Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - ReDaLeRt

Pages: [1]

22.7 Legacy Series / Re: Intel X520-DA2 producing Errors IN

« on: October 16, 2022, 08:33:20 am »

Have you tried the following settings?

Interfaces -> Settings -> Disable hardware checksum offload
Interfaces -> Settings -> Disable hardware TCP segmentation offload
Interfaces -> Settings -> Disable hardware large receive offload
Interfaces -> Settings -> Disable VLAN Hardware Filtering

Virtual private networks / Re: Wireguard Site-to-site with selective routing

« on: December 29, 2021, 10:03:13 pm »

The solution was adding a NAT outbound rule such as the the one attached.

Source address is the IP LAN range from the site "B".

Hardware and Performance / Re: J3445m vs Ryzen 2600

« on: December 29, 2021, 08:09:52 pm »

Consider managing the CPU through the BIOS configuration to achieve lower power consumption on idle for the Ryzen 2600 CPU.

Also, use powerd to force the CPU to lower clock speeds as much as possible. On my i5 4690k, its idle power consumption at the power plug is around 60W. The CPU load on my firewall usually is below 20%.

Hardware and Performance / Re: Poor routing speed on i5-7200U

« on: December 29, 2021, 08:01:04 pm »

Hello.

If you're using the intrusion detection service, turn it off for testing.

Also, set the following parameters to ensure no power management is messing with the CPU clock speed:

System -> Settings -> Miscellaneous -> Power Savings -> All to "Maximum" and "Use PowerD" ON.

Ensure both iperf3 server and client can handle the load on a switch first, rather testing straight from a router.

Repeat the tests with: iperf3 -c 10.0.2.200 -t 180 -P 8

For reference, I can manage 1 gigabit routing with IDS+IPS both enabled, on a i5-4690k, with > 50% CPU load on the 4 cores. So, consider upgrading the CPU from an under-powered and under-voltaged model to a more muscular one.

Best regards.

Virtual private networks / Re: Wireguard Site-to-site with selective routing

« on: December 28, 2021, 03:24:48 pm »

Additionally, I manage to capture a traceroute from a client on the B site, to the IP range 213.13.24.0/24:

Virtual private networks / Wireguard Site-to-site with selective routing

« on: December 28, 2021, 12:10:11 pm »

Hello.

My issue with selective routing is accessing a specific public ip range (213.13.24.0/24) from an Openwrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on the Site "B" as "allowed ips" to the tunnel, so that Site "B" could access it through the Site "A", it isn't working as expected:

Code: [Select]

tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments bellow.

A half workaround on the site B is to enable masquerading to get selective routing, but blocks site A to access site B:

Code: [Select]

uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

I'm hoping that someone could shed some light into this. :-)

Thanks.

Intrusion Detection and Prevention / Re: IPS in VLAN only environment

« on: October 06, 2021, 08:38:10 pm »

Quote from: Oliver on July 25, 2019, 09:46:12 pm

After some experimentation I was able to successfully run Suricata in IPS mode with local VLANs on OPNsense 19.7.

Hardware tested:
ZOTAC ZBOX PRO CI329 nano: Intel Celeron N4100, 2 x Realtek PCIe GBE (re), 8 GB RAM
Thomas Krenn LES v3: Intel Celeron N3160, 2 x Intel i211AT (igb), 4 GB RAM
Topology:
WAN: pppoe on igb1/re1
LAN on igb0/re0 (not used directly)
VLANS with LAN as parent (all internal hosts connect to one of the VLANs)
The primary problem I have experienced was the total loss of network connectivity (on all interfaces) when switching from IDS to IPS mode. Several workarounds posted elsewhere did not solve the problem but rather introduced new ones (cf. this posting).

It turned out that the most important setting change to avoid total loss of network connectivity was:
In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering
Other configuration details:

Services > Intrusion Detection > Administration - Settings (in advanced mode):
Enabled: (checked)
IPS mode: (checked)
Promiscuous mode: (checked)
Pattern matcher: Hyperscan
Interfaces: LAN
Home networks: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
Log package payload: (checked)
(Other settings left at their defaults.)
I have downloaded and enabled all rules offered by OPNsense with actions set to Drop, except for ET emerging-policy (downloaded and enabled, but action unchanged). Some individual rules were then disabled as deemed necessary.

In the above setting, Suricata did block VLAN traffic and reported "SID 7999999: OPNsense test eicar virus" on the "Alert" tab when running this test on an internal Linux host (on a VLAN):

Code: [Select]
curl http://malware.wicar.org/data/eicar.com > /dev/null
So far everything seems to run pretty stable with a scheduled reboot every 24 hours.

This post should be fixed.

You saved my day!

Thanks, Oliver!

Virtual private networks / Re: [SOLVED] Wireguard selective routing

« on: September 19, 2021, 01:16:58 am »

Hello.

I'm sorry if this thread hijack would seem unproper.

My issue with selective routing is accessing a specific public ip range (213.13.24.0/24) from an Openwrt Site "B" connected site-to-site through an Opnsense Site "A".

Configuring that subnet range on the Site "B" as "allowed ips" to the tunnel, so that Site "B" could access it through the Site "A", it isn't working as expected:

Code: [Select]

tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The opnsense configuration is presented within the attachments bellow.

I'm hoping that someone could shed some light into this. :-)

Thanks.

General Discussion / Re: Backup: Nextcloud configuration

« on: October 16, 2020, 11:24:24 am »

Quote from: baqwas on August 01, 2020, 08:33:44 pm

Thx, @Fabian.

The error message on the page is:

The following input errors were detected: Saved settings, but remote backup failed.

There are two (I think, entries related to the attempt to setup the backup to Nextcloud:
Settings in JSON format
"Cannot get real username"

(...)

This is still an issue for me on OPNsense 20.7.3 and Nextcloud 19.0.4.

Code: [Select]


2020-10-16T10:15:55	config[31428]	{"url":"https:\/\/192.168.10.67:443\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":1,"redirect_count":0,"total_time":0.022022,"namelookup_time":6.4e-5,"connect_time":0.000381,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.10.67","certinfo":[],"primary_port":443,"local_ip":"192.168.10.1","local_port":33230,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":381,"namelookup_time_us":64,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":22022}
2020-10-16T10:15:55	config[31428]	Cannot get real username

Pages: [1]