Messages - Mming

#1
Thanks for the feedback, it's appreciated.

/MM
#2
Thanks for your quick reply, and for the great work you do.
/MM
#3
25.1, 25.4 Production Series / 25.1.6 hotfixes?
May 16, 2025, 02:20:59 PM
Hi, noticed today that there were 2 hotfixes for 25.1.6 available without any info here in the forums or in the dashboard on my OPNsense firewall.
The hotfixes were 25.1.6_2 and 26.1.6_4.
Any particular reason for the missing notifications? We tend to regularly check this in our production environments.

/MM
#4
Good morning, we're in the process of deploying our VPN on one of our OPNsense firewalls. In that regard, what is best practice in regards to securing the service? Currently we're planning for WireGuard for our external users due to its lightweight nature and ease of deployment.
We're looking into limiting external access with GeoIP blocking rules, effectively only allowing access from the required geographical locations. But are there any other options that are recommended? Would Suricata IPS/IDS provide any benefit in securing the setup?

Any advice or recommendations would be greatly appreciated.
Thanks

/Mming
#5
I'm currently running OPNsense on a Protectli VP2420 appliance with an Intel J6412 CPU and 16 GB RAM. So far performance is excellent, but as the heading indicates I am contemplating adding Zenarmor and/or Suricata IDS. I wondered if anyone has experience with the same appliance, or at least the same CPU, who can tell me about the overall performance when these additions are enabled?

/MM
#6
Good afternoon,
Considering purchasing a Protectli VP2420 for my network. As far as I understand this uses the Intel J6420 CPU. I was wondering if anyone has any experience using this, or a similar device, with this CPU for OPNsense and Zenarmor NG Firewall. The current network is not large; I would estimate 25-30 devices.
Storage will not be an issue and I plan for 16GB of ram.

/Mming.
#7
General Discussion / Upnp challenges
May 01, 2024, 04:25:42 PM
I'm setting up a new OPNsense FW for my home LAN, but have issues getting UPnP to work properly.

UPnP is currently set up to service my Xbox on a dedicated VLAN, vlan2. This VLAN is assigned on a network interface without any additional IP addresses. The interface is NOT assigned to lan either. vlan2 is assigned to a 3rd interface.

Installed UPnP, ticked Enable, "allow UPnP IGD Portmapping". External interface is WAN and interfaces is set to vlan2.
Tried "default deny" both on and (currently) off. For "user specified permissions" I added the following for the test when I enabled "default deny": allow 1024-65535 192.168.2.28 1024-65535

When I check NAT from my Xbox I get "strict NAT" and "UPnP not successful".
When I check the status of the UPnP service in OPNsense I get no entries; it's just blank.

I get the sense that I'm missing something here, because this is, as far as I understand, something that now should just work.

Any feedback highly appreciated.

/Mming

#8
Hi, and thanks for the confirmation and suggestion about the RFC 1918 groups. Tried that and it worked really well.

Do you recommend having the general rule as a floating rule, or defining it in the "grouping" for each interface? It was my understanding that floating rules would be checked first and that if any traffic matches, further processing would stop. But what I see is that if I have the default allow rule for http(s) to !rfc_1918, inter-VLAN traffic is stopped, as intended, since this is a match. But if I add an additional rule for vlan1 with ANY as the destination, I will be able to access both external sites AND the internal http(s) sites.
Shouldn't the floating rule take precedence and stop traffic intended for the internal VLANs even though I have an allow any/any directly on the VLAN?

What am I missing here?

/Mming
#9
So, fairly new to OPNsense, but I think I've figured out most of it. But I have some questions regarding default FW rules and limiting access to VLANs.
The goal is to deny all inter-VLAN traffic, as it currently is by default, and initially open up each VLAN in a controlled manner. By default I want to allow web browsing only to the internet, not intra-VLAN.

I tried to apply the default allow rule for lan,
which is

Interface: lan
Direction: in
TCP/IP version: IPv4
Protocol: tcp
Source: lan
Destination: any
Destination port: web_browsing (changed this from any to my defined alias group).

So far this makes perfect sense, but the problem is related to the destination. There is no defined "endpoint" for the internet as a whole, only the "any" destination. So by using this, http traffic is allowed to each VLAN as well. This is not something that should be widely allowed.

So my question is (or feedback) for what I plan to do, for this seems to solve my challenge:

I create an alias group containing all my VLANs (vlan1, vlan2, vlan3, vlan4, vlan5); this is called local_networks. I've also created an alias for http and https called web_browsing. All my VLANs are assigned to the lan interface, and the lan interface has no IPs assigned; it only serves the VLANs I've defined.
Then I create a new default rule which will be the last "allow" rule to evaluate before my default drop rule. The rule would look like this (If I would put it on my vlan1):

Interface: vlan1
Direction: in
TCP/IP version: IPv4
Source: vlan1 net

Destination/invert: yes
Destination: local_networks
Destination port range: web_browsing

As far as I understand this will achieve my goal of still limiting traffic between the VLANs: all web traffic is only allowed to the internet, and it will not be possible to browse websites on the internal LANs. If I need that, I should create dedicated rules explicitly allowing access to web traffic on the VLANs, and place those rules above this default rule.

Any feedback would be greatly appreciated, either confirmation that this makes sense or if there are better ways to achieve my end goal.

/Mming
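The two rule questions above (the floating !rfc_1918 rule in #8 and the !local_networks rule in #9) both come down to first-match evaluation with an inverted destination. The following is an added illustration, not code from the posts or from OPNsense: a small Python model of how a first-match ("quick") rule set with floating rules ahead of interface rules decides a packet, using constructed VLAN addressing (192.168.1.0/24 to 192.168.5.0/24) and a documentation address for "the internet". It shows why an interface allow any/any still admits inter-VLAN HTTP in the #8 setup (the inverted floating rule simply does not match internal destinations, so nothing stops the packet before the any/any rule), and why the #9 rule plus the default deny gives the intended split.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Alias contents. RFC1918 is the standard private range set; LOCAL_NETWORKS
# is a constructed assumption standing in for the poster's five VLANs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NETWORKS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 6)]
WEB_BROWSING = {80, 443}


@dataclass
class Rule:
    name: str
    action: str                       # "pass" or "block"
    interface: Optional[str]          # None models a floating rule (any interface)
    dst_nets: Optional[list]          # None models destination "any"
    dst_invert: bool = False          # "Destination / invert" checkbox
    dst_ports: Optional[Set[int]] = None  # None models port "any"
    quick: bool = True                # first matching quick rule decides the packet


def _in_nets(addr, nets) -> bool:
    return any(addr in n for n in nets)


def rule_matches(rule: Rule, iface: str, dst, dport: int) -> bool:
    if rule.interface is not None and rule.interface != iface:
        return False
    if rule.dst_nets is not None:
        hit = _in_nets(dst, rule.dst_nets)
        # With invert set, the rule matches only when the destination is NOT in the alias.
        if hit == rule.dst_invert:
            return False
    if rule.dst_ports is not None and dport not in rule.dst_ports:
        return False
    return True


def evaluate(rules: List[Rule], iface: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name). Rules are listed in evaluation order
    (floating first, then interface rules); an implicit default deny ends the list."""
    dst = ipaddress.ip_address(dst_ip)
    last = ("block", "default deny")
    for r in rules:
        if rule_matches(r, iface, dst, dport):
            if r.quick:
                return (r.action, r.name)
            last = (r.action, r.name)   # non-quick: last match wins
    return last


def post8_rules() -> List[Rule]:
    # Floating allow web to !rfc_1918, plus an interface allow any/any on vlan1.
    return [
        Rule("floating: allow web to !rfc_1918", "pass", None, RFC1918,
             dst_invert=True, dst_ports=WEB_BROWSING),
        Rule("vlan1: allow any", "pass", "vlan1", None),
    ]


def post9_rules() -> List[Rule]:
    # Single interface rule: allow web_browsing to !local_networks, then default deny.
    return [
        Rule("vlan1: allow web to !local_networks", "pass", "vlan1", LOCAL_NETWORKS,
             dst_invert=True, dst_ports=WEB_BROWSING),
    ]


if __name__ == "__main__":
    for label, rules in (("#8", post8_rules()), ("#9", post9_rules())):
        print(label, "vlan1 -> 192.168.2.10:80 ", evaluate(rules, "vlan1", "192.168.2.10", 80))
        print(label, "vlan1 -> 203.0.113.10:443", evaluate(rules, "vlan1", "203.0.113.10", 443))
        print(label, "vlan1 -> 203.0.113.10:22 ", evaluate(rules, "vlan1", "203.0.113.10", 22))
```

The model keeps only the fields the posts talk about (interface, inverted destination alias, destination port, quick), so it is a reasoning aid rather than a pf replacement; the practical takeaway it demonstrates is that an inverted allow rule never blocks anything by itself, and that the inter-VLAN deny comes entirely from the default deny at the end of the list.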