Messages - Dimi3

#16
Sure.. screenshots attached.

Thanks.
#17
Hello,

Decided to post the issue I'm having here, since for the love of god I can't find what's wrong 😊

I implemented the guide to the letter using a virtual IP. I set up one public service accessible from the internet and a few accessible only locally (I separate these in the DNS settings for my domain: I only pointed xyz.mydomain.net to my public (static) IP). Everything is working as expected.

Now I want to open the full domain to my public IP and implement step 7 of this guide to make only the public services available over the internet, and limit the local services to LAN access only.

I added the local subdomains rule and map file as described in the guide, but for some reason it doesn't work... the services are always available even when accessed from the internet, as if the LOCAL_SUBDOMAINS_map_conditions did not apply. If I remove the PUBLIC_SUBDOMAINS-map-rule from HTTPS_frontend it works, but only from the local LAN, as it should, since that limits access to LAN only. When I put both rules in my HTTPS_frontend the rule for local-LAN-only access is not sticking, and the websites are accessible from LAN and internet.

Did I miss something obvious? Or, as it looks to me, are the 2 rules not handled in parallel, since with only one rule (either) it's working?

Any help appreciated.

Posting my config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    maxconn                     128
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 100
    timeout client 30s
    timeout connect 4s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 100

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_Backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_Frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: NoSSL_Condition
    acl acl_6241c8286b2146.46286925 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6241c8286b2146.46286925

# Frontend: 1_HTTPS_Frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6241cc05878570.68121182.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_map_conditions
    acl acl_63f758e46145e5.66171870 src 192.168.1.0/26

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63f7583a8314e2.36363887.txt)] if acl_63f758e46145e5.66171870
    # ACTION: PUBLIC_SUBDOMAINS_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6241c892a54f84.31767078.txt)]

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Unifi_backend (Unifi_Backend)
backend Unifi_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Unifi 172.1.1.2:8443 ssl alpn h2,http/1.1 verify none source 192.168.1.1

# Backend: Homeassistant_backend (Homeassistant_Backend)
backend Homeassistant_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Homeassistant 192.168.1.3:8123

# Backend: Docker_OCI_backend (Docker_OCI_Backend)
backend Docker_OCI_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server docker 172.1.1.2:9443 ssl alpn h2,http/1.1 verify none source 192.168.1.1



# statistics are DISABLED

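As an added illustration (not code from the post or from OPNsense), the script below models how HAProxy walks the two use_backend rules in 1_HTTPS_Frontend above: rules are tried in order, the first one whose map lookup resolves to an existing backend wins, and a rule whose lookup returns nothing is skipped. The map file contents are assumed, since the post does not show them, and the model assumes that src in the HTTPS frontend is the real client address (which the config arranges via send-proxy-v2 on SSL_Backend and accept-proxy on the bind).

```python
"""Model of HAProxy use_backend evaluation for the posted frontend.
Added example; map contents below are assumed, not from the post."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/26")  # ACL from the posted config

# Assumed map contents. The "leaky" public map also lists a LAN-only host,
# the "fixed" one lists only the hosts that should be reachable from WAN.
LOCAL_MAP = {"unifi.mydomain.net": "Unifi_backend",
             "ha.mydomain.net": "Homeassistant_backend",
             "xyz.mydomain.net": "Docker_OCI_backend"}
PUBLIC_MAP_LEAKY = {"xyz.mydomain.net": "Docker_OCI_backend",
                    "ha.mydomain.net": "Homeassistant_backend"}
PUBLIC_MAP_FIXED = {"xyz.mydomain.net": "Docker_OCI_backend"}


def map_dom(host, table):
    """map_dom semantics: a key matches when its labels appear as a
    contiguous, dot-delimited run of the host's labels, so the key
    "mydomain.net" matches "ha.mydomain.net" (and "mydomain.net.x.org")."""
    labels = host.lower().split(".")
    for key, backend in table.items():
        k = key.lower().split(".")
        for i in range(len(labels) - len(k) + 1):
            if labels[i:i + len(k)] == k:
                return backend
    return None


def choose_backend(src, host, public_map):
    """Backend HAProxy would pick for client address src and Host header."""
    rules = [  # (condition, map) in the order they appear in the frontend
        (lambda s: ipaddress.ip_address(s) in LAN, LOCAL_MAP),
        (lambda s: True, public_map),  # no ACL: always matches
    ]
    for cond, table in rules:
        if cond(src):
            backend = map_dom(host, table)
            if backend is not None:  # unresolved name: try the next rule
                return backend
    return None  # no default_backend in this frontend: client gets a 503


if __name__ == "__main__":
    for name, pub in (("leaky", PUBLIC_MAP_LEAKY), ("fixed", PUBLIC_MAP_FIXED)):
        for src in ("192.168.1.10", "203.0.113.5"):
            print(name, src, "ha.mydomain.net ->",
                  choose_backend(src, "ha.mydomain.net", pub))
```

Two checks fall out of the model: a LAN-only host listed in the public map is served to any source because the unconditional second rule catches it, and the /26 ACL only covers 192.168.1.0 to 192.168.1.63, so LAN clients outside that range are treated as internet clients.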
#18
Quote from: mimugmail on July 07, 2022, 01:44:35 PM
Quote from: Dimi3 on July 07, 2022, 01:41:07 PM
same for me.

P.S. Usually I don't rant about free SW, but this is almost core functionality and gets no testing love prior to release.

Zenarmor is a 3rd party plugin, tbh its anything else than core

This is why I don't rant :), my definition of core was wrong, sorry.
#19
same for me.

P.S. Usually I don't rant about free SW, but this is almost core functionality and gets no testing love prior to release.
#20
Hello.. I hope it's not against the rules.. but I thought I'd post it here first in case someone finds it useful... I have available for sale a 1y old fitlet2 (J3455) with 8G RAM and 256G mSATA in the EU.

It handles (tested via PPPoE) 1Gbps without IPS/IDS and around 500mb VPN traffic. I didn't do testing with IPS/IDS so I don't have valid figures there.

Everything in perfect working order. Shipped to EU only. Price 300 EUR shipped to your address.

For more info PM me.
#21
I used a fitlet2 with a Celeron CPU till recently, and it can do 1Gbps PPPoE with ease. But I didn't run any additional plugins like Suricata or Zenarmor. For OpenVPN it can do 500mbps. Hope it helps, it's a great little box, just running a little hot.
#22
22.1 Legacy Series / Re: net.pf.request_maxcount
February 10, 2022, 08:59:07 AM
That did the trick...thanks.
#23
22.1 Legacy Series / net.pf.request_maxcount
February 09, 2022, 03:09:57 PM
Hello,

Maybe someone has an idea how to increase this. I noticed these errors in log files since upgrade to 22.1. Obviously GEOIP_block alias is too big to be processed. It worked on previous version.

Thanks.

null
Consider increasing net.pf.request_maxcount.Invalid argument. {current_size: 491798, new_size: 525738}
2022-02-09T15:07:02
/update_tables.py   Error loading alias [GEOIP_Block]: cannot set addresses in GEOIP_Block: too many elements.
#24
Hello,

Moderators if this is against the rules, please delete. I run my FW virtualised now on new HW, so I have spare qotom Q335G4 with i3-5005U CPU and 4 intel i211 eth ports, if anyone is interested or in need, since boats from China are slow lately.

Everything is in perfect working order, box is barebone no RAM or HDD. Willing to ship to EU only.

PM me for the rest.

EDIT: On the way to new home :)
#25
I installed the AdGuard plugin... everything seems to be working ok... only under plugins AdGuard is marked as misconfigured? Why is that?

#26
18.1 Legacy Series / Re: Upgrade to 18.1.8 fails
May 17, 2018, 01:52:32 PM
Hi Franco, yes.. that is the mirror and the problem :) Thanks, now the upgrade went fine.
#27
18.1 Legacy Series / Upgrade to 18.1.8 fails
May 17, 2018, 01:39:42 PM
Hi,

Just tried to do an upgrade from 1.18.7_1 to 18.1.8, and the upgrade is not successful. Packages are downloaded, but the reboot did not happen. Then I manually rebooted the router, and I'm still on the old version. If I initiate the upgrade again.. this is the output:

**GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (67 candidates): .......... done
Processing candidates (67 candidates): ... done
The following 16 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   sudo: 1.8.22_5 -> 1.8.23_2
   sqlite3: 3.23.0 -> 3.23.1
   socat: 1.7.3.2_2 -> 1.7.3.2_3
   python27: 2.7.14_1 -> 2.7.15
   py27-sqlite3: 2.7.14_7 -> 2.7.15_7
   opnsense-update: 18.1.6 -> 18.1.8
   opnsense: 18.1.7_1 -> 18.1.8
   openssh-portable: 7.7.p1_1,1 -> 7.7.p1_2,1
   libnghttp2: 1.31.1 -> 1.32.0
   liblz4: 1.8.1.2,1 -> 1.8.2,1
   krb5: 1.16_1 -> 1.16.1
   freetype2: 2.9_1 -> 2.9.1
   ca_root_nss: 3.36.1 -> 3.37

Installed packages to be REINSTALLED:
   libucl-0.8.0
   libffi-3.2.1_2
   curl-7.59.0 (options changed)

Number of packages to be upgraded: 13
Number of packages to be reinstalled: 3

The operation will free 1 MiB.
1 MiB to be downloaded.
[1/2] Fetching curl-7.59.0.txz: .......... done
pkg-static: cached package curl-7.59.0: size mismatch, fetching from remote
[2/2] Fetching curl-7.59.0.txz: .......... done
pkg-static: cached package curl-7.59.0: size mismatch, cannot continue
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
#28
Development and Code Review / Re: WebDav backups
May 02, 2018, 07:44:03 AM
Thanks for the link... I will try to study the code... pCloud is a commercial cloud storage provider.. it's not self-hosted like Nextcloud or ownCloud.

#29
Development and Code Review / Re: WebDav backups
May 01, 2018, 08:10:19 PM
Fabian, thanks for explaining this.. out of curiosity I fired up OPNsense in VMware and tested it.. unfortunately it doesn't work.. log file below.

I don't know much about coding, but maybe for the future a generic WebDav option would be nice.. not sure if this can be done.. :)

May 1 18:03:21    config[41014]: {"url":"https:\/\/webdav.pcloud.com\/remote.php\/dav\/files\/myemail.com\/","content_type":"text\/html; charset=iso-8859-1","http_code":404,"header_size":161,"request_size":213,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":0.840269,"namelookup_time":0.137024,"connect_time":0.280039,"pretransfer_time":0.664595,"size_upload":0,"size_download":328,"speed_download":390,"speed_upload":0,"download_content_length":328,"upload_content_length":-1,"starttransfer_time":0.839998,"redirect_time":0,"redirect_url":"","primary_ip":"74.120.8.227","certinfo":[],"primary_port":443,"local_ip":"10.0.0.29","local_port":49755}

May 1 18:03:21    config[41014]: Error while fetching filelist from Nextcloud
#30
Development and Code Review / WebDav backups
April 30, 2018, 08:17:02 PM
Hello,

Sorry if this is maybe a stupid question.. there is a feature planned for 18.7 (most probably) to have backups via WebDav (Nextcloud).

Would this feature also work with other cloud solutions accessible via WebDav? Personally I'm using pCloud, which is fairly popular in the EU, and pCloud is also accessible via https://webdav.pcloud.com. Or is the implementation specific to Nextcloud?

Thanks for sharing the light :)

Regards,