OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of csmall »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - csmall

Pages: [1] 2
1
19.7 Production Series / [Solved] Need help with wireguard
« on: July 19, 2019, 04:32:53 am »
I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine but traffic send to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the time or the internet.

I configured the client to use 0.0.0.0/0 for allowed ip's.

On the endpoint config I have allowed ip's set to the client_ip/24

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT

I created the WAN firewall rule

I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue but I can't even get to that.





2
19.7 Production Series / Wireguard Plugin Road Warrior Tutorial/Doc
« on: July 18, 2019, 12:42:33 pm »
Is there a tutorial or doc on how to configure the new wireguard Plugin in 19.7 for road warrior?

3
19.1 Legacy Series / IPsec VPN on mobile Question
« on: June 26, 2019, 01:49:36 pm »
How can I prevent the tunnel from being split tunnel? I want to force all traffic over the tunnel.

I'm using ikev2 and strong swan client on Android.

My main goal is using my pihole for dns remotely. So if that is possible without forcing all traffic over the tunnel then if be happy with that as well.

Any help much appreciated.

Right now it is split tunnel

4
19.1 Legacy Series / Road Warrior IPsec & Split-Tunnel
« on: June 16, 2019, 06:13:24 am »
I followed this guide to get IPsec VPN working with Android using strongswan client and IKEv2.

https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-eaptls.html

I connect just fine and can access the the firewall web interface on the LAN address but it is split tunnel.

I would like to force the Android phone to force all traffic over the tunnel. How can I do that?

If I can't force all traffic over the tunnel I would at least like to force dns resolution to take advantage of my pihole on mobile.

5
19.1 Legacy Series / Problem with letsencrypt validations and haproxy
« on: June 14, 2019, 02:18:21 am »
I use haproxy and letsencrypt integration with http validation

I had it working fine with renewing certificates for a while but now it fails validation. The log said timeout likely a firewall problem.

I've gone over the settings and I've tried adding additional firewall rules but nothing seems to work.

What can I check and verify? It was great when it was working :(

6
Intrusion Detection and Prevention / Emerging Threats Rule Descriptions
« on: June 07, 2019, 12:27:12 pm »
I came across this and thought it might be useful to others.

From Proofpoint:

https://www.google.com/url?sa=t&source=web&rct=j&url=http://tools.emergingthreats.net/docs/ETPro%2520Rule%2520Categories.pdf&ved=2ahUKEwi1s5eLlNfiAhWEVN8KHV0dDgkQFjABegQIBxAN&usg=AOvVaw0VeLizsYuRFk0ekY3FOOZz&cshid=1559903175835

7
19.1 Legacy Series / Clam av plugin
« on: June 07, 2019, 02:09:02 am »
Is the clam av plugin useful for anything other than when used with a proxy?

8
Intrusion Detection and Prevention / Direction
« on: May 21, 2019, 07:20:51 pm »
With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like a performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services.. then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?


9
General Discussion / Question about the LetsEncrypt plugin
« on: August 24, 2018, 04:29:38 am »
If I have already pulled certificatees from LetsEncrypt with certbot by running it individually on web servers behind OPNsense/HAProxy, can I still use the LetsEncrypt plugin to take over the management of the certificates?

If so, how? If not, what would be the best way to cut over to the plugin so I don't have to deal with the individual servers renewing certificates?

10
18.7 Legacy Series / Haproxy ssl-passthrough help
« on: August 15, 2018, 05:37:58 pm »
Can anyone explain to me how I would setup haproxy in OPNsense to do ssl-passthrough instead of offloading?

I currently have a single public ip listening on 443 via haproxy with certainty for a couple of servers/services added to it with ssl offloading configured. There are rules that look at host contains and based on the sub domain name of the url, they are routed to the proper pool of servers.

This is currently working for me.

I am more curious on how I would do this with ssl-passthrough instead of offloading and also how I could still use rules to determine which server pool a sub domain url hits.

Any guidance would be much appreciated.

11
18.7 Legacy Series / Haproxy issue
« on: August 14, 2018, 12:57:54 pm »
I have one service running behind haproxy with ssl offloading enabled and it works fine.

I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.

If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.

What could be the issue? It is nginx with and ssl site on 443.

12
18.1 Legacy Series / Block outbound icmp to external address?
« on: June 05, 2018, 06:13:21 am »
What rule would I need to create to block outbound icmp to 8.8.8.8?

In the log live view I see int wan with the wan ip as the source icmp to 8.8.8.8

13
General Discussion / Cloudflare DNS over TLS with Unbound
« on: April 04, 2018, 04:02:59 am »
Looking at this article https://www.netgate.com/blog/dns-over-tls-with-pfsense.html?utm_campaign=DNSoverTLS&utm_content=69532200&utm_medium=social&utm_source=twitter

I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.

It seemed to work fine for a short period of time and then I start getting these errors and the unbound service stops running.

unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853

unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

Is anyone using cloudflare dns over tls successfully?

14
General Discussion / Suggestions for multiple servers running port 443 behind OPNsense
« on: December 16, 2017, 01:34:53 am »
Suggestions for multiple servers running port 443 behind OPNsense With a single public ip?

What would be a good option for handling this?

example:

a.domain.com:443 —-> single public ip ——> internal_server1:443

b.domain.com:443 —-> single  public ip ——> internal_server2:443

Can any plugins for OPNsense handle this or would something like nginx/reverse proxy be required? Maybe a layer 7 load balancer like kemp or netscaler etc.

Haproxy can’t do this can it?

15
General Discussion / Can haproxy do content switching similar to a netscaler?
« on: December 10, 2017, 03:25:10 pm »
Can haproxy do content switching like a netscaler? Allowing you to host multiple services on the same port via one IP address.

Pages: [1] 2
OPNsense is an OSS project © Deciso B.V. 2015 - 2020 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2