Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - datenimperator

Pages: [1]

German - Deutsch / DNS AAAA Filter möglich?

« on: October 13, 2018, 04:08:50 pm »

Hallo zusammen,

ich verwende ein Dual Stack Setup mit HEnet IPv6, da mir Unitymedia keinen nativen IPv6 Support bietet. Das klappt auch alles prima. Nur Netflix gucken kann ich nicht, und das liegt daran, dass deren Hosts IPv6 DNS-Adressen haben und Netflix HEnet als Proxy klassifiziert und den Zugang blockt.

https://forums.he.net/index.php?topic=3566.0

Es gibt viele Lösungsansätze, am vielversprechendsten ist es, die DNS Antworten zu filtern, sodass Clients für gewisse Netflix-Domains nur noch A Antworten erhalten und keine AAAA Einträge mehr.

Es gibt Anleitungen, wie man diese Domains an einen separaten DNS Server (zB BIND) delegiert und diesen anweist, keine IPv6 Ergebnisse auszuliefern. Ich frage mich: Geht das auch ohne separaten DNS Server? Kann das die opnsense allein? Fällt jemandem was dazu ein? VG

Christian

17.7 Legacy Series / PHP error on 17.7.9?

« on: December 13, 2017, 10:59:04 am »

Hi,

my 17.7.9 install reports errors like this:

Code: [Select]

[07-Dec-2017 15:15:01 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/etc/inc/filter.inc on line 1640

Is this something with my installation, does it require me to do something? Regards

Christian

17.1 Legacy Series / Filtering by MAC address

« on: March 21, 2017, 07:47:31 am »

It'd be great if I could use MAC addresses in alias lists, e.g. for filter rules by source. Usecase: Restrict access for certain devices on the network, no matter what IP address they use.

I understand that there is a way using the captive portal to achieve something similar but it feels rather complicated. One could also use static DHCP assignments although this would be trivial to circumvent. As I understand, FreeBSDs ipfw is capable of filtering by MAC address [1] although I'm not sure how opnsense builds on ipfw (or pf). Also I see that spoofing of MAC addresses is possible, although it's probably a little harder than just requesting/configuring another IP address.

Any thoughts on this? Regards,

Christian

[1] https://www.freebsd.org/cgi/man.cgi?ipfw(8)

17.1 Legacy Series / Blocked traffic from LAN

« on: February 14, 2017, 11:15:58 am »

Hi,

I've started to use Graylog to analyze opnsense logs and others, and it occurred to me that lots of blocked traffic originates from our local lan. This puzzles me since our LAN has exactly those 3 rules:

Anti-Lockout Rule
Default allow LAN to any rule (IPv4)
Default allow LAN to any rule (IPv6)

Why is traffic from LAN blocked on our firewall? Regards

Christian

ps: Where do I find documentation on the log format opnsense uses? Read: It logs a number of values separated with comma. Where can I find the attribute names?

General Discussion / Separate guests on subnet from each other

« on: November 24, 2016, 05:42:18 pm »

I'd like to set up rules on a subnet so that hosts on that network may access the gateway ip and external IPs but not each other. opnsense is the gateway for that /24 subnet as well as DNS forwarder. Is there a way to set this up? Regards

Christian

Pages: [1]