Messages - sorano

76
Web Proxy Filtering and Caching / HAProxy vulnerable to HTTP Request Smuggling
« on: September 08, 2021, 06:55:51 pm »
Just a heads up to my fellow HAProxy users.
HAProxy has a vulnerability that is quite nasty; see the following GitHub link for mitigation until a fixed version is available:

https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95

77
General Discussion / Re: UDP Broadcast Relay
« on: September 08, 2021, 10:38:09 am »
Quote from: klipsch on September 08, 2021, 05:06:49 am
Just wanted to thank the community and @bertoforth / @marjohn56 for this great plugin/service.

Have been able to successfully use 7 VLANs of segregation - Chromecasts, Yamaha receivers, Anthem pre/pro, BubbleUPnP, unRaid, server/services, HD Homerun, cameras, etc. all logically separated in their corresponding VLANs created for my purposes - while having the convenience of being able to use my primary wireless LAN to cast, discover, stream, etc.

The UDP Broadcast Relay with point/click/type has really made things easy and prevented me from going down the scripted socat route.

Thank you again

Awesome, would you mind sharing your config for HD Homerun?

78
Virtual private networks / Re: Possible to set static IP for OpenVPN Clients?
« on: September 07, 2021, 10:00:02 am »
I've not done it for ages, but if I remember correctly you must use client specific overrides along with the ifconfig-push advanced option.

See:
https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/

79
General Discussion / Re: Opnsense HAProxy lets encrypt setup with SSL docker containers
« on: September 06, 2021, 08:51:17 pm »
It's simple. The solution is to use SSL passthrough for the connections that you don't want to terminate in HAProxy.

80
General Discussion / Re: Issue with WAN Interface dropping internet every 24 hours
« on: September 06, 2021, 08:29:31 pm »
Gotta love "network admins" that cannot even troubleshoot their home networks properly and then blame the software without any additional data to back it up.

My first thought: If you suspect that your MAC spoofing is an issue, why not temporarily disable it to see if the problem goes away? Maybe your ISP limits the number of DHCP leases, and if you keep changing MAC you reach the limit and no further DHCP leases will be offered?
Another possibility could be that your virtualized environment has trouble with the spoofed MAC and the virtual interface. (And also a MAC generator? Really? Is it that hard to come up with random MACs on your own?)

Sniffing on WAN should help you see if you receive DHCP offers and acks.

Regarding performance, probably not enough raw power to route your packets? Overbooked host? Other VMs eating up your CPU cycles?
I'm pushing 500Mbit on a virtualized host with an 8th gen i5 2.10GHz base frequency.

81
General Discussion / Re: CrowdSec
« on: September 06, 2021, 04:57:42 pm »
Quote from: mimugmail on September 06, 2021, 02:56:53 pm
Sorry, the link doesn't work (anymore?)

https://doc.crowdsec.net/blog/crowdsec_firewall_freebsd

82
High availability / Re: How to sync Let's Encrypt configuration to slave
« on: September 06, 2021, 04:47:13 pm »
Quote from: fabiodanzetta on September 05, 2021, 04:46:49 pm
Under the heading Certificates of the Let's Encrypt plugin, there is no certificate and no other settings that are present on the master.

That is as expected. You sync the certificates, not the LE settings.

Look at certificates on the slave instead.
System: Trust: Certificates

83
High availability / Re: How to sync Let's Encrypt configuration to slave
« on: September 04, 2021, 09:04:30 pm »
You must select to sync Certificates in System: High Availability: Settings


You're welcome

84
Web Proxy Filtering and Caching / Re: OPNSense HAProxy and Cloudflare
« on: July 22, 2021, 06:42:29 pm »
Why are you doing stuff from the CLI?
Cert and validation are all configured in the web UI from the Let's Encrypt plugin.

Use the staging environment until all is working then switch over to production.

Looks like you are making life hard for yourself.

85
Web Proxy Filtering and Caching / Re: OPNSense HAProxy and Cloudflare
« on: July 22, 2021, 04:22:12 pm »
You must create an API token that has DNS permissions in Cloudflare and then configure that token for your validation in OPNsense.

86
Web Proxy Filtering and Caching / Re: OPNSense HAProxy and Cloudflare
« on: July 19, 2021, 06:36:10 pm »
Why is that an issue though?
That's what I'm doing and it works with Cloudflare's Full mode.

Otherwise you can generate a CSR under System - Trust - Certificates, put that in Cloudflare to get your cert, and then import your Cloudflare cert in OPNsense and use that in HAProxy.

87
Web Proxy Filtering and Caching / Re: OPNSense HAProxy and Cloudflare
« on: July 19, 2021, 02:47:05 pm »
Take a look at this guide to get HAProxy up and running:

https://forum.opnsense.org/index.php?topic=23339.0

88
Web Proxy Filtering and Caching / Re: OPNSense HAProxy and Cloudflare
« on: July 18, 2021, 10:07:35 pm »
Well, it seems a bit much asking someone else to create a video for you but I'm proxying a domain from Cloudflare to HAProxy and the Cloudflare settings are pretty much the same as in the video.

I have not bothered to do the Full (strict) SSL/TLS mode but the Full mode works fine for me.

If you already have a proper HAProxy setup it should not require any additional configuration in HAProxy except maybe creating an ACL that allows Cloudflare IPs only.

89
Zenarmor (Sensei) / Re: Bug report: PHP error due to typo with mongodb
« on: June 29, 2021, 05:56:08 pm »
Well, the mongodb service had stopped again for some unknown reason.

Just starting the service normally (without erasing reporting data) got it up and running.

However, I seem to get a lot of mongodb stops for no apparent reason; the fw is up and running and all other services work fine, but mongodb keeps taking a dump from time to time.

Edit:

Looking at this further I found the following:

Code:
root@fw01:/var/log # grep -i mongod dmesg.*
dmesg.today:pid 20481 (mongod), jid 0, uid 922, was killed: out of swap space
dmesg.yesterday:pid 20481 (mongod), jid 0, uid 922, was killed: out of swap space

So out of memory seems like a solid guess, just weird that no other services were affected. I have 8GB RAM and 2 days retention for Sensei.
Looks like Suricata is using a lot of RAM though.

90
Zenarmor (Sensei) / Bug report: PHP error due to typo with mongodb
« on: June 29, 2021, 11:45:55 am »
Saw this error when I logged into OPNsense today:

Code:
[28-Jun-2021 22:47:18 Europe/Stockholm] PHP Warning:  unlink(/tmp/mongodb_dahsboard60da35511c350.json): No such file or directory in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 97
[28-Jun-2021 22:47:18 Europe/Stockholm] PHP Warning:  unlink(/tmp/mongodb_dahsboard60da35511c350_result.json): No such file or directory in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 98

If you look at the filename it's looking for a file called dahsboard.
