Messages - akanarya

#1
21.7 Legacy Series / attached file size problem
August 26, 2021, 04:44:15 PM
Hi,

I have a High Availability setup with 2 opnsense nodes, which are directly connected to a Draytek VDSL router.
My opnsenses are at the latest version.
I have been struggling with this problem for a long time, so I had to disable packet filtering to work on my other tasks. Now I want to give it one more try.
In fact it was difficult for me to find out what is happening, but at last I know the problem but don't know the solution.
Problem: when I try to send an email with an attachment, or sync Dropbox, or get WhatsApp images from my desktop inside the LAN, I cannot send, sync or get the files if they are bigger than a certain size.
I measured it before but don't know the exact number right now; it should be about 45 kilobytes.
There is nothing blocking in the firewall log.

If I disable packet filtering everything works fine.
I did lots of things which I don't remember now, but a few of them:
changed the rules' state types from keep to sloppy.
Disabled interface scrub under normalisation.

If I don't resolve the issue this time I will shut packet filtering off forever and will only use the opnsense boxes for
other purposes (NTP, proxy etc.), which I would not prefer.

Regards,
#2
High availability / Outbound NAT
March 27, 2021, 09:16:08 AM
Hi,

I have a working HA setup.
From the tutorials I had implemented "Manual outbound NAT rule" with the virtual interface IP on both opnsense machines.

Now there is a different demand.
I want to "Disable outbound NAT rule generation (outbound NAT is disabled)".
Is there a problem with doing this in the scope of HA?

Thanks,
#3
21.1 Legacy Series / Re: alienvault ossim
March 27, 2021, 09:10:59 AM
There is an option for the eve log, but only for suricata.
And unfortunately that doesn't work for suricata either; there should be a bug in the plugin according to my searches.
#4
21.1 Legacy Series / Re: alienvault ossim
March 19, 2021, 10:37:31 PM
It is also an option, but there are lots of plugins in ossim and much fewer SIEM solutions for opnsense.
So I thought it is more likely to find the answer here.
I searched there before asking here, but there is no opnsense plugin there.
There is just a suricata option AFAIK.
Maybe there is someone here who has had experience with it.
#5
21.1 Legacy Series / Re: alienvault ossim
March 19, 2021, 07:49:59 AM
Quote from: mimugmail on March 19, 2021, 06:11:54 AM
Where did you find a Plugin for ossim?
I think there is a misunderstanding.
There is no ossim plugin in opnsense, or I don't know of one. Logs are sent via the opnsense remote logging menu.
I am looking for an opnsense plugin in ossim.
#6
21.1 Legacy Series / alienvault ossim
March 18, 2021, 09:54:42 PM
Hi,
Does anyone have an alienvault ossim plugin for opnsense?
Or how can I integrate opnsense logs with alienvault ossim?
I forwarded the logs via the "System: Settings: Logging / targets" menu.
I could just see the syslog plugin in ossim, but the log results are kind of meaningless.
Thanks,
#7
Thanks for your tutorial, I applied it and it worked successfully.
I added an "alert" rule to my custom.rules.
When I change its action to "drop" from "alert" via the Opnsense GUI, it doesn't drop the related packets.
It continues passing.
What am I missing?

EDIT:
Ok I got it, the custom rule should be enabled in the policy; after that, drop worked.
#8
Intrusion Detection and Prevention / syn flood
February 02, 2021, 04:25:59 PM
Hi,
I am experimenting with suricata against a syn flood.
I observed that it could discard certain floods, but interestingly there is no alert on the IDS alert screen.
I am sure that the IDS blocked them, because when I disable the IDS, the packets arrive at the client.
No other parameters were changed.

My opnsense is at the latest version and I am only using the ET Pro telemetry rules, not others.
Only the attack on port 22 gives an "SSH scan" alert.
What is the reason for there being no alert?
Thanks
#9
20.7 Legacy Series / cascaded firewall clusters
January 26, 2021, 10:03:15 AM
Hi,

I have 2 opnsense HA clusters: FW1&FW2 as one group (A) and FW3&FW4 as one group (B)

When I connect the groups directly to the modem they can reach the internet without any problem.
However, if I put group B behind group A so that group B's internet traffic goes through group A,
my modem (Draytek) classifies the gr B virtual MAC as an "ARP spoofing attack" and blocks it.

Btw, on the WAN interface of gr B, I disabled "block private networks", since the gr B WAN interface is connected to the gr A LAN interface.

Client --> (LAN - Gr B - WAN) ---> (LAN - Gr A - WAN) ---> Modem

What do you think? Can it be a NAT issue, which was tailored for HA?
I couldn't understand the reason; any help is appreciated.
Ali
#10
High availability / Semi active configuration
January 08, 2021, 10:00:27 AM
Hi,
I am experimenting with opnsense's capabilities while rebuilding the network design of my business.
Firstly, thanks to the developers and the contributors.

My question:
I have 2 different-purpose opnsense firewalls with IDS/IPS enabled.
I want to do high availability between them.
I will merge the configurations and policies on both firewalls to make them identical.

** However, I want to use both of them in active mode.

Say:
For each firewall, there will be 2 pairs of LAN<>WAN connections.
Under normal conditions:
At FW1; LAN1<>WAN1 will be active, LAN2<>WAN2 will be passive
At FW2; LAN1<>WAN1 will be passive, LAN2<>WAN2 will be active

If FW1 fails, LAN1<>WAN1 will be active at FW2
If FW2 fails, LAN2<>WAN2 will be active at FW1

Is this configuration possible?
Thanks
Ali