Topics - Tubs

#1
Hello,

what is the advantage of using "Proxy TCP/UDP on Layer 4" by Caddy instead of using port forwarding in OPNsense?

I just migrated from HAProxy to Caddy. Reverse proxy with TLS termination and TLS (SNI) multiplexing on the HTTPS port with TLS passthrough were easy to set up and just work fine. It was a pain to get this combination running in HAProxy.

Not clear to me is what a use case for "Proxy TCP/UDP on Layer 4" could be where it is better to use Caddy instead of just doing port forwarding.
#2
General Discussion / mDNS Repeater and firewall rules
October 13, 2024, 06:59:52 PM
Hello,

I want to use the mDNS repeater on OPNsense to forward mDNS between two subnets.
From the documentation it is not clear to me what firewall rules I need to allow the mDNS multicast traffic between these two vpn.

  • on both interfaces to port 5353 at 224.0.0.251 and [ff02::fb] or
  • on both interfaces to port 5353 at "subnet address" or
  • on both interfaces to port 5353 at "this firewall"
Or a combination of these three?
#3
Hello,

there are so many new hardware devices with modern powerful CPUs, small form factor, low energy footprint and low noise that it is difficult to find the right choice. "Old" hardware that is cheap to get as used devices often was a good choice in the past.

Is today a Sophos SG 210 / SG 220 / SG 310 / SG 330 still a good choice to run OPNsense in an ambitious home environment? Or is it a blast from the past that cannot compete with current new devices in regard to power, energy consumption and noise, even when taking cost into the calculation?

I am looking to upgrade my Qotom Q355G4 with something that provides one or two SFP+ ports. A DEC2752A or DEC2770 looks like a "dream build" but at a high price. Is a Sophos you get for around 100 $/EUR still an option nowadays?
#4
Hello,

for the issue with IDS not working after the update I could quickly find the solution here.
Now I have detected a second issue after the update to 14.1.

I use HAProxy in a mix of SNI frontend (TCP type) and https frontend (SSL offloading). For offloading I use two hostnames with two ssl certificates that will use two different backend servers.

Since the update the wrong one of the two certificates is getting provided to the client. Backend selection is as expected. This setup has been running for years. It broke when I upgraded to 14.1 yesterday.
#5
Hello,

I want to use the Syncthing Discovery server behind HAProxy with ssl offloading by HAProxy. To do so I set the discovery server to http (option -http). The connection is running. But I must forward the client certificate by the header X-SSL-Cert. According to the manual the header is required in PEM format.

This would add the client cert in DER format, which is not recognized by the discovery server:
http-request set-header X-SSL-Cert %{+Q}[ssl_c_der,base64]

I modified the line to create a PEM. Either nothing is in it or it is in the wrong format.
http-request set-header X-SSL-Cert -BEGIN\ CERTIFICATE-\ %[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space

Connection is running. But discovery still cannot read the client cert:
no certificates: certificate decode result is empty


Any idea how to set-up the forwarding of client certificate by header correctly in OPNsense?
#6
Hello,

does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose 'activesync' and 'owa' directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase the security I want to switch to Client Certificate Authentication for activesync.

Option 1: setup client auth on HAProxy.
Option 2: passthrough 'activesync' (separate host/SNI) in HAProxy by TCP mode, do authentication on HAProxy and keep offloading SSL for 'owa' on HAProxy

Option 1 seems to get too complicated for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up with two frontends on the same port, one with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a directly exposed Exchange protected by client certificate authentication as safe against attacks as behind HAProxy?
#7
21.1 Legacy Series / gateway monitoring - RTTd bad
February 14, 2021, 05:32:40 AM
Hello,

I noticed bad RTTd values in my local network.

Some days ago, I changed my network configuration. Two networks that before were directly connected to the OPNsense box now are getting handled by a L3 switch. Between OPNsense and L3 switch I added a "transport network", connected directly from nic to nic with a 50 cm cable. I added a static route between both devices. I am not using VLAN or LAGG on the OPNsense 20.1.1 box for this connection. But the RTTd values from gateway monitoring are worse in comparison to the values of my WAN connections.

Any idea what could be wrong?
Or could it be related to the way the monitoring is measuring?
#8
Hello,

currently my home network with a handful of VLANs is set up in such a way that OPNsense is doing all routing between the subnets. All devices are connected to one L2 switch. But since I upgraded a part of my home network to 10 Gbit, I now have a bottleneck between the networks I call "LAN" and "DMZ". My OPNsense is a small box with 1 GBit ports only, but good enough to handle the traffic to and from the internet.

Three goals I have:
(1) I would like to move the routing between the network "LAN" and "WAN" to an external 10 GBit L3 switch (Ruckus 7250). For all other networks the routing can stay on the OPNsense box. Only little traffic related to those needs to get routed.
(2) I would like to utilise the available 3 physical ports (A2, A3, A4) on the OPNsense box as much as possible.
(3) I would like to minimize the overhead on the OPNsense box generated by VLAN tagging or LAGG.

My ideas are:
- run LAGG over all three ports and run one VLAN trunk to the switch with all networks in it
- run one VLAN / VLAN trunk on each of the three ports and manually distribute the VLANs / subnets according to expected traffic
- as shown in the sketch: one separate gateway and route for LAN and DMZ, directly connected without VLAN or LAGG. All others packed in one VLAN trunk. No need for LAGG or VLAN on the networks with the highest traffic.

Any disadvantages in going with the last one?
Better ideas?


  opnsense                               L3 switch

       A1 --------X WAN

                GW1 - 192.168.1.10/30
       A2 -------------------------------- B1 - LAN: 192.168.40.0/24   

                GW2 - 192.168.1.20/30
       A3 -------------------------------- B2 - DMZ: 192.168.50.0/24

                 VLAN trunk
       A4 -------------------------------- B3 |--- VLAN 10: 192.168.10.0/24
                                              |--- VLAN 20: 192.168.20.0/24
                                              |--- VLAN 30: 192.168.30.0/24
#9
Hello,

is it possible in the Unbound plugin to define DNSBL addresses as exclusions for the DNS over TLS servers?

I am using an OPNsense box with Unbound as primary DNS server. My mail server with spam filter and DNSBL also is using this box as DNS server. When I used to resolve the domains directly all was fine. But since I changed to DNS over TLS with the Cloudflare server my mail server cannot use all DNSBL lists any longer.

Defining an exclusion list in Unbound is my first idea. Alternatively, set up BIND on OPNsense additionally for DNSBL only or set up a dedicated DNS server directly on the mail server.
#10
Web Proxy Filtering and Caching / nginx default_server
September 27, 2020, 03:27:15 AM
Hello,

is there a possibility to specify the "default_server" in the nginx module?

I use more than one http(s) server towards WAN as well as multiple servers as upload servers. Routing is done by domain name and by the parameter "servername". All works fine. But if someone accesses my server by IP address I would like to point to a specific upload server. In the nginx config I would realise this by the parameter "default_server". Currently one of the upload servers is called, but always the same one.

Is it possible to specify the default server?
What is the current logic by which the upload server is getting selected in case of access by IP?
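As an added example that is not from the post or from the OPNsense nginx plugin: in plain nginx configuration a request is matched to a server block by its Host header (or the SNI name for TLS) against server_name; when nothing matches, which is what happens on access by IP address, nginx uses the default server for that address:port pair, and that is the first server block declared for the pair unless one carries default_server on its listen directive. The configuration below makes that choice explicit and, from a hardening point of view, refuses IP-based access instead of handing it to whichever server block happens to come first. Hostnames, certificate paths and the upstream address are placeholders.

```nginx
# Added example (not from the post or the OPNsense plugin).
# Without an explicit default_server, the catch-all is simply the first server
# block declared for each address:port, which is why "always the same" upload
# server answers when the box is reached by IP address.

# Explicit default for plain HTTP: close the connection without any response,
# so clients that connect by IP learn nothing about the published hosts.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # "_" never matches a real name; reached only as default
    return 444;             # nginx-specific: drop the connection silently
}

# Explicit default for TLS: abort the handshake when the client sends no SNI
# name or an unknown one (ssl_reject_handshake needs nginx 1.19.4 or newer).
# No certificate is needed on a server that rejects every handshake.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# A named host is selected only when Host/SNI matches its server_name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name upload1.example.test;                    # placeholder name
    ssl_certificate     /path/to/upload1/fullchain.pem;  # placeholder path
    ssl_certificate_key /path/to/upload1/privkey.pem;    # placeholder path

    location / {
        proxy_pass http://192.0.2.10:8080;               # placeholder upstream (TEST-NET-1)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To send IP-based access to one specific upload server instead of refusing it, put the default_server flag on that host's listen lines (or replace return 444 in the catch-all with a proxy_pass to it). Run nginx -t before reloading: declaring default_server twice for the same address:port is rejected as a configuration error, which is the quickest way to confirm which block really is the default.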
#11
Hello,

On my OPNsense box 20.1 I changed the Letsencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with the staging environment is OK. I get the certificate issued.

But when I change Letsencrypt to production environment I get the following error:

[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de


With staging environment, I also can re-issue without waiting time. So, no DNS caching or refresh issue.

Due to the fact that testing with staging environment is working I assume there is something wrong on OPNsense side. Or do I miss something?
#12
General Discussion / os-rfc2136 - documentation?
May 06, 2020, 05:07:54 AM
Hello,

is there documentation available for the plugin os-rfc2136 (dynamic DNS updates)?

I am searching for some more details about the logic how updates are getting triggered.

  • Does the plugin check if a DNS update was successful?
  • If the DNS update was not successful, will the plugin do re-trials?
  • How does the plugin validate if a DNS update is required? By DNS server check or only WAN IP against "last changed value"?
  • Is there a periodic check for updates by the plugin itself or do I have to schedule it manually by cron?
I noticed a strange behavior when I did some tests to find the answers to my questions above. I changed the IP manually on the DNS server to see what is doing something and when. Nothing.
#13
Hello,

I assume I have a routing or firewall issue on OPNsense side, but I am running out of ideas where to search.

Under OPNsense I have set up a site-to-site VPN with IPsec. On the OPNsense side it is connected to the DMZ interface and its network. On the remote site it is connected to a single host and the routed network.

DMZ (192.168.10.0/24) --> IPSec ------------> libreswan --> centos host (10.10.1.1/24)

What is not working is a connection from a service on OPNsense to the remote host. To be precise I cannot reach the remote host by the plugin RFC2136 to do DNS updates via port 53/udp.

The firewall allows all from the DMZ network to the routed network. Connections between devices in the DMZ network and the remote host are working. From the DMZ network I can reach my target port. So all is fine on the remote side.
#14
I just installed Sunny Valley Sensei on OPNsense 19.7.5 for testing purposes. The installation completed with success and also the initial configuration is completed. The LAN interface is selected and all web filters are activated for testing. The status page shows all services running fine (at least to me it looks like that).

But nothing is getting blocked. All traffic is going through. On the dashboard I can see that the reports are filling with data.

Could there be any conflict with the running squid web proxy or an incompatibility with the LAGG interface for LAN? I have no idea where to search.
#15
Hello,

somehow my Exchange autodiscover does not work behind nginx as reverse proxy. When I connect directly to the server it works. But behind OPNsense with nginx as reverse proxy autodiscover ends up in an http 401 error.

Unfortunately, I don't see anything in the logs that gives me a hint where to search.

Basically, I am fine with either basic authentication pass through or authentication by OPNsense to LDAP server. Whatever is running is fine.

The rest like activesync and owa is running through opnsense.

Any idea where to search?
#16
Hello,

after my issue with nginx is solved, I am faced with the next issue in OPNsense 19.1.7. The openvpn client export is not working. openvpn is set up according to the wiki as road warrior. Certs for server and client are created by the OPNsense CA. But when I now go to --> VPN --> Clientexport and press the button next to the user nothing happens. The browser shows loading activity for a while, but no file is coming. In the log files I cannot find any error.

Is there a cli command to create the ovpn file instead of the GUI?
#17
Hello,

Nginx is not starting after setting the access log in section server to "disabled".

My setup with nginx as reverse proxy is running. When I change in the nginx server settings the access log from "Standard" to "Disabled", in the first step it looks like all is working fine. Nginx is running. But after a reboot of the OPNsense box nginx is not starting any more.

In error.log I found:
2019/05/11 12:52:00 [emerg] 51023#100211: unknown log format "disabled" in /usr/local/etc/nginx/nginx.conf:1519

In nginx.conf I found
access_log  /var/log/nginx/xxxxxxx.de.access.log disabled;

To me it looks like after the reboot of OPNsense the nginx conf is getting rewritten but the format is not correct.
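As an added example that is not the plugin's generated configuration: in nginx the second argument of access_log is the name of a log format, so the literal word disabled is looked up as a format that was never defined and nginx refuses to start with exactly the "unknown log format" error quoted above. The keyword off is the valid way to switch the access log off for a server. Server names, certificate paths and the upstream address are placeholders.

```nginx
# Added example (not from the post or the OPNsense plugin). Placeholder names.

http {
    # A named log format. The second argument of access_log must refer to one
    # of these or to the built-in "combined" format.
    log_format proxy '$remote_addr - $host "$request" $status $bytes_sent "$upstream_addr"';

    server {
        listen 443 ssl;
        server_name proxied.example.test;                 # placeholder
        ssl_certificate     /path/to/fullchain.pem;       # placeholder path
        ssl_certificate_key /path/to/privkey.pem;         # placeholder path

        # Broken: "disabled" is parsed as a format name that does not exist.
        # nginx: [emerg] unknown log format "disabled" in ...
        # access_log /var/log/nginx/proxied.example.test.access.log disabled;

        # Valid: no access log at all for this server.
        access_log off;

        # Alternative if logging should stay on but use the format defined above:
        # access_log /var/log/nginx/proxied.example.test.access.log proxy;

        location / {
            proxy_pass http://192.0.2.20;                # placeholder upstream (TEST-NET-1)
        }
    }
}
```

nginx -t -c /usr/local/etc/nginx/nginx.conf parses the generated file without touching the running process, so it tells a configuration that only appears to work while the old nginx keeps running apart from one that will fail on the next start or reboot.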
#18
Hello,

can I use nginx plugin as reverse proxy from IPv6 address to internal server with IPv4 address only?

With all I tried so far I do not get it running.

My starting point is that my IPv4 setup is running: WAN IPv4 --> nginx --> DMZ IPv4
I set up an IPv6 GIF tunnel (HE) and in the firewall I allow on the tunnel interface ICMP and ports 80 and 443 to "this firewall".
No further setup of an IPv6 address on any other interface.
When I look at the socket bindings of nginx the ports look OK for IPv6:
  www  nginx  tcp6   *:443   *:*
  root   nginx  tcp6    *:80    *:*
  root   nginx  tcp6    *:443    *:*
Ping from outside to the local GIF address is working fine.

But http and https access from outside to the local GIF address times out. Nothing I can see in the firewall logs.

Any idea what to do?
Or is it simply not possible what I want to do?
#19
Hello,

I noticed a strange behavior with the combination OPNsense 19.1, Windows 10, McAfee Endpoint Security 10.5. The connection to WAN hangs dramatically (PING as well as download speed).

I moved into a new home, got a new PC and updated to OPNsense V19.1 at the same time. All internet devices are running perfectly with the Netgear router from the internet company. But when I exchange the Netgear router with my OPNsense box the Win PC internet hangs, both over LAN and WLAN, while iPhone, iPad and Android phones are running fine with the OPNsense box. The LAN connection from the PC to the OPNsense box seems to work without problem.

When I disable McAfee endpoint security on the Win PC it also runs fine with PFsense.

Any idea where the incompatibility between OPNsense and the PC can come from?

I am pretty sure that there is nothing wrong with the PC setup as it is a standard configuration of a big corporate running on thousands of PCs in the same configuration.
#20
Hello,

With OPNsense 18.7 I still have the issues on the WAN port with increased PING time until packets are lost and the WAN connection drops. The issue is a known issue related to the igb driver or Intel NIC. In my case it is an Intel NIC i211-AT on a Qotom Q335G4. I see the issue only on the WAN port that is connected to the cable modem AVM Fritz!Box 6490. On the LAN ports connected to a Cisco switch all is fine (I always can reach the OPNsense Web interface via these LAN ports). My first suspect was the modem. But after this was exchanged the issue still is there.

The issue also is reported on the pfsense forum and in this old post here
https://forum.opnsense.org/index.php?topic=5511.msg28687#msg28687

I tried out all recommended tuning parameters, but all without success. I believe I see an improvement but no solution.


/boot/loader.conf.local

kern.cam.boot_delay=10000
kern.ipc.nmbclusters=1000000
hw.igb.num_queues=1
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1
hw.pci.enable_msix=0
hw.igb.enable_msix=0



in optimization parameters

dev.igb.0.eee_disabled=1
dev.igb.1.eee_disabled=1
dev.igb.2.eee_disabled=1
dev.igb.3.eee_disabled=1



Is there anybody working on this topic?
Is there already a solution that helps?


Thank you