Messages - FullyBorked

1
Zenarmor (Sensei) / Re: ACME cert for TLS Block Page?
« on: March 27, 2023, 10:12:14 pm »
Quote from: mb on March 27, 2023, 09:42:12 pm
Hi @FullyBorked,

Yes, we're shipping this capability with 1.13 (OPNsense UI only). You'll be able to import your own CA key/cert.

Would that be helpful?

Yes, that would be very useful. Keeping in mind that ACME renews regularly, it would only be useful if it was automated on the Zenarmor side.

2
Zenarmor (Sensei) / ACME cert for TLS Block Page?
« on: March 26, 2023, 01:09:51 am »
I enabled the feature Zenarmor > Configuration > Enable Block Notification Page for TLS encrypted connections (BETA).  It has the ability to download the CA cert, however I'm using ACME for my OPNsense instance. Since the hostname is the same, is there any way to just use that cert?  Passing out a Root CA Cert to a bunch of devices, esp. mobile, is tough.

3
22.7 Legacy Series / Re: Cant get nextcloud config backup working.
« on: March 26, 2023, 12:41:05 am »
Quote from: Tismofied on March 26, 2023, 12:17:40 am
Quote from: FullyBorked on November 01, 2022, 01:19:42 am
It's probably a self-signed cert issue.  I just went through this nonsense. If your Nextcloud instance has a self-signed cert, that's your problem. I finally just set up my Nextcloud without a cert.  Not ideal but it works now without issue.  The error reporting is terrible imo.  Not able to retrieve file list might technically not be wrong but doesn't even come close to leading you towards it being a cert issue.

Sent from my Pixel 6 Pro using Tapatalk
what method did you use to install your nextcloud instance?

I installed it on Ubuntu Server using snap -
Code:
sudo snap install nextcloud

4
Zenarmor (Sensei) / Re: Is export to CSV from Live Session Viewer a Paid feature?
« on: February 16, 2023, 02:51:55 pm »
Quote from: beki on February 16, 2023, 11:15:52 am
Hi FullyBorked,

You are right. Export CSV feature is available on Paid subscriptions.

https://www.zenarmor.com/docs/opnsense/reporting-analytics/live-session-explorer#exporting-csv

Excellent, thanks for finding that, the doc I was looking at mentioned nothing of that being a paid option.  Seems like a weird flex to paywall CSV export  ;)

5
Zenarmor (Sensei) / Is export to CSV from Live Session Viewer a Paid feature?
« on: February 14, 2023, 12:48:36 am »
Was helping a friend who is using the free version of Zenarmor. He's trying to do an export from the session viewer, however, when I instructed him to simply click the export to CSV button, that button doesn't show for him. So this made me curious: is export to CSV from Live Session Viewer a Paid feature?  That's the only difference between mine and his deployments that I can think of.

6
23.1 Production Series / Re: Still having problems with using OTP for auth
« on: February 08, 2023, 08:16:20 pm »
Quote from: amichel on February 08, 2023, 08:02:09 pm
For me MFA works like a charm.
What I did was I extended the Grace Period to 15 seconds so the old token is valid for 15 seconds after the new one is issued.
If you do not change the config you type in the token code that is on your device followed by the password.
For Example the password is Password1! you type 23456789Password1! with no space in between.
Hope that helps.

This is good feedback, extending the time can be helpful.  I did this for OpenVPN back in the day as end users struggled to get their code and their password in within the short duration. 

7
23.1 Production Series / Re: Still having problems with using OTP for auth
« on: February 07, 2023, 03:12:26 pm »
I've not used the OPNsense implementation, so I don't have a lot of guidance.  The major thing that has hung me up in the past is time, it has to be near perfect on your device and your server for it to work.  Make sure your OPNsense box is getting proper time sync, and make sure your mobile device is as well.  Use an online time source like time.nist.gov to make sure it's perfect.  Secondly anything in your logs? Might lead you down a path to resolution if you know what seems to be failing. 

8
22.7 Legacy Series / Re: Plugin warnings for Gateway status
« on: January 23, 2023, 07:23:41 pm »
Quote from: Fright on January 23, 2023, 07:06:35 pm
oops. I'm sorry, I completely forgot that I'm testing on a "gridstack.js" lobby.. :-[
opnsense-patch -a kulikov-a 7ea01a3
(don't revert previous)
(https://github.com/kulikov-a/core/commit/7ea01a3)
should make this work
sorry

No worries, that final patch worked as expected.  This is a fantastic addition, thank you for working on that.

9
22.7 Legacy Series / Re: Plugin warnings for Gateway status
« on: January 23, 2023, 05:26:13 pm »
Quote from: Fright on January 23, 2023, 06:57:54 am
@FullyBorked
can you test log widget with the
Code:
opnsense-patch -a kulikov-a 626651e
applied, please?
(https://github.com/kulikov-a/core/commit/626651e)
widget was refactored before the RFC5424 migration and I would be happy to add a severity filter if @franco doesn't mind )

I installed it but doesn't look like I can see any option other than debug.  See attached screenshot.


10
Intrusion Detection and Prevention / Re: IDS/IPS performance hit - does that look normal...
« on: January 06, 2023, 07:56:06 pm »
Quote from: jeffmcfarlin on January 06, 2023, 07:49:09 pm
New to OpnSense, but really liking it so far. Using abuse.ch* and ET.telemetry* on the LAN interface on - Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (4 cores, 4 threads), w/8G memory, 2 Broadcom BCM57xx single port cards with a typical NAT setup (FiOS single static IP, and ~75 or so devices behind the firewall on a single /24).

I'm seeing about a 20% performance hit when in IPS mode on outbound traffic thru the FW to the internet with the above setup. Seem about right? (216,358 rules)

Jeff

I wouldn't expect a huge hit, your CPU is decent.  Have you disabled hardware offloading in Interfaces > Settings?  I have an i3-9100 with 8GB of RAM as well, and 1200Mbps Xfinity, and the performance hit is imperceivable to me.  However I haven't used Suricata on my internal interfaces in some time now.  I only use it on my DMZ interface that hosts a few sites/game servers and Zenarmor on my other interfaces.

11
General Discussion / Re: Casting to and controlling Google devices on different VLANs
« on: December 28, 2022, 10:16:11 pm »
You've gotten farther than I have, in three years with OPNsense I've attempted this several times and never made it even as far as you have.  I use Ubiquiti gear, so very similar to the Omada kit.  If you figure this out please post up.  I'd love to move my Chromecasts etc off my LAN.

12
22.7 Legacy Series / Re: Communication between two LANs
« on: December 28, 2022, 10:01:25 pm »
I don't mean this as harsh as it might sound, but are you sure they can't communicate?  How are you testing?  Are you sure local firewalls (i.e., Windows firewall) aren't blocking at the device level? That's caught me a few times.  What are you seeing in the live logs in OPNsense?

13
22.7 Legacy Series / Re: Plugin warnings for Gateway status
« on: December 22, 2022, 08:55:40 pm »
Quote from: franco on December 22, 2022, 08:52:53 pm
The commit can very likely be reverted with the patch:

 # opnsense-patch b493c543039d

I'm not sure what we will do but I can bring it up for when we start planning for 22.7.11.


Cheers,
Franco

Personally for me it's not that big of a deal.  Might look into filtering that widget though.  It has a filter option but I'm not sure how it works.  I'll mess with that and see if I can filter by log level. 

14
22.7 Legacy Series / Re: Plugin warnings for Gateway status
« on: December 22, 2022, 08:40:47 pm »
Quote from: franco on December 22, 2022, 08:35:44 pm
Where was the log output copied from? It's not a "warning" either, not by syslog priority nor by content.

It's about https://github.com/opnsense/core/commit/b493c543039d but the message was always there as a debug message. Since it didn't go into the log because the minimum level is notice it now goes into the log by magic of log_msg().

I'm not convinced the log messages in plugins.inc hold any value, but so far it was discussed to keep them and make them visible.



Cheers,
Franco

I see them in System > Logfile > General.  Yes they are labeled as notice not warning.  I hadn't seen them before, is the reason I posted.

Edit: I use the syslog widget to get a quick view of the log file to see if anything is there I should take notice of, this log spam fills up that widget so any useful log is pushed off quickly.  Otherwise it seems harmless.

15
22.7 Legacy Series / Re: Scheduled Restart
« on: December 22, 2022, 04:10:24 pm »
Yup, System > Settings > Cron > + to add job > Set time and select "Issue a reboot".  If you also want to do automatic updates there is also a job for "automatic firmware update".  Hope that helps.
