Messages - kein

#1
Quote from: eptesicus on May 12, 2017, 08:57:53 PM

I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!

Have you tried other DNS providers? I tried PIA's DNS and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical whether I should use one of the slower, more secure DNSs.

Also... I just got back from a trip where I didn't have time to remote home, and I noticed that my VPN connection to the Netherlands had stopped and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something in OPNsense that could stop all traffic assigned to that tunnel and reconnect if the connection has dropped?

Thanks again!

Hi,

Thanks, OP, for the post; it works just fine.
For the kill-switch part, I got it done with an extra outbound NAT rule.
Rule to add after the ones concerning the VPN:
Clone the WAN default rule (LAN->WAN) and check "do not NAT".
Put the rule AFTER the rules specified by M4D and BEFORE the default rules.

Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
WAN | proxytraffic | * | * | * | NO NAT | * | NO | proxy killswitch

The rule blocks traffic from alias_proxytraffic from going through the normal WAN gateway,
since, if the VPN client goes down, the PC will fall back to the default WAN gateway.
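The outbound NAT ordering described in the post above, written out as an added pf.conf fragment (FreeBSD pf syntax). This is example code, not the post's rules or OPNsense's generated ruleset; the interface names em0 and ovpnc1, the table name and the LAN subnet are assumptions.

```pf
# Added example: VPN kill-switch via outbound NAT ordering (FreeBSD pf).
# Assumptions: em0 = WAN, ovpnc1 = OpenVPN client interface,
# <proxytraffic> = alias of hosts that must only leave via the tunnel.
# Policy routing of these hosts to the VPN gateway is assumed to be
# configured in the filter rules already (as in the thread).
table <proxytraffic> { 192.168.1.50 }

# 1. VPN rules first: translate the proxy hosts out of the tunnel while it is up.
nat on ovpnc1 inet from <proxytraffic> to any -> (ovpnc1:0) port 1024:65535

# 2. Kill-switch: no translation for those hosts on WAN. Translation rules are
#    first-match, so this must sit after the VPN rule and before the default.
no nat on em0 inet from <proxytraffic> to any

# 3. Default outbound NAT for the rest of the LAN (must come last).
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535

# Belt and braces (not in the original post): with no translation the packets
# would still leave WAN carrying a private source address and only fail
# upstream, so drop them explicitly and log the attempt instead.
block out log quick on em0 inet from <proxytraffic> to any
```

In the OPNsense GUI the same ordering is what the post describes: VPN outbound NAT rules, then the "NO NAT" WAN rule for the alias, then the default WAN rule.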
#2
I found a workaround.
Now I'm using a Linux daemon (ddclient) found in the repository to update my dyndns.

The daemon triggered two alerts on the IPS:
- basic auth, already set to alert
- ET POLICY DynDNS CheckIp External IP, which I unchecked

Note that with the new rule unchecked (dyndns), the previous python script is still blocked when receiving the HTML response.
#3
Hello,

I have a strange issue with my IDS configured as IPS.

When I try to update my dyndns from a LAN server with a python script, the request is blocked by my IPS without any notification in the logs.
Of course the python request passes when IPS mode is disabled.
Notification logs work fine for other alerts.

What I see in the filter logs:
00:00:07.312284 rule 49/0(match): pass out on bridge0: (tos 0x0, ttl 64, id 11059, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.x.y.44784 > 8.8.8.8.53: 12586+ A? www.ovh.com. (29)
00:00:00.016332 rule 49/0(match): pass out on bridge0: (tos 0x0, ttl 64, id 14936, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.x.y.46222 > 198.27.92.1.80: Flags [S], cksum 0xec96 (correct), seq 303142016, win 29200, options [mss 1460,sackOK,TS val 4192644824 ecr 0,nop,wscale 7], length 0

My OPNsense version is:
OPNsense 17.1.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017

The OS is configured as an inline firewall, two interfaces bridged.

The python script used: http://ipcheck.sourceforge.net/
Test command: /usr/bin/python /srv/scripts/ipcheck/ipcheck.py -v -a 8.8.8.8 toto password hello.de

The script triggers a "basic auth" alert, set as alert and non-blocking. And something more is blocked, but without any notification in the alerts tab.
I have already tried setting promiscuous mode and changing the pattern match.

Do you know where I can investigate? Is there a way to get more verbose logs?

Kind regards