Topics

1

General Discussion / Client Cert Authentication sufficient for Exchange server

« on: September 03, 2022, 05:21:15 pm »

Hello,

does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose ‘activesync’ and ‘owa’ directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase the security for I want to switch to Client Certificate Authentication for activesync.

Option 1: setup client auth on HAProxy.
Option 2: passthrough ‘activcesync’ (separate host/SNI) in HAProxy by TCP mode, do authentication on HAProxy and keep offloading SSL for ‘owa’ on HAProxy

Option 1 seems to get to complicate for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up by two frontends on same port, on with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a direct exposed Exchange protected by client certificate authentication as save against attacks as behind HAProxy?

2

21.1 Legacy Series / gateway monitoring - RTTd bad

« on: February 14, 2021, 05:32:40 am »

Hello,

I noticed bad RTTd values in my local network,

Some days ago, I changed my network configuration. Two networks that before were directly connected to the OPNsense box now are getting handled by a L3 switch. Between OPNsense and L3 switch I added a "transport network", connected directly from nic to nic with a 50 cm cable. I added a static route between both devices. I am not using VLAN or LAGG on the OPNsense 20.1.1 box for this connection. But the RTTd values from gateway monitoring are worse in comparison to the values of my WAN connections.

Any idea what could be wrong?
Or could it be related to the way the monitoring is measuring?

3

General Discussion / external inter-VLAN L3 switching / routing

« on: January 17, 2021, 03:43:47 pm »

Hello,

currently my home network with a hand full of VLAN is set-up with in that way that opnsense is doing all routing between the sub-nets. All devices are connected to one L2 switch. But since I upgraded a part of my home network to 10 Gbit, I now have a bottleneck between the networks I call "LAN" and "DMZ". My opnsense is a small box with 1 GBit ports only, but good enough to handle the traffic to and from internet.

Three goals I have:
(1) I would like to move the routing between the network "LAN" and "WAN" to an external 10 GBit L3 switch (Ruckus 7250). For all other networks the routing can stay on the opnsense box. Only few traffic needs to get routed that is related to those.
(2) I would like to utilise the available 3 physical ports (A2, A3, A3) on the opnsense box as much as possible.
(3) I would like to minimize the overhead on the opnsense box generated by VLAN tagging or LAGG.

My ideas are:
- run LAGG over all three ports and run one VLAN trunk to the switch with all networks in
- run one VLAN / VLAN trunk on each of the three ports and manually distribute the VLAN / subnets acc. expected traffic
- as shown on the sketch: one separate gateway and route for LAN and DMZ, directly connected without VLAN or LAGG. All other packed in one VLAN trunk. No need for LAG or VLAN on the networks with highest traffic.

Any disadvantages by going with the last one?
Better ideas?

Code: [Select]

  opnsense                               L3 switch

       A1 --------X WAN

                GW1 - 192.168.1.10/30
       A2 -------------------------------- B1 - LAN: 192.168.40.0/24   

                GW2 - 192.168.1.20/30
       A3 -------------------------------- B2 - DMZ: 192.168.50.0/24

                 VLAN trunk
       A4 -------------------------------- B3 |--- VLAN 10: 192.168.10.0/24
                                              |--- VLAN 20: 192.168.20.0/24
                                              |--- VLAN 30: 192.168.30.0/24

4

20.7 Legacy Series / Unbound - DNSBL exclusions for DNS over TLS Servers

« on: October 11, 2020, 11:39:22 am »

Hello,

it is possible in unbound plugin to define DNSBL addresses as exclusions for DNS over TLS Servers?

I am using opnsense box with unbound as primary DNS server. My mail server with spam filter and DNSBL also is using this box as DNS server. When I used to direct resolve the domain all was fine. But since I changed to use DNS over TLS with Cloudflare server may mail server cannot use all DNSBL list any longer.

Defining exclusion list in unbound is my first idea. Alternatively, setup bind on opnsense additionally for DNBS only or setup an dedicated DNS server directly on the mail server.

5

Web Proxy Filtering and Caching / nginx default_server

« on: September 27, 2020, 03:27:15 am »

Hello,

is there a possibility to specify the "default_server" in the nginx module?

I use more than on http(s) server in direction WAN as well multiple servers as upload servers. Routing is done by domain name and by parameter "servername". All works fine. But if someone accesses my server by IP address I would like to point to a specific upload server. In nginx config I would realise this by the parameter "default_server". Currently any upload server is called, but always the same.

Is it possible to do specify the default server?
What is current logic the upload server is getting selected in case if access by IP?

6

20.1 Legacy Series / os-acme - DNS-01 not working with Letsencrypt production environment

« on: May 09, 2020, 04:27:53 am »

Hello,

On my OPNsense box 20.1 I changed Lesencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with staging environment is OK. I get issued the certificate.

But when I change Letsencrypt to production environment I get the following error:

Code: [Select]

[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de
With staging environment, I also can re-issue without waiting time. So, no DNS caching or refresh issue.

Due to the fact that testing with staging environment is working I assume there is something wrong on OPNsense side. Or do I miss something?

7

General Discussion / os-rfc2136 - documentation?

« on: May 06, 2020, 05:07:54 am »

Hello,

is there a documentation available for plugin os-rfc2136 (dynamic DNS updates)?

I am searching for some more details about the logic how updates are getting triggered.

• Does the plugin check if an DNS update was successful?
• If DNS update was not successful, will the plugin do re-trials?
• How the plugin validates if DNS update is required? By DNS server check or only WAN IP against "last changed value"?
• If there a periodic check for updates by the plugin itself or do I have to scheduled manually by cron?

I noticed a strange behavior when I did some tests to find the answers to my questions above. I changed the IP manually on DNS server to see what doing something and when. Nothing.

8

General Discussion / IPsec Site-to-Site - no access from OPNsense service

« on: May 03, 2020, 11:15:00 am »

Hello,

I assume I have a routing or firewall issue on OPNsense side, but I am running out of ideas where to search.

Under OPNsense I have set-up a site-to-site VPN with IPsec. On OPNsense side it is connected to the DMZ interface and its network. On remote site it is connected to a single host and the routed network.

Code: [Select]

DMZ (192.168.10.0/24) --> IPSec ------------> libreswan --> centos host (10.10.1.1/24)
What is not working is a connection from service on OPNsense to the remote host. To be precise I cannot reach the remote host by the plugin RFC2136 to do DNS updates via port 53/udp.

Firewall allows all from DMZ network to routed network. Connection between devices in DMZ network and remote host are working. Out of DMZ network I can reach my target port. So all fine on remote side.

9

Web Proxy Filtering and Caching / Sunny Valley Sensei not blocking

« on: October 12, 2019, 03:14:54 pm »

I just installed Sunny Valley Sensei on OPNsense 19.7.5 for testing purpose. The installation completed with success and also initial configuration is completed. The LAN interface is selected and all web filters are activated for testing. Status page shows all service running fine (at least to me it looks like).

But nothing is getting blocked. All traffic is going through. On dashboard I can see that the reports filling with data.

Could be there any conflict with running squid web proxy or incompatibility with LAGG interface for LAN? I have no idea where to search.

10

19.1 Legacy Series / nginx and autodiscover basic authentication on upsream server

« on: June 02, 2019, 02:27:29 pm »

Hello,

somehow my Exchange autodiscover does not work behind nginx as revers proxy. When I connect directly to the server it works. But behind OPNsense with nginx as reverse proxy autodiscover will end up in http 401 error.

Unfortunately, I don't see anything in the logs that gives me a hint were to search.

Basically, I am fine with either basic authentication pass through or authentication by OPNsense to LDAP server. Whatever is running is fine.

The rest like activesync and owa is running through opnsense.

Any idea where to search?

11

19.1 Legacy Series / openvpn client export not working

« on: May 11, 2019, 03:14:27 pm »

Hello,

after my issue with nginx if solved, I am faced with the next issue in OPNsense 19.1.7. The openvpn client export is not working. openvpn is set-up acc. wiki as road warrior. Certs for server and client are created by OPNsense CA. But when I now go to --> VPN --> Clientexport and press the button next to the user nothing happens. The browser shows loading activity for a while, but no file is coming. In the log files I cannot find any error.

Is there cli command to create the ovpn file instead of GUI?

12

19.1 Legacy Series / nginx: not starting after setting access log "disabled"

« on: May 11, 2019, 06:15:08 am »

Hello,

Nginx is not starting after setting of access log in section srver to "disabled".

My setup with nginx as reverse proxy is running. When I change in nginx server settings access log from "Standard" to "Disabled" in the first step looks like all is working fine. Nginx is running. But after reboot of OPNsense box nginx is not starting any more.

In error.log I found:

Code: [Select]

2019/05/11 12:52:00 [emerg] 51023#100211: unknown log format "disabled" in /usr/local/etc/nginx/nginx.conf:1519
In nginx.conf I found

Code: [Select]

access_log  /var/log/nginx/xxxxxxx.de.access.log disabled;
To me it looks like after reboot of opnsense the nginx conf is getting rewiritten but the fomat is not correct.

13

19.1 Legacy Series / nginx reverse proxy IPv6 --> IPv4

« on: May 04, 2019, 05:33:55 pm »

Hello,

can I use nginx plugin as reverse proxy from IPv6 address to internal server with IPv4 address only?

With all I tried so I do not get it running.

My starting point is that my IPv4 setup is running: WAN IPv4 --> nginx --> DMZ IPv4
I set-up IPv6 GIF tunnel (HE) and in firewall I allow on tunnel interface ICMP and port 80 and 443 to "this firewall'.
No further set-up of IPv6 address to any other interface.
When I look on sockets bindings of nginx to ports looks OK for IPv6:
  www  nginx  tcp6   *:443   *:*
  root   nginx  tcp6    *:80    *:*
  root   nginx  tcp6    *:443    *:*
Ping from outside to local GIF address is working fine.

But http and https access from outside to local GIF address timed out. Nothing I can see in the firewall logs.

Any idea what to do?
Or is it simple not possible what I want to do?

14

19.1 Legacy Series / performasnce issue with McAfee endpoint security?

« on: February 09, 2019, 03:05:16 pm »

Hello,

I noticed a strange behavior with the combination OPNsense 19.1, Windows 10 , McAfee Endpoint Security 10.5. Connection to WAN hangs dramatically (PING as well download speed).

I moved in a new home, got a new PC and updated to OPNsense V19.1 at the same time. All internet devices are running perfectly with the Netgear router from internet company. But wenn I echange the Netgear router with my OPNsense box the Win PC internet hangs, both over LAN and WLAN while iPhone, iPad and Android phones are running fine with OPNsense box. LAN connecton from PC to OPNSense box seems to work without problem.

When I disable McAfee endpoint security on the Win PC it also runs fine with PFsense.

Any idea where the incompatibility between OPNsense and the PC can come from?

I am pretty sure that there is nothing wrong with the PC setup as it is a standard configuration of a big corporate running on thousands of PCs in the same configuration.

15

18.7 Legacy Series / igb NIC - WAN drop and increased PING time

« on: August 12, 2018, 03:31:51 pm »

Hello,

With OPNsense 18.7 I still have the issues on WAN port with increased PING time till packets lost and drop of WAN connection. The issue is a know issue related to igb driver or Intel NIC. In my case it is an Intel NIC i211-AT on a Qotom Q335G4. I see the issue only on WAN port that is connected to the cable modem AVM Fritz!Box 6490. On LAN ports connected to a Cisco switch all is fine (I always can reach OPNsense Web interface via these LAN ports). My first supect was the modem. But after this was getting exchanged the issue still is there.

The issue also is reported on pfsense forum and in this old post here
https://forum.opnsense.org/index.php?topic=5511.msg28687#msg28687

I tried out all recommended tuning parameters, but all without success. I believe I see an improvement but no solution.


/boot/loader.conf.local

Code: [Select]

kern.cam.boot_delay=10000
kern.ipc.nmbclusters=1000000
hw.igb.num_queues=1
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1
hw.pci.enable_msix=0
hw.igb.enable_msix=0

in optimizatino parameters

Code: [Select]

dev.igb.0.eee_disabled=1
dev.igb.1.eee_disabled=1
dev.igb.2.eee_disabled=1
dev.igb.3.eee_disabled=1

Is there anyboy working on this topic?
Is there already a solution that helps?

Thank you