Messages - gambrinus

#1
Thanks, p1n0ck10.
#2
Appreciate the generosity there, dcol. You've given me a fine head-start. Have never been much good at firewall rules. Never had that aha moment I've managed with other things. But can adapt other people's rules, so fantastic.

I'll spend a bit of time this coming weekend working out which ports various services use. No gaming or torrents, which'll save a few headaches, but I do like to use OSMC from time to time (a Kodi variant, if you've not heard of it). That might prove a stumbling block. Here's hoping it doesn't. Other than that it's just surfing, email and, occasionally, a bit of testing of nginx stuff. Also hoping to make motionEyeOS available to remote viewing. Just so much on the list...

Best wishes and thanks again.

#3
Thanks dcol. I'd just popped back to swot up on how to be a little bit more tyrannical with my firewall rules. And saw your reply.

I really like the logic of blocking unused inbound ports outright. Must be a guide somewhere?

Although I'd come back here with outbound blocking in my mind.

It does seem that the internal wifi of a PC Engines APU2 is somehow made stable when bridged to the LAN by simply plugging in an unmanaged switch. I've since read that lots of people have trouble with the WIFI dropping out a lot -- as I did -- and this is a solution of sorts. Or, I could be wrong, and something else fixed it, like an update!

But we're about a month in now and OPNsense is extraordinarily stable and robust, and snappy. The investment of time and effort has been worth it.
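As an added illustration (not from gambrinus, dcol or the thread), here is the "block unused inbound ports outright" logic from the post above written as a pf ruleset, since OPNsense is built on pf. OPNsense generates its rules from the GUI and already ends every interface's rule set with an implicit default deny, so this is the equivalent logic for reading, not a file to drop onto the box. The interface names, the LAN subnet, the motionEye host and port, and the outbound port list are all assumptions.

```pf
# Illustrative pf ruleset: default-deny inbound, explicit passes only.
# Assumptions (not from the thread): WAN is igb0, LAN is igb1,
# LAN is 192.168.1.0/24, motionEye runs on 192.168.1.50 TCP 8765.
wan_if         = "igb0"
lan_if         = "igb1"
lan_net        = "192.168.1.0/24"
motioneye_host = "192.168.1.50"
motioneye_port = "8765"

set skip on lo0
scrub in all

# Default deny: anything arriving on any interface that no later rule
# passes is dropped and logged. Every "unused port" is covered by this
# one line; the rules below are the whitelist.
block in log all

# LAN -> internet, restricted to the protocols the household actually
# uses (DNS, NTP, HTTP/S, submission, IMAPS). Filtering here, where the
# traffic enters the firewall, is what makes "outbound blocking" work;
# anything not on the list appears in the log as blocked, which is the
# easiest way to find out what OSMC/Kodi add-ons really need.
pass in on $lan_if inet proto { tcp udp } from $lan_net to any \
    port { 53 123 80 443 465 587 993 } keep state
pass in on $lan_if inet proto icmp from $lan_net to any keep state

# Hide the LAN behind the WAN address.
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# Exactly one service reachable from the WAN: motionEye for remote
# viewing. rdr rewrites the destination before filtering, so the pass
# rule must match the translated (LAN) address, not the WAN address.
rdr on $wan_if inet proto tcp from any to ($wan_if) port $motioneye_port \
    -> $motioneye_host port $motioneye_port
pass in on $wan_if inet proto tcp from any to $motioneye_host \
    port $motioneye_port flags S/SA keep state
```

The practical order is the one the thread arrives at: leave the default deny in place, add passes one at a time, and read the blocked-traffic log before tightening outbound further, because a restricted outbound port list is exactly where a media box like OSMC tends to break first.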
#4
Thanks, fabian. I'm keeping a close watch on degradation. We're running here on an APU2 (with a palm-sized gigabit switch that runs off 5 V 600 mA, so I have it plugged into the router's USB). The APU2 has a fair bit of oomph, as I expect you're aware.

I'm chuffed to have got this far. The internet speeds are much snappier. We migrated here from an Asus Merlin. We're not heavy users and we don't need intense streaming, but like almost everyone these days, we're like cold turkeying lab rats if the internet breaks.

I'm taking it steady. Learning now how to hone the logs and what to watch out for. This is why I love open source. It's technological freedom.

Excuse the ramble. On balance, the performance hit of facing Suricata on the WAN isn't a big deal on a simple and low-use home network such as ours. And it is working now, very stable. I imagine this becomes more of an issue the greater the load becomes? I guess there was some insight going on in my original question.

Cheers.
#5
It makes logical sense, as you explain, to set up the inline detection on the WAN. Much thanks and apologies for not getting back to you sooner.

No longer having problems with WIFI failing when the LAN goes quiet. Not sure what I did or even if I did anything. Was maybe fixed by incorporating an unmanaged switch. Perhaps that keeps the LAN alive, and consequently the WIFI.

#6
Hi. Fairly new to all this. Simple set-up, so far.

WAN > ISP MODEM > OPNSENSE > LAN and WIFI (bridged)

Small home network. WIFI Bridged to LAN (working, but not quite there yet. WIFI drops when LAN activity ceases for a while).

Have Suricata watching over the WAN but I ask myself... wouldn't Suricata be better provisioned if it was watching the LAN (and therefore also the WIFI, I assume)? Given that the firewall will be dealing with the WAN.

Thanks.