Open MrCybertux opened 5 months ago
@MrCybertux, let's see if I can address your questions here:
On VPN you can't block access to the WebGUI; even with an explicit forbidden rule we could still get to the GUI. A: I need more information to understand what you have tried to do, but it's totally possible to block access to the OPNSense Admin GUI using a firewall rule. By default we create a rule allowing access from the WAN interface for people using it for labs. For a production environment I would remove this rule and set it up to only allow access from a possible management interface. You could create either a rule on each interface or a Floating rule to restrict the access.
Aliases seem to work 50% of the time; for some rules we had to use the IPs behind the aliases because otherwise the rules would not be active. A: If you mean aliases using URLs, this is an OPNSense feature which tries to resolve all the IPs for a given FQDN, caches them and dynamically uses the IPs found from a DNS query in the desired rule. If the DNS is failing to resolve you might have problems with it. Reference: https://docs.opnsense.org/manual/aliases.html
We tested the VPN setup and had 3 test users online, but OpenVPN only showed one connection from the user undefined. A: If you are using the Active-Active option you might have to check both firewalls. I never saw this condition.
For the Active-Active scenario there are a bunch of limitations in OPNSense: it only syncs the memory state table from the Active node to the Passive node, so if a connection is initiated on the Passive server the Active one will never be aware of it. It causes asymmetry in traffic. If you are considering OPNSense in a production environment with HA you should be using an Active/Passive solution and come up with a solution to auto change the UDR in Azure in case of an outage in the primary server.
For a production environment I would highly recommend the OPNSense official deployment option. Reference: https://docs.opnsense.org/manual/how-tos/installazure.html
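The reply above leaves the Azure side of the Active/Passive design as an exercise: something has to repoint the user-defined routes (UDR) from the primary OPNsense node to the secondary when the primary goes down. The script below is an added example of that failover logic; it is not part of this repository or of OPNsense. It assumes two firewall LAN-side addresses (10.0.1.4 and 10.0.1.5), a TCP probe against port 443 as the liveness check, and route-table JSON in the shape returned by `az network route-table route list -o json` (`name`, `addressPrefix`, `nextHopType`, `nextHopIpAddress`); the resource group and route table names are placeholders. Only routes whose next hop is a VirtualAppliance pointing at the failed node are touched, and nothing is changed when the primary is healthy or when both nodes are down, since repointing traffic at a dead standby gains nothing. The sample route list is constructed for the example.

```python
"""Repoint Azure UDR next hops from a failed OPNsense node to its standby.

Added example (not OPNsense or Azure code). Assumptions: probe port 443,
az CLI available for the actual update, route JSON in `az network
route-table route list` shape. Resource group / route table names are
placeholders.
"""
import json
import socket
import subprocess

PRIMARY_IP = "10.0.1.4"    # assumed primary OPNsense LAN-side address
SECONDARY_IP = "10.0.1.5"  # assumed secondary OPNsense LAN-side address
PROBE_PORT = 443           # assumed liveness port (admin GUI / HTTPS)


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def routes_to_move(routes, failed_ip, standby_ip):
    """Select UDR routes that currently send traffic through failed_ip.

    Routes with other next-hop types (Internet, VnetLocal, ...) or pointing
    at a different appliance are left untouched.
    """
    moves = []
    for r in routes:
        if r.get("nextHopType") != "VirtualAppliance":
            continue
        if r.get("nextHopIpAddress") != failed_ip:
            continue
        moves.append({"name": r["name"],
                      "addressPrefix": r.get("addressPrefix"),
                      "newNextHop": standby_ip})
    return moves


def az_update_command(resource_group, route_table, move):
    """Build the az CLI argv that repoints one route at the standby node."""
    return ["az", "network", "route-table", "route", "update",
            "--resource-group", resource_group,
            "--route-table-name", route_table,
            "--name", move["name"],
            "--next-hop-type", "VirtualAppliance",
            "--next-hop-ip-address", move["newNextHop"]]


def failover(routes, primary_ip, secondary_ip, primary_up, secondary_up,
             resource_group="rg-firewall", route_table="rt-lan", apply=False):
    """Decide which routes to move and return the az commands for them.

    No change is made while the primary answers, or when the secondary is
    also down (repointing at a dead standby only adds churn). With
    apply=True the commands are executed via the az CLI.
    """
    if primary_up or not secondary_up:
        return []
    cmds = [az_update_command(resource_group, route_table, m)
            for m in routes_to_move(routes, primary_ip, secondary_ip)]
    if apply:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample of `az network route-table route list -o json` output.
SAMPLE_ROUTES = json.loads("""[
 {"name": "to-payment-provider", "addressPrefix": "203.0.113.0/24",
  "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
 {"name": "default", "addressPrefix": "0.0.0.0/0",
  "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
 {"name": "vnet-local", "addressPrefix": "10.0.0.0/16",
  "nextHopType": "VnetLocal", "nextHopIpAddress": null}
]""")

if __name__ == "__main__":
    primary_up = probe_tcp(PRIMARY_IP, PROBE_PORT)
    secondary_up = probe_tcp(SECONDARY_IP, PROBE_PORT)
    for cmd in failover(SAMPLE_ROUTES, PRIMARY_IP, SECONDARY_IP,
                        primary_up, secondary_up):
        print(" ".join(cmd))
```

Run it from a scheduled job or a small VM with a managed identity that has write access to the route table only; a single probe is a weak signal, so in practice require several consecutive failures before calling `failover(..., apply=True)`, and run the same function with the node roles swapped for failback.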
Hi,
Sorry to say, but the OPNsense we were setting up did not work as expected in any sense. We wanted to set up a high availability setup for a customer which needs a VPN to connect to his payment providers. We noticed the following problems:
On VPN you can't block access to the WebGUI; even with an explicit forbidden rule we could still get to the GUI.
Aliases seem to work 50% of the time; for some rules we had to use the IPs behind the aliases because otherwise the rules would not be active.
We tested the VPN setup and had 3 test users online, but OpenVPN only showed one connection from the user undefined.
So of the three wanted functions, routing, firewalling and VPN gateway, only routing worked correctly. I would say this project is still in beta and not production ready.