 2023, 11:30:06 pm »

Am I missing something?

VPN > WireGuard > Settings > Endpoint
You can specify a "Shared Secret"

On the remote site, where this Endpoint connects to:
VPN > WireGuard > Settings > Local/b]
I cannot see any way to add the "Shared Secret"

Or am I missing something?

Virtual private networks / 23.7.3 Wireguard firewall rule group "WireGuard (Group)" appears then disappears

« on: September 07, 2023, 10:21:50 pm »

I have had a really good go at trying to figure out the logic of when and how but I wasn't able to deteremine what's going on. What I can say is on 90% of the firewalls, the "WireGuard (Group) firewall rule group is missing despite rebooting, stopping and starting WireGuard, etc.

This is happening across many different firewalls, different hardware, Hyper-V based VMs, clustered and not clustered. I realised the problem when I had one way traffic, because the remote end had allow firewall rules only on the "WireGuard (Group)" that disappeared so blocked all inbound wg tunnel traffic.

What happens
If you're quick enough in the GUI, you see the "WireGuard (Group)" firewall rule group appear and then after a while, disappear.

Work around
1. Add every wq interface inside:
VPN > WireGuard > Settings > Local
(e.g. wg1, wg2, wg3...)

2. Assign these as an interface in:
Interfaces > Assignments

3. Then create allow firewall rules on these individual firewall interfaces

4. If you are running clustered firewalls
You need to start WireGuard on the backup firewall to be able to also add the interfaces to the backup firewall.

High availability / Re: Virtual IP Status weird.

« on: September 07, 2023, 01:45:43 am »

Maybe you can use less CARP addresses too.

You can "stack" addresses onto a single CARP VHID using IP Alias for the same interface. I use this for WAN a lot.

Example:
WAN CARP = 202.202.202.202/24 with VHID 100

You can add additional WAN addresses onto the same interface:
WAN IP Alias = 202.202.202.203/24 with VHID 100
WAN IP Alias = 202.202.202.204/24 with VHID 100

See the attachment for an example I added to my LAN for you to see....

See https://docs.opnsense.org/manual/firewall_vip.html

High availability / Remove 20-openvpn CARP script unless OpenVPN is actually being used

« on: September 07, 2023, 01:35:55 am »

Have a master "Enable OpenVPN" that writes the 20-openvpn script into /usr/local/etc/rc.syshook.d/carp/ directory, otherwise the script does not exist.

If you unselect "OpenVPN" then the CARP script /usr/local/etc/rc.syshook.d/carp/20-openvpn is removed.

Why?
Because the script gets called and runs again and again and again for CARP events of INIT, BACKUP and MASTER events even when your are not running OpenVPN.

Pages: [1] 2 3 ... 12