OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: xmichielx on May 29, 2017, 09:28:15 pm

Title: IPS enabled but nmap scans are allowed and no drops at all
Post by: xmichielx on May 29, 2017, 09:28:15 pm
Hi!
I am trying OPNSense:
OPNsense 17.1.7-amd64
FreeBSD 11.0-RELEASE-p10
OpenSSL 1.0.2k 26 Jan 2017

On an APU2C4 with Suricata enabled, IPS enabled, promiscuous enabled, interface: WAN, new rules installed and enabled ET-scan and more.
I also changed the rules from alert to drop.
No matter how hard I try: I don't see any blocks in my alerts tab using nmap -sS/nmap -sT against the WAN interface from a VPS to my OPNsense box.
I also noticed that I see no alerts at all, only STREAM alerts but no drops (I also expect Dshield and Compromised alerts from Chinese IP addresses but no alerts at all).

My questions:

1) am I missing something to trigger the alerts?
2) I did the eicar download before with the OPNsense test rules but no other rules are triggered
3) I have a VLAN interface connected to igb0 and use hardware offloading, all other hardware offloading is disabled (by default); should I disable the VLAN interface? I also use port forwarding for SSH, HTTP & HTTPS; can this cause issues?

I haven't experienced this with PFsense with suricata and/or snort.

Any pointers would be more than welcome :)

Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: csmall on May 29, 2017, 09:58:36 pm
The way it was explained to me is that OPNsense Suricata doesn't include the WAN IP in the list of home networks and therefore doesn't show all the 'chatter' that pfSense shows, because pfSense includes the WAN IP in the list of home networks.

I was pointed to the Suricata documentation and it specifically states that the home network file should only include local subnets/networks.

Seems to make sense to me.

Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: xmichielx on May 29, 2017, 10:21:06 pm
How do I fix this?
And if this all has to be arranged (I'm assuming I need to enable SSH and edit files by hand), why is this not in the documentation or fixed in a .X release?
Also the IPS + Feodo tracker documentation does not mention it?! -> https://docs.opnsense.org/manual/how-tos/ips-feodo.html
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: csmall on May 29, 2017, 10:58:55 pm
It seems like OPNsense Suricata is configured properly per the Suricata docs and pfSense is not.

Or I'm just missing something entirely.

Maybe Franco or Ad can add additional information.
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: xmichielx on May 30, 2017, 10:39:59 am
I opened a GitHub issue (as I experience this as an issue), ticket: https://github.com/opnsense/core/issues/1664
If one of the 2 gets closed I will close the latter one.
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: xmichielx on May 30, 2017, 01:53:10 pm
I closed it; adding the LAN & GUEST interfaces (if you have a GUEST interface, of course) helped create the correct blocks.
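Why selecting the LAN/GUEST interfaces makes the difference: OPNsense builds Suricata's $HOME_NET from the networks of the interfaces you select, and most ET rules have a header like `$EXTERNAL_NET -> $HOME_NET`. The constructed model below (added here, not OPNsense or Suricata code; it assumes Suricata's default `$EXTERNAL_NET = !$HOME_NET` and ignores ports and protocol) shows that a scan aimed at the WAN address never matches such a header when only LAN subnets are in $HOME_NET, while the same scan aimed at a port-forwarded LAN host does.

```python
import ipaddress

# Simplified model of Suricata rule-header variable matching.
# Constructed example; HOME_NET is whatever list of subnets the
# selected OPNsense interfaces contribute.

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def matches(ip, var, home_net):
    """Does `ip` satisfy the address variable `var` of a rule header?"""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_any(ip, home_net)
    if var == "$EXTERNAL_NET":          # Suricata default: !$HOME_NET
        return not in_any(ip, home_net)
    raise ValueError("unknown address variable: " + var)

def header_matches(rule_header, src_ip, dst_ip, home_net):
    """rule_header like '$EXTERNAL_NET -> $HOME_NET' (ports/proto omitted)."""
    src_var, arrow, dst_var = rule_header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are modelled")
    return (matches(src_ip, src_var, home_net)
            and matches(dst_ip, dst_var, home_net))

# Constructed addresses from documentation ranges (not the OP's real IPs).
WAN_IP = "203.0.113.10"       # firewall's WAN address
SCANNER = "198.51.100.7"      # external host running nmap
LAN_HOST = "192.168.1.20"     # LAN host behind a port forward
ET_SCAN_HEADER = "$EXTERNAL_NET -> $HOME_NET"

def scan_to_wan_alerts(home_net):
    """True if a scan of the WAN address can match an ET-scan style rule."""
    return header_matches(ET_SCAN_HEADER, SCANNER, WAN_IP, home_net)

def scan_to_forwarded_host_alerts(home_net):
    """True if a scan reaching a port-forwarded LAN host can match."""
    return header_matches(ET_SCAN_HEADER, SCANNER, LAN_HOST, home_net)

if __name__ == "__main__":
    lan_only = ["192.168.1.0/24", "192.168.2.0/24"]   # LAN + GUEST selected
    # WAN IP is outside $HOME_NET, so src and dst are both $EXTERNAL_NET:
    print(scan_to_wan_alerts(lan_only))                # False
    print(scan_to_forwarded_host_alerts(lan_only))     # True
    # Only if the WAN address itself were in $HOME_NET would it match:
    print(scan_to_wan_alerts(lan_only + [WAN_IP + "/32"]))  # True
```

The model also explains the "chatter" csmall mentions: putting the WAN address into $HOME_NET makes every unsolicited packet hitting the firewall itself eligible for `$EXTERNAL_NET -> $HOME_NET` rules.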
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: csmall on May 30, 2017, 03:52:36 pm
I read over the github issue and I feel like I get why the alerts don't show in the default configuration but I'm a little confused as to what is the proper way to configure it.

As Ad pointed out, the Suricata documentation says to only put LAN networks in home. His comments on lots of chatter make sense to me, but why are other projects/products defaulting to including WAN in home? And why does the OP want to change and keep this configuration in OPNsense if it is chatter?

Or is the recommended setting to enable LAN and WAN interfaces in IPS?

When I enable the LAN interface YouTube stops working on my network with no logged blocked alerts of any traffic. Not sure what's up with that. I'll troubleshoot it later today.
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: Taomyn on May 30, 2017, 05:14:09 pm
This is interesting. I always assumed, with my VLAN's PPPoE WAN connection being the only entry and nothing ever being logged, that it was an issue. I have now "remotely" removed WAN and added my LAN and GUEST_LAN, and I'm getting alerts. Not being on site I can't tell if it has had any negative effects, but the fact I can still remote into my network bodes well so far.
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: Taomyn on May 30, 2017, 09:27:21 pm
Just to follow up: enabling for just LAN and GUEST_LAN, I have so far not had any issues internally. I visited plenty of sites, including YouTube and Twitch, and they work perfectly.

So my only question is: is not having WAN included OK, i.e. am I any less protected?
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: csmall on May 31, 2017, 02:57:42 am
I tried enabling IPS on my LAN interface and it just seems to kill it.

The YouTube app doesn't work from mobile devices or TVs etc.; web browsing seems sluggish.

I tried disabling all rules and it made no difference. I also tried removing WAN and only doing LAN, but it always behaves the same way.

There are no block alerts when I enable LAN yet it seems to have a major impact when enabled.

What can I look at to troubleshoot this?
Title: Re: IPS enabled but nmap scans are allowed and no drops at all
Post by: Taomyn on May 31, 2017, 11:09:50 am
Well, it seems I'm not without issues: my 200Mbit connection is brought to its knees, with tests showing it going down to just 20Mbit. That explains why I thought YouTube was OK, as it's enough for that.

I have a separate thread asking about how to fully reset just IDS/IPS, but I'm not liking the response so far. I really don't want to fully reset the whole firewall.