Topics - TarteTatin

#1
Hello,

I can't make something work and I don't know what my error is.

My provider sometimes changes my WAN IP address, and when that happens, my Internet connection stops working, and I have to manually reload the WAN interface in "Interfaces: Overview" to make it work again.
So it's a problem when I am not at home.

I want to automatically reload this interface when the Internet is no longer available.

I tried to use "Monit", but my configuration is not accepted.

Services: Monit: Settings: Service Tests Settings
Name: ping_failed_cloudflare
Condition: failed ping4 address 1.1.1.1 count 5 with timeout 5 seconds
Action: Alert

Services: Monit: Settings: Service Settings
Enable service checks: checked
Name: reload_wan
Type: Custom
Path: /usr/local/sbin/ifctl
Start:
Stop: /usr/local/sbin/ifctl -r opt2
Tests: ping_failed_cloudflare
Depends:
Description: Reload WAN interface if ping to Cloudflare DNS fails.

I can't save my "Service Settings - reload_wan" configuration, and here is the error message:
Quote: Test ping_failed_cloudflare with type Network Ping not allowed for this service type
How to make it work?

Thanks for your help!
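As an added example that is not part of the post or of any reply in the thread: a Monit control-file fragment in the form OPNsense writes for a service of type Remote Host, the service type its Monit GUI ties network ping tests to (a Custom service only carries start/stop program checks, which is what the error message above is objecting to). The ping parameters are the post's own; the script path /usr/local/etc/rc.reload_wan.sh is an assumed placeholder for whatever command the reader has verified actually reloads the WAN interface on their box, and the service name wan_reachability is likewise made up here.

```monit
# Added example, not from the thread. A "Remote Host" service: Monit pings
# the host address itself, so a Network Ping test is valid for it.
check host wan_reachability with address 1.1.1.1
    # Same condition the post configured: five lost pings, 5 s timeout each.
    # "exec" runs a program instead of only raising an alert.
    # "repeat every 3 cycles" keeps Monit from re-running the reload on every
    # polling cycle while the link is still down.
    if failed ping4 count 5 with timeout 5 seconds
        then exec "/usr/local/etc/rc.reload_wan.sh"   # assumed path, see lead-in
        repeat every 3 cycles
    # Send a notification once connectivity is back.
    else if succeeded then alert
```

In the GUI this corresponds to a service of Type "Remote Host" with Address 1.1.1.1, and a test with the ping condition whose Action is "Execute" and whose Path points at the reload script; the Start and Stop fields of a Custom service are not involved.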
#2
Hello,

I have a setup where my OPNsense router and firewall is also running Unbound DNS for internal name resolution. I am using an external HAProxy instance (on a VM) to handle reverse proxying and SSL termination for all my services, including the OPNsense Web UI.

  • Unbound DNS on OPNsense has an override configured to redirect requests for the domain opnsense.mydomain.com to the IP address of the external HAProxy server.
  • HAProxy has a valid Let's Encrypt certificate and is responsible for handling requests for opnsense.mydomain.com.
  • The OPNsense Web UI is only accessible via LAN and is configured with the default self-signed certificate.

When I try to access the OPNsense Web UI using the domain name opnsense.mydomain.com from a device on my LAN:
  • The request bypasses HAProxy and is answered directly by OPNsense because it identifies the domain as its own.
  • This causes the browser to display a certificate error since OPNsense serves its self-signed certificate instead of routing the request to HAProxy, which has the Let's Encrypt certificate.

I need OPNsense to never respond directly to requests for its Web UI, even if it resolves the domain as pointing to itself. Instead, it should always forward these requests to HAProxy as defined in the Unbound DNS override.

How can I achieve that?

I looked at only allowing the IP address of my HAProxy server in System: Settings: Administration, with DNS Rebind Check checked or unchecked, and at using Listen Interfaces to only allow the IP address of my HAProxy server, but I could only choose my LAN interface, and OPNsense and the HAProxy server are on the same LAN. So I am stuck here.

Thanks for your help!
#3
Hi!

First post here, thank you for this great firewall, which I am currently trying to configure for my needs with IPv6.

I was wondering if there is a way to modify, or add IPv6 link-local addresses for each of my LAN interfaces (fe80::XXXX:XXXX:XXXX:XXXX/64).

To simplify the gateway of my servers in these LANs.

Thanks!