Topics - nibblerrick

1
19.7 Legacy Series / [solved] HAproxy with https-redirect and letsencrypt http-01
« on: November 13, 2019, 10:31:40 am »
Hi,

I am a little bit stuck with this situation:
Using the letsencrypt plugin with http-01 challenge and haproxy. Default configuration works.
Now I'd like to redirect the incoming http/port 80 traffic to ssl/443, which works fine by defining a condition in haproxy for not-ssl-traffic to be redirected.
But this redirect-rule seems to match before the acme-challenge-rule.
I thought if I modify the acme-rule to use the acme-condition AND not-ssl-condition it should work because it's more specific. But it doesn't.
I tried to find something about this behaviour and read somewhere http-redirect rules are always executed before the other rules but don't know if that's right.

So... what's the correct way to catch the acme-condition and send it to the backend before the ssl-redirect-rule takes effect?

The only similar thing in this forum I could find was in the German section https://forum.opnsense.org/index.php?topic=7880.msg36600#msg36600 but there isn't an answer.

Thanks

2
18.1 Legacy Series / Zerotier - managed routes aren't available when service starts
« on: February 05, 2018, 04:07:42 pm »
Hi,

I'm playing around with zerotier and it's really a nice and easy solution. Now I tried to make a site2site-VPN and discovered the following:

Setup zerotier like in the documentation, static IP for the OPNSense-boxes, no auto-assignment.
Routes for the networks setup as managed routes in my.zerotier, configured the network in OPNSense, everything was fine and running.
Managed routes were available on the OPNSense-boxes and everything works - till you reboot.

When rebooting or just restarting the zerotier service the routes from zerotier are gone.
Under the network information tab the routes are shown but they aren't in the routing table.
Disabling the network in the zerotier plugin and re-enabling it a moment later works, the routes are there on the OPNSense-box.
It's just not really a good option to disable the network on the remote box because re-enabling is quite hard then... :-)

So is this expected behaviour, a bug, or some setting I have to set to get the routes registered on the automatic service start?
I couldn't really find an option or something for the local.conf which made sense to me yesterday in the evening.

So back to OpenVPN for now, but I'd really like to make it work with zerotier.

Thanks

  Nico

3
17.1 Legacy Series / Fast DynamicDNS updates if OPNSense behind other router? [solved: works oob]
« on: July 27, 2017, 05:29:00 pm »
Hi!

My problem is, I have a router which I have to use (Speedport Hybrid) so OPNSense is behind this router. I can't get a static public IP.
So at the moment the DynamicDNS check works either with the default interval or a cronjob which can be defined to check e.g. every minute.
I think checking is done with the dyndns-service which is hardcoded. As far as I read they'll block you if you don't have >10min intervals.
So the question is, is there anything possible (doesn't have to be GUI-configurable) to get OPNSense to notice an IP change?
Other methods than check X minutes eventually? Having an open connection to anywhere and recheck when it drops? I really have no idea atm, so I am asking.
10 minutes doesn't sound like much, but if you want e.g. a VPN connected, the ten minutes it takes to get the update will every time be the moment you need it, you know what I mean... :-)

4
General Discussion / IPv6 Subnetting and routing from a /48 tunnelbroker network
« on: January 12, 2016, 04:09:07 pm »
Hi there,

I think I am a blockhead here as it is probably easy: When I get a routed /48 subnet from he.net tunneled to my router and want to use multiple smaller /64 out of it and route between them, how to do that?
Just create different interfaces and assign the /64 to it?
Made with the pfsense tunneling howto you have a gateway setup for the tunnel which has the tunnel addresses. But where is the routing done of the incoming /48 and opnsense will choose where to route what? Is it done just with the interfaces that are there or do gateways have to be created?
I really have the feeling I am missing something obvious here.

Thanks in advance

    Nico
