Messages

1

General Discussion / Re: Firewall configuration and gotify android application

« on: August 30, 2024, 02:00:21 am »

Hi,
Did you setup your firewall to pass http and https traffic of the ip and ports your Gotify server is listening on ?
If that didn't work try to add an nginx reverse proxy addon to opnsense and configure nginx to forward requests to gotify. If that didn't work either, try to enable websocket on the nginx reverse proxy (the gotify documentation doesn't indicate it is using websocket but i have seen some chatting programs using websocket and doesn't work if the reverse proxy didn't support it).
Don't forget to put the ip address of your firewall or reverse proxy on the variable trustedproxies of your /etc/gotify/config.yml or which ever is your gotify's config location.

2

General Discussion / Re: Firewall reporting

« on: August 22, 2024, 01:08:24 pm »

Thank you.

3

General Discussion / Firewall reporting

« on: August 19, 2024, 10:24:34 am »

Hi,
One of our firewalls is a Fortigate that i have been asked to replace with another one less expensive and I hope it could be Opnsense.
Of course some people, inside my company argue that few products can compete with that brand. My arguments are that opensense can repond to our needs without trying to compare both products feature by feature.
The following is just a suggestion.
One of the features of the above brand is a daily security report, which looks like this:
Security Analysis
Report Date: August 16, 2024 14:00
Data Range: 2024-08-15 00:00 2024-08-15 23:59 GMT+1 (FAZ local)


Table of Contents
Bandwidth and Applications 3
Traffic Bandwidth 3
Number of Sessions 3
Top Applications by Bandwidth 3
Top Applications by Sessions 4
Top Users by Bandwidth 4
Top Users by Sessions 4
Top Destination by Bandwidth 4
Top Destination by Sessions 5
DHCP Summary 5
Top Wifi Client by Bandwidth 5
Traffic History by Number of Active Users 5
Web Usage 6
Top 20 Most Active Users 6
Top 20 Most Visited Categories 6
Top 50 Most Visited Sites 6
Top 10 Online Users 6
Top 10 Categories 6
Top 50 Sites By Browsing Time 6
Top 20 Bandwidth Users 7
Top 20 Categories By Bandwidth 7
Top 50 Sites (and Category) by Bandwidth 7
Top 20 Most Blocked Users 9
Top 20 Most Blocked Categories 9
Top 50 Most Blocked Sites 9
Emails 10
Top Senders by Number of Emails 10
Top Recipients by Number of Emails 10
Top Senders by Combined Email Size 10
Top Recipients by Combined Email Size 11
Threats 12
Malware Detected 12
Malware Victims 12
Malware Source 12
Botnet Detected 12
Botnet Victims 12
Botnet C&C 12
Botnet C&C Detected by DNS Filtering 12
Intrusions Detected 13
Intrusion Victims 14
Intrusion Sources 14
VPN Usage 15
VPN Traffic Usage Trend 15
VPN User Logins 15
Authenticated Logins 15
Failed Login Attempts 15
Top Dial-up VPN Users 16
Top Sources of SSL VPN Tunnels by Bandwidth 16
Top SSL VPN Tunnel Users by Bandwidth 16
Top SSL VPN Web Mode Users by Duration 16
Top SSL VPN Users by Duration 16
Top Users of IPsec VPN Dial-up Tunnel by Bandwidth 16
Top Site-to-Site IPsec Tunnels by Bandwidth 16
Top Dial-up IPsec Tunnels by Bandwidth 16
Top Dial-up IPsec Users by Bandwidth 16
Top Dial-up IPsec Users by Duration 17
Admin Login and System Events 18
Login Summary 18
Login Summary By Date 18
List of Failed Logins 18
Events by Severity 18
Events by Date 18
Critical Severity Events 18
High Severity Events 19
Medium Severity Events 19
Appendix A 20
Devices 20

And my question is : is there inside the opnsense installation a central repository to collect all this data so it could be possible later to extract it and generate a corresponding report. I know, the sensei plugin generates and sends such reports but they are not so exhaustive as the fortigate ones.
TIA
Fathi B.N.

4

23.7 Legacy Series / Re: openvpn profile: Certificate Depth reset to Do Not Check after saving

« on: August 09, 2023, 03:37:49 pm »

Solved, thanks.

5

23.7 Legacy Series / Re: New OpenVPN profile server: TLS static key neither automatically generated nor f

« on: August 05, 2023, 12:45:13 pm »

Sorry, I didn't see the new tab.
Thanks.
Best Regards,
Fathi.

6

23.7 Legacy Series / Re: Peer Certificate Revocation List present but no Peer Certificate Authority

« on: August 05, 2023, 12:41:09 pm »

Thanks.
Best Regards,
Fathi.

7

23.7 Legacy Series / Re: openvpn profile: Certificate Depth reset to Do Not Check after saving

« on: August 05, 2023, 12:40:02 pm »

Will wait for the fix.
Thanks.
Best Regards.

8

23.7 Legacy Series / Re: small suggestions for new openvpn profile

« on: August 05, 2023, 12:39:28 pm »

My second suggestion was just to be able to compare generated files (result of configuration) with the old and new way to configure openv and be sure all old configs have been set.

Best Regards,
Fathi.

9

23.7 Legacy Series / [Solved] openvpn profile: Certificate Depth reset to Do Not Check after saving

« on: August 05, 2023, 11:55:43 am »

Hi,
When creating a new openvpn profile, the "Certificate Depth" value is always reset to "Do Net Check" after saving whatever value is chosen before saving.
May be this is related to the issue described in the topic 35225.0 https://forum.opnsense.org/index.php?topic=35225.0 (no way to select the peer CA to check client certificates against).
TIA

10

23.7 Legacy Series / [Solved] Peer Certificate Revocation List present but no Peer CA

« on: August 05, 2023, 11:36:37 am »

Hi,
In the openvpn profile form the "Peer Certificate Revocation List" option is present but not the "Peer Certificate Authority" one allowing to select which Certificate Authority will be used to verify client certificates.
May be the form doesn't show because i have created only one Certificate Authority when creating an openvpn server before the 23.7 version change, and so it is implicitly chosen. In this case please ignore this post.
TIA.

11

23.7 Legacy Series / [Solved] small suggestions for new openvpn profile

« on: August 05, 2023, 11:31:04 am »

Hi,
As several parameter names, descriptions and locations (order in the form) have changed between the old openvpn server generation wizard and the new openvpn profile form, would it be possible, as a suggestion, to print the old parameter names in italic, between parenthesis, under the new parameter names, so people could rapidly and with minimum possible mistakes manually migrate their old config to the new profile form.
Or at least have one preview button, similar to the one down this page, that allows previewing what will be the server config file.
TIA.

12

23.7 Legacy Series / [Solved] New OpenVPN profile server: TLS static key neither automatically genera

« on: August 05, 2023, 11:18:15 am »

Hi,
When creating a new openvpn profile for a server, there is no textarea to fill a static key nor is there the old option to "Automatically generate a shared TLS authentication key".

13

23.7 Legacy Series / Detecting compromised vpn clients

« on: August 05, 2023, 03:07:42 am »

HI,
I have setup openvpn server to allow remote users to connect to internal network. I would like to setup intrusion detection to detect malicious traffic from compromised vpn clients to corporate lan. I am only interested on vpn client address as real addresses are dynamic (3G/4G mobile network) and opnsense is behind another firewall, so all clients seem to be coming from dmz gateway.
Which surricata rules should i activate, mainly to detect attacks against windows servers and databases ?
TIA.

14

General Discussion / Weighted loadbalanced MultiWAN not working

« on: June 11, 2021, 02:32:45 pm »

Hi, I have followed the document at https://docs.opnsense.org/manual/multiwan.html and setup a weighted monitored loadbalanced multiwan group between 2 adsl connections.
on the interfaces configuration page relative to the WAN interface (both adsl connections are on the same subnet but to two different isp), the gateway group doesn't appear. If i leave the Gateway vakue to its default, packets are not forwarded from the lan clients to the internet. If i choose any of the wan gateways traffic is forwarded from  lan clients to the internet but then i don't have load balancing.
Can someone help me please ?
TIA
Fathi B.N.

15

19.1 Legacy Series / Re: Benchmarking OPNsense

« on: February 22, 2019, 12:24:29 am »

I have a lot of warnings and critical messages from the underlying hypervisor about memory, swap usage, disk backlog, fifo errors, disk utilization, inbound packets dropped ratio, ...  and that is why i am asking about sizing.