OPNsense
Topics - minime

1
17.1 Legacy Series / Using Proxy also through an OpenVPN connection
« on: February 08, 2017, 05:16:58 pm »
Hi guys,

Might be a simple question for you, but I can't quite figure this out. I have a working Squid for my LAN, but now I would also like to make use of it when connected through an OpenVPN connection. How can I achieve this?

Many thanks,
Minime

2
General Discussion / Living in a not so safe country => call for guidance/advice
« on: January 10, 2017, 11:52:57 pm »
Hi,

Soon I will relocate to a not so safe country. I already have an OPNsense box up and running at the moment, incl. OpenVPN. However, at the moment it is not that important whether I made a configuration mistake or not, but soon I have at least the perceived feeling that it is critical to get it right. Hence I am asking the experts on this forum for guidance, advice and tips. Any help is much appreciated!

Scenario: Living in a not so safe country and getting a secured connection into a safe country
Goal: Routing ALL internet traffic securely from Country B through Country A, while making sure the OPNsense boxes themselves are secured as well

Country A (safe)
  • Modem (1gbit symmetric)
  • Dedicated OPNsense box
  • NAS connected to the OPNsense box

Country B (not so safe)
  • Modem (1gbit symmetric)
  • Dedicated OPNsense box
  • Wireless Router connected to a Switch that is connected to the OPNsense box

Line of thinking
  • Creating a site-2-site OpenVPN connection on the two OPNsense boxes
  • Attaching the Wireless Router to Switch that is connected to the OPNsense box in Country B
  • Mobile devices directly connect to the OPNsense box in Country A

Questions
  • Without an OpenVPN connection I can saturate my 1gbit line (achieving ~950mbit); with an OpenVPN connection I achieve ~350mbit on my current OPNsense box (i5-6200u). Is that to be expected? What system would allow me to saturate the line with an OpenVPN connection? Any experience?
  • Inline Intrusion Prevention System is currently deactivated, as the performance impact is already quite high even without an OpenVPN connection (down to 500-700mbit depending on the activated options). From a security point of view, do you recommend having this feature activated? If yes, in combination with my previous question, what system would allow me to saturate my line, and do you have experience with this?
  • As the configuration options in OPNsense exceed my full understanding and I can't make a mistake here, is there any configuration guidance/recipe for a scenario like mine? No frills, just having a secured connection and secured OPNsense boxes (like login/management, certificates/keys, making sure the system can't get manipulated => read-only system, etc.)?

Many thanks for your support!

3
17.1 Legacy Series / BBR from Linux Kernel 4.9
« on: January 07, 2017, 05:27:53 pm »
Hi,

Will this (http://queue.acm.org/detail.cfm?id=3022184) eventually also be adopted by FreeBSD and consequently by OPNsense?

Best regards,
Minime

4
General Discussion / [SOLVED] Firewall rule question=>Blocking Incoming Traffic 4 Single Destination
« on: November 13, 2016, 06:04:32 pm »
Hi guys,

I don't quite understand why my added block rule (see attached) doesn't only block the traffic for the specified destination (it's my NAS), but all traffic into my LAN. I tried a dozen different combinations (also with Floating Rules) and also made sure that I reset the states and did a reboot afterwards...

What am I missing?

Thanks,
minime

5
General Discussion / [SOLVED] DNS filtering instead of using Squid
« on: November 09, 2016, 02:09:21 pm »
Hi guys,

I might misunderstand the underlying concepts, so pardon me for the following:

I am currently using Squid in transparent mode to block unwanted webpages and advertisements, which works quite well. However, when it comes to SSL-encrypted pages it fails, or rather I don't want to issue a certificate and play MITM... for various reasons.

I wonder now, wouldn't it be possible to have OPNsense run its own DNS service, which forwards to whatever DNS service you actually want to use, for instance your ISP's, BUT first runs the request through your blacklist before handing it over to the actual DNS server?

Many thanks for any comment on this!

6
16.1 Legacy Series / [SOLVED] AES-NI not working? => nope all ok
« on: July 23, 2016, 04:50:17 pm »
Hi,

I tried now with Chrome and IE, but the board seems to have an issue with the toolbar... I can't make use of it and can't format or insert a picture... sorry about that.

It seems that AES-NI is not working; what am I doing wrong?

I have the following system:

Versions: OPNsense 16.1.20-amd64
          FreeBSD 10.2-RELEASE-p19
          OpenSSL 1.0.2h 3 May 2016

CPU Type: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz (4 cores)

I set the "Cryptographic Hardware Acceleration" option to "AES-NI CPU-based Acceleration (aesni)" under System > Settings > Miscellaneous

root@OPNsense:~ # /usr/bin/openssl engine -t
(rsax) RSAX engine support
     [ available ]
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

root@OPNsense:~ # openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 89939962 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 25695979 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 6574131 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 1656024 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 8192 size blocks: 206741 aes-128-cbc's in 3.02s
OpenSSL 1.0.1p-freebsd 9 Jul 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     480932.23k   546757.04k   558085.82k   560874.36k   561615.68k

7
General Discussion / [SOLVED] Squid - Replace message by a single pixel
« on: May 30, 2016, 01:50:36 pm »
Hi,

I have tried to replace the current error message with a single pixel (I also tried with different images), without any luck.

While I am able to change the text message and also the look of the page by editing:

/usr/local/etc/squid/errors/en/ERR_ACCESS_DENIED
/usr/local/etc/squid/errorpage.css
/usr/local/etc/squid/icons

I wasn't able to replace the default icon "SN.png" found in the CSS with something else, nor to replace the message altogether with a single transparent pixel.

What am I missing?

8
General Discussion / [SOLVED] Adblocking as easy as on OpenWRT
« on: April 24, 2016, 05:39:36 pm »
Hi,

First, sorry for the provocative title of my post, but it got your attention, didn't it? :-)

I'm looking for something like this: https://github.com/teffalump/adblock
which is incredibly easy to handle.

I know there is Squid, but it's not as easy to handle as the one referred to above, I think, or am I missing something?

Many thanks!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved