Messages - Monviech (Cedrik)

1
German - Deutsch / Re: PPPOE bricked by update to 27.7.10?
« on: Today at 06:27:00 pm »
I just updated and my PPPoE with Telekom works.

2
Virtual private networks / Re: IPSec Tunnel with Dual WAN Failover GW_Group
« on: Today at 06:26:44 am »
I guess if both sides have two ISPs you will need something like this:

https://docs.opnsense.org/manual/how-tos/dynamic_routing_ospf.html#ipsec-failover-with-vti-and-ospf

This works very well.

3
Virtual private networks / Re: IPSec Tunnel with Dual WAN Failover GW_Group
« on: December 02, 2024, 09:52:04 pm »
Maybe you need default gateway switching for the OPNsense itself. It can be activated somewhere.

System: Settings: General - At the bottom.

I would like to know if a change in the default route will still make it try to use the first IP.

That combined with DPD to force a restart of phase 1.

4
24.7 Production Series / Re: Can not get NGINX to allow connections..
« on: December 02, 2024, 08:24:59 pm »
Crowdsec monitors http access logs that caddy emits.

If it's the Layer 4 Proxy there will not be HTTP access logs. So not really.

You could make the Crowdsec setup distributed with collectors and API stuff, but better open a new thread for that or search the forum.

5
24.7 Production Series / Re: Can not get NGINX to allow connections..
« on: December 02, 2024, 07:53:59 pm »
Good job figuring it out :D

6
24.7 Production Series / Re: Can not get NGINX to allow connections..
« on: December 02, 2024, 07:29:07 pm »
Well, the OPNsense cannot reach it.

Error    caddy     error   ts:2024-12-02T18:01:41Z   logger:http.log.error   msg:dial tcp 192.168.2.181:8080: i/o timeout

Go to the opnsense ssh shell and try:

curl -vv http://192.168.2.181:8080

7
24.7 Production Series / Re: Can not get NGINX to allow connections..
« on: December 02, 2024, 06:57:33 pm »
What you did must be all correct though.

What does the caddy debug log say? Post the output when you connect to your domain (set log level to debug).

8
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« on: December 02, 2024, 12:34:07 pm »
Have you checked the Caddy Certificate widget (dashboard) if there is a certificate when you enable https for the frontend? If not, check the caddy logs why it fails to issue one.

9
Virtual private networks / Re: customize ipsec weak cipher sets
« on: December 02, 2024, 11:04:38 am »
Are you sure this does not create any race conditions between the GUI config and the overwritten config?

Is it always the same proposals after every reload/restart of the service?

I would rather create the full tunnel as single imported configuration with no GUI elements creating the same configuration.

10
French - Français / Re: [CADDY] Reverse proxy page blanche / Reverse proxy blank page
« on: December 02, 2024, 10:55:14 am »
Blank page means caddy can not connect to the upstream.

https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-troubleshooting

11
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« on: December 02, 2024, 08:13:44 am »
Any request that hits caddy on its ports will trigger an evaluation if it should be further processed or not. So these are not warnings or errors, but a debug message that the frontend received a connection request that could not be mapped to any configured hostname (thus no available certificate).

If you think it's an attack, block the requesting IP via Crowdsec or Firewall rules.

12
General Discussion / Re: Multiple webservers and services behind OPNWaf?
« on: December 02, 2024, 06:10:48 am »
It essentially does SNI-based reverse proxying.

So if you have

app1.example.com -> 192.168.1.1:80 (webserver1)
app2.example.com -> 192.168.1.2:80 (webserver2)

It can do that. But it can also send multiple apps to the same webserver via host header (SNI) passthrough.

If you have any issues configuring it, tell me, I'm maintaining it right now.

13
24.7 Production Series / Re: Can not get NGINX to allow connections..
« on: December 02, 2024, 06:00:00 am »
After your will has been broken by HA Proxy try out Caddy, which is very easy to configure and does what you need and has proper documentation (I linked it earlier).

14
24.7 Production Series / Re: Can not get NGINX to allow connections..
« on: December 01, 2024, 09:14:44 pm »
If the OPNsense sends a request to e.g. 172.16.2.100:8080 and you do not see it in tcpdump at all then nothing gets to your host.

If it's a Linux you can also do

tcpdump -i any port 8080

that captures all existing interfaces.

15
Virtual private networks / Re: ikev1 NO-PROPOSAL-CHOSEN
« on: December 01, 2024, 07:18:03 pm »
If it worked with legacy, download the swanctl file (VPN - IPsec - Advanced Settings) and compare it to what you did in connections.

It's the same file that both implementations populate with the same options.
