OPNsense Forum
Topics - maweber

1
General Discussion / Concept Question: OPNsense as a GW?
« on: June 01, 2020, 12:10:37 am »
Hi

I was patching up this situation using OPNsense, but I would like a second opinion.
This question is about how to set up OPNsense as a GW itself.

Setup is:

WAN (dhcp) <=> INET/29 (owned WAN subnet) <=> one or more OPNsenses.
I know the subnet basics and initially did it using basic routing / default GW / firewall in Linux, but I would like to do it with OPNsense if that makes sense performance-wise, because OPNsense has some features I would include.

What I did is create the INET/29 subnet as if it were a LAN, add all the flags like BOGUSIPS, firewall, special exceptions etc. myself, and deactivate outbound NAT.

However I don't trust it as there are questions.
  • For one, OPNsense doesn't know the INET/29 is a WAN port. I cannot tell for sure that there is no special internal edge case that lets traffic escape the WAN<->INET/29 highway.
  • OPNsense does identify WAN/LAN, and I don't know if that's just visual or if it means something more.
  • Also, if the endpoint router behind the GW restarts, connections through the GW are unstable. I have to restart the GW to make it work again (that is: let clients from WAN access HAproxy on the INET/29 endpoint again). It seems to me I converted a solution into another one that is not meant to be.
Anybody? Your opinion?

thanks

2
19.7 Legacy Series / Loopback NAT/ Outbound NAT with HAproxy?
« on: November 15, 2019, 01:33:15 am »
Hi folks

I need to mask LAN-HAproxy traffic with my WAN IP.

It seems I cannot get an outbound NAT for HAproxy working.
The conditions are never met for the outbound NAT to hook in.

I used: Outbound NAT
- Interface: WAN
- Source: The complete 10.24.0.0/16
- Dest: WAN (HAproxy port)
- Translate IP: Interface
... still the HTTP server sees my LAN IP.

As soon as I route the traffic via a masked outside GW loopback, the outbound NAT works (useless, just to illustrate).

Somebody knows a solution?
What kind of hidden shortcut is in place here?
Thanks

3
18.7 Legacy Series / Suricata: Multi Tenancy (VLAN)/ Latency Question
« on: December 12, 2018, 09:22:29 pm »
Hi all

Edit: Sorry this belongs to the other (Suricata) forum, but it seems I cannot delete this.

I read in this doc
https://suricata.readthedocs.io/en/suricata-4.0.1/configuration/multi-tenant.html

that it's possible to distinguish configs by VLAN ID using multi-detect.

My questions here:
  • Are the default bare-metal interfaces in "netmap" the ones the VLAN tenants are based on?
  • If I want filters on VLAN-1, but empty rules on VLAN-2: will there be inspection and latency on VLAN-2? (I ask because I had lag with OpenVPN going through Suricata. A pass rule didn't help; only disabling did.)
  • What is the most stable way for OPNsense to eat my "multi-detect" config? Just add it in the custom.yaml file, and reference (+TARGETS) the additional YAMLs?


Thanks a lot.
Best
Manu
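As an added illustration of the layout the linked Suricata document describes (this is not from the post, the OPNsense project or a working OPNsense install), here is a multi-detect fragment that selects the tenant by VLAN ID. The VLAN IDs, tenant file names, rule path and rule file names are assumptions; the tenant files are shown as comments below the main fragment because each lives in its own file.

```yaml
# suricata.yaml fragment (added example; VLAN IDs, file and rule names are
# assumptions, not values taken from the post)
multi-detect:
  enabled: yes
  selector: vlan           # choose the tenant by the 802.1Q VLAN ID of the packet
  tenants:
    - id: 1
      yaml: tenant-1.yaml  # the VLAN that should be inspected with rules
    - id: 2
      yaml: tenant-2.yaml  # the VLAN that should carry no rules
  mappings:
    - vlan-id: 10          # assumed VLAN ID for "VLAN-1" in the post
      tenant-id: 1
    - vlan-id: 20          # assumed VLAN ID for "VLAN-2" in the post
      tenant-id: 2

# tenant-1.yaml (separate file, shown here as a comment):
# %YAML 1.1
# ---
# default-rule-path: /usr/local/etc/suricata/rules   # assumed path
# rule-files:
#   - vlan10-custom.rules                             # assumed rule file
#
# tenant-2.yaml (separate file, shown here as a comment):
# %YAML 1.1
# ---
# rule-files: []                                      # no rules for this tenant
```

The mapping only decides which rule set a packet is matched against; whether a tenant with an empty rule list still costs decode and stream-tracking time is exactly the latency question the post raises, and this fragment does not answer it.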

4
Intrusion Detection and Prevention / Did anyone try CUDA with IDS?
« on: July 08, 2018, 01:14:45 am »
Hi,
I'd like to know if anyone has, and how difficult it was, to get CUDA in Suricata on OPNsense up and running.
Thanks
Manu

5
Web Proxy Filtering and Caching / Concept Question: HAproxy plus LAN access - internal IP
« on: July 03, 2018, 02:33:01 am »
Hi all

I have a basic question that I don't seem to find an answer for.
Say I use HAproxy as an SSL/non-SSL reverse proxy for my non-SSL web pages in a DMZ.
I also have an interest in using HAproxy from LAN1, because it handles the Let's Encrypt certs, and the servers don't have SSL enabled.

On which internal IP do I set HAproxy for LAN access?

- I use split-horizon DNS
- Loopback on WAN is blocked because of the (useful) private-net/bogon rule, I guess?
- There will be more LANs; this IP should be shared across them

I tested that using the DMZ router IP works, publishing it via the internal DNS. But I guess that way traffic passes through the router twice?

Thanks a lot
Best Manu

6
17.7 Legacy Series / syslogd to remote: all facilities appear as hostname?
« on: October 20, 2017, 04:03:58 am »
Hi

I think this thread perfectly describes my problem
https://serverfault.com/questions/155618/remote-logging-with-syslogd-can-i-change-the-hostname

Basically, in syslogd's messages to a remote, the hostname is missing.
On the remote logger it gets mixed up with rsyslogd's messages from others, which prepend a hostname (seen as a source).

Is this intended behaviour or syslogd-only?

best
manu
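The mix-up described above happens on the collector side: a receiver that blindly takes the token after the timestamp as the HOSTNAME field will file a hostname-less line under a "host" like `sshd[1234]:`. As an added example (not part of the post and not OPNsense or syslogd code), the following Python parser handles both forms and falls back to the sending peer's IP when the HOSTNAME field is absent. The two sample lines are constructed for the example, not captured from a real system.

```python
import re
from typing import NamedTuple

# Constructed sample lines, not real captures. The first is the usual
# RFC 3164 form with a hostname after the timestamp; the second is the
# hostname-less form described in the post.
SAMPLE_WITH_HOST = (
    "<38>Oct 20 04:03:58 gw1 sshd[1234]: "
    "Accepted publickey for admin from 10.24.1.5 port 51022"
)
SAMPLE_NO_HOST = (
    "<38>Oct 20 04:03:58 sshd[1234]: "
    "Accepted publickey for admin from 10.24.1.5 port 51022"
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_LEN = len("Mmm dd hh:mm:ss")  # fixed-width RFC 3164 timestamp


class SyslogEvent(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    hostname: str
    hostname_source: str  # "header" if taken from the line, "peer" if from the sender IP
    tag: str
    message: str


def naive_hostname(line: str) -> str:
    """What a collector gets if it blindly treats the 4th token as the host."""
    return line.split(" ", 4)[3]


def parse_rfc3164(line: str, peer_ip: str) -> SyslogEvent:
    """Parse one RFC 3164 line. When the HOSTNAME field is absent, attribute
    the event to the sending peer instead of mislabelling the TAG as a host."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    rest = line[m.end():]
    if len(rest) < TS_LEN or rest[TS_LEN:TS_LEN + 1] != " ":
        raise ValueError("malformed timestamp")
    timestamp, rest = rest[:TS_LEN], rest[TS_LEN + 1:]
    first, _, remainder = rest.partition(" ")
    # An RFC 3164 hostname never contains ':' or '['; a TAG such as
    # "sshd[1234]:" does, so that token marks a line with no hostname.
    if ":" in first or "[" in first:
        hostname, source = peer_ip, "peer"
    else:
        hostname, source, rest = first, "header", remainder
    tag, _, message = rest.partition(":")
    return SyslogEvent(pri >> 3, pri & 7, timestamp, hostname, source,
                       tag.strip(), message.strip())


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HOST, SAMPLE_NO_HOST):
        print("naive host:", naive_hostname(sample))
        print("parsed    :", parse_rfc3164(sample, "192.0.2.10"))
```

The fallback is only as good as the transport: with plain UDP syslog the peer address is unauthenticated, so a collector that relies on it should at least restrict the listener to the expected senders.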

7
17.1 Legacy Series / Suricata with SSL connections?
« on: March 11, 2017, 02:24:25 pm »
Hi all
My question is somewhat basic, concerning IDP on OPNsense:

As SSL connections through the router are encrypted, is there a way for Suricata to inspect those too? Is it possible with a web proxy? Or does the Suricata concept already include a web proxy?
And: how about SSL mail...?

Couldn't find it mentioned in the docs.

Thanks a lot!

Best
Manu

8
16.7 Legacy Series / MULTI-WAN dest addresses in FW, NAT (double entries needed?)
« on: January 23, 2017, 09:33:17 pm »
Hi all
I noticed that it is also necessary to define the WAN interface addresses if there should be NAT traffic from WAN into the DMZ, for example. (I didn't know it would affect the WAN OUT direction too if I only put the WAN interface, without the WAN destination address.)

My situation is that I have a WAN pool with 2 GWs.
But when trying to set up NAT for both GWs I therefore need to DOUBLE every entry in FW/NAT (each with the interface address of the corresponding WAN port).

Is there a way to substitute all WAN interface addresses?
Would "This Firewall" be a safe choice? I'm not sure of this term.

Thank you
Best
Manu
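Underneath the OPNsense GUI the rules are pf, and pf.conf has two constructs for exactly this: `(ifname)` expands at load time and on address change to the addresses of that interface, and `self` expands to every address on every interface of the host. As an added illustration in pf.conf syntax (not from the post and not generated by OPNsense; interface names and the DMZ host are assumptions), one `rdr` covers both WAN addresses without a second copy:

```conf
# pf.conf fragment, added illustration rather than OPNsense GUI output.
# Interface names and the DMZ host address are assumptions.
wan1 = "igb0"
wan2 = "igb1"
dmz_web = "10.24.50.10"

# "($wan1)" expands to the addresses currently assigned to igb0, so the
# destination list follows DHCP changes and one rule serves both WANs.
rdr on { $wan1 $wan2 } inet proto tcp from any to { ($wan1) ($wan2) } \
    port 443 -> $dmz_web port 443

# The wider alternative is pf's "self": all addresses on all interfaces,
# LAN and loopback included. Scoping it with "on { $wan1 $wan2 }" keeps it
# from matching anything that did not arrive on a WAN interface.
# rdr on { $wan1 $wan2 } inet proto tcp from any to self port 443 -> $dmz_web port 443

# The filter rule sees the already-translated destination.
pass in quick on { $wan1 $wan2 } inet proto tcp from any to $dmz_web port 443
```

The interface-address list is the narrower of the two, and narrower is what you want for a rule that admits traffic from the Internet.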

9
16.7 Legacy Series / Outbound IPsec/L2TP from LAN, passing through OPNsense, not possible?
« on: July 30, 2016, 09:33:02 pm »
Hi all
I'm struggling to connect from a Mac inside the LAN to an Internet IPsec/L2TP server (brand Zyxel).

I tested it successfully without the OPNsense router in between (different net, different router).
I unsuccessfully tried without the automatic outbound NAT rules.
It seems the attempt doesn't write anything to the firewall log.

We got a gateway failover installed.
DNS resolves right.

Any hints?

Thank you very much for your help!
best
Manu

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved