Topics - labsy

1
Hardware and Performance / Disk 109% full, how to increase size
« on: February 24, 2022, 10:30:25 am »
Hi,

My OPNSense 19.1.10_1-amd64 is running FreeBSD 11.2-RELEASE-p10-HBSD as a VIRTUAL MACHINE on an ESX 6.5 server. It says DISK USAGE: 109% (100G/100G)

I dunno how this is even possible, and it is still running, but I will obviously need to act NOW.

Please...I have only copy/paste Linux knowledge - any reliable instructions on how to resize the disk?

2
22.1 Legacy Series / Should I migrate 19.1. to 22.1 performance wide?
« on: February 02, 2022, 07:33:14 pm »
Hi,

I have 19.1 on an ESX 6.5 server and yes, it's working. A lot of rules, a lot of NAT translations, and a lot of blocklists (aliases, external lists). Cannot auto-upgrade to any newer version, dunno why, but it does not work.

I am thinking about manually rewriting all rules to the 22.1 version.
What do you think - will there be any benefit performance-wise or security-wise?

3
21.7 Legacy Series / Any performance gain from 19.1 to 21.7 version?
« on: September 14, 2021, 09:48:49 am »
Hi,

I have production on the 19.1 version on this:
- Host is a FUJITSU server on ESX 6.7.0 Update 2
- OPNSense is 19.1 with approx. 4000 active states on average
- it has some 40 NAT rules
- it also has quite large BLOCKLISTS in FW Aliases (loading external files of up to 4000 IP addresses to block)
- WAN is 1 Gbps bandwidth in a datacenter

What do you think - will I gain or lose performance-wise if I upgrade to 21.7?
It is a PITA, because I will "upgrade manually", meaning I need to rewrite by hand all rules and settings. Auto upgrade is not possible.

4
Intrusion Detection and Prevention / [SOLVED] How often is ALIAS URL table refreshed, if ever?
« on: January 09, 2020, 11:15:10 pm »
Hi,

Related to this: https://forum.opnsense.org/index.php?topic=15226.0 I am wondering whether the ALIAS URL table, pulled from an external source, is ever refreshed?

I have it configured to pull bad IPs to block from an external URL, but if I manually inject one testing IP there, it does not get blocked, not after 1 hour, not after 1 day.
So I guess either the list never gets updated, or maybe the CRON job for this update is not configured.

Any idea where the refresh rate (update) can be set?

5
Intrusion Detection and Prevention / How to check if Firewall blocking rule is working?
« on: December 07, 2019, 11:03:39 pm »
Hi,

I have a kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and Wordpress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from those website plugins (mysql) and inject them via a TXT table into a firewall ALIAS table.
If anyone is interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if the firewall is really blocking these IPs.
Where can I see LOGS, if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?

6
19.7 Legacy Series / Large IP Blacklists...performance impact?
« on: April 22, 2019, 01:27:31 pm »
Hi,

I am thinking about aggregating all IP blacklists from various web sites (WP, Joomla, custom builds...), which write logs of attacking (brute-force, dictionary attacks...) IP hosts/addresses into a database. I have a script in PHP to extract IPs from the database for the past 7 or 14 days.
Then I plan to try/test retrieving these into a Blocked ALIASES list of OPNSense.

Now, since this list will contain hundreds or even thousands of IP addresses, I am wondering how a BLOCK ALIASES list of 1000s of entries would affect firewall performance?

7
18.7 Legacy Series / Each update hiccups upon reboot
« on: January 19, 2019, 05:52:29 pm »
Hi,

With the last 2 versions 18.x, upon update I had problems when rebooting. The firewall got stuck on some disk mapping/mounting (or something disk-related...I do not know where to find that info) and was able to boot properly after some 3-4 soft-resets. The console showed it stuck on initializing or mounting some device, I do not remember which one exactly, but it was always a DIFFERENT stuck point.

Once it booted, then it worked fine, fast, no problems, and consequent reboots did NOT cause further problems.

I am running on ESX 6.5 with Virtual SCSI disk controller.
VMWare tools are (probably?) installed, but still for past 2 years I see constant warning in ESX GUI: "The configured guest OS (FreeBSD (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11.1-RELEASE-p18). You should specify the correct guest OS to allow for guest-specific optimizations."

Is there something slightly wrong with my config, or has the OpnSense kernel changed in the past version?

8
18.7 Legacy Series / Create DNS override TXT records for ACME-02 LE challenge
« on: January 17, 2019, 12:03:49 am »
Hi,

Is it somehow possible to create an Unbound DNS override for a TXT record? I only see A (AAAA) or MX record overrides.
Adding custom TXT records locally would be super useful for the DNS ACME-02 challenge to generate wildcard LE certificates locally.

9
19.1 Legacy Series / Get back the Apply changes warning stripe on top
« on: December 23, 2018, 05:05:32 pm »
Hi,
Just my 5 cents - the "Apply changes" warning stripe on top in previous versions was annoying, but now I see it was VERY HANDY and USEFUL! Now I am on the 18.7 version and I really miss this annoying warning, as I am never 100% sure whether I applied/saved the settings or not.
So my suggestion is to come back with some similar functionality in further releases.

10
18.7 Legacy Series / suricata.log: Operation not supported by device
« on: September 09, 2018, 06:16:20 pm »
Hi,

I think after updating to 18.7 I see on terminal screen:
syslogd: /var/log/suricata.log: Operation not supported by device

Did this come from the update?
Is this critical?

11
Intrusion Detection and Prevention / Integration with Mail, Joomla, Wordpress security
« on: April 02, 2018, 02:52:32 pm »
Hi,

I host hundreds of Wordpress, Joomla and other web sites behind an OPNSense firewall. Besides those, I also have a few MAIL servers here.
Now, some of the web sites have good security measures via plug-ins, which detect brute-force attacks, some web sites use public black lists of compromised IP addresses to prevent access from them...while other web sites do not have any of those.

My idea is to somehow connect those best security mechanisms of Wordpress, Joomla and others and then use "I don't know which mechanism" to block those attackers at the OPNSense entry level, so I would prevent those hackers from attacking ANY of my web sites and from accessing ANY of the mail servers which are behind my OPNSense.

Any ideas?

12
17.7 Legacy Series / Reverse traffic problem
« on: December 29, 2017, 12:14:55 am »
Hi,

Does anybody have a clue about my specific problem?
It's about DNS (or any other traffic), where packets originate from within the LAN, then go to the WAN adapter and return back into the LAN for the destination - it seems those are rejected.

For example, I have 3 DNS servers:
- DNS 1 is on LAN, behind OpnSense
- DNS 2 is on LAN, behind OpnSense
- DNS 3 is on different WAN subnet
I have ALL DNS servers configured to sync to each other's PUBLIC WAN IP address.
- Syncing between DNS1 or DNS2 and DNS3 (and vice versa) is OK.
- But between DNS1 and DNS2 it does not happen. I must configure DNS1 and DNS2 manually to sync using LAN IP addresses, not WAN...then sync is OK.

I guess OPNSense blocks the DNS traffic on port 53 if it originates from the LAN and is destined via WAN back to the LAN.

Any idea, what rule must I add to allow such traffic? (for DNS 53 port only)

13
17.1 Legacy Series / How to handle IPS properly
« on: June 27, 2017, 11:46:42 pm »
Hi,

I am looking at IPS rules and I am a bit confused. I do not expect IPS to be a plug-n-play solution, and I know you need to watch the logs and alerts for weeks and months to select the proper rules.
But still...this seems an enormous project!

Correct me if I am wrong:
- first, you need to ENABLE IPS and download rules
- they are all in ALERT only mode
- then you need to watch ALERT logs
- ...and click on EACH SUSPICIOUS log entry, switch rule from Alert to Drop, and click APPLY
- now I've got 1 of gozillion rules in real action

- then also many rules have direction $HOME_NET any -> $EXTERNAL_NET... I do not need those, because I protect only incoming traffic. But I can only see the rule direction when I click on the rule, then click on the description link. That's time consuming, very time consuming.

Do I really need to go through all IPS alert entries, one by one, day by day, and click on each rule action from Alert to Drop? Isn't there any preconfigured set of rules for, say, "webhosting" or "home user" or such?

14
17.1 Legacy Series / Protect websites from brute force password guessing
« on: June 27, 2017, 10:10:13 pm »
Hi,

I use OPNSense as the main firewall for my webhosting servers. NOT for browsing, as behind OPNSense there's only a bunch of servers hosting web sites, like Wordpress, Joomla, Magento and others.
Among 300+ websites there's a dozen of my own sites and I can see hundreds of Brute Force attacks and vulnerability scans from all over the world. I can fight and protect by installing some Wordpress or Joomla security plugins, but I would like to mitigate attacks before they reach the website engine - I'd like to configure some protection on the OPNSense firewall for incoming attacks.

I do have most of the IPS rules active, but here's problem no.1:
If I put a rule on ALERT, I need to know the exact source IP to find the alert in the IPS log. I cannot search for, say, "1.2.3.*" or "brute force". Is there some other way to see IPS alerts?

Now problem no.2:
Is there some better plugin or protection method to fight against brute force, password guessing and other attacks at firewall level, without impacting performance too much?


15
General Discussion / [SOLVED] Outbound binding to specific WAN IP
« on: May 28, 2017, 01:45:27 am »
Hi,

I've asked this question elsewhere, so hoping maybe I get answer here.

What's the proper method to specify, for example, that a LAN server with IP xy should use outbound masquerade with WAN IP xz? I have multiple WAN IP addresses and I want each local server to use its own public IP (not all going out via the same IP...especially I want to specify the outbound WAN IP for the mail server).
I have 17.1.6 and I've tried OUTBOUND NAT using a Virtual WAN IP, but no joy. Tried also with a floating NAT rule, direction out, using a different WAN IP as a gateway...but this does not pass traffic to the real WAN gateway, instead traffic is stuck at the WAN port.

I know this is one of the basic functions, but how to approach it?
...or is maybe 17.1.x buggy?

### EDIT ###
It was obviously a bug in the FreeBSD kernel, as the update to 17.1.8 solved the problem instantly:
https://forum.opnsense.org/index.php?topic=5229.msg21189#msg21189
