Messages - Tubs

#16
Quote from: bartjsmit on September 04, 2022, 09:07:23 AM
What is your risk? If this is a lab setup, do you even process real data?

OK. I see that "lab setup" was misleading. Yes, it is processing real data. There are two private mail accounts on it. I know, there are better ways instead of using an oversized Exchange for this. I called it home lab set-up to avoid any link to corporate use or professional data with hundreds of mailboxes.

Therefore let me rephrase my question:

Are there common and recommended scenarios where the activesync site of IIS in Exchange is directly exposed to the internet without reverse proxy or WAF in front?

Quote
Have you considered a VPN for instance?

Yes. I am even doing it like this. Most secure variant I guess, but also with disadvantages: it drains more battery on the mobile, and the VPN connection is not always stable. Therefore I am looking for other ways.
#17
Hello,

Does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose 'activesync' and 'owa' directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase security, I want to switch to Client Certificate Authentication for activesync.

Option 1: setup client auth on HAProxy.
Option 2: passthrough 'activesync' (separate host/SNI) in HAProxy by TCP mode, do authentication on HAProxy and keep offloading SSL for 'owa' on HAProxy

Option 1 seems to get too complicated for me, as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up with two frontends on the same port, one with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a directly exposed Exchange protected by client certificate authentication as safe against attacks as one behind HAProxy?
#18
Quote from: s0mbra on September 28, 2021, 01:49:13 PM
So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.

I try to achieve something similar and found your post.

What will happen if the client presents a cert that is not valid and you only check if the cert was presented?
Would it be the right way to combine 'ssl_c_used' with 'ssl_c_verify' in your check?
#19
Quote from: Tubs on August 27, 2022, 11:53:27 PM
I only get either offloading or passthrough running, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

After reading a couple of times and trial-and-error, finally I got it running. The key information was written in the chapter:

Quote
6. How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your "NOSSLservice_server" is running in TCP mode.
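As an added illustration of the two points raised in #18 (combining ssl_c_used with ssl_c_verify) and #19 (passthrough and offloading side by side, split on SNI), here is a raw haproxy.cfg fragment. It is example configuration, not from the thread, the PiBa wiki or the OPNsense plugin; the hostnames, addresses, certificate paths and the loopback port 8443 are constructed.

```haproxy
# Added example (constructed hostnames, IPs and paths), raw haproxy.cfg syntax
# rather than the OPNsense plugin GUI.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 443 is owned by a TCP-mode frontend that only peeks at the TLS
# ClientHello SNI; it never terminates TLS itself.
frontend sni_frontend
    bind :443
    mode tcp
    # Wait (up to 5s) for a ClientHello so req.ssl_sni is populated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough: the ActiveSync host goes to Exchange untouched, so
    # Exchange itself sees and validates the client certificate.
    use_backend exchange_passthrough if { req.ssl_sni -i activesync.example.net }
    # Everything else is looped back into the offloading frontend below.
    default_backend https_offload_loop

backend exchange_passthrough
    mode tcp
    server exchange 192.0.2.10:443

backend https_offload_loop
    mode tcp
    # PROXY protocol carries the real client IP across the loopback hop
    server https_frontend 127.0.0.1:8443 send-proxy-v2

# TLS is terminated here. The client certificate is requested but optional,
# so a public site on the same frontend still works without one.
frontend https_frontend
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/haproxy/site.pem ca-file /usr/local/etc/haproxy/client-ca.pem verify optional
    mode http
    acl is_owa         ssl_fc_sni -i owa.example.net
    # ssl_c_used: a client certificate was presented.
    # ssl_c_verify 0: the chain validated against ca-file (0 == X509_V_OK).
    # HAProxy already aborts the handshake when a presented certificate fails
    # verification (unless ca-ignore-err/crt-ignore-err are set), so the
    # ssl_c_verify check is a belt-and-braces guard at the HTTP layer.
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0
    http-request deny if is_owa !cert_presented
    http-request deny if is_owa !cert_valid
    use_backend exchange_owa if is_owa
    default_backend public_site

backend exchange_owa
    mode http
    # Re-encrypt to Exchange; 'verify none' assumes a self-signed backend cert
    server exchange 192.0.2.10:443 ssl verify none

backend public_site
    mode http
    server www 192.0.2.20:80
```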
#20
Could anybody get mixed modes (passthrough and offloading) running with HAProxy under OPNsense in the meantime?

I only get either offloading or passthrough running, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

I guess this instruction for pfsense is exactly what I am looking for. Unfortunately, I am not able to transfer this to OPNsense.

https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Any idea?
#21
Quote from: tcpip on December 20, 2021, 10:23:05 PM
However, performing a backup within Zenarmor, uninstalling and re-installing it and then restoring the backup resolved the issue.

Perfect, this solved my issue. It took me a while to find this help. I already thought I am the only one with this issue.
#22
Quote from: HenrysCat on March 14, 2021, 03:50:07 PM
I am currently using a Lenovo 03X6903 USB 3 but it only shows up as 100baseTX <half-duplex> in the Lobby, looking for one that will connect at 1000 Mbps.

Is it connected to a USB 3.0 port?
Some only establish a 100baseTX link when connected to USB 2.0.
#23
Quote from: Cadish on February 20, 2021, 05:02:05 PM
Adguard is only installed on some devices, not all.

OK, you are talking about AdGuard on client devices. I was talking about AdGuard Home on OPNsense.

Quote from: Cadish on February 20, 2021, 05:02:05 PM
but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...

Resources on the OPNsense box. Performance.
I would like to avoid spending firewall resources two or three times for something that is already done.
#24
Quote from: the-mk on February 20, 2021, 05:35:59 PM
unbounddns > access list, I guess you didn't add your WireGuard network there...

Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.

With my Unbound set-up before, WireGuard was working. After the change to AdGuard DNS, WireGuard was not working any more. On the AdGuard configuration page, the WireGuard network was listed as listening.

But it is solved now. It was some kind of UDP routing issue. The DNS setting on the WireGuard client was not pointing to the WireGuard interface IP. It was pointing to another network on OPNsense. With Unbound this worked. With AdGuard, UDP access was not working. By using a test tool and the TCP port it also worked. After I changed the DNS IP on the WireGuard client to the WireGuard interface IP, it also worked with AdGuard.
#25
I am using AdGuard from this repo. Installation and set-up all fine. I can resolve from my "normal" networks. But I do not get DNS resolution from my client connected through WireGuard.

Before, with Unbound on port 53, it was working. I made no other change than installing AdGuard on port 53 and switching off Unbound.

Any idea where to search?
#26
Quote from: Cadish on February 14, 2021, 08:18:52 PM
I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!

Is there any advantage in using all three of them?
If you use AdGuard, I do not see an advantage of Unbound with a blocking list.
Does Sensei free on top of these give you so much more?

These are serious questions from me. So far I have been using Unbound as forwarder and Sensei free. I am just testing AdGuard and asking myself what Unbound and Sensei could be good for if I used AdGuard.
#27
General Discussion / Re: Best Practices VLANs?
February 19, 2021, 02:12:17 PM
Quote from: IcarusOPN on February 11, 2021, 09:20:17 PM
Any suggestions on best practices to separate the devices?

I would separate the devices into some categories by access needs and by trust.
And then create groups out of it by finding the right balance between simplicity and the security level you want to achieve.

  • only needs a connection to the internet. No connection to or from other devices. (e. g. IoT, guest devices)
  • connection to or from other devices required
  • sensitive devices worth protecting (e. g. server)
  • trusted devices (e. g. PC, phone)
  • untrusted devices (e. g. guest phone and PC)
  • required connection speed (routing PC to NAS might be slow)
  • ...

I personally do not separate wired and wifi devices. As my wifi AP can handle multiple SSIDs and VLANs, I use only one network (VLAN) for wired and wifi devices of the same category.
#28
General Discussion / Re: chronyd
February 15, 2021, 12:42:29 PM
Quote from: siga75 on January 10, 2020, 08:05:56 AM
unrelated to that it would be nice to have, on ntp conf:
- configure peers and not only servers

Chrony now exists as a plugin. I will try it out when I find time.
But the point above is what I am still missing in the current NTP config: peers.
#29
21.1 Legacy Series / gateway monitoring - RTTd bad
February 14, 2021, 05:32:40 AM
Hello,

I noticed bad RTTd values in my local network.

Some days ago, I changed my network configuration. Two networks that were previously directly connected to the OPNsense box are now handled by a L3 switch. Between OPNsense and the L3 switch I added a "transport network", connected directly from NIC to NIC with a 50 cm cable. I added a static route between both devices. I am not using VLAN or LAGG on the OPNsense 20.1.1 box for this connection. But the RTTd values from gateway monitoring are worse in comparison to the values of my WAN connections.

Any idea what could be wrong?
Or could it be related to the way the monitoring is measuring?
#30
It looks like I was thinking too complex.

After further research I found out that in my small network I could do it much more simply: no transport net, and therefore the OPNsense firewall and the L3 switch are directly connected to the two networks between which I would like to route via the L3 switch. Default route to the firewall, and the L3 switch as gateway for hosts in the DMZ and LAN networks.