Topics

1

General Discussion / mDNS Repeater and firewall rules

« on: October 13, 2024, 06:59:52 pm »

Hello,

I want to use the mDNS repeater on OPNsense to forward mDNS between two subnets.
Out of the documentation it is not clear to me what firewall rules I need to allow the mDNS multicast traffic between these two vpn.

• on both interfaces to port 5353 at 224.0.0.251 and [ff02::fb] or
• on both interfaces to port 5353 at "subnet address" or
• on both interfaces to port 5353 at "this firewall"

Or a combination out of these three?

2

Hardware and Performance / Sophos SG 210/220/310/330 - blast from the past?

« on: June 08, 2024, 10:21:19 am »

Hello,

there I are many new hardware devices with modern powerful CPU, small form factor and low energy footprint and low noise that it is difficult to find the right choice. "Old" hardware is cheap to get as used devices often was a good choice in the past.

Is today a Sophos SG 210 / SG 220 / SG 310 / SG 330 still a good choice to run OPNsense in an ambitious home environment? Or is it blast from the past that cannot compete with actual new devices in regards of power, energy consumption and noise, even when taking cost into the calculation?

I am looking to upgrade my Qotom Q355G4 with something that provides one or two SFP+ ports. A DEC2752A or DEC2770 looks like a "dream build" but at high price. Is Sophos you get for around 100 $/EUR still an option to go nowadays?

3

24.1 Legacy Series / HAProxy - wrong ssl certificater after upgrade to 24.1

« on: January 31, 2024, 08:09:54 pm »

Hello,

for the issue with IDS not workong after update I could find quickly here the solution.
Now I have detected the second issue after update to 14.1.

I use HAProxy in a mix of SNI frontend (TCP type) and https frontend (SSL offloading). For offloading I use two hostnames with two ssl certificates that will will use two different backend servers.

Since the update the wrong certificate of the both is getting provided to the client. Backend selection is as expected. This setup is running since years. It broke when I upgraded to 14.1 yesterday.

4

23.7 Legacy Series / HAproxy: Syncthing Discovery server with forwarded client certificate in header

« on: September 02, 2023, 06:49:27 pm »

Hello,

I want to use the Syncthing Discovery server behind HAproxy with ssl offloading by HAproxy. To do so I set the discovery server to http (option -http). The connection is running. But I must forward the client certificate by header X-SSL-Cert. Acc. the manual the header is required in PEM format.

This would add the client cert in der format what is not recognized by the discovery server:

Code: [Select]

http-request set-header X-SSL-Cert %{+Q}[ssl_c_der,base64]
I modified the line to create a pem file. Either nothing is in or it is in wrong format.

Code: [Select]

http-request set-header X-SSL-Cert -BEGIN\ CERTIFICATE-\ %[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space

Connection is running. But discovery still cannot read the client cert:

Code: [Select]

no certificates: certificate decode result is empty

Any idea how to set-up the forwarding of client certificate by header correctly in OPNsense?

5

General Discussion / Client Cert Authentication sufficient for Exchange server

« on: September 03, 2022, 05:21:15 pm »

Hello,

does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose ‘activesync’ and ‘owa’ directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase the security for I want to switch to Client Certificate Authentication for activesync.

Option 1: setup client auth on HAProxy.
Option 2: passthrough ‘activcesync’ (separate host/SNI) in HAProxy by TCP mode, do authentication on HAProxy and keep offloading SSL for ‘owa’ on HAProxy

Option 1 seems to get to complicate for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up by two frontends on same port, on with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a direct exposed Exchange protected by client certificate authentication as save against attacks as behind HAProxy?

6

21.1 Legacy Series / gateway monitoring - RTTd bad

« on: February 14, 2021, 05:32:40 am »

Hello,

I noticed bad RTTd values in my local network,

Some days ago, I changed my network configuration. Two networks that before were directly connected to the OPNsense box now are getting handled by a L3 switch. Between OPNsense and L3 switch I added a "transport network", connected directly from nic to nic with a 50 cm cable. I added a static route between both devices. I am not using VLAN or LAGG on the OPNsense 20.1.1 box for this connection. But the RTTd values from gateway monitoring are worse in comparison to the values of my WAN connections.

Any idea what could be wrong?
Or could it be related to the way the monitoring is measuring?

7

General Discussion / external inter-VLAN L3 switching / routing

« on: January 17, 2021, 03:43:47 pm »

Hello,

currently my home network with a hand full of VLAN is set-up with in that way that opnsense is doing all routing between the sub-nets. All devices are connected to one L2 switch. But since I upgraded a part of my home network to 10 Gbit, I now have a bottleneck between the networks I call "LAN" and "DMZ". My opnsense is a small box with 1 GBit ports only, but good enough to handle the traffic to and from internet.

Three goals I have:
(1) I would like to move the routing between the network "LAN" and "WAN" to an external 10 GBit L3 switch (Ruckus 7250). For all other networks the routing can stay on the opnsense box. Only few traffic needs to get routed that is related to those.
(2) I would like to utilise the available 3 physical ports (A2, A3, A3) on the opnsense box as much as possible.
(3) I would like to minimize the overhead on the opnsense box generated by VLAN tagging or LAGG.

My ideas are:
- run LAGG over all three ports and run one VLAN trunk to the switch with all networks in
- run one VLAN / VLAN trunk on each of the three ports and manually distribute the VLAN / subnets acc. expected traffic
- as shown on the sketch: one separate gateway and route for LAN and DMZ, directly connected without VLAN or LAGG. All other packed in one VLAN trunk. No need for LAG or VLAN on the networks with highest traffic.

Any disadvantages by going with the last one?
Better ideas?

Code: [Select]

  opnsense                               L3 switch

       A1 --------X WAN

                GW1 - 192.168.1.10/30
       A2 -------------------------------- B1 - LAN: 192.168.40.0/24   

                GW2 - 192.168.1.20/30
       A3 -------------------------------- B2 - DMZ: 192.168.50.0/24

                 VLAN trunk
       A4 -------------------------------- B3 |--- VLAN 10: 192.168.10.0/24
                                              |--- VLAN 20: 192.168.20.0/24
                                              |--- VLAN 30: 192.168.30.0/24

8

20.7 Legacy Series / Unbound - DNSBL exclusions for DNS over TLS Servers

« on: October 11, 2020, 11:39:22 am »

Hello,

it is possible in unbound plugin to define DNSBL addresses as exclusions for DNS over TLS Servers?

I am using opnsense box with unbound as primary DNS server. My mail server with spam filter and DNSBL also is using this box as DNS server. When I used to direct resolve the domain all was fine. But since I changed to use DNS over TLS with Cloudflare server may mail server cannot use all DNSBL list any longer.

Defining exclusion list in unbound is my first idea. Alternatively, setup bind on opnsense additionally for DNBS only or setup an dedicated DNS server directly on the mail server.

9

Web Proxy Filtering and Caching / nginx default_server

« on: September 27, 2020, 03:27:15 am »

Hello,

is there a possibility to specify the "default_server" in the nginx module?

I use more than on http(s) server in direction WAN as well multiple servers as upload servers. Routing is done by domain name and by parameter "servername". All works fine. But if someone accesses my server by IP address I would like to point to a specific upload server. In nginx config I would realise this by the parameter "default_server". Currently any upload server is called, but always the same.

Is it possible to do specify the default server?
What is current logic the upload server is getting selected in case if access by IP?

10

20.1 Legacy Series / os-acme - DNS-01 not working with Letsencrypt production environment

« on: May 09, 2020, 04:27:53 am »

Hello,

On my OPNsense box 20.1 I changed Lesencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with staging environment is OK. I get issued the certificate.

But when I change Letsencrypt to production environment I get the following error:

Code: [Select]

[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de
With staging environment, I also can re-issue without waiting time. So, no DNS caching or refresh issue.

Due to the fact that testing with staging environment is working I assume there is something wrong on OPNsense side. Or do I miss something?

11

General Discussion / os-rfc2136 - documentation?

« on: May 06, 2020, 05:07:54 am »

Hello,

is there a documentation available for plugin os-rfc2136 (dynamic DNS updates)?

I am searching for some more details about the logic how updates are getting triggered.

• Does the plugin check if an DNS update was successful?
• If DNS update was not successful, will the plugin do re-trials?
• How the plugin validates if DNS update is required? By DNS server check or only WAN IP against "last changed value"?
• If there a periodic check for updates by the plugin itself or do I have to scheduled manually by cron?

I noticed a strange behavior when I did some tests to find the answers to my questions above. I changed the IP manually on DNS server to see what doing something and when. Nothing.

12

General Discussion / IPsec Site-to-Site - no access from OPNsense service

« on: May 03, 2020, 11:15:00 am »

Hello,

I assume I have a routing or firewall issue on OPNsense side, but I am running out of ideas where to search.

Under OPNsense I have set-up a site-to-site VPN with IPsec. On OPNsense side it is connected to the DMZ interface and its network. On remote site it is connected to a single host and the routed network.

Code: [Select]

DMZ (192.168.10.0/24) --> IPSec ------------> libreswan --> centos host (10.10.1.1/24)
What is not working is a connection from service on OPNsense to the remote host. To be precise I cannot reach the remote host by the plugin RFC2136 to do DNS updates via port 53/udp.

Firewall allows all from DMZ network to routed network. Connection between devices in DMZ network and remote host are working. Out of DMZ network I can reach my target port. So all fine on remote side.

13

Web Proxy Filtering and Caching / Sunny Valley Sensei not blocking

« on: October 12, 2019, 03:14:54 pm »

I just installed Sunny Valley Sensei on OPNsense 19.7.5 for testing purpose. The installation completed with success and also initial configuration is completed. The LAN interface is selected and all web filters are activated for testing. Status page shows all service running fine (at least to me it looks like).

But nothing is getting blocked. All traffic is going through. On dashboard I can see that the reports filling with data.

Could be there any conflict with running squid web proxy or incompatibility with LAGG interface for LAN? I have no idea where to search.

14

19.1 Legacy Series / nginx and autodiscover basic authentication on upsream server

« on: June 02, 2019, 02:27:29 pm »

Hello,

somehow my Exchange autodiscover does not work behind nginx as revers proxy. When I connect directly to the server it works. But behind OPNsense with nginx as reverse proxy autodiscover will end up in http 401 error.

Unfortunately, I don't see anything in the logs that gives me a hint were to search.

Basically, I am fine with either basic authentication pass through or authentication by OPNsense to LDAP server. Whatever is running is fine.

The rest like activesync and owa is running through opnsense.

Any idea where to search?

15

19.1 Legacy Series / openvpn client export not working

« on: May 11, 2019, 03:14:27 pm »

Hello,

after my issue with nginx if solved, I am faced with the next issue in OPNsense 19.1.7. The openvpn client export is not working. openvpn is set-up acc. wiki as road warrior. Certs for server and client are created by OPNsense CA. But when I now go to --> VPN --> Clientexport and press the button next to the user nothing happens. The browser shows loading activity for a while, but no file is coming. In the log files I cannot find any error.

Is there cli command to create the ovpn file instead of GUI?