Messages

16

Hardware and Performance / Re: Good ITX board with limited availability

« on: April 05, 2019, 05:47:02 pm »

Looking at it rationally, I guess for only a firewall and <=1Gbit, anything but the smallest Epyc 3101 is probably way overkill even including IDS. So if the need is there for a larger model, 10Gbit is probably in the mix too somewhere.

Bit different if the server is multi purpose, e.g. running ESXi and OPNsense only being one of several applications. Then the Epyc 3251 looks pretty bad-ass and great bang for the buck.

17

Hardware and Performance / Re: Good ITX board with limited availability

« on: April 02, 2019, 02:38:17 pm »

They’ve started selling them in Sweden now. Bit cheaper than the equiv Xeon D-1500 and certainly D-2100 but no 10Gbit ethernet on the other hand. For 10Gbit the Xeons still look pretty good, also considering that architecture  would likely be the best supported from software/driver perspective.

18

General Discussion / Re: LAN x DMZ design with one firewall or two?

« on: March 18, 2019, 08:37:26 pm »

Sounds like you're in pretty good shape.

19

Hardware and Performance / Re: Good ITX board with limited availability

« on: March 17, 2019, 08:05:47 pm »

Bleeding edge... not sure you can even buy them yet? Looks promising though.

20

General Discussion / Re: LAN x DMZ design with one firewall or two?

« on: March 16, 2019, 08:49:44 am »

I’m not a professional network engineer either but here’s me 5c and take them for what it’s worth. Some considerations are necessary here which may help drive the decision; do the servers in the DMZ need to talk to each other or are they all completely stand-alone? What are they actually running in terms of OS and applications and how secure can they be? How many servers? Bear in mind that a firewall such as OPNsense is itself a server running FreeBSD - although with a lot of focus on keeping it secure. It may be possible to harden your application servers in themselves to a similar degree, depending.

A common practise for smaller setups would be to separate DMZ from LAN (as you have) and basically treat the DMZ almost as the public internet, i.e. assume that any server in there could be hacked (through what they expose to the internet) and therefore harden all the servers themselves, through absolute minimum number of ports and services open etc.

Additional layering (network segments and firewalls) can bring additional isolation and security as well as scale but I wouldn’t go there just for the sake of it before taking a hard look at the servers themselves first and how they interact with one another on the DMZ if at all.

21

Hardware and Performance / Re: Good ITX board with limited availability

« on: March 15, 2019, 01:01:53 pm »

Their appliances seem to use similar embedded AMD processors like APU2 by https://pcengines.ch/apu2.htm very dated I have no idea why would anyone use that expecially for the price of Deciso...I’d buy rather something more enterprise and contribute back to the project via donation unless you need their support, where I could understand why to pay extra...

Agreed, unfortunately. Maybe the lower end models offer a reasonable package, although very modest performance with embedded low-end AMDs as you say. But moving up the value chain with their embedded A10 quad core models, you’re approaching SuperMicro Xeon server territory in terms of pricing, with higher performance in orders of magnitude and better expandability etc.

22

Hardware and Performance / Re: Good ITX board with limited availability

« on: March 14, 2019, 07:34:59 am »

Hey @rungekutta, thanks for the answer;)
My internet is not fast 30/4, but enough for here..
[...]
Buy a refurbished cheap quad gigabit card, probably from a datacenter, you'll mostly be more than fine.
Don't think your network will only run good with 'the latest and greatest' I myself find it challenging to use small hardware(low specs)
I'm a hobbyist in heart and soul;)

We both run OPNSense at home so are clearly both tinkerers ;-) but coming at this from different perspectives. You enjoy repurposing and pushing low spec hardware to the limit - all respect to that. I'm more from the perspective of building solutions that just run and run, and I like headroom... also, my WAN connection is 33x faster than yours, those speed are not uncommon here where I live (and the teenagers at home expect them ;-)). So if your CPU can just about manage your connection, by extrapolation I'd need 33x more performance if the router is not going to be the bottleneck... In real terms it's probably more like 10x according to passmark and that currently allows me 80% of my WAN capacity with IDS switched on which is good enough... right now ;-)

As for ECC... it doesn't add much to the overall cost these days if you choose components carefully so I'd definitely get it if I did a new build tomorrow. YMMV.

23

Hardware and Performance / Re: Good ITX board with limited availability

« on: March 13, 2019, 08:35:04 pm »

Hi, I guess we're talking about a router used in the home domain. Depending on your needs anything would do. Here a supermicro d-410 with a HP-364T quad gigabit adapter, such you can probably buy on your well known marketplace for a few dollar. It runs IDS, a proxy for 'shitware', a VPN, not so fast, there's no AES-ni, etc.. Though for the common home hobbyist this could be more than enough to run a dozen servers and the same amount of clients without a glitch

Fair enough and each to their own and their needs of course. How fast is your WAN?

Then there is said in this thread you should consider using ecc because you may need to reboot because of problems.. and the root cause would be non-ecc! really?,  cmon don't make me laugh, boxes here run for ever without ecc, I run a debian server on an Upboard first edition which easily achieves an uptime of 150 days++(mostly rebooted due to kernel upgrades, the supermicro board(OPNsense) also has no trouble with this), ecc would maybe (very maybe) have an effect on self healing file-systems like ZFS though, if one bit more is destroyed in a million it's still not repairable.

ECC has much lower failure rate than non-ECC RAM. And non-ECC RAM is more likely to cause system instability by memory errors. That doesn't mean all non-ECC systems are inherently unstable, and most of the world's computers still run non-ECC RAM. While a large proportion of the world's enterprise servers run ECC, as do many professional workstations aimed at CAD, audio/video production, medical imaging, etc. At the end of the day, all about risk assessment and choice. Personally I run ECC on my NAS but currently non-ECC on my OPNSense router (which is still very stable) - but next build will probably be ECC.

Oh and than IPMI, for your home server, why? do you run some datacenter at home? agreed nice toys which you use a few times, but you need it?, I think you don't, my 50 cents.

I find it extremely practical. Saves having to carry the server to somewhere you can plug it into a screen and keyboard, or vice versa. Even BIOS updates and config changes can be done remotely over the network. Again YMMV depending on your layout / setup at home.

24

19.1 Legacy Series / Re: auto proxy discovery

« on: March 13, 2019, 07:59:33 pm »

Thanks. That makes a lot of sense.

25

19.1 Legacy Series / Re: auto proxy discovery

« on: March 12, 2019, 10:14:59 pm »

Ok guys, thanks for that tip, will come in handy. I managed to figure this one out without it though. It was kind of in the instructions... but not to its full implication, so to speak.

I cleared out browser caches to do some more debugging on access to wpad.dat and realised I had SSL redirection enabled (80 -> 443) on the OPNSense web gui. And it runs the default self-signed certificate - I had taught my browser to trust it so didn't notice at first. But the invalid certificate is why I got erratic and different behaviour from different clients and browsers with respect to loading and parsing wpad.dat.

So it left me with two options; either get a valid certificate for OPNSense's LAN web gui, or switch the whole GUI to port 80 and http, which is kind of terrible but the lazy option. It's a shame that OPNSense won't let me serve out wpad.dat on http/80 and run the web gui on https/443 at the same time.

In any case, I got it to work reliably now across all the clients I've tried including Mac and Windows.

26

19.1 Legacy Series / Re: auto proxy discovery

« on: March 12, 2019, 05:37:05 pm »

Run a trace on the interface that the iOS devices connect with to confirm that they are sending WPAD packets and to compare the traffic with a Chrome client. Interfaces, Diagnostics, Packet capture.
Wireshark is your friend https://www.wireshark.org/

Thanks. How do I do that in practise? Do I need to install on OPNSense and run from shell or are there standard tools in the GUI somewhere to run the capture (later to be downloaded and analysed in Wireshark)?

27

19.1 Legacy Series / Re: auto proxy discovery

« on: March 11, 2019, 10:56:33 pm »

Another test - added a block rule in the firewall for ports 80 and 443. Unfortunately that still didn't get Safari to use the proxy settings, it just fails to load the pages instead.

Chrome in the meanwhile continues to read and respect the proxy settings as configured.

28

19.1 Legacy Series / Re: auto proxy discovery

« on: March 11, 2019, 10:31:35 pm »

Just tried an iOS client. That also silently ignores the wpad.dat settings whether I set it to full auto-discovery or whether I give it the wpad.dat URL. Just hits the web pages direct irrespective.

29

19.1 Legacy Series / auto proxy discovery

« on: March 11, 2019, 10:12:49 pm »

Hi all,

I've been trying to get auto discovery of my web proxy to work on my LAN with limited success and I'm not sure how to debug it so wondering if there are success stories out there or if this is just intrinsically flaky with a diverse set of clients...?

My test client is Mac OS X 10.14.3. I have followed the guide, although not managing to make it work, experimented a bit further. My current config in OPNSense generates this file:

Code: [Select]

/*
  PAC file created via OPNsense
  To use this file you have to enter its URL into your browsers network settings.
*/
function FindProxyForURL(url, host) {

if (!((isPlainHostName(host)) || (shExpMatch(host, "*.mydomain.com")))) {
return "PROXY 192.168.200.1:3128";
}

   // If no rule exists - use a direct connection
   return "DIRECT";
}

... which I think should work. I have added an option to the DHCP server to send the URL on field 252 according to the instructions.

Indeed, on the client:

Code: [Select]

$ scutil --proxy
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://192.168.200.1/wpad.dat
  ProxyAutoDiscoveryEnable : 1
}

... looks promising (the URL is picked up from DHCP).

HOWEVER. Safari completely ignores the proxy setting and just loads pages direct instead. Chrome on the other hand actually honours the proxy setting... unless in "incognity mode" in which case it also ignores the proxy setting and hits the pages directly! I can see this by following Squid's access log while loading up different pages on the client using various browsers.

Do I need to block direct access in order to get the browsers to actually use the proxy settings specified?

Very odd... Anyone got experience from this?

30

Hardware and Performance / Re: Good ITX board with limited availability

« on: March 07, 2019, 12:08:48 pm »

Sorry, I mean E-2100 of course