Messages

1

Hardware and Performance / Re: Qotom hardware

« on: May 28, 2022, 02:34:35 pm »

these fanless mini pc x64/amd64 are too pricey, power hungry, overheated, so better idea to move to arm64/aarch64. 

maybe rpi usb router or cm4 module with gbe carrier board. 

Can someone give me some hints to compile a build for Compute Module 4?

2

Hardware and Performance / Re: Qotom hardware

« on: April 14, 2022, 02:54:50 pm »

i’m looking for a second unit, any experience here with the new Q1000X models?

https://qotom.net/product/91.html

3

Intrusion Detection and Prevention / suricata initial setup/test

« on: December 03, 2021, 02:04:37 am »

i need some help with initial setup of suricata 6.0.4 on opnsense 21.7.6 ..

For those wanting to get started with IDS/IPS, this is an excellent tutorial - https://www.youtube.com/watch?v=_yIq3GM4gjA&t=6s

is the youtube tutorial from last year now outdated? i tried:

Interfaces > Settings > Network Interfaces
hardware acceleration x3 turned off

Services > Intrusion Detection > Administration > Settings
enabled
IPS mode off so IDS will alert only
Interfaces > LAN only because Firewall > NAT > Outbound is Automatic

Administration > Download
enabled and downloaded/updated the test ruleset OPNsense-App-detect/test

Administration > Rules
7999999   alert   opnsense.test.rules   bad-unknown   OPNsense test eicar virus

Administration > Schedule
enabled default daily update

Code: [Select]

2021-12-02T19:50:48 suricata[27873] [100250] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
2021-12-02T19:50:48 suricata[26200] [100160] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode

Code: [Select]

$ curl http://pkg.opnsense.org/test/eicar.com.txt
but no luck getting the client download of eicar.com.txt to trigger an alert

Administration > Alerts
No results found!

so i tried adding a policy but still no luck

Services > Intrusion Detection > Policy
enabled
priority: 0
rulesets: opnsense.test.rules
action: alert
rules classtype: nothing selected
new acton: alert

4

18.7 Legacy Series / Re: android adb rules firing inconsistently

« on: November 19, 2018, 04:06:48 pm »

i am thinking this is an asymmetric routing issue, because the gateway (ddwrt) is on the internal LAN interface. 

there is this article https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html under "gateway set when it should not be set" which talks about the ill effects of pfsense. 

i am not sure how the adb protocol works though.  the DF flag in some of the blocked packets makes me think there is some fragmentation/MTU issue. 

5

18.7 Legacy Series / android adb rules firing inconsistently

« on: November 19, 2018, 12:29:53 am »

my first time working with android adb and i can't figure out why the LAN firewall rule to port 5555 is firing inconsistently.  the 2.220 host (tinkerboard) is behind a gateway (ddwrt).  any ideas why the second and third packets below would skip the rule entirely?

Code: [Select]

$ ifconfig | grep inet
inet 192.168.1.232 netmask 0xffffff00 broadcast 192.168.1.255
$ adb connect 192.168.2.220         
failed to connect to 192.168.2.220:5555
$ ping 192.168.2.220
PING 192.168.2.220 (192.168.2.220): 56 data bytes
64 bytes from 192.168.2.220: icmp_seq=0 ttl=63 time=10.513 ms
64 bytes from 192.168.2.220: icmp_seq=1 ttl=63 time=8.080 ms


__timestamp__	11/18/18 17:55:54	11/18/18 17:55:54	11/18/18 17:55:53
ack		190817746	190817746
action	[pass]	[block]	[block]
anchorname
datalen	0	0	0
dir	[in]	[in]	[in]
dst	192.168.2.220	192.168.2.220	192.168.2.220
dstport	5555	5555	5555
ecn
id	0	0	5636
interface	igb2	igb2	igb2
ipflags	DF	DF	none
label	USER_RULE: allow LAN to tinkerboard	USER_RULE: default block IPv4 LAN	USER_RULE: default block IPv4 LAN
length	64	40	40
offset	0	0	0
proto	6	6	6
protoname	tcp	tcp	tcp
reason	match	match	match
ridentifier	0	0	0
rulenr	122	124	124
seq	3901304184	3330648330
src	192.168.1.232	192.168.1.232	192.168.1.232
srcport	49965	49910	49910
subrulenr
tcpflags	S	RA	A
tcpopts
tos	0x0	0x0	0x0
ttl	64	64	64
urp	65535	2058	2058
version	4	4	4

6

General Discussion / firewall aliases in live view?

« on: November 15, 2018, 02:13:24 pm »

hello i think i remember reading about alias enhancements in one of the recent releases ..

is there some way to translate ip addresses back to aliases or local domain names in the Firewall: Log Files: Live View?

or can i set up remote logging to do this somehow?

7

18.7 Legacy Series / openvpn client disconnects

« on: September 29, 2018, 06:59:10 pm »

hello i am trying to replace a ddwrt/atheros router with opnsense/esxi/x86.   to provide openvpn client to nordvpn.  i followed these pfsense configuration instructions (https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/) as closely as possible.  the openvpn client connects but then disconnects .. any advice what i can try?


compression: enabled without adaptive

advanced options:

Code: [Select]

vtls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
auth-retry nointeract;


Code: [Select]

Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: Client disconnected
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: CMD 'status 2'
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: CMD 'state all'
Sep 29 12:44:41 openvpn[49048]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 29 12:44:31 openvpn[49048]: Initialization Sequence Completed

 

8

Hardware and Performance / Re: Realtek 8168C

« on: September 23, 2018, 07:04:21 am »

extension cable fits barely above the speaker mount.

9

Hardware and Performance / Re: Realtek 8168C

« on: September 23, 2018, 07:02:47 am »

so now i have two more ethernet ports to work with.  the mini pcie extension from adt-link works very well with the jetway/intel card.  at some point i will try to mount the cards inside the chassis.  if anyone else tries this, i would recommend longer than 15cm extension.  maybe 30cm or more so you can mount the full size mini pcie card at the back.  there isn't enough space at the front unless you remove the usb and audio card.

10

General Discussion / Re: Firewall: Log Files: Live View

« on: September 12, 2018, 09:53:59 pm »

thank you that's exactly what i was looking for.

System: Settings: Logging
Log Firewall Default Blocks    
XLog packets matched from the default block rules put in the ruleset   
XLog packets matched from the default pass rules put in the ruleset

11

General Discussion / Re: Firewall: Log Files: Live View

« on: September 12, 2018, 07:50:28 pm »

or maybe there is a way to disable logging for 'anti-lockout rule' and 'block all ipv6'?  the log fills with these and i can't see logging for my user rules.  i always have to change the default from 25 to 250 or 500.  so it would be nice if this were reconfigurable somehow.

12

General Discussion / [SOLVED] Firewall: Log Files: Live View

« on: September 10, 2018, 03:45:21 pm »

hello is it possible to change the defaults (25, auto refresh) for the live view? thank you

13

18.7 Legacy Series / Re: openvpn vs ipsec ikev2

« on: September 09, 2018, 07:16:19 am »

i got pretty close by following the point to point setup to add tunnel settings (https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html) ..

but still something wrong with UDP encapsulation and the install route:

Code: [Select]

Sep  9 01:01:24 opnsense charon: 00[DMN] signal of type SIGINT received. Shutting down
Sep  9 01:01:37 opnsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p13, amd64)
Sep  9 01:01:37 opnsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Sep  9 01:01:37 opnsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Sep  9 01:01:37 opnsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep  9 01:01:37 opnsense charon: 00[CFG]   loaded ca certificate "XXXXXXXXXXX"XXXXXXXXXXX"XXXXXXXXXXX"XXXXXXXXXXX'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Sep  9 01:01:37 opnsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep  9 01:01:37 opnsense charon: 00[CFG]   loaded IKE secret for XXXXXX@XXXXXX
Sep  9 01:01:37 opnsense charon: 00[CFG] loaded 0 RADIUS server configurations
Sep  9 01:01:37 opnsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Sep  9 01:01:37 opnsense charon: 00[JOB] spawning 16 worker threads
Sep  9 01:01:37 opnsense charon: 05[CFG] received stroke: add connection 'con1'
Sep  9 01:01:37 opnsense charon: 05[CFG] added configuration 'con1'
Sep  9 01:01:37 opnsense charon: 16[CFG] received stroke: route 'con1'
Sep  9 01:01:37 opnsense charon: 16[KNL] can't install route for 192.168.2.0/24 === XXX.XXX.XXX.XXX/32 out, conflicts with IKE traffic

14

18.7 Legacy Series / Re: openvpn vs ipsec ikev2

« on: September 09, 2018, 04:52:34 am »

thanks .. i have the new box up now and finally getting to the vpn config..  i would appreciate advice on how to configure ipsec/ikev2 strongswan.   

i would like to set up a vpn client running on the local router which would allow local machines (maybe restricted to a separate subnet on OPT1 or a particular VLAN) to access remote lan resources through a ipsec/ikev2 tunnel.

15

Hardware and Performance / Re: Qotom hardware

« on: September 08, 2018, 01:58:17 pm »

so far the qotom cpu peak temperatures are not too bad .. only about 35C .. hopefully no heat sink shenanigans will be required.

i tested the NAT throughput of qotom/opnsense using iperf between wan and lan ports .. without filtering it's easily doing true gigabit 900+ Mbps.