Messages - Arakangel Michael

#1
Virtual private networks / Loopback Adapter (ZeroTier)
January 26, 2022, 11:02:07 AM
OpnSense needs a corporate server adapter for the client workstations. Basically ZeroTier with Loopback, and Proxy functionality.

The purpose is ultimately to run OpnSense on Windows machines and have it intercept ALL traffic on the instance that the 'user' is 'using'.

It will help with blocking ads in the future.

The beast is going to use this to program your karma.

#2
We need security middleware capable of reading any incompressible string in memory.

Mandiant & Sysinternals utilities can help with this project.

The purpose is to find any encryption key, machine-wide, to decrypt any traffic on the computer at all (running through the browser at least), and send it to a local IDS instance.

Security Onion on Mikrotik Tilera is my design for this.

If you have any ideas about it, post here.
#3
I reached out to Dell about copyright. I haven't heard back yet. There is a custom Compellent RAID adapter, with the following on board:

3.33 GHz Wolfdale w/ a 15 Watt heatsink.
Spartan 3 Xilinx with 256 MB DDR2 / NAND Flash (Raid 1)
12.5 Farad Ultracapacitor for a battery backup
Old Intel 2x Gig NIC Controller Chip (Secure / Unflashable):
NH82546GB
Spansion GL06N90FFI02

PCI-2 v2 x8

I was loading these on HP 57xx Thin Clients, and I was going to pull the driver from the 3 Compellent SC040 servers that I had bought, as their OS is in BSD. The deep state was so covetous they ruined my career, and stole my gear, under the guise of taxes, and an eviction.

That said, the Netherlands funded the Mayflower.

The OS for the Compellent SC030/40 is in BSD, so the drivers are as well.

This card should be useful for the Suricata engine.
#4
Opswat does the best file analysis I've seen. Basically Virustotal & Fireeye.

I haven't used the on-premise version, but they have a Chrome plugin that works extremely well.

The cost isn't wretched.
#5
Intrusion Detection and Prevention / Suricata on Cuda
January 26, 2022, 03:55:10 AM
Does anyone know if this works with graphics card acceleration, or is that going to stay deprecated?
#6
I've been able to export the certificates using the links in the web interface, and then copy-pasting them into the import fields on the other sites' firewalls.

The issue I'm having is trust for the CA cert. The server certificate for one of the VPNs is showing self-signed, and the CA cert for that VPN shows having signed the user's certificate for that VPN, but not the server's.

To be clear, I'm using different CA, server, and user certs for all VPNs, in order to segment the network.
#7
This is the part that is confusing to me:

Services > DHCP > Servers > <Interface> (Tab) > 'Failover Peer IP':

"Machines must be using CARP. Interface's advskew determines whether the DHCPd process is Primary or Secondary. Ensure one machine's advskew<20 (and the other is >20)."

Also, where is the advskew setting located?
#8
Also I'm seeing this from a switch on my lab network:

00:00:00:00:01:01
XEROX CORPORATION         2017/05/11 02:39:56    tstp never

Which is apparently a BOOTP client, getting a perpetual lease, from this thread:

https://forum.pfsense.org/index.php?topic=82884.0

Is there a way to disable BOOTP completely?

#9
I'm having issues getting CARP VIP sync to work on Mikrotik switches. Changing the VHID didn't help. So I set all the interfaces to use IP Alias.

XMLRPC sync works just fine for all High Availability settings via a dedicated interface.

DHCP failover didn't work at all using IP Aliases. The interface does say to use CARP, so I am assuming it means CARP VIP, and not High Availability.

All three interfaces were showing either:

'My State':
communications-interrupted
recover

'Peer State':
normal
unknown-state

or vice versa.

Removing the failover IP allows both peers to serve IP addresses.

Typically in this case I will assign a part of the subnet to each peer, or add a subnet delay.

Am I right in thinking that the CARP VIP is the issue, and that I can't use IP Alias for DHCP Failover?
#10
17.1 Legacy Series / Re: IPSec VPN Problems
May 11, 2017, 04:30:03 AM
If that directionality always holds, and is reproducible, I would suspect the stateful firewall rules, or security services on the Zyxel.

You can also check the rekey intervals for Phase 1 / Phase 2 proposals on both sides. Some vendors implement rekeying for amount of data sent (Cisco), as well as time (which is standard). I haven't used Zyxel so I don't know.

I would try telnetting to an open port on either box, from either box, and see if the session stays open. You may have to install this in Windows: Start > Run > appwiz.cpl > 'Turn Windows features on or off' > (Scroll down) Check 'Telnet Client' > 'OK' button
RDP works very well for telnetting: 'telnet <server a> 3389' (assuming it's open on the firewall in the server), and allowed from system properties (sysdm.cpl) under the 'Remote' tab.
Try a very small file, try an encrypted file (that can't be inspected).
SMB requires multiple ports.
You can also try FTP.

Typically I will install a Filezilla FTP server, and use a limited user account (removing it even from the 'users' group), and limiting that 'user' to Guest status, and granting 'logon as a service' rights (gpedit.msc), and whatever folder access (NTFS permissions) that it needs.

I always liked Filezilla, but more recent versions tend to have junkware as well.

Lastly you can also try after rebooting both firewalls (after the tunnel just came up).
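The "telnet to an open port and see if the session stays open" test above, as an added diagnostic that is not part of the original post: a tiny echo listener for one side of the tunnel and a client for the other that holds a single TCP session open and probes it at an interval, so the two sides can be swapped to check the directionality the post mentions. The loopback address, ports and probe counts are assumptions.

```python
import socket
import threading
import time

# Added diagnostic (not from the post): an echo listener plus a client that holds
# ONE TCP session open and probes it at an interval, so the "does the session stay
# open" check can be run from either side of the tunnel. All values are assumed.

def start_echo_listener(host="127.0.0.1", port=0):
    """Background echo listener (one session at a time); returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(0.2)          # lets the accept loop notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                while True:
                    data = conn.recv(1024)
                    if not data:        # peer closed the session
                        break
                    conn.sendall(data)  # echo straight back
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop

def hold_session(host, port, probes=5, interval=0.05, timeout=3.0):
    """Send `probes` probes `interval` apart over ONE session; returns
    (echoed_count, error), error being None if the session survived."""
    echoed = 0
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            for i in range(probes):
                msg = f"probe {i}\n".encode()
                s.sendall(msg)
                if s.recv(1024) != msg:  # short message: one recv is enough
                    return echoed, "session closed or corrupted echo"
                echoed += 1
                time.sleep(interval)
    except OSError as exc:  # a silent drop surfaces here as a timeout or reset
        return echoed, repr(exc)
    return echoed, None
```

Run the listener on host A and `hold_session` from host B with a long interval (say 60 s) and many probes, then swap; the probe count at which the error appears tells you how long the tunnel or a middlebox tolerated the idle session in that direction.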
#11
Quote from: bartjsmit on March 20, 2017, 09:18:23 AM
Creating VM's that use more vCPU's than there are execution units available will reduce performance, not increase it.

The theoretical knowledge doesn't really help anyone, if they can't apply it.

You're being pedantic, and your statement isn't technically accurate.

It depends on your workload:

If it is more latency sensitive, and not consuming the whole CPU, then use Hyperthreading / SMT, and commit all logical processors.

If it is more compute intensive, or completely single threaded then it may be better to switch Hyperthreading / SMT off in the BIOS, and use the exact number of physical cores available.

Blog posts like that discount the nuance of actual life. You cannot possibly recommend an ideal configuration without knowing the workload. NUMA locality doesn't apply with a single socket machine.

In the OP's instance, where he is possibly going to buy a box dedicated for this, a dual / quad core single CPU should suffice just fine for all the bells, and whistles.

Given multiple packages running it makes sense to enable Hyperthreading, and count the logical processors.

This is a logical argument, real world testing is always better.

Said more nicely:
*BSD, OpnSense, and Suricata are multithreaded, and to my knowledge the other important packages are. So as many cores as possible with a 'smarter' scheduler (HT / SMT) makes more sense, since it isn't likely to chew through all available compute power for 500 Mbps of traffic.

Bare metal install is better in my book as you don't have to deal with additional vulnerabilities, and patching. Performance difference should be within a few percent of ESXi if your hardware has room to breathe (bottlenecks are not the same). Hardened BSD will arguably be more secure than ESXi.

To the OP, basically get a quad core, with a dedicated gigabit network interface for at least the LAN, and WAN, if you want all of the bells, and whistles. Your network card is likely the bottleneck.
#12
Just to clarify, yes the traffic will be dropped.
#13
I've built 2 HA clusters using 17.1. All the same hardware.

XMLRPC sync works fine.
VPN on the master works fine. (Service start, logs, connectivity, etc.)
WAN is a CARP VIP.
Everything else works fine.

The backup firewall cannot start its OpenVPN service. There are no logs in the firewall.

The 2nd pair of firewalls is a bit more interesting. I had to use IP Alias for both LAN / WAN. CARP didn't work with the switch for some reason. The first OpenVPN synced, and starts on both firewalls. I set up a 2nd VPN using the wizard, and it syncs fine, but the service for it won't start on the backup firewall. I set the logging to 11 on the master, which synced to the backup, but no logs for service start on the backup.

The primary VPN is WAN > LAN
The 2nd VPN is for LAN > Management

The 2nd instance is using 1195 UDP, and 192.168.11.0/24 to differ from the primary VPN.

The goal is to require multifactor VPN to the firewall before being able to access administrative interfaces on the network devices.

Is there anything else I can check here?

What are the recommendations to have the firewall segment traffic depending on VPN type, or user? I only see the 'OpenVPN' interface listed under Firewall > Rules. The ovpns1, and ovpns2 aren't defined in the GUI that I can see.
#14
I missed that you have to stop, and restart the openvpn service.

The setting that fixed it is the 'Topology' check box, toward the bottom.
#15
I have two firewalls set up with CARP / HA. XML RPC sync is failing after upgrading, which may be a separate issue.

I set up the OpenVPN server with certificates, and user / password. I was able to connect the VPN, and ping the main firewall only (on any interface). I tried reconfiguring various settings, but nothing worked. I ripped out the firewall rules, and server VPN, and just used the wizard, but still have the same exact problem:

I can ping the CARP, LAN, and LAN (CARP VIP) addresses from the VPN, as well as the 'default gateway' that is issued to my client without issue. Before I updated to 17.1.5, and broke the xml rpc sync I was still connected to the VPN via the fwback firewall, while the fwmain firewall was rebooting, so the WAN CARP VIP was working fine as well.

I am using 169.254.x.x for the actual WAN addresses of both firewalls, with no issues so far, so these interfaces are not pingable from the VPN. These interface addresses are all pingable:

192.168.1.254 (LAN CARP VIP)
192.168.1.251 (LAN fwmain)
172.16.1.251 (CARP fwmain)
192.168.10.1 (gateway address, for some reason the gateway address changes it has been .1 through .5)

I could never ping any other address on the LAN, including the backup firewall 192.168.1.250 (fwback) over the VPN.

None of the settings seem to affect this problem (including 'Topology'); I have spent a few hours testing permutations.

I have IDS enabled, but not IPS.

The CARP interface is a broadcom gigabit chip. The other 4 interfaces are all Intel Gigabit Pro 1000. They are all configured the same, and in the same order.

I updated to 17.1.5 in the hopes that maybe it would fix something? It didn't affect the issue, but broke XML RPC sync (it auto-submitted a bug report for this, twice, using the same email that I have registered for the forums):

"An Error occured while attempting XML RPC sync ... /xmlrpc.php parse error. not well formed"

I was thinking that the update broke something, but I don't know how to check.

I am stuck. I don't see any setting to tweak to allow access to the LAN over the VPN.

I am using Windows 8.1 clients running over VMware Workstation (on a Windows 8 host). I have tried both 'Bridged', and 'NAT' for the VMware settings, but they behave exactly the same way. I am using the current Viscosity client.

It doesn't seem that the firewall itself is releasing traffic.

The original 2 firewall rules as created by the Wizard had to be modified:
The UDP 1194 inbound rule had to be changed to 'any' instead of 'WAN' since it's using the WAN CARP VIP, and not the actual WAN address.

I added a LAN rule to allow traffic from 192.168.10.0/24 to test it.

The original rule under the 'OPENVPN' interface is still there. I noticed that under 'Interfaces / Assignments' there is a 'ovpns1' interface that isn't assigned to anything. I had also tried assigning this interface a static IP address on the tunnel subnet of 192.168.10.0, but that only prevented pinging the firewall itself as well. That was the point where I ripped everything out, and disabled, and then deleted that interface. After updating to 17.1.5 it seems to be working as it was before; I can still ping any (routable) interface on fwmain, but nothing else.

Any help is greatly appreciated.