
Messages - Lost_Ones

#1
I deleted the Rules and the Pipes, and rebuilt them using the same documentation.  I can confirm that the shaping is working again.

Hope this helps anyone else facing issues with shaping post upgrade to 24.7 from 24.1.
#2
Hello,

I have noticed post upgrade that I no longer have the same limits as before, and I now can consume the pipe with a speed test, whereas before I would not exceed the set value in the shaper.

I had used this process with the previous versions of OpnSense --> https://docs.opnsense.org/manual/how-tos/shaper_limit_per_user.html

Thank you for your input.

Regards,
#3
I may be making this more complicated than necessary, but I am hoping there is a solution that I am not seeing.

Using the OPNsense documentation for both road warrior and selective routing to a Mullvad WireGuard endpoint, I have both working. Finally :)

For example, I can re-IP my host to one that matches an Alias that is allowed to use the Mullvad VPN, and DNS is resolved locally on my PiHole. Additionally, I can VPN back to my OPNsense from my cell phone while also using my PiHole. Now, if I were to try to mash the two together, such as adding the phone's IP to the Alias list that is allowed to use Mullvad, I do get to the desired endpoint, but I am not using my local PiHole for DNS.

Here is my outbound NAT; allowed Mullvad IPs are single host IPs from the LAN net, and there are also 10.10.10.x that are from the WireGuard configurations. (I hope that you are seeing this screenshot as I can't :) ) These are the same as the documentation here and here:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

The WireGuard and the LAN rule are basically the same, where the host alias list is allowed to RFC1918, then out via Mulvad_GW.

I feel that if I have a working VPN connection back to OPNsense, and I just added the IP to the Alias, I would be in business. Well, technically I am, but just not using my local DNS via PiHole as I desire. My gut feeling is there is something with NAT, but I cannot visualize this, and I hope I can get pointed in the correct direction.

Thank you for your time,

#4
Hello,

I have been trying to get this working; however, I am stuck.

Details:
OPNsense v23.1.6-amd64
Has this worked before? No, just trying to get this to work for the first time.
Documentation used - https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (used for firewall rules and routes) & https://listed.to/@lissy93/18842/how-to-mullvad-vpn-using-wireguard-on-opnsense (used to help with getting the IP for the endpoint & local WireGuard configs)

Where I am at now:

I have a configured WireGuard VPN endpoint with handshakes, and the Mullvad GW is responding to ICMP. I can see, from my Mullvad admin page, the new WireGuard key that matches the pubkey from my instance.

If I configure my PC's interface to an IP that is in the Alias list to use the Mullvad VPN endpoint and I try to open a web page, I am presented with what looks to be a portal request, but no page renders. I get a message 'You must open network log in page' when using Firefox, and when using Brave, I am presented with a cert issue.

I can ping my local GW as well as the Mullvad GW, but not beyond that.

This leads me to believe that I may have a correct configuration, but I am not permitted to route my traffic to the endpoint? The other possibility is that traffic is not making it back, but I am not seeing hits in the logs.

Any assistance to get this working would be much appreciated.

Regards,

Issue was resolved; it was a misconfiguration of the Gateway monitoring IP.

#5
Hello,

Did you end up getting this working? I moved from qemu/kvm to Proxmox and I too was having an issue. My setting for the Pattern Checker was Hyperscan, and when I moved it to the default Aho-Corasick I was back in business.

Regards,

#6
22.1 Legacy Series / Re: os-ddclient
February 11, 2022, 02:36:34 AM
For Duck DNS,
I recall using DuckDNS in the dropdown, no username, the token as the password, then my domain xxxxx.duckdns.org under hostname.

I noticed in the log that it failed a couple of times with KO, then updated.

Good luck
#7
22.1 Legacy Series / Unbound DNS Blocklist logging
February 11, 2022, 12:15:38 AM
Hello,

I was able to get Unbound DNS configured using DoT, and the blocklist appears to be working just fine. I was able to turn on logging for DNS queries; however, I am not seeing logs for blocked queries. Is this a feature? My other thought was that if a DNS query resolved to 0.0.0.0, that too would indicate that the DNS was blocked; however, I don't see those resolutions.

Hopefully I can be pointed in the right direction as to how one can troubleshoot a possible DNS block.

Much appreciated.
#8
Intrusion Detection and Prevention / Re: IDS Interfaces
February 07, 2022, 09:09:20 PM
Hi Franco,

I am following what you are saying. I would think that if I have just the LAN selected, and there was a signature that was matched, IPS would trigger on the communication from the inside device back out?

I fully understand that the FW will catch any incoming, unsolicited request; however, I have port forwards and just want to block bad actors that may be scanning the Internet.

I really don't want all the noise; I am just trying to mimic the configuration that I had with pfSense.

Regards,

JC
#9
Intrusion Detection and Prevention / Re: IDS Interfaces
February 06, 2022, 06:12:42 PM
UPDATE:

Seems that if I have LAN and WAN interfaces selected (my modem is in bridge mode, and I use PPPoE) I will see blocks with the public IP of the SRC without any IP or network listed in the 'Home Network' under administration.

I created a user rule for a site - Gibson Research "Shields Up" - with an alert. When I would run a scan, it would show in the logs. This leads me to believe that IDS is working without having to manually (or automagically via script) input an IP in the Home Networks.

Sample logs:
2022-02-06T09:58:46.797271-0700   4294967294   allowed       4.79.142.202   443   192.168.50.70   59168   test IP from grc.com to scan
2022-02-06T09:58:46.796621-0700   4294967294   allowed       4.79.142.202   443   192.168.50.70   59158   test IP from grc.com to scan

Agree?

Thank you.
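The two alert lines above are the kind of evidence a defender wants to sanity-check: does the sensor see traffic in both directions, and how does each alert relate to the home network? The following is an added example, not code from the original post or from the OPNsense project. It parses the two sample lines (copied here as constructed input), tags each alert with a direction relative to a configured home network, and falls back to the RFC1918 private-address check when no home network is configured, which mirrors the situation described in the post. The column layout (timestamp, rule id, action, source IP, source port, destination IP, destination port, message) is my reading of those lines, not a documented export format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample input: the two alert lines from the post, copied verbatim.
SAMPLE_LOG = """\
2022-02-06T09:58:46.797271-0700   4294967294   allowed       4.79.142.202   443   192.168.50.70   59168   test IP from grc.com to scan
2022-02-06T09:58:46.796621-0700   4294967294   allowed       4.79.142.202   443   192.168.50.70   59158   test IP from grc.com to scan
"""

# Assumed column order; adjust the pattern if your export differs.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<msg>.*?)\s*$"
)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Alert:
    timestamp: str
    sid: int
    action: str
    src: IPAddress
    sport: int
    dst: IPAddress
    dport: int
    msg: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that do not match the layout."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(
        timestamp=m["ts"],
        sid=int(m["sid"]),
        action=m["action"],
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
        msg=m["msg"],
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse every well-formed line, silently skipping anything else."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def _is_home(addr: IPAddress, home_nets: List[ipaddress.IPv4Network]) -> bool:
    # With no home network configured, treat any RFC1918/private address as home.
    if home_nets:
        return any(addr in net for net in home_nets)
    return addr.is_private


def direction(alert: Alert, home_nets: List[ipaddress.IPv4Network]) -> str:
    """Classify the packet that raised the alert relative to the home network."""
    src_home = _is_home(alert.src, home_nets)
    dst_home = _is_home(alert.dst, home_nets)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"


def summarize(text: str, home_cidrs: Tuple[str, ...] = ()) -> Dict[Tuple[str, str], int]:
    """Count alerts by (direction, action), e.g. {("inbound", "allowed"): 2}."""
    home_nets = [ipaddress.ip_network(c) for c in home_cidrs]
    counts: Dict[Tuple[str, str], int] = {}
    for a in parse_alerts(text):
        key = (direction(a, home_nets), a.action)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(a.timestamp, a.sid, a.action, f"{a.src}:{a.sport} -> {a.dst}:{a.dport}",
              direction(a, [ipaddress.ip_network("192.168.50.0/24")]), a.msg)
    print(summarize(SAMPLE_LOG, ("192.168.50.0/24",)))
```

Both sample alerts classify as inbound (public source, LAN destination) whether the home network is given explicitly or inferred from the private-address fallback, which is consistent with the observation in the post that alerts with a public SRC appear without anything entered under Home Networks. Running the same summary over a longer export and comparing the inbound and outbound counts is a quick way to confirm the sensor is seeing both directions on LAN and WAN.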
#10
Intrusion Detection and Prevention / IDS Interfaces
February 05, 2022, 05:30:29 PM
Hello,

I am brand new to OPNsense. Coming from pfSense.

I have a few questions about the interfaces selection to use with IDS.

Couple of things first:
OPNsense 22.1-amd64
FreeBSD 13.0-STABLE

I have OPNsense in a qemu/kvm with a dual nic card with each physical interface configured as a bridge, one WAN and the other LAN.

For IPS configuration I have enabled: Enabled, IPS mode, and Promiscuous mode. I have Hyperscan as my pattern, and interfaces of LAN and WAN. I have also selected several downloads and enabled them as well.

I have a policy that is set to the downloads, with the Action of alert and drop, with the New Action of Drop. All else default.

I hope that the above is correct for my configuration ::) and that Suricata works with VM br0 interfaces?

Question one: I read that you need to have the IP of the WAN in the settings under administration, home networks? Is this true? What if you have ddclient configured to update dynamic DNS? Otherwise, how do you keep that updated?

Question two: I am coming from pfSense with Suricata, so I am familiar with how 'noisy' IDS can be. I seem to see only a trickle of alerts, whereas before it would have a lot of blocked session attempts in a short period of time (I do have port forwarding, hence more alerts).

It seems to work at times, but not a constant flow of new alerts. I have looked at the documentation, and it is not too much of a how-to, but it does make me wonder if it will work in a KVM or if I have the proper configuration.

I appreciate any insight or direction.

Best Regards,