Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - JohnDoe17

Pages: [1] 2

19.1 Legacy Series / Re: OPNsense 19.1.x and DNSoverTLS with Hostname Verification

« on: July 01, 2019, 01:16:20 am »

I *think* the configs need to be adjusted slightly...

NOTE the additional "dns" in the "dns.quad9.net" string.

Code: [Select]

	forward-addr: 9.9.9.9@853#dns.quad9.net
	forward-addr: 149.112.112.112@853#dns.quad9.net

NOTE the removal of "1dot1dot1dot1dot1" in the "cloudflare-dns.com" string.

Code: [Select]

	forward-addr: 1.1.1.1@853#cloudflare-dns.com
	forward-addr: 1.0.0.1@853#cloudflare-dns.com

Maybe someone can confirm this or not.

19.1 Legacy Series / Re: OPNsense 19.1.x and DNSoverTLS with Hostname Verification

« on: June 30, 2019, 05:18:00 am »

Good stuff! Thanks!

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« on: June 04, 2019, 06:08:42 pm »

@mb

Looks like this issue wasn't completely resolved afterall...

Code: [Select]

User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1) amd64
OPNsense 19.1.8 dff8692b8
Plugins os-arp-scan-1.1 os-ftp-proxy-1.0_1 os-sensei-0.8.0.rc1 os-sensei-updater-0.8.0_21 os-vmware-1.5 
Time Tue, 04 Jun 2019 11:05:35 -0500
OpenSSL 1.0.2r  26 Feb 2019
PHP 7.2.18
PHP Errors:
[04-Jun-2019 11:02:51 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}
[04-Jun-2019 11:03:24 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« on: May 29, 2019, 06:18:58 pm »

Hello @mb.

Yes, I can confirm the fix in rc1 did resolve the error I saw with the Sensei CLI API and OPNsense Crash Reporter.

Thank you!

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« on: May 28, 2019, 06:11:31 pm »

I got the crash to happen again.

Note that "Rainbow#Bicycle" is the password I was using for the test. Does Sensei handle the "#" symbol in a password?

Code: [Select]

[28-May-2019 11:08:17 America/Chicago] PHP Fatal error:  Uncaught Error: Class 'OPNsense\Sensei\Exception' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(151): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4346, 1, '', 1)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(134): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4346, 'Rainbow#Bicycle', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(89): OPNsense\Sensei\Sensei->runCLI(Array)
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php on line 111

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« on: May 28, 2019, 05:35:02 pm »

Quote

2) Installed Sensei 0.8.0.beta10.

Development and Code Review / Re: Sensei on OPNsense - Application based filtering

« on: May 28, 2019, 05:28:35 pm »

I'm new to Sensei, but I'm loving it so far! Great work!

I do occasionally get a "crash report" notification though.

Here is the sequence of events:

0) Sensei was not installed.
1) Upgraded OPNsense from 18.7.10_4 to 19.1.8.
2) Installed Sensei 0.8.0.beta10.
3) Successfully completed the initial Sensei configure wizard.
4) Noticed a "crash report" when I went to the OPNsense Dashboard.

Unfortunately, I don't have the crash report in front of me at the moment, but I *did* submit it, so hopefully you'll get it from the OPNsense team eventually. It was something about PHP crashing with bad data related to the "TCP Service Security" password. I'll keep you posted if I see it again.

19.1 Legacy Series / Re: OpenVPN DNS DHCP options not pushed to clients

« on: April 17, 2019, 04:05:26 pm »

No, you are not the only person to experience this. I have the same issue, but I am still running 18.7.x.

18.7 Legacy Series / Re: 18.7.10 and Suricata

« on: January 23, 2019, 05:49:28 pm »

Well, after reverting, I seem to be getting alerts again. And the rules lists are downloading again.

Thanks, Franco.

I assume if this gets sorted out in the future, when I upgrade to 19.1.x, the reverted version will upgrade at that time too?

18.7 Legacy Series / 18.7.10 and Suricata

« on: January 21, 2019, 10:35:05 pm »

Hello.

Are there known issues with Suricata and OPNsense 18.7.10_3? I just upgraded from 18.7.7, and Suricata doesn't seem like its working any more. Before the upgrade I would see a fair number of alerts from day to day (mostly informational), but after the upgrade I haven't gotten any! Seems hard to believe.

I have OPNsense configured to use it on a number of internal interfaces, but not WAN. And I have chosen Hyperscan as the matching engine. (I did try the default engine too, but that didn't seem to make a difference.)

I'm using http://testmyids.com to try to stimulate an alert. This has worked in the past, but nothing happens after the upgrade.

Any ideas?

P.S. I really love OPNsense. I've been using it for a couple of years, and I recommend it to others. Thanks for the great work!

18.1 Legacy Series / Re: How to setup and manage 18+ OpnSense centralized

« on: May 16, 2018, 09:39:33 pm »

I am very, very interested in this topic as well. Have you been able to make any progress on this front using the API?

Question for Opnsense developer's: What would it take to make this use case a higher priority? Do you accept private contracts to prioritize work? Or, in other words, what drives the priorities for developing new features?

Thanks!

17.7 Legacy Series / Meaning of letters in the Firewall Log Files "Proto" field

« on: September 26, 2017, 09:21:07 pm »

What does "TCP:SEC" mean in the Firewall Log Files "Proto" field?

I think the "S" means "Syn," but does "E" mean "ECE" and "C" mean "CWR"

OR

is it "S" and "EC" for "Syn" and "ECE"?

I have a lot of this kind of stuff in my Firewall Log files. Is that normal?

[Edited to add]: Also, do I need to be creating rules to allow this type of traffic? Or are simple rules to allow only "Syns" sufficient?

Thanks.

17.7 Legacy Series / Re: SSL VPN Road Warrior

« on: August 14, 2017, 04:56:02 pm »

Welcome to OPNsense and the forums!

I am a relatively new user too, but I just went through this procedure too.

Step 1
--------
Go to System > Access > Users and find a user authorized for the VPN.
Edit that user by clicking on the pencil icon.
Scroll down to the "User Certificates" section and note the "CA" listed there. It should be "SSL VPN CA" if you're using the same names as the "How To."

Step 2
--------
Now, go to VPN > OpenVPN > Servers and edit the entry for the newly created VPN server by clicking on the pencil icon.
Scroll down to the "Description" section and note the text there and the port number just above it. For example, "My SSL VPN Server" and port 1194 if you're using stuff from the "How To."
Scroll further down to the "Peer Certificate Authority" section and note the CA listed there. It should match the CA you recorded in Step 1 above (i.e. "SSL VPN CA").

Step 3
--------
Go to VPN > OpenVPN > Client Exports and select the Remote Access Server that matches the description and port number from Step 2 above. For example, "My SSL VPN Server:1194".
Scroll down to "Client Install Packages" and your stuff should be listed there.

If it STILL isn't listed, then my guess is you made a mistake in the "Adding a User" steps. You MUST "Create an internal Certificate" with the correct certificate authority selected here ("SSL VPN CA") or it won't work.

NOTE!!!

I believe there is an error in the How To's "Step 2 - Firewall Rules" section. I posted about that in the "Documentation and Translation" Forum. Check that out too.

Good luck!

[EDIT: for a small typo and added clarity]

Documentation and Translation / Error in "Setup SSL VPN Road Warrior" How to?

« on: August 08, 2017, 08:31:23 pm »

I think there may be a typo in the "Setup SSL VPN Road Warrior" How to:

Go to the second picture under "Step 2 - Firewall Rules"
It shows "192.168.2.0/24" as the Source, but I think it should be "10.10.0.0/24" according to the network diagram at the beginning of the article

Either that or I completely don't understand the setup like I thought I did because I don't see "192.168.2.0/24" referenced anywhere else in the article.

Thank you for the write-up though! I find the OPNsense How to's to be very high quality in general.

17.7 Legacy Series / Unbound vs. Dnsmasq

« on: August 02, 2017, 10:43:58 pm »

I noticed in the 17.7 release notes there is mention that Unbound is the new default DNS service.

I don't know enough about DNS or Unbound vs. Dnsmasq to understand the significance of that announcement.

Is Dnsmasq not as secure as Unbound? Is it not as fully featured? Does Unbound perform better? Is Dnsmasq deprecated or scheduled for removal in the future?

If I'm using Dnsmasq now, should I switch? Does the 17.1 -> 17.7 upgrade package do the switching for me? Will it transfer my Dnsmasq configuration to Unbound?

Etc.

Thanks for the help!

Pages: [1] 2