Topics - junglemattie

1
General Discussion / Feature request reverse proxy load balancing
« on: May 20, 2016, 11:41:27 am »
Hi,

I'd like to send in a feature request to set up support for NGINX and Varnish to support a more complex reverse proxy load balancer.

- Support for url and domain routing
- Support for varnish caching mechanism on url content

I know this is a request that will take some time to complete, and most can be done with Squid I guess, but currently I haven't found an option to set up Squid in OPNsense as a reverse proxy instead of a forwarding proxy.
Any changes made locally to Squid will get overridden when changing entries in the proxy setup.

Ideally I would like to use OPNsense to load balance a web cluster with URL and domain routing and have a caching mechanism in the middle, or running next to it, using Varnish Cache.

Not sure if General Discussion is where this request should be placed; if not, sorry for posting it in the general section.

Really like the way the OPNsense project is heading.

Keep up the good work!

Thanks

Matthew

2
16.1 Legacy Series / [SOLVED] Port forward not working ( RDR )
« on: May 19, 2016, 03:57:20 pm »
Hi,

I seem to have run into a problem: I can't get port forwarding (NAT RDR) working.

So let's say I have the following:

vip ip <--RDR NAT --> internal ip

When I create the forwarding rule for FTP, for example, I do see it listed as an RDR rule, but the rule doesn't seem to work.

pfctl -s nat shows:
No ALTQ support in kernel
ALTQ related functions disabled
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on bce1_vlan3 inet from 127.0.0.0/8 to any port = isakmp -> 130.117.75.121 static-port
nat on bce1_vlan3 inet from 192.168.1.0/24 to any port = isakmp -> 130.117.75.121 static-port
nat on bce1_vlan3 inet from 10.0.0.0/24 to any port = isakmp -> 130.117.75.121 static-port
nat on bce1_vlan3 inet from 127.0.0.0/8 to any -> 130.117.75.121 port 1024:65535
nat on bce1_vlan3 inet from 192.168.1.0/24 to any -> 130.117.75.121 port 1024:65535
nat on bce1_vlan3 inet from 10.0.0.0/24 to any -> 130.117.75.121 port 1024:65535
nat on bce3_vlan200 inet from 127.0.0.0/8 to any port = isakmp -> 178.22.83.68 static-port
nat on bce3_vlan200 inet from 192.168.1.0/24 to any port = isakmp -> 178.22.83.68 static-port
nat on bce3_vlan200 inet from 10.0.0.0/24 to any port = isakmp -> 178.22.83.68 static-port
nat on bce3_vlan200 inet from 127.0.0.0/8 to any -> x.x.x.x port 1024:65535
nat on bce3_vlan200 inet from 192.168.1.0/24 to any -> x.x.x.x port 1024:65535
nat on bce3_vlan200 inet from 10.0.0.0/24 to any -> x.x.x.x port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
no rdr on bce0 proto tcp from any to (bce0) port = https
no rdr on bce0 proto tcp from any to (bce0) port = http
no rdr on bce0 proto tcp from any to (bce0) port = ssh
rdr on bce3_vlan200 inet proto tcp from any port = ftp to x.x.x.x port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto udp from any port = ftp to x.x.x.x port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto tcp from any to x.x.x.x port 1024:65535 -> 192.168.1.148

I also created an inbound rule to accept the FTP connection, but when I try the connection it doesn't work:

External connection:

tcpdump: listening on bce3_vlan200, link-type EN10MB (Ethernet), capture size 65535 bytes
15:56:12.182354 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 50, id 34416, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xdef5 (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758637770 ecr 0,sackOK,eol], length 0
15:56:14.188624 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 51, id 11713, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xd725 (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758639770 ecr 0,sackOK,eol], length 0
15:56:15.190539 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 51, id 29698, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xd33d (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758640770 ecr 0,sackOK,eol], length 0
15:56:16.191868 80:71:1f:c0:84:b2 > 10:60:4b:af:d2:96, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 51, id 15010, offset 0, flags [DF], proto TCP (6), length 64)
    149.235.255.3.54915 > x.x.x.x.21: Flags , cksum 0xcf55 (correct), seq 4153531766, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 758641770 ecr 0,sackOK,eol], length 0

Local connection:

# telnet 192.168.1.148 21
Trying 192.168.1.148...
Connected to 192.168.1.148.
Escape character is '^]'.
220 Welcome to the FTP server

Anyone know what I am doing wrong or what's up with the RDR option of PF?
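An added example, not part of the original post or of OPNsense itself: a small Python script that parses rdr lines in the `pfctl -s nat` format shown above and applies pf's first-match translation semantics (a matching `no rdr` exempts the packet, otherwise the first matching `rdr` translates it) to a single inbound packet, then scans tcpdump lines for SYNs that are retransmitted with the same sequence number and never answered. The rule set and packet lines are constructed for the example; `203.0.113.10` stands in for the redacted `x.x.x.x`, and the service-name table is an assumption. Running it shows that a SYN from source port 54915 to port 21 matches neither a rule that also requires a source port of `ftp` nor the `1024:65535` rule, while a rule without the source-port constraint does match.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: only the service names needed here, mapped to their port numbers.
SERVICES = {"ftp": 21, "ssh": 22, "http": 80, "https": 443, "isakmp": 500}

# Constructed rule set mirroring the pfctl -s nat output in the post.
SAMPLE_RULES = """\
no rdr proto carp all
rdr-anchor "relayd/*" all
no rdr on bce0 proto tcp from any to (bce0) port = https
rdr on bce3_vlan200 inet proto tcp from any port = ftp to 203.0.113.10 port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto udp from any port = ftp to 203.0.113.10 port = ftp -> 192.168.1.148
rdr on bce3_vlan200 inet proto tcp from any to 203.0.113.10 port 1024:65535 -> 192.168.1.148
"""

# Constructed variant: same forward without the source-port constraint.
FIXED_RULES = """\
rdr on bce3_vlan200 inet proto tcp from any to 203.0.113.10 port = ftp -> 192.168.1.148
"""

# Constructed tcpdump lines: one SYN repeated with the same seq and no reply.
SAMPLE_TCPDUMP = """\
15:56:12.182354 IP 149.235.255.3.54915 > 203.0.113.10.21: Flags [S], seq 4153531766, win 65535, length 0
15:56:14.188624 IP 149.235.255.3.54915 > 203.0.113.10.21: Flags [S], seq 4153531766, win 65535, length 0
15:56:15.190539 IP 149.235.255.3.54915 > 203.0.113.10.21: Flags [S], seq 4153531766, win 65535, length 0
"""

RULE_RE = re.compile(
    r"^(?P<no>no )?rdr(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port (?P<sport>(?:= )?\S+))?"
    r" to (?P<dst>\S+)(?: port (?P<dport>(?:= )?\S+))?"
    r"(?: -> (?P<target>\S+))?$"
)
PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?seq (?P<seq>\d+)"
)


@dataclass
class RdrRule:
    negate: bool                 # True for "no rdr" (exemption)
    iface: Optional[str]
    proto: Optional[str]
    src: str
    sport: Tuple[int, int]       # inclusive port range; (0, 65535) means any
    dst: str
    dport: Tuple[int, int]
    target: Optional[str]
    text: str


def parse_ports(spec: Optional[str]) -> Tuple[int, int]:
    """'= ftp' -> (21, 21); '1024:65535' -> (1024, 65535); None -> any port."""
    if spec is None:
        return (0, 65535)
    spec = spec.lstrip("= ")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo), int(hi))
    port = SERVICES[spec] if spec in SERVICES else int(spec)
    return (port, port)


def parse_rdr_rules(text: str):
    """Parse rdr / no rdr lines; anchors and non-rdr lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(RdrRule(bool(m["no"]), m["iface"], m["proto"], m["src"],
                                 parse_ports(m["sport"]), m["dst"],
                                 parse_ports(m["dport"]), m["target"], line.strip()))
    return rules


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("("):       # (ifname) = interface address; not resolvable offline
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_rdr(rules, iface, proto, src, sport, dst, dport):
    """First matching translation rule wins: ('exempt'|'match', rule) or ('none', None)."""
    for r in rules:
        if (r.iface and r.iface != iface) or (r.proto and r.proto != proto):
            continue
        if not (addr_matches(r.src, src) and addr_matches(r.dst, dst)):
            continue
        if not (r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]):
            continue
        return ("exempt", r) if r.negate else ("match", r)
    return ("none", None)


def unanswered_syns(tcpdump_text: str):
    """Return [(flow, seq, count)] for SYNs retransmitted with no reverse-direction packet."""
    flows_seen, syns = set(), Counter()
    for m in PKT_RE.finditer(tcpdump_text):
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        flows_seen.add(flow)
        if m["flags"] == "S":
            syns[(flow, int(m["seq"]))] += 1
    return [(flow, seq, n) for (flow, seq), n in syns.items()
            if n > 1 and (flow[2], flow[3], flow[0], flow[1]) not in flows_seen]


if __name__ == "__main__":
    pkt = ("bce3_vlan200", "tcp", "149.235.255.3", 54915, "203.0.113.10", 21)
    print("original rules:", match_rdr(parse_rdr_rules(SAMPLE_RULES), *pkt)[0])
    print("fixed rules:   ", match_rdr(parse_rdr_rules(FIXED_RULES), *pkt))
    for flow, seq, n in unanswered_syns(SAMPLE_TCPDUMP):
        print(f"unanswered SYN {flow} seq {seq} retransmitted {n} times")
```

The retransmission check is the quick way to tell "the packet never reached a listener" from "the service refused it": an RST would show up as a reverse-direction packet, whereas a SYN repeating with an unchanged sequence number and nothing coming back points at the rule set (or a missing pass rule) rather than at the FTP daemon.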

3
16.1 Legacy Series / Multiple routing tables
« on: May 18, 2016, 04:22:52 pm »
Hi,

I'd like to know if OPNsense intends to start supporting multiple routing tables; the kernel needs to be recompiled with:

# Multiple routing tables
options         ROUTETABLES=2

When this is done it would be possible to set up multiple default gateways instead of having to work around the current way of doing the multi-WAN setup.

From the looks of it only one FIB is currently allowed:

/home/matthew # setfib 0 netstat -rn | grep default
default            x.x.x.x      UGS    bce1_vla

/home/matthew # setfib 1 netstat -rn
setfib: 1: invalid FIB (max 0)

Thanks in advance

Matthew
