Messages - dragon2611

#16
18.7 Legacy Series / Re: fastnetmon
November 25, 2018, 09:50:18 PM
VTI / Routed VPN support for IPSEC if possible  :P
#17
General Discussion / Re: Feature Request: Route Based VPN
November 03, 2018, 06:00:49 PM
Quote from: mimugmail on November 03, 2018, 01:07:42 PM
You can't compare Linux/Iptables with OPNsense cause FreeBSD Vanilla also can achieve Route based IPsec

I'm sure it can, but I happen to be more familiar with Linux and iptables than I am with BSD/PF. Where I need a route-based VPN to land on a virtual router, I tend to use Linux to do it. It just so happens to be what works for me in that situation.

Also there was a typo in my previous post: it should have said "now", not "know".
#18
General Discussion / Re: Feature Request: Route Based VPN
November 03, 2018, 12:41:32 PM
It's one of the reasons I now use Linux/Iptables in places where I would have used OPNsense  :(
#19
18.7 Legacy Series / 18.7.1 default mirror
September 24, 2018, 10:14:28 PM
Both of my 18.7.1 firewalls were reporting "Could not find the repository on the selected mirror." until I changed the mirror from (default) to explicitly setting one.
#20
18.1 Legacy Series / Re: HAproxy Ipv6
March 04, 2018, 09:39:59 PM
Bump

Anyone? Can HAproxy not work with IPv6 then?  :o
#21
18.1 Legacy Series / HAproxy Ipv6
February 25, 2018, 02:25:38 PM
What's the format to make HAproxy listen on port 80/443 on an IPv6 address?

It looks like the form only manages to accept either a hostname or an IPv4  :(
#22
https://support.aa.net.uk/L2TP_Client:_Windows

Windows 10 very much wants you to use IPSEC with L2TP, because Microsoft knows best and how dare anyone want a simple tunnel without encryption.  ::)
#23
18.1 Legacy Series / em0 watchdog timeout (Unraid)
February 02, 2018, 11:25:47 PM
I have a virtual OPNsense running in Unraid 6.4 with the network type set to e1000 (for some weird reason that interface goes AWOL when set to virtio). Anyway, since upgrading to 18.1 it's stuck going "em0: watchdog timeout -- resetting".

It was working on 17.7

#24
Just a couple of notes:

1) It's now in Settings > Global Parameters

2) The config to use HTTP auth can either go in Virtual Services > Public Services (new name for Frontend) OR Virtual Services > Backend Pools

What you do in 2 largely depends on whether you want to force authentication for everything served by that frontend instance, or if you have multiple backend servers/sites and only want to force authentication on some of them.
#25
Fair enough

It would be really nice if it supported aliases, but I suspect that's a fair bit of work  ;)
#26
Last time I tried to enable IPS on a VM running in Proxmox (KVM) it would just stop passing traffic and usually need a reboot to get going again; this was with the VirtIO drivers.

It was an N3150, so gutless, but it wasn't a CPU usage problem: it was that the VirtIO drivers really don't seem to play nice with IDS.

It's the reason I don't have the IDS turned on in any of my OPNsense boxes, because with most of them being virtual I can't risk it.
#27
How do you get it to work with an alias?

I've tried tabbing the field but that doesn't seem to work (Firefox), and if I don't put an actual IP then it seems HAproxy gets upset.

I wanted to use a negative match on a list of IPs (i.e. the rule says deny access to /wp-admin/ on the backend server, but if it's one of the IPs on the trusted list the rule shouldn't fire).
#28
Hi BartM

In my particular case the rule also had a source match, so it doesn't make the firewall totally useless, as you'd have to know which IPs were allowed and spoof those, which shouldn't really work for TCP anyway but yes, could be a problem for UDP. That said, it was a quick and dirty hack and I do need to go in and be more explicit about the allowed ports.

It was for an oVirt managed host where the Engine was elsewhere (the engine's since been moved); also the machine itself has its own iptables firewall.

I don't think it should be explicitly disallowed, however. Maybe it could warn you that it's a bad idea, but ultimately is it not down to the network admin to make the call if they really do want to do something stupid?
#29
17.7 Legacy Series / Re: SkyQ
November 02, 2017, 12:58:34 PM
Might be worth going to Interfaces > Diagnostics > Packet capture, then selecting the interface that the SkyQ box is on, then adding the SkyQ box in the host address.

Hopefully that might give some clues as to whether it's trying to look up some internal address that only works with Sky's DNS, or if it's trying to talk out on a port that's blocked by your firewall policy.
#30
Only had a quick skim through that doc; seems OK to me. Just leave the balancing algorithm on "stick on source ip" and it should be fine. If there's only one backend for that domain/vhost the balancing algorithm won't make much difference anyway, as it's only got one possible location to balance it to.

Essentially you are going to end up with ACLs that say if hostname = X use backend Y.

I've got it working with LE and non balanced backends, it looks a bit daunting at first but it's actually fairly straightforward once you get the hang of the flow.
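The three HAproxy threads above (#24 HTTP auth per frontend or per backend, #27 a /wp-admin/ deny rule that skips a trusted IP list, #30 host-based ACLs routing to backends, plus the IPv6 listener asked about in #21) all map onto a few lines of raw HAProxy configuration. The fragment below is an added example written for this page, not the OPNsense plugin's generated file or anything dragon2611 posted; the hostnames, addresses, certificate path and the `admins` userlist with its placeholder credential are all constructed assumptions.

```haproxy
# Added example, not the plugin's generated config. Names, IPs and paths are assumptions.
userlist admins
    # Constructed placeholder; in practice store a hashed password, not a plaintext one.
    user alice insecure-password CHANGEME

frontend public_web
    # IPv4 and IPv6 listeners on 80/443 (the raw-config form of the #21 question).
    bind :80
    bind :::80 v6only
    bind :443 ssl crt /usr/local/etc/haproxy/certs/
    bind :::443 v6only ssl crt /usr/local/etc/haproxy/certs/

    # #27: deny /wp-admin/ unless the client is on the trusted list (negative match).
    acl trusted_src src 192.0.2.10 198.51.100.0/24
    acl wp_admin path_beg /wp-admin/
    http-request deny if wp_admin !trusted_src

    # #30: "if hostname = X use backend Y"
    acl host_blog  hdr(host) -i blog.example.com
    acl host_intra hdr(host) -i intranet.example.com
    use_backend be_blog  if host_blog
    use_backend be_intra if host_intra
    default_backend be_blog

backend be_blog
    # Single server: the balancing algorithm is irrelevant here, as #30 notes.
    balance source
    server blog1 10.0.0.11:80 check

backend be_intra
    # #24: forcing HTTP basic auth on one backend pool only, rather than the whole frontend.
    acl auth_ok http_auth(admins)
    http-request auth realm Intranet if !auth_ok
    balance source
    server intra1 10.0.0.12:80 check
```

Moving the two `auth` lines from `backend be_intra` up into `frontend public_web` is the other choice described in #24: then every host served by that frontend prompts for credentials. In the plugin UI the same ACL and action pairs are entered as conditions and rules attached to the Public Service or Backend Pool, which is why #27's wish for an alias in the source field matters: the `src` list has to be maintained by hand otherwise.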