OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of Alphakilo »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - Alphakilo

Pages: [1]
1
Development and Code Review / security/acme-client: API token support for Cloudflare
« on: September 19, 2019, 06:25:13 pm »
acme.sh supports Cloudflares new token model, which allows fine-grained control over token permissions.
Reference: https://github.com/Neilpang/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token

I'm a huge fan of the "least-privilege" principle, so I took it upon me to take a stab at implementing it into the os-acme-client Plugin.
Here's the result: https://github.com/Alphakilo/plugins/commit/3a4edf21bcb8cc25df9b7748cee6d88dadf5f98b


It works on my lab and my productive installations, though there are some issues where I'd like some feedback on.

  • Are <help>-elements appropriate in the dialogValidation.xml?
  • I can't get a proper control structure around this, any advice?

Cheers!

2
General Discussion / Gandi.net API support for os-dyndns?
« on: September 07, 2018, 08:12:15 pm »
So. For my homelab I have lots and lots of domains and subdomains. Currently they are registered with Cronon (STRATO).
Since I'm pretty darn tired of STRATOs fits and general backwardness, I'd like to transfer them to a provider that actually knows what they're doing. I've evaluated some providers and settled for gandi.net.

Now comes the complicated part:

I have an dynamic public IP that changes on every reconnect, or at very least on every forced reconnect (24h). The os-dyndns is doing a great job with STRATO, at least as good as it can with that company (yes, I'm salty).

But it seems it has no option for the gandi.net API.

There's an python implementation over at GitHub, but I'd also like to keep the process of DynDNS updates on the OPNsense. While not potentially compromising my border gateway by running 3rd party stuff on it. CNAME is also not an option.

That leaves me... Well, here. Asking for help ;)

Maybe I'm just not seeing how it can be done?
Maybe it could be implemented?

If the latter is true, welp, my PHP doesn't go far beyond <?php phpinfo(); ?>. But I'd be happy to help by testing and providing API keys.

Cheerio!

3
Documentation and Translation / Dockerized "buildsys" for the docs (Sphinx)
« on: April 19, 2018, 05:18:55 pm »
Heya!

So I wanted to give the documentation some love (sidenote: reStructuredText is an awful markup) but found myself unwilling to install Sphinx in order to get previews.
Then it hit me. This is what Docker was made for.

The result is this:
https://github.com/Alphakilo/opnsense-sphinx-doc-docker
https://hub.docker.com/r/alphakilo/opnsense-sphinx-doc/

Now instead messing around with python and its dependencies you can run
Code: [Select]
docker run --rm -v ~/src/docs:/docs alphakilo/opnsense-sphinx-doc:latest and enjoy your build.

I have a few questions about the "official" build process, since I couldn't find resources about that.
What version of Sphinx and Python is used to build for docs.opnsense.org?

I don't want nasty surprises regarding parsing or formatting that may be depending on the Sphinx version, or some stupid library.

Regards

4
General Discussion / Feature request: DHCP options per client MAC address
« on: April 19, 2018, 02:17:24 pm »
Hi!

IDK if this is the right place to state a feature request, but I couldn't figure out where to do that, so here we go:

I'd like to serve DHCP clients different Options based on their MAC address. Specific addresses or parts ("begins with", i.e.: vendor prefixes).

My use case is this: I have VoIP-Phones from multiple vendors. They require different DHCP options to do auto-provisioning.
Sometimes the same option is used for different values by different vendors or models.

Right now I'm forced to use different interfaces (VLANs) in those cases, which I'm not happy about.

Regards

5
18.1 Legacy Series / PPPoE pain
« on: March 28, 2018, 06:44:22 pm »
Hello folks.

I very recently switched from Sophos UTM to OPNsense (18.1.5). So far this journey was very painful. It makes me question whether I'm incompetent or something went horribly wrong with my deployment.

I have a slew of issues, pretty much everywhere. The thing that bothers me most currently is the stability of my one and only egress to WAN.

Let me describe my setup.
My ISP (1&1 / Versanet) provides me VDSL via PPPoE dial-in. They only accept PPPoE traffic which is tagged as VLAN 7.
So I created an interface for that (re1_vlan7) and used it for the PPP configuration (pppoe0). That resulted in the creation of the WAN interface.

re1 is connected to an Zyxel VDSL modem.

The dial-in works. Most of the time. Now to my issues:

Unable to save WAN interface

Every time I save the WAN interface, connectivity drops until I reboot OPNsense. I figured two different causes

a) My PPPoE password got URL-encoded every time I saved either the interface or PPP-config. I solved that setting a new password at my ISP.
b) NAT continues to use the old interface address as src address for new (!) connections, sporadically. In fact: it continues to use all addresses that where ever assigned to the interface during uptime in what seems to be an round-robin fashion.

24h disconnects

My ISP forces a re-dial-in every 24h, assigning a new addresses (IPv4 & v6). I used a cron job (via WebUI / System / Settings / Cron: 0 5 * * * Periodic interface reset -> pppoe0) to do that at a time where it's least bothersome. That results in broken PPPoE dial-in until I reboot OPNsense.

Broken in the sense that the dial-in works, but get's terminated after 2-4 seconds after obtaining an IP by LCP "LCP: rec'd Terminate Request #3" (Configure-NAK?).
After the reboot the dial-in works instantly and is not terminated in that fashion.

And when I fix this issue, I'm pretty sure the NAT issue from above will come back to haunt me.

Vanishing default gateways

The ISP assigned default-gateway drops out of the routing table from time to time. I haven't been able to figure out the root cause, because I don't even know where to look. The issue get's more frequent when I enable gateway-monitoring though.

DHCPv6

There are multiple DHCPv6 clients for the pppoe0 interface, resulting in "dhcp6c: XID mismatch".
I can't figure out how or why there are multiple instances for the same interface using the same configuration (and funny enough: the same PID file):

Code: [Select]
root@{{hostname}}:~ # ps x | grep "dhcp6c"
74604  -  Ss     0:00.05 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
79106  -  Ss     0:00.04 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
I'm at loss what even to do next.
It just feels so random. Every time I fix something, more problems come up.

6
Intrusion Detection and Prevention / Different rulesets per network
« on: March 23, 2018, 05:23:45 pm »
Hello,

I'm wondering if it is possible to apply different rulesets for different networks.
For instance: Drop P2P for one VLAN, while allowing it for a different.

Cheers

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2020 All rights reserved
  • SMF 2.0.17 | SMF © 2019, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2