Messages

1

General Discussion / Re: Parent interfaces: Assignment: Yes or No? Enabled/Disabled? IDS/IPS

« on: November 19, 2024, 03:50:32 pm »

*bump*

anyone? I would like to understand what kind of (security) implications this could have

2

German - Deutsch / Präferiertes GPON für Telekom FTTH

« on: November 19, 2024, 03:45:12 pm »

Hi allerseits,

was ist derzeit das beste GPON SFP für einen Telekomanschluss? Huawei schließe ich allerdings aus.

Meine Protectli 6630 unterstützt allerdings nur 1 oder 10gbit. Bei 10GBit scheint die Telekom anscheinend noch mal eine andere Technik einzusetzen. Von daher kann ich schätzungsweise bei nem 1Gbit SFP bleiben.


Nebenher habe ich Bauchschmerzen, dass die Dinger mit ner/nem CLI/Webinterface und IP daherkommen. Kann man das komplett ausschalten? Habe keine Intention, dass der ISP da selbst drauf rumspielen kann.

Und noch was: Kann mir jemand erklären wie die Telekom in die Wohnungen kommt? Also was dort genau endet? Ich gehe davon aus, dass ein Verteiler hier in die Garage kommt, von da geht es in die Wohnungen. Aber was kommt hier an? Will den fibre link direkt an der FW haben.

lg

fastboot

3

General Discussion / Re: Feedback requested: Network design, moving away from pfSense

« on: November 13, 2024, 01:29:57 pm »

Hi.


Seems you took some time to think about it. I would say you take the things serious

Either way the topology looks quite fine for me.

I am a little unsure what Domotica is. A search revealed it's some kind of home automation. I have a similar setup, but smaller. Like for instance with the UPS. I just want to protect the server. Because if the lights go out on the streets, either way internet is not working anymore.
What I don't understand is, why you want a physical connection for this device to anywhere? Maybe I am just misinterpreting the layout?

Edit: I've also searched for the Qotom-Q750G5. From the Specs and putting this together with your Topology, I would assume its to low sized for your environment. I had a similar CPU before, in a way smaller setup. With some Services enabled like IPS, it was already maxed out under heavy load.

Maybe the others have more experience with this specfic device as I don't. But I would check for something more reliable with more power and even better support. I have a Protectli 6630. What I can say so far, the device is amazing and the support (EU) superb.
Additionaly I would try to get rid of the modem. I'm also waiting for the fibre link, that I can get rid of the DSL Modem to connect the internet directly to the FW.

4

General Discussion / Re: [SOLVED]Put dedicated LAN port in VLAN?

« on: November 13, 2024, 01:08:51 pm »

I followed this thread because I was in the process of migrating my router (ER-605) to OPNsense and the rest of my infrastructure is TP-link Omada devices.
I had also gotten that recommendation from Patrick about not mixing untagged and tagged on trunks (can't say I ever had issues before and unclear if I had a choice).

As of today, my VLAN 1 is unused. It still exists in Omada (no choice), but it's set for an IP range not handled by OPNsense. I ended up deleting the OPNsense LAN interface entirely, and all VLANs are parented off of the igcN device used on the LAN side. The Omada devices now are in their own management VLAN (that part was easier to setup with a router that is not Omada compatible!). I'll keep using the "All" profile (1 untagged, all VLANs tagged included) because it's the only one that's managed automatically when VLANs are added/deleted...

I was also thinking of this Omada switches. But I read I need to have some crappy app or even cloud to configure them. Definitely nothing for me. With my cheap TP-Link Switch I am forced to stick with VLAN 1. I guess sooner or later I'll switch either way to other hardware, that I can use the second fibre slot of my new FW.

What do you mean with "All" Profile? For my "not so" trusted networks, I changed as well now the PVID from 1 to something which is not in use. Just some random VLAN which is nowhere used. This way I can keep at least the trunk port clean where my other subnets belong to.

5

General Discussion / Re: I am having trouble with my DNS and NTP settings getting bypassed

« on: November 12, 2024, 12:23:50 pm »

I also do not get what you're talking about.


For DNS on the OPNsense: System - Settings - General:  Allow DNS server list to be overridden by DHCP/PPP on WAN  (UNCHECK)

For NTP and DNS on other interfaces: Allow DNS & NTP to the Interface which belongs to the Subnet and block everything else.


"My ISP router was destroyed due to the hijacking MITM"
Wondering how a ISP router should be destroyed though. Either way its compromised or not. But destroyed?

6

General Discussion / Parent interfaces: Assignment: Yes or No? Enabled/Disabled? IDS/IPS

« on: November 10, 2024, 09:39:50 pm »

Hi Folks,


so I come literally back to my own line of thoughts what kind of difference it makes if a parent interface is assigned or not. Anf if assigned should it be enabled or disabled.

My conclusion so far: I do not know.

1. I would like to understand technically what would be the difference if I assign a parent interface and have it enabled or disabled. Like what happens to the system. Is there anything ongoing on that interface? I know the VLANs are encapsulated, but how about the parent? What is the best practice?

2. How about IPS? Should the parent be assigned and enabled or disabled? If so, why? What is the best practice with this as well?

3. When using IPS and set promiscious mode in the Suricata config, is it still needed to do enable it on the parent or in the vlan config? Should the parent be used for IPS or the VLAN? Like mentioned, for some it works with the parent (likewise the doc mentioned) and for some it works via choosing the VLANs without the parent. I am a little lost with this.


Cheers

7

General Discussion / Re: Put dedicated LAN port in VLAN?

« on: November 10, 2024, 09:26:00 pm »

@Patrick Thanks again for kicking me in the right direction.

I tried at first to work with a backup and change the settings. But it completely failed. No idea why tbh. I changed the naming of the interfaces to the new firewall. Everything came up and ran, but I could not reach any hosts in the different subnets. For what ever reason. Tried to change it via GUI, then via changing the XML file. So even the official way did not work.... Well.... I started from scratch and also changed some things I wanted to change already before

Now I have two trunks.
1. igc1 covers vlan for LAN and for the vlan 1 mgmt
2. igc2 covers all other vlans for wifi, iot, test networks and stuff.

So far I am quite happy with this. And I do not mix tagged and untagged anymore

Funfact: As I read discussions about vlan naming, ppl were complaining about the naming scheme and so on. I learnt it can have only 15 chars. And its not possible to have it like igc0_vlan123. So I was quite suprised when I added the vlan directly in the setup and it was named igc0_vlan123. Whats not possible via the gui though...


EDIT: Ah, yes. For the ones who also would like to configure it like that. I had a hard time to try this via the GUI, so I ended up doing a factory reset, declared WAN and LAN from the CLI and created directly the LAN VLAN there. Booted up and configured the rest. Tested and works...

8

General Discussion / Re: Put dedicated LAN port in VLAN?

« on: November 09, 2024, 01:57:46 pm »

Exactly - so you did get it  What's the problem with that?

If you are short of ports, run 192.168.0.0/24 where the PC is connected also tagged over the trunk port and plug the PC into the switch.

Sometimes you do get it, but you prefer not to believe it

Okay, now I am thinking. Because if I just put the LAN tagged as well over the trunk where the other VLANs pass through, then I'll share just 1gbit with all of them. uhm...

I guess I would favour then to go back to my intital line of thought. I will put the LAN interface dedicated on a port and give it a tag. Let's say VLAN 50. Create a Trunk on the switch, connect both, set PVID to something. At least this way I can keep the sh*** VLAN 1 on the other trunk to do the mgmt of the devices.

Are there any pitfalls or disadvantages if I do that?


Tbh I am thinking to just get a new switch where I can do that differently. Especially since I paid now ~800 Bucks for the new Firewall to make it right once I have fibre via gpon sfp. But finding a good switch which does not have a huge power consumption is not that easy as well The TL-SG608E  is very moderate in its power consumption. Either way I wanted to hand over later the other VLANS via 10gig on fibre to the firewall, too. Thinking....

9

General Discussion / Re: Put dedicated LAN port in VLAN?

« on: November 09, 2024, 12:37:53 pm »

Use a dedicated untagged port of OPNsense to connect to the switch on a port with VLAN 1, equally untagged. This is either LAN or a dedicated management network depending on your needs.

Put all other VLANs tagged on a trunk port.

Sorry, I don't get it.

That would mean I lose one port on the FW just for mgmt of switch and ap, as I do not want to have the Switch and AP mgmt IP in the same subnet as my LAN is?

e.g
igc0  <-> Switch Port 1 = 192.168.1.0/24 untagged for switch and ap mgmt,
igc1 <-> PC = 192.168.0.0/24 untagged LAN interface where the PC is connected
igc2 <-> Switch Port 3 = Tagged with WIFI VLANs

I would like to have an OOB for the Mgmt of Switch and AP and not share the same subnet with my LAN.

10

General Discussion / Re: Put dedicated LAN port in VLAN?

« on: November 09, 2024, 12:17:04 pm »

Use a dedicated untagged port for VLAN 1 and a trunk port carrying only tagged VLANs to connect OPNsense to the switch. On the switch configure PVID on that trunk port as something unused like 99 or so.

But how should I manage then the switch itself?

So for instance.
igc0 <-> PC = LAN Interface (untagged) 192.168.0.1/24
igc1 <-> Switch Port 1 = Mgmt, WIFI (tagged with VLAN 1, 10,20,30) 192.168.1.0/24,10.10.X.X/24, 10.20.X.X/24, 10.30.X.X/24
Switch Port 3 <-> AP = (WIFI Networks VLAN 10,20,30, Mgmt of AP is VLAN1)

Mgmt of Switch and AP is in VLAN 1. I cannot change the MGMT of the TP-Link switch to another VLAN.
Also when I change the PVID of Switch Port 1 and Port 3 to PVID different as VLAN 1, I cannot conect anymore to the Switch or AP
For the AP(OpenWRT) I could change the VLAN != 1, but unfortunately not for the switch. So I have to stick with PVID and Tag = 1

So I am a little stuck with this. That was the reason why I was thinking to configure a tagged port for the LAN on the FW, connect the FW to the switch as tagged, and create another untagged port for the PC on the switch. As surely I do not want to waste a needed port on the FW unnecessarily for managing the Switch and the AP.

Perhaps I am overseeing something?

Thanks a lot for your inputs so far!

11

General Discussion / Re: Put dedicated LAN port in VLAN?

« on: November 09, 2024, 10:10:49 am »

Because I do not want to interfere with the VLAN 1 of a TP-Link Management switch.
On top of that I wanted to have an easier way to spread the LAN subnet over other physical ports which run as trunk.

My assumption from what I read here
- the normal LAN Port is VLAN 1(native vlan) e.g on igc0, even if not declared in the GUI/CLI
- if I configure for switch mgmt VLAN 1 on igc1 (and other vlans) then I would bridge this vlan 1 from my LAN with the mgmt vlan of the Switch

Or do I mix here something up?

I just want to have it as clean as possible.

Documentation:"Do not mix tagged and untagged VLANs on the trunk connecting the OPNsense Appliance and the Managed Switch. Side effects include leaking Router Advertisements, DHCP, CARP and other broadcasts between tagged and untagged VLANs. This depends on the brand of the deployed switch, so avoiding untagged frames for trunk ports is the safest method. Additionally, the interface statistics of the untagged VLAN would show all traffic, which can be confusing."
Ref: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Also for the WAN (pppoe) port, for being able to connect to the mgmt of the modem. Following this:
https://forum.opnsense.org/index.php?topic=36936.msg180650#msg180650
or this:
https://forum.opnsense.org/index.php?topic=33497.0
would mix it up I guess.
 

12

General Discussion / [SOLVED]Put dedicated LAN port in VLAN?

« on: November 09, 2024, 12:56:54 am »

Hi.

As I bought a new Firewall for my hopefully coming soon Fibre Link, I am struggeling if I should use the LAN port as a VLAN.
In my old setup on the LAN port only my PC is connected. But it came to the situation that I wanted to add another PC into the same subnet. I dont have that many ports on the new FW. 4x 2.5 gigs copper and 2x 10gigs fibre.

Are there any disadvantages when I do that?

So in steps:
1. Add VLAN 500
2. Assign Interface
3. Remove IP from physical LAN interface
4. Add prior LAN IP to the VLAN
5. Connect FW to trunk port on a switch and finally connect the PC to an access port which the same vlan

The physical LAN Port would only cover the VLAN for the LAN itself. Nothing else. For all the other stuff I use other dedicated ports as trunk.

Or is there a better approach? Not sure how I would share the LAN subnet over a switch. Beside I put it on an access port with VLAN 500 and would configure more ports for the same VLAN

13

24.7 Production Series / Re: Solved: ntp restrict noquery

« on: September 27, 2024, 03:15:46 pm »

Thanks a lot for the explanation and the super fast feedback.

So everything is fine then.

Keep up the good work!

14

24.7 Production Series / Solved: ntp restrict noquery

« on: September 27, 2024, 03:01:56 pm »

Hi,

following the release notes I would like to understand what the following means.

"Also take note that the NTP default changes to "restrict noquery" so that
the system cannot externally be queried for revealing system internals
anymore unless explicitly allowed."

Where can I find that setting?

"The interface selection must therefore include a WAN type interface so that normal routing to the internet can take place."
Ref: https://docs.opnsense.org/manual/ntpd.html

That was my mistake at the beginning. So I had to add the WAN interface, but did not add any rules. As of course I did not want anyone in the internet to be able to connect to 123/UDP to my system.
https://docs.opnsense.org/manual/ntpd.html

15

23.7 Legacy Series / Re: Suspicious DNS queries with new Draytek Vigor 166 setup

« on: December 08, 2023, 09:51:20 pm »

@fastboot

1. can you confirm if the V166 has been configured in Modem/Bridge Mode or in Router Mode?

2. the V166 (like all the Draytek modem/routers) have Google DNS IP addresses hardcoded (I'm afraid), but in bridge mode it doesn't make any difference as the appliance is a 'dumb' modem, so they are not being used.

1. can you confirm if the V166 has been configured in Modem/Bridge Mode or in Router Mode?
=> Yes, I do confirm

2. the V166 (like all the Draytek modem/routers) have Google DNS IP addresses hardcoded (I'm afraid), but in bridge mode it doesn't make any difference as the appliance is a 'dumb' modem, so they are not being used.
=> That's correct. But so far no queries to 8.8.8.8


But I did some changes here to test even more.

What I did

1. Remove all DNS Servers (IPv4+6) from System - Settings - General
2. Enable unbound DNS, configure several DNS Servers for IPv4+6 under DNS over TLS and hardened the settings.

Result so far: The DNS requests are silent. The IP I mentioned in the previous posts is not called again.
Also interesting is, that I even found way more DNS queries from the FW itself to random DNS Servers, which are nowhere configured.

So that the queries stopped now  due to the changes and that I found even more DNS queries in the logs to random servers, raises way more questions to myself. 

I will check to get a network tap next week, to put it between FW and Modem. Furthermore I've asked someone of our RedTeam to help me to reverse the firmware of the Draytek. When I started to use the Draytek, it was delivered with an older firmware. Due to a open CVE I updated and then the mess started. But let's see.

Still... If anyone could tell me which tool I can use on the shell to see which process calls an IP, I would be very gratefull. (like lsof on linux?) netstat does not work that well for this.