OPNsense Forum
Topics - manuel

1
Intrusion Detection and Prevention / IPS only shows allowed actions in alerts
« on: January 23, 2019, 09:25:36 am »
Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and download all abuse.ch rules daily via cron. I also enabled them and changed Filter to drop. If I check my alerts I can only find log entries with action allowed. I can't find a single blocked action. Strange.

Does my IPS really do its job? How can I test it and force a blocked action?

Thank you very much for your help.

Greetings,
Manuel

2
18.7 Legacy Series / Update to 18.7.10 broke my WAN Interface on apu2
« on: January 09, 2019, 07:12:07 am »
Hello friends
I have two different OPNsense installations in two different locations, each on an apu2d4, which are both connected to a cable modem and the same provider. One box was updated to 18.7.10 automatically this Monday, 7th January. The second box still has 18.7.9 installed and is working fine.

After updating to 18.7.10 I no longer get an IP address on the WAN interface from my provider via DHCP. If I reboot the firewall and go to the dashboard I can see an IP from my provider's range for a couple of seconds. After that, the IP is gone and I only have 0.0.0.0, and in the end there is no IP at all.

I rebooted OPNsense several times and also my cable modem. No luck. I also tried to downgrade with

opnsense-revert -r 18.7.9 opnsense

but then I only get a

Fetching opnsense.txz: .. failed

I checked the release notes from 18.7.10. There are some changes in the code for the interfaces.

I attached my kernel message log and also some ifconfig commands. igb0 is my internal interface and igb1 for WAN.

Thank you very much for your help.

Regards Manuel

3
18.7 Legacy Series / IDS and IPS
« on: October 02, 2018, 09:29:42 am »
Hello
I enabled IPS/IDS according to the how-to "IPS SSLBlacklists & Feodo Tracker". I enabled all abuse.ch rulesets and set the filter to drop. If I check the alerts tab I only see actions which were allowed. Do I have to edit each action manually and change the configured action from alert to drop?

Timestamp                          Action    Interface   Source            SPort   Destination       DPort   Alert
2018-10-02T09:17:28.703243+0200    allowed   WAN         80.218.168.190    53516   23.205.182.44     443     SURICATA STREAM Last ACK with wrong seq
2018-10-02T08:43:02.760728+0200    allowed   WAN         80.218.168.190    60441   203.119.201.255   443     SURICATA TLS error message encountered
2018-10-02T08:43:02.252406+0200    allowed   WAN         203.119.201.255   443     80.218.168.190    60441   SURICATA Applayer Detect protocol only one direction
2018-10-02T08:43:02.252406+0200    allowed   WAN         203.119.201.255   443     80.218.168.190    60441   SURICATA TLS error message encountered

I expected that if I change the Filter action of the rulesets to drop, they would be dropped automatically.

Thank you very much for your help.

Regards Manuel
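The alerts quoted in this post and in the later "IPS only shows allowed actions" thread are Suricata's built-in protocol and stream event rules (stream-events.rules, tls-events.rules, app-layer-events.rules). Those ship with the alert action whatever the abuse.ch rulesets are set to, so they are logged as allowed either way; in IPS mode only a rule whose action is drop (or reject) produces a blocked entry. The following is an added example, not code from the original posts or from OPNsense: it rewrites the action keyword of Suricata rules from alert to drop for chosen SIDs, and it tallies eve.json alert records by SID and action so that a signature which fires but is never blocked stands out. The rule lines, SIDs, addresses and log records are constructed samples, not real abuse.ch content.

```python
import json
import re

# Constructed sample rules in Suricata syntax; SIDs and addresses are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> 198.51.100.10 any (msg:"EXAMPLE Feodo C2 contact"; sid:1000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE SSLBL fingerprint"; sid:1000002; rev:1;)
# comments and blank lines are preserved as-is

pass ip 192.0.2.0/24 any -> any any (msg:"EXAMPLE trusted net"; sid:1000003; rev:1;)
"""

# Rule actions Suricata understands; only the leading keyword is rewritten.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)(?=\s)")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def set_rule_action(rules_text, new_action="drop", sids=None, only_from=("alert",)):
    """Return the ruleset with the action of selected rules replaced.

    sids=None means every rule whose current action is in `only_from`;
    otherwise only the listed SIDs. `pass` rules are left alone by default,
    because turning a whitelist entry into a drop rule is the opposite of
    what the operator wants.
    """
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        s = SID_RE.search(line)
        if m and s and m.group(1) in only_from and (sids is None or int(s.group(1)) in sids):
            line = new_action + line[m.end():]
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed eve.json records in the shape Suricata writes for event_type "alert".
# In IPS mode alert.action is "allowed" (rule action alert/pass) or "blocked"
# (rule action drop/reject). The SIDs below are made up for the example.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2018-10-02T09:17:28.703243+0200", "event_type": "alert",
     "src_ip": "80.218.168.190", "dest_ip": "23.205.182.44", "dest_port": 443,
     "alert": {"action": "allowed", "signature_id": 2210001,
               "signature": "SURICATA STREAM Last ACK with wrong seq"}},
    {"timestamp": "2018-10-02T09:20:01.000000+0200", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.10", "dest_port": 8080,
     "alert": {"action": "allowed", "signature_id": 1000001,
               "signature": "EXAMPLE Feodo C2 contact"}},
    {"timestamp": "2018-10-02T09:25:13.000000+0200", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.10", "dest_port": 8080,
     "alert": {"action": "blocked", "signature_id": 1000001,
               "signature": "EXAMPLE Feodo C2 contact"}},
    {"timestamp": "2018-10-02T09:25:14.000000+0200", "event_type": "flow"},
])


def summarize_alerts(eve_text):
    """Count alert records per (signature_id, action); other event types are skipped."""
    counts = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        key = (rec["alert"]["signature_id"], rec["alert"]["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def never_blocked(counts):
    """SIDs that fired but were only ever 'allowed': still running as alert rules."""
    fired = {sid for sid, _ in counts}
    blocked = {sid for sid, action in counts if action == "blocked"}
    return sorted(fired - blocked)


if __name__ == "__main__":
    print(set_rule_action(SAMPLE_RULES))
    summary = summarize_alerts(SAMPLE_EVE)
    for (sid, action), n in sorted(summary.items()):
        print(f"sid {sid}: {action} x{n}")
    print("fired but never blocked:", never_blocked(summary))
```

Run against a real /var/log/suricata/eve.json, summarize_alerts plus never_blocked answers the question both threads ask: a SID that appears only with action allowed after the ruleset filter was set to drop is one the rewrite never reached.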

4
18.1 Legacy Series / WAN Interface down after reboot of modem
« on: September 24, 2018, 09:53:12 am »
Hello
Today we had a problem with the ISP and had to reboot the modem which is connected to my OPNsense box. Unfortunately the WAN interface didn't come up again after rebooting the modem. Does OPNsense try to open the WAN port several times until it times out and then give up?

Because I like long uptimes very much ;) I hate to reboot my OPNsense FW. Is there a way, through the GUI, to bring the WAN interface up again without rebooting the firewall?

Thank you very much for your hints.

Manuel
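Both WAN threads on this page (the modem reboot here and the 18.7.10 update above) describe the same symptom: the interface is administratively up but holds 0.0.0.0 or no IPv4 address at all. The following is an added example, not OPNsense code and not from the original posts: it parses FreeBSD-style ifconfig output (the format OPNsense uses) for one interface and classifies it, so a cron job or a console session can tell "link down", "no carrier", "no lease yet" and "lease present" apart before anyone reboots. The ifconfig texts are constructed samples using documentation addresses; the `ifconfig` call in check_interface and the igb1 name are assumptions taken from the 18.7.10 post.

```python
import re
import subprocess

# Constructed ifconfig outputs modelled on FreeBSD's format; addresses are documentation ranges.
SAMPLE_OK = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0d:b9:00:00:01
\tinet 203.0.113.25 netmask 0xfffffc00 broadcast 203.0.113.255
\tinet6 fe80::20d:b9ff:fe00:1%igb1 prefixlen 64 scopeid 0x2
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
"""
# The 0.0.0.0 state is what the 18.7.10 post reports seeing on the dashboard while DHCP has no lease.
SAMPLE_ZERO = SAMPLE_OK.replace(
    "inet 203.0.113.25 netmask 0xfffffc00 broadcast 203.0.113.255",
    "inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255")
SAMPLE_NO_ADDR = SAMPLE_OK.replace(
    "\tinet 203.0.113.25 netmask 0xfffffc00 broadcast 203.0.113.255\n", "")
SAMPLE_NO_CARRIER = SAMPLE_NO_ADDR.replace("status: active", "status: no carrier")
SAMPLE_DOWN = SAMPLE_NO_CARRIER.replace(
    "flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>", "flags=8802<BROADCAST,SIMPLEX,MULTICAST>")

INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)\b", re.M)   # IPv4 lines only, not inet6
FLAGS_RE = re.compile(r"^\S+: flags=\w+<([^>]*)>", re.M)
STATUS_RE = re.compile(r"^\s+status: (.+)$", re.M)


def classify(ifconfig_text):
    """Return (state, ipv4) for one interface's ifconfig output.

    States, in the order a DHCP WAN normally comes up:
    down, no-carrier, no-address, zero-address, ok.
    """
    flags = FLAGS_RE.search(ifconfig_text)
    if not flags:
        raise ValueError("not an ifconfig interface block")
    if "UP" not in flags.group(1).split(","):
        return "down", None
    status = STATUS_RE.search(ifconfig_text)
    if status and status.group(1).strip() != "active":
        return "no-carrier", None          # modem off, cable unplugged, or link not negotiated
    addrs = INET_RE.findall(ifconfig_text)
    if not addrs:
        return "no-address", None          # link fine, DHCP never configured anything
    real = [a for a in addrs if a != "0.0.0.0"]
    if not real:
        return "zero-address", None        # placeholder address, no lease
    return "ok", real[0]


def check_interface(ifname="igb1"):
    """Classify a live interface (assumes FreeBSD/OPNsense ifconfig; not exercised offline)."""
    text = subprocess.run(["ifconfig", ifname], check=True,
                          capture_output=True, text=True).stdout
    return classify(text)


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("zero", SAMPLE_ZERO), ("no-addr", SAMPLE_NO_ADDR),
                         ("no-carrier", SAMPLE_NO_CARRIER), ("down", SAMPLE_DOWN)]:
        print(f"{name:>10}: {classify(sample)}")
```

The distinction matters for the question asked here: no-carrier means the modem side has not come back and nothing on the firewall will fix it, while no-address or zero-address with an active link means the DHCP client is what needs restarting.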


5
General Discussion / OpenVPN Connection Status to Grafana
« on: August 17, 2018, 06:14:20 pm »
Under VPN --> OpenVPN --> Connection Status there are really nice statistics about every user's bytes sent and bytes received. Is there a way to send this information via collectd to Grafana?

Thank you for your answer.

Manuel

6
General Discussion / Manual changes in /usr/local/etc/collectd.conf
« on: August 17, 2018, 06:51:47 am »
Hello
I made some manual changes in /usr/local/etc/collectd.conf to add the openvpn plugin. After a reboot of OPNsense my changes were gone. Are there any plans to also add an "Advanced" field in collectd that is simply appended to /usr/local/etc/collectd.conf?

There was already a thread https://forum.opnsense.org/index.php?topic=6072.0 about this matter.

Thank you for your answer.

Regards Manuel
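Both collectd threads above concern the same data: the per-client byte counters OpenVPN already keeps. The server config posted in the --ping-restart thread further down has no `status` directive, but it does have `management /var/etc/openvpn/server1.sock unix`, and the management interface's `status 2` command returns the same CSV layout a status-version-2 file contains. The following is an added example, not OPNsense's or collectd's own code: it parses that CSV by its HEADER row and emits lines in the PUTVAL syntax collectd's exec plugin reads. The status text is a constructed sample; the socket path is copied from the posted config, and the host name and plugin instance are assumptions. How such a script gets hooked into OPNsense's generated collectd.conf is exactly what this thread asks, and the example does not settle that.

```python
import socket

# Constructed sample of `status 2` output in the OpenVPN 2.4 column layout;
# names, addresses and counters are made up.
SAMPLE_STATUS = (
    "TITLE,OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 16 2018\r\n"
    "TIME,Tue Jul 24 10:31:00 2018,1532421060\r\n"
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,"
    "Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID\r\n"
    "CLIENT_LIST,manuel,203.0.113.5:50233,10.8.0.6,,123456,654321,Tue Jul 24 10:02:47 2018,1532419367,manuel,0,0\r\n"
    "CLIENT_LIST,alice,198.51.100.7:1194,10.8.0.10,,42,4096,Tue Jul 24 10:20:00 2018,1532420400,alice,1,1\r\n"
    "HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)\r\n"
    "ROUTING_TABLE,10.8.0.6,manuel,203.0.113.5:50233,Tue Jul 24 10:30:58 2018,1532421058\r\n"
    "GLOBAL_STATS,Max bcast/mcast queue length,0\r\n"
    "END\r\n"
)


def fetch_status(sock_path="/var/etc/openvpn/server1.sock", timeout=5.0):
    """Ask a running OpenVPN server for `status 2` over its UNIX management socket.

    The path is the one in the posted server config (assumption: unchanged on the
    reader's box). The management interface serves one client at a time, so the
    connection is kept short and always ends with `quit`. Not exercised offline.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(b"status 2\n")
        buf = b""
        while not buf.endswith(b"\r\nEND\r\n"):   # the greeting banner arrives first and is ignored by the parser
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("management socket closed before END")
            buf += chunk
        s.sendall(b"quit\n")
    return buf.decode("utf-8", errors="replace")


def parse_client_list(status_text):
    """Map each connected client to its counters from the CLIENT_LIST rows.

    Column names come from the HEADER row, so the code survives the columns
    OpenVPN has added between releases. With username-as-common-name (as in
    the posted config) Username and Common Name are the same value; without
    user auth OpenVPN prints UNDEF as Username, hence the fallback.
    """
    header, clients = None, {}
    for raw in status_text.splitlines():
        fields = raw.split(",")
        if fields[:2] == ["HEADER", "CLIENT_LIST"]:
            header = fields[2:]
        elif fields[0] == "CLIENT_LIST" and header:
            row = dict(zip(header, fields[1:]))
            name = row.get("Username") or row["Common Name"]
            if name == "UNDEF":
                name = row["Common Name"]
            clients[name] = {
                "real_address": row["Real Address"],
                "virtual_address": row["Virtual Address"],
                "rx_bytes": int(row["Bytes Received"]),
                "tx_bytes": int(row["Bytes Sent"]),
                "connected_since": int(row["Connected Since (time_t)"]),
            }
    return clients


def putval_lines(clients, host="opnsense", instance="server1", interval=60):
    """collectd exec-plugin PUTVAL lines, one if_octets value (rx:tx) per client.

    if_octets is collectd's stock type for byte counters (two DERIVE values),
    and host/plugin-instance/type-instance is the documented identifier form.
    """
    return [
        f'PUTVAL "{host}/openvpn-{instance}/if_octets-{name}" interval={interval} '
        f'N:{c["rx_bytes"]}:{c["tx_bytes"]}'
        for name, c in sorted(clients.items())
    ]


if __name__ == "__main__":
    clients = parse_client_list(SAMPLE_STATUS)   # on the firewall: parse_client_list(fetch_status())
    for line in putval_lines(clients):
        print(line)
```

Under the exec plugin the script would loop, sleep `interval` seconds between rounds and flush stdout after each batch; the counters are cumulative per session, which is why the DERIVE type rather than GAUGE is the right one.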

7
General Discussion / openVPN Server --> Inactivity timeout (--ping-restart), restarting
« on: July 24, 2018, 11:19:48 am »
Hello
I have set up an OpenVPN server according to the "Setup SSL VPN Road Warrior" how-to, including TOTP. Login works fine, but after about 30 minutes the OpenVPN client login pops up and I have to log in again using the token from Google Authenticator and my password. Renegotiate time (reneg-sec 0) is set to 0 in the OpenVPN server config.

I would like to stay connected to the VPN server even if there is no activity/traffic. How can I achieve this?

Thank you very much for your help.

Regards Manuel

Tue Jul 24 10:02:16 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Jul 24 10:02:16 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 24 10:02:16 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Tue Jul 24 10:02:46 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:46 2018 UDP link local (bound): [AF_INET][undef]:0
Tue Jul 24 10:02:46 2018 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:47 2018 [myopenvpn Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:48 2018 open_tun
Tue Jul 24 10:02:48 2018 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{AB71E12E-4CCE-42DE-84BA-E28854305B69}.tap
Tue Jul 24 10:02:48 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of xx.xx.xx.xx/255.255.255.xx on interface {xxxxxxxxx} [DHCP-serv: xx.xx.xx.xx, lease-time: 31536000]
Tue Jul 24 10:02:48 2018 Successful ARP Flush on interface [15] {xxxxxxxxx}
Tue Jul 24 10:02:48 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 24 10:02:53 2018 Initialization Sequence Completed
Tue Jul 24 10:31:57 2018 [myopenvpn Server] Inactivity timeout (--ping-restart), restarting
Tue Jul 24 10:31:57 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 24 10:42:58 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:42:58 2018 UDP link local (bound): [AF_INET][undef]:0
Tue Jul 24 10:42:58 2018 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:42:59 2018 [SSLVPN Server Certificate] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:43:00 2018 Preserving previous TUN/TAP instance: Ethernet 3
Tue Jul 24 10:43:00 2018 Initialization Sequence Completed

- Server Config File
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
client-disconnect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
local xx.xx.xx.xx
tls-server
server xx.xx.xx.xx 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'TOTP VPN Access Server' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'SSLVPN+Server+Certificate' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route xx.xx.xx.xx 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
reneg-sec 0

- Client Config File
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
reneg-sec 0
resolv-retry infinite
remote myopenvpnserver.com 1194 udp
lport 0
verify-x509-name "myopenvpn Server" name
auth-user-pass
pkcs12 Home.p12
tls-auth Home.key 1
#ns-cert-type server
remote-cert-tls server
comp-lzo adaptive
auth-nocache
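The restart in the client log above is triggered by --ping-restart, which fires when the client has received nothing from the server, keepalive pings included, for the configured number of seconds; reneg-sec governs TLS key renegotiation, a different timer. Neither posted file names ping-restart explicitly: it comes out of the server's `keepalive 10 60`, which OpenVPN documents as expanding to `ping 10` and `ping-restart 120` on the server plus `push "ping 10"` and `push "ping-restart 60"` to every client. The following is an added example, not OpenVPN's or OPNsense's code: it parses abbreviated copies of the two posted configs (same placeholders as above), applies that expansion and the pushed options, and reports the effective timers on each side.

```python
import shlex

# Abbreviated copies of the posted server and client configs; placeholders kept as posted.
SERVER_CONF = """\
dev ovpns1
proto udp
keepalive 10 60
persist-tun
persist-key
server xx.xx.xx.xx 255.255.255.0
push "route xx.xx.xx.xx 255.255.255.0"
reneg-sec 0
"""

CLIENT_CONF = """\
client
dev tun
remote myopenvpnserver.com 1194 udp
persist-tun
persist-key
reneg-sec 0
"""


def parse_config(text):
    """Return the config as an ordered list of (directive, args) pairs.

    shlex splits the quoted body of push "..." the way OpenVPN does for the
    simple cases here; lines starting with # or ; are comments.
    """
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        opts.append((parts[0], parts[1:]))
    return opts


def is_server_config(opts):
    """OpenVPN enters server mode via `server ...` or `mode server`."""
    return any(name == "server" or (name == "mode" and args[:1] == ["server"])
               for name, args in opts)


def expand_keepalive(opts, is_server):
    """Apply the documented --keepalive n m expansion.

    server: ping n, ping-restart 2*m, push "ping n", push "ping-restart m"
    client: ping n, ping-restart m
    """
    out = []
    for name, args in opts:
        if name != "keepalive":
            out.append((name, args))
            continue
        n, m = int(args[0]), int(args[1])
        out.append(("ping", [str(n)]))
        if is_server:
            out.append(("ping-restart", [str(2 * m)]))
            out.append(("push", [f"ping {n}"]))
            out.append(("push", [f"ping-restart {m}"]))
        else:
            out.append(("ping-restart", [str(m)]))
    return out


def pushed_options(server_opts):
    """Directives the server pushes to every client: the quoted body of each push."""
    pushed = []
    for name, args in server_opts:
        if name == "push":
            parts = args[0].split()
            pushed.append((parts[0], parts[1:]))
    return pushed


def effective_client(client_opts, server_opts):
    """Client options after the pushes; pushed ping/ping-restart override local values."""
    merged = {name: args for name, args in client_opts}
    for name, args in pushed_options(server_opts):
        merged[name] = args
    return merged


def timers(server_text, client_text):
    """Effective ping, ping-restart and reneg-sec on each side (None when unset)."""
    server_opts = parse_config(server_text)
    server = expand_keepalive(server_opts, is_server_config(server_opts))
    client = expand_keepalive(parse_config(client_text), is_server=False)
    s, c = dict(server), effective_client(client, server)

    def get(d, key):
        return int(d[key][0]) if key in d else None

    keys = ("ping", "ping-restart", "reneg-sec")
    return {"server": {k: get(s, k) for k in keys},
            "client": {k: get(c, k) for k in keys}}


if __name__ == "__main__":
    for side, values in timers(SERVER_CONF, CLIENT_CONF).items():
        print(side, values)
```

For the posted configs this yields ping-restart 60 on the client and 120 on the server, which matches the log: the client declares the inactivity timeout after roughly a minute without anything arriving from the server, independently of reneg-sec being 0.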

8
General Discussion / Access Point on third interface
« on: September 09, 2017, 02:17:31 pm »
Hello
I would like to connect an AP to the third interface on my OPNsense FW. The plan is that some dedicated and authorised WLAN clients in the office can access everything on the LAN net (Windows servers and NAS) and also access the internet. But if a hacker from outside the office gains access to the net through the AP, he can do nothing, and all traffic to the WAN (Internet) and LAN will be blocked.

How would you do that? Create some MAC-based firewall rules? Is that possible? FW rules based on IP don't make sense, and MAC addresses could also be spoofed. What would be the most secure approach?

Thank you very much for your answer.

Manuel

OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved