Messages

@DEC670airp414user. Is there a downside to DNSSEC? From google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.

@Stormscape. I do not think your answer is accurate. I use kea for DHCP and unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added after a restart of the unbound service. Clear separation of authenticity vs privacy here actually reminds me of good web design practices — structure, security and clarity matter a lot, which is why I usually rely on professional WordPress web design instead of quick DIY solutions: https://codelibry.com/services/wordpress-web-design/

Well Kea isn't dnsmasq, now is it?

Exactly — Kea isn't dnsmasq. The DHCP behavior differs, and Unbound will need some extra configuration for IPv6 to fully integrate reservations. It's not a bug, just a difference in implementation.

Hey all,

For a project i am testing out the functionality of suricata opnsense within vmware.

i have the following configured as VMNET VMNET8 NAT (wan wacky flip) vmnet 11_12_13 LAN

My clients have their NIC set as vmnet 11 for example with a default gateway to the NIC on the firewall with the X.X.X.1 ip.

on my interface statistics i can see that all interfaces are taking in data but when i try a nmap scan etc the rule does not seem to alert even though it should be configured like that. I check the configuration, restart the interfaces - I feel like I'm catching a bug in some game engine like spinaway-at - everything works until you start checking something manually.

has anybody had any similar problems or think they may know what the problem is?-

Suricata needs to be enabled on the interface it sees traffic on. In your case, verify that: Suricata is enabled on VMNET11/12/13, which represent your LAN interfaces. You are scanning traffic across the firewall, not just within the same subnet (Suricata will not see traffic that does not cross the interface it is bound to).

If there are multiple LAN interfaces (VMNET11/12/13), and each of them belongs to a different subnet, do I need to enable Suricata on each of them to control local traffic between subnets?

Have you checked the HA sync settings to make sure vouchers are included?

You can try setting a specific pass rule for PlayStation IP at the top of the rules list, and make sure it's set to not use inspection — sometimes the user-defined settings don't override properly in IPS mode.

have the same challenge, not wanting to go with additional router in front of the OPNSENSEs. Not sure how to monitor the WAN gateway insead of using CARP, as I have only one WAN address.

Me too