OPNsense
Topics - park0kyung0won

1
Intrusion Detection and Prevention / [bridge] Which interface to attach Suricata?
« on: July 26, 2022, 03:46:54 am »
Hello

I want to deploy a transparent bridge firewall
by bridging the eth0 and eth1 interfaces together into br0.

Then I also want to run Suricata.
The question is, what's the difference between attaching Suricata to
eth0 and to br0?

Thanks

2
19.7 Legacy Series / Intel i350 SR-IOV + VLAN does not work properly in OPNSense
« on: July 30, 2019, 08:23:22 pm »
Hello
My setup is:

Host machine: Arch Linux + KVM, has Intel i350 NIC.

Created an SR-IOV virtual function (VF) on physical interface enp5s0,
then tagged it with VLAN ID 20.
```
# create one VF on the physical function
echo 1 > /sys/class/net/enp5s0f0/device/sriov_numvfs
# assign the VF a MAC address and a VLAN filter (VID 20)
ip link set enp5s0f0 vf 0 mac blahblah
ip link set enp5s0f0 vf 0 vlan 20
```
Passed this VF to the OPNSense VM.

I also created a VLAN interface on the same port, which is enp5s0,
tagged with VLAN ID 20.
```
# VLAN sub-interface on the physical function, VID 20
ip link add link enp5s0f0 name VIRT type vlan id 20
```
Created a bridge on top of this VLAN interface VIRT for other VMs (let's call them clients).

I could capture packets in three places: the client VM, the OPNSense VM and the host physical interface (enp5s0f0).

When the OPNSense VM sends a packet to the guest VM (ping):

On the OPNSense VM: the ping packet is untagged
On host enp5s0f0: the ping packet has VLAN ID 20 (which is expected, since the VF is tagged with VLAN ID 20)
On the client VM: the ping packet is untagged (which is expected, since the interface the libvirt network bridge is sitting on (VIRT) is a VLAN interface on enp5s0 with VLAN ID 20)

Here is the problem.

When the client VM sends a DHCP request to the OPNSense VM:
On the client VM: the DHCP Req packet is untagged
On host enp5s0f0: the DHCP Req packet is tagged with VLAN ID 20 (expected)
On the OPNSense VM: the DHCP Req packet is tagged with VLAN ID 1024 (????????)

The DHCP Req packet had VLAN ID 20 at the moment it was passing the Virtual Function, since it passed a VF with a VLAN filter of VID 20.

After passing the Virtual Function device, it should have changed into an untagged packet,
but instead it got VLAN ID 1024.
I suspect there must be something wrong with the igbvf driver in OPNSense.

3
19.7 Legacy Series / OPNSense on KVM (Virtio) ?
« on: July 25, 2019, 10:27:25 pm »
Hello
I've heard before that BSD has a problem with the Linux KVM Virtio network driver implementation.
Is it still a problem today?
Would it be okay if I turned off the offload functionality in the OPNSense VM?

4
General Discussion / 1 to 1 NAT external subnet to internet subnet but one(IP for firewall) !!
« on: June 15, 2019, 06:48:44 pm »
Hello

My firewall has a WAN-side IP of 10.130.10.2/24, behind gateway 10.130.10.1,
and a LAN-side IP of 172.17.10.1/24.

I want to map the 10.130.10.0/24 subnet to 172.17.10.0/24 by 1-to-1 BINAT,
except for 10.130.10.2, which is the firewall itself.

I'm not sure how I can do this.
Adding /32 mappings one by one will take too much time.

5
General Discussion / NGINX: Connection gets dropped
« on: February 25, 2019, 10:54:20 pm »
Hello

I am using NGINX on the latest version of the OPNSense production distro.
The problem I've encountered is that the connection seems to be dropped
after a certain amount of time.

I was using openstack-dashboard behind the OPNSense NGINX,
which requires WebSocket for displaying VNC in the browser.

Should I explicitly set some options for keeping the connection alive?

6
General Discussion / Outbound NAT does not work!
« on: February 13, 2019, 09:48:31 am »
Hello

I've configured my OPNSense box, but
my servers in the LAN network can't ping 8.8.8.8.

When they do so, the OPNSense firewall log shows OPNSense passing the ICMP packet from 192.168.x.y to 8.8.8.8,
but the server itself never gets the reply back.

I'm not sure what the problem is.

7
General Discussion / How can I make my VPN use certain gateway?
« on: January 22, 2019, 06:21:02 pm »
Hello
I am using ZeroTier on my OPNSense box, and
the box has two gateways.
I need my ZeroTier traffic to go through one particular gateway among them.
How can I enforce this through the OPNSense settings?

8
General Discussion / Virtual IP?
« on: November 23, 2018, 03:36:50 am »
Hi

Is a virtual IP (alias) a way of assigning multiple IP addresses to one interface of the firewall?
I want to do 1:1 NAT using virtual IPs.

I want to map 10.180.20.X (a virtual IP assigned to the WAN interface on the firewall) to
192.168.20.X (some machine inside the LAN).

How can I easily add a range of IPs as virtual IPs?

9
Intrusion Detection and Prevention / [SOLVED] Interface ?
« on: November 21, 2018, 11:39:40 am »
What does the "interface" option mean on the Suricata settings page?
Is it the interface for Suricata to inspect?
Can I select multiple ones?

10
General Discussion / How can I make OPNSense load kernel module at startup?
« on: November 19, 2018, 06:31:30 pm »
I have a Mellanox 10 GbE NIC and it requires the mlx5 and mlx5en modules to function,
so I had to type "kldload mlx5en" manually in the CLI.
I wanted to automate this by writing an entry in "/boot/loader.conf", but it is
flushed at every reboot.

How can I set up my OPNSense to load a certain kernel module at startup?

11
General Discussion / NGINX detailed configuration
« on: October 17, 2018, 08:26:13 am »
Hi
I really like OPNSense and I'm using NGINX as a reverse proxy,
but I can't find how to set options like headers.
Being able to add a few lines of custom options in the locations field would be good enough.
Do you have any plans to add that?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved