Topics - bimbar

1
Zenarmor (Sensei) / Updating the packet engine resets web filtering to moderate
« on: November 20, 2024, 10:28:10 pm »
Free edition, as the subject says.
Kind of annoying.

2
24.7 Production Series / Is there a practical limitation on the number of ipsec tunnels?
« on: November 06, 2024, 06:52:25 pm »
What the subject says: does an excessive number of IPsec tunnels slow down the firewall, does it lead to memory problems or something similar?
What would the recommended maximum number of IPsec tunnels be?

3
24.7 Production Series / Firewall logs - "let out anything from firewall host itself"
« on: October 27, 2024, 12:39:20 am »
Hi,

so, in my firewall logs, pretty much any packet that is allowed is allowed because "let out anything from firewall host itself".
I do have rules that allow traffic, so I would expect to see them there.

Is this because this is the name of the last match rule in the "out" direction?
If so, I do understand this, but it still makes the whole thing a bit useless.

4
24.7 Production Series / KEA, HA and port numbers
« on: July 23, 2024, 08:05:52 pm »
Hi, I just set up my own KEA HA cluster, but the help seems to be wrong. It states in HA peers for the peer URL:
Code:
This specifies the URL of our server instance, which should use a different port than the control agent. For example http://192.0.2.1:8001/ while the control agent is on port 8000.

Now both a Kea setup I did for a customer a while ago and the Kea documentation specify that the port of the control agent must be used. My new setup confirms this.

So, what's up with that?
5
24.1 Legacy Series / How can I send logs to the wazuh agent
« on: June 13, 2024, 06:18:09 pm »
I quote the documentation:

Quote
Selecting which logs to ingest

Our Wazuh agent plugin supports syslog targets like we use in the rest of the product, so if an application sends its feed to syslog and registers the application name as described in our development documentation it can be selected to send to Wazuh as well.

For Intrusion detection we can send the events as well using the same (eve) datafeed used in OPNsense, just mark the Intrusion detection events in the general settings.

But what does it mean?

6
Web Proxy Filtering and Caching / OPNWAF - How can I configure a virtual server to listen on a specific IP?
« on: June 11, 2024, 06:09:57 pm »
Quite some time ago, the nginx plugin had the same problem of only being able to bind to a specific port on all interfaces; the same seems to be true for OPNWAF.

Is that the case or am I just unable to find the option, and if true, is it possible to expand this option from "port" to something like "ip:port"?

7
Development and Code Review / Idea: Give the admin the ability to name network interfaces or at least renumber
« on: June 11, 2024, 10:37:09 am »
As is, OPNsense numbers network interfaces in sequence of creation, opt1 to optX. Additionally, there are the predefined lan and wan interfaces.
Firewall rules are associated with this interface identifier.

If, for any reason, this interface identifier changes, it is quite hard to get all this to work again through deleting interfaces and recreating them in the correct sequence. Especially if the sequence has been broken through deleting an interface somewhere in the middle.
Also, in an OPNsense HA cluster, interfaces must be created in identical sequence on all firewalls in the cluster, which is a hassle, and potentially problematic if this goes out of sync for some reason.

So, why not give users the ability to choose the interface identifier themselves on creation, or even be able to rename the identifier in an existing interface?

8
Web Proxy Filtering and Caching / NginX reverse proxy with a namevirtualhost as backend
« on: April 25, 2024, 10:20:08 am »
A customer needs a reverse proxy the backend of which uses different hostnames than the frontend and has 3 websites on it using namevirtualhosts (also using SSL).

So this seems to be doable with haproxy:

- on my frontend, differentiate between the different hostnames via SNI
- the real servers use different custom SNI names, so the backend can differentiate
- a Host header is set for the backend with the above-mentioned SNI names, or else the backend doesn't switch to the right website
- location headers in the response are rewritten to my frontend names

In Apache, one would do this using ProxyPass / ProxyPassReverse; while I didn't test it, this seems fairly simple.

Now correct me if I'm wrong, but this doesn't seem possible with nginx on OPNsense, as there are no UI elements to specify a custom Host header for an upstream?

9
Virtual private networks / Wireguard diagnostics in 23.7
« on: October 25, 2023, 10:11:19 am »
Can we please have the old diagnostics back? The new ones are fairly low on information content.

10
High availability / CARP with Dialup interfaces: how to use "Disconnect dialup interfaces"?
« on: December 01, 2022, 09:02:34 pm »
I have an OPNsense cluster with PPPoE dialup and I'm struggling to configure dialup failover.

I suspect there are certain limitations on what has to be configured for it to work. Does the parent interface of the PPPoE interface have to have a CARP ip for it to work?

There is the GitHub thread on the feature, but I couldn't get it to work with the rather minimal information in there.

Thankful for any pointers.

EDIT: is it correct that the base interface must have a CARP IP? It seems to work now, with a great amount of flapping, but it quietens down after some minutes.

11
22.1 Legacy Series / RSPAMD action quarantine?
« on: May 02, 2022, 03:33:02 pm »
Is that implemented in the current rspamd version?

There is a request from colleagues to not reject extensions via multimap, but quarantine the mails in question.

12
22.1 Legacy Series / Applying IP changes of an interface leads to small downtimes for other interfaces
« on: March 07, 2022, 12:31:40 pm »
So I created a new VLAN subinterface, applied, everything was fine.
Then I assigned the interface, also ok.
But when I configured the IP address of the interface, I lost 3 pings to Google (which ran over different VLANs).

I am told changing an interface does not lead to downtimes for other interfaces; am I the only one with this problem?
Or is this normal because the traffic that experienced a short outage runs over different VLANs on the same hardware interface?

13
22.1 Legacy Series / traffic shaping, especially fq_codel and WFQ
« on: February 04, 2022, 06:14:19 pm »
So I use fq_codel because it's a huge plus in general for the usability of internet connections under load.

It still became important to reduce the priority of a specific flow in relation to the others (it's a backup job to the cloud and takes up all bandwidth).

Apparently with fq_codel that's not possible since it ignores the weights chosen in the queue.
If WFQ is used in the pipe, prioritization works as expected, but the queue management is gone; the "Enable codel" checkboxes seem to do almost nothing, or rather, the codel part without the fq is not hugely beneficial.

Cake seems to solve this, but it's not available on dummynet.

Any other ideas?

14
22.1 Legacy Series / IPv6 dynamic firewall rules and NPT
« on: January 28, 2022, 11:49:25 am »
I see a lot has been done in that regard.

I like that we can now have IPv6 dynamic hosts.
It would be great if we could also get IPv6 dynamic networks: pretty much the same functionality as hosts have, only no automatic /128 and instead an ability to specify a netmask. Then I could get rid of my interface group rules and do it via alias, which is much nicer.
Now that the functionality to swap out the first 64 bits is there, dynamic NPTv6 doesn't seem that hard to me either.

Also, we need a thumbs up smiley in the forum :) .

15
Web Proxy Filtering and Caching / How do I restrict the proxy from allowing access to local networks?
« on: November 10, 2021, 08:38:24 pm »
Typically my firewall sits at the center of many local networks. Some of them should be accessible to clients, some of them not.
I can restrict that using the firewall.

But if I enable the web proxy, that circumvents the firewall? How do I prevent clients from accessing otherwise protected internal networks by using the proxy?
