Topics - Hektor

#1
General Discussion / CARP and MAC Address Spoofing?
February 09, 2020, 11:15:50 PM
Hello,

I have 2 servers and 2 public IPs (1 IP for each server). I want to configure HA via CARP and pfsync.

LAN CARP interface is up and running via Virtual IP.

As far as my understanding goes:
I need a 3rd public IP for the WAN CARP interface, don't I?

Maybe it's possible to use 2 different IPs from another network on the 2 existing WAN interfaces and use 1 of the public IPs on the CARP interface? Problem is that the provider is using MAC address filtering so I would need to spoof the MAC address on the WAN CARP interface.

Any suggestions how to accomplish that?
#2
Hello,

So far everything is working fine BUT:
Only 1 firewall is used as a gateway for both machines and the other one acts like a passive backup.

To improve I'm thinking about using OPNsense with CARP for HA and automatic failover without changes on all servers and VMs. OPNsense is running as Hyper-V guests on each host already but without CARP.

Here is a network diagram (thanks a lot to https://textik.com):
                                                 +----------+                                             
                                                 | INTERNET |                                             
                                                 +----------+                                             
                                                       |                                                   
                                                 +-----|----+                                             
                                +----------------- Gateway  -----------------+                             
                                |                +----------+                |                             
                                |                                            |                             
                       +-----------------+                          +-----------------+                   
                       | NIC1: Public IP |                          | NIC1: Public IP |                   
                       +-----------------+                          +-----------------+                   
                 +-----------------------------+              +----------------------------+               
Hyper-V Host1   |                             |              |                            |  Hyper-V Host2
                 |  +---------+                |              |  +---------+               |               
                 |  | VM: FW1 |                |              |  | VM: FW2 |               |               
                 |  +---------+                |              |  +---------+               |               
                 |       |                     |              |       |                    |               
                 |  +----|----+                |              |  +----|----+               |               
                 |  | VM: DB  |                |              |  | VM: TS  |               |               
                 |  +---------+                |              |  +---------+               |               
                 |             |               |              |         |                  |               
                 |             |               |              |         |                  |               
                 +-------------|---------------+              +---------|------------------+               
                                +-----------+                    +-----------+                             
                                | NIC2: LAN +--------------------- NIC2: LAN |                             
                                +-----------+                    +-----------+


The main idea is to have all VMs and also the host behind a firewall. Access will be possible only via VPN -> WireGuard is up and running already. That is working already but only with 1 firewall which is not ideal.

My questions are now:

  • How to change the network to implement CARP (if that's possible)?
  • Do I need a 3rd public IP for the new "virtual WAN gateway" or can I use one or both of the 2 available already?
  • Does it make sense to somehow use both public IPs for the 2 firewalls?
  • I think the 2 virtual IPs for WAN + LAN can be configured on top of the 2 existing NICs, can't they?
  • Is XMLRPC needed to sync the configuration?
  • Seems that WireGuard doesn't work with CARP? Any recommendation/solution?
    Reference: https://forum.opnsense.org/index.php?topic=14269.0

The provider is using MAC address filtering to allow access to the gateway but I managed that successfully with MAC address spoofing already.
#3
OPNsense 19.7.10 + 20.1 - just updated.

WireGuard crashes and doesn't start anymore when you add a peer without a public key.

Steps to reproduce:
- Set up WireGuard
- Create a WireGuard peer -> leave the Public Key empty
- Add the peer to the configured WireGuard instance
- Save -> WireGuard seems to crash and will not start anymore until you remove the "empty" peer

Probably it's a WireGuard issue but since I didn't find any logs I'm not sure.

Solution:
- Check if it's a WireGuard issue
- Allow adding valid peers only
- If available: check the WireGuard configuration before applying it and cancel if there's an error
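One way to implement the "allow adding valid peers only" check suggested above, as an added example that is not part of the post or of OPNsense/WireGuard itself: it parses a wg-quick style config and refuses any peer whose Public Key is not a base64-encoded 32-byte key, so the empty-peer case never reaches the daemon (the sample config, the key, and the function names are constructed for this example).

```python
import base64

# Constructed sample (not from the post): a valid peer followed by a peer that
# was saved with an empty Public Key, the case the post says crashed WireGuard.
VALID_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed 32-byte key
SAMPLE_CONFIG = f"""[Interface]
PrivateKey = {VALID_KEY}
[Peer]
PublicKey = {VALID_KEY}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey =
AllowedIPs = 10.0.0.3/32
"""

def parse_sections(text):
    # Keep every repeated [Peer] section separately (configparser would merge them).
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def key_problem(value):
    # None for a well-formed Curve25519 key, otherwise why it is invalid.
    if not value:
        return "is empty"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "is not valid base64"
    return None if len(raw) == 32 else f"decodes to {len(raw)} bytes, not 32"

def validate_config(text):
    # Returns the list of problems; apply the config only when it is empty.
    problems = []
    peers = [f for name, f in parse_sections(text) if name == "Peer"]
    for i, fields in enumerate(peers, 1):
        err = key_problem(fields.get("PublicKey", ""))
        if err:
            problems.append(f"peer {i}: PublicKey {err}")
        nets = [n.strip() for n in fields.get("AllowedIPs", "").split(",") if n.strip()]
        if not nets:
            problems.append(f"peer {i}: AllowedIPs is empty")
    return problems
```

Run `validate_config()` on the rendered config before handing it to wg-quick and abort the apply step when the returned list is not empty.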
#4
Hello and Happy New Year!

I'm running the following OPNsense version at the moment with an OpenVPN server for road warriors:
OPNsense 16.1.20-amd64
FreeBSD 10.2-RELEASE-p19
OpenSSL 1.0.2h 3 May 2016

The OpenVPN Server Mode is set to "Remote Access (SSL/TLS + User Auth)" and everything was running just fine without any issues. I think I'm required to create a new certificate based on the old one and create some certificate chain? I also think I need to increase the OpenVPN server setting "Certificate Depth" from "One" to "Do Not check" just to be sure.

Unfortunately the OpenVPN server certificate expired recently and I'm unable to renew it or create a new certificate based on the original one.

If anyhow possible I don't want to update each and every client but only the server side.

How can I fix that? Any openssl magic is needed I think.

Btw. I located the OpenVPN configuration here:
/var/etc/openvpn/server1.[ca|cert|key] and so on

I found that link but it's pretty verbose and a really complicated topic:
http://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

Please let me know if you need more details.
#5
Hello,

I think it would be a nice addition on the website (perhaps under Download?) to get a ChangeLog so one can check if an update makes sense and what has changed etc.

I know it's accessible via the Blog but that is kinda hidden and not very obvious.

A good example for a ChangeLog can be found here:
https://www.jtl-software.de/JTL-Wawi-Changelog

My problem with OPNsense is that it works too well so I don't need to keep up2date all the time :-)

ChangeLogs provide a very good overview to decide if an update makes sense or not.

Cheers and thx for the really nice firewall which just works!
#6
16.1 Legacy Series / opnsense-update killed my machine?
February 01, 2016, 05:45:31 PM
Hello,

I'm using OPNsense as a Hyper-V Server 2012 R2 VM for some weeks but it's running on a test machine so far - fortunately!

I was running the following version:
OPNsense 15.7.25-amd64
FreeBSD 10.1-RELEASE-p27
OpenSSL 1.0.2e 3 Dec 2015

I just ran opnsense-update in the hope to get the 16.1 version at the console and did a reboot as suggested after the update.

Now it doesn't mount the root partition anymore and says:
Mounting from ufs:/dev/ada0s1a failed with error 19

... some more general lines ...

mountroot>

So what can I do now and why did this happen while running the opnsense-update command?

There is nothing fancy installed and no advanced configuration. No Captive Portal, no IDS etc. Only simple NAT and OpenVPN tests with the wizard.

If everything fails:
Can I simply extract the /conf/config.xml and import it into a freshly installed OPNsense 16.1 VM?
#7
Hello,

I tried to set up OPNsense to do NAT for the LAN to WAN so nothing fancy. But I failed so far.

I have the following set up:
- SDSL line with a static IP address
- OPNsense running on Hyper-V Server 2012 R2
- System -> Gateways -> All -> WANGW which points to the router of the SDSL line and is the "Default Gateway"
- The "Default allow LAN to any rule" exists, too
- OPNsense is up2date and was restarted - but it never worked so far

Reaching the internet from the OPNsense box is working. Clients from the LAN cannot reach the internet though.

To my understanding the Firewall -> NAT -> Outbound -> Mode set to "Hybrid Outbound NAT rule generation" should generate some automatic rules for the Outbound NAT.

I compared to my pfSense set up which was working but I cannot find any differences.

Looking at pfctl -sr doesn't show any nat-to rules ... at least I didn't see them? And AFAIK the firewall and pf configuration is not done via a pf.conf file but with /conf/config.xml, isn't it?

I've also found the pfInfo, pfTop and pfTables Diagnostics menus but I cannot see any nat or nat-to rules there either.

Any idea and hints how I can find the error? Which logs or tools like pfctl (-s), tcpdump etc. can help?

Regards
#8
Hello,

when I create a firewall rule the Destination field must be typed manually. I would expect to select it from the defined Aliases? At least that would be very helpful :-)

Is this a forgotten field/bug or does it have some other good reason?

Regards
#9
Hello,

I did set up OPNsense as a Hyper-V virtual machine which should act as a firewall replacement to our FRITZ!Box router and some pfSense I did set up for testing. WAN is changing also from ADSL to a fixed IP and some SDSL line. So I can set it up without taking everything offline - just switching the gateway on all clients when I'm done.

The box should primarily do some NAT and firewalling.

Configuration was ok so far but I'm not sure what this Interfaces -> Upstream Gateway setting means and what it is used for?

I can reach the internet from this machine's console so the default gateway is set to the SDSL router already. I can do OPNsense updates as well.

Regards
#10
Hello,

I wonder if it's supported to set up 2 OPNsense firewalls as two separate but identically configured virtual machines on Microsoft Hyper-V Server 2012 R2 with full CARP support?

I know that it's possible to set up an active/active firewall with CARP from some years ago when CARP was introduced to and by OpenBSD. I did that with "real" hardware though :-)

I need the following functionalities:
- NAT and basic firewall rules
- if available some content filtering especially for HTTP and SMTP/mail traffic
- perhaps some HTTP proxy/squid
- perhaps some guest network access
- perhaps some snort/IDS/amavisd
- perhaps some monitoring with darkstat/ntop or something similar

Since the current firewall is just a so called "FRITZ!Box" (some very nice and stable Linux-based hardware router) everything above that is better :-)

If it's possible:
How could I install and configure the 2nd VM? Can I simply export the 1st Hyper-V VM with all settings, VHDX files etc. and set it up on another Hyper-V host? Changing hostname, IP addresses and setting up CARP, of course.

Has anybody done this before? Perhaps with pfSense?

Regards