Messages

1

19.1 Production Series / No User Import Option when setting LDAP server

« on: May 07, 2019, 07:18:29 am »

I'm trying to add LDAP auth to my OPNSense installation.  I got the server set up and can confirm it works with the tester by entering a valid username/password.  I'm using FreeIPA as the LDAP server. 

But I don't see any import icon when I go to System > Access > Users. 

Details for System > Access > Servers > FreeIPA server:
Hostname: ipa.example.com
Port: 389
Peer CA: OPNSense
Bind Credentials: (blank)
Base DN: dc=example,dc=com
Authentication containers: cn=users,cn=compat,dc=example,dc=com
User naming attribute: uid


Am I doing something wrong?

2

19.1 Production Series / Outside Traffic Redirecting to OPNSense instead of HAProxy

« on: March 22, 2019, 12:52:18 am »

I have a bunch of subdomains (ex1.example.com, ex2.example.com, ...) pointing to my OPNSense router (10.0.0.1).  I also have HAProxy to proxy requests on 443 to their respective backends.

I don't recall changing anything, but now, they won't work from the outside.  Only if the DNS resolves to 10.0.0.1, and not my WAN ip, will it proxy the traffic correctly to their backends.  If you try from WAN, it gives the warning about DNS rebind attack.

How can I prevent this behavior and make it proxy correctly?

3

18.7 Legacy Series / radvd file location?

« on: January 18, 2019, 10:52:08 am »

Is there a file that contains the contents of the output of the command `radvdump`?  I need to enable radvd on my dd-wrt wireless router to be able to get an ipv6 address and it would work best if I can just copy its radvd to the radvd location on dd-wrt.

4

18.7 Legacy Series / Re: WAN Interface not obtaining IPv6 prefix.

« on: January 17, 2019, 09:22:15 pm »

I tried siwtching it between none and track.  It worked at the time.

Also didn't know that THAT is what the prefix ID is for, and why when I changed it I got a different prefix that still started with 2601.  The last 4 of the prefix were different, which means comcast is probably giving me at least a /48 prefix, right?

And yes, 2601 was the LAN ip, which seems to be correct in that that's whats being dished out by the ISP, and I can access the router using both its LAN ip (2601) and WAN IP (2001)

And if SLAAC can't do DNS at all, what would the best method be for syncing them to DNS records?  Currently my v4 network tracks all DHCP clients (including static leases) as {hostname}.lan.example.com, and I want all ipv6 clients to be mapped in {hostname}.lan6.example.com.   (I use unbound DNS for this).  When I used DHCPv6, my servers weren't grabbing an IP address at all (seemed like dhclient wasn't running on the servers, all ubuntu 18.04).

5

18.7 Legacy Series / Re: WAN Interface not obtaining IPv6 prefix.

« on: January 16, 2019, 11:03:07 pm »

Yea I guess that makes sense.  Just request the address anyway and use the prefix.

But now when I do that, it's using the prefix I previously had (starts with 2601) instead of the one comcast just gave me (2001).  Tried rebooting, etc.  Why wont the lan update to the new prefix?


Edit:  After going back to my old config just to test a few things (DHCPv6 WAN with track interface LAN, no DHCPv6 on lan), comcast gave my router an IP starting with 2001, but all my clients are still getting IPs that start with 2601 (my old prefix).  Why are they doing that?

And is it possible to have clients that are configured with SLAAC still be registered in the local DNS so that I can resolve them using 'asdf.lan6.example.com'?

Also an issue Im having is that using Track Interface for lan, it doesn't seem to be clearing the previous settings, thus why it's using the wrong prefix.  How can I clear this?

6

18.7 Legacy Series / Re: WAN Interface not obtaining IPv6 prefix.

« on: January 15, 2019, 11:21:28 pm »

Only info I can see on the Interfaces > Overview page on WAN is that the Gateway IPv6 is fe80::259:dcff:fe79:2422.  I don't see anything about it hinting at what I should be requesting.  The DHCPv6 server fails to start currently because it isn't fetching a prefix.

7

18.7 Legacy Series / Re: WAN Interface not obtaining IPv6 prefix.

« on: January 15, 2019, 10:55:53 am »

I don't exactly know which prefix size comcast gives me.  Its a gigabit home connection.  I know they give me at least a /64 prefix because when I originally had it set to track interface on LAN, and had the WAN DHCPv6 request an ip and not just a prefix, it worked, and clients configured with SLAAC with comcast as the DHCP.

8

18.7 Legacy Series / WAN Interface not obtaining IPv6 prefix.

« on: January 14, 2019, 11:18:12 am »

I have my WAN configured to use DHCPv6 to request only a /64 prefix, and have DHCPv6 server configured to dish out addresses with the entire /64 subnet.

But when I try to renew the DHCP lease for the WAN to actually obtain a prefix, it doesn't seem to grab one. 

Running dhcp6c manually to see what happens yields the following: (em0 is WAN interface, em1 is LAN)

Code: [Select]

root@opnsense:/var/etc # dhcp6c -Df em0
Jan/14/2019 05:14:39: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:23:cf:17:58:1c:c1:de:06:d7:70
Jan/14/2019 05:14:39: cfparse: fopen(/usr/local/etc/dhcp6c.conf): No such file or directory
Jan/14/2019 05:14:39: reset a timer on em0, state=INIT, timeo=0, retrans=891
Jan/14/2019 05:14:39: Sending Solicit
Jan/14/2019 05:14:39: a new XID (c0b30) is generated
Jan/14/2019 05:14:39: set client ID (len 14)
Jan/14/2019 05:14:39: set elapsed time (len 2)
Jan/14/2019 05:14:39: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:39: reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
Jan/14/2019 05:14:41: Sending Solicit
Jan/14/2019 05:14:41: set client ID (len 14)
Jan/14/2019 05:14:41: set elapsed time (len 2)
Jan/14/2019 05:14:41: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:41: reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
Jan/14/2019 05:14:43: Sending Solicit
Jan/14/2019 05:14:43: set client ID (len 14)
Jan/14/2019 05:14:43: set elapsed time (len 2)
Jan/14/2019 05:14:43: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:43: reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982


9

18.7 Legacy Series / IPv6 addresses not accessible over internet.

« on: January 02, 2019, 11:16:53 am »

I have an experimental gitlab server accessible only on IPv6 (I set the listen address to "[::]")

I can access it over IPv6 fine, but only on my home network.  If I try to access it over the internet (say from my phone over LTE [confirmed LTE had ipv6 by going to ipv6.google.com]), the connection times out. 

My WAN interface is using DHCPv6, and the server is confirmed to have IPv6 connectivity.

Why can't I access it using ipv6 over internet?

10

19.1 Production Series / Adding LDAP Users?

« on: December 31, 2018, 01:57:00 am »

I was following the docs on how to add LDAP auth to OPNSense.  I added an LDAP server and using the tester, I authenticated against it successfully.

But how do I go about adding an LDAP user to opnsense?  I tried going to System -> Access -> Users but I don't see a cloud import icon anywhere.

11

18.7 Legacy Series / Re: Use Extra NIC for VLAN support.

« on: December 31, 2018, 12:23:03 am »

Do I set it to static, IP, DHCP, etc to get it to properly connect?  (The wireless router isn't being assigned an IP from DHCP, I set it manually on the wireless router itself.

12

18.7 Legacy Series / Use Extra NIC for VLAN support.

« on: December 30, 2018, 12:01:22 pm »

I have 2 NICs in the server I use with OPNSense (2 port/4 port).  Currently, the 2 port has my WAN interfance and LAN interface (plugged into an unmanaged switch).

Because the switch is unmanaged, it doesn't support VLAN tagging, so when the wireless router tries to use a VLAN it gets stripped away.

But can I use the 4 ports on the other NIC as extra LAN ports, so say any traffic coming from bce0 is assigned to a certain VLAN, that way I can just plug the wireless router directly into that.

13

18.7 Legacy Series / IKEv2/Wireguard Client

« on: December 12, 2018, 01:12:24 am »

I have Algo set up a VPN on a VPS instance that I use my for a VPN most of the time.   It only supports IKEv2 and Wireguard.

Currently there's some issues on Xbox that only affect the Northeast, but tunnelling with a VPN (not located in northeast US) fixes the issue. 

Can I configure OPNSense to tunnel all traffic (possibly only for 1 client) through a VPN tunnel?

14

Web Proxy Filtering and Caching / Re: Nginx Proxy not working?

« on: November 15, 2018, 01:23:30 am »

Ok I added the upstream server to the location.  I still can't connect.  I doubt its a firewall issue because I'm accessing it on LAN, and ufw is disabled on the machine its trying to proxy to.

I am not familiar with tcpdump, but when I tried to access it in the ssh shell, I couldn't immediately see any useful information.

If it means anything, the page I'm trying to connect to is also protected by a .htpasswd file.

15

Web Proxy Filtering and Caching / Nginx Proxy not working?

« on: November 14, 2018, 02:46:03 am »

Here are my settings: https://imgur.com/a/2aa6CRY

I'm trying to use the nginx plugin to add a few proxy addresses to my network.  For example, I want to proxy `nzb.example.com:80` to `10.0.1.11:6789`, but with the above settings, when I go to nzb.example.com, it times out when trying to connect.

Any advice on configuring this plugin?