Topics - loredo

#1
Hello,

I am trying to add an LDAPS server to the list of authentication options in "System > Access > Servers". More precisely, it is the LDAPS server of Microsoft Azure AD (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps).

This is working absolutely fine on a pfSense machine, users can authenticate in OpenVPN easily.

However, adding the server in OPNsense is a bit of a hassle. When testing the server, this is what the logfile says:

opnsense: LDAP bind error [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate),Can't contact LDAP server]

The certificate is a self-signed one, created by an internal Sub CA (it was done on the pfSense machine, same way you can do it on OPNsense). However, it seems OPNsense is unable to verify the trust chain for the server certificate while pfSense is.

I installed the entire trust chain into the OPNsense trust store so in general the certificates are there. It just seems that they are not being used.

Can someone help me to find out more and identify the root cause? I am running on latest version 19.7.4_1.


Thanks,
Julian
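An added example (not from this thread or from OPNsense) that shows how OpenSSL's verdict on the same server certificate changes with what the verifying client is given as trust anchors: in OpenSSL's chain builder, "unable to get issuer certificate" (error 2) is reported when the chain reaches a certificate from the trust store whose own issuer is missing, while "unable to get local issuer certificate" (error 20) means nothing in the trust store matched at all. All certificates and names below are constructed; only the openssl CLI (1.1.1 or 3.x) is needed.

```shell
#!/bin/sh
# Added example, not from the forum thread: build a constructed
# Root CA -> Sub CA -> LDAPS server certificate chain and show how
# the same server certificate verifies or fails depending on what
# the verifying client is given as trust anchors. Needs the openssl
# CLI (1.1.1 or 3.x); all names and certificates are made up here.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
# Self-signed root CA (the constructed trust anchor)
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -days 30 -in root.csr -signkey root.key \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# Sub CA issued by the root
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
  -keyout sub.key -out sub.csr >/dev/null 2>&1
openssl x509 -req -days 30 -in sub.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out sub.pem >/dev/null 2>&1

# LDAPS server certificate issued by the sub CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldaps.example.test" \
  -keyout ldap.key -out ldap.csr >/dev/null 2>&1
openssl x509 -req -days 30 -in ldap.csr -CA sub.pem -CAkey sub.key \
  -CAcreateserial -out ldap.pem >/dev/null 2>&1

# Trust bundle holding the complete chain (root + sub CA)
cat root.pem sub.pem > bundle.pem

# verify_chain TRUSTFILE [UNTRUSTED]: prints "ok" when ldap.pem
# verifies, otherwise the OpenSSL verify error text (e.g. the
# "unable to get issuer certificate" seen in the OPNsense log).
verify_chain() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" ldap.pem 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" ldap.pem 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
  esac
}
echo "root CA only in store:           $(verify_chain root.pem)"
echo "root in store, sub CA untrusted: $(verify_chain root.pem sub.pem)"
echo "root + sub CA in store:          $(verify_chain bundle.pem)"
echo "sub CA only in store:            $(verify_chain sub.pem)"
```

The last case, where only the Sub CA is in the trust file the client consults, reproduces the exact wording from the log above; which trust file a given LDAP client library actually reads is the thing to confirm on the box.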
#2
Hi,

it is currently not possible to do any updates using IPv6 connectivity.
It seems pkg.opnsense.org is not responding on its v6 address, connecting to v4 works fine.

Can somebody look into this please?

-Julian
#3
Hello,

is there a way to increase performance of the table update for GeoIP based aliases?
It seems the update script runs for ages; sometimes it never ends and other tables are not updated. Also, it does not seem to recognize whether such an update is actually required or not. Unfinished tables even have a huge impact when the tables are (already) being used in pf rules: it might easily happen that pf rules are not loaded correctly and network traffic is totally blocked (I had this a couple of times).

I was using pfBlockerNG-dev before and I saw way better performance and handling using the GeoIP features of it. Not sure about the architecture here but is there a plan to improve on it? Currently it seems this functionality is not production ready.

Thanks,
Julian
#4
Hello,

I am facing an issue to keep my IPv6 connectivity up and running as the default route to fe80::1 will disappear.

When sniffing the traffic using "tcpdump -pni igb0 icmp6", it seems the ICMP6 RA packet is not received on the WAN interface. However, sniffing in promiscuous mode by "tcpdump -ni igb0 icmp6" will show the incoming RA and also NDP will work just fine then. In that case the default route will be put back into the routing table.

A similar issue was already discovered on pfSense a couple of months ago:
https://redmine.pfsense.org/issues/8611

Is there any other fix besides a workaround to permanently put the interface into promiscuous mode by "ifconfig igb0 promisc" during bootup?


Thanks,
Julian
#5
Hi,

for more flexibility I want HAproxy to listen on port 443 and proxy OPNsense GUI.
The HAproxy configuration is not a problem as such. However, the OPNsense GUI does not seem to support being behind a proxy as the interface becomes fairly sluggish. This is what I get on the browser console, only when accessing the GUI via HAproxy:


JQMIGRATE: Migrate is installed, version 3.0.1
jquery-3.2.1.min.js:4 [Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
send @ jquery-3.2.1.min.js:4
ajax @ jquery-3.2.1.min.js:4
e.ajax @ jquery-migrate-3.0.1.min.js:80
r._evalUrl @ jquery-3.2.1.min.js:4
Ja @ jquery-3.2.1.min.js:3
append @ jquery-3.2.1.min.js:3
r.fn.(anonymous function) @ jquery-3.2.1.min.js:3
(anonymous) @ (index):1149
each @ jquery-3.2.1.min.js:2
each @ jquery-3.2.1.min.js:2
(anonymous) @ (index):1143
j @ jquery-3.2.1.min.js:2
k @ jquery-3.2.1.min.js:2
setTimeout (async)
(anonymous) @ jquery-3.2.1.min.js:2
i @ jquery-3.2.1.min.js:2
fireWith @ jquery-3.2.1.min.js:2
fire @ jquery-3.2.1.min.js:2
i @ jquery-3.2.1.min.js:2
fireWith @ jquery-3.2.1.min.js:2
ready @ jquery-3.2.1.min.js:2
S @ jquery-3.2.1.min.js:3
(index):1131 TypeError: Cannot read property 'datum' of null
    at system_information_widget_cpu_update (<anonymous>:27:48)
    at system_information_widget_update (<anonymous>:36:7)
    at (index):1128
    at Array.map (<anonymous>)
    at Object.<anonymous> ((index):1125)
    at i (jquery-3.2.1.min.js:2)
    at Object.fireWith [as resolveWith] (jquery-3.2.1.min.js:2)
    at A (jquery-3.2.1.min.js:4)
    at XMLHttpRequest.<anonymous> (jquery-3.2.1.min.js:4)
(index):1131 TypeError: Cannot read property 'datum' of null
    at system_information_widget_cpu_update (<anonymous>:27:48)
    at system_information_widget_update (<anonymous>:36:7)
    at (index):1128
    at Array.map (<anonymous>)
    at Object.<anonymous> ((index):1125)
    at i (jquery-3.2.1.min.js:2)
    at Object.fireWith [as resolveWith] (jquery-3.2.1.min.js:2)
    at A (jquery-3.2.1.min.js:4)
    at XMLHttpRequest.<anonymous> (jquery-3.2.1.min.js:4)
(index):1131 TypeError: Cannot read property 'datum' of null
    at system_information_widget_cpu_update (<anonymous>:27:48)
    at system_information_widget_update (<anonymous>:36:7)
    at (index):1128
    at Array.map (<anonymous>)
    at Object.<anonymous> ((index):1125)
    at i (jquery-3.2.1.min.js:2)
    at Object.fireWith [as resolveWith] (jquery-3.2.1.min.js:2)
    at A (jquery-3.2.1.min.js:4)
    at XMLHttpRequest.<anonymous> (jquery-3.2.1.min.js:4)
(index):1131 TypeError: Cannot read property 'datum' of null
    at system_information_widget_cpu_update (<anonymous>:27:48)
    at system_information_widget_update (<anonymous>:36:7)
    at (index):1128
    at Array.map (<anonymous>)
    at Object.<anonymous> ((index):1125)
    at i (jquery-3.2.1.min.js:2)
    at Object.fireWith [as resolveWith] (jquery-3.2.1.min.js:2)
    at A (jquery-3.2.1.min.js:4)
    at XMLHttpRequest.<anonymous> (jquery-3.2.1.min.js:4)


Any idea if I need to pimp something in HAproxy or if this is a problem in the OPNsense GUI?
#6
18.1 Legacy Series / /etc/hostid not being generated
April 01, 2018, 07:11:00 PM
Hi,

is there any reason /etc/hostid file is not generated automatically?
I see quite a lot of error messages when using the command line, similar to this one:

cat: /etc/hostid: No such file or directory

However, hostid should be generated during bootup:


root@hostname:~ # sysrc -A|grep hostid
hostid_enable: YES
hostid_file: /etc/hostid


Apologies if this is too simple a question. I am new to BSD and wasn't able to find anything useful from Google about this, so I assume it must be something OPNsense or HardenedBSD related?

If I run the hostid service manually it shows me the generated IDs but still wouldn't write those to the desired file(s).


Many thanks,
Julian