Messages

1

24.7 Production Series / Re: ISP hacked OPNSense Router

« on: November 28, 2024, 12:56:42 pm »

Yepp, IPS is not "fire and forget" but I like to get a feeling for what is going on the various levels-of-trust LANs. Warnings/blockings by Suricata give a feeling if some client tries e.g. to resolve fishy domains or contact known malware IPs.

Problems normally originate from the LAN side and IPS should be active on LAN, not WAN, correct.

2

24.7 Production Series / Re: ISP hacked OPNSense Router

« on: November 27, 2024, 03:48:46 pm »

,,,: "Operative Hektik ersetzt geistige Windstille".

Operative Hektik verdeckt geistige Windstille. ;-)

3

24.7 Production Series / Re: Queries for DNS, not sure what they are for

« on: November 24, 2024, 09:48:51 pm »

Or maybe

System -> Settings -> General -> Networking -> DNS

127.0.0.1

4

24.7 Production Series / Re: DNS Over TLS Broken

« on: November 22, 2024, 09:32:05 pm »

...works just fine and stable here for years. Why complain?

5

24.7 Production Series / Re: DNS Over TLS Broken

« on: November 22, 2024, 08:56:05 pm »

I would never use DoT with less than 4-5 servers configured...

6

24.7 Production Series / Re: [SOLVED] WebGUI reachable from other not allowed interfaces

« on: November 22, 2024, 04:01:23 pm »

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

Well... I have a lots of different subnets. And for some clients the traffic is surely allowed to reach the LAN, depending on the use case of the VLAN/Subnet. But I was still surpised, that its just routed.
Like already mentioned, this is a OPNsense design then. Because with any enterprise FW you do not have this behavior. For a good reason.

But maybe an additional Help-Text would be good to make this clear.
"Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
This is definitely not that clear. At least not to me. Because the initial connection was not coming from the LAN interface ingress.
If you know this behavior, sure its clear then.

If you allow HTTPS to any, I see no good reason why this should not include any random LAN/VLAN in your setup. It might be "surprising", but it's absolutly covered by the general rules of logic ;-)

7

24.7 Production Series / Re: [SOLVED] WebGUI reachable from other not allowed interfaces

« on: November 22, 2024, 03:21:37 pm »

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

8

General Discussion / Re: Where is the log in prompt!

« on: October 31, 2024, 08:48:22 pm »

That's why I proposed booting linux to see which hardware exactly lives in this box... ;-)

9

General Discussion / Re: Where is the log in prompt!

« on: October 31, 2024, 04:48:59 pm »

Serial for serial, VGA if you plan to have a monitor pluged in (from time to time).

Haven't tried recently installing with only one interface.

There should be a login promt at that stage, as can be seen here:

https://docs.opnsense.org/manual/install.html

under "Live Environment"...

10

General Discussion / Re: Where is the log in prompt!

« on: October 31, 2024, 03:49:50 pm »

Try to install your favourite linux (or BSD, if applicable) distro and have a look for the details of the hardware. Post info...

11

General Discussion / Re: Champagne anybody?

« on: October 31, 2024, 09:01:57 am »

Auja! Wir verlinken hier die schönsten Kommentare vom Heise-Forum! Dafür sollten wir ein eigens Board einrichten! :-D

12

General Discussion / Re: Champagne anybody?

« on: October 30, 2024, 11:35:40 am »

Can we summarize the discussion:
ipv6 is perfect, just the users are to dull to realize it?

A solution to the problem "smartphone", nothing else. Hmm, imho it's not worth the trouble.

13

24.7 Production Series / Re: Can't extract latest ISO after download

« on: October 29, 2024, 05:50:02 pm »

Checked the sha256sum of the downloaded file?

Downloaded from Courier and

Code: [Select]

bunzip2 OPNsense-24.7-vga-amd64.img.bz2
works flawlessly.

14

General Discussion / Re: Champagne anybody?

« on: October 29, 2024, 04:27:06 pm »

...too much champagne now? :-O

15

24.7 Production Series / Re: How edit or delete sshlockout firewall rules?

« on: October 29, 2024, 02:48:47 pm »

openAI?