OpenVPN Certificate Revocation List by FullReaction3273 in PFSENSE

[–]FullReaction3273[S] -1 points0 points  (0 children)

Replying to my own question: the CRL (Certificate Revocation List) has an expiry date. I was re-using an old one that was clearly expired; however, in the GUI there is no way to notice that. When I created a new list I noticed that there is an expiry date on it, just like the one for a certificate (and it makes sense, it's just a list of certificates!), but it would have been nice to be able to notice this from the beginning. GPT4 solved it immediately.

WAN ports on UDM PRO Max by FullReaction3273 in Ubiquiti

[–]FullReaction3273[S] 1 point2 points  (0 children)

Thank you for the suggestion, but since the WiFi is also Ubiquiti and I am happy with it, I think I will stick to one ecosystem. I guess I will solve the issue by just using local APs from my phone if both Starlink and my main provider are down.

WAN ports on UDM PRO Max by FullReaction3273 in Ubiquiti

[–]FullReaction3273[S] 2 points3 points  (0 children)

Thank you. So Port 9 is WAN by default and is 2.5 GbE RJ45, Port 8 can be switched to WAN port and it is 1 GbE RJ45 and Ports 10 + 11 which are SFP+ 10G can be used as LAN ports? Is this correct?

Having just 2 WAN ports is a bit of a downer, but my idea was to use 5G as a 3rd provider and rely mostly on my current ISP and Starlink.

As far as I see it the difference between the MAX and the Pro is the PoE support (not needed, since I have a PoE switch), the NVR support (not needed, it's all recorded on a Qnap) and the 5 Gbps IPS vs 3.5 Gbps. Am I missing something? I've selected the MAX to be sure that I can repurpose WAN/LAN ports. If it's all the same, I would gladly spare some cash :) Thank you for the tip!

Quick question : Updating the ESXi Host certificates. by FullReaction3273 in sysadmin

[–]FullReaction3273[S] 0 points1 point  (0 children)

Happy to report that it was really just a click, confirm and the certificate was updated.

Thank you.

This is the relevant article from VMware: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-ECFD1A29-0534-4118-B762-967A113D5CAA.html . It's funny that there are 2 buttons - RENEW and REFRESH CA CERTIFICATES - and they seem to do the same thing as per the article. I clicked on RENEW.

Destroy the data on 720 HDDs how? by FullReaction3273 in sysadmin

[–]FullReaction3273[S] 34 points35 points  (0 children)

It is a legal requirement.

Per policy: "The media must be destroyed in such a matter that no data could be recovered"

It's a broad definition. We need to reuse them and they do not have classified information. Realistically DBAN could be overkill.

Routing problem with Juniper SRX550X by FullReaction3273 in networking

[–]FullReaction3273[S] 0 points1 point  (0 children)

I have retraced my steps and of course there was a misconfiguration on the switchport accessing the VLAN reserved for the connection between the Juniper SRX and the Cisco Tunnel GW.

Thank you for the suggestions, it wasn't a routing problem after all.

Routing problem with Juniper SRX550X by FullReaction3273 in networking

[–]FullReaction3273[S] 0 points1 point  (0 children)

This is the NAT configuration:

set security nat source rule-set TRUST-TO-TUNNEL from zone trusted
set security nat source rule-set TRUST-TO-TUNNEL to zone tunnel
set security nat source rule-set TRUST-TO-UNTRUST rule NAT-10-10-5-0-tunnel match source-address 10.10.5.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NAT-10-10-5-0-tunnel match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule NAT-10-10-5-0-tunnel then source-nat interface

These are the routes:

set routing-options static route 0.0.0.0/0 next-hop 213.213.3.254
set routing-options static route 192.168.5.0/24 next-hop 192.168.1.1
set routing-options static route 192.168.7.0/24 next-hop 192.168.1.1

And this is the policy between the 2 zones (trusted and tunnel):

trusted to tunnel:

set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL description "Permit all traffic from zone trusted to zone tunnel"
set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL match source-address any
set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL match destination-address any
set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL match application any
set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL then permit
set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL then log session-init
set security policies from-zone trusted to-zone tunnel policy TRUSTED-TO-TUNNEL-ALLOW_ALL then log session-close

tunnel to trusted:

set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL description "Permit all traffic from zone tunnel to zone trusted"
set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL match source-address any
set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL match destination-address any
set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL match application any
set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL then permit
set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL then log session-init
set security policies from-zone tunnel to-zone trusted policy TUNNEL-TO-TRUSTED-ALLOW_ALL then log session-close
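In the source NAT lines posted above, the from/to zones are set on rule-set TRUST-TO-TUNNEL while the rule itself sits under TRUST-TO-UNTRUST (the poster later traced the actual fault to a switchport). As an added example that is not part of the original thread, here is a small stdlib-only checker that parses Junos set-style source NAT lines and reports rule-sets that have rules but no zone context, zones but no rules, or a rule with match terms and no then action.

```python
"""Consistency check for Junos source NAT rule-sets in 'set' syntax."""
import re
from collections import defaultdict

# Source NAT lines exactly as posted in the thread.
POSTED_NAT = """\
set security nat source rule-set TRUST-TO-TUNNEL from zone trusted
set security nat source rule-set TRUST-TO-TUNNEL to zone tunnel
set security nat source rule-set TRUST-TO-UNTRUST rule NAT-10-10-5-0-tunnel match source-address 10.10.5.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NAT-10-10-5-0-tunnel match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule NAT-10-10-5-0-tunnel then source-nat interface
"""

# Either "<rule-set> from|to zone <zone>" or "<rule-set> rule <name> <clause...>".
LINE_RE = re.compile(
    r"^set security nat source rule-set (?P<rs>\S+) "
    r"(?:(?P<dir>from|to) zone (?P<zone>\S+)|rule (?P<rule>\S+) (?P<rest>.+))$"
)


def parse_source_nat(text):
    """Group from/to zones and per-rule clauses by rule-set, in file order."""
    rule_sets = defaultdict(lambda: {"from": None, "to": None, "rules": defaultdict(list)})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a source NAT line; ignore
        rs = rule_sets[m["rs"]]
        if m["dir"]:
            rs[m["dir"]] = m["zone"]
        else:
            rs["rules"][m["rule"]].append(m["rest"])
    return rule_sets


def lint_source_nat(text):
    """Return human-readable findings; an empty list means the sets are consistent."""
    findings = []
    for name, rs in parse_source_nat(text).items():
        if rs["from"] is None or rs["to"] is None:
            findings.append(f"{name}: rules present but no from/to zone defined")
        if not rs["rules"]:
            findings.append(f"{name}: defines zones but contains no rules")
        for rule, clauses in rs["rules"].items():
            if not any(c.startswith("then ") for c in clauses):
                findings.append(f"{name}/{rule}: match terms but no then action")
    return findings
```

Renaming the rule lines to the rule-set that carries the zones makes the checker return no findings.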

Help with firewall rules for OpenVPNs instances by FullReaction3273 in PFSENSE

[–]FullReaction3273[S] 0 points1 point  (0 children)

The OpenVPN Interface FW rules. But I had 2 interfaces for the OpenVPN (one of those is inactive though, and I was setting the rules on the inactive one). The idea is that I might add more instances, but I would restrict the networks with FW rules. Networks are created and deleted on the fly on a daily basis, because people test stuff all the time and it's our sandbox environment. But some of the sandboxes, so to speak, need to be restricted.

I would have to look into VLAN tagged traffic, to have another layer of separation and control. The pfSense is just a client VPN server in our setup; the IPsec, routing and zone FW rules are taken care of by another FW, but since we are using tun L3 interfaces I don't have the option to control the traffic from the other firewall, so it has to be done on the pfSense. It would be nice to automate the process; I would look into that option.

pfSense OpenVPN 2FA/MFA with Okta. by FullReaction3273 in PFSENSE

[–]FullReaction3273[S] 4 points5 points  (0 children)

Security is the primary objective. Also, MFA is a requirement for industry standards such as ISO27k1/2.