Messages - akanarya

1
21.7 Legacy Series / attached file size problem
« on: August 26, 2021, 04:44:15 pm »
Hi,

I have a High Availability setup with 2 OPNsense nodes, which are directly connected to a Draytek VDSL router.
My OPNsense nodes are at the latest version.
I have been struggling with this problem for a long time, so I have to disable packet filtering to work on my other tasks. Now I want to give it one more try.
In fact it was difficult for me to find out what is happening, but at last I know the problem but don't know the solution.
Problem: when I try to send an email with an attachment, or sync Dropbox, or get WhatsApp images from my desktop inside the LAN, I cannot send, sync or get the files if they are bigger than a certain size.
I measured it before but don't know the exact number for now, but it should be about 45 kilobytes.
There is nothing blocked in the firewall log.

If I disable packet filtering everything works fine.
I did lots of things which I don't remember now, but a few things:
Changed the rules' state type from keep to sloppy.
Disabled interface scrub from normalisation.

If I don't resolve the issue again I will shut the packet filtering off forever and I will only use the OPNsense boxes for
other uses: NTP, proxy, etc., which I wouldn't prefer.

Regards,

2
High availability / Outbound NAT
« on: March 27, 2021, 09:16:08 am »
Hi,

I have a working HA setup.
From the tutorials I had implemented a "Manual outbound NAT rule" with the virtual interface IP on both OPNsense machines.

Now there is a different demand.
I want to "Disable outbound NAT rule generation (outbound NAT is disabled)".
Is there a problem with doing this in the scope of HA?

Thanks,

3
21.1 Legacy Series / Re: alienvault ossim
« on: March 27, 2021, 09:10:59 am »
There is an option for eve log, but only for Suricata.
And unfortunately that doesn't work for Suricata either; there should be a bug in the plugin according to my searches.

4
21.1 Legacy Series / Re: alienvault ossim
« on: March 19, 2021, 10:37:31 pm »
It is also an option, but there are lots of plugins in OSSIM but much fewer SIEM solutions for OPNsense.
So I thought it is more likely to find the answer here.
I searched there before asking here, but there is no OPNsense plugin there.
There is just a Suricata option, afaik.
Maybe there is someone here who has had experience.

5
21.1 Legacy Series / Re: alienvault ossim
« on: March 19, 2021, 07:49:59 am »
Quote from: mimugmail on March 19, 2021, 06:11:54 am
Where did you find a Plugin for ossim?
I think there is a misunderstanding.
There is no OSSIM plugin in OPNsense, or I don't know of one. Logs are sent via the OPNsense remote logging menu.
I am looking for an OPNsense plugin in OSSIM.

6
21.1 Legacy Series / alienvault ossim
« on: March 18, 2021, 09:54:42 pm »
Hi,
Does anyone have an AlienVault OSSIM plugin for OPNsense?
Or how can I integrate OPNsense logs with AlienVault OSSIM?
I forwarded the logs via the "System: Settings: Logging / targets" menu.
I could just see the syslog plugin in OSSIM, but the log results are kind of meaningless.
Thanks,

7
Tutorials and FAQs / Re: [Tutorial] Adding custom rules to Intrusion Detection
« on: February 04, 2021, 10:31:31 am »
Thanks for your tutorial, I applied it and it worked successfully.
I added an "alert" rule to my custom.rule.
When I change its action to "drop" from "alert" via the OPNsense GUI, it doesn't drop the related packets.
It continues passing.
What am I missing?

EDIT:
OK, I got it: the custom rule should be enabled in the policy; after that, drop worked.

8
Intrusion Detection and Prevention / syn flood
« on: February 02, 2021, 04:25:59 pm »
Hi,
I am experimenting with Suricata and a SYN flood.
I observed that it could discard certain floods, but interestingly there is no alert on the IDS alert screen.
I am sure that the IDS blocked them, because when I disable the IDS, packets arrive at the client.
No other parameters were changed.

My OPNsense is at the latest version and I am only using ET Pro telemetry rules, not others.
Only an attack on port 22 gives an "SSH scan" alert.
What is the reason for no alert?
Thanks

9
20.7 Legacy Series / cascaded firewall clusters
« on: January 26, 2021, 10:03:15 am »
Hi,

I have 2 OPNsense HA clusters: FW1 & FW2 as one group (A) and FW3 & FW4 as one group (B).

When I connect the groups directly to the modem they can reach the internet without any problem.
However, if I put group B behind group A so that group B's internet traffic goes through group A,
my modem (Draytek) classifies the gr B virtual MAC as an "ARP spoofing attack" and blocks it.

Btw, on the WAN interface of gr B, I disabled "block private networks", since the gr B WAN interface is connected to the gr A LAN interface.

Client --> (LAN - Gr B - WAN) ---> (LAN - Gr A - WAN) ---> Modem

What do you think? Can it be a NAT issue, which was tailored for HA?
I couldn't understand the reason; any help is appreciated.
Ali

10
High availability / Semi active configuration
« on: January 08, 2021, 10:00:27 am »
Hi,
I am experimenting with OPNsense capability while rebuilding the network design of my business.
Firstly, thanks to the developers and the contributors.

My question:
I have 2 different-purpose OPNsense firewalls with IDS/IPS enabled.
I want to do high availability between them.
I will merge configurations and policies in both firewalls to make them identical.

** However, I want to use both of them in active mode.

Say:
For each firewall, there will be 2 pairs of LAN<>WAN connections.
Under normal conditions:
At FW1; LAN1<>WAN1 will be active, LAN2<>WAN2 will be passive
At FW2; LAN1<>WAN1 will be passive, LAN2<>WAN2 will be active

If FW1 fails, LAN1<>WAN1 will be active at FW2
If FW2 fails, LAN2<>WAN2 will be active at FW1

Is this configuration possible?
Thanks
Ali




