Topics - pongafence

#1
General Discussion / Setting up OPNsense mirror
May 15, 2019, 04:41:44 AM
Hey all,

Have a lot of spare capacity in APAC region.  Wanting to set up OPNsense mirror.  What's best mode of contact?
#2
Web Proxy Filtering and Caching / HAproxy Virtual Hosting
February 18, 2019, 03:44:49 AM
Hey dudes, so how does one do redirection and load balancing for the frontend based on the virtualhost?
#3
18.7 Legacy Series / [SOLVED] Setting Source IP
September 01, 2018, 10:20:04 AM
Hey,

So we've implemented our new border routers, which have now been placed in front of our OPNsense firewalls.

Anyway, the link between our border routers and firewalls is using a private IP range.  Our border routers and OPNsense firewalls are peered with each other using BGP, and our OPNsense firewalls advertised /32 public IP ranges through to the border routers, which then obviously aggregate and advertise them up to our transit peers.  The public IP addresses are assigned as secondary IP addresses on that interface.

So anyway, the problem I want to resolve is that I want the OPNsense firewall, rather than using the private IP address that's assigned to the inter-link address, to use the public IP address as the source address, so as to allow traffic to be routed back to it.

T.I.A
#4
18.1 Legacy Series / OSPF Route Filtering
June 19, 2018, 12:26:02 PM
Hey,

Can someone from the devs tell me how the OSPF route filtering is meant to be configured?  What I want to do, is use the prefix list to specify the networks that I want to publish out via OSPF, rather than adding them individually to the OSPF process itself.
#5
18.1 Legacy Series / Firewall Zones
May 31, 2018, 05:15:02 AM
Hi all,

Was wanting to know if the concept of "firewall zones" has been or is going to be implemented into OPNsense.


Thanks,
D
#6
18.1 Legacy Series / GRE over IPSEC
May 01, 2018, 12:44:05 PM
Hey all,

So firstly, yes I did quickly try to search both the documentation and the forums for some quick answers, but was left still wanting.

So at the moment, I'm connecting a few sites together using IPSEC tunnels.  They're working fine.  However, there is a new requirement now, now that they're up.  To use a dynamic routing protocol over the tunnel.

I know that from the current IPSEC tunnel it's not possible.  But I know that with a GRE tunnel I can.

However, configuring this in OPNsense isn't very clear cut, or maybe it's that easy I'm overcomplicating it.

I'm able to establish the GRE tunnel.  But how do I encrypt it?

The reason for this is because I can't seem to use the OpenVPN option due to configuration limitations on the other end, Mikrotik router and Cisco router.

Anyway, how do I wrap it up?  Do I specify the IP addresses of the GRE tunnel?  Or do I specify the external IPs of each device in the IPSEC tunnels to wrap up the GRE tunnel?

Directions would be greatly appreciated.
#7
18.1 Legacy Series / Icinga2 Monitoring Agent
March 15, 2018, 07:28:36 AM
Hi guys,

Are there any plans of adding the Icinga2 monitoring agent to the package list?  We've made the decision to roll out Icinga2, so it'd be nice to have that included if possible.


Thanks,
#8
Hi guys,

Has anyone else experienced browser lockups when accessing the Web Admin portal using Firefox on Windows?  Seems okay in macOS and Linux, but just Windows?
#9
So as the title says, where should I be applying the Site-to-Site IPSEC Firewall rules?  Should I be assigning them to the "IPSEC" interface that gets created?  Or to the WAN interface?
#10
Hi guys,

In our DC, we use OPNsense almost exclusively now.  With the exception for one server that runs our old Sophos UTM appliance.

We would like to decommission this, we can complete a Site-to-Site IPSEC tunnel.  And traffic flows behind the OPNsense firewall, its internal networks, and our branch site and its internal networks.  But we have a separate OPNsense firewall as well that protects another network, which we use OSPF to publish routes between the two.

So the question is, how do we redistribute Site-to-Site IPSEC tunnel networks to the OSPF Areas?  I've tried selecting Kernel Routes, Static Routes and Connected Routes as well for redistribution.
#11
17.7 Legacy Series / Filebeats and Logstash
August 10, 2017, 03:23:33 PM
Hi guys,

We run ELK internally for all of our logging, and run Filebeat specifically on all our servers where possible.

Was wanting to know if we could potentially have Filebeats and Logstash included to export things like Suricata Eve logs and maybe Squid and other system logs into our ELK cluster directly?

At the moment we're just throwing SYSLOGs at it and are trying and working with those logs for the moment.  But it'd be nice to have Filebeats and Logstash.

Has anyone else done this yet?
#12
Hi guys,

So I've implemented OPNsense almost EVERYWHERE now, with only my core IPSEC VPN gateways to replace, once I figure out configuration patterns and passing dynamic routes.

Anyway, the issue that I'm having, is once I configure SSL interception, almost every site works fine, except for Google sites, or sites that use the Google CA.

I've attempted to use the unknown intermediate CA configuration to include additional certificates, but nothing seems to work, so thus I either don't visit Google, or don't enable SSL interception.

Has anyone else run into this problem when visiting SSL intercepted sites and received the UNKNOWN_CA_ERROR?

And how did you resolve the issue without disabling SSL interception?


TIA,
D