Messages - XeroX

#106
20.7 Legacy Series / Aliases broken?
May 14, 2020, 11:26:07 PM
Hello,
I added an Alias named, for example, ABCD. I selected URLs (IPs) and added to Domains. Saved and pressed "Apply".

pfTable showing -> ABCD stays empty even with URLs Table.

Is this correct behavior?

Cheers
#107
20.7 Legacy Series / Monit PAM Authentication
May 13, 2020, 10:31:26 PM
Hello,
is it intended that Monit offers PAM Authentication and it's actually even displayed in the settings but does not work?

I can see an upstreamed root password in monitrc, but it's obviously not mine.

The pam.d file seems to be missing. Intended or bug?
#108
Had this issue with "Vivaldi" as well.

Signed up with Firefox.
#109
Okay thank you.

Got it working. Rule must be at the TOP with LAN IN.

IPv4 UDP   ! Pi-Hole   *   *   53 (DNS)   *   *   
#110
Anyone willing to assist me to allow DNS traffic to Internet from Pi-Hole (and firewall itself) but deny from every other host?
#111
20.7 Legacy Series / Re: Hyperscan and IPS Policy
May 11, 2020, 12:52:09 PM
Okay thank you!

How can I install ports on OPNsense? Or get portsnap?

Downloading the Repo as ZIP and trying to recompile hyperscan gives me the following message:
===>  hyperscan-5.2.1 pkg(8) must be version 1.13.0 or greater, but you have

Did I miss something?


nvm, found it: https://docs.opnsense.org/manual/software_included.html
#112
20.7 Legacy Series / Re: Hyperscan and IPS Policy
May 10, 2020, 03:14:43 PM
Created a patch myself and wrote/sent the maintainer on FreeBSD Ports.

Got updated: https://github.com/freebsd/freebsd-ports/commit/c245ea082c9920167f214d9755d1c0138717afaf

@franco
Do you compile releases with "core2" or "native" cflags? Which CPU do you use on the build machine?

EDIT: I saw you compile with "NATIVE":"off". Is it possible to get hyperscan with SSE4_2, POPCNT and AVX2 flags?
#113
20.7 Legacy Series / Hyperscan and IPS Policy
May 09, 2020, 07:24:34 PM
Hello there,
first of all thx for all the time you invest in development.

Is it possible to get an upgrade of hyperscan? 4.7.0 is more than 3 years old and hyperscan got some performance improvements over time, with currently 5.2.1.

5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst

Right now you compile it with "core2" (SSE3), which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting Haswell). This would improve performance further. Or do you compile with 'NATIVE'?

I'm not familiar with pkg mgmt, chances to get multiple configurations for that? Like choosing the appropriate hyperscan package?

https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime

For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------

Second question, snort rules have an ips policy within the file, right now "balanced" seems to be the default that's activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chances to get a field to choose which policy will be activated (besides the rules I've chosen myself)?

https://www.snort.org/faq/why-are-rules-commented-out-by-default


Quote
TL;DR

  • Update Hyperscan to 5.2.1
  • Compile Hyperscan to benefit from SSE4 and/or AVX2
  • Make use of policies in IDS/IPS Rulesets (balanced, max-detect, etc)


Thanks for reading and your hard work!
#114
Hello,
I've set up my OPNsense, switching from UniFi. I've some basic questions.

1. I set up WireGuard via this:
https://wiki.opnsense.org/manual/how-tos/wireguard-client.html
and
https://www.thomas-krenn.com/de/wiki/OPNsense_WireGuard_VPN_für_Road_Warrior_einrichten#Firewall_Regel_f.C3.BCr_WireGuard
this guide.

I partly skipped configuration of Step 2c of the first guide.

Everything is set up and when the WireGuard Interface is not assigned, internal traffic isn't working.
Assigning the Interface allows me internal + external traffic via VPN even without the Firewall NAT Outbound Rule.
What am I doing wrong?

2. I'm using Pi-Hole as DNS. Works like a charm.

However, I want to block all other DNS traffic; only Pi-Hole is allowed to connect to external DNS.

- WAN-OUT <Pi-Hole> DST* TCP/UDP 53
- WAN-OUT * DST* TCP/UDP 53

With these rules Pi-Hole is blocked as well, why? Stop on first match is ticked.

Cheers