Topics - maweber

#1
Hi

I was patching up this situation using OPNsense, but I would like a second opinion.
This question is about how to set up OPNsense as a GW itself.

Setup is:

WAN (dhcp) <=> INET/29 (owned WAN subnet) <=> one or more OPNsenses.

I know the subnet basics and initially did it using basic routing/ default GW/firewall in Linux, but would like to do it with OPNsense if that makes sense, performance-wise, because OPNsense has some features I would include.

What I did was create the INET/29 subnet as if it were a LAN, and add all the flags like BOGUSIPS, Firewall, Special exceptions etc. myself, plus deactivate OUTBOUND NAT.

However, I don't trust it, as there are questions.

  • For one, OPNsense doesn't know the INET/29 is a WAN port. I cannot tell for sure that there is no special internal edge case that gets traffic to escape the WAN<->INET/29 highway.
  • OPNsense does identify WAN/LAN, and I don't know if that's just visual or if it means something more.
  • Also, if the endpoint-router behind the GW restarts, connections through the GW are unstable. I have to restart the GW to make it work again (that is: let clients from WAN access HAproxy on the INET/29 endpoint again). It seems to me I converted a solution into another that is not meant to be.
Somebody/your opinion?

thanks
#2
Hi folks

I need to mask LAN-HAproxy traffic with my WAN IP.

It seems I cannot get an outbound NAT for HAproxy working.
The conditions are never met for the Outbound-NAT to hook in.

I used: Outbound NAT
- Interface: WAN
- Source: The complete 10.24.0.0/16
- Dest: WAN (HAproxy port)
- Translate IP: Interface
... still the http server sees my LAN IP.

As soon as I route the traffic via a masked outside GW loopback, the Outbound-NAT works (useless, just to illustrate).

Somebody knows a solution?
What kind of hidden shortcut is in place here?
Thanks
#3
Hi all

Edit: Sorry this belongs to the other (Suricata) forum, but it seems I cannot delete this.

I read in this doc
https://suricata.readthedocs.io/en/suricata-4.0.1/configuration/multi-tenant.html

that it's possible to distinguish configs by VLAN IDs using multi-detect.

My questions here:

  • Are the default bare-metal interfaces in "netmap" the ones the VLAN tenants are based on?
  • If I want filters on VLAN-1, but empty rules on VLAN-2: will there be an inspection and latency on VLAN-2? (I ask because I had lags with openvpn going through suricata. A pass rule didn't help. Only disabling did.)
  • What is the most stable way for opnsense to eat my "multi-detect" config? Just add it in the custom.yaml file, and reference (+TARGETS) the additional yamls?

Thanks a lot.
Best
Manu
#4
Hi,
I'd like to know if anyone..., and how difficult it was, to get CUDA in Suricata on OPNsense up and running.
Thanks
Manu
#5
Hi all

I have a basic question that I don't seem to find an answer for.
Say I use HAproxy as an SSL/non-SSL reverse proxy for my non-SSL webpages in a DMZ.
I have an interest to also use HAproxy from LAN1, because it handles the LetsEncrypt certs, and the servers don't have SSL enabled.

On which internal IP do I set HAproxy for LAN access?

- I use split-horizon DNS
- loop-back on WAN is blocked because of the (useful) privatenet/bogus-rule I guess?
- There will be more LANs; this IP should be shared across them

I tested that using the DMZ Router IP works, publishing it via the internal DNS. But I guess that way traffic passes through the router twice?

Thanks a lot
Best Manu
#6
Hi

I think this thread perfectly describes my problem
https://serverfault.com/questions/155618/remote-logging-with-syslogd-can-i-change-the-hostname

Basically in syslogd's messages to a remote, the hostname is missing.
On the remote logger it mixes up with rsyslogd's messages from others, that prepend a hostname (seen as a source).

Is this intended behaviour or syslogd-only?

best
manu
#7
17.1 Legacy Series / Suricata with SSL connections?
March 11, 2017, 02:24:25 PM
Hi all
My question is somewhat basic concerning IDP on opnsense:

As SSL connections through the router are encrypted, is there a way for Suricata to inspect those too? Is it possible with a web proxy? Or is the Suricata Concept already including a webproxy?
And: How about SSL-mail...?

Couldn't find it mentioned in the docs.

Thanks a lot!

Best
Manu
#8
Hi all
I noticed it is also necessary to define the WAN interface addresses if there should be NAT traffic from WAN into the DMZ, for example. (I didn't know it would affect the WAN OUT direction too if I only put the WAN interface, without the WAN destination address.)

My situation is that I have a WAN pool with 2 GWs.
But when trying to set up NAT for both GWs, I therefore need to DOUBLE every entry in FW/NAT (each with the interface address of the corresponding WAN port).

Is there a way to substitute all WAN interface-addresses?
Would "this Firewall" be a safe choice? I'm not sure of this term.

Thank you
Best
Manu
#9
Hi all
I'm struggling to connect from a Mac inside the LAN to an internet IPsec/L2TP server (brand Zyxel).

I tested it successfully without the opnsense router in between (different net, different router).
I unsuccessfully tried without the automatic outbound NAT rules.
It seems the attempt doesn't write anything to the Firewall log.

We got a gateway failover installed.
DNS resolves right.

Any hints?

Thank you very much for your help!
best
Manu