Messages - Trelleboy

#1
It's working fine now... one last thing I need to get running is the KillSwitch,

but it disconnects when I do these two rules:

1. Go to the tab of Firewall > Rules, Floating tab
2. Please set up a rule with these configurations:

Action: Pass
Disabled: unchecked
Quick: checked
Interface: WAN
Direction: out
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination port range: 1194-1194

Then below that rule:

Action: Reject
Disabled: unchecked
Quick: checked
Interface: WAN
Direction: out
Address Family: IPv4
Protocol: any
Source: any
Destination: any
Destination port range: any
#2
Yes, you are right... I have had many problems too. I will wait for updates.
#3
I have exactly the same issue with the NordVPN guide. The traffic is coming and you can ping... but website does not work.

I think NordVPN don't care - they say I will get an answer.

Did you figure this out? I even tried with a downgrade to 19.1 but same as 20.1.

Spent many hours with ::) No sense but maybe to the open sense...



#4
Well, now it's triggering the eicar text - BAM :-)

I have a bridge interface. The LAN option was making the system crash after 5 min - but choosing the interfaces one by one it's working: OPT1, OPT2, OPT3. But it's still the WAN that is blocking. Should I be happy now, because it should be the OPT that's blocked? Does it make "open" sense? ::)

2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T14:03:30.166112+0200   7999999   blocked   WAN   212.32.245.132   80   XXXXXXXX   43325   OPNsense test eicar virus   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Agent Detected (friendly-scanner)   
2020-04-08T13:47:05.100852+0200   2011716   blocked   WAN   45.143.220.214   36636   XXXXXXXX   5060   ET SCAN Sipvicious User-Age
#5
Quote from: AdSchellevis on March 30, 2020, 05:20:53 PM
you're welcome, reading our docs again, we probably should state more firmly why you shouldn't use a wan type interface if you're depending on nat.

I have been reading and I'm very confused... because everything is running but the TEST is not getting an alert...

I would really like some help to set this up in the right way...
#6
Quote from: chemlud on March 30, 2020, 04:10:53 PM
Here runing Suricata on opnsense on WAN and all LAN interfaces. No alerts on WAN, however, as seen frequently (tons of tbh) with Snort on WAN...

So you are running Snort and Suricata?
#7
I have discovered why the WAN interface practically showed no alerts/blocks. There is a note on the OPNsense documentation page for intrusion detection which states that if you are using NAT, which most home users will be doing, you need to add the WAN interface IP address to the list in the "Home network" section of the intrusion detection settings page. You will need to click the "Advanced" button at the top of the page to see this configuration option. It should already have all private IP address space included.

Simply add your WAN IP address. If your WAN address changes, this will need to be updated. It may be possible to use a dynamic DNS service and put the hostname in the list. I do not know if hostnames are supported but it is quite possible it will work. I have found that hostnames will work in places where IP addresses can be entered (like firewall rules and aliases).

THAT works - but don't reboot :-)
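
The "Home network" point from post #7, as an added example that is not part of the original posts: a simplified Python model (not Suricata's own matching code) of the address test in a rule header of the form "$EXTERNAL_NET any -> $HOME_NET any". It assumes EXTERNAL_NET is defined as "not HOME_NET"; the WAN address 203.0.113.10 and the sample packets are constructed.

```python
import ipaddress

# The default list the post describes: all private (RFC 1918) address space.
DEFAULT_HOME_NET = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed placeholder for the public address on the WAN interface.
WAN_IP = "203.0.113.10"

# Constructed (src, dst) pairs as a sensor on WAN sees them, i.e. with the
# public address on the wire because NAT happens behind the capture point.
PACKETS = [
    ("198.51.100.7", WAN_IP),   # inbound probe from the internet
    ("192.0.2.50", WAN_IP),     # inbound reply to a LAN client's request
    (WAN_IP, "198.51.100.7"),   # outbound request after source NAT
]


def in_nets(addr, nets):
    """True if addr falls inside any of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def header_matches(src, dst, home_net):
    """Address part of '$EXTERNAL_NET any -> $HOME_NET any'.

    Assumption: EXTERNAL_NET is everything that is not in HOME_NET.
    """
    return (not in_nets(src, home_net)) and in_nets(dst, home_net)


def verdicts(packets, home_net):
    """One boolean per packet: could an inbound rule fire on it?"""
    return [header_matches(s, d, home_net) for s, d in packets]


if __name__ == "__main__":
    fixed = DEFAULT_HOME_NET + [WAN_IP + "/32"]
    for label, nets in (("default", DEFAULT_HOME_NET), ("with WAN IP", fixed)):
        print(label, verdicts(PACKETS, nets))
```

With the default list no packet seen on WAN has a destination inside HOME_NET, so inbound rules stay silent; once the WAN address is in the list the two inbound packets become candidates for a match.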
#8
Intrusion Detection and Prevention / IPS not working
March 29, 2020, 01:45:32 AM
Well, I can read there is a lot of confusion about Suricata. My X86 tells me that Proofpoint is running - but it's not. The other day it told me my VPN was running but it was not - but I will not accept not to have at least tried the IPS running.

Can anyone help me to get the IPS running? That's why I wanted the Open sense in the first place.

I'm running 20.1.3 on an X86 with a lot of power.

I have tried to test it with eicar, but it seems dead. I have removed all local networks and it's set to WAN.

One other thing is that telemetry is not autoupdating - but all the others are inside IPS.