Topics - BenKenobi

#1
22.1 Legacy Series / Loadbalancing - still broken
June 19, 2022, 09:50:46 PM
Thought I'd give OPNSense another shot but load balancing still won't work - PFSense load balancing works out of the box and is a breeze to configure compared to OPNsense. Even if configured to the letter OPNsense makes no attempt whatsoever to balance load - yes, even with the appropriate gateway set in the 'all LAN traffic' rule, all traffic is pushed on the default regardless.

All the guides I have read to make load balancing work in OPNsense require the use of Unbound - I don't use it and have no intention of doing so - I run my own internal DNS / DHCP systems.

There's a lot to like about OPNsense but this is a showstopper for me.

Is there a solution to make load balancing work without Unbound OR any kind of gateway monitoring?
#2
I need a server behind the firewall to use a specific gateway but no longer seem able to.

Just rebuilt the firewall on new hardware but now I can't add a rule to force a specific internal IP to leave by a specific gateway - the firewall says outgoing connections cannot use policy-based routing - what kind of ridiculous nonsense is this?

Is there any solution, or is it time to put my Cisco 1900 back in service?
#3
20.1 Legacy Series / Load Balancing & Priorities
March 01, 2020, 06:47:28 PM
I have two WAN connections. I have tried numerous times to get load balancing working 'reliably', but although I can get it to function, performance is far from satisfactory; DNS becomes unreliable and unacceptably slow.

I can configure load balancing, but I run my own DNS server; I don't see why I should need to configure ANY DNS rule in the firewall to get load balancing to function, but if you don't then no outgoing connections are possible at all. I neither need nor desire any of the DNS facilities offered by OPNSense or FreeBSD, and I can't even fathom why load balancing would require a DNS rule unless the implementation of load balancing is flawed.

I decided therefore that I'd do some manual balancing by changing gateway priorities - i.e. 255, 254, 253 ... where the lowest number is supposed to be the highest priority and therefore used. Even after a reboot and clearing states, the system flat refuses to use the lowest number unless I disable the other connection (with a priority of 255) entirely, and seems to take the default to be the lowest / first defined 'physical' WAN NIC.

Although I have a different priority set for each WAN and 'Allow default gateway switching' is enabled, the system ignores the priorities and sticks to the gateway with the highest number, i.e. 255.

This is starting to get a tad frustrating - this load balancing hasn't worked reliably since V19.
#4
19.1 Legacy Series / NAT and Floating rules
May 22, 2019, 02:52:27 PM
Can somebody have a look at priorities for blocking traffic vs port forwarding / NAT?

I've just spotted this in my email server logs

lost connection after CONNECT from house.census.shodan.io[89.248.172.16]

but house.census.shodan.io is in a block list (alias configured as URL (IPs) and allocated to a floating block rule applied to all interfaces). The fact that this log entry exists tells me that something isn't working - Shodan should have been blocked.

I don't want to debate the value of blocking such people - I don't invite strangers into my house to look around - this kind of intrusive scanning is no different to me.

I've also seen some 'attack blocked' notices to port 80 on a system from Kaspersky but considered Kaspersky at fault as there is no port 80 forwarding to that system - now I'm not so sure OPNsense is doing what I expect.

For now I've moved the block rules to the interfaces and put them before any NAT-generated rules; I'll be a bit disappointed if I see entries that I shouldn't in event logs going forward.
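A small audit script, added here as an example and not part of the post or of OPNsense, for the situation described above: it takes Postfix smtpd log lines of the shape quoted in the post, extracts the client address, and reports any client that falls inside an alias-style block list (hosts or CIDR blocks). A single hit is evidence that the firewall rule did not stop what the alias says it should. The block-list entries and all log lines except the quoted Shodan host are constructed.

```python
import ipaddress
import re
from typing import Iterable

# Constructed block list in the shape of an "URL (IPs)" alias: one /24 that
# covers the 89.248.172.16 address quoted in the post, plus a single host.
BLOCKLIST = [
    "89.248.172.0/24",
    "198.51.100.7",
]

# Constructed Postfix smtpd lines; the first one mirrors the entry in the post.
SAMPLE_LOG = """\
May 22 11:03:41 mx postfix/smtpd[2201]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
May 22 11:04:10 mx postfix/smtpd[2207]: connect from mail.example.net[203.0.113.25]
May 22 11:05:02 mx postfix/smtpd[2209]: disconnect from unknown[198.51.100.7] ehlo=1 quit=1 commands=2
May 22 11:05:30 mx postfix/smtpd[2211]: lost connection after CONNECT from unknown[2001:db8::10]
"""

# Postfix writes the client as "hostname[address]"; the address may be v4 or v6.
_CLIENT_RE = re.compile(r"from (?P<host>\S+)\[(?P<addr>[0-9a-fA-F.:]+)\]")


def load_networks(entries: Iterable[str]):
    """Turn alias entries (single hosts or CIDR blocks) into network objects;
    a bare host address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_address(line: str):
    """Return (hostname, ip_address) for a line that names an SMTP client, else None."""
    m = _CLIENT_RE.search(line)
    if not m:
        return None
    return m.group("host"), ipaddress.ip_address(m.group("addr"))


def is_blocked(addr, networks) -> bool:
    """True if the address lies inside any block-list network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)


def leaked_connections(log_text: str, entries: Iterable[str]):
    """(hostname, ip) pairs that reached smtpd although they are on the block list."""
    networks = load_networks(entries)
    leaks = []
    for line in log_text.splitlines():
        parsed = client_address(line)
        if parsed and is_blocked(parsed[1], networks):
            leaks.append((parsed[0], str(parsed[1])))
    return leaks


if __name__ == "__main__":
    for host, ip in leaked_connections(SAMPLE_LOG, BLOCKLIST):
        print(f"reached smtpd despite block list: {host} [{ip}]")
```

Run it against the real mail log and the downloaded alias contents after changing rule order; an empty result is the expected outcome once the block rules sit ahead of the NAT-generated ones.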
#5
General Discussion / Anyone configured an MTA
July 04, 2018, 12:00:14 PM
Has anyone here configured an MTA using OPNSense and the packages os-postfix and os-rspamd?

How did you deal with the potential for backscatter?

http://www.postfix.org/BACKSCATTER_README.html

I currently run an old version of PFSense with Postfix internally as an incoming relay for all incoming port 25 traffic; I do not use it for sending and never will. I use header and body checks to detect forged headers where those headers actually contain my domains as the sender (such mails will NEVER come from 'outside').

There are a few things that I'm not seeing in the OPNSense implementation, the principal one being no way to detect forged domain headers (check out the Postfix 'backscatter' link).

I still don't see the opportunity anywhere (in what I use now or in the OPNSense implementations) to decline any response whatsoever. Basically, I don't want my mail server to respond with any 2xx/4xx/5xx messages if the sender is not legit - I just want an option to drop the message into a black hole, so that in scenarios such as when no valid recipient exists the system does not respond with a friendly 'unknown user'. In such cases I don't want a response of any kind - this and rate limiting would go a long way to prevent brute-force type harvesting, since spammers can no longer blanket a server with random names and check the responses (harvesting).

That said, my biggest concern is stopping backscatter - any tips on how to achieve this with the OPNSense implementations?

#6
In the latest 'update' notice I see this phrase

"Three mentionable changes are included: We are switching back to single-source NAT on the primary IP instead of using all additional VIPs on the interface. "

What exactly does this mean to me - since I DO use VIPs (well, aliases) - I have an allocation of IPs and I use 4 of them for NAT onto internal servers. I don't use the 'primary' IP for any of this, which I am taking to mean the root IP of the allocation.

If I read this correctly it is 'cannot use VIP for NAT any more' - which is a showstopper for me.
#7
18.1 Legacy Series / Option missing?
March 11, 2018, 01:17:27 PM
Has the option to permit users to save login details in the browser GUI been removed ?

If not, where is it - why does 18.1 now force me to log in all the time? I can't find the option in any settings window to allow this (I know it used to be a setting - been using a form of pFSense or OPNSense for years).

I'm not interested in lectures why saving login details is a bad idea.
#8
General Discussion / IDS / IPS and Mail Traffic
April 15, 2017, 01:25:10 PM
One of the things that brought me to OPNSense was the arrogance of the pFSense team, particularly surrounding the implementation of Postfix as part of a valid firewall IPS / IDS strategy.

Instead of stopping the traffic at the door, 'their' opinion is that I should waste server resources and network by processing such things internally, i.e. setting up an internal Postfix 'filter'.

Afraid I disagree with this philosophy, and whilst it is currently what I'm forced to do, I don't plan this as a long-term strategy.

I don't use Postfix for outgoing e-mail at all - I filter only port 25 incoming to prevent such things as directory harvest attacks, account brute-force attacks, invalid e-mail, i.e. one that fails reverse DNS / SPF validation, and mail to non-existent recipients (such mail just gets black-holed). By implementing this I've cut the amount of 'spam' hitting our mail server by 98% - it never gets to the server.

So is anyone planning to implement a similar solution on OPNSense?

I'd take this on maybe; I can code but I'm no expert on FreeBSD or Linux architectures. I find the configuration inconsistencies between the distros a massive frustration - how many 'etc' folders scattered in how many locations! - and who puts what where just isn't consistent.

If this isn't on anybody's radar, how easy is it to convert an already existing pFSense package (Postfix by Marcelloc) into something viable in the OPNSense arena?
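The border-relay policy described in posts #5 and #8 above (forged own-domain sender headers, unknown recipients black-holed without any SMTP reply, per-client rate limiting), written out as an added Python example. It is not the poster's code and not part of the os-postfix plugin; the local domains, mailboxes and sample messages are constructed, and the reverse DNS / SPF checks mentioned in #8 are not modelled here. In a real deployment the decision function would sit behind a Postfix policy or milter interface, which this example does not implement.

```python
import email
import email.utils
import time
from collections import defaultdict, deque
from email import policy

# Constructed values: the poster's real domains and mailboxes are not on the page.
LOCAL_DOMAINS = {"example.com"}
VALID_RECIPIENTS = {"alice@example.com", "postmaster@example.com"}
# Headers a forger typically stamps with the victim domain; mail arriving from
# the outside world should never claim one of our own domains in any of them.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

# Constructed sample messages.
LEGIT = (b"From: Carol <carol@example.net>\r\nTo: alice@example.com\r\n"
         b"Subject: hello\r\n\r\nhi\r\n")
FORGED = (b"From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n"
          b"Subject: invoice\r\n\r\nplease pay\r\n")


def address_domains(msg, header):
    """Lower-cased domain of every address in the given header (which may repeat)."""
    values = [str(v) for v in msg.get_all(header, [])]
    return [addr.rpartition("@")[2].lower()
            for _name, addr in email.utils.getaddresses(values) if "@" in addr]


def forged_local_sender(msg):
    """Names of sender headers in which an external message claims one of our domains."""
    return [h for h in SENDER_HEADERS
            if any(d in LOCAL_DOMAINS for d in address_domains(msg, h))]


class RateLimiter:
    """Sliding-window cap on sessions per client address."""

    def __init__(self, max_events, window_seconds):
        self.max_events = max_events
        self.window = window_seconds
        self._events = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[client_ip]
        while q and now - q[0] > self.window:   # forget events outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def inbound_policy(raw_message, envelope_rcpts, client_ip, limiter, now=None):
    """Decide what the relay does with a message delivered from outside.

    Returns ("accept", "ok") or ("drop", reason). "drop" means discard with no
    SMTP reply at all, so a harvester learns nothing from the response."""
    if not limiter.allow(client_ip, now):
        return ("drop", "rate-limited")
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    forged = forged_local_sender(msg)
    if forged:
        return ("drop", "forged-local-sender:" + ",".join(forged))
    unknown = [r for r in envelope_rcpts if r.lower() not in VALID_RECIPIENTS]
    if unknown:
        return ("drop", "unknown-recipient:" + ",".join(unknown))
    return ("accept", "ok")


if __name__ == "__main__":
    limiter = RateLimiter(max_events=2, window_seconds=60)
    print(inbound_policy(LEGIT, ["alice@example.com"], "203.0.113.25", limiter))
    print(inbound_policy(FORGED, ["bob@example.com"], "203.0.113.25", limiter))
```

The ordering matters: the rate limit is checked before the message is parsed so a flood costs almost nothing, and the forged-sender test runs before recipient validation so that a forged message never triggers the recipient lookup at all.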
#9
17.1 Legacy Series / Suricata - Working or not.
April 02, 2017, 03:28:52 PM
Running V17.4 OPNSense, upgraded from 16.7 to 17.1 yesterday, then updated to 17.4; no real issues so far other than intrusion detection.

The Suricata service is running but no events are being generated - nothing - so either the internet has become well behaved or something's not right. I've deliberately port scanned my system from 'outside' and nothing is reported. Re-downloading rules makes no difference; I also cannot list the available rules although I can see the configured ones - and .scan is one of those.

I also see this error in syslog when I try to view Suricata events - despite me trying to view events, it seems to be asking for rules.

02-04-2017   14:08:55   User.Error   xxx.xxx.x.xxx   Apr  2 13:08:55 configd.py: [5e357ad1-56f7-40fd-82de-c2817ddc7a07] Script action failed with Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1 at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 477, in execute     stdout=output_stream, stderr=error_stream)   File "/usr/local/lib/python2.7/subprocess.py", line 541, in check_call     raise CalledProcessError(retcode, cmd) CalledProcessError: Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1
OPNSense is also reporting 'port closed' on scans to ports 135 to 139 - I'd rather it didn't report anything but can find no way to stop this response behaviour.