Topics - bucky2780

#1
caddy can't start the opnsense web gui after upgrading to 24.7.12

Was working fine before the upgrade.

the handler is configured to do a tls skip verify... so not sure why it's stumbling over this...

edit: Interesting in that seems to work ok from a "Private Window". Browser must be holding on to something ?


#2
Just wanted to give a big high five to the caddy team for integrating their solution neatly into opnSense.
I revisited caddy about a year ago... and settled on haProxy instead, since the caddy implementation on opnsense was quite immature at the time. haProxy comes with some complexity and I reluctantly used it for the last 12 months.

What a difference a year makes....

I revisited caddy yesterday, and got my whole reverse proxy up in a couple of hours. Integration with core opnsense was much better than I first envisioned. I really like how caddy leverages the trust store in opnsense should you choose to go that way (i did).

I found the doco incredibly clear, concise and super relevant for what I was trying to achieve...

I can see that it is capable of doing way more than reverse proxying... and good to know. I may have some use for layer 4, or perhaps simple web hosting... in the future.

Chapeaux
#3
My road warrior setup was not properly connecting, so I consulted the latest release documentation to see if everything was set up properly.
The doco appears corrupted. The instructions point to items that do not exist, and it has become very confusing.

Perhaps a close reading is needed to see if the document remains fit for purpose.
#4
General Discussion / forum search within a specific topic
December 19, 2023, 10:37:37 PM
Is this possible ?
I searched around and could not find anything.
I have a topic that is some 40 pages and would like to search through it...
the search feature on the forum does not seem to provide this...
anyone ?
#5
2023-11-11 Initial tutorial published
~
This is similar to another tutorial on the subject, but this one uses Virtual IPs rather than an additional WAN interface to accomplish the task at hand. For the original tutorial and inspiration see here: https://forum.opnsense.org/index.php?topic=33497.0

Who is this for?
opnsense only accepts ethernet as the physical connection for your wan.
If your ISP is using older vdsl protocols to connect you to the internet, you will need another device (modem) which you'll need to configure. Usually this is a spare router you have lying around which you will dumb down and run in bridged mode. Physically you plug an RJ11 line from the wall to the modem for adsl/vdsl, and then plug an ethernet port from the bridged modem into the router's wan port. This way your router performs all the handshaking with your ISP, and the modem only worries about protocol translation between vdsl and ethernet.

This arrangement works fine, but you lose access to the modem gui, which is very annoying. The modem is behind the wan port, and its management ip is not accessible, since the wan port is busy connecting you to the internet. Should you wish to consult the modem gui to have a look at your sync rate, well you can't. You would need to pull the modem out of its position, reset it to defaults and then connect it to a pc sitting on your desk. What a pain.

Solution:
opnsense does have a solution which is a little complex, though it only uses a couple of configuration lines, hence this tutorial. Once you get your head around some of the key concepts it is very gratifying as it teaches you quite a bit about networking... so worth giving it a go in my opinion.
The nature of the solution is to use your physical wan link to run 2 x different networks. Network 1 is your normal wan, and network 2 is a small subnet we create to talk directly to the modem. We use a virtual ip address as a means to create this second network. Piece of cake. Read on...

There are 4 x steps in this tutorial as follows: We will show each step in some detail... so please stop stressing.

  • Configure your modem's GUI IP address
  • Create a virtual IP address
  • Configure Outbound NAT to direct traffic to the modem over the wan link
  • Firewall rule to allow flow between your lan and the new subnet targeting your modem
IP addressing:
Before we start let me say I will be using a set of addresses that suit my personal situation. I don't like using standard addressing schemes as these are constantly being probed for security flaws. For this tutorial please adapt IP addressing schemes to suit your own installation.

LAN
192.168.92.1/24 mask 255.255.255.0 (254 usable ip addresses)

Modem network - A tiny subnet is created to connect opnsense to the modem via its own subnet.
192.168.5.1/30 mask 255.255.255.252

  • 4 x addresses of which only 2 are usable
  • 192.168.5.0 - network id
  • 192.168.5.3 - Broadcast
  • 192.168.5.1 - usable address pointing to the modem
  • 192.168.5.2 - usable address pointing to the vip
Hardware:
I use a 4 x port qotom box for my opnsense platform
I use a draytek vigor 130 router/modem. Turn off dhcp and set it into bridged mode.

Step 1: Setup modem
I put the modem into bridge mode.

Assign it an ip address of 192.168.5.1/30 (note subnet mask of 252)

Step 2: Create the vip
In opnsense navigate to: Interfaces -> Virtual IPs -> Settings, and add a new vip like this. Make sure to tunnel it via the physical wan interface.
I give the vip an ip address of 192.168.5.2

Step 3: Outbound NAT
In opnsense I need a way to shuffle all traffic bound for the modem subnet via the wan physical interface. Outbound NAT is your friend here.
Navigate to Firewall -> NAT -> Outbound, and create a rule which looks like this:

Step 4: Firewall
Since in opnsense all subnets are configured to reject traffic by default, we need to specifically open up traffic from Lan to the modem subnet. I use a simple fw rule to achieve this.
Navigate to Firewall -> Rules -> Floating, and add a rule like this:

Time to test this config... fire up a web page, and enter the modem gui address:

Job done....

For extra credit you can try some of the following ideas....

If you run a reverse proxy it's best to use it, rather than trying to remember a pesky ip address. I added an entry to my reverse proxy, and can access the modem gui with my domain... eg. modem.mydomain.net. Nice one....

When starting out... you may wish to point your vip at the existing subnet defined in your router. Otherwise you cannot get to the modem without pulling it out and resetting to defaults. Once you have the scheme working you can configure your modem in a more exact way.
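Added example (not part of the post above, and not OPNsense code): a small Python check of the addressing scheme the four steps rely on. It computes the members of the /30 from the modem address, confirms the modem and the VIP are the two usable hosts and that the tiny subnet does not overlap the LAN, and renders an illustrative pf-style equivalent of the Step 3 outbound NAT and the Step 4 pass rule so the two GUI entries can be read side by side. The interface names igb0/igb1 are assumptions, and the pf text is for reasoning only; OPNsense generates its own ruleset from the GUI.

```python
"""Sanity-check the modem-management /30 from the tutorial (added example)."""
import ipaddress


def plan_modem_subnet(modem_cidr: str, vip: str, lan_cidr: str) -> dict:
    """Compute the /30 members and collect any misconfiguration in 'issues'.

    modem_cidr: modem GUI address with prefix, e.g. "192.168.5.1/30"
    vip:        the virtual IP placed on the WAN interface, e.g. "192.168.5.2"
    lan_cidr:   the LAN interface address/prefix, e.g. "192.168.92.1/24"
    """
    modem_iface = ipaddress.ip_interface(modem_cidr)
    net = modem_iface.network                      # 192.168.5.0/30
    vip_addr = ipaddress.ip_address(vip)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    usable = list(net.hosts())                     # /30 -> exactly two hosts

    issues = []
    if net.prefixlen != 30:
        issues.append(f"expected a /30 for the modem link, got /{net.prefixlen}")
    if modem_iface.ip not in usable:
        issues.append(f"modem address {modem_iface.ip} is the network id or broadcast")
    if vip_addr not in usable:
        issues.append(f"VIP {vip_addr} is not a usable address in {net}")
    if vip_addr == modem_iface.ip:
        issues.append("VIP and modem must use different addresses")
    if net.overlaps(lan):
        issues.append(f"modem subnet {net} overlaps LAN {lan}")

    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in usable],
        "modem": str(modem_iface.ip),
        "vip": str(vip_addr),
        "lan": str(lan),
        "issues": issues,
    }


def render_pf_rules(plan: dict, wan_if: str = "igb0", lan_if: str = "igb1") -> str:
    """Illustrative pf equivalent of the GUI rules (interface names are assumed)."""
    subnet = f"{plan['network']}/30"
    return "\n".join([
        f"# Step 3: LAN -> modem subnet leaves {wan_if} sourced from the VIP",
        f"nat on {wan_if} from {plan['lan']} to {subnet} -> {plan['vip']}",
        f"# Step 4: allow LAN hosts to reach only the modem subnet",
        f"pass in quick on {lan_if} inet from {plan['lan']} to {subnet}",
    ])


if __name__ == "__main__":
    # Addresses from the tutorial above
    plan = plan_modem_subnet("192.168.5.1/30", "192.168.5.2", "192.168.92.1/24")
    for key in ("network", "broadcast", "usable", "modem", "vip"):
        print(f"{key:10} {plan[key]}")
    print("issues:", plan["issues"] or "none")
    print(render_pf_rules(plan))
```

Run it with your own addresses before touching the GUI; a non-empty issues list means one of the four steps would be pointing at a network id, a broadcast address, or a range the LAN already owns.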

#6
I am working through the road warrior setup of wireguard in the opnsense docs.

when it comes to assignment/routing I have a showstopper that mystifies me.

I assign wg0 as an interface. But when I try to enable it I get the following error....

>>
The following input errors were detected:

    The DHCP Server is active on this interface and it can be used only with a static IP configuration. Please disable the DHCP Server service on this interface first, then change the interface configuration.
>>
However ipv4 config type is defined as (none)... so that can't be the problem.

really confusing... so any ideas are appreciated.

#7
I successfully created a nat port forward for my torrent engine. np.
I tick the "log" checkbox and save changed, but alas I get NO log message from the port forward.
The fw appears to implement the portforward, as the results are plain to see on the destination address.

Can someone please confirm logging is working on port forwarding rule in NAT ?

I am on the latest stable, with a fairly vanilla config.

Many thanks...

#8
21.1 Legacy Series / puzzling ping
March 11, 2021, 09:12:46 AM
I am new to opnsense, and have it running at latest version in my homelab setup.
There is an odd behaviour that I'm encountering... wanting to know if you've seen this before.

If I submit a ping to a made up name, opnsense returns the ip address of the wan. It does this for any made up name I throw at it. I am expecting the ping to fail, but it does not. Is there a setting somewhere I should be looking at ? zzz is a make believe host that does not exist....

>>>
ben@hystou:~$ ping zzz
PING expander.net.au (122.199.38.68) 56(84) bytes of data.
64 bytes from opn.expander.net.au (122.199.38.68): icmp_seq=1 ttl=64 time=313 ms
64 bytes from opn.expander.net.au (122.199.38.68): icmp_seq=2 ttl=64 time=235 ms
64 bytes from opn.expander.net.au (122.199.38.68): icmp_seq=3 ttl=64 time=155 ms