Topics - epoch

#1
22.7 Legacy Series / Openvpn OTP challenge only?
September 30, 2022, 07:54:24 PM
First off I want to say I enjoy OPNsense 22.7 on PCEngines APU2 tremendously. Thank you, all.

I have recently set up OpenVPN on a gateway (found your howto mostly fine) for the usual remote admin use-case. Works a treat.

I am now setting up another VPN instance for peer-to-peer collaboration between road-warriors. In this case I only rely on certificate-based authentication as I don't really care for creating an unprivileged user in the router for each roadwarrior device.

I would have liked to be able to define in addition an OTP seed for each certificate and use it as password; akin to creating a local user with an empty password+its OTP seed, but bypassing the worrying passwordless user account aspect.
I remember having done that on Linux with the right PAM options.
I believe requiring an OTP code is manageable even in an almost batch setup (nowadays I tend to put VPN clients in containers if I can), and nicely enhances security in case of laptop theft, for example.

Do you think this makes sense? Any takers for this kind of setup besides me?
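The idea in the post above (a per-certificate OTP seed checked in addition to the client certificate) sketched as code. This is an added example, not an OPNsense feature or the poster's code: it assumes a hypothetical hook (OpenVPN's `auth-user-pass-verify` would hand over the certificate common name and the typed password) and uses a constructed seed table; the seed shown is the RFC 6238 reference key so the values are checkable.

```python
"""Certificate-bound TOTP check (RFC 4226 HOTP / RFC 6238 TOTP), example only."""
import base64
import hashlib
import hmac
import struct

STEP = 30       # RFC 6238 time step in seconds
DIGITS = 6
WINDOW = 1      # accept one step of clock skew either way

# Constructed mapping: certificate CN -> base32 TOTP seed. The seed is the
# RFC 6238 reference key "12345678901234567890" in base32 (assumption: the
# CN is whatever the hypothetical hook passes from the client certificate).
SEEDS = {
    "roadwarrior-laptop": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

# Last time step accepted per CN, so a code observed once cannot be replayed.
_last_step = {}


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, int(at) // step, digits)


def verify_otp(common_name, code, now):
    """True iff `code` is a fresh TOTP for the seed bound to `common_name`.

    Unknown CNs fail closed; a matching code is only accepted once per time
    step (and never for a step older than the last accepted one)."""
    seed = SEEDS.get(common_name)
    if seed is None:
        return False
    secret = base64.b32decode(seed, casefold=True)
    current = int(now) // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        step = current + delta
        if hmac.compare_digest(hotp(secret, step), code):
            if step <= _last_step.get(common_name, -1):
                return False      # replayed or older than an accepted code
            _last_step[common_name] = step
            return True
    return False
```

The password field would carry only the OTP, the certificate still does the identification, and a stolen laptop with the certificate but without the phone or token that holds the seed cannot connect; the replay guard matters because `auth-user-pass-verify` sees the same code on every reconnect within the 30 s window.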

#2
Hi all.
I've been asked to look into an IPS for a small LAN.

The need is for an active type of thing that would block traffic. I imagine the platform needs to be installed behind the router, running the IPS process over an anonymous bridge, correct?

Do you think a gen-9 PowerEdge running OVPN, with 2xDual Core 51xx Xeon, and the dual Broadcom NetXtreme II Gigabit ethernet interface can be a good (transparent) platform?

Thanks in advance for your advice.
#3
As an aside to my previous question, I have noticed on both 17.7.12 and 18.1.6 that a strange gateway is created by OPNsense when using a client tap OpenVPN daemon bridged to an anonymous (no IP) bridge.

The thing is called "OVPN_VPNV4 Gateway" (or VPNV4 Gateway?) and I have no idea which purpose it serves.
I tried deleting it and it comes back stubbornly in the list of gateways. Since it is created, renaming it is not possible either.
However it is possible to disable it, which hides it from the Dashboard. That's what I elected to do.
#4
Hi there.
I was asked to setup a site to site bridge between 2 sites with identical networks. The router at each site is an APU2 running OPNsense 17.7.x.

I elected to use OpenVPN over an anonymous bridge in order to avoid the routing issue.
On 17.7.12, my remote clients were able to get a DHCP lease from the other side, but then they couldn't ping anybody except their neighbours on the switch.
I traced that down to my use of a VLAN over igb1 as a bridge member. As soon as I used a VLAN-free opt1 (igb2) interface, my clients were ok.

I've found a rather old thread (15.7 ?) relating to issues using VLANs as bridge members.
I didn't test with 18.1, I would like to know if someone can confirm the issue still exists, and if there is a workaround?

Thanks!
#5
This just happened to me...

I wanted to check the settings for an OpenVPN server, while using the tunnel at the same time.
I don't know why but I am attracted to the "play" icon in the list of tunnels.
A swift click to the left of that line instead of the right and I promptly shot myself in the foot by disabling the tunnel :o

Would you consider adding a confirmation step when disabling a server config?
Thanks!

(I will survive, the server is not too far away.)
#6
In 17.7 I was using aliases like this:
- "TCP_web" -> 80,443
- "TCP_hostX_allowed" -> 1194,TCP_web

It looks like this is no longer working in 17.7.8-i386?
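The nesting the post above relies on (an alias that lists both plain ports and another alias), written out as an expander with the checks a firewall would need. Added example, not OPNsense code: the alias table is constructed from the two aliases in the post, and the `a:b` range syntax is assumed to mean an inclusive port range.

```python
"""Expand nested port aliases into a flat port set, with cycle detection."""

# Constructed from the two aliases in the post.
ALIASES = {
    "TCP_web": ["80", "443"],
    "TCP_hostX_allowed": ["1194", "TCP_web"],
}


def _port(value):
    """Parse a single port, rejecting anything outside 1..65535."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return port


def expand_alias(name, aliases=ALIASES, _seen=frozenset()):
    """Return the set of ports `name` covers, following nested aliases.

    Raises ValueError for an undefined alias, a reference cycle, or a bad
    port or range entry, so a broken alias never silently matches nothing."""
    if name in _seen:
        raise ValueError(f"alias cycle through {name!r}")
    if name not in aliases:
        raise ValueError(f"undefined alias {name!r}")
    seen = _seen | {name}
    ports = set()
    for entry in aliases[name]:
        if entry in aliases:                  # nested alias
            ports |= expand_alias(entry, aliases, seen)
        elif ":" in entry:                    # assumed inclusive range a:b
            lo, hi = (_port(x) for x in entry.split(":", 1))
            if lo > hi:
                raise ValueError(f"inverted range: {entry!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(_port(entry))
    return ports
```

Failing loudly on an undefined or cyclic alias is the point: a rule whose alias expands to an empty set matches no traffic, which on an allow rule looks like an outage and on a block rule looks like nothing at all.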
#7
I am looking at a LAN that uses a 239.X.X.X multicast address to convey alarms generated by users or machines.
I thought I would take advantage of OPNsense's reliability and great GUI to log and display alarms the firewall hears passing on the LAN interface.
Of course looking into the frames and parsing alarms details (sender, cause, scope) would be great.

For now, the only thing I have in 17.7 is a floating rule that matches the address and UDP port, and logs the hit in the firewall's log...

Let's say the final goal is a public access monitoring page, showing alarms details, with some alarms hooked to email notifs (etc.), and log retention for 30 days.
How would you do it in OPNsense?
#8
(original thread)
With 17.7, here is how to set up OpenVPN in bridged mode. In this case this is for a "server", but this works for peer-to-peer mode as well.
I've run it lightly for a few days, I see no issue related to the bridge. As you'd expect DHCP comes across.

First, how not to: make a backup, and have an optional interface active so that you can keep control of the firewall at all times. I managed to lock myself out, and if it wasn't for the awesome backup restore option on the console, I would have had to factory reset my install...

Ok, start:

  • Interfaces: you need to have one interface assigned and enabled, set its IPv4/v6 config to "none". Let's say the interface is "LAN", I have renamed it "_LAN".
    Then in "Other Types", create a bridge, choose "_LAN" as its unique member, assign that interface, enable it and give it an IP configuration and a name. I chose to call that bridge "LAN"
  • In VPN>OpenVPN create a server, device "tap", set your crypto options, don't specify any tunnel or client settings (unless some are dear to your heart), and in "Advanced" just put: "mode server" (no quotes). Hit Save.
    The OpenVPN daemon starts, it looks happy but in fact it is *not* bridged to "LAN".
  • Come back to Interfaces, assign and enable the newly created interface "ovpns1", IP config set to "none". I renamed this interface "_TAP".
  • Now in Other Types, revisit the definition of Bridge0 (aka "LAN") and add interface "_TAP" as a member.
  • Your OpenVPN daemon is really bridged now. Go back to VPN and restart your server.
  • In System>Settings>Tunables I've set net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1. Otherwise you have to repeat rules on each interface member (+the bridge itself?) to allow traffic between members of the bridge.

I would advise rebooting, and then you should have OpenVPN running in bridged mode. The DHCP server operating on the "LAN" interface will take care of connecting clients.
You can override that and have OpenVPN serve DHCP leases itself. I don't like this faux-DHCP featureset much, and I don't think it is faster than the DHCP server built in OPNsense.
If the tunnel is too slow for clients to negotiate a DHCP lease, I'd consider a secondary DHCP server on the remote side, or simply a manual IP config for clients' tap interfaces (OpenVPN can also "push" these, YMMV according to the OpenVPN client type you're using.)

In the firewall rules you will now have an empty "OPENVPN" tab. If you look at the end of the thread I linked at the top of this post, you'll see admin Franco says the tab is useful. I think it is useless in this case, I just leave it alone empty.

HTH
#9
17.7 Legacy Series / Infinite DHCP lease?
August 06, 2017, 03:56:35 PM
I would like to set a few hosts with an infinite DHCP lease on the LAN.
In dnsmasq I would set "infinite" next to the host entry.
Although I don't use ISC DHCPD much, I've read that setting the requested value to '-1' should do the trick.
In the web interface, -1 is not valid.

Is it possible to specify an infinite lease?
NB: Very minor issue for me. 1d is good enough and the target hosts will probably be set to static IP anyway --although not by me ;)

Edit. To be clear: my question is about lease infinite duration.
#10
Hi.
I need to put an APU2C4 in double-NAT mode (simpler and safer) behind some nondescript DSL box: box LAN IP 192.168.255.1, APU WAN IP 192.168.255.254, APU LAN IP 192.168.1.1

I want to run every service from OPNsense and the APU, and this includes OpenVPN for which I need a well-known address. The DSL box has a floating IP address.
I've looked at the dyndns plugin, but this one wants to monitor an interface that is on the LAN, so it won't do.
Instead I've read here a discussion about running a script via cron. This looks fine to me.

The script I would run is dnsactual.sh, I haven't tried it yet but it looks simple enough.
I have 2 questions :
- Where should I put that snippet on the local disk, so that it doesn't interfere with OPNsense but doesn't get wiped out at the first upgrade?
- In System>Cron I see a nice GUI but I don't see how to input a custom script. If I use the crontab facility from the command-line, will that resist an update/upgrade?

Thanks in advance. 17.7 looks pretty good so far!
#11
Hello all.
I have a new APU2C4 running 17.1.11 (very smooth install process) and I am back to looking at the state of OpenVPN in kernel bridged mode.

I start with 3 interfaces activated and assigned: LAN, WAN, OPT1.
I want an OpenVPN server that uses a tap device that gets bridged to the LAN. I don't want any fancy features offered by OVPN, I want my clients to use the regular DHCP, DNS etc. available on the LAN.

I've selected WAN as the value for option "Interface", I understand this is the address OVPN listens on.
I can select "tap" as the OVPN device. But what then?
There is a "bridge interface" option in settings, it is stuck to "none".
I don't understand the help text that comes with it: "The interface to which this tap instance will be bridged. This is not done automatically. You must assign this interface and create the bridge separately. "

I created a bridge, added LAN to it, even added a half-baked ovpns1 interface that got somehow created, that didn't help and overall it doesn't make much sense.

Can I bridge an OpenVPN tap and the LAN interface? How?

Thanks in advance.
#12
I apologize for not visiting often the forums...
There is still a little bit of time for new year wishes, so all the best to OPNsense and its team for 2017.

I came across 2 threads about ARM/RPi, I just want to say a build for Rpi3 would be huge.
I dwell around the raspberrypi forums quite a bit, and I predict an OPNsense distro could save the bacon of quite a few youngsters and their family networks ;)
I think RPi3 should be a primary target platform because setting up an AP is a common need, and that is not so simple for beginners under Linux. Another sore point is setting up NTP (the Pi does not have an RTC clock). And general security of course, many Pis are run headless with ssh enabled (and not really secured.) You get the picture.

Availability would be great news. Do not miss announcing on Raspberrypi's forums when the time comes.
I'll try to pass by more often and see if I can kick the tires of a beta (for RPi 3 or RPi2)
Cheers!
#13
I want to monitor how my openvpn (created outside OPNsense) tunnel fares.
For this I have defined the LAN IPs of both vpn server ends as gateways.
Generally speaking it looks like it's working. A reload on the web interface is needed to flip from "offline" to "online", but the rest of the information refreshes without reload.

However I don't understand what it reports. From the firewall I have a very stable ping at ~45ms to a remote tunnel endpoint. But the dashboard never shows an RTT value that resembles that.

I would like to ping my remote endpoints either every 30 secs or 60 secs, and local endpoints either every 10 secs or 30 secs.
What kind of parameter values should I enter in settings to get a reasonably accurate report?
#14
I have setup OPNsense 16.1.12-amd64 to use the following servers:
127.0.0.1
208.67.220.220
208.67.220.222
8.8.4.4
8.8.8.8

DNS resolver is not configured (I don't know that I need it.)
DNS forwarder is configured as this:
Enable DNS Forwarder [X]
Register DHCP leases in DNS forwarder [X]
Register DHCP static mappings in DNS forwarder [X]
Resolve DHCP mappings first [X]
Query DNS servers sequentially [X]
Require domain [X]
Do not forward private reverse lookups [  ]
Listen Port [  ]
Interfaces [All]
Strict Interface Binding [  ]

Domain Overrides:
lan   192.168.1.253   Authoritative DNS on dns.lan
1.168.192-in.addr.arpa   192.168.1.253   Authoritative DNS on dns.lan - Reverse
(along with other "!" domain entries to selectively block forward or reverse lookups forwarding)

In dnsmasq logs I can read this:
Apr 30 13:35:43   dnsmasq[22219]: read /etc/hosts - 9 addresses
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 8.8.8.8#53
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 8.8.4.4#53
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 208.67.220.222#53
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 208.67.220.220#53
Apr 30 13:35:43   dnsmasq[22219]: ignoring nameserver 127.0.0.1 - local interface
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain foo
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain bar
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain baz
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain qux
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain 172-in.addr.arpa
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 192.168.1.253#53 for domain lan
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 192.168.1.253#53 for domain 1.168.192-in.addr.arpa
...

When I ask for a reverse lookup for, say, 192.168.1.252 in the firewall logs, I only get "cannot resolve."

This works from any other host on the LAN, eg:
$ dig +nocmd +noquestion -x 192.168.1.252
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26031
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
252.1.168.192.in-addr.arpa. 1800 IN   PTR   odessa.lan.

;; Query time: 0 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sat Apr 30 13:43:05 2016
;; MSG SIZE  rcvd: 68

I went to the shell on OPNsense. I can resolve forward:
# dig +nocmd +noquestion odessa.lan
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54598
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; ANSWER SECTION:
odessa.lan.      1625   IN   A   192.168.1.252

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 30 13:48:45 CEST 2016
;; MSG SIZE  rcvd: 55

But the reverse lookup gives this:
# dig -x 192.168.1.252

; <<>> DiG 9.10.3-P4 <<>> -x 192.168.1.252
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41946
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;252.1.168.192.in-addr.arpa.   IN   PTR

;; AUTHORITY SECTION:
252.1.168.192.in-addr.arpa. 10800 IN   SOA   localhost. nobody.invalid. 1 600 1200 604800 10800

;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 30 13:46:10 CEST 2016
;; MSG SIZE  rcvd: 114

How can I get OPNsense to forward reverse lookups to other private DNS servers?
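One thing worth checking against the output above: the reverse override is listed, both in the settings and in the dnsmasq log, as `1.168.192-in.addr.arpa`, while the name `dig -x` actually asks for is `252.1.168.192.in-addr.arpa.` (the dnsmasq answer also carries the `localhost. nobody.invalid.` SOA it synthesises for unforwarded reverse lookups). dnsmasq picks a `server=` for a query by matching the override domain as a label-wise suffix of the query name, so a domain spelled differently from the real zone never matches. The code below, an added example that is not part of the post and not OPNsense or dnsmasq code, derives the `in-addr.arpa` zone name from the prefix and applies that suffix match to the override table exactly as it appears in the post and to a corrected copy.

```python
"""Reverse-zone naming and dnsmasq-style domain override matching."""
import ipaddress


def reverse_zone(cidr):
    """in-addr.arpa zone for an IPv4 prefix on an octet boundary,
    e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa"""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 8:
        raise ValueError("prefix must be a multiple of 8 for a plain in-addr.arpa zone")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_name(addr):
    """The PTR query name for a host, the same name `dig -x` sends."""
    return ipaddress.IPv4Address(addr).reverse_pointer


def matching_override(qname, overrides):
    """Longest label-wise suffix match of `qname` against the override
    domains, which is how dnsmasq chooses a server= entry for a query.
    Returns (domain, server) or None when no override applies."""
    labels = qname.rstrip(".").lower().split(".")
    best = None
    for domain, server in overrides.items():
        dl = domain.rstrip(".").lower().split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl:
            if best is None or len(dl) > len(best[0].split(".")):
                best = (domain, server)
    return best


# Override table copied from the post (constructed input for the example).
POSTED_OVERRIDES = {
    "lan": "192.168.1.253",
    "1.168.192-in.addr.arpa": "192.168.1.253",
}

# Same table with the reverse domain derived from the prefix instead of typed.
FIXED_OVERRIDES = {
    "lan": "192.168.1.253",
    reverse_zone("192.168.1.0/24"): "192.168.1.253",
}


def where_would_it_go(addr, overrides):
    """Server a PTR query for `addr` would be forwarded to, or None if
    dnsmasq would answer it locally (the SOA for localhost. seen above)."""
    match = matching_override(ptr_name(addr), overrides)
    return match[1] if match else None
```

The forward name `odessa.lan` matches the `lan` override, which is consistent with the forward lookup succeeding from the firewall; the PTR name only matches once the reverse domain is spelled as the zone really is named. Keeping the domain derived from the prefix (rather than typed) is the cheap way to avoid this class of mismatch.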