Messages - klontje

#1
General Discussion / Re: Quality reporting
November 09, 2020, 10:16:42 AM
Never mind, I figured it out myself. Just for anybody else searching for this, it stands for 'standard deviation' and is a reflection of the deviation from the standard baseline on latency (and possibly also packet loss).

Pretty self-explanatory once you know what stddev stands for :P
#2
General Discussion / Quality reporting
November 09, 2020, 09:41:59 AM
Hello,

my girlfriend has been complaining about work connections sometimes getting disrupted, while I have no issues (except for once). I have been looking at the graphs in OpnSense and have a question about the stddev in the graph, what does this tell me? It is unclear to me. Loss and latency are pretty clear, but stddev is also not mentioned in the documentation.
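As an added illustration of the two posts above (this is example code written for this page, not code from OPNsense or from the poster), the function below summarises a window of gateway probe results the way a gateway monitor does: loss percentage, mean RTT and the standard deviation of the RTT. The two sample windows are constructed, not measured: both have the same average latency of about 20 ms, but one has a large stddev and some lost probes, which is exactly the kind of link that "sometimes gets disrupted" while looking fine on the latency average. The alarm thresholds are arbitrary demo values, not OPNsense defaults, and using the population standard deviation is an assumption about the monitor's method.

```python
import statistics

# Constructed RTT samples in milliseconds; None marks a probe that got no reply.
# Both windows average about 20 ms, but behave very differently. Not real data.
STEADY_LINK = [20, 21, 19, 20, 21, 20, 19, 20, 21, 20]
JITTERY_LINK = [5, 40, None, 3, 45, 4, 38, None, 6, 42, 5, 12]

# Demo thresholds, chosen for illustration; not OPNsense's defaults.
LOSS_ALARM_PCT = 10.0
STDDEV_ALARM_MS = 10.0
LATENCY_ALARM_MS = 100.0


def gateway_quality(samples, loss_alarm=LOSS_ALARM_PCT,
                    stddev_alarm=STDDEV_ALARM_MS, latency_alarm=LATENCY_ALARM_MS):
    """Summarise one window of probe results like a gateway monitor would.

    Returns loss percentage, mean RTT, the population standard deviation of
    the RTT (i.e. jitter) and the list of thresholds that were crossed.
    Population stddev is an assumption about the monitor's method.
    """
    if not samples:
        raise ValueError("empty sample window")
    replies = [rtt for rtt in samples if rtt is not None]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    if len(replies) >= 2:
        mean = statistics.fmean(replies)
        stddev = statistics.pstdev(replies)
    elif replies:
        mean, stddev = float(replies[0]), 0.0
    else:
        mean, stddev = None, None  # every probe lost: no RTT statistics

    alarms = []
    if loss_pct > loss_alarm:
        alarms.append("loss")
    if mean is not None and mean > latency_alarm:
        alarms.append("latency")
    if stddev is not None and stddev > stddev_alarm:
        alarms.append("stddev")
    return {"loss_pct": loss_pct, "mean_ms": mean, "stddev_ms": stddev, "alarms": alarms}


if __name__ == "__main__":
    for name, window in (("steady", STEADY_LINK), ("jittery", JITTERY_LINK)):
        print(name, gateway_quality(window))
```

The steady window reports a stddev of 0.7 ms and no alarms; the jittery window reports the same 20 ms mean but a stddev of about 17.6 ms and 16.7% loss, so it trips the loss and stddev alarms even though the latency threshold is never crossed.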

#3
So in the end I decided to upgrade to OpnSense 20.7 which solved the problem of not detecting anything. It did introduce another issue, which is that as soon as I enable IPS mode OpnSense crashes (but alerting is fine with me).
#5
Hello, I am running OPNsense 20.1.9 on VMWare ESXi 6.7. All my interfaces are VMXNET3 interfaces, with which I can very happily achieve perfect gigabit network speeds.

I wanted to give IDS a shot, and enabled Suricata according to the guidance:

  • disabled offloading (and rebooted)
  • enabled IDS/Suricata
  • selected my WAN and LAN interface
  • Selected a bunch of rules for downloading
  • enabled the rules (including OPNsense test rule for Eicar)
  • Checked the log file which to me looks all good (see below)

Unfortunately I am still able to download the eicar virus, and there are no alerts logged or packets dropped (eicar test rule is set to drop). I tried with all different pattern matchers, I tried promiscuous mode, I tried with IPS mode on and off, but nothing helps. It just won't match any rules, as if it is not looking at any traffic.

After reading a bit about this, I am thinking it might be the VMXNET3 interfaces, but would like your experiences with these and see if I missed anything. Below my logfile.


2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0+':  pkts: 32259, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0':  pkts: 143337, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1+':  pkts: 195350, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1':  pkts: 97232, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Signal Received.  Stopping engine.
2020-07-31T01:24:07 suricata: [100182] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 2 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2011544 and 3 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
2020-07-31T01:23:53 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-07-31T01:23:53 suricata: [100243] <Notice> -- This is Suricata version 4.1.8 RELEASE
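Two things a practitioner would check in a log like the one above: the shutdown stats lines do show packets counted on all four endpoints (the paired vmxN and vmxN+ entries are the two ends of the netmap pipe), with zero drops and zero invalid checksums, so the engine was receiving traffic; and this engine log never contains alerts at all, because alert output goes to fast.log / eve.json. The script below is an added example, not code from OPNsense or Suricata: it parses the stats and log-level lines into a short triage list, run here over a constructed excerpt of the posted log plus a constructed counter-example with an empty interface and invalid checksums. The 5% drop threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed excerpt, modelled on the log lines quoted in the post above.
SAMPLE_LOG = """\
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0+':  pkts: 32259, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0':  pkts: 143337, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1+':  pkts: 195350, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1':  pkts: 97232, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Signal Received.  Stopping engine.
2020-07-31T01:24:07 suricata: [100182] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
2020-07-31T01:23:53 suricata: [100243] <Notice> -- This is Suricata version 4.1.8 RELEASE
"""

# Constructed counter-example: one interface delivered nothing, the other
# dropped packets and saw invalid checksums, and the engine never started.
BROKEN_LOG = """\
2020-07-31T02:00:00 suricata: [100300] <Notice> -- Stats for 'vmx0':  pkts: 0, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T02:00:00 suricata: [100300] <Notice> -- Stats for 'vmx1':  pkts: 5000, drop: 600 (12.00%), invalid chksum: 4711
"""

STATS_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)':\s+pkts: (?P<pkts>\d+), drop: (?P<drop>\d+) "
    r"\([\d.]+%\), invalid chksum: (?P<bad_csum>\d+)"
)
LEVEL_RE = re.compile(r"<(Notice|Info|Warning|Error)> --")


def parse_stats(log_text):
    """Per-interface counters from the stats lines Suricata prints on shutdown."""
    stats = {}
    for line in log_text.splitlines():
        m = STATS_RE.search(line)
        if m:
            stats[m["iface"]] = {k: int(m[k]) for k in ("pkts", "drop", "bad_csum")}
    return stats


def count_levels(log_text):
    """How many Notice/Info/Warning/Error lines the log holds."""
    return Counter(m.group(1) for m in LEVEL_RE.finditer(log_text))


def triage(log_text, max_drop_pct=5.0):
    """Return a list of findings; an empty list means capture itself looked healthy.

    This log never carries alerts (they go to fast.log / eve.json), so an
    empty result only says the engine ran and saw packets, not that rules fired.
    """
    findings = []
    stats = parse_stats(log_text)
    if not stats:
        findings.append("no per-interface stats: engine did not run to a clean stop")
    for iface, s in sorted(stats.items()):
        if s["pkts"] == 0:
            findings.append(f"{iface}: 0 packets seen, capture delivered no traffic")
            continue
        drop_pct = 100.0 * s["drop"] / s["pkts"]
        if drop_pct > max_drop_pct:
            findings.append(f"{iface}: {drop_pct:.1f}% packets dropped")
        if s["bad_csum"] > 0:
            findings.append(f"{iface}: {s['bad_csum']} invalid checksums, NIC offloading probably still active")
    levels = count_levels(log_text)
    if levels["Error"]:
        findings.append(f"{levels['Error']} Error line(s) present")
    if "engine started" not in log_text:
        findings.append("no 'engine started' line: Suricata never finished initialising")
    return findings


if __name__ == "__main__":
    print("posted log:", triage(SAMPLE_LOG) or "capture looks healthy")
    print("broken log:", triage(BROKEN_LOG))
```

The flowbit warnings are benign (a rule checks a flowbit that no enabled rule sets) and are not counted as findings. When the triage list is empty but the EICAR download still goes through, the next place to look is the alert output and the rule's action, not the capture.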
#6
20.1 Legacy Series / Re: 4G Connection Strength
April 23, 2020, 11:46:18 AM
Hey, I have flashed my modem using this guide: http://blog.asiantuntijakaveri.fi/2015/07/convert-huawei-e3372h-153-from.html

I have set the port mode with AT^SETPORT="FF;12,10,16", as in Opnsense you need to use the PPP device and can't use the NDIS modem provided by the stick (don't know why, it is available in PFSense).
#7
Hardware and Performance / Re: Opnsense NDIS support
April 23, 2020, 11:39:25 AM
Try to connect to the modem using command below. Make sure you replace x.x with the port the modem is listening on.
cu -l /dev/cuaUx.x

and get the mode using
AT^SETPORT?

There might be a different mode set in the device.
#8
Hey Mattia,

sorry for taking so long to respond. Did you manage to get it to work? I used this guide: http://blog.asiantuntijakaveri.fi/2015/07/convert-huawei-e3372h-153-from.html

It worked pretty well for me. Also make sure you use the correct port on the stick. Depending on the mode you have set it to, you get one or more ports.
#9
I guess what you could do, although it isn't the prettiest, is either use two different mDNS services - or see if your mDNS provider has multiple IP addresses that you could use, and add a static route for each IP tied to the interface that is using that service/IP endpoint.
#10
Quote from: banym on March 27, 2020, 08:52:09 PM
I think the option you are looking for is: Strict User/CN Matching

I think he mentioned explicitly that he is not looking for that and is aware of that feature ;)

What he wants to know is what the value is of linking certificates to users when not enabling this feature. My 2 cents: it probably does not provide any value except for administrative purposes and the ability to enable the strict linking.
#11
20.1 Legacy Series / Re: Help with modem
March 29, 2020, 12:29:35 PM
Hey Markus,

does it expose any serial ports on the system? You can find out by running ls /dev/cuaU*

In turn you should be able to use these ports as PPP devices. If there are no serial ports, try to see if you can find any documentation from the vendor that might let you change the mode of the device.

If there is a serial port, check whether it accepts AT commands using cu -l /dev/cuaU0.0, replacing 0.0 with whatever port is created on your system. There is also some documentation on setting up a 4G modem as a PPP device: https://wiki.opnsense.org/manual/how-tos/cellular.html.
#12
20.1 Legacy Series / Re: 4G Connection Strength
March 29, 2020, 12:10:00 PM
Hello Pfirepfox,

I spent the last few days setting up 4G on my OpnSense machine. There is built-in signal strength metering available (at least with my Huawei E3372h USB 4G modem). Signal strength in the real world is measured using RSSI. If you go to Reporting -> Health there should be a tab called Cellular which shows a graph of the RSSI.

The RSSI shown uses the scale that is retrieved via AT commands to the modem. These are not the absolute RSSI numbers. For an overview of RSSI values see https://m2msupport.net/m2msupport/atcsq-signal-quality/

Hope this helps.
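The scale the post refers to is the <rssi> value of the AT+CSQ command (3GPP TS 27.007): 0 means -113 dBm or less, 31 means -51 dBm or more, 99 means unknown, and each step in between is 2 dBm. The example below is added here and is not OPNsense code or the poster's: it parses a raw AT+CSQ response, converts the value to dBm and attaches a coarse quality label. The responses are constructed, and the label thresholds are a common rule of thumb rather than anything standardised. One caveat for LTE: RSSI also includes noise and interference, so RSRP/RSRQ (which Huawei modems report through the vendor command AT^HCSQ) are the more meaningful signal metrics on a 4G link.

```python
import re

CSQ_RE = re.compile(r"\+CSQ:\s*(\d+)\s*,\s*(\d+)")

# Constructed modem responses, as a terminal would echo them after AT+CSQ.
GOOD_RESPONSE = "AT+CSQ\r\n+CSQ: 24,99\r\n\r\nOK\r\n"
WEAK_RESPONSE = "AT+CSQ\r\n+CSQ: 7,99\r\n\r\nOK\r\n"
UNKNOWN_RESPONSE = "AT+CSQ\r\n+CSQ: 99,99\r\n\r\nOK\r\n"


def csq_to_dbm(rssi):
    """Map the 0..31 <rssi> value of +CSQ (3GPP TS 27.007) to dBm.

    0 means -113 dBm or less, 31 means -51 dBm or more, 99 means not known.
    Values in between step 2 dBm, so dBm = -113 + 2 * rssi.
    """
    if rssi == 99:
        return None
    if not 0 <= rssi <= 31:
        raise ValueError(f"rssi {rssi} outside the +CSQ range")
    return -113 + 2 * rssi


def quality_label(dbm):
    """Coarse label; the thresholds are a rule of thumb, not a standard."""
    if dbm is None:
        return "unknown"
    if dbm >= -70:
        return "excellent"
    if dbm >= -85:
        return "good"
    if dbm >= -100:
        return "fair"
    return "poor"


def parse_csq(response):
    """Turn the raw AT+CSQ response text into rssi, ber, dBm and a label."""
    m = CSQ_RE.search(response)
    if not m:
        raise ValueError("no +CSQ line in response")
    rssi, ber = int(m.group(1)), int(m.group(2))
    dbm = csq_to_dbm(rssi)
    return {"rssi": rssi, "ber": ber, "dbm": dbm, "label": quality_label(dbm)}


if __name__ == "__main__":
    for resp in (GOOD_RESPONSE, WEAK_RESPONSE, UNKNOWN_RESPONSE):
        print(parse_csq(resp))
```

A reported value of 24 is -65 dBm, 7 is -99 dBm, and 99 (or a <ber> of 99) simply means the modem has no reading yet, which is worth treating separately from a genuinely weak signal when graphing.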
#13
Hello Mattia,

I recently dived into the world of 4G as my fiber isn't being delivered for the next few months and I was struggling with working from home full-time over an 8/1Mbit ADSL connection.

I went with a Huawei E3372h USB modem in PPP mode. I had to flash the stick from router firmware 22.x to Modem firmware 21.x which took me about an hour all together.

There are basically two types of modems supported by FreeBSD in general without special drivers: PPP modems and NDIS modems. I however discovered that modems in NDIS mode are NOT supported by OpnSense (although they are in many other *BSD based distros).

I know it does not answer your question, but hopefully it gives you some insights. I manage speeds of 80-90Mbit download and 12Mbit upload over the USB drive in a USB3 slot.
#14
Hardware and Performance / Opnsense NDIS support
March 24, 2020, 05:40:49 PM
Hello,

I've been configuring my new Opnsense router at home and want to add 4G capabilities to it. I have a Huawei E3372h flashed to stick mode and have it working with PPP. PPP mode however does not attain the maximum 4G speed, and NDIS mode is recommended for this. In PFSense (don't want to swear) or other FreeBSD distributions the stick is recognized with the two ports (NDIS and PPP) and after that the NDIS network card is recognized:
Mar 24 16:32:01 pfSense kernel: ugen0.3: <HUAWEIMOBILE HUAWEIMOBILE> at usbus0
Mar 24 16:32:01 pfSense kernel: u3g0 on uhub0
Mar 24 16:32:01 pfSense kernel: u3g0: <HUAWEIMOBILE HUAWEIMOBILE, class 0/0, rev 2.10/1.02, addr 2> on usbus0
Mar 24 16:32:01 pfSense kernel: u3g0: Found 2 ports.
Mar 24 16:32:01 pfSense kernel: cdce0 on uhub0
Mar 24 16:32:01 pfSense kernel: cdce0: <NCM Network Control Model> on usbus0
Mar 24 16:32:01 pfSense kernel: cdce0: faking MAC address
Mar 24 16:32:01 pfSense kernel: ue0: <USB Ethernet> on cdce0
Mar 24 16:32:01 pfSense kernel: ue0: Ethernet address: 2a:d0:7c:ff:7f:00


After that you can initialize it with a single AT string to set the APN (AT commands are terminated with a carriage return, so printf with \r\n is used rather than echo):
printf 'AT^NDISDUP=1,1,"live.vodafone.com"\r\n' > /dev/cuaU0.1

On Opnsense it seems there are no drivers available for the NDIS modem as the initialization looks like this (it detects the two ports, but no NDIS network card loaded):
Mar 24 16:56:12 OPNsense kernel: ugen0.3: <HUAWEIMOBILE HUAWEIMOBILE> at usbus0
Mar 24 16:56:12 OPNsense kernel: u3g0 on uhub0
Mar 24 16:56:12 OPNsense kernel: u3g0: <HUAWEIMOBILE HUAWEIMOBILE, class 0/0, rev 2.10/1.02, addr 2> on usbus0
Mar 24 16:56:12 OPNsense kernel: u3g0: Found 2 ports.


Would it be possible to include NDIS drivers in Opnsense as well and allow setting an init string for it in the GUI (even without this last part it would be amazing, as I can set it using a script or something)?
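The two kernel logs above differ in one observable way: on pfSense a cdce (NCM) driver and a ue0 USB Ethernet interface attach after the u3g serial ports, on OPNsense only the two serial ports appear. The script below is an added example, not code from OPNsense or the poster: it reads kernel messages and reports how the stick enumerated, which serial devices FreeBSD created for it (FreeBSD names u3g ports /dev/cuaU<unit>.<port>) and whether an NDIS/NCM network interface attached. It runs here over constructed copies of the two dmesg excerpts; on a live box the same function can be fed the output of dmesg. Since the enumeration mode is set by AT^SETPORT, the check is worth rerunning after changing the stick's mode.

```python
import re

# Constructed copies of the kernel messages quoted in the post above.
PFSENSE_DMESG = """\
Mar 24 16:32:01 pfSense kernel: ugen0.3: <HUAWEIMOBILE HUAWEIMOBILE> at usbus0
Mar 24 16:32:01 pfSense kernel: u3g0 on uhub0
Mar 24 16:32:01 pfSense kernel: u3g0: <HUAWEIMOBILE HUAWEIMOBILE, class 0/0, rev 2.10/1.02, addr 2> on usbus0
Mar 24 16:32:01 pfSense kernel: u3g0: Found 2 ports.
Mar 24 16:32:01 pfSense kernel: cdce0 on uhub0
Mar 24 16:32:01 pfSense kernel: cdce0: <NCM Network Control Model> on usbus0
Mar 24 16:32:01 pfSense kernel: cdce0: faking MAC address
Mar 24 16:32:01 pfSense kernel: ue0: <USB Ethernet> on cdce0
Mar 24 16:32:01 pfSense kernel: ue0: Ethernet address: 2a:d0:7c:ff:7f:00
"""

OPNSENSE_DMESG = """\
Mar 24 16:56:12 OPNsense kernel: ugen0.3: <HUAWEIMOBILE HUAWEIMOBILE> at usbus0
Mar 24 16:56:12 OPNsense kernel: u3g0 on uhub0
Mar 24 16:56:12 OPNsense kernel: u3g0: <HUAWEIMOBILE HUAWEIMOBILE, class 0/0, rev 2.10/1.02, addr 2> on usbus0
Mar 24 16:56:12 OPNsense kernel: u3g0: Found 2 ports.
"""

U3G_PORTS_RE = re.compile(r"\b(u3g(\d+)): Found (\d+) ports")
CDCE_RE = re.compile(r"\b(cdce\d+): <([^>]+)> on usbus")
UE_RE = re.compile(r"\b(ue\d+): <USB Ethernet> on (cdce\d+)")


def probe_modem(dmesg):
    """Work out from kernel messages how a USB modem enumerated.

    Returns the serial devices FreeBSD created for the u3g ports
    (/dev/cuaU<unit>.<port>), the NDIS/NCM driver and interface if any,
    and a mode: 'ndis' when a network interface attached, 'ppp-only' when
    only serial ports did, 'none' when no modem driver attached at all.
    """
    result = {"serial_devs": [], "ndis_driver": None, "ndis_iface": None, "mode": "none"}
    for line in dmesg.splitlines():
        m = U3G_PORTS_RE.search(line)
        if m:
            unit, nports = int(m.group(2)), int(m.group(3))
            result["serial_devs"] = [f"/dev/cuaU{unit}.{p}" for p in range(nports)]
            continue
        m = CDCE_RE.search(line)
        if m:
            result["ndis_driver"] = f"{m.group(1)} ({m.group(2)})"
            continue
        m = UE_RE.search(line)
        if m:
            result["ndis_iface"] = m.group(1)
    if result["ndis_iface"]:
        result["mode"] = "ndis"
    elif result["serial_devs"]:
        result["mode"] = "ppp-only"
    return result


if __name__ == "__main__":
    print("pfSense: ", probe_modem(PFSENSE_DMESG))
    print("OPNsense:", probe_modem(OPNSENSE_DMESG))
```

For the pfSense excerpt the result is mode 'ndis' with ue0 on cdce0 and serial devices /dev/cuaU0.0 and /dev/cuaU0.1; for the OPNsense excerpt it is 'ppp-only' with the same two serial devices, which is the situation the post describes.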