Messages

106

General Discussion / Re: Updated Zabbix Proxy and Agent

« on: March 29, 2024, 06:49:31 pm »

I hear Mimugmail, but my problem is that I have a server/proxy mismatch and its causing me data issues. I did not realize this, so was hoping I could update OPNsense now.

107

General Discussion / Re: Network Time Service

« on: March 29, 2024, 06:48:25 pm »

I can ping the names, and coincidentally doing that showed me which groups respond quicker, but they always show Unreach/Pending. It never changes.

108

General Discussion / Updated Zabbix Proxy and Agent

« on: March 29, 2024, 04:47:28 pm »

Morning all,

Is there a way to update FreeBSD with the latest Zabbix agent and proxy? Right now the plugins are 6.4.12 and there is an update to 6.4.13. My main Zabbix server has been upgraded to 6.4.13 and its causing a data mismatch.

I tried pkg search zabbix but its only showing 6.4.12.

Thanks,
Steve

109

General Discussion / Network Time Service

« on: March 29, 2024, 03:51:46 pm »

Should I be worried that none of the OPNsense groups were reachable?

110

General Discussion / ClamAV and SaneSecurity

« on: March 29, 2024, 12:34:19 am »

Hello all,

I am trying to setup ClamAV to use the Sane Security AV signature list. I understand I need to add a URL but what URL? I cannot find anything on their website, so I was hoping someone has this configuration running and can point me in the right direction?

Thanks,
Steve

111

High availability / Re: HA in a VMware Service Provider Cloud

« on: March 27, 2024, 04:55:36 pm »

Thank you @mimugmail!

Do you or anyone else know if I could use the Virtual IP functionality, without full on HA? What I would like to do is build a single node, but set it up with VIPs, so when support comes I can just add a second node and away I go.

112

High availability / HA in a VMware Service Provider Cloud

« on: March 27, 2024, 03:55:48 pm »

Hello all,

I am deploying OPNsense in a service provider cloud. I have no ability to have promiscuous mode turned on. Does this preclude me from running HA in this cloud? Is there any way to use unicast to handle HA, like Fortinet does with their firewall VMs?

Thanks,
Steve

113

High availability / Re: Can I Use HA to Build Second Node?

« on: March 26, 2024, 08:44:10 pm »

A couple more questions...

1) I have set the primary node's advbase to 1 and advskew to 0. I have set the secondary node's advbase to 100 and left the advskew at 0. Is this ok?

2) I removed Virtual IPs from the sync process bc what I was noticing is that the VIPs on the secondary side would have their advbase and advskew changed back to the primary. This would take the secondary and think it was a master. Is this ok?

3) Should I be able to ping the VIPs associated with the interfaces? I have a PC that is part of a segment that has a VIP. If I ping the VIP I get nothing. I can ping the hard IPs without issue.

114

High availability / Re: OPNsense Hostname and HA

« on: March 26, 2024, 08:32:02 pm »

Thanks...will continue to treat as separate when it comes to managing them via GUI. Yes VPN  is set to be contingent on WAN VIP.

115

General Discussion / Re: Reverse Proxy Question

« on: March 26, 2024, 07:27:20 pm »

- Literally the biggest thread on the whole forum is about people who use HA-Proxy. https://forum.opnsense.org/index.php?topic=23339.0
- If you are most familiar with NGINX then use it, even if you don't need all the features, it's always good to have flexibility.

Fabulous...thank you!

116

High availability / Re: Can I Use HA to Build Second Node?

« on: March 26, 2024, 07:10:17 pm »

Figured it out...

As part of my build out of the first node I set the HTTPS port to 8443. Being I did not build out the second node it was defaulting to 443. So make sure your HTTPS port is the same on both nodes.

Now my last question...should Disable Preempt being checked or unchecked on the second node? I feel like it should be checked but its worded in a way that is confusing me.

117

High availability / Re: Can I Use HA to Build Second Node?

« on: March 26, 2024, 06:49:48 pm »

OK my first problem in getting this config running...

I cannot get the HA/Status screen up. It never shows up. I believe this is a cannot get the GUI of the other machine but not sure how to troubleshoot this.

118

Intrusion Detection and Prevention / Error Msg on OPNsense Console??

« on: March 26, 2024, 06:24:32 pm »

Hi all,

I am seeing this message many times on my OPNsense console:

iflib_netmap_config txr 2 rxr 2 txd 512 rxd 512 rbufsz 2048

Is this a Suricata issue?

Thanks,
Steve

119

Intrusion Detection and Prevention / IDS for VPN?

« on: March 26, 2024, 04:42:14 pm »

Morning all,

Is it advisable to enable IDS over the VPN connection? I know it sounds weird but I am protecting my internal networks, why not VPN?

Thanks,
Steve

120

General Discussion / Reverse Proxy Question

« on: March 26, 2024, 04:17:32 pm »

Morning all,

As I migrate some web/app servers to new platforms I am also building new firewall infrastructure to support them. Right now my reverse proxy sits on individual app servers, which makes management kind of crazy. As part of the re-platform I would like to centralize my reverse proxy on my OPNsense firewall infrastructure.

I see there are a few options, like Caddy, NGINX, and HAPROXY in the plugins. I am wondering if anyone has any input into which one to use. I am most familiar with NGINX but there is alot of functionality that I would not be using. Has anyone used HAPROXY?

Thanks,
Steve