Topics

Hi

I was patching up this situation using OPNsense, but I would like a second opinion.
This question is about how to set up OPNsense as a GW itself.

Setup is:

Code Select Expand

WAN (dhcp) <=> INET/29 (owned WAN subnet) <=> one or more OPNsenses.

I know the subnet basics and initially did it using basic routing/ default GW/firewall in Linux, but would like to do it with OPNsense if that makes sense, performance-wise, because OPNsense has some features I would include.

What I did is creating the INET/29 subnet as if it were a LAN, and add up all the flags like BOGUSIPS, Firewall, Special exceptions etc myself, plus deactivating OUTBOUND NAT.

However I don't trust it as there are questions.

• For one, OPNsense doesn't know the INET/29 is a WAN port. I cannot tell for sure that there is no special internal edge case that gets traffic to escape the WAN<->INET/29 highway.
  
• OPNsense does identify WAN/LAN, and I don't know if thats just visual or if it means something more.
  
• Also, if the endpoint-router behind the GW restarts, connections through the GW are unstable. I have to restart the GW to make it work again (that is: let clients from WAN access HAproxy on the INET/29 endpoint again). It seems to me I converted a solution into another that is not meant to be.
  

Somebody/your opinion?

thanks

Hi folks

I need to mask LAN-HAproxy traffic with my WAN IP.

it seems I cannot get an outbound NAT for HAproxy working.
The conditions are never met for the Outbound-NAT to hook in.

I used: Outbound NAT
- Interface: WAN
- Source: The complete 10.24.0.0/16
- Dest: WAN (HAproxy port)
- Translate IP: Interface
... still the http server sees my LAN IP.

As soon as I route the traffic via a masked outside GW loopback, the Outbound-NAT works (useless, just to illustrate).

Somebody knows a solution?
What kind of hidden shortcut is in place here?
Thanks

Hi all

Edit: Sorry this belongs to the other (Suricata) forum, but it seems I cannot delete this.

I read in this doc
https://suricata.readthedocs.io/en/suricata-4.0.1/configuration/multi-tenant.html

that it's possible to distinguish configs by VLAN IDs using multi-detect.

My questions here:

• are the default baremetal interfaces in "netmap" the ones where the VLANs tenants are based on?
  
• if I want filters on VLAN-1, but empty rules on VLAN-2: will there be an inspection and latency on VLAN-2? (I ask because I had lags with openvpn going through suricata. a pass rule didn't help. only disabling did.
• what is the most stable way for opnsense to eat my "multi-detect" config? just add it in the custom.yaml file, and reference (+TARGETS) the additional yamls?

Thanks a lot.
Best
Manu

Hi,
I'd like to know, if anyone..., and how difficult it was to get CUDA in Suricata on Opnsense up and running.
Thanks
Manu

[On which internal IP do I set HAproxy for LAN access?]

Hi all

I have a basic question that I don't seem to find an answer for.
Say I use HAproxy as a SSL/Non-SSL reverse-proxy of my Non-SSL webpages in a DMZ.
I have an interest to also use HAproxy from the LAN1, because it handles the LetsEncrypt Certs, and the servers dont have SSL enabled.

On which internal IP do I set HAproxy for LAN access?

- I use split-horizon DNS
- loop-back on WAN is blocked because of the (useful) privatenet/bogus-rule I guess?
- There will be more LANs, this IP should be shared accross them

I tested that using the DMZ Router IP works, publishing it via the internal DNS. But I guess that way traffic passes through the router twice?

Thanks a lot
Best Manu

Hi

I think this thread perfectly describes my problem
https://serverfault.com/questions/155618/remote-logging-with-syslogd-can-i-change-the-hostname

Basically in syslogd's messages to a remote, the hostname is missing.
On the remote logger it mixes up with rsyslogd's messages from others, that prepend a hostname (seen as a source).

Is this intended behaviour or syslogd-only?

best
manu

Hi all
My question is somewhat basic concerning IDP on opnsense:

As SSL connections through the router are encrypted, is there a way for Suricata to inspect those too? Is it possible with a web proxy? Or is the Suricata Concept already including a webproxy?
And: How about SSL-mail...?

Couldn't find it mentioned in the docs.

Thanks a lot!

Best
Manu

Hi all
I noticed it is needed to also define WAN interface-addresses, if there should be NAT traffic from WAN into DMZ for example. (I didn't know it would affect WAN OUT directions too if I only put the WAN interface, without the WAN-dest-address).

My situation is that I have a WAN pool with 2 GWs.
But when trying to setup NAT for both GW i therefore need to DOUBLE every entry in FW/NAT (each with the intf-address of the corresponding WAN port).

Is there a way to substitute all WAN interface-addresses?
Would "this Firewall" be a safe choice? I'm not sure of this term.

Thank you
Best
Manu

Hi all
I'm struggling to connect from a Mac inside the LAN to an internet IPsec/L2TP server (brand Zyxel).

I tested it successfully without the opnsense router in between (different net, different router).
I unsuccessfully tried without the automatic outbound NAT rules.
It seems the attempt doesn't write anything to the Firewall log.

We got a gateway failover installed.
DNS resolves right.

Any hints?

Thank you very much for your help!
best
Manu