Messages - hbc

421
German - Deutsch / Re: QR code for guest WLAN
« on: April 04, 2019, 10:15:00 am »
To me, though, the Fritz.Box description reads as if it works without a captive portal. Guests get a separate network (own SSID) with its own fixed PSK.

That means you have the same QR code for all guests, and it stores the SSID, the encryption type and the PSK. At https://qrcode.tec-it.com/de/wifi, for example, you can have such QR codes generated.

But what you want is a QR code that essentially contains the voucher data, and that would have to be generated separately for each individual guest. Besides, it would probably take two QR codes:
  • one QR code that configures the SSID with encryption set to Open (although everyone should manage to connect to an open WLAN on their own anyway)
  • one QR code that then passes the individual login data to the portal via URL parameters (if the captive portal supports that).

I used to export the vouchers as CSV and then had nicely styled vouchers produced with the mail-merge function. That would probably need a plugin for the word processor that can generate QR codes and embed them as images in those vouchers.

Just found something on that: https://blog.egovernment.krzn.de/dynamische-qr-codes-im-ms-office-word-serienbrief-macwindows/

So the remaining question is whether the captive portal's fields can be filled in via URL parameters. Something like https://portal:8000?inputUsername=gast&inputPassword=password&signin
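
The two QR payloads the post describes, as an added example that is not part of the original post: the shared WIFI: code (open or WPA-PSK) with the format's delimiter escaping, and a hypothetical per-voucher portal link. The parameter names inputUsername/inputPassword/signin are the post's own guess, not a documented captive-portal API.

```python
import urllib.parse
from typing import Optional

# Delimiters of the WIFI: payload that must be backslash-escaped (ZXing convention).
_WIFI_SPECIAL = '\\;,":'


def wifi_escape(value: str) -> str:
    """Escape an SSID or PSK so a value containing ';' or ':' cannot truncate or
    re-structure the payload the phone parses."""
    return "".join("\\" + c if c in _WIFI_SPECIAL else c for c in value)


def wifi_qr_payload(ssid: str, psk: Optional[str] = None, hidden: bool = False) -> str:
    """Return the text a Wi-Fi QR code carries: an open network when psk is None
    (the first QR code in the post), otherwise a WPA/WPA2-PSK network
    (the single shared guest code of the Fritz.Box approach)."""
    if psk is None:
        fields = ["T:nopass", "S:" + wifi_escape(ssid)]
    else:
        fields = ["T:WPA", "S:" + wifi_escape(ssid), "P:" + wifi_escape(psk)]
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def voucher_url(base: str, username: str, password: str) -> str:
    """Hypothetical per-guest link (the second QR code in the post). The parameter
    names are the ones the post guesses, not a documented portal API; percent-
    encoding keeps characters such as '&' or '=' in a voucher code from being
    parsed as extra parameters."""
    query = urllib.parse.urlencode(
        {"inputUsername": username, "inputPassword": password},
        quote_via=urllib.parse.quote,
    )
    return base + "?" + query + "&signin"
```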

422
German - Deutsch / Re: IPsec with identical networks
« on: April 02, 2019, 06:54:43 pm »
Sorry, my mistake. I had understood it as the network 192.168.1.0/24 existing on both sides.
Of course you can connect two networks with IPsec. You have to set up a site-to-site VPN.

423
19.1 Legacy Series / Re: 19.1.4 ISO - ZFS install option missing?
« on: April 02, 2019, 04:32:31 pm »
Yes, we run squid and sensei. There are several 10GbE chelsio cards in this machine. Also has dual XEON.  ;)

424
General Discussion / Re: DHCP on WAN with public IP via RFC1918?
« on: April 02, 2019, 04:31:03 pm »
It seems that your ISP uses RFC1918 addresses for transfer networks and infrastructure services.

425
German - Deutsch / Re: IPsec with identical networks
« on: April 02, 2019, 04:27:35 pm »
Off the top of my head I'd say I can't imagine it working without at least doing NAT. After all, the IPs would then presumably exist twice. Why should they go through the VPN tunnel when the same ones are also reachable in the local network?

426
19.1 Legacy Series / Re: 19.1.4 ISO - ZFS install option missing?
« on: April 02, 2019, 04:22:50 pm »
Quote
ZFS should be installed on system that has ecc ram and 8GB min. Do you have such system?

I have 512GB RAM. I think this will not be an issue. I just wonder how a ZFS installation would work.

427
19.1 Legacy Series / Re: 19.1.4 ISO - ZFS install option missing?
« on: April 01, 2019, 09:26:35 am »
Quote
With regards to ZFS: I've just done 2 conversions from vanilla "FreeBSD on ZFS" to OPNSense (opnsense-bootstrap) and they both work as expected, ran the script, rebooted, was in webgui.

Can you write a short guide/tutorial on how to use ZFS in OPNsense? Did you install FreeBSD first and then all this OPNsense stuff, or did you have a script to convert OPNsense to ZFS?

428
19.1 Legacy Series / Re: firewall allow via GEO isn't working
« on: March 30, 2019, 06:38:55 pm »
I think there was a problem with aliases in port forwarding. Maybe you have the same problem.

https://forum.opnsense.org/index.php?topic=12002.0

should be fixed in 19.1.5

429
German - Deutsch / Re: Hardware for a transparent proxy as web filter for 50 clients
« on: March 30, 2019, 06:23:09 pm »
For schools in Baden-Württemberg that are connected via the BelWue research network, there is the following solution/service. The school providers of other states surely offer something similar.

https://www.belwue.de/produkte/dienste/jugendschutzfilter.html

430
German - Deutsch / Re: Hardware for a transparent proxy as web filter for 50 clients
« on: March 29, 2019, 07:39:16 pm »
Quote
Is my plan feasible with OPNsense?
Definitely yes.

Quote
Does OPNsense support HTTPS filtering via SNI, so that I don't have to install an extra certificate?
That works as well. I have it in use here with currently about 100 clients. I have also configured wpad. If the clients configure themselves correctly for the proxy right away, that minimizes the cases where transparent mode can cause problems.

Quote
Would a J3160 quad-core (LES Compact 4L) be sufficient hardware? If not, roughly what would I need?
I can't judge that right now, especially as I found no information on RAM there. I currently run it on a Fujitsu Primergy RX300 S4 with 32GB RAM. Runs great with virus scanning, Suricata and Sensei on top.

You could additionally use OpenDNS or the Bind plug-in to filter sites harmful to minors.

431
Tutorials and FAQs / Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
« on: March 29, 2019, 07:55:34 am »
Quote
I think the missing s is the problem here...

Hell yeah, you were right. Just this little typo. Corrected it and now it switches to the matching peer config with the wanted group.

Perfect!

So I have my ike1-legacy PSK configuration and a new ike2 configuration that works with the Windows built-in client.

Thx

432
Tutorials and FAQs / Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
« on: March 28, 2019, 12:59:55 pm »
Haha. It is the same as in the ones you provided.

ipsec.conf
Code:
config setup
  uniqueids = never

conn mobileIPv4-ike2
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = X.X.X.X
  right = %any
  leftid = vpn.gateway.local
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 172.16.0.0/24
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
  ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
  leftauth = pubkey
  rightauth = eap-radius
  rightsendcert = never
  eap_identity = %any
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  reqid = 1000

conn mobileIPv4-ike2-Employees
  also = mobileIPv4-ike2
  rightgroup = "Employees"
  rightsourceip = 172.16.0.0/24
  leftsubnet = 0.0.0.0/0
  auto = add

conn mobileIPv4-ike2-Admins
  also = mobileIPv4-ike2
  rightgroup = "Admins"
  rightsourceip = 172.17.0.0/24
  leftsubnet = 0.0.0.0/0
  auto = add

strongswan.conf
Code:
starter {
    load_warning = no
}

charon {
    cisco_unity = yes
    plugins {
        eap-radius {
            servers {
                addc1 {
                    address = X.X.X.X
                    secret = "2secret"
                    auth_port = 1812
                    acct_port = 1813
                }
            }
            accounting = yes
            # Activate passing the radius class attribute as rightgroup
            class_group = yes
        }
    }
}

433
Tutorials and FAQs / Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
« on: March 28, 2019, 11:26:43 am »
OK, finally I managed to get a working configuration. Everything is done in the new include directories.

Just enabled IPsec and IKE without further configuration. So ipsec.secrets and ipsec.conf just have the include line. strongswan.conf has some more defaults.

I set up three policies as in the example to assign groups via RADIUS attribute 25 (Class). This works, but it keeps the rightsourceip of the first matched entry.

Code:
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|2> selected peer config 'mobileIPv4-ike2-Employees'
...
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> sending RADIUS Access-Request to server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received RADIUS Access-Accept from server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received group membership 'Admins' from RADIUS
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> reassigning offline lease to 'acme\admin'

The first matching entry mobileIPv4-ike2-Employees is matched. Then RADIUS is done, the group assignment is sent, and now I expect it to switch to mobileIPv4-ike2-Admins and get an IP from the admin pool. But I get an IP address from the mobileIPv4-ike2-Employees pool.

The RADIUS request should be done before selecting peer configuration because the peer configuration depends on the returned class attribute. What am I doing wrong?
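
A check for exactly this symptom, as an added example that is not part of the thread: it walks charon's [CFG] lines per IKE_SA and flags every session whose virtual-IP lease was handed out under a conn whose rightgroup differs from the Class group RADIUS returned. The sample log lines are constructed from the excerpt above, and the "switching to peer config" message is assumed to be what charon logs when it moves to another conn after authentication.

```python
import re
from typing import Dict, List, Tuple

# Conn name -> rightgroup, taken from the ipsec.conf posted in this thread.
CONN_GROUP = {"mobileIPv4-ike2-Employees": "Employees",
              "mobileIPv4-ike2-Admins": "Admins"}

# Constructed sample modelled on the charon lines quoted above (not a real capture):
# SA 7 reproduces the reported symptom, SA 8 is a correctly assigned session.
SAMPLE_LOG = """\
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> selected peer config 'mobileIPv4-ike2-Employees'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received group membership 'Admins' from RADIUS
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> reassigning offline lease to 'acme\\admin'
Mar 28 11:14:02 hbc-gw01 charon: 11[CFG] <mobileIPv4-ike2-Employees|8> selected peer config 'mobileIPv4-ike2-Employees'
Mar 28 11:14:02 hbc-gw01 charon: 11[CFG] <mobileIPv4-ike2-Employees|8> received group membership 'Employees' from RADIUS
Mar 28 11:14:02 hbc-gw01 charon: 11[CFG] <mobileIPv4-ike2-Employees|8> assigning new lease to 'acme\\user'
"""

LINE_RE = re.compile(r"charon: \d+\[CFG\] <[^|>]*\|(?P<sa>\d+)> (?P<msg>.*)$")
# 'switching to peer config' is assumed to be the message charon logs when it moves
# to another conn after authentication; it does not occur in the quoted excerpt.
SELECT_RE = re.compile(r"(?:selected|switching to) peer config '(?P<cfg>[^']+)'")
GROUP_RE = re.compile(r"received group membership '(?P<group>[^']+)' from RADIUS")
LEASE_RE = re.compile(r"lease to '(?P<peer>[^']+)'")


def find_pool_mismatches(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (sa_id, peer, conn in effect, RADIUS group) for each IKE_SA whose
    virtual IP was leased under a conn whose rightgroup differs from the group
    RADIUS returned, i.e. the client landed in the wrong address pool."""
    state: Dict[str, Dict[str, str]] = {}
    hits: List[Tuple[str, str, str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st = state.setdefault(m.group("sa"), {})
        msg = m.group("msg")
        if (sel := SELECT_RE.search(msg)):
            st["cfg"] = sel.group("cfg")
        elif (grp := GROUP_RE.search(msg)):
            st["group"] = grp.group("group")
        elif (lease := LEASE_RE.search(msg)):
            cfg, group = st.get("cfg", ""), st.get("group", "")
            if group and CONN_GROUP.get(cfg) != group:
                hits.append((m.group("sa"), lease.group("peer"), cfg, group))
    return hits
```

Run it over the live log (e.g. the output of clog /var/log/ipsec.log) to see whether a pool/group mismatch still occurs after a configuration change.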


434
General Discussion / Re: Two LAN/subnets; cannot connect from one to other - Firewall rules?
« on: March 25, 2019, 01:38:26 pm »
Routing and dual NAT? Please decide which one you are using.

If you are doing dual NAT, then your 10.0.0.0/24 addresses are rewritten to 192.168.1.100 (1st NAT) and your company clients just see 192.168.1.100 as the source address. When your 10.0.0.0/24 clients connect to the internet, they get rewritten to 192.168.1.100 in the 1st step (1st NAT) on your router2 and in the 2nd step (2nd NAT) to your WAN IP (on opnsense).

Problem: Your company clients cannot reach your private clients without port forwarding. Your company clients just see 192.168.1.100 as the source address, but not the real IP within the 10.0.0.0/24 network.

If you do real routing, you do not need any NAT/masquerading rule on your router2, but proper routes. Your clients in the 10.0.0.0/24 network have router2 as gateway. Every network that is not directly attached (everything other than 10.0.0.0/24) gets forwarded to router2. It will then deliver 192.168.1.0/24 traffic directly to the clients and forward everything else to your opnsense.

And now the important thing about the reverse route. If a client in 10.0.0.0/24 sends traffic to 192.168.1.0/24 with router2 as gateway, everything is perfect this way, BUT your company clients do not know that 10.0.0.x is behind router2. So they send the reply to their default gateway (opnsense). And without a reverse route, opnsense does not know either where to send 10.0.0.0/24 packets and routes them to its default gateway (=WAN), where they get dropped due to the "do not route private networks" policy.

So either you have to tell every company client that router2 is the gateway for 10.0.0.0/24, or you create a static route on opnsense that points to router2.

System: Gateways: Single --> router2 (192.168.1.100)
System: Routes: Configuration --> 10.0.0.0/24 - Gateway router2

Then company clients that want to send traffic to 10.0.0.0/24 forward the traffic to opnsense. opnsense knows that it has to forward packets for this network to 192.168.1.100 (router2), and router2 finally knows 10.0.0.0/24, since it is directly attached.
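
The reverse-route argument above, traced hop by hop with a small longest-prefix-match model, as an added example that is not part of the original post. router2 (192.168.1.100) and the prefixes come from the post; the OPNsense LAN address and the upstream WAN gateway are assumed values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Addresses from the post; the OPNsense LAN address and the upstream gateway are
# not given there and are assumed (documentation range for the WAN side).
ROUTER2 = "192.168.1.100"
OPNSENSE = "192.168.1.1"
WAN_GW = "203.0.113.1"

Route = Tuple[str, str]  # (prefix, next hop); "direct" means directly attached


def lookup(table: List[Route], dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match over a small routing table."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace_reply(dst: str, with_static_route: bool) -> List[str]:
    """Follow a company client's reply toward dst hop by hop and report where it ends."""
    opn: List[Route] = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", WAN_GW)]
    if with_static_route:  # System: Routes: 10.0.0.0/24 -> gateway router2
        opn.insert(0, ("10.0.0.0/24", ROUTER2))
    tables = {
        "company-client": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", OPNSENSE)],
        OPNSENSE: opn,
        ROUTER2: [("192.168.1.0/24", "direct"), ("10.0.0.0/24", "direct"),
                  ("0.0.0.0/0", OPNSENSE)],
    }
    node, path = "company-client", []
    for _ in range(5):  # bounded so a misconfiguration cannot loop forever
        net, nh = lookup(tables[node], dst)
        if nh == "direct":
            path.append(f"{node}: {net} directly attached, delivered")
            return path
        if nh == WAN_GW and ipaddress.ip_address(dst).is_private:
            path.append(f"{node}: only the default route via WAN matches, dropped (private destination)")
            return path
        path.append(f"{node}: {net} via {nh}")
        node = nh
    path.append("routing loop")
    return path
```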



435
Tutorials and FAQs / Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
« on: March 25, 2019, 11:39:06 am »
Quote
opnsense-patch acdf14e
opnsense-patch a4d157d
opnsense-patch dfd48d2

This bunch of patches worked. Now I will see whether includes work. How about HA? Do I have to sync ipsec.opnsense.d folder myself or is it done by config sync?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved