Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - ezra55

Pages: [1]

Hardware and Performance / Mellanox SN2010 as hardware for OPNsense

« on: April 26, 2021, 07:00:33 pm »

Hello!

I've stumbled upon a used Mellanox device that has just a plain linux OS running on it. Would anyone know if OPNsense could run on it? https://blog.mellanox.com/2017/11/mellanox-sn2010-the-best-hyperconverged-infrastructure-switch/

it has 18 10G/25G sfp+ ports and 4x 40G/100G uplink sfp+ and 2x mnmt 1GB ports. Would this even make (opn)sense to reflash this?

Thanks

20.7 Legacy Series / How to route opnsense WAN traffic over specific gateway

« on: August 03, 2020, 06:22:57 pm »

Hello!

How would i go about routing the internet traffic for OPNsense itself over one of my VPN client gateways? Where would i add these firewall rule since my firewall has 10 VLANs i know how to setup internet traffic for clients in those vlans, just not on what interface or floating rules i have to add to route my opnsense (updates, NS lookups) traffic over a secure tunnel

Please advise, thanks.

Ezra

20.1 Legacy Series / Upgrade to 20.7 fails with repo's not found

« on: August 03, 2020, 06:19:45 pm »

Hello all!

Im on 20.1 and when trying to update in the UI i get:

Code: [Select]

Firmware status check was aborted internally. Please try again.
When using the console opnsense-update or pkg update i get:

Code: [Select]

# pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/20.1/latest/meta.txz: Not Found
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/20.1/latest/packagesite.txz: Not Found
Unable to update repository OPNsense
Error updating repositories!

I've tried nearly every mirror, no go so far...

Please advise, thanks!

Ezra

General Discussion / IGMP Proxy Chromecast, I'm lost

« on: March 09, 2019, 10:50:46 pm »

Hey guys,

I want to be able to use my chromecasts (and home automation server) auto discovery and use it like everything is on 1 subnet. which it isnt of course.

I have multiple vlans containing clients that need access to my chromecast vlan.

Now reading up on IGMP Proxy, it only confuses me more.

Like: what to set as upstream? I dont think this needs to be WAN? I just want to use this locally, what subnets need to be in the upstream, only the chromecast vlan?

And what to set as downstream: vlans that need access to it?

Also can this be used for Wake On Lan accross subnets?

Thanks

edit: also have Mdns enabled on all vlans

18.1 Legacy Series / How to change what type of notifications are sent

« on: March 30, 2018, 06:54:10 pm »

Hello!

I'd like to adjust what notifications are sent via SMTP. Now all gateway down notifications spam my inbox because of 5x VPN gateway, can i adjust this?

Kind regards,

Ezra

18.1 Legacy Series / DNS over specific gateway with VPN clients

« on: March 11, 2018, 08:05:16 am »

Hello,

I have 5x VPN Tunnel, where i want to route all my traffic over.

I use the Unbound DNS server and selected all my VPN gateways to route it over.

Now when my VPN tunnels are down they can't resolv anymore.

I've added a floating rule: pass -> tcp/udp -> out -> DNS -> dest (alias for vpn addresses) -> WAN gateway
Then a floating to block all outgoing DNS over WAN gateway just to be sure.

This just does not work as expected. Any idea how to solve this?

Thanks,

Ezra

17.7 Legacy Series / WOL to another subnet

« on: January 26, 2018, 08:19:15 pm »

Hey all!

I've been trying to Wake On Lan from "LAN" to "LAB" but it fails. It works from OPNsense itself. I've been reading and searching, got square eyes right now. Just can't seem to figure it out.

I've tried mDNS repeater, selected the 2 interfaces, enabled, rebooted. Just not sure if this is the intented package for it...

Might anyone know a solution?

Kind regards,

Ezra

17.7 Legacy Series / Monit for OpenVPN clients

« on: January 23, 2018, 12:04:28 pm »

Hey guys,

Quick question, my VPN clients (5x) seem to fail quite often. I've setup different monitoring IP's in the corresponding gateways for each client.

I have a 'Killswitch' in place to not use my WAN ISP only for the VPN client Ports DNS and Ping from the firewall to connect to the vpn and nothing else.

At random they all stop and not get back up. Does anyone has some experience setting this up in Monit to get fixed?
I use monit CLI but this GUI stuff is hard to figure out.

Thanks!

General Discussion / New setup, need expert eyes and suggestions

« on: December 24, 2017, 04:03:29 pm »

He guys,

Been working on this setup for quite a while now. I'd like some pointers and expert views on how I've setup the system. I cannot test it yet since I'm away from home for a few more weeks. I'd like to have it ready for when I return home. I have an OPNsense box with:

Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)
4 GB RAM DDR3
16 GB SSD
2GB SWAP, VAR and TMP in RAM
4x Port - Interfaces: ESXi, LAN, LAN2 (unused for now), WIFI, WAN
OPNsense 17.7.5-amd64
FreeBSD 11.0-RELEASE-p12
OpenSSL 1.0.2l 25 May 2017
1x Wifi Onboard (Used as guest network/IOT devices with no access to other NIC's only HTTP/HTTPS/DNS)
1x Wireless AP (2.4 and 5 ghz) attached to Interface LAN
DHCP server enabled on: ESXi, LAN, WIFI
Static DHCP entries created with MAC addresses for all existing devices
Aliases for all existing devices and networks
WAN address is for now local to have some internet connection, this will change once I install the router in my network for real

My goals are the following:

Setup 4x OpenVPN client (done)
Setup 1x OpenVPN server (done)
Setup a FailoverVPN gateway group for all of the 4 VPN clients (done)
Block all access to google's DNS (done)
Route Netflix IP's over default ISP DHCP WAN (done)
Route OPNsense traffic over the FailoverVPN
Route All traffic over the FailoverVPN traffic https://forum.opnsense.org/index.php?topic=4979.0 See screen (done)
Block All traffic to my default ISP DHCP gateway See screen(done)
Use 2x DNS server for the entire network/system (VPN company provided DNS servers: 209.222.18.218 & 209.222.18.222)(done)
Block all DNS requests to only use unbound DNS which in turn uses the servers mentioned above (done)
Block traffic from WIFI to all interfaces, only allow internet access and OPNsense as DNS
For now allow ESXi, LAN to access all interfaces. Later I will tighten these to only allow certain ports in and out on ESXi to LAN with aliases
Block all Plex metrics traffic with alias metrics.plex.tv, floating rule?

Port forwards:
https://imgur.com/zStbMCR

Rules:
Floating
https://imgur.com/P0gGbkJ

ESXi
https://imgur.com/qz9W80U

LAN
https://imgur.com/UCeeTdV

LAN2
https://imgur.com/5yQlyCc

OPENVPN (server)
https://imgur.com/VUGazFX

PIA
https://imgur.com/XtkCUSa

PIA2
https://imgur.com/iEVnFfx

PIA3
https://imgur.com/7FhKVu0

PIA4
https://imgur.com/O5rtTdR

WAN
https://imgur.com/IsLO9Kt

WIFI
https://imgur.com/UjpZsvc

Outbound NAT:
https://imgur.com/HLwHexX
https://imgur.com/Y3jRUbi
https://imgur.com/fgOMWwY

Gateways:
https://imgur.com/3dfOYes
groups:
https://imgur.com/a/AilFa

Interfaces:
https://imgur.com/r9WwokQ

General settings (DNS):
https://imgur.com/RdKVSKv

Unbound DNS:
https://imgur.com/m2DMyAK

DNS redirect rules:

Code: [Select]

To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.

Before adding this rule, ensure the DNS Forwarder or DNS Resovler is configured to bind and answer queries on Localhost, or All interfaces.

In the following example, the LAN interface is used, but it could be used for any local interface. Change the Interface and Destination as needed.

Navigate to Firewall > NAT, Port Forward tab
Click fa-level-up Add to create a new rule
Fill in the following fields on the port forward rule:
Interface: LAN
Protocol: TCP/UDP
Destination: Invert Match checked, LAN Address
Destination Port Range: 53 (DNS)
Redirect Target IP: 127.0.0.1
Redirect Target Port: 53 (DNS)
Description: Redirect DNS
NAT Reflection: Disable

Quote

This procedure will allow the firewall to block DNS requests to servers that are off this network. This can force DNS requests from local clients to use the DNS Forwarder or Resolver on OPNSense for resolution. When combined with OpenDNS, this allows DNS-based content filtering to be enforced on the local network.

Setup OpenDNS servers (or whatever DNS servers are preferred) in System > General.
Add a firewall rule on Firewall > Rules, LAN tab permitting TCP/UDP source:any to the firewalls LAN IP Address, port 53 (destination IP and port)
Move this newly created rule from step #2 to the very top of the LAN rules
Add a new rule blocking protocol TCP/UDP source:any destination:any.
Move the rule created in step #4 to the second position behind the permit rule that was moved in step #3.
That’s it. Enjoy the fact that the hosts behind OPNSense can only talk to the built in DNS resolver running on LAN which uses your DNS.

Hope you guys can help me out to achieve some of my goals!
Thanks and merry Christmas!!

16.7 Legacy Series / Searching for advice - Virtualization and OPNsense

« on: January 07, 2017, 10:18:33 pm »

Pages: [1]