Messages - networkguy

#1
19.1 Legacy Series / OpenVPN Client Export Inline missing
February 08, 2019, 06:26:39 PM
There is no longer an option listed for Inline in the client export for OpenVPN after I upgraded to 19.1. It has been a while since I attempted to download it, so it may have been missing for some time, or there is now a different method used for iOS that I am not aware of. I referenced the documentation here https://docs.opnsense.org/manual/how-tos/sslvpn_client.html that says to download the inline configuration. I only see Archive, File Only, Viscosity, and TheGreenBow under Export type.
#2
General Discussion / Wan DHCP not renewing
February 14, 2018, 03:02:23 PM
I'm not sure if I have something misconfigured, but it appears that when my lease expires for my IP on my WAN, OPNsense is not requesting a new IP address. If I manually request a new IP under the Interfaces tab, all is good. Any ideas?

Thanks
#3
Thanks. I was trying to think of a scenario where you may want the rule to be active as alert for that particular host but still deny as a whole. Thinking about it more, I guess if a rule comes up on legitimate traffic that may just be configured poorly, you probably would want to allow that traffic for other destinations anyway but just know about it.

Last question I have, I hope :) When I change from IDS to IPS, do I have to go to every individual rule and change it from alert to deny, or is there a way to do this globally?
#4
If you change an alert from deny to alert, does that just affect that flow or does it change the rule itself?
#5
I have been running in IDS mode for a while and I am about to switch to IPS. Where do blocked IP addresses or flows show up once I enable IPS? If I find a false positive, how do I remove the block?

Thanks.
#6
I added Snort rules into the IDS and have enabled any of the ET or Snort VRT groups that contain malware, virus, trojan, or anything else that sounds like something I wouldn't want running on my network. When I went to the rules and did a search on malware, I found that of the groups I enabled only some rules are enabled, not all of them.

What dictates which rules are enabled?

Is the best approach to just enable the group and not the individual rules that are shown disabled?

I am currently not blocking and just running as an IDS. Once I have removed the false alarm rules I will probably convert to an IPS. Right now all the alarms show as alerts. Do these all get changed to drop once I change to IPS, or do I need to go and change the rule behavior for each rule?

Lastly, when an IP gets blocked, does that get added to a group in the firewall or is it just located under the alerts section of the IDS? Does the clear log button on the alert tab clear the block for the IP, and if so, how do you clear a block for one particular IP instead of the entire log file?
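The enabled/disabled and alert-to-drop questions in this post, as an added example that is not part of the thread or of OPNsense's own code: a small parser for Suricata rule syntax (assumed here to be the format the IDS loads) that treats a rule commented out with a leading `#` as shipped disabled, and shows the alert-to-drop rewrite that an IDS-to-IPS switch amounts to at the rule level, optionally leaving chosen sids as alerts. The sample rules and sids are constructed.

```python
import re
from collections import Counter

# Constructed sample in Suricata rule syntax (made-up sids, not a real ruleset).
# A leading '#' is how rulesets ship a rule disabled, so an enabled category can
# still contain rules that are off until someone turns them on individually.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Malware beacon A"; sid:9000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Malware beacon B"; sid:9000002; rev:2;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE Trojan DNS lookup"; sid:9000003; rev:1;)
# an ordinary comment line, not a rule
drop ip any any -> any any (msg:"EXAMPLE already drop"; sid:9000004; rev:1;)
"""

# Optional '#' prefix, the action keyword, then a body that carries a sid option.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<body>.*\bsid:\s*(?P<sid>\d+);.*)$'
)

def parse_rules(text):
    """Return one dict per rule line: sid, action, enabled flag and msg."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and plain comments
        msg = re.search(r'msg:"([^"]*)"', m.group("body"))
        rules.append({"sid": int(m.group("sid")), "action": m.group("action"),
                      "enabled": m.group("off") is None,
                      "msg": msg.group(1) if msg else ""})
    return rules

def summarize(rules):
    """Count rules per (action, enabled/disabled) pair."""
    counts = Counter()
    for r in rules:
        counts[(r["action"], "enabled" if r["enabled"] else "disabled")] += 1
    return dict(counts)

def to_ips(text, only_sids=None):
    """Rewrite enabled 'alert' rules as 'drop', either all of them or only the
    given sids (so a known false positive can be left as an alert). Rules that
    are commented out stay commented out."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        m = RULE_RE.match(s)
        if m and m.group("off") is None and m.group("action") == "alert" \
                and (only_sids is None or int(m.group("sid")) in only_sids):
            s = "drop" + s[len("alert"):]
        out.append(s)
    return "\n".join(out) + "\n"
```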
#7
General Discussion / Re: OPNsense initial thoughts
January 23, 2018, 03:01:56 PM
Quote from: franco on January 22, 2018, 08:52:19 PM
Which graphs do you mean? The RRD frontends for both? Or comparing different subsystems' visualisation? Either way, very interested in specifics.

I thought the traffic graph under Health was showing incorrect values, but then realized it is displayed in bytes instead of bits. I have searched but I don't see an option to change this. The graph itself is more visually pleasing than the standard RRD graphs in PFsense. I like how you can fine tune the area by moving the window below the main graph. Maybe it's there and I just can't locate it, but is there a way to configure the default behavior? I would love to be able to set the Health graph to default to traffic and my LAN interface, as well as change the unit from bytes to bits. Also, although the window is nice, it would be nice to be able to enter a start and stop time to display on the graph.

Just my thoughts.
#8
Thanks for the info. I was looking to see if there is a way to do it on the box with a package like bandwidthd. I have been thinking of pushing off firewall logs to Splunk; I believe it supports up to 500 MB per day of logging for free. I may try seeing if I could get a NetFlow dashboard working on there as well.
#9
General Discussion / Track historical usage per user
January 21, 2018, 12:17:05 AM
Is there a way within OPNsense to track individual users' historical usage? I would like to be able to view a list of clients and show when they were connected and the bandwidth used. It's nice to know data trends on devices on my network. Something like the graphs shown under the Interface tab in Insight, but per client. Would be cool to have a quick visual of user traffic usage. Maybe be able to toggle between IP and hostname like what is on the traffic graphs. Actually, the client usage in the traffic graphs would work great if this was always being captured and the data stored to view anytime.
#10
Your remote IP in your OpenVPN config is in private IP space, if I am reading that correctly. Are you behind another firewall that is doing NAT translation? You may have to port forward 1194 to your OPNsense firewall. I know some ISPs give a cable modem with a router built in.
#11
I think there is a field on the client export where you select which interface you expect your client to come in on. It looks like you may have selected your LAN interface instead of your WAN interface on the client export. Also make sure you have a firewall rule to allow your inbound OpenVPN port on your WAN interface.
#12
General Discussion / OPNsense initial thoughts
January 19, 2018, 09:40:34 PM
I just wanted to comment on OPNsense from the perspective of a recent PFsense user. In my initial search looking for a firewall I tested various firewalls: Untangle, Sophos/Astaro, and ClearOS, to name a few. I found PFsense to be the best by far that reached all of my needs. I use PFsense in a home environment that basically was used for monitoring and limiting internet usage, VPN service, traffic shaping (when my internet pipe was smaller), and providing reliable network access and security for my family. I recently started trying to fine tune my IDS within PFsense and was deciding between Suricata and Snort when I ran across some references to OPNsense forking from PFsense. It has been a while since I messed around with another firewall distribution, and since this was based off the firewall I was already used to, I thought it was worth investigating.

From 2 weeks of use with OPNsense I have to say this firewall looks great. It still has a lot of the PFsense feel to it, but the GUI/layout is improved greatly. OPNsense appears to take the approach of providing all the core functions that PFsense did, but deciding which is the best package to facilitate that need, making it the standard, and directing its focus to maintaining those dedicated packages. This removes some choices/options for the firewall admin, but I think it provides a more reliable/stable firewall. I currently run OPNsense on not the most ideal hardware, but I have noticed that it appears to be using less RAM than what PFsense used. I still have yet to configure Suricata, so I know that will be a good size hit on RAM. I also really like that NetFlow visibility is built into the GUI, but ntopng did provide more visibility.

I am still in the early stages of OPNsense so there may be some things I have missed but below are the items I think would be great to get included in OPNsense.
* Historical monitoring for individual client use, such as bandwidthd.
    * It would be really cool if Insight could map an IP to a DHCP reservation and list traffic usage per user along with source/destination.
* Squid reports, such as SARG or LightSquid.
    * I haven't messed with the proxy much and this may be available and I just need to configure it, but for the purposes of web filtering it would be nice to be able to do a splice all on Squid so you can block a destination without having to intercept SSL traffic.
* It's early and I don't know if I prefer the way historical bandwidth usage is displayed under Health versus the graphs in PFsense.

I mainly just wanted to post to tell the developers and community I think you guys are doing a great job.