Messages

931

20.7 Legacy Series / Re: Configure lighttpd to log real client IP behind reverse proxy?

« on: January 13, 2021, 01:46:32 pm »

Yup, that worked.

Guided by the lighttpd docs (https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModExtForward), I included the mod_extforward module in the server.modules list, and added extforward.headers and extforward.forwarder directives.

Extract from webgui.inc from line 236:

Code: [Select]

## modules to load                                                                     
server.modules              =   (                                                       
  "mod_access", "mod_expire", "mod_compress", "mod_redirect", "mod_setenv",             
  "mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite", "mod_openssl" {$lighty_modules}, "mod_extforward"
)                                                                                       
                                                                                       
extforward.headers = ( "X-Forwarded-For”, “Forwarded-For”, "X-Real-IP” )
                                                                                       
extforward.forwarder = (                                                               
     "172.16.66.5" => "trust",                                                         
     "fdfd:2553:8868:66:216:3eff:feeb:8e62" => "trust"                                 
)                                                                                       

Note that I added the mod_extfoward module at the end of the server.modules list so that, if mod_accesslog is enabled through the $lighty_modules variable (reflecting that access logging is turned on in the web GUI), the mod_extforward module will be enabled afterwards, as stipulated in the lighttpd docs.

I also had to add the extforward.headers directive, because I found that the default (which is to search the "X-Forwarded-For" and "Forwarded-For" headers when the directive is empty) wasn't returning the real client IP despite X-Forwarded-For being set in my nginx config to $proxy_add_x_forwarded_for. So I added X-Real-IP, which is also set in my nginx config, and that worked. I will have to figure out separately the X-Forwarded-For issue with nginx.

Regarding the extforward.forwarder directive, that would obviously be the data item for the GUI, ie the user would be asked to enter the IP(s) of the reverse proxy. I guess the GUI could have both that, and an option to select to load the mod_extforward module (like for the mod_accesslog module), or alternatively the mod_extforward module could just be enabled by default and the only item in the GUI would be the ability to enter the IPs if the user is using a reverse proxy. I assume that the mod_extforward module, even if enabled, would just do nothing if there are no trusted IPs set in extforward.forwarder.

932

20.7 Legacy Series / Re: Configure lighttpd to log real client IP behind reverse proxy?

« on: January 13, 2021, 09:20:34 am »

Thanks Franco, I will look into that.

933

General Discussion / Re: How to block a website / URL

« on: January 13, 2021, 06:12:12 am »

Look where your block rule is placed...

934

General Discussion / How to block a website / URL

« on: January 13, 2021, 05:37:14 am »

I assume you want to block clients on your LAN from accessing that URL?

If so, one way is:

Create a Host(s) Alias for www.bbc.com

Then create a firewall rule into the LAN interface, Action Block (or Reject), IP versions IPv4+IPv6, protocol TCP, source any, destination the Alias created above, destination port HTTPS (you can also block HTTP if you want - easiest way to do both would be to create a Port(s) Alias for both HTTP and HTTPS and use that Alias for the destination port in the firewall rule)

Make sure the rule is above the Allow LAN to any rules in the list

935

20.7 Legacy Series / [SOLVED] Configure lighttpd to log real client IP behind reverse proxy?

« on: January 13, 2021, 04:46:44 am »

I run the OPNsense webserver behind a nginx reverse proxy. I have configured the X-Forwarded-For header in nginx to pass the real IP of the client connecting to the reverse proxy, but OPNsense does not register that.

To get OPNsense to do so, I understand from research that I need to enable the "mod_extforward" module in lighttpd and specify the IP(s) of the reverse proxy. Something like this:

Code: [Select]

server.modules += ( "mod_extforward" )
extforward.forwarder = (
     "xxx.xxx.xxx.xxx" => "trust",
     "xxx.xxx.xxx.xxx" => "trust"
)
My question is where is best to do this in OPNsense, so that it will survive updates. I suspect it is best not to do it in /usr/local/etc/lighttpd/lighttpd.conf? Should I:

• add it to /usr/local/etc/lighttpd/modules.conf?
• create a separate conf file in /usr/local/etc/lighttpd/conf.d/? In that case what is the best way to load it, eg adding an include directive to modules.conf?

Thanks

936

20.7 Legacy Series / Re: Port Forwarding

« on: January 12, 2021, 10:19:40 pm »

Check that you have a corresponding firewall rule on the WAN interface to actually allow the inbound http traffic

This is usually created automatically for you when setting up the port forward, since “Add associated filter rule” is selected by default under Filter rule association. A rule will not have been created if you selected “None” when setting up the port forward (and traffic will be blocked), or if you selected “Pass” (which allows the traffic without a separate firewall rule)

Your screenshots don’t show your Filter rule association setting

937

20.7 Legacy Series / Re: Regular LAN detached event, sometimes results in failure of resolv.conf and IPv6

« on: January 11, 2021, 10:37:34 pm »

Can confirm it is Sensei causing this issue. I was “due” for a LAN detached/attached sequence this morning and it didn’t occur with Sensei off

I will raise this with the Sensei folks

938

General Discussion / Re: How to export only the firewall rules

« on: January 11, 2021, 08:03:48 am »

Not sure whether this is in a format you want, but you can see them in /tmp/rules.debug or list them with pfctl -sr (or list everything with pfctl -sa)

939

20.7 Legacy Series / Re: Looking to give clients on an interface public IPv6 space from /64 - how to?

« on: January 11, 2021, 01:22:37 am »

According to this thread (https://community.ui.com/questions/T-Mobile-Home-Internet-IPv6/44391c82-8276-42b0-97dd-0984a0eab17a) that ISP does not offer IPv6 prefix delegation. You will probably need to discuss with them what the appropriate configuration is for IPv6

940

20.7 Legacy Series / Re: Looking to give clients on an interface public IPv6 space from /64 - how to?

« on: January 11, 2021, 12:21:47 am »

You’ve set a PD size of /64 on the WAN but I can’t actually see any prefix being delegated. You sure you aren’t allocated a /60 or /56 for the LAN side?

941

20.7 Legacy Series / Regular LAN detached event, sometimes results in failure of resolv.conf and IPv6

« on: January 10, 2021, 09:05:31 pm »

No problem. My script is a simplified version of something marjohn56 posted in the forum for an unrelated but similar issue. I run the cronjob every minute for 5 minutes from 3.03am each day.

Contents of /usr/local/sbin/ping6_check.sh:

Code: [Select]

#!/bin/sh
# Script to test IPv6 connectivity and restart dhcp6c if necessary

# Try a few pings to Cloudflare's IPv6 servers.
# Quit immediately if we get a single frame back.
# If neither server responds at all then restart dhcp6c.

counting=$(ping6 -o -c 10 2606:4700:4700::1111 | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')

if [ $counting -eq 0 ]; then

  counting=$(ping6 -o -c 10 2606:4700:4700::1001 | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')

  if [ $counting -eq 0 ]; then

    # Restart dhcp6c

    service dhcp6c restart

  fi
fi
Contents of /usr/local/opnsense/service/conf/actions.d/actions_ping6_check.conf:

Code: [Select]

[load]
command:/usr/local/sbin/ping6_check.sh
parameters:
type:script
message:starting IPv6 connectivity check
description:Run IPv6 check
After setting these up, as root run the following to get the job to appear in the cronjob list in the GUI:

Code: [Select]

service configd restart
On a hunch yesterday I had an idea that Sensei might be behind this behaviour - for example it might be doing some sort of refresh or update or health check every 2 days. I had Sensei configured on the LAN interface. As I check I have disabled it for the time being and will see whether the behaviour continues.

After my hunch a search revealed your post about Sensei and IPv6 (https://forum.opnsense.org/index.php?topic=9521.msg55708#msg55708) which show logs somewhat similar to what I have been seeing. Which makes me think my hunch may be right.

942

20.7 Legacy Series / Re: Unbound service routinely stopping/crashing following 20.7.7 update

« on: January 09, 2021, 06:32:35 am »

Check for updates as you may not have the patch - 20.7.7_1 was released before the patch, and then the patch later added

943

General Discussion / Re: Block range of LAN hosts from ANY Internet access

« on: January 07, 2021, 09:45:15 pm »

No problem

The other thing to understand is that, because of outbound NAT on IPv4, traffic going out the WAN interface to the internet won’t have as its source IP the internal IP of your cameras, but instead your public IP (otherwise return traffic from the internet could not find its way back). You can see this if you watch the WAN interface in the live firewall logs. That’s why your WAN rules didn’t work

In any event, usually the best approach to firewall rules is to apply them on the interface where the traffic is first handled by OPNsense (in your cameras’ case, the LAN interface). Saves unnecessary processing of traffic that is going to dropped anyway later

944

General Discussion / Block range of LAN hosts from ANY Internet access

« on: January 07, 2021, 07:16:51 am »

You want the rule to apply “in” - it is traffic coming from a device on the LAN into the LAN interface on OPNsense

945

General Discussion / Re: Block range of LAN hosts from ANY Internet access

« on: January 07, 2021, 07:05:16 am »

No I am talking about in the LAN rule - Gateway under advanced features