Topics - klamath

1
21.1 Legacy Series / OpenVPN routing with Site to Site not working
« on: August 17, 2021, 03:58:23 pm »
I am trying to set up a site-to-site VPN.  I created a new VLAN and gateway on the remote VPN since the inside networks are overlapping.

The connection establishes, and I can ping the remote VPN host from the OPNsense firewall; however, I cannot connect from the "Inside" VLAN.
I am not sure if the return traffic is hairpinning back to the local LAN and not back out the OpenVPN interface.


Side A (Client):

LAN:192.168.1.0/24
Tunnel: 10.80.80.0/24
Remote Network: 10.81.81.0/24

Note: I am using Gateway groups, HA WAN

Side B (Server)

LAN: 192.168.1.0/24 (not used)
Vlan99: 10.81.81.0/24 (used for VPN)
Tunnel: 10.80.80.0/24
Local Network: 10.81.81.0/24 (Vlan99)


Ping From firewall to remote host:
root@cerberus:~ # ping 10.81.81.10
PING 10.81.81.10 (10.81.81.10): 56 data bytes
64 bytes from 10.81.81.10: icmp_seq=0 ttl=63 time=81.705 ms
64 bytes from 10.81.81.10: icmp_seq=1 ttl=63 time=72.062 ms

SSH/WEB from Side A to Side B:

2021-08-16T19:49:16   filterlog[17007]   116,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,192.168.1.19,10.81.81.10,58012,22,0,S,256715406,,29200,,mss;sackOK;TS;nop;wscale
2021-08-16T19:49:12   filterlog[17007]   116,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,4,0x0,,127,0,0,DF,6,tcp,48,192.168.1.24,10.81.81.10,51943,443,0,S,749930554,,64240,,mss;nop;nop;sackOK
2021-08-16T19:49:12   filterlog[17007]   116,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,4,0x0,,127,0,0,DF,6,tcp,48,192.168.1.24,10.81.81.10,50996,443,0,S,313488011,,64240,,mss;nop;nop;sackOK


SSH/WEB from Side B to Side A (return traffic)

2021-08-17T00:48:43   filterlog[27813]   77,,,0,em0_vlan99,match,pass,out,4,0x0,,126,0,0,DF,6,tcp,48,192.168.1.24,10.81.81.10,59967,443,0,S,1496152610,,64240,,mss;nop;nop;sackOK,fae559338f65e11c53669fc3642c93c2
2021-08-17T00:47:39   filterlog[27813]   77,,,0,em0_vlan99,match,pass,out,4,0x0,,62,0,0,DF,6,tcp,60,192.168.1.19,10.81.81.10,57662,22,0,S,1969582485,,29200,,mss;sackOK;TS;nop;wscale,fae559338f65e11c53669fc3642c93c2
2021-08-17T00:46:33   filterlog[27813]   77,,,0,em0_vlan99,match,pass,out,4,0x0,,62,0,0,DF,6,tcp,60,192.168.1.19,10.81.81.10,57662,22,0,S,1969582485,,29200,,mss;sackOK;TS;nop;wscale,fae559338f65e11c53669fc3642c93c2


Rules:

Side A:

Inside:
IPv4 *    *    *    10.81.81.0/24    *    *
OpenVPN
IPv4 *    *    *    10.81.81.0/24    *    *    *

Side B:

Vlan99:
IPv4 *    *    *    *    *    *    *
OpenVPN:
IPv4 *    *    *    *    *    *    *


I haven't had a chance to run a remote tcpdump. I did run it last night on side A and can see the VPN traffic flow out, but I don't think I'm seeing return traffic hit:

00:00:00.126673 rule 116/0(match): pass out on ovpnc4: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   192.168.1.19.42478 > 10.81.81.10.22: Flags , cksum 0x6481 (correct), seq 4135526895, win 29200, options [mss 1420,sackOK,TS val 3650534517 ecr 0,nop,wscale 7], length 0
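An added example, not code from the post or from OPNsense: a small Python parser for the filterlog lines quoted above that lists SYNs with no logged packet in the reverse direction and checks whether a client address also falls inside a prefix that is local on the far side (the overlap the post mentions). The sample lines are the ones quoted in the post; the CSV field positions assume the pf filterlog layout.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the filterlog lines quoted in the post (Side A logs on ovpnc4, Side B on em0_vlan99).
SIDE_A_LOG = """\
2021-08-16T19:49:16   filterlog[17007]   116,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,192.168.1.19,10.81.81.10,58012,22,0,S,256715406,,29200,,mss;sackOK;TS;nop;wscale
2021-08-16T19:49:12   filterlog[17007]   116,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,4,0x0,,127,0,0,DF,6,tcp,48,192.168.1.24,10.81.81.10,51943,443,0,S,749930554,,64240,,mss;nop;nop;sackOK
"""
SIDE_B_LOG = """\
2021-08-17T00:48:43   filterlog[27813]   77,,,0,em0_vlan99,match,pass,out,4,0x0,,126,0,0,DF,6,tcp,48,192.168.1.24,10.81.81.10,59967,443,0,S,1496152610,,64240,,mss;nop;nop;sackOK,fae559338f65e11c53669fc3642c93c2
2021-08-17T00:47:39   filterlog[27813]   77,,,0,em0_vlan99,match,pass,out,4,0x0,,62,0,0,DF,6,tcp,60,192.168.1.19,10.81.81.10,57662,22,0,S,1969582485,,29200,,mss;sackOK;TS;nop;wscale,fae559338f65e11c53669fc3642c93c2
"""
# "<timestamp>   filterlog[<pid>]   <csv fields>"
FILTERLOG_RE = re.compile(r"^(\S+)\s+filterlog\[\d+\]\s+(.*)$")

def parse_filterlog(text):
    """Yield one dict per IPv4 TCP entry; field indices follow the pf filterlog CSV layout (assumed)."""
    for line in text.splitlines():
        m = FILTERLOG_RE.match(line)
        if not m:
            continue
        f = m.group(2).split(",")
        if f[8] != "4" or f[16] != "tcp":
            continue
        yield {"ts": m.group(1), "iface": f[4], "action": f[6], "dir": f[7],
               "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21]),
               "tcpflags": f[23]}

def unanswered_syns(entries):
    """Return (src, dst, sport, dport) for SYNs with no logged packet in the reverse direction."""
    # Both captures in the post hold only client SYNs towards 10.81.81.10, so every flow lands here.
    seen = defaultdict(list)
    for e in entries:
        seen[(e["src"], e["dst"], e["sport"], e["dport"])].append(e)
    return sorted(k for k, v in seen.items()
                  if any(e["tcpflags"] == "S" for e in v)
                  and (k[1], k[0], k[3], k[2]) not in seen)

def overlapping_local_prefixes(src_ip, remote_local_nets):
    """Far-side local prefixes containing src_ip: replies would be routed locally there, not into the tunnel."""
    ip = ipaddress.ip_address(src_ip)
    return [n for n in remote_local_nets if ip in ipaddress.ip_network(n)]

if __name__ == "__main__":
    for name, log in (("Side A", SIDE_A_LOG), ("Side B", SIDE_B_LOG)):
        print(name, "unanswered SYNs:", unanswered_syns(parse_filterlog(log)))
    print("overlap:", overlapping_local_prefixes("192.168.1.19", ["192.168.1.0/24", "10.81.81.0/24"]))
```

The Side B entries are the same client SYNs leaving on em0_vlan99, so neither capture contains a reply from 10.81.81.10; feeding a capture from the far side's tunnel interface into the same parser would show whether the SYN-ACKs ever reach the OpenVPN interface.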

2
21.1 Legacy Series / Site to Site OpenVPN with internal overlapping networks, NAT 1:1?
« on: June 15, 2021, 03:56:15 pm »
Howdy!

I am setting up a site-to-site VPN using OpenVPN.  I created a new OpenVPN endpoint and assigned it a 10.69.69.0/24 network.  I would like to get a 1:1 NAT going so I can give selective access across the VPN without exposing my internal network to the remote VPN.  I am having some issues getting the NAT 1:1 to work correctly. I have attached my 1:1 rule along with my FW rule, looking to see what else I might need to get this to work right.

Thanks!

3
21.1 Legacy Series / [solved] 21.4 Multi-wan + DNS over TLS
« on: May 04, 2021, 04:53:58 pm »
Hello,

I have been running a multi-WAN failover for a few months now.  Last week I decided to make the leap into DoT and got that set up with Unbound + the AdGuard plugin.  I set up Unbound to listen on port 5153 and set AdGuard to point to Unbound as the upstream DNS resolver.  I set up a port forward to redirect all DNS traffic to the local gateway of whatever subnet the client is on.

I noticed that whatever I did, I was always getting redirected to the primary remote health checker for the multi-WAN setup.  I.e., I set Cloudflare to be my Unbound DoT resolver, but when having DNS per interface listed in System -> Settings -> General it would not respect any port forwards nor the Unbound DNS upstream.

If I remove the DNS resolvers from OPNsense's WAN interfaces, Unbound starts to work; however, dpinger seems to use the primary WAN to send requests out and not the backup WAN's monitoring interface.

Any help would be appreciated!


Thanks,
Tim

4
20.7 Legacy Series / [solved] nginx auth issues with Exchange 2016/IIS 401 loop
« on: January 28, 2021, 03:46:49 pm »
Hello,

I have been investing a good deal of time getting IDS working on OPNsense for SSL inspection.  At first I went the route of using HAProxy with decrypt/encrypt; however, I was told that the IDS system for OPNsense requires an interface to monitor and act upon.  It was recommended that I use nginx since it offers a WAF that should fit my needs.  I got all the endpoints going and everything seems fine; however, when running Microsoft's connectivity checker it fails validating the connection back to my firewall.  I am not seeing this issue with HAProxy, which is currently serving up access to Exchange.  I ran into a few fixes online to address the issue; however, I am at a loss as to where I can plumb the fixes into OPNsense's GUI for nginx.

The problems line up exactly with these posts [1,2,3]: an authentication loop when trying to reach "autodiscover.domain.com/Autodiscover/Autodiscover.xml".  I can verify an auth loop by trying to log in via a web browser to this URL with nginx fronting the requests.

Thank you,
Tim

[1] https://forum.opnsense.org/index.php?topic=12939.msg59935#msg59935
[2] https://stackoverflow.com/questions/14839712/nginx-reverse-proxy-passthrough-basic-authenication
[3] https://community.synology.com/enu/forum/1/post/132310

5
20.7 Legacy Series / IDS + Haproxy + SSL decrypt
« on: January 25, 2021, 04:49:22 pm »
Howdy,

I just finished converting the majority of my port forwards to HAProxy-terminated endpoints.  The SSL termination + re-encryption is taking place on my OPNsense firewall.  I have IDS monitoring my external WAN connections; I was wondering if there is anything else I need to set up to have IDS inspect the "in the clear" data while it is traversing the firewall?

Thanks

6
20.7 Legacy Series / Looking for performance options for 1GB/s ISP with IDS/IPS
« on: November 23, 2020, 09:17:25 pm »
Howdy,

I have migrated away from my ASA to a new Supermicro E300-9D-8CN8TP running OPNsense.  I have been loving the product so far; however, I have been chasing performance issues around single-stream connections and IDS.

Layout:
Supermicro E300-9D-8CN8TP with 32 GB of RAM
Two ISP connections 1GB/50, 200/10 setup with Active/Active (terminating connections into ixl0-1)
One access port for INSIDE (ixl2)
One Trunk port for DMZ and Openstack VLANs (ixl3)
OPNsense 20.7.5 (running 20.7.4-next kernel)

When I enable IDS/IPS my single-stream performance drops to 300 Mbps. I have IDS/IPS enabled on both WAN circuits and not on any inside or trunked port.  Promisc mode is disabled.  I have tweaked the amount of RAM IDS/IPS can consume for both stream/defrag and host, and I can manage to get around 500 Mbps now; however, I'm still nowhere near the 800 Mbps I can pull from speedtest.net with multiple connections enabled.  I have done some CPU pinning on Suricata as outlined here:

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 2-3 ]  # include only these CPUs in affinity settings
    - receive-cpu-set:
        cpu: [ 4-5 ]  # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: [ 6-15 ]
        mode: "exclusive"

This has helped move some processes away from CPU0, but doing a single-stream TCP session I'm still limited to under 600 Mbps. Suricata seems to be in seesaw mode, as the connection flutters between 300-500 Mbps on long-running streams [1].  I don't think I am CPU bound, as when I'm running a long TCP session I am monitoring host performance with top -P and I don't see any core hitting 100% utilization.

Any help would be appreciated, as this is the last issue I need to finish up to call this migration complete.

Tim

[1]
Reverse mode, remote host mx2.eth0.com is sending
[  5] local 192.168.99.5 port 33098 connected to 144.202.48.166 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  22.7 MBytes   190 Mbits/sec
[  5]   1.00-2.00   sec  53.1 MBytes   446 Mbits/sec
[  5]   2.00-3.00   sec  54.8 MBytes   460 Mbits/sec
[  5]   3.00-4.00   sec  54.4 MBytes   457 Mbits/sec
[  5]   4.00-5.00   sec  41.1 MBytes   345 Mbits/sec
[  5]   5.00-6.00   sec  43.8 MBytes   368 Mbits/sec
[  5]   6.00-7.00   sec  47.2 MBytes   396 Mbits/sec
[  5]   7.00-8.00   sec  49.6 MBytes   416 Mbits/sec
[  5]   8.00-9.00   sec  52.6 MBytes   441 Mbits/sec
[  5]   9.00-10.00  sec  56.3 MBytes   473 Mbits/sec
[  5]  10.00-11.00  sec  52.5 MBytes   441 Mbits/sec
[  5]  11.00-12.00  sec  54.1 MBytes   454 Mbits/sec
[  5]  12.00-13.00  sec  53.5 MBytes   449 Mbits/sec
[  5]  13.00-14.00  sec  55.1 MBytes   462 Mbits/sec
[  5]  14.00-15.00  sec  50.2 MBytes   421 Mbits/sec
[  5]  15.00-16.00  sec  40.4 MBytes   339 Mbits/sec
[  5]  16.00-17.00  sec  43.9 MBytes   368 Mbits/sec
[  5]  17.00-18.00  sec  35.7 MBytes   300 Mbits/sec
[  5]  18.00-19.00  sec  32.6 MBytes   274 Mbits/sec
[  5]  19.00-20.00  sec  19.4 MBytes   162 Mbits/sec
[  5]  20.00-21.00  sec  25.6 MBytes   214 Mbits/sec
[  5]  21.00-22.00  sec  28.4 MBytes   238 Mbits/sec
[  5]  22.00-23.00  sec  29.0 MBytes   243 Mbits/sec
[  5]  23.00-24.00  sec  29.7 MBytes   249 Mbits/sec
[  5]  24.00-25.00  sec  29.8 MBytes   250 Mbits/sec
[  5]  25.00-26.00  sec  30.5 MBytes   256 Mbits/sec
[  5]  26.00-27.00  sec  30.1 MBytes   252 Mbits/sec
[  5]  27.00-28.00  sec  30.0 MBytes   251 Mbits/sec
[  5]  28.00-29.00  sec  30.3 MBytes   254 Mbits/sec
[  5]  29.00-30.00  sec  33.6 MBytes   282 Mbits/sec
