Messages - hbc

151
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: February 27, 2020, 03:42:14 pm »
Quote from: mb on February 27, 2020, 03:28:36 pm
Bringing High Availability Clustering support, better Ad Blocking, more improvements and some bug fixes; Sensei 1.4 release is out for OPNsense.

Is HA cluster support a premium feature?

I just get "The changes have been applied successfully, remember to update your Sensei backup FW in System: Sensei/Configuration/HA", but I have no "Sensei/Configuration/HA" tab and 'System: High Availability: Settings' has no Sensei option to check for sync.

152
20.1 Legacy Series / Re: CARP + IPv6 Router advertisements
« on: February 27, 2020, 01:34:03 pm »
I see your problem. I think my test ping6 just works, because icmp is stateless anyway and needs separate rules in/out. So it does not matter which fw is passed on return.

Did you try RA HIGH in primary and RA LOW on backup as RA priority? Instead of normal and low?

153
20.1 Legacy Series / Re: CARP + IPv6 Router advertisements
« on: February 27, 2020, 10:34:05 am »
IPv6 and RA usually use local-link addresses for routers. That is correct. Usually you even would not need CARP for default gateway redundancy, since clients collect RA from all routers and those that are on-link and store at least two for use.

I just checked my servers and they just have the link-local addresses of both carp members, but no other global ipv6 addresses.

Quote
To limit the storage needed for the Default Router List, a host MAY choose not to store all of the router addresses discovered via advertisements.  However, a host MUST retain at least two router addresses and SHOULD retain more.
https://tools.ietf.org/html/rfc4861

In a test where the backup device was used as gateway, there were no issues, since states from primary gateway were sync'ed via pfsync. So asynchronous routing should not be any issue if cabling is correct.

BTW: RA interface option does not mean that the vip ip is advertised as gateway. It is just the interface ra daemon should bind to and generate RA for and IMHO it is just a (useless) cosmetic thing in gui. If you have a look at the generated radvd.conf in /var/etc, you will not see any vip interface, just the physical one and it does not make any difference if you select OPT directly or OPT_vip. The generated configuration will not change.

Edit: Correction -> changes are made

Code:
--- radvd.conf-novip    2020-02-27 16:25:32.993687000 +0100
+++ radvd.conf-vip      2020-02-27 16:24:50.078941000 +0100
@@ -262,11 +262,14 @@
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        prefix 2002:db0::/64 {
-               DeprecatePrefix on;
+               DeprecatePrefix off;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
+       route ::/0 {
+               RemoveRoute off;
+       };
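Review bot: both `+` changes alter what radvd does when it shuts down, and the diff carries no note of that. `DeprecatePrefix off` means the prefix is no longer announced as deprecated in the final RA, and `route ::/0 { RemoveRoute off; }` means the default route is not announced with a zero lifetime either, so hosts keep both when radvd on this node stops. If that is what selecting the VIP is meant to do in the CARP case, a one-line comment next to the diff saying so would help. The hunk also stops short of the 11/14 lines announced in the `@@` header, so the end of the interface block is not visible.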

154
General Discussion / Re: Bandwidth Limit
« on: February 27, 2020, 07:50:36 am »
https://docs.opnsense.org/manual/how-tos/shaper.html
https://docs.opnsense.org/manual/shaping.html

155
Web Proxy Filtering and Caching / Re: Missing web filter menu
« on: February 24, 2020, 02:38:33 pm »
Like the title of the videos says 'Web Filter Plugin', you need to install this plugin. I never saw this menu entry in Core installation. Maybe you should watch part 1/2 of web filter plugin and see where to get and how to install it.

Edit:

I just googled 'web filter plugin opnsense' and hard to believe, but the first hit was https://github.com/cloudfence/opnsense-webfilter-community-plugin. And I don't think it is a coincidence that the videos were from cloudfence and the plugin either ;D

156
Web Proxy Filtering and Caching / Re: Missing web filter menu
« on: February 24, 2020, 10:57:22 am »
What do you mean with web filter? This: https://docs.opnsense.org/manual/how-tos/proxywebfilter.html

Just open the tab 'Remote Access Control Lists' like described.


157
20.1 Legacy Series / Re: Feature request: generate URL table alias from AS Numbers
« on: February 22, 2020, 08:31:20 pm »
Just use http://asn.blawk.net/ for your URL table

e.g. http://asn.blawk.net/2906 to get list of ASN 2906 networks (Netflix)

158
20.1 Legacy Series / Re: Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: February 19, 2020, 10:47:35 pm »
What a bullshit. It is a cluster and shall behave like one system. If I configure shit, both machines should have this issue, then it is found faster.

ATM I have more issues due to forgotten syncs than by malconfiguration. And you are right. Sync must be monitored.

Hard to believe that after failover firewall behaviour changes because of a forgotten sync.

And additionally there should be a big sync button on each page that supports ha sync - as shortcut AND reminder.

159
20.1 Legacy Series / Re: Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: February 18, 2020, 03:17:49 pm »
Does the sync work for you? In 19.7 I could create CARP, firewall rules and DHCP settings and when hitting save, it got sync'ed to backup node. - Except for a few settings everything got sync'ed by clicking save to backup.

ATM I have to manually sync every time when changing things. Pretty annoying when updating rule sets. Too easy to forget a sync and backup running asynchronously.

160
Development and Code Review / Re: IPAM
« on: February 11, 2020, 03:11:31 pm »
phpIPAM is for documentation. Without further automation, you have to document your vlan in phpIPAM and create it on your network (switches and firewalls).

I added scripts for DHCP and DNS, so static dhcp entries can be exported to ISC DHCP and ISC BIND server.

161
General Discussion / Re: home network with two opnsense firewalls, and split- DNS
« on: February 06, 2020, 01:55:50 pm »
.oO(Small home project with this company like network schema?)

162
General Discussion / Re: NAT - change rule if internal server is down
« on: February 05, 2020, 04:28:21 pm »
If you run a 2nd OPNsense as carp cluster and same haproxy config, it will work. That's how I do it.

Just be aware that haproxy is not sync'ed with built-in ha-settings sync. You have to manually replicate your haproxy config.

163
General Discussion / Re: NAT - change rule if internal server is down
« on: February 04, 2020, 10:25:51 am »
Use haproxy or nginx and reverse proxying for this. Then you do not need NAT, but terminate your HTTP-session on the firewall which will forward your request to the living system.

In haproxy it's pretty easy. Create a pool with 192.168.1.10 and 192.168.1.11, define one as active, the other as backup. Point your DNS record to your firewall and configure haproxy to listen on it.

Now it forwards your request to the living one, monitors both servers (you can define keep-alive method) and switches if the active one fails.
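The active/backup pool described in this post, written as a raw haproxy.cfg fragment. This is an added example, not part of the original post and not the configuration the OPNsense plugin generates. The listen address 203.0.113.10, port 80, the section and server names and the health-check request are assumptions; only the two backend addresses come from the post.

```haproxy
# Constructed example: names, bind address, port and check URL are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www_in
    # Address on the firewall that the DNS record points to (placeholder).
    bind 203.0.113.10:80
    default_backend www_pool

backend www_pool
    # Active health check: a server counts as alive only while this request
    # gets a 2xx/3xx response.
    option httpchk GET /
    # Active server: receives all traffic while its checks pass.
    server web1 192.168.1.10:80 check inter 2s fall 3 rise 2
    # Backup server: used only when no non-backup server is up.
    server web2 192.168.1.11:80 check inter 2s fall 3 rise 2 backup
```

With `fall 3` and `inter 2s`, web1 is marked down after three failed checks in a row, roughly six seconds, and traffic returns to it once two consecutive checks pass again.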

164
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 30, 2020, 02:39:35 pm »
Question:

What system privileges are needed to display / restrict sensei pages? I have several groups with just access to certain pages (viewonly, voucher creation, basic operation, etc.)

There exist no predefined privileges for sensei. I want just to allow reports and status. Without possibility to edit settings.

How can I restrict that?

165
General Discussion / Re: NAT issue using aliases
« on: January 20, 2020, 09:53:55 am »
And your scripts always return content? No timeouts that may create empty results?

If static aliases work, I would assume either empty script results or problems with merging the aliases into 'https_www_proxied_hosts'
