Messages - sorano

Pages: 1 ... 5 6 [7] 8 9 ... 11
91
General Discussion / Re: LAN with client isolation
« on: June 20, 2021, 08:47:01 pm »
Your best option is to use switches that support port isolation (or client isolation if you use access points).

92
21.1 Legacy Series / Re: OPNsense on VMware ESXi
« on: June 17, 2021, 12:42:01 am »
Just wanted to chime in that I use a vmnic from a trunked dswitch and tag my vlans inside the virtual OPNsense.
It works great, feels very smooth to be able to add new vlans to the VM without having to do anything in vCenter.

93
21.1 Legacy Series / Re: Captive portal not redirecting in version 21.1.5
« on: June 14, 2021, 01:58:33 pm »
Quote from: hloiter on June 13, 2021, 12:58:21 pm
You're right - PEBKAC;)

In the end I got it working and I learned a lot .....

Good job.
That's all that matters really :)

94
Web Proxy Filtering and Caching / Re: HAProxy chainloading Lua Scripts
« on: June 14, 2021, 12:37:43 pm »
Quote from: EFaden on June 12, 2021, 06:34:56 pm
Ever solve this? I am struggling with the LUA file. The http-auth lua uses haproxy-lua-http ... which I can't seem to find.

Solve what exactly?

The "chainloading"/require between lua scripts added via the webui is not working due to the way that OPNsense autogenerates the filenames of lua scripts (dot in the middle of the filename).

See this issue on github and give your input in order to give the issue more attention.
https://github.com/opnsense/plugins/issues/2265

Until that gets fixed the solution is posted in my first post in this thread:

Quote from: sorano on September 07, 2020, 10:06:08 pm
The solution is to put the script as /usr/local/share/lua/5.3/haproxy-lua-http.lua but then it will not get synced to standby host.

If you have more than one host you will need to add the file manually to each host.

95
21.1 Legacy Series / Re: Captive portal not redirecting in version 21.1.5
« on: June 13, 2021, 02:29:28 pm »
Quote from: hloiter on June 13, 2021, 12:58:21 pm
Anyone an idea what is going on?

PEBKAC is obviously what's going on  ;)

96
21.1 Legacy Series / Re: DNS/DHCP A Record Behavior Change in 21.1.6 (Breaking Change)
« on: June 10, 2021, 11:05:54 am »
Have you tried this:

https://github.com/opnsense/core/issues/5027

97
21.1 Legacy Series / Re: Captive portal not redirecting in version 21.1.5
« on: June 08, 2021, 10:52:47 am »
Quote from: hloiter on June 08, 2021, 07:13:28 am
How can i solve this problem with a certificate?

I already told you:
Make sure that your certificate is valid if you use HTTPS.

Either buy a valid certificate or use Let's Encrypt.

98
21.1 Legacy Series / Re: how to limit stepson's usage of internet? new to opsense.
« on: June 07, 2021, 06:28:07 pm »
Quote from: cookiemonster on June 07, 2021, 04:55:19 pm
I'm curious on this one. Could a list of MAC addresses be used to force the clients to use the LAN? I.e. get an IP if in the allowed MAC list only, in case there is no switch with DHCP-snooping.

Not totally sure what you mean with "force the clients to use the LAN".

If you mean that you have a list of MAC addresses and you only want to allow those specific MAC addresses to get a DHCP lease, then it could be done by using the option:

Deny unknown clients under DHCP config for that specific interface.

You will need to add the allowed MACs at the bottom under: DHCP Static Mappings for this interface.

However, that in itself will not prevent users from configuring a static IP on their device.

I guess you could combine it with the Static ARP option and ARP Table Static Entry (enable that for each static MAC - IP binding you create). Then add a firewall rule that only accepts traffic from the IPs that you have configured statically.

I have not tested it but in theory it should work  ;)

99
Zenarmor (Sensei) / Re: Number of Policies
« on: June 07, 2021, 03:34:49 pm »
Yeah I'm with OP here.

Current policy limitations seem like a business decision from Sunny Valley more than anything else.

At least Default + 3 on Home Edition would be fair since SoHo has Default + 4.

100
21.1 Legacy Series / Re: how to limit stepson's usage of internet? new to opsense.
« on: June 07, 2021, 03:20:56 pm »
Quote from: tanks on June 07, 2021, 12:38:24 pm
1. Add static IP Address for all the devices in Services>DHCPv4>[LAN].
2. Add the devices IP Address to Firewall>Aliases.
3. In Firewall>Settiings>Schedules, add the time and day for allow access.
4. In Firewall>Rules>Lan, add the rules to the top. Put allow rule then follow by block rule.

Good advice in general.

However, depending on how crafty the users are, ideally you would need to use a switch with DHCP-snooping and ARP inspection to prevent them from changing MAC or configuring static IPs to work around the limitations on the dynamically allocated ones.

Another solution would be to use a separate VLAN and apply limits on the entire subnet.

101
21.1 Legacy Series / Re: Captive portal not redirecting in version 21.1.5
« on: June 07, 2021, 02:55:05 pm »
I did not notice any problems with this in 21.1.5 and currently it's working well for me in 21.1.6.

Make sure that your DNS server properly resolves the configured hostname in your captive portal settings to the IP of your Captive Portal interface.

Also make sure that your certificate is valid if you use HTTPS, else I've noticed that certain devices do not want to load the captive portal site.

102
21.1 Legacy Series / Re: SSHD Port Forwarding?
« on: June 07, 2021, 02:52:02 pm »
Yes, it does support SSH port forwarding a.k.a. SSH tunneling.

103
Tutorials and FAQs / Re: Tutorial: OPNsense, HAProxy, Let's Encrypt, Wildcard Certs, 100% A+ SSLLabs
« on: June 07, 2021, 02:21:02 pm »
Quote from: TheHellSite on June 07, 2021, 11:29:22 am
1. You don't need to use virtual IPs.
I totally get your point! This makes indeed sense but I think only if you have a static WAN IP.

Well, I only have dynamic IPs for my WAN interfaces. MultiWAN consisting of a fiber primary with LTE failover, two OPNsense hosts running CARP on all interfaces except for WAN (since I cannot get proper stateful failover with dynamic WAN IPs).

Quote from: TheHellSite on June 07, 2021, 11:29:22 am
As it would break the access from internal networks to the external URLs "service.subdomain.mydomain.tld" if one enabled that access using DNS rewrite rules. I am not aware of a way to rewrite DNS entries in Unbound to the WAN interface address.

With NAT reflection your way of setting this up can of course work.

The way I'm doing access from internal networks is with Split DNS (DNS override as you call it).
In my opinion NAT reflection is an inferior solution since you lose the ability to track originating source IP in HAProxy when going through NAT.

Since HAProxy is already listening on 0.0.0.0 (all available IPv4 interfaces) I resolve the Split DNS to the internal IP of my DMZ CARP IP (but any internal IPv4 interface will do as long as you allow 80/443).

I also have certain domains I don't want reachable from the Internet so I use two map file rules, one for internal domains along with a condition that checks that source is RFC1918.

And one for external domains where I also require additional authentication.

104
Tutorials and FAQs / Re: Tutorial: OPNsense, HAProxy, Let's Encrypt, Wildcard Certs, 100% A+ SSLLabs
« on: June 05, 2021, 03:00:21 pm »
@TheHellSite Great guide! I'm sure it will help a lot of people trying to get this kind of setup up and running.

I'm running a similar setup and have some suggestions for improvement to your guide.

1. You don't need to use virtual IPs.
If you bind the HAProxy frontends to 0.0.0.0:80 & 0.0.0.0:443 it will bind to your WAN interface (even if it's dynamic). And when you do, there is no need for NAT forwarding to the virtual IPs, so a simple firewall rule for 80/443 on the WAN interface is enough.
Then you can bind the SSL terminating frontend to 127.0.0.1:[port] and use that IP for your SSL terminating "real server".
With the added bonus that it performs better in a CARP setup.

2. Use map files {Advanced --> Map files}
Using map files to map domains to backends will keep your config rules a lot less cluttered, especially when you have many subdomains to match. With map files one rule is enough to map all of your domains.

Example for map file:
plex.mydomain.tld Backend_plex

Example for rule:
Execute function: Map domains to backend pools using a map file
Map file: [name of your map file]

Then apply the map file rule to your SSL terminating frontend.
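
To show what the 0.0.0.0 / 127.0.0.1 bindings and the map-file rules described in posts 103 and 104 correspond to in a hand-written haproxy.cfg, here is an added example; it is not from sorano's posts, the tutorial or the OPNsense plugin's generated config. The paths, ports, certificate file, map-file contents and backend names are assumptions, and the PROXY-protocol hop between the two frontends is an assumed way to keep the client address on the loopback leg.

```haproxy
# Constructed example, not from the post. Paths, ports, certificate and
# backend names are placeholders.

# 1. Public frontend bound to all IPv4 addresses: it follows a dynamic WAN IP
#    and needs only a WAN firewall rule for 443, no virtual IP or NAT forward.
frontend public_tcp
    bind 0.0.0.0:443
    mode tcp
    default_backend ssl_terminator

# Hand the raw TLS stream to the local SSL-terminating frontend. PROXY protocol
# v2 carries the real client address across the 127.0.0.1 hop, so the RFC1918
# source check below still sees the original client, not 127.0.0.1.
backend ssl_terminator
    mode tcp
    server local_tls 127.0.0.1:8443 send-proxy-v2

# 2. SSL-terminating frontend on loopback. One use_backend line per map file
#    replaces a rule per domain; the internal map is honoured only for
#    RFC1918 sources, the external map for everyone.
frontend tls_in
    bind 127.0.0.1:8443 ssl crt /usr/local/etc/ssl/wildcard.pem accept-proxy
    mode http
    acl src_rfc1918  src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    acl host_internal req.hdr(host),lower,map(/usr/local/etc/haproxy/internal.map) -m found
    acl host_external req.hdr(host),lower,map(/usr/local/etc/haproxy/external.map) -m found
    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/internal.map)] if src_rfc1918 host_internal
    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/external.map)] if host_external
    default_backend no_match

# Map file format, one "hostname backend" pair per line, e.g. in external.map:
#   plex.mydomain.tld Backend_plex

backend Backend_plex
    mode http
    server plex 192.168.10.20:32400 check

# Unknown hostnames get a 404 instead of falling through to some backend.
backend no_match
    mode http
    http-request deny deny_status 404
```

Split DNS then only has to point the public names at an internal address on which the public_tcp frontend listens; nothing in the config changes between internal and external access.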

105
Zenarmor (Sensei) / Re: Bug report: localhost cannot be used for reverse lookups
« on: May 07, 2021, 10:53:23 am »
Quote from: jclendineng on May 06, 2021, 10:12:59 pm
Just use your gateway IP (192.168.1.1) or whatever it is

Yeah no shit...  ::)

There is obviously a reason that I want to use the localhost address, hence the bug report.
