Messages

1

Intrusion Detection and Prevention / Re: DShield Rules in ET Pro

« on: November 08, 2019, 10:09:26 am »

Ok, I looked in the corresponding rules files (the problem applies also to other rules) and found "#@opnsense_download_hash:ec786a61cb5d93b6eb0907e29ca4c166" in the file.

So this seems to be the same problem as https://forum.opnsense.org/index.php?topic=12119.msg55567#msg55567 .

But I wonder -- in the open version there are DShield rules. So why should there be no rules in the Pro edition? And I see traffic that is NOT blocked, but listed on the Dshield website.

ET Open rules:
http://rules.emergingthreats.net/blockrules/emerging-dshield.rules

The same problem applies (at least) to:
drop.rules
compromised.rules
botcc.rules
botcc.portgrouped.rules
ciarmy.rules

2

Intrusion Detection and Prevention / DShield Rules in ET Pro

« on: November 08, 2019, 09:58:40 am »

Hi!

I activated the ET Pro Telemetry edition. Since then, the DShield Rules which I had in the ET Open version disappeared.
In the download section I have "ET telemetry/dshield" set to activated/drop. But when I search for "dshield" in the rules tab, there are no associated rules. How can I get them back?

Best wishes,
Adrian Schneider

3

19.7 Legacy Series / Re: 19.7.3: Fallback to Master HA member not working

« on: September 09, 2019, 04:03:12 pm »

He just writes that these values shouldn't be the defaults. But can be changed when needed.

It solved my problem, so I'm fine with it.

4

19.7 Legacy Series / Re: 19.7.3: Fallback to Master HA member not working

« on: September 06, 2019, 10:15:54 pm »

Hi,

I had the same problem and fixed it with the following tuneables:

net.inet.carp.preempt = 1
net.inet.carp.senderr_demotion_factor = 0
net.pfsync.carp_demotion_factor = 0

There is a pfsync thread to this topic.

Hope it works for you!

5

19.7 Legacy Series / Re: OpenVPN RADIUS Accounting

« on: September 03, 2019, 01:49:31 pm »

https://github.com/opnsense/core/issues/3694

6

19.7 Legacy Series / Re: OpenVPN RADIUS Accounting

« on: September 02, 2019, 05:18:24 pm »

How is auth for OpenVPN implemented?

I found this OpenVPN plugin:
https://github.com/brainly/openvpn-auth-radius

which would do both... But I guess it‘s not advised to install external stuff, right?

Could you advise me, how you would do it?

7

19.7 Legacy Series / OpenVPN RADIUS Accounting

« on: September 02, 2019, 03:52:06 pm »

Hi,

does the OpenVPN server support accounting/can I make it do that?
I need regular updates (Acct-Interim-Interval) so I can manage my IP pool.

Best wishes
Adrian Schneider

8

19.7 Legacy Series / Re: Multi-wan FailOver (FO) issue

« on: August 29, 2019, 10:13:31 pm »

Just patch it:

opnsense-patch 7bfadb2

as root.

9

19.7 Legacy Series / Re: Multi-wan FailOver (FO) issue

« on: August 29, 2019, 12:59:02 am »

For the traceroute point:
Could be related to a problem I had.
https://forum.opnsense.org/index.php?topic=13832.0

10

19.7 Legacy Series / Re: Failover

« on: August 28, 2019, 12:39:25 pm »

For the incoming data: Setup port forwarding (NAT -> Port forward) and assign both interfaces for every rule. It's important, that "Diasble Reply-To" in the advanced settings is not checked.

This enables port forwarding, but does not do failover. I set up a dynamic IP from behind the firewall with ddclient so that a domain always points to the active WAN.

11

19.7 Legacy Series / OpenVPN (tun) Authorization via Framed-IP-Address

« on: August 27, 2019, 05:58:53 pm »

Hi there!

I‘m planning an OpenVPN Server (tun) with authentication/authorization from Radius. My approach is: Radius sets the Framed-IP-Address so that for example admins have an address in the range 10.0.0.0/24 and normal users 10.0.1.0/24. With the firewall I can then define access to the different resources.
My little test setup works perfectly, but now the crucial question:

Is there any chance that a user changes his IP address in tun mode?

Kind regards
Adrian Schneider

12

19.7 Legacy Series / Re: [RESOLVED] Force gateway broken?

« on: August 18, 2019, 05:37:50 am »

No need to take care of all combinations, I think unit testing would be mostly sufficient. Is there a testing repo? I‘m prepared to contribute.

It also sounds like a very interesting task to set up a full virtual lab 

13

19.7 Legacy Series / Re: Force gateway broken?

« on: August 17, 2019, 02:02:45 pm »

I think I‘ll go with the patch.

But besides: Isn‘t there automatic testing for such stuff? I think this could have easily been prevented.

Nevertheless: Great work you‘re doing here! It‘s quite enjoyable to work with OPNSense!

14

19.7 Legacy Series / Re: Force gateway broken?

« on: August 17, 2019, 01:19:48 pm »

I think I found the cause:

https://github.com/opnsense/core/commit/7bfadb2acd4660b05d11059152dec7d88a90b288

15

19.7 Legacy Series / Re: Force gateway broken?

« on: August 17, 2019, 12:45:12 pm »

I‘m not sure, this is related, @tong2x, this sounds different to me.

@mimugmail:

Tried it, does not change anything. BTW, I can use port forwarding on both WANs without ‚disable force gateway‘ without any issue. Access from outside does work perfectly fine.
The only thing that does not work is to use a gateway other than the default gateway for traffic originating from the OPNSense machine itself. (It works perfectly fine for traffic from the LAN(s)).

Even when I use ping -S on the secondary interface: The packet leaves OPNSense on the interface with the default gateway and does not find its way to the secondary gateway.