Messages - jjanzz

#1
Development and Code Review / Re: UniFi Controller
October 29, 2019, 09:17:21 PM
I'd recommend against this. OPNsense is a firewall, which should in fact be one of the safest devices on your network. It is basically the gatekeeper between you and the big bad internet. Running additional services on it increases the attack surface and therefore increases the risk.

Don't get me wrong, I am not entitled to anything, as a user of an open source project. But I really like the vast focus of OPNsense towards security. They even switched bases from FreeBSD to HardenedBSD - because it's obviously much more secure. I can't speak for the developers, the core team or any contributing member of OPNsense; but running Java on a firewall seems pretty... inconsistent with the core values of OPNsense.

And hey, of course you are free to do as you please, but if your goal is to have one device acting as a firewall, gateway, WiFi controller and perhaps more, you will be better off and have an easier time with a Linux distribution designed for exactly these purposes.

EDIT: Adding - if you have a spare box, throw Ubuntu or Debian on it and take a look at these scripts for an easy UniFi Controller installation: UniFi Scripts
#2
If I try to update Sensei (engine version 0.8.0) to the stable release, it throws the following error:

OPNsense version later than 19.7.2, activating Sunny Valley Networks Sensei packet repository via "os-sunnyvalley"...Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-sunnyvalley' have been found in the repositories
Repo package "os-sunnyvalley" installation failed!
***ERROR***


This is on OPNsense 19.7.2

EDIT: I was able to install the engine version 1.0, by removing os-sensei and reinstalling it via the package tools. Though, sensei-updater continues to throw the same error.
#3
19.7 Legacy Series / Re: 19.7 FreeBSD 12
July 04, 2019, 12:59:22 PM
s/FreeBSD/HardenedBSD/g

Since 19.1 hit the market - erm, mirrors - OPNsense switched fully to HardenedBSD. It's very comparable to FreeBSD, only more secure. Fun fact, Shawn Webb (lattera) is one of the founders of HardenedBSD and an OPNsense core member. Interesting, but perhaps a bit technical talk by Shawn: https://www.youtube.com/watch?v=kHNzgUeY6cE
#4
Quote from: dipswitch on February 05, 2019, 04:08:34 PM
It worked! I can now breathe again... ps. I'm on ziggo, one would think that they know better with almost 4 million customers. I guess not.

Which modem did they get you? One of those new ConnectBoxes?
#5
19.1 Legacy Series / Re: VMWare Tools for Hardened BSD
February 07, 2019, 08:48:05 AM
This is a known issue - have it in other OSes as well as soon as there is a non-standard kernel involved. Even with the information notice, VMware tools seems to function perfectly. Might be the case for you too - could you check that?
#6
Installed the netmap enabled kernel, seems like it crashes elasticsearch in Sensei constantly. Though, the Sensei service itself is running perfectly. Could it be the case that Sensei is not adjusted yet? Seems I can't activate Sensei on the WAN port - which is a VLAN interface (my provider requires it).

EDIT: rebooted once more (second reboot after kernel installation) and now it seems to work as solid as before.
#7
19.1 Legacy Series / Re: 19.1-BETA images
November 05, 2018, 10:08:23 AM
Is it doable to create custom images? I'd like to have an install image with LibreSSL already in it - not unwilling to do the effort myself.
#8
Quote from: svn on October 18, 2018, 07:11:19 PM
We're currently working with OPNsense for the integration. As a part of this process, OPNsense started providing some of our dependencies. We'll update our installer and package to be compatible with the latest changes on OPNsense package repository, soon.

Thank you for the reply. No problem; I'll gladly help you test it out as soon as it's possible :)
#9
General Discussion / Re: Newbie question
October 18, 2018, 11:57:36 AM
The best thing you could probably do, is take the Fritzbox out of the equation. As you have DSL, OPNsense is perfectly able to 'dial in' via PPPoE or whatever it is your upstream provider uses. Doing so prevents nastiness that comes from having a double NAT.

Are the VMs using different ports? If so, you could just use port forwarding.
#10
If DNS still is somewhat a mystery to you - and don't be ashamed if it is, being pretty complex for newcomers - this might clear something up:

Normally - with forwarding enabled, it works like this:

  1. Your client asks the DNS service "Who is opnsense.org?"
  2. Your DNS service will check its cache and reply if the answer is already known.
  3. Since 2 is not true in our example, the DNS service forwards the request to the configured external upstream DNS server(s).
  4. Upon receiving the answer, your DNS service will reply to your client and tell it the answer of its request.
  5. Lastly, your DNS service will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again.

With forwarding disabled, it works like this:

  1. Your client asks the DNS service "Who is opnsense.org?"
  2. Your DNS service will check its cache and reply if the answer is already known.
  3. Since 2 is not true in our example, the DNS service delegates the request to the (local) recursive DNS resolver.
  4. Your recursive server will send a query to the DNS root servers: "Who is handling .org?"
  5. The root server answers with a referral to the TLD servers for .org.
  6. Your recursive server will send a query to one of the TLD DNS servers for .org: "Who is handling opnsense.org?"
  7. The TLD server answers with a referral to the authoritative name servers for opnsense.org.
  8. Your recursive server will send a query to the authoritative name servers: "What is the IP of opnsense.org?"
  9. The authoritative server will answer with the IP address of the domain opnsense.org.
  10. Your recursive server will send the reply to your DNS service which will, in turn, reply to your client and tell it the answer of its request.
  11. Lastly, your DNS service will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again.

You can easily imagine even longer chains for subdomains as the query process continues until your recursive resolver reaches the authoritative server for the zone that contains the queried domain name. It is obvious that the methods are very different and the own recursion is more involved than "just" asking some upstream server. This has benefits and drawbacks:

  • Benefit: Privacy - as you're directly contacting the responsive servers, no server can fully log the exact paths you're going, as e.g. the Google DNS servers will only be asked if you want to visit a Google website, but not if you visit the website of your favorite newspaper, etc.
  • Drawback: Traversing the path may be slow, especially for the first time you visit a website - while the bigger DNS providers always have answers for commonly used domains in their cache, you will have to traverse the path if you visit a page for the first time. A first request to a formerly unknown TLD may take up to a second (or even more if you're also using DNSSEC). Subsequent requests to domains under the same TLD usually complete in < 0.1s.

Information largely sourced from a Pi-Hole guide. Interesting, unrelated side-note: another member, Alec, is implementing the functionality Pi-Hole offers in OPNsense!
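To make the two paths above concrete, here is a small Python model of a local DNS service that either forwards misses to one upstream or walks root -> TLD -> authoritative itself. It is an added example, not code from the post, from OPNsense/Unbound or from the Pi-hole guide: the server names, zone contents, addresses (RFC 5737 documentation range) and the forwarder's "warm cache" are all constructed. It goes slightly beyond the post in two ways: it includes a child zone (forum.opnsense.org) to show the longer chain for subdomains, and it caches the referrals it learns, which is why a real resolver can skip the root on later queries under the same TLD. The `contacted` counter makes the privacy point visible: in forward mode one party sees every miss, in recurse mode each server only sees the part of the tree it is responsible for.

```python
from collections import Counter

# Constructed name-server data standing in for the real DNS tree (not real
# records). Each server knows final answers and/or referrals to the servers
# one level further down. Addresses are from the RFC 5737 documentation range.
ZONES = {
    "root":        {"org.": ("referral", "tld-org")},
    "tld-org":     {"opnsense.org.": ("referral", "ns-opnsense")},
    "ns-opnsense": {"opnsense.org.": ("answer", "192.0.2.10"),
                    "forum.opnsense.org.": ("referral", "ns-forum")},  # child zone
    "ns-forum":    {"forum.opnsense.org.": ("answer", "192.0.2.20")},
}

# Constructed warm cache of a big public forwarder (placeholder for any upstream).
FORWARDER_CACHE = {"opnsense.org.": "192.0.2.10", "forum.opnsense.org.": "192.0.2.20"}


def in_zone(qname, zone):
    """True when qname is zone itself or lies below it."""
    return qname == zone or qname.endswith("." + zone)


def ask_server(server, qname):
    """One round trip to a name server: ('answer', ip, name), ('referral', next_server, zone) or nxdomain."""
    zone_data = ZONES[server]
    matches = [name for name in zone_data if in_zone(qname, name)]
    if not matches:
        return "nxdomain", None, None
    closest = max(matches, key=len)               # longest matching name wins
    kind, value = zone_data[closest]
    if kind == "answer" and closest != qname:     # authoritative here, but no such name
        return "nxdomain", None, None
    return kind, value, closest


class DnsService:
    """The local DNS service from the post, in 'forward' or 'recurse' mode."""

    def __init__(self, mode):
        if mode not in ("forward", "recurse"):
            raise ValueError("mode must be 'forward' or 'recurse'")
        self.mode = mode
        self.answers = {}           # the cache of final answers (steps 2 and 5/11)
        self.referrals = {}         # zone -> server, learned while recursing
        self.contacted = Counter()  # which outside servers saw one of our queries

    def query(self, qname):
        """Return (ip_or_None, source) where source is 'cache' or the mode used."""
        if qname in self.answers:                   # step 2: answer already known
            return self.answers[qname], "cache"
        ip = self._forward(qname) if self.mode == "forward" else self._recurse(qname)
        if ip is not None:                          # last step: remember the answer
            self.answers[qname] = ip
        return ip, self.mode

    def _forward(self, qname):
        self.contacted["forwarder"] += 1            # a single party sees every miss
        return FORWARDER_CACHE.get(qname)

    def _recurse(self, qname):
        server = self._closest_known_server(qname)  # skip the root if we already know the TLD servers
        while True:
            self.contacted[server] += 1
            kind, value, zone = ask_server(server, qname)
            if kind == "answer":
                return value
            if kind == "nxdomain":
                return None
            self.referrals[zone] = value            # remember the delegation for next time
            server = value

    def _closest_known_server(self, qname):
        known = [z for z in self.referrals if in_zone(qname, z)]
        return self.referrals[max(known, key=len)] if known else "root"


if __name__ == "__main__":
    for mode in ("forward", "recurse"):
        svc = DnsService(mode)
        for name in ("opnsense.org.", "forum.opnsense.org.", "opnsense.org.", "nothere.org."):
            print(f"{mode:8} {name:22} -> {svc.query(name)}")
        print(f"{mode:8} servers contacted: {dict(svc.contacted)}")
```

Running it shows the forwarder answering every miss in one query to the same upstream, while the recursing service needs three queries the first time, two for the subdomain (it already knows who handles opnsense.org), none for the repeat, and never contacts the root again once the .org delegation is cached.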
#11
Did you perhaps tick the 'Deny unknown clients' box on the DHCP server page?
#12
During the initial installation, a dependency throws a 404 error:

pkg: https://updates.sunnyvalley.io/repo/libXtst-1.2.3.txz: Not Found
FAILED : Unable to install required packages. Please see install.log
#13
18.7 Legacy Series / Re: How to 'purge' a package?
August 28, 2018, 09:49:46 AM
Thank you very much for your answer. I ended up reinstalling OPNsense, spent quite some work on it, but everything is back up and running. I know that there is a configuration export & import option, but it feels better to start with a clean slate :)
#14
General Discussion / Re: DNSCrypt Proxy Only Localhost
August 26, 2018, 01:31:31 PM
Quote from: Nekromantik on August 26, 2018, 01:23:56 PM
I found the issue.

Good job! And thank you kindly for sharing the solution - others might benefit from that if they ran into the same issue!
#15
General Discussion / Re: My dream home setup
August 26, 2018, 01:30:25 PM
Quote from: jds on August 26, 2018, 12:29:29 PM
I had some difficulty with a setup that involved both vpn client and vpn server. The official tutorial from opnsense for the vpn server was quite different from what the wizard did, and that caused some confusion. There was no documentation on the client side, but PIA was helpful with the details missing on the pfsense documentation. Maybe the wizard would have eventually worked.

Have to be entirely honest here, I haven't tried the VPN client myself on OPNsense. The only VPN servers I trust are the ones I completely manage - not those of an external party. Not even the ones that seem trustworthy due to a good track record (PIA, AirVPN, Cryptostorm). I run two VPN servers right now, at home and on the infra in a datacenter. The latter one is merely a fallback - if there are connectivity issues. 4G is a proper fallback, but has a shared IPv4 and isn't static.

Quote from: jds on August 26, 2018, 12:29:29 PM
I like your point about unbound + pihole. I will definitely try to set that up.

If you need help with that, feel free to ping me! One additional tip: are you familiar with Wally3K's blocklist collection?

Quote from: jds on August 26, 2018, 12:29:29 PM
You are also right about moving trust from A to B. However, I was certain I could not trust A. Also, some of my machines can hop to another tunnel, to mix up the traffic more. ;)

The best use-case depends on your goals. If anonymity is your goal, mixing it up is a pretty great idea - and perhaps using TOR over a VPN even better. If it is merely that you don't trust your ISP or to circumvent censorship, it doesn't matter that much. On a decent phone, some applications use certificate pinning. Even if there is a MitM attack going on - it won't be effective as this causes a fingerprint mismatch. Quite a while ago, this technique was also developed for websites/webservers (HPKP, HTTP Public Key Pinning) - though it was killed with Chrom{ium,e} dropping support. Too easy to screw it up, rendering websites totally inaccessible. And Let's Encrypt proved to be quite difficult with the validity set at three months.

Quote from: jds on August 26, 2018, 12:29:29 PM
I have also struggled with a good wireless setup. Mine is currently cobbled together from decent commercial routers that have been tweaked to just pass through, a couple with dd-wrt. The radios are good, and most of the processing has been moved to my firewall, so it works, but... I even tried a more expensive mesh setup, but it did not give me the control I needed, and was not much speed improvement anyway, so returned it. I would like to hear of a good, not-too-expensive alternative, so will be interested to hear if you pull the trigger on the Arubas.

Right now, I have one poor man's AP - as there isn't that much space to cover. Just one TP-Link Archer C7 flashed with OpenWRT in a wireless switch setup. But as soon as I need more APs, this isn't going to cut it.

If you want proper wireless communication with a limited budget, UniFi is the number one brand. There is a massive difference between 'enterprise grade' (yikes, I hate that phrasing) devices and 'consumer grade'. The biggest difference being wireless hand-off. Basically put, those are multiple APs creating one big network - whereas a couple of 'consumer grade' devices with the same SSID and WPA2 passphrase are individual networks.

I have pinged my mate with whom I had the discussion about privacy policies and T&Ds - as long as you use the UniFi APs and run your own controller (meaning, not using the cloud controller -or- USG), your privacy is safe. With the UniFi APs rated at less than 100 bucks - they are ideal.

Quote from: jds on August 26, 2018, 12:29:29 PM
We actually have access to fiber but, am waiting on that. It will get cheaper eventually, and it is always nice to have a significant improvement to look forward to.

If I may be so free to ask: where do you live? I live in the Netherlands, a 100/100Mbit line costs about 50 euro/month. In the areas where a GBit uplink is available, a subscription can be obtained for ~75 euros (or less).