Messages - Monviech (Cedrik)

151
Tutorials and FAQs / Re: Building a Transparent Bridge Filter with OPNsense
« on: November 07, 2024, 01:51:03 pm »
It looks like the Zenarmor guide for this goes with 3 interfaces by default.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

152
German - Deutsch / Re: Routing problem: two devices in the same WLAN with different routes
« on: November 07, 2024, 11:24:52 am »
I once wrote a longer docs article on the whole NAT reflection topic. It also explains the problems, such as source NAT for devices in the same network.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

153
24.7 Production Series / Re: DDNS with Porkbun - Req to update API hostname
« on: November 07, 2024, 10:51:25 am »
If it does not happen in time you can try os-caddy.

There, porkbun is updated with the new api endpoint since 24.7.8.

https://github.com/libdns/porkbun/commit/00df3156a86b3cce0941fea674ed545d289dec5a

154
24.7 Production Series / Re: Is there a practical limitation on the number of ipsec tunnels?
« on: November 06, 2024, 07:14:18 pm »
I guess it depends on the hardware since it uses resources. So the better the hardware, the higher the number of possible tunnels.

https://wiki.strongswan.org/issues/2911

155
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« on: November 06, 2024, 10:35:11 am »
Hello, these certificates should be eventually cleaned up by caddy's storage cleanup routine. But that can take till past expiry or longer.

You can delete them manually in the filesystem.

/var/db/caddy/data/caddy/certificates/


156
General Discussion / Re: Client certificates (mTLS) in Caddy plugin
« on: November 05, 2024, 06:01:49 pm »
https://github.com/opnsense/plugins/issues/4089

PRs welcome, all the framework is there. It should be very easy to add to the GUI.

There is a script that will automatically extract certificates from System - Trust for caddy here:

https://github.com/opnsense/plugins/blob/bb69d4653746320c0bf4363eb42f63906b5584e8/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php#L35

It runs automatically when caddy reloads or starts so the certs are all there.

157
Tutorials and FAQs / Re: Building a Transparent Bridge Filter with OPNsense
« on: November 05, 2024, 04:46:19 pm »
I have no issue with it. If it was a genuine effort, thank you.

If any of your steps here are different or improve the original documentation, please feel free to improve that guide on github.

As a reference, some people have issues with the original guide, so if you can improve it: https://github.com/opnsense/docs/issues/614

158
Tutorials and FAQs / Re: Building a Transparent Bridge Filter with OPNsense
« on: November 05, 2024, 04:35:33 pm »
This kinda looks like AI generated content at first glance, especially the Key Benefits section.

159
General Discussion / Re: OPNcentral Plugin
« on: November 05, 2024, 01:24:07 pm »
You should try to get a response from the web interface of the target firewall by trying this in the source firewall:

curl -v https://example.com:8443

And if that does not work you have a firewall issue (e.g. not allowing access to port 8443) or routing/policy issue with the IPsec tunnel. (Maybe the source IP is not what you expect and the traffic doesn't pass through the tunnel since the SPD does not allow it)

Use "tcpdump" additionally on both hosts, or the packet capture in the GUI.

EDIT: Also, WebGUI not listening on "all (recommended)" can also be an issue.

160
General Discussion / Re: OPNcentral Plugin
« on: November 05, 2024, 01:16:14 pm »
Is the target firewall using the Business Edition too?

EDIT: If you are using 8443 add the firewall like this:

https://example.com:8443

Your curl shows it tries port 443.


https://docs.opnsense.org/vendor/deciso/opncentral.html#add-firewall-nodes-to-the-central-host

161
German - Deutsch / Re: OpenVPN and Multi-WAN: selecting the outgoing WAN interface
« on: November 05, 2024, 01:06:31 pm »
Yes, you create the port forward on the desired WAN interface with the loopback interface and the OpenVPN port as the destination.

162
General Discussion / Re: OPNcentral Plugin
« on: November 05, 2024, 01:01:40 pm »
Try to use the IP address and if that works use a different FQDN without .local or .localdomain.

Try using a real FQDN that is not using Unbound Overrides but has a real zone.

163
German - Deutsch / Re: Off-topic: strange behaviour of a Fritzbox with SIP and DECT
« on: November 05, 2024, 11:20:42 am »
How about some routing trickery to exclude exactly this network?

- 172.17.0.0/24 <- This should not be routed

https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

Allowed IPs: 172.16.0.0/12
Disallowed IPs: 172.17.0.0/24

Result: AllowedIPs = 172.16.0.0/16, 172.17.1.0/24, 172.17.2.0/23, 172.17.4.0/22, 172.17.8.0/21, 172.17.16.0/20, 172.17.32.0/19, 172.17.64.0/18, 172.17.128.0/17, 172.18.0.0/15, 172.20.0.0/14, 172.24.0.0/13

Create a route for each of these.

Or if it should be 172.17.0.0/16:

AllowedIPs = 172.16.0.0/16, 172.18.0.0/15, 172.20.0.0/14, 172.24.0.0/13
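
The subtraction done with the linked calculator in the post above can be reproduced offline with Python's standard `ipaddress` module. This is an added example, not part of the original post; the function names `allowed_ips` and `is_routed` are hypothetical.

```python
import ipaddress


def allowed_ips(allowed, disallowed):
    """Return CIDRs covering every `allowed` network minus every `disallowed` one."""
    remaining = [ipaddress.ip_network(n) for n in allowed]
    for hole in map(ipaddress.ip_network, disallowed):
        kept = []
        for net in remaining:
            if net.version != hole.version or not net.overlaps(hole):
                kept.append(net)                        # untouched by this exclusion
            elif hole.supernet_of(net):
                continue                                # excluded entirely (or identical)
            else:
                kept.extend(net.address_exclude(hole))  # net strictly contains the hole
        remaining = kept
    # Collapse per address family; collapse_addresses() rejects mixed versions.
    result = []
    for version in (4, 6):
        family = [n for n in remaining if n.version == version]
        result.extend(ipaddress.collapse_addresses(family))
    return [str(n) for n in result]


def is_routed(routes, address):
    """Check whether `address` falls inside any CIDR in `routes`."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(r) for r in routes)


if __name__ == "__main__":
    # Values taken from the post: route 172.16.0.0/12 except 172.17.0.0/24.
    routes = allowed_ips(["172.16.0.0/12"], ["172.17.0.0/24"])
    print("AllowedIPs = " + ", ".join(routes))
    # Sanity check before installing routes: the excluded network must stay
    # unrouted, its neighbours must still be covered.
    print(is_routed(routes, "172.17.0.10"), is_routed(routes, "172.17.1.10"))
```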

164
German - Deutsch / Re: Off-topic: strange behaviour of a Fritzbox with SIP and DECT
« on: November 05, 2024, 09:54:06 am »
Maybe the Fritzbox has a DECT IP base station built in, implemented in software, and simply uses this IP address for internal communication. Very strange, I have never seen it like this before.

If that is true, then the DECT telephony of any Fritzbox could be knocked out with this route. It would be interesting if someone else tested this.

165
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« on: November 05, 2024, 06:20:44 am »
It really doesn't tell me much, I've never seen errors like these before.

Maybe Caddy Debug logs of the failed requests or HTTP access logs can show what's happening. Right now I'm just as much in the dark as you though, sorry.

It looks like a weirder problem, maybe https://caddy.community can help better.
