Messages

1

General Discussion / Re: Quality reporting

« on: November 09, 2020, 10:16:42 am »

Never mind, I figured it out myself. Just for anybody else searching for this, it stands for 'standard deviation' and is a reflection of the deviation from the standard baseline on latency (and possibly also packet loss).

Pretty self explanatory once you know what stddev stands for 

2

General Discussion / Quality reporting

« on: November 09, 2020, 09:41:59 am »

Hello,

my girlfriend has been complaining about work connections sometimes getting disrupted, while I have no issues (except for once). I have been looking at the graphs in OpnSense and have a question about the stddev in the graph, what does this tell me? It is unclear to me. Loss and latency are pretty clear, but stddev is also not mentioned in the documentation.

3

20.1 Legacy Series / Re: Suricata not doing anything on VMXNET3 interfaces

« on: August 01, 2020, 10:19:16 am »

So in the end I decided to upgrade to OpnSense 20.7 which solved the problem of not detecting anything. It did introduce another issue, which is that as soon as I enable IPS mode OpnSense crashes (but alerting is fine with me).

4

20.1 Legacy Series / Re: Suricata not doing anything on VMXNET3 interfaces

« on: July 31, 2020, 10:28:05 am »

IPS mode enabled?

See my original post:

I tried with IPS mode on and off

5

20.1 Legacy Series / Suricata not doing anything on VMXNET3 interfaces

« on: July 31, 2020, 01:45:33 am »

Hello, I am running OPNsense 20.1.9 on VMWare ESXi 6.7. All my interfaces are VMXNET3 interfaces, with which I am very happily can achieve perfect gigabit network speeds.

I wanted to give IDS a shot, and enabled Suricata according to the guidance:

• disabled offloading (and rebooted)
• enabled IDS/Suricata
• selected my WAN and LAN interface
• Selected a bunch of rules for downloading
• enabled the rules (including OPNsense test rule for Eicar)
• Checked the log file which to me looks all good (see below)

Unfortunately I am still able to download the eicar virus, and there are no alerts logged or packets dropped (eicar test rule is set to drop). I tried with all different pattern matchers, I tried promiscious mode, I tried with IPS mode on and off, but nothing helps. It just wont match any rules as if it is not looking at any traffic.

After reading a bit about this, I am thinking it might be the VMXNET3 interfaces, but would like your experiences with these and see if I missed anything. Below my logfile.

Code: [Select]

2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0+':  pkts: 32259, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx0':  pkts: 143337, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1+':  pkts: 195350, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Stats for 'vmx1':  pkts: 97232, drop: 0 (0.00%), invalid chksum: 0
2020-07-31T01:26:25 suricata: [100182] <Notice> -- Signal Received.  Stopping engine.
2020-07-31T01:24:07 suricata: [100182] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 2 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2011544 and 3 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
2020-07-31T01:23:59 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
2020-07-31T01:23:53 suricata: [100182] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-07-31T01:23:53 suricata: [100243] <Notice> -- This is Suricata version 4.1.8 RELEASE


6

20.1 Legacy Series / Re: 4G Connection Strength

« on: April 23, 2020, 11:46:18 am »

Hey, I have flashed my modem using this guide: http://blog.asiantuntijakaveri.fi/2015/07/convert-huawei-e3372h-153-from.html

I have the SETPORT to AT^SETPORT="FF;12,10,16" as in Opnsense you need to use the PPP device and can't use the NDIS modem provided by the stick (don't know why, it is available in PFSense).

7

Hardware and Performance / Re: Opnsense NDIS support

« on: April 23, 2020, 11:39:25 am »

Try to connect to the modem using command below. Make sure you replace x.x with the port the modem is listening on.

Code: [Select]

cu /dev/cuaUx.x
and get the mode using

Code: [Select]

AT^SETPORT?
There might be a different mode set in the device.

8

Hardware and Performance / Re: Recomended 4G PCIe modems

« on: April 23, 2020, 11:35:20 am »

Hey Mattia,

sorry for taking so long to respond. Did you manage to get it to work? I used this guide: http://blog.asiantuntijakaveri.fi/2015/07/convert-huawei-e3372h-153-from.html

It worked pretty well for me. Also make sure you use the correct port on the stick. Depending on the mode you have set it to, you got one or more ports.

9

20.1 Legacy Series / Re: Multi-wan, default gw, traffic from this firewall

« on: March 29, 2020, 12:45:54 pm »

I guess what you could do, although it isn't the prettiest, is either use two different mDNS services - or see if your mDNS provider has multiple IP adresses that you could use, and add a static route for each IP tied to the interface that is using that service/IP endpoint.

10

20.1 Legacy Series / Re: What's the point of linking users to certificates for OpenVPN?

« on: March 29, 2020, 12:43:31 pm »

I think the option you are looking for is: Strict User/CN Matching

I think he mentioned explicitly that he is not looking for that and is aware of that feature 

What he wants to know is what is the value of linking certificates to users when not enabling this feature. My 2 cents; it probably does not provide any value except for administrative purposes and the ability to enable the strict linking.

11

20.1 Legacy Series / Re: Help with modem

« on: March 29, 2020, 12:29:35 pm »

Hey Markus,

does it expose any serial ports on the system? You can find out by running

Code: [Select]

ls /dev/cuaU*
In turn you should be able to use these ports as PPP devices. If there are no serial ports, try to see if you can find any documentation from the vendor that might let you change the mode of the device.

If there is a serial port; try if it accepts AT commands using

Code: [Select]

cu -l /dev/cuaU0.0 and replace 0.0 by whatever port is created on your system. There is also some documentation of setting up a 4G modem as PPP device https://wiki.opnsense.org/manual/how-tos/cellular.html.

12

20.1 Legacy Series / Re: 4G Connection Strength

« on: March 29, 2020, 12:10:00 pm »

Hello Pfirepfox,

I spent the last few days setting up 4G on my OpnSense machine. There is built-in signal strength metering available (at least with my Huawei E3372h USB 4G modem). Signal strength in the real world is measured using RSSI. If you go to Reporting -> Health there should be a tab called Cellular which shows a graph of the RSSI.

RSSI shown is using the scale that is retrieved using AT commands to the modem. These are not the absolute RSSI numbers. For an overview of RSSI values see https://m2msupport.net/m2msupport/atcsq-signal-quality/

Hope this helps.

13

Hardware and Performance / Re: Recomended 4G PCIe modems

« on: March 29, 2020, 12:02:50 pm »

Hello Mattia,

I recently dived into the world of 4G as my fiber isn't being delivered for the next few months and I was struggling with working from home full-time over an 8/1Mbit ADSL connection.

I went with a Huawei E3372h USB modem in PPP mode. I had to flash the stick from router firmware 22.x to Modem firmware 21.x which took me about an hour all together.

There are basically two types of modems supported by FreeBSD in general without special drivers; PPP modems and NDIS modems. I however discovered that modems in NDIS mode are NOT supported by OpnSense (although they are in many other *BSD based distro's).

I know it does not answer your question, but hopefully it gives you some insights. I manage speeds of 80-90Mbit download and 12Mbit upload over the USB drive in an USB3 slot.

14

Hardware and Performance / Opnsense NDIS support

« on: March 24, 2020, 05:40:49 pm »

Hello,

I've spent configuring my new Opnsense router at home and want to add 4G capabilities to it. I have a Huawei E3372h flashed to stick mode and have it working with PPP. PPP mode however does not attain the maximum 4G speed, and NDIS mode is recommended for this. In PFSense (don't want to swear) or other FreeBSD distributions the stick is recognized with the two ports (NDIS and PPP) and after that the NDIS network card is recognized:

Code: [Select]

Mar 24 16:32:01 pfSense kernel: ugen0.3: <HUAWEIMOBILE HUAWEIMOBILE> at usbus0
Mar 24 16:32:01 pfSense kernel: u3g0 on uhub0
Mar 24 16:32:01 pfSense kernel: u3g0: <HUAWEIMOBILE HUAWEIMOBILE, class 0/0, rev 2.10/1.02, addr 2> on usbus0
Mar 24 16:32:01 pfSense kernel: u3g0: Found 2 ports.
Mar 24 16:32:01 pfSense kernel: cdce0 on uhub0
Mar 24 16:32:01 pfSense kernel: cdce0: <NCM Network Control Model> on usbus0
Mar 24 16:32:01 pfSense kernel: cdce0: faking MAC address
Mar 24 16:32:01 pfSense kernel: ue0: <USB Ethernet> on cdce0
Mar 24 16:32:01 pfSense kernel: ue0: Ethernet address: 2a:d0:7c:ff:7f:00

You can after that initialize it with a single AT string to set the APN:

Code: [Select]

echo 'AT ^ NDISDUP = 1,1, "live.vodafone.com"' > /dev/cuaU0.1
On Opnsense it seems there are no drivers available for the NDIS modem as the initialization looks like this (it detects the two ports, but no NDIS network card loaded):

Code: [Select]

Mar 24 16:56:12 OPNsense kernel: ugen0.3: <HUAWEIMOBILE HUAWEIMOBILE> at usbus0
Mar 24 16:56:12 OPNsense kernel: u3g0 on uhub0
Mar 24 16:56:12 OPNsense kernel: u3g0: <HUAWEIMOBILE HUAWEIMOBILE, class 0/0, rev 2.10/1.02, addr 2> on usbus0
Mar 24 16:56:12 OPNsense kernel: u3g0: Found 2 ports.

Would it be possible to include NDIS drivers in Opnsense as well and allow to set an init string for it in the GUI (even without this last part would be amazing as I can set it using a script or something)?