You can do this with HAProxy already in OPNsense. And yes, you can route more than just HTTP. (When you are making the Backend rules, switch from Layer 7 to Layer 4. Only thing is that it will do TCP, but not UDP.)
As you have posted, port forward cannot tell what the domain even is. (and the url alias is not used the way you are thinking).
I think you can achieve it with a reverse-proxy. Let’s say that domain.com points at server 0, you’ll have to put a reverse proxy that answers all calls. In the config of the reverse proxy you’ll have to redirect the services based on the domain. I’m using Caddy and this example should work:
This won’t work. At the level you are looking to route the packets, there is no concept of which domain the request was intended for. You need a service that knows how to look at that packet, and forward it appropriately.
What you need to look into is a Reverse Proxy such as haproxy, caddy, or nginx (no specific order). I use haproxy to do something similar, but only on my internal network (with wireguard to access those when I am elsewhere).
Whichever reverse proxy you pick will be responsible for looking at those packets coming into it, and can determine the intended domain to route them appropriately, either through SNI, or more likely by unwrapping the TLS on the packet.
I’d be careful with doing this, as you are letting whatever outside traffic into your network, so it’s up to you to assess the risk for your use case and make the appropriate mitigations.
It will accept all traffic sent to it via the ports it is listening on, just like any other service. It doesn’t have to forward everything though, and what it does with that is up to its configuration options and what you do with those.
Since you mentioned the wildcard cert, I assumed you were talking about services that speak http/s, and that they’d probably be on port 443. Those were a lot of assumptions by me.
If it’s not an http/s type service, what kind of services are we talking about?
arp: 192.168.1.61 moved from someMAC to anotherMAC on igc1
arp: 192.168.1.61 moved from anotherMAC to someMAC on igc1
WARNING: / was not properly dismounted
WARNING: /: mount pending error: blocks 40 files 4
I mean, I’m not saying that errors on the drive are the CAUSE of the problem, more likely a symptom, but it does look like it just straight up crashed, right?
Final Update: it’s the hardware, I think it was overheating in general, but also the SSD seems to have been dying and the ram wasn’t particularly reliable, possibly due to the heat.
Good lesson not to buy the cheapest thing from AliExpress! My new box is working great.
You haven’t mentioned the logs. Any hints there? System / Log Files / General. You can see there how a regular reboot/shutdown should look, at least.
Is there a second device at the same outlet, that writes logs or shows its uptime? To rule out power outages.
BIOS settings: is there a setting to power on the PC when the power is reconnected? (If it was an outage.)
It’s plugged into a power strip that other devices are plugged into, I did turn on “power on on ac restore” so if it is power related it should come back and I’ll see the downtime in uptimekuma.
The system logs go straight from No IP Change detected to the next boot, so a crash or failure seem likely. If something told the computer to shut down, I should see that in the logs, right?
It’s a passively cooled computer, is there any way that I can determine whether a high temp forced the computer down?
The system logs go straight from No IP Change detected to the next boot, so a crash or failure seem likely.
I think so. If it was shut down orderly, there should be log entries for the shutdown.
It’s a passively cooled computer, is there any way that I can determine whether a high temp forced the computer down?
Some BIOSes have logging. I remember an ASRock board with a BMC which remembered CPU too hot events. It depends on the board; normally I would say: I don’t think so.
If it is a hardware issue: boot a live Linux from a USB stick. Memtest86, a long SMART test, fsck, a CPU burn-in test, a network load test could show failures. But it is just wild guessing at this point from my side. Sorry.
CPU temps in opnsense: system / settings/ misc/ thermal. Not helpful but maybe interesting.
If you bridge multiple ethernet ports, the performance will be worse than using a switch. Unless you want 5 separate networks, then you only need 2 ports and an ethernet switch.
8GB of RAM and a 128GB SSD is more than enough for running OPNsense. You could easily get by with half that.
Don’t bother with the WiFi card unless you want to use it to connect to the hotspot on your phone as a backup internet connection. They are not intended for use as an access point.
As far as RFI, cheap power bricks are noisy. You may have to get some FT240-31 toroids and loop many turns of the cords through them. 100 Mbps Ethernet is also noisy, avoid it if at all possible. If you absolutely have to use it, use shielded cable. 10 Mbps is fairly quiet and so is 1 Gbps and higher.
Ah. I was drawn to the tidiness of the single box with six ports, and didn’t realise the topology differed from the home router/AP/switch/waffle iron boxes.
A two-port router plus an 8-port 2.5G switch are probably cheaper too.
I wish someone would make small components designed to stack, like the old Linksys kit contemporary with the WRT54G. All this ends up crammed precariously on a bedroom dresser because that was where the local cable company decided to mount their connection for the modem, hence the desire to keep the box count down. Maybe when we get fibre (eyeroll) we can convince them to mount the gear in another room more amenable to a little equipment cabinet/rack.
What RAM does this “beelink” have (I’ve never heard of them)?
IPS can be very memory intensive if you add lots of rules, regardless of how their behaviour is set. (You can check the table size)
Also, what else do you have enabled? Do you have Zenarmor also installed and running? That is another memory-hungry app (it does the same thing, so either use Zenarmor or IPS, not both).
Finally, do you have offloading disabled for the interfaces? Under Interfaces -> Settings you need to disable Hardware CRC, TSO and LRO at the least for IPS to work. You might have to disable VLAN HW filtering as well.
These last settings are probably the most common reason for IPS failing. Drivers are almost always broken for these functions, particularly in HardenedBSD/FreeBSD. IIRC these are off by default in pf, but on in OPN.
That’s a good point on the memory. I actually installed with ZFS on root instead of UFS like I had on pfSense, which uses more RAM. All the hardware offloading is disabled, so I think RAM is the culprit as I’ve only got 8 GB in there.
I don’t think it’s the IPS rules themselves because they were set to Alert only. I just enabled a few of the standard rule sets that are available.
I’m using a Beelink GK55 and seemed to be fine with pfSense.
As for the topology, I’ve got one ipv4 WAN gateway on one NIC, and the other NIC is for the LAN which connects through a couple UniFi switches. There are 3 VLANs as well.
Each network is different. I did this for my network which has multiple subnets and internal DNS servers sitting on the “server” subnet. The “server” subnet is excluded, since devices in there are more tightly controlled (and it would create a routing loop).
Granted, it may not be the best way, but here is how I did it:
Create Firewall Alias group (type: hosts) with IP addresses of internal DNS servers (PiHoles, in my case).
Create NAT Port Forward to route all traffic on port 53 to the alias (TCP/UDP, source: network, destination: !network on port 53, redirect target: DNS alias, redirect port: 53) for each network
Each network (except the “server” network) has the below rule set (order is important)
Allow TCP/UDP 53 to DNS alias
Drop all TCP/UDP 53
Drop all TCP/UDP 853
Drop all TCP/UDP 443 traffic to external DNS over HTTPS alias group
Since NAT port forward rules are processed before interface/network rules, any device using port 53 for DNS (regardless of the IP address they have set) will automatically (and transparently) get redirected to my PiHole servers. The drops are in place so devices that try to use other common DNS methods are blocked. Generally, those devices will then default to the DHCP DNS servers.
I have been running this config for a few years and have found a few downsides:
You can’t visit websites that have the same addresses as their DNS hosts, i.e. 1.1.1.1
Although github.com/jpgpi250/piholemanual is updated regularly, it has contained the odd false-positive (GitHub pages had a weird overlap at one point) breaking legitimate HTTPS traffic
My PiHole servers are configured to allow queries from all origins (theoretical security risk)
Hope this helps! And remember to be careful when messing with DNS and clear those caches when testing.
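The five steps above written out as a pf.conf fragment for one client network, to show why the order works: translation (rdr) runs before filtering, so the pass rule already sees the rewritten destination. This is an added example, not the poster's configuration or the rules OPNsense generates; the interface name, addresses and the DoH table file are assumptions.

```pf
# Constructed example: one client VLAN on igc1. Repeat the rdr and filter
# rules per client network, but leave the "server" network out (its hosts
# are the resolvers, so redirecting them would loop).
lan_if = "igc1"

# Alias of internal resolvers (the PiHoles) - addresses are assumptions.
table <internal_dns> { 192.168.10.53, 192.168.10.54 }
# Alias of public DNS-over-HTTPS endpoints, loaded from a file you maintain.
table <doh_providers> persist file "/usr/local/etc/doh_providers.txt"

# Step 2: port forward. pf applies rdr before any filter rule, so a query
# to 8.8.8.8:53 from a client is rewritten to a PiHole before filtering.
# "! (network)" keeps same-subnet traffic (e.g. to the firewall) alone.
rdr on $lan_if inet proto { tcp, udp } from ($lan_if:network) \
    to ! ($lan_if:network) port 53 -> <internal_dns> port 53 round-robin

# Steps 3-6: first-match ("quick") filter rules, in the order the post gives.
# Matches both direct queries to the PiHoles and the redirected ones,
# because the destination has already been translated at this point.
pass in quick on $lan_if inet proto { tcp, udp } \
    from ($lan_if:network) to <internal_dns> port 53

# Safety net for any port-53 traffic the redirect did not catch.
block in log quick on $lan_if inet proto { tcp, udp } \
    from ($lan_if:network) to any port 53

# DNS over TLS bypass attempts.
block in log quick on $lan_if inet proto { tcp, udp } \
    from ($lan_if:network) to any port 853

# DNS over HTTPS to the known provider addresses (only those; plain web
# traffic on 443 to everything else is unaffected).
block in log quick on $lan_if inet proto tcp \
    from ($lan_if:network) to <doh_providers> port 443
```

The `log` keyword on the block rules is what lets you see in the firewall log which devices keep trying other resolvers, which is the case the reply below describes.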
Some devices or software will ignore what the OS or network are telling them and use their own DNS servers, mainly to bypass filtering. If that’s what’s happening then you’re mostly out of luck. The best you could do is set up firewall rules to block those other servers, assuming they all even use port 53, but that would probably just prevent those devices from working at all.
It’s not completely out of the question that you could intercept and redirect those requests, if they’re not encrypted
Reviving this for the new year, in case someone else runs into this issue… I finally solved it.
The problem was a glitch in the docker compose/portainer. I had my ports in docker compose set to 80:80/443:443, but when the container was deployed, it assigned 1880:80/18443:443 because of…reasons, and I didn’t notice until going through it all line by line 🤦.
Redeploying the stack/container didn’t solve it, so I changed the time zone to another city, redeployed and voilà, everything works perfectly, as it should!
Yes, I added it in the set up, just used the dropdown that automatically adds rules. Also tried deleting the automatic rules and adding the same manually, still nothing ☹️
This is driving me nuts and I may end up looking for another solution.