Messages - werner

#1
General Discussion / Re: https://meltdownattack.com/
January 07, 2018, 03:30:00 PM
I'm not really convinced attacks are only possible through local access; what about hypervisors? It seems even attacks from one VM to fetch another VM's data are possible. VMware has patches, but those work together with the OS patches. If that's the case, any VM running on the same hypervisor host could be used to attack.

That's the type I'm most worried about, since we use OPNsense in a vCloud environment where of course other customers have VMs.
#2
No replies?

No one has experience with a transparent firewall with HA?
#3
Hi,

I'm in the middle of building a redundant firewall / IDS solution where using NAT isn't really an option. So I was reading and experimenting a bit with bridging and CARP and how to use them for my situation.

I found some information on the pfSense forum that seems useful, but it is based on somewhat older versions, and I'd like to be sure it won't be overwritten by updates, of course.

I've seen two different solutions. One is based on a bridge for each firewall plus an extra interface for management. By implementing a VIP on the management interfaces there's a CARP interface that can be checked with devd. Once the state of the CARP interface changes, a script is called that transfers the bridge into the right state.

https://forum.pfsense.org/index.php?topic=45971.0

The other solution uses ifstated to detect the state of the CARP interface and configures what to do with the bridge accordingly.

https://forum.pfsense.org/index.php?topic=6516.0

I also thought about STP, but I think it won't work because both OPNsense firewalls will be virtual machines on VMware. vSwitches themselves don't support STP, and the physical switch ports are, because of the vSwitches, shared between multiple VMs. So I don't think that's going to work.

Both solutions, devd and ifstated, seem to do what I want: simply enable/disable a bridge together with a CARP interface when the router is primary or backup.

Are there any advantages / disadvantages to either method? Are they complete, or am I (or the writer) missing something? And can I configure them manually without the risk of being overwritten in a future update of OPNsense?
Any help pointing me in the right direction is appreciated, plan is to make a howto out of this so other people might benefit from it as well.

Best regards,

Werner Reuser
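As an added illustration of the devd approach described in this post (this is not code from the thread, from the linked pfSense topics, or from OPNsense itself), a small handler that maps a CARP state event to a bridge up/down action. The bridge name, the VHID, the script path and the devd.conf stanza shown in the comment are assumptions; devd passes the event's subsystem as "<vhid>@<ifname>" and its type as MASTER, BACKUP or INIT.

```shell
#!/bin/sh
# Assumed devd.conf stanza (not from the thread) that calls this script:
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "[0-9]+@[0-9a-z]+";
#       match "type"      "(MASTER|BACKUP|INIT)";
#       action "/usr/local/sbin/carp-bridge.sh $subsystem $type";
#   };
# Assumed names: the transparent bridge is bridge0 and the CARP VIP uses VHID 1.
BRIDGE_IF="${BRIDGE_IF:-bridge0}"
CARP_VHID="${CARP_VHID:-1}"

# carp_bridge_action VHID@IFNAME STATE
# Prints "up" when this host became MASTER for our VHID, "down" when it is
# BACKUP or INIT (not master, so the bridge must not forward or a second
# forwarding path appears), and "ignore" for other VHIDs or unknown states.
carp_bridge_action() {
    vhid="${1%%@*}"
    case "$2" in
        MASTER)
            [ "$vhid" = "$CARP_VHID" ] && echo up || echo ignore ;;
        BACKUP|INIT)
            [ "$vhid" = "$CARP_VHID" ] && echo down || echo ignore ;;
        *)
            echo ignore ;;
    esac
}

# apply_bridge_action up|down|ignore: touches the interface only for up/down.
apply_bridge_action() {
    case "$1" in
        up)   ifconfig "$BRIDGE_IF" up ;;
        down) ifconfig "$BRIDGE_IF" down ;;
    esac
}

# Act only when invoked by devd with the two event arguments; running the
# file without arguments (or sourcing it) changes nothing on the host.
if [ $# -eq 2 ]; then
    action=$(carp_bridge_action "$1" "$2")
    logger -t carp-bridge "CARP $1 -> $2: bridge $BRIDGE_IF $action"
    apply_bridge_action "$action"
fi
```

The decision is kept in a pure function so it can be checked without touching interfaces; events for other VHIDs on the same host are deliberately ignored.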



#4
OK, found a solution through the client export page: /vpn_openvpn_export.php. Extra remote lines can be added there.

Extra option lines can be added in here too. The only thing is that it isn't possible to save settings there, at least I don't have a save button there. Is it supposed to be this way?

Would be nicer if you could save those settings for future usage.

#5
Hi,

I'm trying to figure out how to get multiple

remote xxx.xxx.xxx.xxx tcp-client

lines in the autogenerated client config for OpenVPN.

I have two OpenVPN servers that cannot use CARP due to vCloud restrictions; they sync users, certificates, firewall rules etc. so they can both be used. Using multiple remote lines in the OpenVPN client config causes the client to use the backup server if the primary fails.

I just cannot figure out if this can be done using the GUI... Or is there any other way (override a template) to accomplish this? There are just too many VPN users to manually fix each person's client config file :(

Best regards,

Werner
#6
Hi,

I'm running into trouble using OPNsense with CARP. It all worked fine in a test environment where I was able to put vSwitches into promiscuous mode with forged transmits enabled. However, the production vClouds we use are IaaS, and using these settings is not supported there.

I was wondering if it's possible to use Keepalived on OPNsense, as this works out of the box in our vClouds; I have a few VyOS routers and a few CentOS boxes using it.

Other options/solutions are welcome as well. The problem with CARP seems to be that the MAC address of a CARP interface doesn't match the MAC of the physical interface.

I really like to use OPNsense as a VPN solution as it integrates nicely with my AD.

Is it possible to use the XMLRPC sync without CARP? That way I could potentially use a manual failover instead of CARP... If the config (users, LDAP, certs) is available, I only have to add IP addresses manually.
#7
What interface type are you using in VMware?

Can't say much about OPNsense performance when virtualised, but I do have a few VyOS routers on VMware backed by 10Gbit connections; performance has never been an issue. Using VMXNET3...
#8
16.7 Legacy Series / Re: Suricata IDS modifications
December 15, 2016, 04:53:57 PM
Hi Franco,

No problem, everyone's busy ;)

I'm not sure if Suricata allows items already defined in the template to be overridden; otherwise just a simple optional include of a file containing custom config would be sufficient.

What would be a useful option is more filtering options in the rules tab, and especially a filter to select enabled/disabled rules in a category. It's a lot of work now to find all enabled or all disabled rules. I was going through them to enable them all, just temporarily, to generate as much logging as possible for testing purposes.
#9
16.7 Legacy Series / Re: Suricata IDS modifications
December 15, 2016, 08:53:02 AM
Nobody knows if the suricata.yaml file is being overwritten during an update?
#10
16.7 Legacy Series / Suricata IDS modifications
December 13, 2016, 04:48:44 PM
Hi,

I'm in the middle of a kind of pilot project for implementing IDS in front of our SaaS network. I selected OPNsense as it is a firewall solution that's capable of HA and integrates Suricata.

Testing went well so far but I need to do some changes to the Suricata configuration.

I'd like to implement some more rulesets, for example. I already found this issue: https://github.com/opnsense/core/issues/1219
Perfect for home-made rules, but not for fetching the latest versions of ruleset files externally. I guess the URL list of standard rulesets to update is configured somewhere; any chance it can be modified to add some extra URLs?

Apart from that, I'd like to be able to make changes to suricata.yaml. Is that possible without my config changes being overwritten during the next update? I've seen the package lockdown functionality; that seems nice, but I do want the software to be updated, without changing my specific config. Is there any mechanism for custom configuration?

Everything else is impressive, very nice clean web interface. However, I do feel a bit of an alien coming from Vyatta/VyOS; some concepts really differ coming from there. Keep up the good work!