OPNsense Forum
Messages - Vilhonator

106
22.1 Legacy Series / Re: Netflix on TV not working after using Unbound DNS Blocklist
« on: June 28, 2022, 06:41:07 am »
Unless you are using Linux or Mac, I would recommend removing the Windows SpyBlocker blocklists (they literally block everything Microsoft-related, even updates, e-mail, the Xbox app and the Windows Store).

Also, one of the blocklists could be blocking Netflix, so de-select the blocklists one by one and restart Unbound after each try until it works.

In the advanced settings there is an option to use custom blocklists, so I would recommend using some of those instead.

107
21.7 Legacy Series / Re: Wildcard certificate not applied to all services
« on: June 27, 2022, 05:10:18 pm »
Sorry, can't help with that. I would contact the certificate issuer and ask Google for help as well.

OPNsense isn't able to force any certificates on you (it doesn't even check whether you are using a valid certificate or not; when you send a certificate validation request to Google, OPNsense will send it even if it's invalid, and the response you get is how Google sees it).

Proxy certificates, VPN certificates etc. are all authenticated by the servers, not the firewall (unless you are using the IPS function). On its own, a firewall only blocks, rejects, passes and forwards traffic based on the rules it has.

108
21.7 Legacy Series / Re: Wildcard certificate not applied to all services
« on: June 27, 2022, 03:15:50 pm »
Also, you don't have to use a certificate for your mail.mydomain.com and out.mydomain.com if the mail address which you send mail to is admin@mydomain.com.

mail.mydomain.com and out.mydomain.com are just something you need to add to the DNS records to tell which server receives mail and which sends it; inbox and outbox both use the FQDN certificate, at least to my knowledge.

109
21.7 Legacy Series / Re: Wildcard certificate not applied to all services
« on: June 27, 2022, 03:10:45 pm »
Quote from: tz-mbc on June 27, 2022, 02:37:29 pm
<<All I had to do to get certificates was to add the domain key provided by my mail server provider to the DNS records.>>
That's for the DKIM keys I think? My issue is related to establishing a TLS connection between Gmail and my server.

Does your mail have DMARC records in its DNS? If it's just a matter of Google not trusting your certificate, it might be due to a lack of DMARC records. I know that relays are not trusted 100% without any proof that they aren't being used to spam.

https://mxtoolbox.com/ has good free tools for checking the MX records and DMARC, and dmarcian.com helps you with that.

Other than that, the issue isn't in the firewall (as long as you can send and/or receive mail using another mail service, it means things work; Google is just quite strict about these things since a lot of people used to use their mail for spamming and scams).

You will have to check your domain's info to see if it supports wildcards. Wildcard certificates are used to assign the same certificate to an FQDN and x amount of its subdomains.

You won't be able to assign wildcard certificates for domains whose providers do not allow it. I would recommend contacting your domain provider, server customer support and certificate provider about this.

110
21.7 Legacy Series / Re: Wildcard certificate not applied to all services
« on: June 27, 2022, 01:26:28 pm »
If you have used Let's Encrypt to sign those certificates, then you need to go to the Let's Encrypt settings and check that the certificate in question has mydomain.com as the FQDN and the alias contains mail.mydomain.com and out.mydomain.com.

You also must make sure that the domain you registered has wildcard support (some domain providers charge extra for that).

If you don't use Let's Encrypt, then you need to contact your certificate provider and ask them for assistance.

I don't run my own mail servers, so I can't tell exactly how certs work on mail servers. All I had to do to get certificates was to add the domain key provided by my mail server provider to the DNS records.

111
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 25, 2022, 03:48:56 pm »
Also, if you use an Intel motherboard which has ECC RAM support, then it definitely has a network chip with VLAN support.

All Intel motherboards which support ECC RAM are designed for servers and workstations.

112
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 25, 2022, 03:44:00 pm »
Quote from: Ice_Drake1 on June 25, 2022, 10:59:24 am
Quote from: Vilhonator on June 25, 2022, 08:22:50 am
If your server needs access to different networks and you want to restrict access from certain computers, that's an easy thing to solve.

If you want to avoid having to buy an expensive multiport server NIC, check if its current one supports IEEE 802.1Q (that's the standard VLAN tag support), set up VLANs on the switch and on the server, and that's it.

The downside to that is that you need to set up VLANs (if you haven't), which isn't that hard, but it is a lot of work.


Yeah, troubleshooting VLANs is even more of a pain. I had an issue where I forgot to place a VLAN on a trunk port. It caused a particular untagged port at the other end to have no connection to its DHCP server. I spent hours trying to figure out why that was the case. I eventually realized that I was looking in the wrong place.

I used to set up the server as a VM with three separate Ethernet ports, one for each network. Now that I have replaced that server with a physical one, I only have one port. Since I don't think I can set up that port as a VLAN trunk, I ended up giving that server special network access to the other devices on the other networks.

Check the model of the network chip that server has; many of them have VLAN support. If you bought a workstation- or server-grade motherboard (ASRock Pro, Asus Prime, Creator or WS, and Supermicro motherboards are the ones I know are workstation and server motherboards) or an actual server, their built-in network chips do have VLAN support.

Nowadays pretty much any modern motherboard network chip has VLAN support.

113
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 25, 2022, 09:08:09 am »
Oh, and I use 192.168.1.1 etc. as an example.

You can use any IP range which is reserved for private networks; 192.168.1.0/24 is just the most common. https://www.ionos.com/help/server-cloud-infrastructure/private-network/private-ip-address-ranges/ <---- you can use any of the ranges in question for private networks.

114
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 25, 2022, 09:01:42 am »
As for firewall rules:

You use firewall rules ONLY to allow access from network A to network B and to block access from network A to the web GUI, SSH or any remote management of the firewall. You won't be able to use firewall rules to block network A gaining access to devices in network A; for that, the firewall on the device in question (if it has any) would have to block the access, or you would have to use a switch with ACL (Allowed connections list) support which blocks it.

You can use external DHCP servers though, if your firewall's LAN IP is 192.168.1.1 and it already has a working route for 192.168.0.0/16. When you connect a computer with 192.168.2.20 to LAN, you are able to access the internet (if the LAN firewall allows it).

Every rule that has LAN net as source and/or destination is applied to any device connected to the LAN port (it isn't bound to IP addresses), so you can set up an external DHCP server with routes which gives clients a different IP address than the LAN on the firewall has. I don't know exactly how it's done because I have never done it, but I think that only requires routes, or if it doesn't work out of the box.

It's easy to test: you can create a virtual machine with IP 192.168.2.1, a DHCP server whose pool is 192.168.2.0/24, and routing; set up a route where the destination network 192.168.0.0/16 goes to 192.168.1.1; then go to OPNsense, add gateway 192.168.2.1, create a route where the destination 192.168.2.0/24 goes to 192.168.2.1, and see if it works.

Yes, it is possible to use the OPNsense firewall without the DHCP function, and you don't even have to use the same IP range as OPNsense has; it's possibly just more complicated to set up and requires quite a bit of routing.

115
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 25, 2022, 08:22:50 am »
If your server needs access to different networks and you want to restrict access from certain computers, that's an easy thing to solve.

If you want to avoid having to buy an expensive multiport server NIC, check if its current one supports IEEE 802.1Q (that's the standard VLAN tag support), set up VLANs on the switch and on the server, and that's it.

The downside to that is that you need to set up VLANs (if you haven't), which isn't that hard, but it is a lot of work.

Now, if you don't mind searching for deals, you can check if there are cheap pre-owned NICs available.
I can recommend ones that have the Intel I350 chip. The Intel Ethernet I350-T4 (T4 means it has 4 ports), for example, is around 250€ if you buy it brand new, so a pre-owned one wouldn't cost much over 150€; I350-T1 cards cost around 50-100€, so unless you need more than 2 ports, it's cheaper to just buy a single-port NIC. The only thing you have to check is which features and network protocols it supports; I would recommend ones with IEEE 802.1Q (also known as VLAN tag) and Jumbo Frames, that way you know it's at least suitable for servers like a NAS.

If your server has enough physical ports, you don't need VLANs; you can connect each port to a different network. The only downside would be that the server OS you use (like TrueNAS) won't allow you to use DHCP on more than one port, and you have to set up static IPs manually and add those IPs to the DHCP servers' reservation list or choose IPs outside the DHCP pool range.

The only reason you would need to allow access from network X to all networks (or IP X to all networks) is to be able to do some diagnostics, access management and test that connections work.

Allowing a server to access certain networks is done with VLANs or by having multiple Ethernet ports on the server.

116
General Discussion / Re: How to setup DDNS?
« on: June 24, 2022, 12:37:36 pm »
Quote from: flac_rules on June 22, 2022, 11:05:50 pm
Quote from: Vilhonator on June 22, 2022, 03:31:38 pm
Try disabling "Force SSL". Some DDNS providers don't work if you have that enabled; if HTTPS is something you must have, then Namecheap works just fine for it.

Thanks, this at least gave me some new errors :)

Like "Failed to update. Server said: 'KO'"
and "WARNING: Wait at least 5 minutes between update attempts"

Despite the update time being 6 minutes, any idea what can be wrong here?

From that I would say it's either a bug in the DDNS client, the service in question doesn't accept non-SSL connections, or (hopefully) you have tried to renew the IP too many times.

117
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 24, 2022, 12:28:32 pm »
If you don't need access from your computer to all networks, I would recommend leaving 1 LAN port for management and using VLANs on the other LAN port. This way you can allow the management LAN to have access to all VLANs, and all you have to do is connect your computer to the management LAN whenever you need access to it.

Think of it this way: to make networks as secure as possible, gaining access to different networks should require you to physically connect a computer to the right network, not just allow a specific IP, since IPs can be changed and MAC addresses can be cloned.

118
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 24, 2022, 12:18:04 pm »
Quote from: Ice_Drake1 on June 24, 2022, 07:56:59 am

Makes sense. However, I never managed to figure out how the routing is handled and its syntax. I managed to get the job done with the firewall rules.

Following the approach of setting up the gateway for each network, how would I go about setting up only one device with a particular IP address like 192.168.2.10 to be able to access 192.168.5.0/24 and certain devices on another network like 192.168.4.10 and 192.168.4.50? I was able to handle this easily with firewall rules.

If 192.168.2.10 is on LAN3 and 192.168.5.0/24 is LAN5, you can set 192.168.2.10 to be able to access LAN5 by going to the LAN5 firewall rules and creating a block rule where the direction is in, the source is LAN3 net and the destination is LAN5 net. Move the new block rule above the default allow-all rule.

Then create a host alias, type in 192.168.2.10, and go back to the LAN5 rules; this time create a pass rule where the direction is in, the source is the alias you created and the destination is LAN5 net. Move the pass rule above the block rule and test if it works. Now 192.168.2.10 should be the only IP that can access LAN5, and you need to do the same thing for each network except LAN3.

The firewall applies rules based on order; by default the order is from top to bottom, so any block rule should be above the "allow any to LAN" rule, and any "allow specific IP" rule above the block rule which contains the range of IPs or the network where the IP lies.

Do keep in mind that "x net" is not bound to IPs, so with this set of rules you are able to access LAN5 from any computer on LAN2 as long as its IP is 192.168.2.10; for more specific protection (like MAC address filtering) you will need a switch which has MAC address ACL support.
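As an added example (not code from this post or from OPNsense), a small first-match evaluator for the three-rule ordering the post describes: the pass rule for the host alias sits above the block rule for LAN3 net, which sits above the default allow rule. It assumes the GUI rules are "quick" (first match wins, top to bottom), uses constructed addresses, and lets an "any/any" pass rule stand in for the default allow rule; because only the source address is inspected, it also shows the post's closing caveat that any host presenting 192.168.2.10 is passed.

```python
import ipaddress

# Constructed example data (not from the post): a host alias and the interface nets.
ALIASES = {"srv_lan3": ["192.168.2.10"]}
NETS = {"LAN3 net": "192.168.2.0/24", "LAN5 net": "192.168.5.0/24"}


def matches(spec, addr):
    """True if addr is covered by the alias, interface net, or literal CIDR in spec."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if spec in ALIASES:
        cidrs = ALIASES[spec]
    elif spec in NETS:
        cidrs = [NETS[spec]]
    else:
        cidrs = [spec]
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(rules, src, dst):
    """Quick (first-match) evaluation top to bottom; block when nothing matches."""
    for action, src_spec, dst_spec in rules:
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action
    return "block"


# Ordering from the post: alias pass above the net-wide block, block above default allow.
RULES_GOOD = [
    ("pass", "srv_lan3", "LAN5 net"),
    ("block", "LAN3 net", "LAN5 net"),
    ("pass", "any", "any"),  # stands in for the default "allow any" rule
]

# Same three rules with the default allow left on top: the block is never reached.
RULES_BAD = [
    ("pass", "any", "any"),
    ("pass", "srv_lan3", "LAN5 net"),
    ("block", "LAN3 net", "LAN5 net"),
]


def check_ordering():
    """Verdicts that show why rule order matters; only the source IP is inspected."""
    return {
        "good_alias_host": evaluate(RULES_GOOD, "192.168.2.10", "192.168.5.7"),  # pass
        "good_other_lan3": evaluate(RULES_GOOD, "192.168.2.11", "192.168.5.7"),  # block
        "good_other_net": evaluate(RULES_GOOD, "192.168.4.10", "192.168.5.7"),  # pass, LAN4 not restricted yet
        "bad_other_lan3": evaluate(RULES_BAD, "192.168.2.11", "192.168.5.7"),  # pass, block is shadowed
    }
```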

119
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 24, 2022, 07:31:55 am »
Also, if you have multiple routers and switches each connecting to different networks, then you need to check the routes more carefully.

Things are simple when you have just a firewall to which the switches are connected; as soon as you add another router into it, things get more complicated because of routing, due to the fact that many manufacturers use the default 192.168.1.0/24 network on their routers.

120
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 24, 2022, 07:10:25 am »
I did test this, and defaultuserfoo is correct. You don't need rules to allow access between devices on the same network because the firewall doesn't block communication within the same network.

The way you allow communication between 2 different networks is by creating routes.

If you have LAN5 with an IP range of 192.168.5.0/24 and LAN3 with 192.168.3.0/24, the reason why you can't ping devices in a different LAN is because they are in a different network.

All you need to do is add either the LAN5 or the LAN3 interface to gateways and create a route where the destination is 192.168.0.0/16 and the gateway is the IP of whichever LAN you have added as a gateway.

The default "allow any to LAN" rule will allow all traffic to any network, so if you are unable to ping, it's due to gateway misconfiguration or you are missing a route.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved