Topics - yeraycito

1
Zenarmor (Sensei) / Unsatisfactory TLS inspection.
« on: November 05, 2024, 05:37:30 pm »
I am testing the SSE version of Zenarmor and I am having problems accessing various websites of different types with TLS inspection enabled. There are times when it works fine, but suddenly it stops loading the page and you cannot access it. To access that particular website you have to wait a few minutes and keep trying, and then it is allowed; meanwhile you cannot access any other website because the same thing happens. When the above is resolved, everything works normally for a while, but it soon happens again. When access fails, the browser gives a DNS error, but I doubt very much that this is the problem.


2
Zenarmor (Sensei) / zenoverlay vpn interface
« on: October 27, 2024, 12:59:40 pm »
Reviewing my interfaces in OPNsense, I found a new one called zenoverlay vpn that may have been around for a while but that I hadn't seen until now. I think it is related to Zenarmor and its monitoring of the WireGuard interface. I have searched for information about it and have not found anything, so I don't know whether it is necessary to activate it or what it is for.

3
Zenarmor (Sensei) / 1.18 Wireguard is disconnected
« on: October 24, 2024, 09:06:09 pm »
With the new update, Zenarmor prevents the WireGuard connection. Disabling the WG interface in Zenarmor solves the problem; if you re-enable WireGuard it connects, but after a few minutes it disconnects again. All this can be seen in the OPNsense widget:

4
24.7 Production Series / 24.7.6 worrying comment.
« on: October 09, 2024, 05:21:42 pm »
Valuable feedback and code changes have come from this process that will also find their way into other related projects in the near future.


Let's hope that this is not a new ‘Pfsense case’ and that the free version of Opnsense will be maintained under the current conditions.

5
24.7 Production Series / 24.7.1 perfect
« on: August 08, 2024, 04:07:36 pm »
A long awaited update from my side, many thanks to franco for his work.

Clean install 24.7

Update to 24.7.1 perfect

Some components of the update took a long time to update but everything is fine.

6
Virtual private networks / Port Shadow Attack Allows VPN Traffic Interception, Redirection
« on: July 19, 2024, 06:05:40 pm »
https://www.securityweek.com/port-shadow-attack-allows-vpn-traffic-interception-redirection/

https://petsymposium.org/popets/2024/popets-2024-0070.pdf

7
Intrusion Detection and Prevention / Hyperscan Proprietary Licensed Software
« on: May 12, 2024, 05:11:18 pm »
Intel Takes Open-Source Hyperscan Development To Proprietary Licensed Software:


https://www.phoronix.com/news/Intel-Hyperscan-Now-Proprietary

8
24.1 Legacy Series / Pfsense leaves FreeBSD for Linux
« on: April 01, 2024, 03:50:48 pm »

https://www.netgate.com/blog/pfsense-software-embraces-change-a-strategic-migration-to-the-linux-kernel

9
24.1 Legacy Series / Changes in the update of GeoIP databases
« on: March 13, 2024, 04:56:13 pm »
https://www.reddit.com/r/opnsense/comments/1bchr5v/maxmind_transition_to_r2_presigned_urls/

https://dev.maxmind.com/geoip/updating-databases?utm_campaign=R2%20presigned%20URLs&utm_medium=email&_hsmi=297747371&utm_content=297747371&utm_source=hs_email#directly-downloading-databases

https://github.com/maxmind/geoipupdate/issues/290

10
Zenarmor (Sensei) / High ram consumption Zenarmor 1.16.1
« on: January 05, 2024, 03:08:30 pm »
Mini-pc Opnsense 8 GB ram
Suricata deactivated

With version 1.16 I had 55% of RAM used, and with the new version 1.16.1 I am now at 80 - 85% of RAM used.

11
Intrusion Detection and Prevention / Suricata in Wan does not work with ppoe
« on: December 19, 2023, 06:27:51 pm »
So far I had Suricata working correctly on WAN, but I have changed internet provider and now use PPPoE. I have created the corresponding PPPoE VLAN assigned to WAN and I have configured the WAN interface with PPPoE with user and password. In interface assignments I have assigned the PPPoE VLAN created earlier to WAN. With this configuration I have access to the internet without any problems. The problem is that Suricata on WAN does not work even if I enter the WAN IP that I have been assigned, something that worked perfectly before. By "does not work" I mean that it blocks absolutely nothing; it is as if it did not recognise the interface. For it to be recognised, in interface assignments I have to set WAN to igb xxxxxx and create a new virtual interface for PPPoE.


12
23.7 Legacy Series / Native/Emulated Mode Netmap
« on: September 06, 2023, 02:08:34 pm »
Mini-Pc Opnsense 23.7.3

-Wireguard
-Suricata ( Wan )
-Zenarmor ( Routed mode L3 native Netmap ) Lan + LAGG

Interfaces ( Igb ):

-Wan
-Lan
-Wg
-LAGG

Access to OPNsense via SSH: sysctl -a | grep netmap

Native Netmap does not work.

13
Zenarmor (Sensei) / The futility of Zenarmor in Opnsense
« on: August 09, 2023, 01:13:44 am »
Zenarmor started as Sensei, and at the beginning it required a huge amount of resources to work. Later those requirements were lowered, but it still did not work well, giving problems of all kinds, and today it still does despite the time elapsed. A good example of this is the new update 1.4 which, despite having had its testing time, is a real disaster, including subsequent patches, which is incredible. Suricata is a good example of user-friendly integration, with its Telemetry rules that provide an extra benefit to OPNsense; Zenarmor in its free version, however, is still a bad and cheap ad blocker with very limited settings and features, provided it works well, which it never does. It doesn't even bother to work on the WireGuard interface. Without going any further, AdGuard or even pfBlocker do it much better and without needing so many resources to operate. Does it make sense today to keep Zenarmor as a plugin? Clearly not; it would be much better for OPNsense users if Franco integrated AdGuard, as has been done with Wireguard-kmod, and Zenarmor were abandoned. If something works and benefits users it should be promoted, but if something like Zenarmor not only provides no value but is a real disaster, it is better to abandon it and replace it with something better.

14
23.7 Legacy Series / Suricata 7
« on: August 01, 2023, 02:05:00 am »
After formatting my mini-pc with the Opnsense 23.7 Release Candidate today I upgraded to the stable version. Once upgraded I decided to try Suricata 7 and I had the same problems as mentioned here:

https://forum.opnsense.org/index.php?topic=34997.0

To solve these problems I added the command mentioned in this post to Suricata's custom.yaml file, and indeed these problems are solved. Suricata 7 brings a lot of changes, among them support for http2 and quic, but they don't appear in the suricata.yaml file, unlike the suricata.yaml file on GitHub. I don't know if I did it right, but to activate this support I added the following commands to the custom.yaml file:

stream.midstream-policy: ignore

http2:
  enabled: yes

quic:
  enabled: yes

This way Suricata 7 works great, in fact it has a much better performance compared to Suricata 6.x.x.
The problem comes when I restart OPNsense: the custom.yaml file appears blank, without the modifications I added, and I have to put them back by accessing OPNsense via SSH. That is, the custom.yaml file does not survive OPNsense restarts.

The custom.yaml file is located in the path usr/local/etc/suricata

I don't know if there is another custom.yaml file elsewhere that survives Opnsense restarts.

15
23.7 Legacy Series / Firewall block rules not working
« on: July 27, 2023, 07:10:28 pm »
NAS ( 192.168.1.3 - 192.168.1.6 )
Computer ( 192.168.1.2 )

I want to block all outgoing connections from my NAS except one. When I put the NAS blocking rules at the top, my entire local network is cut off from the internet. If I create a rule that allows traffic to the internet for my computer and put it at the top, the computer has an internet connection, but no outgoing connection from the NAS is blocked.
