Messages - Tubs

#1
Quote from: Diwrosa on February 22, 2025, 03:30:28 PM
Have you seen the Teklager TLSense C3758R which appears to be a rebadged Qotom Q20331G9-S10?

Thank you. Yes, I found it. But at a different price than the Aliexpress offers.
Same for this German shop. https://eckstein-shop.de/QOTOM-Q20331G9-1U

#2
Quote from: HeneryH on February 19, 2025, 05:43:57 PM
@jde1000 , I got the Qotom Denverton Q20300G9-S10 Atom C3808 to run my OpnSense and some firewall apps like Traefik and Authentik.


Let us know how it performs.
I would especially be interested in the difference between the C3808 and the C3758R/C3758 when running OPNsense on bare metal.

I am interested in the Qotom Q20331G9-S10 or Q20331G9-1U with the C3758R. But so far I cannot find an OK offer in Europe. The Amazon and Aliexpress vendors currently are not shipping to Europe, or at least not to my country.
#4
Hello,

what is the advantage of using "Proxy TCP/UDP on Layer 4" in Caddy instead of using port forwarding in OPNsense?

I just migrated from HAProxy to Caddy. Reverse proxy with TLS termination and TLS (SNI) multiplexing on the HTTPS port with TLS passthrough were easy to set up and just work fine. It was a pain to get this combination running in HAProxy.

It is not clear to me what a use case for "Proxy TCP/UDP on Layer 4" could be where it is better to use Caddy instead of just doing port forwarding.
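The difference the post is asking about comes down to what each mechanism can see. A NAT port forward matches on the IP 5-tuple only, so one public port can reach exactly one internal host. A layer-4 proxy that does SNI multiplexing reads the server_name extension from the TLS ClientHello before any handshake happens and dials a different upstream per hostname, while still passing the TLS bytes through unmodified. The following is an added example that is not Caddy's or OPNsense's code; it implements that ClientHello peek in plain Python. The hostnames and upstream addresses are made-up placeholders, and the ClientHello is constructed by the script itself so it runs offline.

```python
"""Pick an upstream from the SNI of a TLS ClientHello (layer-4 passthrough routing).

Added example, not Caddy or OPNsense code. Hostnames and upstream addresses are
hypothetical; build_client_hello() constructs a minimal ClientHello for testing.
"""
import struct
from typing import Optional

# Hypothetical routing table: SNI -> upstream to dial with TLS passthrough.
UPSTREAMS = {
    "cloud.example.net": "10.10.20.5:443",
    "git.example.net": "10.10.20.6:443",
}
DEFAULT_UPSTREAM = "10.10.20.7:443"   # hypothetical fallback backend


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS handshake record holding a ClientHello.

    Only the fields needed to reach the extensions block are parsed; any
    malformed input yields None so the caller can fall back or drop the connection.
    """
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record type
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                       # legacy_version + random
    try:
        sid_len = hello[pos]; pos += 1 + sid_len                          # session id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
        cm_len = hello[pos]; pos += 1 + cm_len                            # compression methods
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0:                          # server_name extension
                # layout: list length (2) | name_type (1) | name length (2) | name
                if data[2] == 0:                       # name_type 0 = host_name
                    name_len = struct.unpack("!H", data[3:5])[0]
                    return data[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def choose_upstream(record: bytes) -> str:
    """Route by SNI; unknown or missing SNI goes to the default upstream."""
    return UPSTREAMS.get(extract_sni(record), DEFAULT_UPSTREAM)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello that carries only a server_name extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0, len(sni_ext_body)) + sni_ext_body
    hello = (b"\x03\x03" + bytes(32)            # version + random (zeros: test data only)
             + b"\x00"                           # empty legacy session id
             + b"\x00\x02\x13\x01"               # one cipher suite (TLS_AES_128_GCM_SHA256)
             + b"\x01\x00"                       # one compression method: null
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("cloud.example.net", "git.example.net", "unknown.example.org"):
        print(host, "->", choose_upstream(build_client_hello(host)))
```

The script only reads the first record of the stream; a real proxy would then splice the full connection to the chosen upstream unchanged, which is why the upstream, not the proxy, needs the certificate. Note that the backend then sees the proxy's address as the client source, which a port forward would not change.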
#5
Thank you. This helps.

Somehow I missed your replies to my question.
#6
OK, I did not mention that these two VLANs are isolated from each other by default and inter-VLAN routing is only possible where it is explicitly allowed by a firewall rule.

Yes, I could just do trial and error. But I want to understand what is right and what is wrong. That's why I am asking, in the hope that someone knows the answer.
#7
General Discussion / mDNS Repeater and firewall rules
October 13, 2024, 06:59:52 PM
Hello,

I want to use the mDNS repeater on OPNsense to forward mDNS between two subnets.
From the documentation it is not clear to me what firewall rules I need to allow the mDNS multicast traffic between these two VLANs.

  • on both interfaces to port 5353 at 224.0.0.251 and [ff02::fb] or
  • on both interfaces to port 5353 at "subnet address" or
  • on both interfaces to port 5353 at "this firewall"
Or a combination of these three?
#8
Hello,

there are so many new hardware devices with modern powerful CPUs, a small form factor, a low energy footprint and low noise that it is difficult to find the right choice. "Old" hardware, cheap to get as used devices, often was a good choice in the past.

Is a Sophos SG 210 / SG 220 / SG 310 / SG 330 today still a good choice to run OPNsense in an ambitious home environment? Or is it a blast from the past that cannot compete with current new devices in regard to power, energy consumption and noise, even when taking cost into the calculation?

I am looking to upgrade my Qotom Q355G4 with something that provides one or two SFP+ ports. A DEC2752A or DEC2770 looks like a "dream build" but at a high price. Is a Sophos you get for around 100 $/EUR still an option nowadays?
#9
I ran into the same issue.
Have a look here.

https://forum.opnsense.org/index.php?topic=38435.0
#10
Thank you.
This looks like the issue I am facing.
#11
Hello,

for the issue with IDS not working after the update I could quickly find the solution here.
Now I have detected the second issue after update to 14.1.

I use HAProxy in a mix of an SNI frontend (TCP type) and an https frontend (SSL offloading). For offloading I use two hostnames with two ssl certificates that use two different backend servers.

Since the update the wrong certificate of the two is getting provided to the client. Backend selection is as expected. This setup has been running for years. It broke when I upgraded to 14.1 yesterday.
#12
Hello,

I want to use the Syncthing Discovery server behind HAProxy with ssl offloading by HAProxy. To do so I set the discovery server to http (option -http). The connection is running. But I must forward the client certificate in the header X-SSL-Cert. According to the manual the header is required in PEM format.

This would add the client cert in DER format, which is not recognized by the discovery server:
http-request set-header X-SSL-Cert %{+Q}[ssl_c_der,base64]

I modified the line to create a PEM block. Either nothing is in it or it is in the wrong format.
http-request set-header X-SSL-Cert -BEGIN\ CERTIFICATE-\ %[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space

Connection is running. But discovery still cannot read the client cert:
no certificates: certificate decode result is empty


Any idea how to set up the forwarding of the client certificate by header correctly in OPNsense?
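One thing any PEM decoder requires is exact framing: the base64 of the DER bytes between the markers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, five dashes on each side. Markers with a single dash are not PEM at all, so a decoder finds no block, which is one way to end up with an empty decode result. The following is an added example, not Syncthing, HAProxy or OPNsense code: it builds the header value from a one-line base64 DER string, folds it into a single header line, and runs both the correct and the single-dash framing through Python's own PEM-to-DER converter. The DER bytes are constructed filler standing in for ssl_c_der, not a real certificate.

```python
"""PEM framing a forwarded client certificate needs before a decoder can find it.

Added example, not Syncthing, HAProxy or OPNsense code. FAKE_DER is constructed
filler, not a certificate; ssl.PEM_cert_to_DER_cert serves as the decoder.
"""
import base64
import ssl
import textwrap
from typing import Optional

FAKE_DER = bytes(range(96))                               # constructed stand-in for ssl_c_der
DER_B64 = base64.b64encode(FAKE_DER).decode("ascii")      # what [ssl_c_der,base64] would yield


def pem_from_der_b64(der_b64: str) -> str:
    """Wrap one-line base64 DER in proper five-dash PEM markers with 64-character lines."""
    body = "\n".join(textwrap.wrap(der_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def header_safe(pem: str) -> str:
    """HTTP header values cannot carry raw newlines; fold the PEM onto one line.

    Whether the receiving server accepts the folded form depends on its decoder;
    Python's converter tolerates the spaces, other decoders may not.
    """
    return " ".join(pem.split())


def decode_pem(value: str) -> Optional[bytes]:
    """Return the DER bytes if value is a PEM certificate block, else None."""
    try:
        return ssl.PEM_cert_to_DER_cert(value)
    except ValueError:            # wrong or missing markers
        return None


if __name__ == "__main__":
    good = pem_from_der_b64(DER_B64)
    single_dash = f"-BEGIN CERTIFICATE- {DER_B64} -END CERTIFICATE-"   # not PEM
    print("five-dash PEM decodes:", decode_pem(good) == FAKE_DER)
    print("folded header line decodes:", decode_pem(header_safe(good)) == FAKE_DER)
    print("single-dash markers decode to:", decode_pem(single_dash))
```

Before debugging the proxy side, it is worth capturing the actual header value the backend receives and running it through a decoder like this one; a None result tells you the framing is wrong regardless of what the certificate content is.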
#13
Quote from: Maj0rrush on July 22, 2023, 12:34:55 PM
I have a Vodafone cable connection (formerly Unitymedia) with 1000 Mbit.
[...]
Which OPNSense hardware should I choose for this connection?

You are not asking about this, but when switching the firewall also give some thought to how it connects to the device that provides access to the cable network. If that is a "simple", pure cable modem, it always fits. If you currently have a combined device there that also provides firewall and telephony (e.g. FritzBox), then with the OPNsense device you have a second firewall, which leads to double NAT. That works too. One should just know what that means before starting to tinker.
#14
Quote from: pmhausen on September 08, 2022, 09:11:35 PM
Still please read all of my last post. Using a dedicated OWA server is highly recommended.

Thanks a lot again. Yes, I already got your point from your first mail.

I will reconsider after looking into some more details. Basically the VPN way is fine for me. My small home lab is running out of resources and one Exchange already is using more RAM than I want to spend.
#15
Quote from: pmhausen on September 08, 2022, 07:30:53 PM
Millions of Enterprises do that. Expose OWA to the Internet. That's what it was made for.

Thank you.