Messages - jcdick1

16
Tutorials and FAQs / Re: Caddy Proxy - Install and Use
« on: September 05, 2019, 07:00:23 pm »
Okay, running from command line, it appears it is having an issue with Cloudflare and DNS.  I find only a few results on Google for the message I get, and they seem to indicate that it is the result of my "split DNS," because I use the same domain.tld for all my machines locally as I am trying to resolve externally.  So now it's down to configuring OPNsense properly, I think.

Code:
acme: error cleaning up: cloudflare: failed to find zone domain.tld.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6102,\"message\":\"Invalid format for X-Auth-Email header\"},{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"
followed a couple lines later by

Code:
acme: error presenting token: cloudflare: failed to find zone domain.tld.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6102,\"message\":\"Invalid format for X-Auth-Email header\"},{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"

17
Tutorials and FAQs / Re: Caddy Proxy - Install and Use
« on: September 05, 2019, 06:24:03 pm »
I do have a

Code:
log /var/lib/caddy/caddyservice.log
in my /var/lib/caddy/Caddyfile, as well as the aforementioned

Code:
: ${caddy_logfile="/var/lib/caddy/caddy.log"}
in the init script.  There are no log files being generated that I can see in either location.  Nor anything in system logs in /var/log to indicate what's killing the process.

I guess I try running it directly from the command line, with various options to see if it logs its failure to the console.

18
Tutorials and FAQs / Re: Caddy Proxy - Install and Use
« on: September 05, 2019, 05:31:56 pm »
I did finally manage to at least get the caddy command to kick off.  I had to go in and change the /usr/local/etc/rc.d/caddy init script to executable.

Now I have to figure out why it won't stay running and how to get a readable log file explaining what's killing it.  The log file entry in the caddy init script in the example provided in this thread

Code:
: ${caddy_logfile="/var/lib/caddy/logs/caddy.log"}
does not seem to create a log file.  Perhaps it's a version difference and this variable was deprecated, as the comments section above these variables in my version does not include that entry.  Instead it is:

Code:
# caddy_syslog_facility (str) Set to "local7" by default.
#                             Defines the syslog facility used to log output from the caddy process.
#                             This is NOT the web access log.
#
# caddy_syslog_level (str)    Set to "notice" by default.
#                             Defines the syslog level used to log output from the caddy process.
#                             This is NOT the web access log.

...

: ${caddy_syslog_facility="local7"}
: ${caddy_syslog_level="notice"}


However, there is no useful information regarding Caddy's failure in system.log or any other log I can see.  I am not getting a caddy.log file generated anywhere.

19
Tutorials and FAQs / Re: Caddy Proxy - Install and Use
« on: September 04, 2019, 09:01:25 pm »
Yes, I copied the file from <extraction location>/init/freebsd into /usr/local/etc/rc.d/ per the guide, modifying it for my Cloudflare account info environment variables.

20
Tutorials and FAQs / Re: Caddy Proxy - Install and Use
« on: September 04, 2019, 03:39:50 am »
Since I'm opening 80 and 443 directly to the router for Caddy to capture, I would guess I should configure things so the GUI only listens on the internal LAN interface instead of "All" since it is also on 443?

Also, I'm not super clear with FreeBSD how to get the service actually registered so it can be started without rebooting the router.  I tried sysrc caddy_enable=YES but when I try "service caddy start" it just tells me caddy doesn't exist.  FreeBSD is definitely a bit different than Linux.

Thanks so much for the clarification you've provided so far to this newcomer.
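A diagnostic for the two startup problems described in this post and in the September 5 reply above ("caddy doesn't exist" from service, fixed by making the rc.d script executable). This is an added example, not from the thread or the Caddy guide: it assumes FreeBSD's service(8) only considers executable rc.d scripts and that the rcvar lives in an rc.conf file; the script directory and rc.conf path are parameters so the check can be run against any location.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Explains why `service caddy start`
# can report that the service does not exist: service(8) only considers rc.d
# scripts that are executable, and then only starts them if NAME_enable=YES.

# check_rc_script SCRIPT
# 0 = exists and is executable, 1 = missing, 2 = present but not executable
check_rc_script() {
    script="$1"
    [ -e "$script" ] || { echo "missing: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable: $script (fix: chmod +x $script)"; return 2; }
    echo "ok: $script is executable"
    return 0
}

# check_rcvar RC_CONF NAME
# 0 = NAME_enable is YES (any case) in RC_CONF, 1 = file unreadable or not YES
check_rcvar() {
    conf="$1"; name="$2"
    [ -r "$conf" ] || { echo "no rc.conf at $conf (sysrc ${name}_enable=YES creates it)"; return 1; }
    # take the last assignment, with or without quotes around the value
    val=$(sed -n "s/^[[:space:]]*${name}_enable=[\"']\{0,1\}\([A-Za-z]*\).*/\1/p" "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) echo "ok: ${name}_enable=YES in $conf"; return 0 ;;
        *) echo "${name}_enable is not YES in $conf (got '${val:-unset}')"; return 1 ;;
    esac
}

# diagnose_service NAME [RCD_DIR] [RC_CONF]
# Defaults are the locations used in the thread; both are assumptions.
diagnose_service() {
    name="$1"
    rcd="${2:-/usr/local/etc/rc.d}"
    conf="${3:-/etc/rc.conf}"
    check_rc_script "$rcd/$name" || return $?
    check_rcvar "$conf" "$name" || return $?
    echo "$name looks registered; try: service $name start"
    return 0
}
```

Run `diagnose_service caddy` on the OPNsense box to get one of the three diagnoses, or pass a test directory and rc.conf as the second and third arguments.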

21
Tutorials and FAQs / Re: Caddy Proxy - Install and Use
« on: September 03, 2019, 03:58:14 pm »
I apologize for necro'ing this, but I didn't get an answer to my questions regarding it in a new thread.

In your second code snippet, you list the items that go into /etc/rc.conf but my OPNsense doesn't have a /etc/rc.conf and I wasn't sure where else that might go.  Do I just make one that contains only the items you have in your code snippet?

Thanks!  And again, I apologize.

22
19.7 Legacy Series / Config file questions
« on: September 01, 2019, 07:18:17 pm »
I was following the tutorial for getting Caddy up and running, but at one point, the writer mentions adding a line to the /etc/rc.conf file.  I'm not sure about the previous version, but my recently updated 19.7 install doesn't have this file.  Where would that be?

Also, if I'm running a reverse proxy directly on my OPNsense box, what would the firewall rules for 80 and 443 look like?  I've done port forwarding to other hosts, but never opened a port for my router itself.  Localhost?  The LAN IP?

Any guidance is appreciated.

23
19.1 Legacy Series / Re: WAN speed issue - 19.1 on XCP 7.5
« on: February 12, 2019, 12:53:04 am »
OPNsense 19.1.1-amd64

24
19.1 Legacy Series / WAN speed issue - 19.1 on XCP 7.5
« on: February 11, 2019, 10:47:26 pm »
I am experiencing a WAN speed issue that I'm hoping someone more knowledgeable than I can help diagnose.

I'm running OPNsense 19.1 in a VM on XCP 7.5 over AT&T gigabit fiber, which means I have the required AT&T box (required, as it acts as the filter for unsubscribed services on the same line) set for "passthrough" to have the router VM get the public IP.  That part works fine, and my two port forwards work.  The hypervisor host physical interface is connected to a switch, in a three-port VLAN, to allow the OPNsense VM to be migrated to another host without downtime.  However, I have taken the switch out of the equation for testing, with no change.

If I run an iperf test between LAN clients and the router, I get the expected line speed of ~1000Mb/s.  If I run the speed test that is built into the AT&T box, I get the expected ~900Mb/s both up and down.  If I run an iperf test from the router to a public iperf server, or run a generic web-based speed test from a LAN client, it gets ~40Mb/s down and 100Mb/s up.  Something between the router and the AT&T box is bogging down, but I don't know how to diagnose that segment.

When I first got my AT&T connection, the full speed was available, but I don't remember if the slowdown coincided with an upgrade on the OPNsense or the XCP.

My physical link LED says the link is 1000Mb/s.  I've disabled offload and set the NIC type in the router VM to e1000 instead of the RTL819 that is default, based on googling.  I've got the xen-tools plugin loaded and XCPCenter confirms the use of the paravirtualized drivers.  I don't know for sure what the link speed is for the virtual interface, as ifconfig in OPNsense only says "ethernet manual" for media, and there's no ethtool that might otherwise tell me.

Anyone have an idea what my issue might be and how I might go about diagnosing and resolving the issue?  Any help would be greatly appreciated.

25
19.1 Legacy Series / 19.1 Prod upgrade in Xen VM w/ AT&T fiber - WAN IP conflict
« on: February 01, 2019, 09:34:42 pm »
I upgraded from 18.7 to 19.1, and now I am getting this in the logs:

Feb 1 14:26:00   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:59   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:58   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:55   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!
Feb 1 14:25:54   kernel: arp: mm:aa:cc:aa:dd:rr is using my IP address XX.XX.XX.XX on xn3!

With AT&T fiber, the router provided by them is required, as it does some sort of authentication and acts as the filter for TV signals over the fiber.  However, it can be configured for a "passthrough" for a host behind it to receive the public IP.  That MAC address is the AT&T box and the IP is the public IP address.  It was fine under 18.7 but now the network is pretty slow, I'm guessing due to the conflict.

The only thing I've changed is the upgrade.

Any ideas would be appreciated.

26
18.7 Legacy Series / Port forwarding rule not working?
« on: December 14, 2018, 02:44:57 am »
I'm on OPNsense 18.7.8, and I have a port forward rule that doesn't seem to work, and I'm not sure why.

Interface   Proto     Src   Src port   Dest          Dest port   NAT IP           NAT port
WAN         TCP/UDP   *     *          WAN address   2400        192.168.1.200    2400       <-- Works fine
WAN         TCP       *     *          WAN address   2222        192.168.1.100    2222       <-- Connection timeout

The service on 192.168.1.100:2222 responds fine if I'm on the LAN.  And it is definitely TCP-only, as it is an SSH-based service.  But I have tried changing it to TCP/UDP, but it made no difference.

The port forward that works fine is used for an automated system with a remote client, so I have no way to manually confirm that it is working, I just have to take the reports' word for it.  Which is "Yes, the service is accessible."

I don't know exactly what to look for in the logs.  If someone could give me a clue on that one, I can go poke around in there and see if maybe the firewall is acting like this rule doesn't exist or something.

Any suggestions?

Thanks!

27
18.7 Legacy Series / OPNsense 18.7.8 in VM on XCP-ng 7.5.1 ... slow throughput
« on: November 30, 2018, 07:16:26 pm »
I am having issues with slow speed on my WAN interface.  I have gigabit fiber, but my DL is only 50Mbit, with ~100Mbit upload.  If I run iperf between a LAN PC and the OPNsense LAN interface, I get my 1Gb.  If I run iperf from a machine directly connected to the "modem" to a public iperf server, I get pretty close to my 1Gb.  If I run iperf from my OPNsense to a public iperf server, I get 50Mbit down, 120Mbit up.

I've googled a bunch, and made sure all the offloads are disabled, IPS/IDS are disabled.  But I am not all that deep into actual system administration to know how to achieve the next bit, which seems to be to force my NICs away from the xn* to en1000 drivers.

How would I go about doing that?  Any help is appreciated.

28
18.1 Legacy Series / Re: Multiple NICs and routing and such
« on: March 09, 2018, 06:21:12 pm »
Quote from: hutiucip on March 09, 2018, 05:25:57 pm
If it's a server, the rule can be bent to one IP + GW for access NIC, one IP for iSCSI NIC (only if you have a NAS with iSCSI you wish to connect your File Server/ Storage server to...), and one IP + GW for iLO NIC.

If you have both 192... and 10... on the NFS server, and more so you also have GW IP addresses set on both NICs, it is very tricky to isolate and direct each packet on the desired interface/ network, you would have to use static routes on many (if not on all) end-devices (workstations, servers, NAS devices...). It's a hell of a topology. :)

That's basically what I have for the servers, one IP+GW (1Gbe, 192.168.1.X) for web services and normal stuff, one IP for the NFS (10Gbe, 10.10.10.x), and one IP for iLO/DRAC/SNMP (1Gbe, 10.10.20.X).  I'm not sure why it was doing what it was doing, because I set the DHCP for "none" on the gateway for the NFS subnet, and the servers are actually configured for static IP.  But as soon as I put the blocking rules in for those hosts, I no longer had the "permission denied" issue.

Now to work on my port forwarding issue ... but that's for another post.

29
18.1 Legacy Series / Re: Multiple NICs and routing and such
« on: March 09, 2018, 05:25:09 pm »
I've set rules and now one of my two hosts can mount the share just fine.  The other host has an issue that I am working with that community to resolve.  I appreciate the clue on the firewall.

Thanks!

30
18.1 Legacy Series / Re: Multiple NICs and routing and such
« on: March 09, 2018, 03:20:54 pm »
I have three different interfaces in OPNsense, corresponding to three different VLANs on the switch.  My primary network for all of my devices and such (192.158.1.X/24), a "storage" VLAN (10.10.10.X/24), and a "management" VLAN (10.10.20.X/24) that is for the iLO/DRAC interfaces on the servers, etc.  Since I have OPNsense configured with an interface for each of those, I don't have any layer 3 (I think that's right) functions enabled for those VLANs on the switch itself.

I am finding that when I try to mount the NFS from my storage server that allows only clients in the 10.10.10.0/24 subnet, I continually get "permission denied by server," which makes me think that the servers are trying to mount via their 192.168.1.X interfaces, rather than their 10.10.10.X 10Gbe interfaces.

I will look into rules to block that traffic.

Thanks!

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved