Topics

1

General Discussion / Request Suggestions for Caching OPNSense Updates

« on: December 17, 2020, 07:13:15 pm »

I have a home lab in which I study networking and pen testing.  Unfortunately, my ISP has a data cap which limits me to 1.2 TB/month.  I have set up a SQUID proxy to cache my windows/LINUX updates but it is unable to properly cache my OPNSense updates (the initial download completes but when subsequent OPNSense VMs try to download the same update from the cache, the files fail to download (update fails).

I have looked at maintaining a local update server via RSYNC, however, since every update (including betas) consists of hundreds of megs, keeping the local repo in sync will tax my data cap as well.  That is why I am looking at only caching the files I am actually using/need.

Since I am not finding luck using SQUID to cache and keeping a local repo in sync will not help my data cap, are there other methods/setups people have found to work?

Thanks

2

Web Proxy Filtering and Caching / Squid Peer Configuration Possible?

« on: June 05, 2020, 08:04:06 pm »

I am looking at setting up a pair of SQUID proxies to cache linux updates in an HAproxy configuration.  Since ideally I want to minimize the number of times a package is downloaded, I want to configure the proxies to either sync caches (not seeing how to do that within Squid) or configure each instance to query the other instance as a peer.  The plugin looks like it only has an option for a parent.

Any help/guidance would be appreciated.

Thanks

3

20.1 Legacy Series / OPNsense 20.1.4 VM on KVM Not Allowing Inbound Connections aside from ICMP

« on: April 21, 2020, 08:16:17 pm »

I am in the process of setting up a test lab using KVM (Ubuntu Server 20.04 running KVM and Cockpit).  I am able to install and update OPNsense without issues and the client behind OPNsense has full connectivity.  However, even after I permitted incoming non-routable IP address traffic and set the appropriate rules to permit inbound HTTPS and SSH, the traffic times out and I see no entries in the firewall logs.  However, when I try to connect from the same source to the same destination on HTTP (still blocked by rule),  the traffic also times out but I DO see entries in the firewall logs.  I should also note that incoming ICMP is permitted by rule and is working correctly.

To further test if the issue was related to KVM or OPNsense, I downloaded and installed PFsense (latest) in parallel on the KVM server.  Same base rules and I am able to successfully connect to the webgui and SSH through the WAN interface.

I am not sure where to look to troubleshoot this issue further.

Please let me know what you need from me (screen shots or logs).

Thanks

4

17.1 Legacy Series / On My Wishlist - Caching Proxy Option for Downloading Updates

« on: November 06, 2016, 05:21:53 pm »

I have found OPNSense to be a full featured, well documented and easy to use solution that can have a small memory/processor footprint (depending on what features are actively in use).  I am therefore using it as my standard firewall not only for my home but also for my test labs.  This means that when all of my labs are running, I have 10 to 20 OPNSense VMs running at once.  When a series of patches are then released, I have to go through the update process on all of the instances.  Since, at the end of the update process the downloaded files are deleted and I am unable to find a way to point to a dedicated caching proxy where the update files can be downloaded again locally, the same files need to be downloaded from the internet again and again (consuming bandwidth).

I was wondering if there are any plans to support configuring a dedicated caching proxy for updates only.  Alternatively, is there a way to download and centrally maintain update files for select platforms (similar to what Ubuntu offers) so that I could have an internal mirror I could point my VMs to?

Thanks

5

17.1 Legacy Series / [SOLVED] Requesting Background on CARP Work for 17.1

« on: November 06, 2016, 04:56:00 pm »

I was going through the list of what is to be completed prior to release 17.1 and saw the line "reverting CARP usage back to BSD standards."  I was hoping for more information on how the current CARP implementation deviates from BSD standards and what functionality would be lost in doing so.

Thanks