Topics - simonszu

1
19.7 Legacy Series / Firewall VM not accessible via IPv6 on Hetzner
« on: August 06, 2019, 09:25:12 am »
Hi,

I have a problem with setting up the network on one of my servers, located at Hetzner. I want to have an OPNsense VM as a firewall for the other VMs and LXC containers. There is a HAproxy running on this firewall VM as well, and I have made the web frontend reachable from the WAN side for easier config.

For setting up IPv4 I have followed https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/ - this works quite reliably. This is the complete config of the interfaces on the hypervisor: https://pastebin.com/xjcSUYpU

For IPv6 config I tried Dominic Pratt's way as well, but without success. Currently I have a static IPv6 on my WAN interface; it has the first IP from the /64 subnet Hetzner gave me. On the LAN end I took another IP from this subnet, and set the interface to /64 for SLAAC. As a result, the VMs get a v6 IP and can reach the internet via IPv6.

On the other side I have a problem. Of course I have set up an AAAA record in the DNS to access the firewall. I have also set up some firewall rules so that one can connect to the HAproxy. The proxy itself binds to the address I have set up on the WAN side. Now the problem:

I can ping the firewall via its AAAA record perfectly well from the internet. However, it is not accessible via IPv6 at all, except for pings. Neither the web frontend, nor the HAproxy. The access from the LAN side works fine.

What is strange: The firewall has an Accept rule for IPv6 traffic from the WAN side. I can see the connection attempts in the firewall log; they are marked as "Pass". However, I do not see any connection attempts in the HAproxy log. The web frontend isn't accessible either.

Where is my error? Does my interface config have a mistake somewhere?

I think it isn't HAproxy's fault; it is reachable from the inside (via its WAN IP, though).
It isn't the firewall's fault. It logs the connection as "pass".
It cannot be due to missing IP forwarding in the hypervisor's kernel, since the VMs can communicate with the internet via IPv6. Strangely, they were able to do so as well when I had forgotten to activate net.ipv6.conf.all.forwarding in sysctl.

For information: I am using proxmox 6, the LXC containers are a fresh install from a Debian 10 template.

Maybe someone has an idea.

2
19.7 Legacy Series / HAProxy Frontend for IPv6
« on: August 04, 2019, 10:06:16 am »
Hi,

I have Opnsense in a DualStack network. Inside this network there are some docker containers with IPv4 only, and I want to have HAProxy acting as a reverse proxy and as an "IPv6 offloader". I have configured IPv6 on the docker host and it can reach the internet via IPv6, so my interface configuration in OPNsense seems to be correct.

I have created a firewall rule which allows IPv4 and v6 traffic on port 443 to enter the firewall. I have configured the docker container as a backend, and a matching frontend which has the v4 and the v6 listen address in the settings.

As a result, the service is reachable via v4, but not via v6. I do not see any v6 connections in the HAproxy log; however, when I enable logging in the appropriate firewall rule, I see the inbound traffic.

What am i missing here?

3
18.7 Legacy Series / Peer-to-peer OpenVPN IP configuration
« on: December 12, 2018, 12:54:31 pm »
I am trying to adopt a peer2peer OpenVPN configuration from a plain OpenVPN server config. The config file I am trying to rebuild on Opnsense looks like this:

Code:
dev tun3
proto udp
ifconfig 172.23.211.129 172.23.211.1
comp-lzo
port 42003
secret secret.key
log-append /var/log/openvpn/p2p.log
verb 4
persist-tun
persist-key
mode p2p

But I am struggling with the ifconfig option. For routing reasons later on I need my tunnel endpoint to be exactly 172.23.211.129 and the peer to be 172.23.211.1. On the peer's side both IP addresses are switched. This works well on the old config, but now I am somewhat confused by the IP settings fields in Opnsense's server config.

I have set up "General information" and "Cryptographic settings" so that the peer is generally able to open up the connection, but it is throwing an error that the ifconfig section is wrong. As far as I have checked the actual openvpn config file which is generated by Opnsense's web UI, the form field which controls this setting is "IPv4 tunnel network" - or at least the value given there specifies the value of "ifconfig".

However, just entering both IPs, comma-separated, in this input field isn't accepted by the WebUI. Setting the "local network" and "remote network" values just results in adding a route command to the generated config, which isn't desired, since the routing will happen later on with OSPF.

Trying to set up the ifconfig value with the "Advanced options" textbox isn't working either, since I get an error that the Tunnel Settings are empty.

So, how can I set up a dead simple p2p VPN with no sophisticated settings in OPNsense which replicates the configuration I have posted above?

4
18.7 Legacy Series / Help with HAproxy TCP connections
« on: November 29, 2018, 11:37:24 am »
I am trying to set up a HAproxy connection. While I was successful with a frontend-backend combination for HTTP and HTTPS, I am currently struggling with a plain TCP connection, so that I can use SSH over HAproxy (for git clone operations).
I have set up both frontend and backend to TCP and combined it with a role which checks for the appropriate host name. The frontend is configured to the right port. However, although a simple telnet to the public port is successful, an SSH connection fails. This also happens for a MySQL connection I also want to set up as a HAproxy TCP connection.

I am no HAproxy expert, so maybe it's just a little option I have overlooked. Here's a link to the generated configuration: https://pastebin.com/8QAQQ2pA

I think it has something to do with the hostname-matching ACL, but i do not know for sure. Maybe someone else has an idea?
