Collabora-online: The requested URL /loleaflet/dist/admin/admin.html was not found on this server

You can start the port range from 10-21 and a second NAT with Ports 23-65535

or, if using 2222 for SSH, then 2 NAT rules:

Ports 10-2221
and
Ports 2223-65535

Port 2222 points to SSH and STAYS that way! :slight_smile:

But you’re right, if a local machine can’t get the page, the firewall isn’t going to change anything.

Also, you now see why I dislike having a firewall running on my NethServer. Even with AD (a virtualization inside a virtualization) things can get difficult, let alone using additional ports and proxies.

Like this, the firewall doesn’t interfere with what a local machine sees directly…

True, thanks again for pointing out the obvious :slight_smile: I need that from time to time :smiley:

For me the most critical port is the one I use to access the ProxMox host via cert-based SSH login, and that one can be left untouched, as you wrote.

The nice thing about something like this: the NethServer has its own firewall and can protect itself.
So quickly opening a whole range of ports is not that serious a problem, especially if only for a few short tests.

OPNsense does make it easy to do a range or two for tests like that!

:slight_smile:

Absolutely. I like the way we set up things more and more :smiley:

Fewer interconnected problems making life difficult.

Each box is, in itself, a working blackbox, and does NOT interfere with anything else on the network.

Changing accessibility / NAT or firewall rules will never disrupt internal processes, like a VM viewing an internally hosted webpage…

This does give a lot of flexibility; whether for troubleshooting or daily usage is up to you, the admin.

:slight_smile:

You are also aware of the possibility in OPNsense to do config backups automatically to your Nextcloud instance? The SSL has to be “official”, though. Let's Encrypt is fine, that's recognized.

Another cool feature is the restore itself. You can restore the whole thing, or just parts like VPN config, users or firewall stuff…

I’ll have a look. Doing automated config backups seems a good thing to have. But I’ll have to “officialise” SSL for OPNsense too; I only have this set up for NethServer until now. Until now, I just use the backup feature of ProxMox, which is incredibly fast on a little VM like the one OPNsense is running on.

I will probably do more tests in the next days with the port opening, but I start to think the problem is somewhere else. Reading another post, I just did:

su - lool followed by loolwsd status, and guess what, there it is:

wsd-05203-05203 2020-02-21 20:18:39.007141 [ loolwsd ] INF Initializing wsd. Local time: Fri 2020-02-21 21:18:39+0100. Log level is [8].| common/Log.cpp:191
wsd-05203-05203 2020-02-21 20:18:39.007204 [ loolwsd ] INF Setting log-level to [trace] and delaying setting to configured [warning] until after WSD initialization.| wsd/LOOLWSD.cpp:904
wsd-05203-05203 2020-02-21 20:18:39.007249 [ loolwsd ] WRN SSL support: SSL is disabled.| wsd/LOOLWSD.cpp:991
wsd-05203-05203 2020-02-21 20:18:39.007322 [ loolwsd ] INF NumPreSpawnedChildren set to 1.| wsd/LOOLWSD.cpp:1018
wsd-05203-05203 2020-02-21 20:18:39.007341 [ loolwsd ] INF MAX_CONCURRENCY set to 4.| wsd/LOOLWSD.cpp:1026
wsd-05203-05203 2020-02-21 20:18:39.007358 [ loolwsd ] INF Maximum concurrent open Documents limit: 10| wsd/LOOLWSD.cpp:1098
wsd-05203-05203 2020-02-21 20:18:39.007367 [ loolwsd ] INF Maximum concurrent client Connections limit: 20| wsd/LOOLWSD.cpp:1099
wsd-05203-05203 2020-02-21 20:18:39.007382 [ loolwsd ] TRC Pre-reading directory: /bin//loleaflet/dist| wsd/FileServer.cpp:460
Aborted
-bash-4.2$ -

So the warning about ssl support being disabled caught my attention.

But thanks again for bringing those really cool features to my mind, giving me the opportunity to learn much more about opnsense.
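The `loolwsd status` output quoted above carries two clues: a `WRN` line about SSL being disabled, and an `Aborted` right after a `TRC` line that names `/bin//loleaflet/dist` as the directory to pre-read. The following is an added example, not code from the post or from Collabora Online: a small parser for loolwsd's log line format that pulls out warnings, the last structured line before an abort, and any path containing an empty component (`//`), which is a hint that a base directory and a sub-path were joined with the base missing or mis-set. The sample log is constructed from a subset of the lines in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the `loolwsd status` output quoted in the post
# above (same line format; only a subset of the lines).
SAMPLE_LOG = """\
wsd-05203-05203 2020-02-21 20:18:39.007141 [ loolwsd ] INF Initializing wsd. Local time: Fri 2020-02-21 21:18:39+0100. Log level is [8].| common/Log.cpp:191
wsd-05203-05203 2020-02-21 20:18:39.007249 [ loolwsd ] WRN SSL support: SSL is disabled.| wsd/LOOLWSD.cpp:991
wsd-05203-05203 2020-02-21 20:18:39.007341 [ loolwsd ] INF MAX_CONCURRENCY set to 4.| wsd/LOOLWSD.cpp:1026
wsd-05203-05203 2020-02-21 20:18:39.007382 [ loolwsd ] TRC Pre-reading directory: /bin//loleaflet/dist| wsd/FileServer.cpp:460
Aborted
"""

# One loolwsd log line:
#   "<proc> <date> <time> [ <component> ] <LVL> <message>| <source>:<line>"
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\S+)\s+"
    r"\[\s*(?P<component>[^\]]+?)\s*\]\s+(?P<level>[A-Z]{3})\s+"
    r"(?P<msg>.*?)\|\s*(?P<src>\S+)$"
)

# Levels that deserve attention when reading a status dump.
ALERT_LEVELS = {"WRN", "ERR", "CRT", "FTL"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one structured log line, or None for unstructured
    output such as the shell's 'Aborted' message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text: str) -> Dict[str, object]:
    """Summarise a loolwsd log: alert-level messages, whether the process
    aborted, the last structured line before the abort, and any paths with an
    empty component ('//'), which usually means a configured base directory
    and a sub-path were joined with the base missing or wrong."""
    warnings: List[str] = []
    suspicious: List[str] = []
    last: Optional[Dict[str, str]] = None
    aborted = False
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            # Not a loolwsd line; the process being killed shows up as 'Aborted'.
            if raw.strip() == "Aborted":
                aborted = True
            continue
        last = rec
        if rec["level"] in ALERT_LEVELS:
            warnings.append(rec["msg"])
        for path in re.findall(r"/\S+", rec["msg"]):
            if "//" in path:
                suspicious.append(path)
    return {
        "aborted": aborted,
        "warnings": warnings,
        "last_before_abort": last["msg"] if (aborted and last) else None,
        "suspicious_paths": suspicious,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real output of `loolwsd status` (or the loolwsd log file) to get the same summary; the double-slash check is a heuristic, so treat a flagged path as something to compare against the static-file directory loolwsd is configured with, not as proof of the fault.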


Restoring just a “part” of the config, like users…

OPNsense doesn’t need an official SSL, just Nextcloud…

You also have the option of encrypted backups of OPNsense, or not. I prefer unencrypted; I make sure no one else has access. But I once was really glad when a client couldn’t find the Swisscom VDSL document (Zugangsdaten, i.e. the access credentials). That would have meant a 3-5 day delay with no internet or telephone, as they will only send this info by registered mail…
This info was in the backup file, in clear text!

:slight_smile:

Ah, ok. Understood. Even better :slight_smile:

Off topic: looked at the last 500 lines of /var/log/messages. omg :slight_smile:
I definitely have to change SSH and disable password auth, thus switching to cert-based on the NethServer too, as I already did a long time ago for the host system. Way better than enabling fail2ban to eliminate all those useless log entries. :slight_smile:

Cert-based is much faster and more secure, too!

Yep, was just too lazy to do that on NethServer yet, but those entries, two or three attempts per second, make me think I should do it sooner rather than later :smiley: Will have to check other VMs like OPNsense, FOG server and Pi-hole too, but I think SSH ports are not open there…
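The step discussed above, disabling password authentication and going key-only, is usually done by editing sshd_config and then trusting a grep. Two sshd_config rules make a grep unreliable: for every keyword the first value wins (a later `PasswordAuthentication no` does not override an earlier `yes`), and anything after a `Match` line applies only to matching connections. The following is an added example, not the post's or OpenSSH's code: an offline audit that parses sshd_config with those rules, applies the compiled-in defaults for absent keywords, and reports deviations from a key-only policy. The two config samples and the 192.168.10.0/24 Match criteria are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config samples (assumed for the example, not from the post).
WEAK_CONFIG = """\
# Typical stock configuration: password logins on, root may log in with a password
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""

# Compiled-in defaults that apply when a keyword is absent (OpenSSH 7.x sshd_config(5)).
# ChallengeResponseAuthentication matters because with PAM it is a second
# password path, so leaving it at its default keeps password logins possible.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Values accepted for a key-only server.
ACCEPTABLE = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return (global settings, Match-scoped settings as (criteria, key, value)).

    Mirrors two sshd_config rules: the FIRST value seen for a keyword wins, and
    keywords after a 'Match' line are scoped to that block, not global policy.
    Keywords are case-insensitive; 'Key value' and 'Key=value' are both accepted.
    """
    global_cfg: Dict[str, str] = {}
    scoped: List[Tuple[str, str, str]] = []
    current_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = val
            continue
        if current_match is not None:
            scoped.append((current_match, key, val.lower()))
        else:
            global_cfg.setdefault(key, val.lower())  # first value wins
    return global_cfg, scoped


def audit_sshd_config(text: str) -> List[str]:
    """List deviations from a key-only login policy; an empty list means compliant."""
    global_cfg, scoped = parse_sshd_config(text)
    findings: List[str] = []
    for key, ok in ACCEPTABLE.items():
        val = global_cfg.get(key, DEFAULTS[key])
        if val not in ok:
            where = "set to" if key in global_cfg else "defaults to"
            findings.append(f"{key} {where} {val!r}, expected one of {sorted(ok)}")
    # A Match block can quietly re-open password logins for a subnet or group.
    for criteria, key, val in scoped:
        if key in ACCEPTABLE and val not in ACCEPTABLE[key]:
            findings.append(f"Match {criteria!r} re-enables {key}={val!r}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On the live host, `sshd -T` prints the effective values after sshd's own parsing and is the authoritative check; this script is for reviewing a config file before it is deployed. Keep an existing session open while restarting sshd so a mistake cannot lock you out of the only open port.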

Did you check if, internally, the DNS is correct for SSL? SSL needs a hostname; an IP does not work correctly, especially with proxies / reverse proxies in between…

You mean for cloud.mydomain.com? I have set dns entries in nethserver for internal translation to internal nethserver ip, so I can successfully open the page cloud.ourdomain.com from vms in green network and it translates to the green ip of nethserver. That works fine.

SSH can be opened on opnsense, and so can cert based ssh!
Also a good idea is to enable serial access.

System -> Settings -> Administration (System -> Einstellungen -> Verwaltung)

Proxmox can virtualize a connection, say from your Windows/Linux VM. Screen works wonders in Linux with serial connections, if you NEED troubleshooting on OPNsense. With local AND Proxmox backups, I never needed that, but it’s still good to have…

Sure, but for now I did not yet open it, I think, unless it was open on the image I had received. But I recall not having seen an open port when going through the settings, and I leave it like this for now. I prefer only having one single open port to the Proxmox host, and ssh to it, opening a port with -L xy:internalip_opnsense:80

I’ll check that too (serial access), but not tonight :slight_smile:

Another good idea is to replicate the NethServer DNS entries in OPNsense (unbound). If upgrading/updating or during maintenance, all internal stuff still gets resolved correctly…

And set that on those boxes with a fixed IP; in DHCP it can be set in NethServer as the second DNS.
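Replicating the NethServer DNS entries in OPNsense's unbound, as suggested above, means the internal names keep resolving while NethServer is being updated. The following is an added example, not code from the post, NethServer or OPNsense: a generator that renders a list of internal names and green-network addresses as unbound `local-zone`/`local-data`/`local-data-ptr` lines, refusing names outside the zone and addresses outside the green subnet so a typo cannot silently send internal traffic elsewhere. The host list, the 192.168.10.0/24 green subnet and the addresses in it are constructed assumptions; the OPNsense GUI's Unbound host overrides produce the equivalent entries.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed host list, assumed for the example: the internal names NethServer
# answers for on the green network and the green IPs they should resolve to.
GREEN_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed green subnet
HOSTS: List[Tuple[str, str]] = [
    ("cloud.ourdomain.com", "192.168.10.10"),      # Nextcloud on the NethServer green IP
    ("nethserver.ourdomain.com", "192.168.10.10"),
    ("proxmox.ourdomain.com", "192.168.10.2"),
]


def unbound_local_data(zone: str, hosts: Iterable[Tuple[str, str]],
                       allowed_net: Optional[ipaddress._BaseNetwork] = None) -> List[str]:
    """Render unbound 'local-zone'/'local-data' lines that replicate a set of
    internal A/AAAA records, plus the matching PTRs.

    'transparent' makes unbound answer from local-data where it has a record
    and still resolve every other name in the zone normally, so public names
    under the same domain keep working. Names outside `zone` or addresses
    outside `allowed_net` raise ValueError instead of being emitted.
    """
    zone = zone.rstrip(".").lower()
    lines = [f'local-zone: "{zone}." transparent']
    for name, ip in hosts:
        fqdn = name.rstrip(".").lower()
        if fqdn != zone and not fqdn.endswith("." + zone):
            raise ValueError(f"{fqdn} is not inside zone {zone}")
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if allowed_net is not None and addr not in allowed_net:
            raise ValueError(f"{fqdn} -> {addr} is outside {allowed_net}")
        rr = "A" if addr.version == 4 else "AAAA"
        lines.append(f'local-data: "{fqdn}. IN {rr} {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}."')
    return lines


if __name__ == "__main__":
    print("\n".join(unbound_local_data("ourdomain.com", HOSTS, GREEN_NET)))
```

After changing the resolver configuration, check from a green-network machine with `dig @<opnsense-ip> cloud.ourdomain.com` that the answer is the green IP and not the public one, since the whole point of the entry is to keep internal clients off the red-side NAT.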

Yeah, I have seen your entries in unbound, and now, understand why you have put it that way indeed!

In good Swiss German: Ficki & Müli !!!

:slight_smile:

(English translation: By hook or by crook…)

Yep, makes a lot of sense! Makes good sense for the red network. (OPNsense is not aware of the green one in my setup, so for green the only DNS is NethServer.)

Another idea would be providing a third (or fourth) NIC for OPNsense, with connection to the green network. No Routing or Firewalling, but access to OPNsense (Interface and Internal DNS…). On the green network, OPNsense is “just” a DNS server…

Note: This doesn’t interfere with anything existing!

Absolutely, had the same thought. True! I see there is still plenty of room for optimization :smiley:

I really am looking forward to after my holidays, when we get the hardware, so I’ll be able to start setting up two more local Proxmox nodes and implementing replication, HA and all these wonderful things while going live with our clients, rolling out images with FOG server and everything :smiley: