Messages - reep

31
16.7 Legacy Series / Re: Firewall rule logic
« on: August 11, 2016, 02:53:53 am »
Ok,

It seems I do need a NAT Port Forward rule and set it as follows:

Interface : WAN1
Destination : WAN1 (This is the destination IP address seen in the Logs - e.g. my WAN IP address)
Source Port Range: any
Dest Port Range : HTTPS - HTTPS
Redirect Target IP : my server IP
Redirect Target port : HTTPS

Pic of the result attached.

Odd that you can't set it for all WAN addresses like you can a normal port but easy enough to duplicate.

Any further info gratefully received (e.g. I did something really stupid) !

B. Rgds
John

32
16.7 Legacy Series / Re: Firewall rule logic
« on: August 10, 2016, 10:14:02 pm »
Hi Bart,

thanks for replying. I'm a know-nothing on firewalls :-)

Can you explain the difference between setting up a straightforward rule, and setting up a NAT rule ?

On my current Draytek 3300 I just have some simple rules that forward various ports to a couple of internal servers e.g. IMAPS, SMTP, HTTPS, SSH etc Pic attached.

I have two WAN ports each with a public IP. Some ports get forwarded from either WAN port, and some depending on which WAN port they arrive on.

I just wanted to recreate those in OPNsense. My guess is I can just create a simple firewall forward rule and do not need to bother with NAT rules as I do not need a 'Redirect Target IP/Port' ?

Funny - you get so used to something it seems second nature, and then you try a new system and it takes a while to get your head around it.

Any help gratefully received !

B. Rgds
John

33
Development and Code Review / Re: Interface display order
« on: August 10, 2016, 09:43:01 pm »
Thanks ! I'll give it a whirl.

B. Rgds
John

34
Development and Code Review / [SOLVED] Interface display order
« on: August 10, 2016, 04:21:23 pm »
Remember this when I played with earlier versions (https://github.com/opnsense/core/issues/199)

The first WAN interface is called 'wan' by the system with further interfaces then being called optx.

Despite being able to change the description of the interface the actual sort order does not change.

So for example in Firewall rules you get

WAN1   LAN   WAN2   WAN3   IPSEC

I found a solution was to manually rename and sort each interface in the <interfaces> in:

/conf/config.xml

I then renamed any references

e.g.

wan -> wan1
opt1 -> wan2
opt2 -> wan3

I then updated any relevant pages e.g. interfaces/gateways to resave and regenerate any configs e.g. firewall rules.

I now have nicely sorted interfaces everywhere :-) Only a small thing but looks SO much better and everything is more logical, and where you expect to find it.

It is better to do it as soon as you have assigned your interfaces and before you do any other configuration.

Not sure how to suggest fixing this - happy to create a bug if you think it is worth a NFR ?

B. Rgds
John
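
As an added example (not code from the original post or from the OPNsense project): after hand-renaming interfaces in /conf/config.xml as the post above describes, a leftover reference to an old name is easy to miss, so this script lists every reference that no longer matches a defined interface. The sample XML is constructed, and treating `<interface>` elements (optionally comma-separated) as the only place references live is an assumption; a real config may reference interfaces elsewhere.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real OPNsense config: interfaces already renamed
# as in the post, with one filter rule still pointing at the old "opt1".
SAMPLE = """<opnsense>
  <interfaces>
    <wan1><if>em0</if><descr>WAN1</descr></wan1>
    <wan2><if>em1</if><descr>WAN2</descr></wan2>
    <lan><if>em2</if><descr>LAN</descr></lan>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan1</interface><name>GW_WAN1</name></gateway_item>
  </gateways>
  <filter>
    <rule><interface>wan1</interface><descr>HTTPS in</descr></rule>
    <rule><interface>opt1</interface><descr>SMTP in</descr></rule>
    <rule><interface>wan1,wan2</interface><descr>both WANs</descr></rule>
  </filter>
</opnsense>"""


def defined_interfaces(root):
    """Names of the child elements of <interfaces> (wan1, wan2, lan, ...)."""
    section = root.find("interfaces")
    return {child.tag for child in section} if section is not None else set()


def dangling_references(xml_text):
    """Return (path, name) for each <interface> value naming no defined interface."""
    root = ET.fromstring(xml_text)
    known = defined_interfaces(root)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter("interface"):
        # Assumption: a value may list several interfaces separated by commas.
        for name in (elem.text or "").split(","):
            name = name.strip()
            if name and name not in known:
                found.append((f"{parents[elem].tag}/{elem.tag}", name))
    return found


if __name__ == "__main__":
    for path, name in dangling_references(SAMPLE):
        print(f"{path}: '{name}' is not defined under <interfaces>")
```

Run it against a copy of the configuration rather than the live file, and treat any hit on a firewall or NAT rule as something to fix before reloading the ruleset.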

35
16.7 Legacy Series / Firewall rule logic
« on: August 10, 2016, 12:26:24 pm »
Been messing with firewall rules and some things don't quite make sense

If I create a Port Forward in the NAT section, it appears in the Firewall Rules section but cannot be edited from there. Is there any point, assuming that any rules created in NAT are just firewall rules, period? Or is there some difference somewhere that I have missed?

Wouldn't it just be simpler for me to create a Firewall rule and not bother using the Port Forward section or does a NAT rule do something different?

Under Port Forward rules you have 'Destination' and 'Redirect Target IP'. It isn't apparent what the difference is (there is no help text for 'Destination'). I presume that for a simple rule the Destination should just be the WAN address ?

It's probably all good if you know the system, but coming at it fairly blind it isn't that obvious !

B. Rgds
John



36
Development and Code Review / Re: How to add mc ?
« on: August 09, 2016, 11:25:00 pm »
Quote from: phoenix on August 09, 2016, 12:54:37 pm
Running "pkg search mc" should get you what you need.

Awww damn. Noob question :-(

Sorry... too stuck in my linuxy ways !

pkg install mc-light

Many thanks.

B. Rgds
John

37
16.7 Legacy Series / Re: sshd missing ?
« on: August 09, 2016, 11:17:58 pm »
Grrrr.... thanks !

There are none so blind as those who cannot see ;-)

B. Rgds
John

38
Development and Code Review / [SOLVED] How to add mc ?
« on: August 09, 2016, 12:36:02 pm »
One of my fave little packages for rooting about places is mc - midnight commander

Any ideas/suggestions on how to install/add it as a package ?

B. Rgds
John

39
Development and Code Review / Re: Let's Encrypt support
« on: August 09, 2016, 12:33:07 pm »
I have been using a bash script called letsencrypt.sh on my linux boxes and wrote a small plugin for them to generate the config files. The letsencrypt.sh script is a lot easier and more transportable than the full fat official clients.

https://github.com/lukas2511/letsencrypt.sh

It probably wouldn't take much to use that (and believe it is BSD compatible). You just need to write a simple plain text config file and domains.txt file and add a cronjob for renewals.

You have to be able to http resolve a .well-known/acme-challenge directory for a given domain.

B. Rgds
John

40
16.7 Legacy Series / [SOLVED] sshd missing ?
« on: August 09, 2016, 12:23:32 pm »
Managed to get my box installed and updated to 16.7

I was looking for sshd to be able to shell in but can't see anything anywhere. Am I missing something ?

B. Rgds
John

41
16.7 Legacy Series / Re: Install error 19 with virtual disk
« on: July 19, 2016, 07:22:01 pm »
I have tried boot delays out to 60000 now still with no joy.

More I read, the more I think something is fundamentally broken in there that no one wants to really sort out.

Similar 'USB' orientated issues all over the show.

Ah well, can't do any more now. Let me know if you have suggestions to test.

B. Rgds
John

42
16.7 Legacy Series / Re: [SOLVED] L2TP gone and how to upgrade?
« on: July 19, 2016, 07:19:34 pm »
Quote from: Zeitkind on July 19, 2016, 04:23:44 pm
Quote from: Julien on July 19, 2016, 02:51:25 pm
If I were you I wouldn't use L2TP, I would go for OpenVPN or IPsec.

I use OpenVPN for about 10 years now. The problem is companies and customers that still demand PPTP or at least a VPN that works right out of the box on client machines. For there is still no (simple) way to use Microsoft's SSTP-VPN, L2TP is the only answer.

I'd ask them whether they leave the keys in the front door of their house, or their office, or their nice car.

I'd also ask them are they happy that most of the known planet is listening to every character of their data ?

Would they be happy if all those people actually just turned up at their office and house and walked in without any permission and started rifling through all their documents and reading and copying everything ?

Are they happy to sit in front of a judge and risk fines or even jail for not protecting their, or their clients', data properly ?

Do they really not care THAT much ?

Windows users (slapshead)..... :-)

B. Rgds
John

43
16.7 Legacy Series / Re: Install error 19 with virtual disk
« on: July 18, 2016, 02:24:45 pm »
Quote from: franco on July 15, 2016, 01:29:19 pm
Hi John,
Here's the 15.7.18 amd64 ISO:

Thanks Franco. Makes installing a little easier ! Still would like to get to the bottom of the issue though.

Seems like the IPMI system creates a USB based virtual CD from the ISO image. From the looks of things this is getting timed out when the system tries to mount it across the network. Do you have any idea what units are used by kern.cam.boot_delay ?

I'm away on business for about 10 days so won't have much time to actually have a go at this but I will try and do some reading.

B. Rgds
John

44
16.7 Legacy Series / Re: Install error 19 with virtual disk
« on: July 15, 2016, 12:44:10 pm »
Managed to get to 16.1.18 from the 15.7.11 BUT I am stuck now on i386

Any chance of a link to a x64 version of 15.x please ? Seem to be in short supply out there !

B. Rgds
John

45
16.7 Legacy Series / Re: Install error 19 with virtual disk
« on: July 15, 2016, 01:02:05 am »
PS - is there anywhere I can get a copy of a 15.7.x x64 iso rather than the i386 I have ?

I can test, and also upgrade from 15-16 it seems ?

B. Rgds
John
