Messages - bartjsmit

151
24.1 Legacy Series / Re: OPsense no internet on new fiber connection
« on: May 21, 2024, 08:30:39 am »
I think the Deco is a PPPoE client. You need the credentials to authenticate with the ISP PPPoE server.

152
General Discussion / Re: A question from a newbie
« on: May 21, 2024, 08:26:58 am »
Likely OPNsense has no route to your WG subnet.

153
24.1 Legacy Series / Re: Migrating to vlan
« on: May 21, 2024, 08:24:59 am »
Do you have a managed switch and an AP capable of multiple SSIDs?

There is no need to change the devices on your LAN, or any physical cabling.

Bart...

154
24.1 Legacy Series / Re: Packet loss in local network, when OPNsense is connected to switch
« on: May 20, 2024, 08:39:00 am »
Bad cable, bad NIC, or even bad earth (electrically speaking) - it's not likely to be a software issue.

Test with a different OS instead of OPNsense.

Bart...

155
24.1 Legacy Series / Re: network reflection - local web server - ssl certificate
« on: May 20, 2024, 08:34:14 am »
Instead of curl, use openssl s_client -trace -connect mydomain.com:443

156
Tutorials and FAQs / Re: SSL for local IIS Server it is possible?
« on: May 14, 2024, 08:28:28 am »
System, Trust, Authorities, add an authority.
In IIS, generate a CSR: https://www.digicert.com/kb/csr-creation-ssl-installation-iis-10.htm
System, Trust, Certificates, add a certificate, select sign a CSR.

All your clients need to trust the OPNsense CA. Export the CA public certificate and add it to their trusted stores.

Bart...

157
General Discussion / Re: Confused about IPv6
« on: May 12, 2024, 10:13:01 pm »
Modern browsers use happy eyeballs to decide between v4 and v6: https://datatracker.ietf.org/doc/html/rfc8305

Unifi APs don't need to support IPv6 management to carry IPv6 traffic. Recent APs support multicast well enough for it to work.

Bart...

158
General Discussion / Re: Vigor 130 SKY MER and Opnsense
« on: April 28, 2024, 10:00:55 am »
I set one of these modems up with Sky recently. Things to check:

- Load the latest BT (OpenReach?) firmware: https://www.draytek.co.uk/support/downloads/vigor-130
- Try VLAN 101, 1 or none
- When in doubt, factory reset and set up bridge mode and VLAN again.

The DHCP option is necessary and sufficient to get a public IP in OPNsense. Make sure you save and reboot.

Bart...

159
24.1 Legacy Series / Re: Configuring a failover mechanism (firewall rules) in case my Pi-hole goes down
« on: April 26, 2024, 07:58:49 am »
DNS is not a security enforcement technique. It exists because wetware cannot remember IP addresses :)

Firewall (policy) sits in level-3 of your network - that means that everything is by IP address. If you want to restrict higher up in the stack, you need a proxy (like Squid for web access).

As a service to make life easier for your users, it's great. A dedicated user (e.g. a teenager) can bypass your restrictions by SOCKS, DoH, VPN, etc. Since malware isn't (yet) at that level, you can reduce its impact with a filtering DNS server (like pi-hole).

Concentrate on making DNS fast (local) and available (resilience). DNS on your firewall is for your firewall to use. Give your users the servers they need by DHCP and allow those servers to resolve.

Remember the KISS principle ;)

Bart...

160
24.1 Legacy Series / Re: Inbound Wildcard DNS block
« on: April 23, 2024, 07:54:15 am »
If you distrust an inbound connection enough to block it, then why trust it not to spoof its name and/or IP address?

Content distribution networks, cloud services, CGNAT, proxies and what have you will obscure the source of external traffic and are out of your control.

If you want to increase the security, use a login to your service. If your logins are getting swamped from a certain corner of the internet, add a second factor (e.g. client cert for a web server).

Bart...

161
24.1 Legacy Series / Re: Configuring a failover mechanism (firewall rules) in case my Pi-hole goes down
« on: April 23, 2024, 07:47:40 am »
Quote from: New_User on April 22, 2024, 10:41:06 pm
under Services --> DHCPv4 --> DNS servers, there are only two fields to specify 2 DNS servers (not three).
Two is better than one but three is the maximum.

Remember that certain clients (*cough Windows *cough) will only consider a DNS server unavailable when it stops pinging. A dual DNS server is more for updating one at a time without an outage. A load balancer will give you high availability for partial failures.

Quote from: New_User on April 22, 2024, 10:41:06 pm
Probably it was not clear from my post, so it is worth noting that the DHCP server runs on my OPNsense (and not on my pi-hole).
There are good arguments for having separate servers for different services. The built-in DHCP/DNS/Squid in OPNsense are there to provide a drop-in replacement for ISP routers IMHO. There are many posts in this forum about on-board WiFi from that same perspective.

Ars did a good article about this recently: https://arstechnica.com/information-technology/2024/02/doing-dns-and-dhcp-for-your-lan-the-old-way-the-way-that-works/ I reckon the pi-hole makes a better DHCP than OPNsense, but a dedicated server (or container) trumps both. It is also a good learning experience.

Quote from: New_User on April 22, 2024, 10:41:06 pm
In any event, how do I force applications with hard-coded DNS addresses to go through specific DNS servers (in my case: pi-hole no. 1 & pi-hole no. 2, if the first one is down) without firewall rules? And if I need firewall rules for that, how do I set FW rules to redirect DNS queries to one of the two DNS servers (whichever is up)?
Hard coding DNS in an application is horrible and should be a red flag about its quality. Firewall rules cannot take the place of a load balancer, since the firewall does not have the ability to check the health of each server in the pool. Horses for courses.

Bart...

162
24.1 Legacy Series / Re: Inbound Wildcard DNS block
« on: April 22, 2024, 04:34:07 pm »
Create an entry in your DNS server for abc.com. to 127.0.0.1.

163
24.1 Legacy Series / Re: Configuring a failover mechanism (firewall rules) in case my Pi-hole goes down
« on: April 14, 2024, 10:19:32 am »
DNS is designed for failover. Build a second pi-hole and issue these DNS option 6 addresses via DHCP (or static configuration on non-DHCP hosts):

<pi-hole1.IP.addr>
<pi-hole2.IP.addr>
9.9.9.9

Bart...

164
Virtual private networks / Re: How do I: One VPN, Multiple (Potentially overlapping) Networks
« on: April 10, 2024, 07:48:29 am »
You cannot route traffic between overlapping subnets. The packets will never leave the router.

This sounds like a use case for an overlay network. Have a look at Tailscale.

165
General Discussion / Re: Port 443 traffic bypass Squid Web Proxy
« on: April 10, 2024, 07:46:32 am »
Put the host on a different subnet/VLAN. If your security policy involves Squid, you need to securely handle exceptions. Any client on the LAN can spoof an IP on the exception list if they share a subnet.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved