Messages - wickeren

1
High availability / no DHCPv4 logs on master
« on: November 17, 2023, 05:11:10 pm »
Have a HA setup, everything seems to work fine, except I'm unable to see ANY DHCPv4 logs on the master, no matter if using real or VIP IP. Always shows up empty in GUI, although in /var/log/dhcpd/ there is a dhcp_<date>.log with actual data and latest.log linking to it.

On backup node I can access the log from the GUI just fine, but just as long as it is backup. As it becomes master (by powering off the first node), the problem moves to the second node.

It seems you somehow can't access the DHCPv4 logs in the GUI on a node that is master...

Any ideas?

2
Web Proxy Filtering and Caching / Re: WAF violation status code 403
« on: May 12, 2023, 11:17:54 pm »
Tnx! I think I can live with that for now.
What’s the best way to make suggestions to get things like this probably embedded in a next version?

3
Web Proxy Filtering and Caching / Re: WAF violation status code 403
« on: May 08, 2023, 09:21:39 pm »
No idea how to return a more formally correct status 403 for a WAF violation?
Unlike in haproxy, is there no such thing in NGINX to do custom options?

4
Web Proxy Filtering and Caching / Re: WAF violation status code 403
« on: May 02, 2023, 04:23:10 pm »
Or even better: add a "Violation status code" setting in the GUI, setting the required status code.

5
Web Proxy Filtering and Caching / Re: WAF violation status code 403
« on: May 02, 2023, 03:45:45 pm »
Ok I can see in the config:

location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;


If I add return 403; it works as expected, WAF is detected fine by different security scanners.

But it's overwritten/deleted every time I hit Apply in the GUI.
Any way to make a permanent custom config? Or any other way to add the return 403; ?

6
Web Proxy Filtering and Caching / WAF violation status code 403
« on: May 01, 2023, 07:27:34 pm »
Is there a way to let nginx give a status code of 403 in case of violation of the NAXSI rules?
Some security scanners now can’t detect a WAF and flag that as a security issue. The cause seems to be the 200 response instead of a 403, even if the request is actually denied. Setting a custom error violation page won’t work either, because “Only the page content itself is used. Status code rewriting and redirection is not supported”

Any ideas how to get a 403?

7
General Discussion / Re: Switching from KPN PPPoE to IPoE
« on: July 22, 2019, 05:35:14 pm »
Really nobody with a similar setup?

8
General Discussion / Switching from KPN PPPoE to IPoE
« on: July 17, 2019, 11:19:51 pm »
My fiber provider in Holland (KPN) offered me a free upgrade from 100Mb to 200Mb, but told me I need to switch from PPPoE to IPoE.
Current situation: WAN is PPPoE, getting first IP automatically from my /29 subnet from provider, and configured the remaining IPs as an alias, working perfectly fine. LAN is on 192.168.1.0/24.
As I was unfamiliar with IPoE I started looking around and read everywhere I should just change the WAN type to DHCP and asked KPN for confirmation for that.

To my surprise they told me it was quite different and gave me an example config for Cisco that looks quite strange to me. This was the only example they could provide. The Cisco config they gave me seems to say to configure the WAN on a static IP in a different /30 subnet (calling it an “interlink subnet”) with a gateway in that same subnet and configure my current /29 subnet on the LAN side…

!## Guide, IPoE setup with Cisco router.
!## Port type may differ
!-------
!------- WAN port ----
!-------
interface GigabitEthernet0/0/0
 description Connection to WAN
 ip address 145.54.111.62 255.255.255.252
 speed 100
 duplex FULL
 MTU 1500
!
!-------
!------- LAN ------
!-------
interface GigabitEthernet0/0/1
 description to Customer LAN
 ip address 31.149.115.137 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 145.54.111.61
!


That looks ridiculous to me, as I don’t want my public IPs on the LAN! And I also don’t want to buy another router to put in front of OPNsense so I could use my public IPs on my OPNsense WAN.
Any idea how to configure this right on the OPNsense WAN interface? Could I probably just use the /30 subnet as suggested as primary and configure the /29 as aliases on the WAN also?
Anyone familiar with IPoE in general and/or KPN setup in particular?

Regards,

Julian

9
19.1 Legacy Series / Re: IPoE
« on: July 12, 2019, 12:12:22 pm »
Did you ever make this work? KPN told me I could upgrade my fibre connection, but need to switch to IPoE as well.
Is this simply setting the WAN to DHCP or Static IP instead of PPPoE, which is currently used?

10
17.7 Legacy Series / Ipsec NAT/BINAT option missing
« on: September 09, 2017, 03:28:47 pm »
Reading the docs it seems there should be a NAT/BINAT option in the IPsec phase 2 settings to do translation before the traffic enters the tunnel. However, in my setup (17.7.1) it is missing. Has this changed and are the docs not updated, or am I missing something else?

Julian
