Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - cclloyd

Pages: [1] 2

19.1 Production Series / No User Import Option when setting LDAP server

« on: May 07, 2019, 07:18:29 am »

I'm trying to add LDAP auth to my OPNSense installation. I got the server set up and can confirm it works with the tester by entering a valid username/password. I'm using FreeIPA as the LDAP server.

But I don't see any import icon when I go to System > Access > Users.

Details for System > Access > Servers > FreeIPA server:
Hostname: ipa.example.com
Port: 389
Peer CA: OPNSense
Bind Credentials: (blank)
Base DN: dc=example,dc=com
Authentication containers: cn=users,cn=compat,dc=example,dc=com
User naming attribute: uid

Am I doing something wrong?

19.1 Production Series / Outside Traffic Redirecting to OPNSense instead of HAProxy

« on: March 22, 2019, 12:52:18 am »

I have a bunch of subdomains (ex1.example.com, ex2.example.com, ...) pointing to my OPNSense router (10.0.0.1). I also have HAProxy to proxy requests on 443 to their respective backends.

I don't recall changing anything, but now, they won't work from the outside. Only if the DNS resolves to 10.0.0.1, and not my WAN ip, will it proxy the traffic correctly to their backends. If you try from WAN, it gives the warning about DNS rebind attack.

How can I prevent this behavior and make it proxy correctly?

18.7 Legacy Series / radvd file location?

« on: January 18, 2019, 10:52:08 am »

Is there a file that contains the contents of the output of the command `radvdump`? I need to enable radvd on my dd-wrt wireless router to be able to get an ipv6 address and it would work best if I can just copy its radvd to the radvd location on dd-wrt.

18.7 Legacy Series / WAN Interface not obtaining IPv6 prefix.

« on: January 14, 2019, 11:18:12 am »

I have my WAN configured to use DHCPv6 to request only a /64 prefix, and have DHCPv6 server configured to dish out addresses with the entire /64 subnet.

But when I try to renew the DHCP lease for the WAN to actually obtain a prefix, it doesn't seem to grab one.

Running dhcp6c manually to see what happens yields the following: (em0 is WAN interface, em1 is LAN)

Code: [Select]

root@opnsense:/var/etc # dhcp6c -Df em0
Jan/14/2019 05:14:39: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:23:cf:17:58:1c:c1:de:06:d7:70
Jan/14/2019 05:14:39: cfparse: fopen(/usr/local/etc/dhcp6c.conf): No such file or directory
Jan/14/2019 05:14:39: reset a timer on em0, state=INIT, timeo=0, retrans=891
Jan/14/2019 05:14:39: Sending Solicit
Jan/14/2019 05:14:39: a new XID (c0b30) is generated
Jan/14/2019 05:14:39: set client ID (len 14)
Jan/14/2019 05:14:39: set elapsed time (len 2)
Jan/14/2019 05:14:39: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:39: reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
Jan/14/2019 05:14:41: Sending Solicit
Jan/14/2019 05:14:41: set client ID (len 14)
Jan/14/2019 05:14:41: set elapsed time (len 2)
Jan/14/2019 05:14:41: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:41: reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
Jan/14/2019 05:14:43: Sending Solicit
Jan/14/2019 05:14:43: set client ID (len 14)
Jan/14/2019 05:14:43: set elapsed time (len 2)
Jan/14/2019 05:14:43: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:43: reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982

18.7 Legacy Series / IPv6 addresses not accessible over internet.

« on: January 02, 2019, 11:16:53 am »

I have an experimental gitlab server accessible only on IPv6 (I set the listen address to "[::]")

I can access it over IPv6 fine, but only on my home network. If I try to access it over the internet (say from my phone over LTE [confirmed LTE had ipv6 by going to ipv6.google.com]), the connection times out.

My WAN interface is using DHCPv6, and the server is confirmed to have IPv6 connectivity.

Why can't I access it using ipv6 over internet?

19.1 Production Series / Adding LDAP Users?

« on: December 31, 2018, 01:57:00 am »

I was following the docs on how to add LDAP auth to OPNSense. I added an LDAP server and using the tester, I authenticated against it successfully.

But how do I go about adding an LDAP user to opnsense? I tried going to System -> Access -> Users but I don't see a cloud import icon anywhere.

18.7 Legacy Series / Use Extra NIC for VLAN support.

« on: December 30, 2018, 12:01:22 pm »

I have 2 NICs in the server I use with OPNSense (2 port/4 port). Currently, the 2 port has my WAN interfance and LAN interface (plugged into an unmanaged switch).

Because the switch is unmanaged, it doesn't support VLAN tagging, so when the wireless router tries to use a VLAN it gets stripped away.

But can I use the 4 ports on the other NIC as extra LAN ports, so say any traffic coming from bce0 is assigned to a certain VLAN, that way I can just plug the wireless router directly into that.

18.7 Legacy Series / IKEv2/Wireguard Client

« on: December 12, 2018, 01:12:24 am »

I have Algo set up a VPN on a VPS instance that I use my for a VPN most of the time. It only supports IKEv2 and Wireguard.

Currently there's some issues on Xbox that only affect the Northeast, but tunnelling with a VPN (not located in northeast US) fixes the issue.

Can I configure OPNSense to tunnel all traffic (possibly only for 1 client) through a VPN tunnel?

Web Proxy Filtering and Caching / Nginx Proxy not working?

« on: November 14, 2018, 02:46:03 am »

Here are my settings: https://imgur.com/a/2aa6CRY

I'm trying to use the nginx plugin to add a few proxy addresses to my network. For example, I want to proxy `nzb.example.com:80` to `10.0.1.11:6789`, but with the above settings, when I go to nzb.example.com, it times out when trying to connect.

Any advice on configuring this plugin?

Web Proxy Filtering and Caching / HAProxy configuration questions

« on: October 23, 2018, 11:09:50 am »

I'm trying to configure HAProxy to allow outside access to some services (like webgui's for various services).

As an example, I'm trying to allow `freeipa.example.com:443` redirect to `ipa.example.com:443` (this being the hostname of the virtual machine. Internal DNS resolves this to 10.0.0.15)

But connections timeout when I try to connect to them. I also tried port forwarding 443 to 10.0.0.1 (the IP of opnsense)

Any help? Am I doing something fundamentally wrong?

(Attached is my Real Server, Backend Pool, and Virtual Service configurations)
Edit: attachments too large. Here's imgur album: https://imgur.com/a/DRvd5AM

18.7 Legacy Series / Am I doing Port Forwarding Wrong?

« on: October 17, 2018, 12:00:42 am »

I'm trying to get port forward working, but it just doesn't seem to be working.

My Xbox has an Open NAT, but I'm not sure which of the 3 rules I have enabled are allowing that.
Plex isn't accessible outside my network.
And when I try to ssh using `ssh user@example.com -p 22333`, the connection times out.

I also can't connect to the VPN server.

How do I get port forwarding working

18.7 Legacy Series / Unable to port forward SSH and unable to SSH on IPv6?

« on: October 11, 2018, 09:10:46 am »

I'm trying to make it so that when I ssh mydomain.com on port 22555, it will redirect it to 10.0.0.15 on port 22.

My NAT port forward rule is as follows:
Source Address: *
Source Ports: *
Destination Address: WAN address
Destination Ports: 22555
NAT IP: 10.0.0.15
NAT Ports: 22

But it doesn't seem to be letting me connect when I try `ssh user@mydomain.com -p 22555` my VPS.

Also when I try to `ssh ipv6:addr:here -p 22555` or `ssh ipv6:addr:here`, it also times out.

What am I doing wrong?

18.7 Legacy Series / LDAP Discovery with Unbound DNS

« on: October 01, 2018, 12:07:27 am »

I'm using FreeIPA on my network for authentication, and puppet to provision them. For puppet (using the sssd module) to properly enroll them, it needs to be able to discover the freeipa server with dns.

When trying to join, it tells me this:

Code: [Select]

 * Using domain name: example.com
 * Calculated computer account name from fqdn: PUPPETMASTER
 * Calculated domain realm from name: EXAMPLE.COM
 * Discovering domain controllers: _ldap._tcp.example.com
 ! No LDAP SRV records for domain: _ldap._tcp.example.com: Name or service not known
 ! Couldn't find usable domain controller to connect to
adcli: couldn't connect to example.com domain: Couldn't find usable domain controller to connect to

How can I add the SRV records to my dns with unbound dns? The only options listed for records are A, AAAA, and MX.

18.7 Legacy Series / Unbound DNS not resolving for external connections

« on: September 20, 2018, 06:25:53 am »

I'm using unbound DNS as my DNS for my OPNSense installation. The interface for it is set to all, but for some reason it won't resolve for external connections.

Like I have an override:

Name: bt
Domain: example.com
Host: 10.0.1.11
Type: A

And when I try to access the host on my network it works just fine. But when I try it from anything outside my network, it fails to connect.

18.7 Legacy Series / Port Forwarding with Plex not working.

« on: September 13, 2018, 12:08:13 pm »

I'm trying to allow plex to access outside my home network, but it says it can't connect.

Plex is running in a docker container in `network_mode: host`, so no docker subnet.

I have a NAT rule :

Source port: 32400
Source IP: any
Destination port: 32400
Destination host: 10.0.1.11
Redirect target port: 32400
Redirect target IP: 10.0.1.11

But when I try to allow plex access outside my network, it fails to connect.

Pages: [1] 2