Messages - l0rdraiden

#1
Is this still the case?
Even if I configure the transparent proxy
https://docs.opnsense.org/manual/how-tos/proxytransparent.html

Suricata won't see the traffic unencrypted, even though the SSL offloading is happening in OPNsense?

This is a huge security issue...
#2
General Discussion / Re: business plugins
January 13, 2022, 10:06:53 PM
I wouldn't mind paying a small amount for some of the plugins as a kind of community enhanced edition (a way to support the project), since for home use the business edition won't make a lot of sense; support or other business-oriented plugins like the central management aren't useful.
#3
General Discussion / business plugins
January 13, 2022, 07:26:15 PM
Will the business plugins like the WAF or web filtering be available in the community edition in any form?
#4
The configuration parameters could be brought to the web UI.
#6
Quote from: mb on June 19, 2020, 11:09:08 PM
Hi @GreenMatter,

We hear you :) I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users while at the same time differentiating our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)

First of all, it doesn't make a lot of sense that a free user gets unlimited devices and a paid one 50; I know there are other limitations.

On the other hand, what differentiates Sophos/enterprise from Home/free should be the professional support and not the features; no one will install this in an enterprise without support. Another thing is LDAP, and you are doing it right here. So I would not be afraid of companies using your software for free even if the home version features were free.

I still think that the price of the home version might be high considering the alternatives. Maybe selling it as a perpetual license for home users would be an option, or lowering the price to $2-5 per month and limiting the free edition more, if you want home users (who should be your target) to pay for it.
#7
Basically your problem is this:

https://forum.netgate.com/topic/128853/suricata-and-vlans/2

Unless an OPNsense dev says otherwise, VLANs and Suricata in IPS mode don't work together, and there is no solution for now.
#10
* Suricata 5 and optimized ET Pro Telemetry rules plugin

What has changed in the "optimized ET Pro Telemetry rules plugin"? Or what's new?

How easy is it to switch from beta/RC to stable once it is released? Can it be done in the web UI by changing the release branch or something?

Thanks
#11
Quote from: MTR on May 06, 2020, 09:59:00 AM
WAN IP is dynamic. Besides that, I won't be able to see which internal IP is involved in the traffic? Or is that circumvented by adding the WAN IP to home networks?

edit: just tried this and indeed no internal IPs are shown, so that's not really an option tbh.

@mimugmail: could you explain what the idea behind adding the WAN IP to Home Networks is?

Oh, and btw, enabling IPS on my WAN will catch and drop packets that are most likely going to be dropped by the firewall anyway. Maybe it's fun to see all the internet baddies banging on the door, but it's a waste of system resources, I think?

Well, pfSense and OPNsense IDS/IPS implementations are quite limited in terms of flexibility, but I think it is something inherited from FreeBSD.

In any (commercial) Linux-based firewall you can assign IDS/IPS policies to a single firewall rule, so if you have a rule that opens ports to the internet you will want to see that traffic on the WAN; the good news is that the IDS/IPS will only scan the traffic of that firewall rule and not the whole WAN, and in addition you will enable only the IDS/IPS rules related to the assets behind that open port. If you don't have open ports, LAN is enough.

The result is that it is much more efficient and you get fewer FPs.
#12
Quote from: Callahan on May 06, 2020, 03:54:39 AM
I'd like to chime in with the same question and an additional question (plus a small cosmetic bug report at the end).

Question one
To give you specifics in the hope that it helps give you/me a better understanding of what is going wrong (or more likely what I'm missing), my setup is as follows:

  • OPNSense running on an i5 NUC with 8GB RAM.
  • 1 LAN subnet of 192.168.100.0/24 which is attached to the physical LAN in OPNSense.
  • 1 DMZ subnet (192.168.50.0/24), which is a virtual interface (VLAN) hanging off the LAN interface of OPNSense.
  • 1 Proxy server on the DMZ.
  • 1 Guest network (192.168.150.0/24), which is a virtual interface (VLAN) also hanging off the LAN interface of OPNSense.
  • 1 WAN interface using PPPoE to a DSL modem.
  • A Windows domain of around 10 Windows servers and multiple Linux servers with 2 Windows DNS servers sitting at 192.168.100.14 & 192.168.100.15.
  • A Pihole running on the same subnet (192.168.100.18).
  • Both Windows DNS servers have the Pihole set as their forwarder.
  • DHCP is handled by the same Windows servers that handle DNS queries.
  • OPNSense is set up as a DHCP relay for both the Guest and LAN subnets.
  • Windows DHCP is set up to always update DNS so I can see all of the hosts, regardless of type, are being registered in DNS.
  • DNS query route goes: Client --> Windows DNS --> Pihole --> Internet.
I've installed Sensei today and also added the DNS servers (192.168.100.14 & 192.168.100.15), under: Sensei/Configuration/Reporting & Data with the expectation that Sensei would check DNS for the hostnames of the IPs that are hitting the LAN interface. This doesn't appear to be happening and I'm not clear on why that is.
Further testing shows that if I use the FW to do DNS then I see the hostnames.

Is the only solution to this setup, to set the DNS in my DHCP scopes as the firewall then set the forwarder on the firewall DNS to be my Windows DNS servers (to keep the domain working), then the forwarder on the Windows DNS servers to be my Pihole docker container? That seems an overly excessive amount of DNS queries but it's the only way I'm seeing this working. This would be a pretty standard setup in most orgs in the sense that the first DNS host they query will always be the Windows DNS servers on the domain.

If this is the solution, then I don't understand why the option to allow the reverse lookup of IPs is present in Sensei.

Question 2
I am looking at the reports for "Top Remote Hosts" and I am seeing entries in there as FQDNs that are my internal hosts on the 192.168.100.0/24 subnet. Definitely not remote hosts. Interestingly, as Sensei is reporting the FQDN, it has to be getting that from my Windows DNS servers (I'm running split DNS so my domain is resolved internally), so it is able to query my DNS servers and retrieve local addresses. Surely it should know that if the resolved address sits on a range that it knows it hosts on the LAN interface, it isn't remote. I'd almost accept it if the address was on my DMZ but even then, the DMZ (in my specific case here), is a virtual interface of the LAN so again, easy to spot that it's not Remote.
Or maybe I'm misunderstanding your meaning of "remote". :)

Last question/bug report
Go to Sensei/Configuration/Reporting & Data
Click the small orange "i" next to: "Perform health check for indices:" and you'll see that the help section for "Connection Security" and the section for "Reporting Criteria" in the block below opens up with the explanation for setting the Reporting Criteria for the email reports. The same thing happens if you click the orange "i" for "You can erase reporting data:"

Sorry for the overly long post, thanks for making it this far! I look forward to any insight you can offer to the above questions.

Thanks.

The only clean solution would be to feed Pi-hole or AdGuard Home logs into Logstash so they can be displayed by Sensei. Maybe something can be done with the APIs.
https://github.com/AdguardTeam/AdGuardHome/tree/master/openapi

Or doing exactly this:

Pi-hole data visualization using Elasticsearch, Logstash and Kibana
https://github.com/nin9s/elk-hole
#13
Quote from: AdSchellevis on May 04, 2020, 10:59:22 AM
@l0rdraiden can you please stop with this behaviour, it looks like we don't agree on a lot of things (competitive edge compared to other products, which features add value, etc, etc).

Just try to keep things civil and to the point. As mentioned earlier, we can always discuss the addition of (advanced) features, as long as the use-case is clear and doesn't break how others use the product. In some cases we might even be willing to do the work.

This thread in general has a high potential to separate two groups of people, where in reality, our product is somewhere in the middle. We can't fix "make it simpler, Apple like" and "I want all the toggles from the underlying system".

Since time is valuable, I'm not intending to put a lot more effort into this discussion, so please do not try to start a new one with me, chances are 99% I'm not going to respond.

Best regards,

Ad


I'm behaving fine, thanks; being in disagreement doesn't mean bad behaviour, but you already know that.

If you think the feature set of OPNsense in 2020 is fine and don't want to give any explanation, then fantastic, I wasn't expecting one. I just gave my opinion, based on the experience of having tested many commercial products available in the market.

I was only asking some people responding in this thread not to be disrespectful or poke fun at other forum members when they are expressing their opinions.
#14
Quote from: franco on May 04, 2020, 07:28:23 AM
l0rdraiden: you think I'm taking things to extremes, but you keep using the word "extreme" and imply that I'm extreme. I really don't think that's anywhere near where we are at with the way you keep pushing your interest, even by walking back your intentions. If you weren't going for extreme, your words prior speak otherwise.

If you need certain things to be said a certain way I think you will have to ask the right questions and -again- cut out the insults. At this point, I think you will keep going anyway and you left a lasting impression one way or another. Good day sir!


Again, and again and again.... taking things to the extreme => taking things out of context to a limit position.
I have never said that you are an extremist like you imply in your post; don't play the victim now.

At least next time treat others' opinions better and don't get defensive, as if someone is attacking you, since no one besides you has had any disrespectful attitude before that post.

Best regards

Quote from: franco on April 27, 2020, 03:16:46 PM
I'm merely trying to be honest without judging others. Personally I don't care for the "you don't do what I want so I will not like you as much" attitude. Please take it elsewhere. :)
#15
Quote from: franco on May 03, 2020, 12:12:56 PM

Look, you're clearly not listening and/or missing the point fundamentally.

1. You insist on rewriting the open source IDS functionality.

2. The core team response is that it sees no immediate need to put hours into it, especially when these valuable hours can be spent on more pressing topics in the meantime.

3. Based on not providing rewritten code you are incapable or unwilling to provide the code yourself.

4. You (and others) act out because we don't agree with your requirements and needs.

Again you take things to the extreme.

1. Rewriting the IDS? Are you mad? Who said that?
Exposing a few more settings to the interface, is that a rewrite? lol
It is bringing to a web interface functionality that already exists in the backend... then I said look, this is nice (Scirius), someone replied and I didn't insist.

2. You could have said that the first time instead of being disrespectful to other forum members.

3. Rewriting the IDS functionality? Again?

4. The only one acting out is you, sir. Again, if you don't plan to do it you can honestly say so instead of being disrespectful. "Hey guys, we are not doing this because we have other stuff more critical in the roadmap bla bla bla..."


Quote from: franco on May 03, 2020, 12:12:56 PM
Look at the long-lasting firewall API controversy. It was requested by a lot of people over the years, even companies who make money with OPNsense but have no obligation to contribute. Nobody saw the work or was willing to sponsor it (and we don't consider cheap outsourced programmers as a way forward for that particular matter for simple quality reasons).

In the end, someone was willing to sponsor a firewall API this year and behold, it was added to the project for everyone to use in a matter of weeks, not years.

Little life lesson: somebody telling you they won't do it means they won't do it based on the things that you offered. You get what you negotiate for. And dashing out insults because others do not agree is not negotiating. ;)
I hope you apply this life lesson as well in the future, because as far as I can tell in your post... you started being rude, and no one is pointing a gun at you to do something, just suggesting stuff.


Quote from: franco on May 03, 2020, 12:12:56 PM
I don't see the point for this bleak comment. It speaks from a bitter place. We built all of what you see. We can make it better together still. Unless of course you don't see a way forward for you personally, but you can't use your reasoning to substitute your situation with everyone else's.

Don't take it wrong, don't take it to the extreme as always, because it is the truth: offering a plain firewall that does the same or less than most of the commercial (or not) competitors will make it harder commercially, and even I (despite what you may think) would like to see this product grow; it will be good for the community.
Usually, if someone makes a feature request, 99% of the time it is not an original idea; it is something that he has seen in another product and has been using, and if another product has added it, it is probably because it is useful or many other customers have asked for it.

For example, Sensei adds value because it contains a set of features that not all the competitors have.
Most things in the roadmap we have seen last year add things that are available in any FW, or if they don't, the added value is small.

Why don't a lot of people leave pfSense to go to OPNsense? Because pfBlockerNG is not in OPNsense, and although it can do something similar, it misses a lot of features and customization available in pfBlockerNG. With Sensei something similar may be happening already, because it is a key differentiator.

Look at the roadmap
https://opnsense.org/about/road-map/
Do you see something that could be a differentiator from other firewalls in this TIER? (pfSense, Sophos XG, SonicWall, MikroTik...). Sorry, I don't, and maybe the roadmap is fine because there are a lot of things to fix yet, but you know that better than me.

Regards