Topics

1

Intrusion Detection and Prevention / 100% Load when scanning huge downloads

« on: May 17, 2019, 09:14:10 am »

Hi,

i have a apu2c4 (4 gb RAM) running opnsense with suricata in ips-mode. All physical interfaces are select (vlans are not selected.

While normal surfing, nothing exceptional happens on the cpu-load. But whilst e.g. updating my system or downloading a whole dvd, the load of the cpu jumps up to 100% and as a result, the rttd on the gateway goes up to 700 ms...

I've already used the whole bunch of optimizations, but i have no further idea, how to get rid of this.

If i stop suricata, no problems with load.

Hast anybody else the same effect?

Thx!

2

19.1 Production Series / Freeradius broken since 19.1.6

« on: April 11, 2019, 09:29:39 pm »

Hi,

After updating to 19.1.6, i got lots of errors with ubuntu clients, using wpa2/eap/mschapv2 using freeradius. Auth is LDAP.

21:25:50 2019 : Auth: (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)

erm...i do not user nt/lm passwords...where does this come from?

3

Web Proxy Filtering and Caching / Squid wrong response on filtered Page through https

« on: March 21, 2019, 09:06:11 am »

Hi,

I filter pages (example http://1000gratisproben.com) through shallalist. Using http, i get the message "access denied" within the browser. Using https, i get a certificate-error within the browser.

Squidlogs show tcp denied, in both cases. For https i get a strange string before, could be the certificate or whatever.

Why do i get a certificate error, using transaprent proxy? Using proxy direct, non-transparent gives me in both cases "access denied" in the browser.

Roger

4

Web Proxy Filtering and Caching / [SOLVED] wpad only without https?

« on: March 16, 2019, 05:20:01 pm »

Hi,

i try to setup wpad.dat für my proxy. unfortunately, it seems that it's just possible for mobile clients to get a wpad.dat by http, not by https.

So, one need to change the firewallgui to http *shiver* to get this working. would it be possilbe to have port 80 and 443 for the webfrontend? this makes management by https and wpad by http possible.

Roger

5

Web Proxy Filtering and Caching / Ports used by Squid 3128/3129

« on: March 13, 2019, 01:45:34 pm »

Hi,

Can anybody tell me, on which port SNI is called? Is it still 3128 for non-https, or is it on Port 3129 for ssl? I wanted to disable 3129, as i don't do ssl-inspection, but its needed for sni, correct?

Also, i have all NAT- and Firewallrules für transparent proxy, but i still get often drops to 127.0.0.1:3129, i have no explanation for this.

6

19.1 Production Series / Bug in German translation

« on: March 13, 2019, 01:38:38 pm »

Seems there is a small bug in translation of /Proxy/Manage/PAC/Rule:

Match type "if" is translated as "Schnittstelle" which means interface. Could it be, that the meaning was "Wenn"
? As Unless is not translated, it would say, leave also if untranslated.

Roger

7

19.1 Production Series / DNS with Squid always giving forgery errors in squid logs

« on: January 26, 2019, 01:42:43 pm »

Hi,

I use dnsmasq as first dns, it gives me more possibilities for resolving internal dns (cnames etc.). But i do not get off that head forgery errors, which say, you should use the same proxy for squid as clients do.

so, all my clients use the ip from the firewall. In squid, i also entered the ip of the firewall (and tried localhost, and the external from my provides as also a glassbowl )

The messages stay, whatever i do. Has somebody got this working, without that messy errors in squid log? I use it as a transparent proxy and sni.

Thanks a lot in advance, community!

Roger

8

Web Proxy Filtering and Caching / SNI Howto

« on: December 25, 2018, 01:35:08 pm »

Hi,

After reading lots about SNI and setting up my transparent proxy, i expected that squid recognized a eicar ssl-virus according to sni, but it didn't.

How can i test this?

Thx!

9

19.1 Production Series / Proxy: lots of ssl record too long since last update [solved]

« on: December 24, 2018, 08:08:01 am »

Hi,

Since the last beta, i have a lots of error-messages about ssl record to long. Haven't had it before.

Reproducible: always

go to https://www.google.com

Search and find unless you get the message. Close the browser, get the message, do some F5, sometimes its getting back working again.

10

19.1 Production Series / Wireguard no longer working since update to 0.8 [solved]

« on: December 13, 2018, 07:41:05 am »

Hi,

Since the last update, Wireguard ist connecting, but no longer routing. Config hasn't been changed in between. I see also handshakes, but not traffic is going through.

11

18.7 Legacy Series / HAPROXY: Connections show local ip instead remote client [solved]

« on: December 13, 2018, 07:03:41 am »

Hi,

i recently installed successfully haproxy, it's working fine. i redirect webtraffic to my webhost.

Now, a problem occurs with fail2ban on this host. Each connection to the webserver is made by the internal gateway ip instead of the remote ip from the internet. With this, fail2ban will block my gateway and i am completely out. How can i forward the ip-information from the external, the calling id to my webserver?

FYI: the forward-x-header is checked.

12

18.7 Legacy Series / HAPROXY: Which Ports to which target to open for reverse proxy [solved]

« on: December 10, 2018, 10:25:00 am »

Hi,

Which ports do i have to open on the wan-interface, when using haproxy (listening on 127.0.0.1:80 and 127.0.0.1:443) public frontend?

Do i just have to set on wan interface allow all to this firewall port 80 and 443?

13

18.7 Legacy Series / Haproxy and Letsencrpyt integration [solved]

« on: December 08, 2018, 04:01:51 pm »

Hi,

i installed haproxy and the le-plugin according to the documenation. i have now 2 things:

1) calling my website from the internet brings me a certificate error. this is, i think, according to the fact, that i cannot install a le-certificate for haproxy

2) trying to have a certificate from le, just ends up in status '202' after acknowleding token and nonce and what else..

I installed the le-plugin with the ha-integration, leaving all to standard, but i cannot ge le certifying my haproxy.

and btw.: which firewall-rules do i have to set to have haproxy as a reverseproxy for my webserver? is a rule (allow from wan to this firewall, port 80 and 443) enough? Portforwarding does not work in that case.

14

19.1 Production Series / Default Gateway indication in Dashboard [solved]

« on: December 07, 2018, 12:07:43 pm »

Hi,

In the Dashboard, under Gateways, my WAN_DHCP-Gateway is show as offline, but i have connection. Is this a bug?

Roger

15

18.7 Legacy Series / HA-Proxy problem: error_ssl_protocol

« on: November 27, 2018, 12:07:39 pm »

Hi,

I installed 2 backend-servers, one with ssl, one with nossl. I installed 1 frontend for both, with actions and conditions. HAProxy works, but if i want to connect via wan, i get a ssl-error in my browser.

The certificate still is on my server, it's a letsencrypt-cert. I think, i did someting wrong in the config. Does the webserver (the backend) still need a certificate? Or does this error come because of not having an official cert (not a selfsigned one)?

I think, except this, it would work...

Thx!