Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - Tubs

Pages: [1]

20.1 Legacy Series / os-acme - DNS-01 not working with Letsencrypt production environment

« on: May 09, 2020, 04:27:53 am »

Hello,

On my OPNsense box 20.1 I changed Lesencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with staging environment is OK. I get issued the certificate.

But when I change Letsencrypt to production environment I get the following error:

Code: [Select]

[Sat May 9 11:09:58 JST 2020]	The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020]	Error, cannot get domain token entry abcdefgh.de

With staging environment, I also can re-issue without waiting time. So, no DNS caching or refresh issue.

Due to the fact that testing with staging environment is working I assume there is something wrong on OPNsense side. Or do I miss something?

General Discussion / os-rfc2136 - documentation?

« on: May 06, 2020, 05:07:54 am »

Hello,

is there a documentation available for plugin os-rfc2136 (dynamic DNS updates)?

I am searching for some more details about the logic how updates are getting triggered.

Does the plugin check if an DNS update was successful?
If DNS update was not successful, will the plugin do re-trials?
How the plugin validates if DNS update is required? By DNS server check or only WAN IP against "last changed value"?
If there a periodic check for updates by the plugin itself or do I have to scheduled manually by cron?

I noticed a strange behavior when I did some tests to find the answers to my questions above. I changed the IP manually on DNS server to see what doing something and when. Nothing.

General Discussion / IPsec Site-to-Site - no access from OPNsense service

« on: May 03, 2020, 11:15:00 am »

Hello,

I assume I have a routing or firewall issue on OPNsense side, but I am running out of ideas where to search.

Under OPNsense I have set-up a site-to-site VPN with IPsec. On OPNsense side it is connected to the DMZ interface and its network. On remote site it is connected to a single host and the routed network.

Code: [Select]

DMZ (192.168.10.0/24) --> IPSec ------------> libreswan --> centos host (10.10.1.1/24)
What is not working is a connection from service on OPNsense to the remote host. To be precise I cannot reach the remote host by the plugin RFC2136 to do DNS updates via port 53/udp.

Firewall allows all from DMZ network to routed network. Connection between devices in DMZ network and remote host are working. Out of DMZ network I can reach my target port. So all fine on remote side.

Web Proxy Filtering and Caching / Sunny Valley Sensei not blocking

« on: October 12, 2019, 03:14:54 pm »

I just installed Sunny Valley Sensei on OPNsense 19.7.5 for testing purpose. The installation completed with success and also initial configuration is completed. The LAN interface is selected and all web filters are activated for testing. Status page shows all service running fine (at least to me it looks like).

But nothing is getting blocked. All traffic is going through. On dashboard I can see that the reports filling with data.

Could be there any conflict with running squid web proxy or incompatibility with LAGG interface for LAN? I have no idea where to search.

19.1 Legacy Series / nginx and autodiscover basic authentication on upsream server

« on: June 02, 2019, 02:27:29 pm »

Hello,

somehow my Exchange autodiscover does not work behind nginx as revers proxy. When I connect directly to the server it works. But behind OPNsense with nginx as reverse proxy autodiscover will end up in http 401 error.

Unfortunately, I don't see anything in the logs that gives me a hint were to search.

Basically, I am fine with either basic authentication pass through or authentication by OPNsense to LDAP server. Whatever is running is fine.

The rest like activesync and owa is running through opnsense.

Any idea where to search?

19.1 Legacy Series / openvpn client export not working

« on: May 11, 2019, 03:14:27 pm »

Hello,

after my issue with nginx if solved, I am faced with the next issue in OPNsense 19.1.7. The openvpn client export is not working. openvpn is set-up acc. wiki as road warrior. Certs for server and client are created by OPNsense CA. But when I now go to --> VPN --> Clientexport and press the button next to the user nothing happens. The browser shows loading activity for a while, but no file is coming. In the log files I cannot find any error.

Is there cli command to create the ovpn file instead of GUI?

19.1 Legacy Series / nginx: not starting after setting access log "disabled"

« on: May 11, 2019, 06:15:08 am »

Hello,

Nginx is not starting after setting of access log in section srver to "disabled".

My setup with nginx as reverse proxy is running. When I change in nginx server settings access log from "Standard" to "Disabled" in the first step looks like all is working fine. Nginx is running. But after reboot of OPNsense box nginx is not starting any more.

In error.log I found:

Code: [Select]

2019/05/11 12:52:00 [emerg] 51023#100211: unknown log format "disabled" in /usr/local/etc/nginx/nginx.conf:1519
In nginx.conf I found

Code: [Select]

access_log /var/log/nginx/xxxxxxx.de.access.log disabled;
To me it looks like after reboot of opnsense the nginx conf is getting rewiritten but the fomat is not correct.

19.1 Legacy Series / nginx reverse proxy IPv6 --> IPv4

« on: May 04, 2019, 05:33:55 pm »

Hello,

can I use nginx plugin as reverse proxy from IPv6 address to internal server with IPv4 address only?

With all I tried so I do not get it running.

My starting point is that my IPv4 setup is running: WAN IPv4 --> nginx --> DMZ IPv4
I set-up IPv6 GIF tunnel (HE) and in firewall I allow on tunnel interface ICMP and port 80 and 443 to "this firewall'.
No further set-up of IPv6 address to any other interface.
When I look on sockets bindings of nginx to ports looks OK for IPv6:
www nginx tcp6 *:443 *:*
root nginx tcp6 *:80 *:*
root nginx tcp6 *:443 *:*
Ping from outside to local GIF address is working fine.

But http and https access from outside to local GIF address timed out. Nothing I can see in the firewall logs.

Any idea what to do?
Or is it simple not possible what I want to do?

19.1 Legacy Series / performasnce issue with McAfee endpoint security?

« on: February 09, 2019, 03:05:16 pm »

Hello,

I noticed a strange behavior with the combination OPNsense 19.1, Windows 10 , McAfee Endpoint Security 10.5. Connection to WAN hangs dramatically (PING as well download speed).

I moved in a new home, got a new PC and updated to OPNsense V19.1 at the same time. All internet devices are running perfectly with the Netgear router from internet company. But wenn I echange the Netgear router with my OPNsense box the Win PC internet hangs, both over LAN and WLAN while iPhone, iPad and Android phones are running fine with OPNsense box. LAN connecton from PC to OPNSense box seems to work without problem.

When I disable McAfee endpoint security on the Win PC it also runs fine with PFsense.

Any idea where the incompatibility between OPNsense and the PC can come from?

I am pretty sure that there is nothing wrong with the PC setup as it is a standard configuration of a big corporate running on thousands of PCs in the same configuration.

18.7 Legacy Series / igb NIC - WAN drop and increased PING time

« on: August 12, 2018, 03:31:51 pm »

Hello,

With OPNsense 18.7 I still have the issues on WAN port with increased PING time till packets lost and drop of WAN connection. The issue is a know issue related to igb driver or Intel NIC. In my case it is an Intel NIC i211-AT on a Qotom Q335G4. I see the issue only on WAN port that is connected to the cable modem AVM Fritz!Box 6490. On LAN ports connected to a Cisco switch all is fine (I always can reach OPNsense Web interface via these LAN ports). My first supect was the modem. But after this was getting exchanged the issue still is there.

The issue also is reported on pfsense forum and in this old post here
https://forum.opnsense.org/index.php?topic=5511.msg28687#msg28687

I tried out all recommended tuning parameters, but all without success. I believe I see an improvement but no solution.

/boot/loader.conf.local

Code: [Select]

kern.cam.boot_delay=10000 				
kern.ipc.nmbclusters=1000000
hw.igb.num_queues=1 
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1
hw.pci.enable_msix=0
hw.igb.enable_msix=0

in optimizatino parameters

Code: [Select]

dev.igb.0.eee_disabled=1
dev.igb.1.eee_disabled=1
dev.igb.2.eee_disabled=1
dev.igb.3.eee_disabled=1

Is there anyboy working on this topic?
Is there already a solution that helps?

Thank you

18.7 Legacy Series / 18.7: password not acepted any more after update

« on: July 31, 2018, 10:05:20 pm »

I just updated to 18.7. But now I cannot login any more with root and my local password. It is getting rejected with "wrong password".

Network connection to internet is working. Servers on VLAN connection via HAproxy I also cannot reach.

18.1 Legacy Series / bind routed IPv6 subnet to services

« on: March 31, 2018, 12:58:35 pm »

Hello,

is it possible to bind services from OPNsense to IPv6 address of a routed subnet?
Specifically, I am interested in HAProxy.

So far my OPNsense up is working fine. I have IPv4 WAN via PPPoP and IPv6 via a GIF tunnel with routed /48 subnet. Routing and filtering of IPv6 to the different internal networks with /64 subnets out of routed /48 subnet is working fine.

I have set up HAProxy as reverse proxy for several web services running behind OPNsense. With IPv4 this is working fine. With the IPv6 endpoint address of the tunnel it also would work.

But is it also possible to bind HAproxy to one or more IPv6 addresses of the routed IPv6 subnet instead of GIF tunnel endpoint address?

This would allow me proper DNS entries incl. PTR matching to the several domain names used.

Thank you.

Hardware and Performance / SOHO hardware MINISYS

« on: March 18, 2018, 09:16:36 pm »

Hello,

currently my OPNsense is running under Hyper-V. But I am planning to move it to a dedicated hardware.

Qotom is the company some are recommending also for pfsense. Qotom Q355G4 has CPU from Broadwell generation. The MINISYS IBOX-501 N13 has Kaby Lake CPU generation.

I am not familiar nowadays anymore with this big variety of different CPU types for mobile, embedded, desktop and server. Is here anybody with experience of different CPUs in combination with OPNsense?

Is there any significant difference in power and power consumption between Core i5-5250U of Qotom Q355G4 and Celeron 3865u and Core i3 7100u of MINISYS IBOX-501 N13?

Thanks.

18.1 Legacy Series / VPN road worrier IKEv2 and DNS for local domain not working

« on: March 18, 2018, 07:49:56 pm »

Hello,

I finally could set-up road worrier VPN with IKEv2 to work with iPhone (iOS). On OPNsense "Mutual RSA" and on iPhone cert-based authentication was the only IKEv2 based combination I could get running. Firewall setting and access to OPNsense ubound is set-up and seems to me correct by now. (IPSEC is in virtual network 192.168.200.0/24 and LAN is 192.168.100.0/24)

Everything so far works fine except of DNS for local network. In "mobile clients" of IPSEC settings in OPNsense the local DNS server 192.168.100.1 is set-up. By using a network tool on iPhone I can get DNS resolution for clients on LAN from DNS server of OPNsense on 192.168.100.1. But by using standard without giving explicit DNS name the iPhone is not contacting the local DNS for local domain.

Configuration issue or bug on OPNsense or on iPhone with iOS 11?

Thank you.

Pages: [1]