OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of scot »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - scot

Pages: [1]
1
General Discussion / Re: UDP Broadcast Relay
« on: March 06, 2024, 04:57:13 am »
I got this working after several failed attempts over the years (mostly with igmp proxy). But with UDP Broadcast realay it was pretty simple.

For my config there is an assumption or two

1. Devices on my "trusted" vlan can speak to the IOT vlan (but not the reverse by default) though the primary allow any any rule. The only outbound blocks it to a guest vlan.

https://imgur.com/DFy4cs1

2. Devices on the IOT vlan have a rule right above this specifically restricting access by default to all other vlans (with a few specific exceptions for things like DNS).

So for the setup.

First the UDP relay. I left the source addresses blank. Theres no NAT here. Which is really the main reason i could maybe see to need to spoof the source interface

https://imgur.com/rguquhN

THen when looking at the live view of the firewall on the IOT interface i noticed the drops to the specific devices...like my iphone.

Example: https://imgur.com/Rcpnyf4

So i whipped up a rule on that interface (or 2)

https://imgur.com/jeBAsBz

Airplay works. The roku app works as well. Private listening kinda always worked but i had to manually connect to the roku by typing the IP. Now its discoverable which is quite nice.






2
21.1 Legacy Series / Re: unable to login via ssh with non-root user
« on: April 15, 2021, 12:43:54 am »
So if you run

Code: [Select]
cat /etc/group | grep scott
What is the output

same for

Code: [Select]
cat /etc/group | grep testuser

Also is PasswordAuthentication set to yes or no in /usr/local/etc/ssh/sshd_config?

3
21.1 Legacy Series / Re: unable to login via ssh with non-root user
« on: April 14, 2021, 11:39:08 pm »
Is the shell listed next to the user account name in /etc/passwd
IE:

Code: [Select]
cat /etc/passwd | grep username

username:*:uid:gid::/home/username:/bin/sh
And similar in /etc/group

Code: [Select]
cat /etc/group | grep username

groupname:*:gid:username1,username2

I just changed my user to use /bin/csh over /bin/sh. It still works. FWIW i am on 21.1.4 OpenSSL as of today. 21.1.3_3 previously. Orignally installed/upgrade from 20.7

4
Intrusion Detection and Prevention / Re: noob question on how to set suricata to drop mode
« on: April 14, 2021, 11:12:01 pm »
By default, with no policy, they should just alert.

My setup is fairly simple.

Setup a single policy.  ONLY set the following

Enabled: Checked
Priority: 0
Rulesets: Select any rulesets you want to drop
Action: Alert,Drop
New Action: Drop
Descriptions: whatever you want.


Rules section dont touch. Just leave it all defaults.

Save it/apply and it should reload suricata.


Note: for me, the best configuration in settings is also simple.

Enabled: checked
IPS mode: Checked
Promiscuous mode: Checked (Note: Im running VLANS)
Syslog options: unchecked..dont need em
Pattern Matcher: Your call, Aho and Hyperscan have worked about the same for me
Interfaces: LAN ONLY

(note the help section: Select interface(s) to use. When enabling IPS, only use physical interfaces here (no vlans etc).)

Tick Advanced Mode: Home Networks: Add in my VLAN CIDR's i want to monitor

Defaults the rest of the way.


Selecting multiple interfaces was an issue for me with no benefit..

1. It spun up multiple threads inspecting the same traffic multiple times since the interface is already promiscuoud, so it increased load with no real help, if anything i saw multiple alerts.
2. Home net defines what you are alerting on. So even with VLAN's i get the same hits with promiscuous turned on.

Finally. I see no point in monitoring WAN. I dont use Sensei, so promisicous mode isnt a contention point and why inspect traffic before it hits the firewall. I really only want to protect against stuff that gets through or is egressing.

This was a change from how I adminstered Snort, so i felt it was worth noting.

5
21.1 Legacy Series / Re: unable to login via ssh with non-root user
« on: April 14, 2021, 11:00:10 pm »
That is normal. Should not affect anything.

Just make sure the account in question that you setup is correct.

To recap

Create a user account. Create a group account (ie: sshaccess)

Edit user account to have a shell (personally i just use /bin/sh). Add user to group in same page. Add the authorized key if you have one.

Go to System>Settings>Administration>Secure Shell

set the access to wheel,sshaccess

If you arent using key authentication (you should). Check the box to allow password logins. Save.

6
21.1 Legacy Series / Re: unable to login via ssh with non-root user
« on: April 14, 2021, 05:52:30 pm »
Did you set a login group in System>Settings>Administration>Secure Shell.

Create a group, add the user to the group and allow that and wheel to login.

Alternatively you can use the admins group, and just set Wheel,Admins

7
Hardware and Performance / Re: Routing between VLANs: how fast Atom C3558 can push?
« on: March 25, 2021, 03:25:35 am »
Cant speak to the atom directly. But i have a Celeron J1900 which is...similar if not slightly more performant.

http://cpuboss.com/cpus/Intel-Celeron-J1900-vs-Intel-Atom-C2558

My network can run gigabit non-routed without issue. aka switches arent an issue.

Pure routing mine does ~500-550 Mbits/s on standard iperf test (theres other streams routing while i run this test...maybe 15-30 Mbps). Both with and without -d (dual)

note: sorry for the external link, i dont know how to attach images inline here.

https://imgur.com/a/LxEVhhz

Throw Suricata in the mix and I'm closer to 130 inter-vlan as it inspects the traffic both ingress and egress.

https://imgur.com/a/XgS6ZIm

Though i can push my ISP tier (240 Mbps) across the WAN (where Suricata is only inspecting the traffic once)

Ultimately WAN is all I care about. Anything I want faster than 130 Mbps I'll stick on my main LAN.

8
Intrusion Detection and Prevention / Re: Policy Suricata not working
« on: March 24, 2021, 02:14:30 pm »
Quote
The Easiest I've found for basic policy layout is:
Download - Enable list you want
Policy - Policy 0 - Select lists you like to drop with.  Action:  Alert/Drop (both are selected) , New Action - drop
Policy - Policy 1 - No selected lists (all) - Action alert , New action - Default
Back to download rules - select all of them - download and apply
Settings - Apply

I actually do one easier.


Download - Enable list you want
Policy - Policy 0 - Select lists you like to drop with.  Action:  Alert , New Action - drop
Back to download rules - select all of them - download and apply (note: with snort rules, i had to run this twice the first time....possibly a timeout on the initial fetch)
Settings - Apply

The defaults seem to be set to "alert". So you shouldn't need a policy set for this. I have noticed multiple policies can have a direct impact on performance (though i have been onboarding and tweaking settings a ton and it may have been some of the other settings. I need to test policy layers specifically.)


And as I add new rulesets (assuming they haven't been previously selected in that policy) they will default to alert. When im ready to move them to drop i just edit the policy and select the rulesets/lists and hit apply.

You can generally verify in the rules tab using filters

action/alert and status/enabled

or

action/drop and status/enabled


Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2