Messages - XeroX

#31
So Port 22 works. Seems to be proxy related. But even when I turned off the web proxy, no transparent mode, no interfaces selected, it does not work.

Are there any hidden rules?
#32
Hello,
LAN contains ESXi Hosts and vCenter.
VLAN2 contains Active Directory and Horizon Connection Server.

I try to access vCenter (LAN) or any "internal" webservice via TCP 80 or 443. 80, 443 or 3389 from LAN -> VLAN2 works fine.

Machines from VLAN2 can access the internet via Web Proxy (if needed, but currently not configured on any machine in VLAN2) (had it transparent before, but removed that).

OPNSense is the only physical gateway for both subnets.

Are there any hidden rules from the web proxy?
#33
Hello,
obviously I'm too stupid to get traffic from one VLAN to another one.

I do get traffic from LAN to VLAN2. But I can't reach VLAN2 to LAN (only ICMP works).

Can someone help me with that? I tried rules in every direction on every interface (LAN, VLAN2). I'm able to reach LAN -> VLAN2 but not in the other direction. What am I doing wrong?

As ICMP works, I would rule out any routing problem.

Is this related to the webproxy? (transparent mode, but rules deleted on VLAN2)

Cheers and thx for help.
#34
Is IDS/IPS active on the physical interfaces or on the VLANs as well?

Activate IPS only on the physical interfaces.
#35
22.1 Legacy Series / Re: Can't write image to USB key
January 28, 2022, 06:26:21 PM
You uncompressed it? bz2 is not the raw image. Use 7zip.
#36
Quote from: Julien on December 14, 2021, 03:12:44 PM
Quote from: XeroX on December 13, 2021, 04:06:43 PM
Snort rules in server-web and server-other detect Log4j as well, as long as the traffic is not end-to-end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

No I'm using suricata with additional Snort Rules. Use 29190. Don't use 3.x rules.
#37
Snort rules in server-web and server-other detect Log4j as well, as long as the traffic is not end-to-end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

#38
21.7 Legacy Series / Re: Certificate renewal
October 09, 2021, 05:13:49 PM
Quote from: Fright on October 09, 2021, 04:01:20 PM
sorry, didn't guess that this is a hint of adding a new feature  :D

Kind of. Actually the question was more like "am I blind", "is there an easy way" or "can I achieve this via cmdline" to renew certificates.

However thanks for help!
#39
21.7 Legacy Series / Re: Certificate renewal
October 09, 2021, 03:08:22 PM
Quote from: Fright on October 09, 2021, 12:33:36 PM
ah
you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
then do what @bartjsmit advised.
what didn't work for CA?
did you specify the keyUsage?

Thank you. No, everything works with the CA; however, I thought a simple renew button would have been nice as long as the private keys are managed by OPNSense.

#40
Quote from: franco on October 07, 2021, 08:12:51 AM
As for configuring ZFS from the GUI for use cases such as snapshots/boot environments that might be part of a future business edition instead.


Cheers,
Franco

Any plans to implement automatic snapshots before any opnsense-code or opnsense-update? I saw this on TrueNAS.
#41
21.7 Legacy Series / Re: Certificate renewal
October 09, 2021, 12:00:54 PM
I do have the following certificates issued by OPNSense.

CA
|_ Inspection CA -> SSL Inspection Web Proxy
|_ Signing CA
   |_ Several Certificates for Web Servers

Now some certificates for webservers are expired and the inspection CA is expired. How do I get these re-signed with the same private key, or, if that is the only option, re-signed without the private key?

I thought there would be a better way than deleting and issuing again.
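Re-issuing an expired certificate while keeping its private key, as an added example that is not part of this thread or of OPNsense: it assumes the .crt and .key files have been exported from System: Trust as suggested in the replies and that the openssl CLI is available; the Root CA, Signing CA and vcenter.example.internal certificate are constructed here so the script runs on its own.

```shell
#!/bin/sh
# Added example (not OPNsense code): renew certificates issued by a local CA
# while keeping their private key, using only the openssl CLI on exported files.
set -eu

# Constructed toy PKI in a scratch directory: Root CA -> Signing CA -> web cert.
# In practice these would be the .crt/.key files exported from System: Trust.
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 3650 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout signing.key -out signing.csr \
  -subj "/CN=Example Signing CA" >/dev/null 2>&1
openssl x509 -req -in signing.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 365 -out signing.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout web.key -out web.csr \
  -subj "/CN=vcenter.example.internal" >/dev/null 2>&1
openssl x509 -req -in web.csr -CA signing.crt -CAkey signing.key -CAcreateserial \
  -days 1 -out web.crt >/dev/null 2>&1

# renew_cert OLD_CRT KEY CA_CRT CA_KEY NEW_CRT DAYS [EXTFILE]
# Turns the old certificate back into a CSR signed with its own key, then has the
# CA sign it again: same key and subject, new serial and validity window.
# Extensions (CA flag, SANs, keyUsage) are NOT carried over, so pass them again.
renew_cert() {
  old=$1; key=$2; ca_crt=$3; ca_key=$4; new=$5; days=$6; ext=${7:-}
  openssl x509 -x509toreq -in "$old" -signkey "$key" -out renew.csr >/dev/null 2>&1
  if [ -n "$ext" ]; then
    openssl x509 -req -in renew.csr -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
      -extfile "$ext" -days "$days" -out "$new" >/dev/null 2>&1
  else
    openssl x509 -req -in renew.csr -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
      -days "$days" -out "$new" >/dev/null 2>&1
  fi
}

# same_key CRT KEY: succeeds when the certificate's public key matches KEY
same_key() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# subject_of CRT: prints the subject so renewals can be checked for drift
subject_of() { openssl x509 -in "$1" -noout -subject; }

# Stand-alone run: renew the web cert under the signing CA, then the signing CA itself,
# and verify the renewed chain against the root.
renew_cert web.crt web.key signing.crt signing.key web-new.crt 365
renew_cert signing.crt signing.key root.crt root.key signing-new.crt 365 ca.ext
openssl verify -CAfile root.crt -untrusted signing-new.crt web-new.crt
```

Because the key is unchanged, the renewed web certificate still chains under the renewed Signing CA, so nothing that pins the key has to be redeployed.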

#42
21.7 Legacy Series / Re: Certificate renewal
October 06, 2021, 03:41:24 PM
I have to dig this up again. This feels uncomfortable when the private key was generated by OPNsense and I don't know where the certificates are on the FS.

Thanks for the tip bartjsmit, but this doesn't work with a SubCA.

Is there a way to renew a certificate previously signed within OPNSense via CLI?
#43
1) Check the Rules and Policy tab.
2) It's called passlist.
3) Not out of the box. What's the requirement here?
#44
21.7 Legacy Series / Certificate renewal
September 25, 2021, 03:24:50 PM
Hello,
is there any way to renew certificates that have been issued?

I use this as a "light" CA, as other systems are too complicated.

Cheers
#45
Search for SSL passthrough with SNI in connection with HAProxy.

The host header, or rather the SNI payload, is unencrypted.