Recent posts

#1
25.7, 25.10 Series / Re: Exclude domain from firewa...
Last post by meyergru - Today at 01:10:31 PM
Firewall aliases are meant to be used with pf rules. pf acts on IPs and subnets. So what should a DNS "domain" mean in that context?

It is not even a specific hostname within a domain, which could at least be resolved to an IP (or a set of IPs).

#2
25.7, 25.10 Series / Re: 25.7.8 Wireguard road warr...
Last post by FredFresh - Today at 12:59:36 PM
Have you tried to use traceroute instead of ping?
#3
Hi Q-Feeds,

I just wanted to mention that the banner in your notification mails doesn't look right in Outlook Classic; it's way too big. At home in my browser on outlook.com it looked fine.

Maybe you can fix this. If you don't have Outlook Classic for testing, I can look at it after you have made some changes.
#4
25.7, 25.10 Series / KEA hostnames in the firewall...
Last post by FredFresh - Today at 12:39:54 PM
Hi,

Is there a way to see the host names specified in the KEA DHCP reservations (internal subnets) inside the firewall live view log?

In the live view page, after activating "Lookup hostnames", I see the IP address twice (for internal IPs) and the domain for the external IPs.

Thanks
#5
Hi all,

Recently I switched to fiber and got a new router/modem from my ISP. That damn thing does not have a bridge mode and on top of that the subnet cannot be changed (192.168.1.0/24). Unfortunately, I have a contract period of two years, and it looks like I have to accept that.

Like many of those routers, it offers a DMZ feature, which as I understand is just port forwarding of everything to the DMZ host and placing the host in a /32 network for isolation (192.168.1.254/32 in my case). Generally, this worked, but I have some issues with that.

A bit of background info:
- I run HAproxy for different self-hosted services (originally based on the Hellsite tutorial: https://forum.opnsense.org/index.php?topic=23339.0)
- As per that tutorial, I created a virtual IP (IP Alias 127.4.4.3/32 on Loopback interface), which is set as a listen address on the public server in HAproxy. Alongside the SNI listening on 0.0.0.0:443
- the services are in different DMZ vlans
- I have an MGMT network for Ubiquiti gear and some other admin web UIs. Before, this was 192.168.1.0/24, which I moved to 192.168.5.0/24 in order to prevent overlap with the ISP subnet.
- I have a WAN firewall rule that allows IPv4 TCP 443/80 to "WAN address", which was allowing remote access to HAproxy when OPNsense had a public IP on the WAN interface (remember, now it has 192.168.1.254).
- Gateway for 192.168.1.1 was created (Upstream and Far checked) and specified in the WAN interface.

Now the strange thing happens when I am trying to connect to one of my services from remote:
I see the attempt being routed to 192.168.5.254 and therefore being default-denied. What is this IP? I have never typed it anywhere. Of course it could be a typo, but the only place where I have typed 1.254 is the static IP at the WAN interface, and this is correct (otherwise the external connection attempt would not even be registered).

Since it is not "WAN address", it does not trigger the existing rule.
Trying to circumvent this, I added the 192.168.5.254 IP alongside "WAN Address", but HAproxy is not catching those requests and lists nothing in the log.


Another issue (maybe related, that's why I briefly mention it here) is the lack of internet access in the MGMT network, and that network alone. All other networks and VLANs under OPNsense have internet access.
ping -S 192.168.10.1 8.8.8.8  is successful
ping -S 192.168.5.1 8.8.8.8  fails.
This is despite having a temporary allow rule (all protocols from any to any on all ports, in/out) as the top rule in the MGMT rules.

Can anybody make some sense of this? Did I forget anything due to the fact that OPNsense has a private IP on the WAN?

Thankful for all help and pointers
Cheers,
Untoasted
#6
Hardware and Performance / Re: DEC750 Questions
Last post by Monviech (Cedrik) - Today at 11:52:20 AM
The plugins are not automatically installed. They will show in the Firmware page as missing after config import. Just don't install the ones you do not need.

I wouldn't update the BIOS nor install a microcode plugin, just keep it as it is. I'd only update or install these if there is a serious reason to do so, and currently I don't know of any (that does not mean I assume I'm 100% right; "everyone is the architect of their own fortune").
#7
Hardware and Performance / Re: DEC750 Questions
Last post by ProximusAl - Today at 11:35:31 AM
So just to be extremely clear for me:

1. Should I install the AMD Microcode plugin on a DEC750, or not? What's the recommended ideology?
2. I'm assuming I'll update the BIOS day 1, to make sure it's fully up to date.
3. Is there any value in enabling HyperThreading? AMD CBS -> Zen Common Options -> Core/Thread Enablement -> SMTEN

I'm just looking at the BIOS update instructions, and 1 and 3 are mentioned, but no recommendation.

The final thing is that my current backup came from an install with the Intel Microcode plugin installed, which obviously I don't want with this device.
Is this easy to remove from the config before importing?

TIA
#8
25.7, 25.10 Series / Re: Exclude domain from firewa...
Last post by FredFresh - Today at 11:05:51 AM
OK, I thought so... but just in case: is there a chance to exclude domains, or is it just not possible?
Thanks
#9
Best create an additional block rule before your rule that allows hosts.

Then you do not need to invert anything, you simply have a selective block rule before the more broad allow rule.
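One way to express that ordering in pf syntax, as an added illustration that is not code from the thread or from OPNsense's generated ruleset (table names and addresses are made up, and the excluded hosts are the addresses a domain-type alias would resolve to, since pf matches on IPs, not names):

```pf
# Constructed example: a selective block placed before a broad allow.
# pf evaluates rules top-down; "quick" stops at the first match, which is
# how OPNsense rules behave by default, so the block must come first.
table <allowed_hosts> { 192.168.10.0/24 }
# Placeholder addresses standing in for the resolved IPs of the excluded domain.
table <excluded_hosts> { 203.0.113.10, 203.0.113.11 }

block in quick on lan proto tcp from <allowed_hosts> to <excluded_hosts>
pass  in quick on lan proto tcp from <allowed_hosts> to any port { 80, 443 }
```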
#10
25.7, 25.10 Series / Exclude domain from firewall a...
Last post by FredFresh - Today at 09:55:25 AM
Hello,
I tried to search for an answer but wasn't able to find one, though I'm sure this was already discussed.
How can I exclude domains from a firewall alias? "!" works fine with IP addresses and subnets, but not with domains.

I tried it like this: !youtube.com . Should I use some additional character?

What am I doing wrong?
Thanks