Topics - nibblerrick

#1
Hi,

I am a little bit stuck with this situation:
Using the letsencrypt plugin with the http-01 challenge and haproxy. The default configuration works.
Now I would like to redirect the incoming http/port 80 traffic to ssl/443, which works fine by defining a condition in haproxy for not-ssl traffic to be redirected.
But this redirect rule seems to match before the acme-challenge rule.
I thought if I modify the acme rule to use the acme condition AND the not-ssl condition it should work because it's more specific. But it doesn't.
I tried to find something about this behaviour and read somewhere that http-redirect rules are always executed before the other rules, but I don't know if that's right.

So... what's the correct way to catch the acme condition and send it to the backend before the ssl-redirect rule takes effect?

The only similar thing I could find in this forum was in the German section https://forum.opnsense.org/index.php?topic=7880.msg36600#msg36600 but there isn't an answer.

Thanks
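Added illustration of the rule ordering the post describes (this is a hand-written haproxy.cfg fragment, not the poster's configuration and not the output of the OPNsense HAProxy plugin). In HAProxy, `http-request` rules such as `redirect` are evaluated before `use_backend` rules, so a more specific `use_backend` condition never gets a chance; the ACME exception has to be part of the redirect condition itself. Frontend and backend names, the backend address and the port are assumptions.

```haproxy
# Added example, not from the original post or the OPNsense plugin.
# Assumed names: frontend http_in, backends acme_backend and web_backend.
frontend http_in
    bind :80
    mode http
    # Let's Encrypt http-01 validation requests
    acl is_acme path_beg /.well-known/acme-challenge/
    # http-request rules run before use_backend rules, so the redirect
    # must exclude ACME requests here; a separate, more specific
    # use_backend condition would never be reached for redirected requests.
    http-request redirect scheme https code 301 if !{ ssl_fc } !is_acme
    # Only ACME requests survive to this point on port 80
    use_backend acme_backend if is_acme
    default_backend web_backend

backend acme_backend
    mode http
    # Assumed address and port of the local ACME responder
    server acme_local 127.0.0.1:8080

backend web_backend
    mode http
    # Assumed internal web server
    server web1 192.0.2.10:80
```

To verify the ordering on a running instance, request http://HOST/.well-known/acme-challenge/test and expect the backend's response rather than a 301, while any other http:// path returns the redirect.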
#2
Hi,

I'm playing around with zerotier and it's really a nice and easy solution. Now I tried to make a site2site-VPN and discovered the following:

Set up zerotier like in the documentation, static IP for the OPNSense boxes, no auto-assignment.
Routes for the networks set up as managed routes in my.zerotier, configured the network in OPNSense, everything was fine and running.
Managed routes were available on the OPNSense boxes and everything works - till you reboot.

When rebooting or just restarting the zerotier service the routes from zerotier are gone.
Under the network information tab the routes are shown, but they aren't in the routing table.
Disabling the network in the zerotier plugin and re-enabling it a moment later works, the routes are there on the OPNSense box.
It's just not really a good option to disable the network on the remote box because re-enabling is quite hard then... :-)

So is this expected behaviour, a bug, or some setting I have to set to get the routes registered on the automatic service start?
I couldn't really find an option or something for the local.conf which made sense to me yesterday in the evening.

So back to OpenVPN for now, but I really would like to make it work with zerotier.

Thanks

  Nico
#3
Hi!

My problem is, I have a router which I have to use (Speedport Hybrid), so OPNSense is behind this router. I can't get a static public IP.
So at the moment the DynamicDNS check works either with the default interval or a cronjob which can be defined to check e.g. every minute.
I think checking is done with the dyndns service which is hardcoded. As far as I read they'll block you if you don't have >10min intervals.
So the question is, is there anything possible (doesn't have to be GUI-configurable) to get OPNSense to notice an IP change?
Other methods than checking every X minutes eventually? Having an open connection to anywhere and rechecking when it drops? I really have no idea atm, so I am asking.
10 minutes doesn't sound like much, but if you want e.g. a VPN connected, these ten minutes it takes to get the update will every time be the moment you need it, you know what I mean... :-)
#4
Hi there,

I think I am a blockhead here as it is probably easy: When I get a routed /48 subnet from he.net tunneled to my router and want to use multiple smaller /64s out of it and route between them, how do I do that?
Just create different interfaces and assign the /64s to them?
Following the pfsense tunneling howto you have a gateway set up for the tunnel which has the tunnel addresses. But where is the routing of the incoming /48 done, and how will opnsense choose where to route what? Is it done just with the interfaces that are there, or do gateways have to be created?
I really have the feeling I am missing something obvious here.

Thanks in advance

    Nico