Topics - ezra55

#1
Hello!

I've stumbled upon a used Mellanox device that has just a plain Linux OS running on it. Would anyone know if OPNsense could run on it? https://blog.mellanox.com/2017/11/mellanox-sn2010-the-best-hyperconverged-infrastructure-switch/

It has 18 10G/25G SFP+ ports, 4x 40G/100G SFP+ uplinks and 2x 1GB management ports. Would it even make (opn)sense to reflash this?

Thanks
#2
Hello!

How would I go about routing the internet traffic for OPNsense itself over one of my VPN client gateways? Where would I add these firewall rules? My firewall has 10 VLANs; I know how to set up internet traffic for clients in those VLANs, just not on which interface, or which floating rules I have to add, to route my OPNsense traffic (updates, NS lookups) over a secure tunnel.

Please advise, thanks.

Ezra
#3
Hello all!

I'm on 20.1 and when trying to update in the UI I get:
Firmware status check was aborted internally. Please try again.

When using the console opnsense-update or pkg update I get:
# pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/20.1/latest/meta.txz: Not Found
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/20.1/latest/packagesite.txz: Not Found
Unable to update repository OPNsense
Error updating repositories!


I've tried nearly every mirror, no go so far...

Please advise, thanks!

Ezra
#4
General Discussion / IGMP Proxy Chromecast, I'm lost
March 09, 2019, 10:50:46 PM
Hey guys,

I want to be able to use my Chromecasts' (and home automation server's) auto discovery and use it like everything is on 1 subnet, which it isn't of course.

I have multiple vlans containing clients that need access to my chromecast vlan.

Now reading up on IGMP Proxy, it only confuses me more.

Like: what to set as upstream? I don't think this needs to be WAN? I just want to use this locally; what subnets need to be in the upstream, only the Chromecast VLAN?

And what to set as downstream: vlans that need access to it?

Also, can this be used for Wake On LAN across subnets?

Thanks

Edit: I also have mDNS enabled on all VLANs.
#5
Hello!

I'd like to adjust which notifications are sent via SMTP. Right now all gateway-down notifications spam my inbox because of the 5x VPN gateways; can I adjust this?

Kind regards,

Ezra
#6
Hello,

I have 5x VPN tunnels, which I want to route all my traffic over.

I use the Unbound DNS server and selected all my VPN gateways to route it over.

Now when my VPN tunnels are down they can't resolve anymore.

I've added a floating rule: pass -> tcp/udp -> out -> DNS -> dest (alias for VPN addresses) -> WAN gateway
Then a floating rule to block all outgoing DNS over the WAN gateway, just to be sure.

This just does not work as expected. Any idea how to solve this?

Thanks,

Ezra
#7
17.7 Legacy Series / WOL to another subnet
January 26, 2018, 08:19:15 PM
Hey all!

I've been trying to Wake On LAN from "LAN" to "LAB" but it fails. It works from OPNsense itself. I've been reading and searching and have got square eyes right now. I just can't seem to figure it out.

I've tried the mDNS repeater: selected the 2 interfaces, enabled it, rebooted. I'm just not sure if this is the intended package for it...

Might anyone know a solution?

Kind regards,

Ezra
#8
17.7 Legacy Series / Monit for OpenVPN clients
January 23, 2018, 12:04:28 PM
Hey guys,

Quick question: my VPN clients (5x) seem to fail quite often. I've set up different monitoring IPs in the corresponding gateways for each client.

I have a 'killswitch' in place so that my WAN ISP is only used for the VPN client ports, DNS and ping from the firewall to connect to the VPN, and nothing else.

At random they all stop and don't come back up. Does anyone have some experience setting this up in Monit to get it fixed?
I use the monit CLI, but this GUI stuff is hard to figure out.

Thanks!
#9
Hey guys,

I've been working on this setup for quite a while now. I'd like some pointers and expert views on how I've set up the system. I cannot test it yet since I'm away from home for a few more weeks, and I'd like to have it ready for when I return home. I have an OPNsense box with:

  • Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)
  • 4 GB RAM DDR3
  • 16 GB SSD
  • 2GB SWAP, VAR and TMP in RAM
  • 4x Port - Interfaces: ESXi, LAN, LAN2 (unused for now), WIFI, WAN
  • OPNsense 17.7.5-amd64
  • FreeBSD 11.0-RELEASE-p12
  • OpenSSL 1.0.2l 25 May 2017
  • 1x Wifi onboard (used as guest network/IoT devices with no access to other NICs, only HTTP/HTTPS/DNS)
  • 1x Wireless AP (2.4 and 5 ghz) attached to Interface LAN
  • DHCP server enabled on: ESXi, LAN, WIFI
  • Static DHCP entries created with MAC addresses for all existing devices
  • Aliases for all existing devices and networks
  • WAN address is for now local to have some internet connection, this will change once I install the router in my network for real
My goals are the following:

  • Setup 4x OpenVPN client (done)
  • Setup 1x OpenVPN server (done)
  • Setup a FailoverVPN gateway group for all of the 4 VPN clients (done)
  • Block all access to google's DNS (done)
  • Route Netflix IP's over default ISP DHCP WAN (done)
  • Route OPNsense traffic over the FailoverVPN
  • Route all traffic over the FailoverVPN https://forum.opnsense.org/index.php?topic=4979.0 (see screen, done)
  • Block all traffic to my default ISP DHCP gateway (see screen, done)
  • Use 2x DNS server for the entire network/system (VPN company provided DNS servers: 209.222.18.218 & 209.222.18.222)(done)
  • Block all DNS requests to only use unbound DNS which in turn uses the servers mentioned above (done)
  • Block traffic from WIFI to all interfaces, only allow internet access and OPNsense as DNS
  • For now allow ESXi, LAN to access all interfaces. Later I will tighten these to only allow certain ports in and out on ESXi to LAN with aliases
  • Block all Plex metrics traffic with alias metrics.plex.tv, floating rule?

Port forwards:
https://imgur.com/zStbMCR

Rules:
Floating
https://imgur.com/P0gGbkJ

ESXi
https://imgur.com/qz9W80U

LAN
https://imgur.com/UCeeTdV

LAN2
https://imgur.com/5yQlyCc

OPENVPN (server)
https://imgur.com/VUGazFX

PIA
https://imgur.com/XtkCUSa

PIA2
https://imgur.com/iEVnFfx

PIA3
https://imgur.com/7FhKVu0

PIA4
https://imgur.com/O5rtTdR

WAN
https://imgur.com/IsLO9Kt

WIFI
https://imgur.com/UjpZsvc

Outbound NAT:
https://imgur.com/HLwHexX
https://imgur.com/Y3jRUbi
https://imgur.com/fgOMWwY

Gateways:
https://imgur.com/3dfOYes
groups:
https://imgur.com/a/AilFa

Interfaces:
https://imgur.com/r9WwokQ

General settings (DNS):
https://imgur.com/RdKVSKv

Unbound DNS:
https://imgur.com/m2DMyAK

DNS redirect rules:
To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.

Before adding this rule, ensure the DNS Forwarder or DNS Resolver is configured to bind and answer queries on Localhost, or All interfaces.

In the following example, the LAN interface is used, but it could be used for any local interface. Change the Interface and Destination as needed.

Navigate to Firewall > NAT, Port Forward tab
Click Add to create a new rule
Fill in the following fields on the port forward rule:
Interface: LAN
Protocol: TCP/UDP
Destination: Invert Match checked, LAN Address
Destination Port Range: 53 (DNS)
Redirect Target IP: 127.0.0.1
Redirect Target Port: 53 (DNS)
Description: Redirect DNS
NAT Reflection: Disable

Quote:
This procedure will allow the firewall to block DNS requests to servers that are off this network. This can force DNS requests from local clients to use the DNS Forwarder or Resolver on OPNsense for resolution. When combined with OpenDNS, this allows DNS-based content filtering to be enforced on the local network.

1. Set up OpenDNS servers (or whatever DNS servers are preferred) in System > General.
2. Add a firewall rule on Firewall > Rules, LAN tab permitting TCP/UDP source:any to the firewall's LAN IP address, port 53 (destination IP and port).
3. Move this newly created rule from step #2 to the very top of the LAN rules.
4. Add a new rule blocking protocol TCP/UDP source:any destination:any.
5. Move the rule created in step #4 to the second position, behind the permit rule that was moved in step #3.
6. That's it. Enjoy the fact that the hosts behind OPNsense can only talk to the built-in DNS resolver running on LAN, which uses your DNS.

Hope you guys can help me out to achieve some of my goals!
Thanks and merry Christmas!!
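As an added illustration, not the poster's configuration and not rules generated by OPNsense itself, here are the quoted DNS-redirect steps written as the equivalent raw pf ruleset. The interface `em1`, the 192.168.1.0/24 subnet, the firewall address 192.168.1.1 and the macro names are assumed placeholders, and the final block rule is scoped to port 53, which is an assumption about what the quoted step 4 intends rather than a literal "destination:any".

```pf
# Assumed placeholders: adjust to the real LAN interface and addressing.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# Port forward (the "Redirect DNS" rule): any DNS query from LAN that is NOT
# addressed to the firewall's own LAN address is rewritten to the local
# resolver on 127.0.0.1:53. Unbound must be listening on localhost for this
# to work (see the prerequisite in the quoted text).
rdr on $lan_if inet proto { tcp, udp } \
    from $lan_net to ! $lan_addr port 53 -> 127.0.0.1 port 53

# Step 2/3: the permit rule at the top of the LAN rules. pf filter rules see
# the post-translation destination, so redirected queries now carry
# 127.0.0.1 as destination; both the LAN address and the redirect target
# must be allowed or the redirected queries are dropped by the block below.
pass in quick on $lan_if inet proto { tcp, udp } \
    from $lan_net to { $lan_addr, 127.0.0.1 } port 53

# Step 4/5: directly behind the permit rule, drop (and log) any other DNS
# traffic arriving on LAN, e.g. from a spoofed source outside $lan_net.
# The log keyword makes bypass attempts visible in pflog for detection.
block in log quick on $lan_if inet proto { tcp, udp } \
    from any to any port 53

# Syntax check before loading:   pfctl -nf /path/to/this/ruleset
# Verify from a LAN client:      dig @8.8.8.8 example.com
# The answer should still arrive (served by Unbound), and on the firewall
# `pfctl -s states | grep ':53'` shows the state translated to 127.0.0.1.
```

If the LAN rule set in the GUI already ends with a default allow, the block rule still has to sit above it, exactly as step 5 requires, or unmatched DNS traffic falls through to the allow.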
#10
Hey guys,

I had OPNsense running behind my modem/router combination for a while now (double NAT). This gave some errors from time to time.
Now I found out that I could set the router in bridge mode. I have OPNsense running on my Ubuntu 16.04 VirtualBox host. It has 2 NICs.

Everything works as it should, although I have a weird feeling about the host being directly connected to the modem. I have set the secondary NIC on the host (WAN) to a LAN IP (address line in /etc/network/interfaces) 192.168.111.111, which is bogus of course.
The problem is that the NIC has to be up on the host in order to get connectivity in OPNsense (VirtualBox sees the NIC when it's down).

UFW rules on the host are: default deny incoming and some ports on TCP opened or limited.

Like I said, I don't really feel secure right now; does anyone have some advice on what to do or to test?

Below are the schematics.

Kind regards,

Ezra

Edit: I might add (I don't think it's really necessary but hey...) that I have all traffic tunneled through an OpenVPN client via OPNsense (except my Chromecast for Netflix -> default GW).