Messages

1

Intrusion Detection and Prevention / Re: 100% Load when scanning huge downloads

« on: May 17, 2019, 01:03:33 pm »

found out, that its neither suricata, nor squid. I have this load even without those. So it either seems to be a problem on the net itself or my apu2 is no longer good.

Somebody else with this?

2

Intrusion Detection and Prevention / 100% Load when scanning huge downloads

« on: May 17, 2019, 09:14:10 am »

Hi,

i have a apu2c4 (4 gb RAM) running opnsense with suricata in ips-mode. All physical interfaces are select (vlans are not selected.

While normal surfing, nothing exceptional happens on the cpu-load. But whilst e.g. updating my system or downloading a whole dvd, the load of the cpu jumps up to 100% and as a result, the rttd on the gateway goes up to 700 ms...

I've already used the whole bunch of optimizations, but i have no further idea, how to get rid of this.

If i stop suricata, no problems with load.

Hast anybody else the same effect?

Thx!

3

19.1 Production Series / Re: Block a device by IP

« on: May 11, 2019, 06:13:02 pm »

Thats quite easy. Create e.g. an alias for blocked_internal_IP (type URL (IPs))

Put all the ips in that alias. Create a blocking rule within the interface/net you want to block. Choose as source the newly created alias. If using target any/any, they will be blocked.

4

19.1 Production Series / Re: No User Import Option when setting LDAP server

« on: May 07, 2019, 08:10:10 am »

you'll have to set ldap also as login for the sense in system-settings-general. just add to local also ldap.

afterwards, you'll see the download icon.

5

19.1 Production Series / Re: a VLAN Per SSID

« on: May 01, 2019, 06:42:22 pm »

it's also my usecase at home, for separate wifi for kids, using ubiquiti ap ac lr an ubiquity pa ac lite. both work well. As controller, i use a ubuntu lxc-container, not the cloud-thingy.

with this, my kids have to stop youtubing, instagramming, gaming and snapchatting ab 2030

6

19.1 Production Series / Re: setup for DNS/WEB Server in DMZ

« on: May 01, 2019, 06:39:57 pm »

it's been quite a difference for me with pf, as linux with iptables handles those things litte other...

Usually, the firewallrules have to be made per interface. Except LAN, a interface has no rule at all, meaning, that all traffic is blocked. This is why specially the LAN interface has an outgoing/allow any/any rule, so all outgoing traffic is allowed.

I have nearly the same setup as you want to, i had to make all the rules on the dmz-interface, as there was no rule at all, meaning no traffic at all is allowed.

Your rule on the wan port allows just to step into the wan port of the firewall. If you have to redirect to DMZ-Interface, you will also have to open the incoming ports there and enable port forwarding (it might be, that port forwarding also opens the ports on the destination interface, but i am not sure at all).

Your target is on DMZ, not on wan, so you will have to redirect the ports to the target server on the dmz interface.

The rules are on per interface basis executed from top to bottom, whilst the first match stops further examination of the packets. Also, its important to know that it seems the be, that forwarding is done before rule checking, so (abstract example):

Request for Port 25 on WAN: Allowed on WAN-Interface
If Forwarding to DMZ: All traffic on port 25 will be redirected, but no target server specified
If Forwarding to specified target on Port 25 on DMZ-Interface: All traffic from WAN to specified target on Port 25 will be made, but
Request for Port 25 on DMZ: If not allowed, it will be blocked or
Request for port 25 on DMZ; if allowed, it can pass or
Request for port 25 for your target on DMZ: if allowed, it can pass to your target, everything else in DMZ except your target will be denied.

Try it, if i am wrong, let me know, if it resolves your problem, much better. There is just one exception, which i do not use, "fliessende Regeln"...*sigh*

7

19.1 Production Series / Re: setup for DNS/WEB Server in DMZ

« on: May 01, 2019, 10:22:11 am »

You need to Port forward under Firewall -> NAT to the target server. On the incoming interface then (DMZ) you will also have to open the ports, i think.

8

19.1 Production Series / Re: setup for DNS/WEB Server in DMZ

« on: April 30, 2019, 04:16:04 pm »

What ports do you plan to provide? Above, there are mentionned a lots, which have no need to be presented to the internet.

If you serve also Web- and Mailservices, i propose to install fail2ban on the host, which runs those services.

And as almost mailclients support IMAP4 as of today, i would recommend no longer using the pop3 and pop3s-protocol.

If you really want to server ISP Config to your "customers" (assumption, youre talking of 15 domains), i would definitively use a reverse proxy as haproxy or nginx. Both of them are well documented on the opnsense page.

9

German - Deutsch / Re: UniFi AP AC LITE erhält keine IP-Adresse vom DHCP

« on: April 29, 2019, 07:51:26 am »

Siehst Du den AP in Unifi oder nicht?

Ich hatte auch einen, mit demselben Effekt, der liess sich nicht provisionieren, meldete sich als Client an und weigerte sich standhaft sich provisionieren zu lassen. Habe den dann Werkresetted (10 Sekunden Resettaste drücken), danach hatte er eine IP bezogen.

Provisionieren liess er sich danach dann auch. Bin nicht sicher, ob die bei neuen nicht was komisches an der FW gedreht haben.

Wies funktioniert, falls Du einen Cloudkey hast, weiss ich leider nicht

Gruess
Roge

10

Web Proxy Filtering and Caching / Re: [SOLVED] get rid of host forgery detected

« on: April 29, 2019, 07:34:41 am »

Hi Franco,

Sorry for not replying, also i still have the issue, using transparent proxy.

btw. looking at the logs above, also i see almost feelinsonice.com. This seems to be snapchat.

Roger

11

19.1 Production Series / Re: Unable to import LDAP users

« on: April 24, 2019, 08:31:35 pm »

Hi,

Firewall-Port  for LDAP/LDAPS open? Otherwise, please post your config. Btw. i went in troubles using ldap when browsing the whole subtree. So, i indicated just 1 level, not the whole subtree in search area.

12

19.1 Production Series / Re: Locked out / No root login possible anymore

« on: April 24, 2019, 03:19:47 pm »

if i remember right, you should be able to connect via serial console and boot into single user mode.

On reboot, i thought, there was the option single user mode. Means not network at all, but if i am right, also no login (you should be root).

Therefore, you should be able to change the authentication via console.

13

19.1 Production Series / Re: Freeradius broken since 19.1.6

« on: April 12, 2019, 06:47:51 am »

done.

https://github.com/opnsense/plugins/issues/1303

14

19.1 Production Series / Freeradius broken since 19.1.6

« on: April 11, 2019, 09:29:39 pm »

Hi,

After updating to 19.1.6, i got lots of errors with ubuntu clients, using wpa2/eap/mschapv2 using freeradius. Auth is LDAP.

21:25:50 2019 : Auth: (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)

erm...i do not user nt/lm passwords...where does this come from?

15

19.1 Production Series / Re: How do i add DNS entries for LAN systems?

« on: April 08, 2019, 01:29:05 pm »

you might talk from name resolution of your ips.

You will find this in unbound, bridging. Add a hostname and the appropriate IP of the host there.