OPNsense Forum

Messages - marshalleq

1
General Discussion / Re: NAT Reflection - Was working, not sure why it stopped.
« on: January 09, 2023, 01:15:20 am »
I think it's broken and it would seem that there is a bug open for this (below).  It's probably worth going in there and voicing your opinion to get some visibility that it isn't just a few of us being green about firewall configuration.  I note there are a lot of other threads about this issue going back many versions, one of them logged in 2020 has had 11093 views so I think that says a lot.

https://github.com/opnsense/core/issues/5941

2
General Discussion / Re: Dealing with port forwarding for a laptop which may be WAN or LAN based.
« on: January 05, 2023, 11:37:26 pm »
I feel that with all the issues in here with NAT reflection that either it is broken or needs an overhaul to make it make sense.  I too have this issue.  I want to use NAT reflection for my mail server because Split DNS is causing issues with my security certificates.  Basically the internal different IP keeps questioning me why the certificate has changed and blocks the traffic.

Hopefully someone at OpnSense will make it a priority after so many years of unanswered questions.

3
21.7 Legacy Series / Re: Plex.direct - Unbound DNS - 21.7.1
« on: August 27, 2021, 09:33:49 pm »
For completeness (now that 21.7 has removed the Unbound Custom options from the GUI), the way I have continued to use the GUI to address this is as follows:

Under System, Administration, Alternate Hostnames: plex.direct otherhost (where other hosts are separated by spaces)
Under Services, Unbound DNS, Blocklist, Whitelist Domains: plex.direct
Under Services, Unbound DNS, Blocklist, Private Domains: plex.direct

This works well for me.  It pays to note that the reason I have it under both whitelist and private is I found it solved a problem when connecting to a remote plex server (not my own) which was reporting indirect connections.

For those of you missing the aforementioned way of doing this via custom options, that can still be done manually by editing /usr/local/etc/unbound.opnsense.d instead.

Hope that helps someone out there!

Marshalleq
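Editor's note (added example, not part of the post above or of the OPNsense project): the "Private Domains" GUI field in the post maps onto Unbound's `private-domain` option. Unbound's DNS rebinding protection (`private-address`, enabled by default on OPNsense) strips RFC1918 addresses from answers, and plex.direct hostnames are designed to resolve to private LAN addresses, which is why those answers get dropped unless the domain is exempted. The drop-in file below shows the equivalent of that GUI setting for the custom-options directory the post mentions; the file name `plex.conf` is an assumption, and the directory is included by the OPNsense-generated unbound.conf only if that include is still in place on your version, so check with `unbound-checkconf` after adding it.

```conf
# /usr/local/etc/unbound.opnsense.d/plex.conf  (file name is an assumption)
# Equivalent of Services > Unbound DNS > Blocklist > Private Domains: plex.direct
server:
  # plex.direct names legitimately resolve to RFC1918 addresses;
  # without this exemption Unbound's rebinding protection discards them
  private-domain: "plex.direct"
```

Scope the exemption to the exact domain you need: every name listed here (and all its subdomains) is allowed to return private addresses, which is precisely the rebinding vector the protection exists to block, so do not add broad or wildcard entries.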

4
21.1 Legacy Series / Auto Firmware Update Missing?
« on: June 06, 2021, 11:24:44 pm »
I've been googling this one and I'm unclear if this basic feature exists or not.  What I'm looking for is some method whereby the firmware can be auto downloaded, updated and rebooted if necessary at a scheduled time.  Seems like a pretty basic feature for a firewall to me.

There are a few discussions e.g here https://github.com/opnsense/core/issues/1798

What am I missing?

Many thanks,

Marshalleq

5
21.1 Legacy Series / Scheduled Reboot Missing?
« on: June 06, 2021, 11:21:35 pm »
I stumbled upon this old thread, complete with code to resolve the issue, but for the life of me I can't find this feature in the GUI anywhere.  Perhaps I'm misunderstanding it.

Anyone know if there still exists a scheduled reboot feature in the GUI?

Thanks,
Marshalleq

https://forum.opnsense.org/index.php?topic=4471.0

6
21.1 Legacy Series / Re: Suricata 6
« on: January 16, 2021, 01:03:16 am »
Hi, I hope it's OK to add to this thread - I don't think Suricata works very well, if at all for many people right now.  The documentation here has left a lot to be desired and in my case I can only get it to kind of work by protecting the LAN instead of the WAN which is not at all what I want.

I am quite frustrated about it and not really sure what to do other than bail on Opnsense and go to pfsense.  However, I've been with Opnsense a long time and would prefer to stay for all the reasons I chose it in the first place.

I suspect, that bringing forward Suricata 6 would allow us to iron out these challenges.  So if we could have it added I would be happy to help.

I assume there is a downloadable beta somewhere I can get my hands on?  (Looking now).

Thanks,

Marshalleq

7
Intrusion Detection and Prevention / Re: First Time User
« on: January 03, 2021, 11:31:30 pm »
This seems to be the known unknown in Opnsense.  No-one seems to be able to support Suricata, it's a black art.

I can't even get mine going - no alerts ever show up.


8
Intrusion Detection and Prevention / Re: Suricata doesn't filter anything with telemetry pro
« on: January 03, 2021, 11:09:59 pm »
Sadly, while there was one step missing, it still doesn't work. :(

9
Zenarmor (Sensei) / Failed installation, must reset reporting but doesn't work
« on: December 23, 2020, 11:49:23 pm »
So I've installed and I've tried a few different things, including using an external DB, but always get told to reset reporting, which fails as per attached screenshot.

Admittedly, I do only have 4GB RAM in the box, I could upgrade it, but was led to believe it would work, particularly with an external database, which installed, but did not present any data.

Any ideas?

Thanks.

10
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 23, 2020, 11:46:44 pm »
Deleted my post and moving to a separate topic

11
Intrusion Detection and Prevention / Re: Suricata doesn't filter anything with telemetry pro
« on: December 19, 2020, 02:32:53 am »
Yeah, I think this is happening to most people and they just don't realise.  My posts about it have been met with no replies and I suspect unfortunately the experience (or the will) does not exist in these forums.  Good on you for going out of here, I shall join you to see if I can solve it for me too.

12
20.7 Legacy Series / Has anyone seen any way to integrate Polyswarm Threat detection?
« on: December 02, 2020, 07:07:24 am »
https://polyswarm.io

13
Intrusion Detection and Prevention / SMTP / IMAP IDS/IPS Not working?
« on: November 26, 2020, 10:48:53 pm »
Hi everyone, for some time I've been having some issues with dictionary attacks locking out my mail server accounts.  I'm not sure if the IPS is not working, because if it was I'd expect that this wouldn't happen.  Perhaps I have misconfigured something.

Can anyone help as to:
1 - What rules I would need to prevent this
2 - Any obvious configuration issues - how I might know IPS/IDS is actually working?

I've done some searching, but haven't found anything conclusive.

I'm using the free (in return for some data) ruleset you get from the opnsense store.

Had this message up here for a week or two, no replies, so I edited it just now.  Perhaps nobody knows how to check if it's working....

Thanks.


14
Hardware and Performance / Re: Opnsense hardware upgrade
« on: November 06, 2020, 04:20:26 am »
I've been looking at the Qotom.  I don't understand why everyone says the price is good.  Circa US$400 for a firewall is premium money for a home solution.  And while there are cheaper options, to run gigabit with IPS - that's what I keep reading I need.  If I didn't need it in the cupboard, I'd just continue using an SFF PC, which are a lot cheaper and more powerful.

15
Hardware and Performance / Re: 1Gb with IPS / help me decide
« on: November 06, 2020, 04:13:27 am »
Why more people don't ask this question I don't know :)

Ironically I have an SFF and have been looking at the Qotom, but am not happy how much I have to spend for a home network.

The reason I want to move away from the SFF is simply that in the cupboard, it runs too hot.

Granted it's an older E8400 CPU.

There seem to be a lot of people recommending I5 or higher for gigabit throughput with IPS/IDS.  Given my current CPU I'm questioning if it's required or if I've just not noticed that it's slowing some traffic down.  I'd be interested in your experience on that.  $290+tax brings it up to about US$350 which seems too much for a home firewall.  I can pick up a gruntier SFF for about US$60 which other than the power consumption and I assume similar heat to the E8400 CPU, seems like a comparative bargain.  When you expand that to NZD, it's saying $150-200 vs $600.  A typical consumer grade router goes between $50 and $200 here.

If I could find a laptop grade CPU in a desktop that could work from a heat perspective.

Also regarding the NIC - there are tons of Dual / Quad Intel PCI cards that work in Opnsense which you can pick up quite cheaply.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved