Topics - Kuragari

#1
16.1 Legacy Series / Unbound and CNAME
June 25, 2016, 09:42:43 PM
Hello, I use Unbound (DNS Resolver) on OPNsense and I want to use Google SafeSearch on my LAN.

Google says to use a CNAME entry for www.google.com that forwards to forcesafesearch.google.com. My problem is I don't have an option to add a CNAME in the web GUI of the DNS Resolver (only A and MX entries).

Any way to do this?

My final goal is to have the most secure web access for my child. I think I'll use Squid remote ACLs to disable some categories (I have made some tests, but these remote ACLs don't block Google Images results containing porn images).

Best regards
#2
Hi, here is what I want to do. I have public DNS resolution to my internal server (office.yannqueniart.com). I want to make this resolution work on my LAN.

Currently I use a DNS entry on my LAN that points to the LAN private IP address, but for some reason I want to keep the real public DNS translation and forward the data with NAT.

Has anybody done this? Use one-to-one NAT or outbound rules?

Best regards.
#3
Hello, just a little question: I see in the release notes "category-based remote block list selection for the proxy". Does that mean that in Proxy Server --> Remote Access Control List we can have a ready-to-use list?

If so, I don't see it.

Best regards,
#4
16.1 Legacy Series / IPS Stability ?
February 29, 2016, 06:56:13 PM
Hello, I have a little problem with IPS mode.

With only IDS activated everything works correctly (I simply tried ICMP to my domain name), result:
--- yannqueniart.com ping statistics ---
91 packets transmitted, 91 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.564/11.063/35.916/2.849 ms

If I check IPS I lose packets, same test:
--- yannqueniart.com ping statistics ---
79 packets transmitted, 71 packets received, 10.1% packet loss
round-trip min/avg/max/stddev = 9.479/59.938/2452.720/307.091 ms

In System --> parameters --> network, I have checked these (as asked):

  • Disable hardware checksum offload
  • Disable hardware TCP segmentation offload
  • Disable hardware large receive offload

I didn't do anything other than activate IPS mode, no more rulesets.

I think I have enough CPU power and memory (Atom quad core 1.86 GHz and 4 GB RAM).
My LAN is : re0: <RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet>
My WAN is : re1: <RealTek 8169/8169S/8169SB(L)/8110S/8110SB(L) Gigabit Ethernet>

Does somebody have the same problem?
#5
16.1 Legacy Series / [SOLVED] Can't save Alias
February 24, 2016, 11:19:07 AM
Hello, I think I have found a little bug.

I try to create an alias (Firewall > Alias); when I click on save nothing happens and I can't save my new alias.

I have tried different sorts of alias (IP, port, network); I have OPNsense version 16.1.3.

I think it is only the save button that has a problem.

Best regards
#6
General Discussion / Features request : Proxy ACL Rules
January 30, 2016, 06:34:20 PM
Hi, just a little feature request which could interest some people.

Like for IDS, which has out of the box a list of rulesets where we just need to check or uncheck the box, is there any way to have the same thing for the proxy server?

Administrators could then easily lock some categories like porn, forums, etc.

Best regards
#7
Hello,

Just a little feature request: could it be possible to have a Tor server integrated in OPNsense?

Best regards
#8
Hello,

In DNS Resolver I can't change the number of hosts to cache. Normally by default the value is 10,000. If I change the value, when I click on save I always go back to 1,000 hosts to cache.

Best regards,
#9
I'm opening this post so that the people working on the translation can discuss among themselves, because the other interface is fine but you can't exchange with each other there.
#10
Hello, I'm trying to make my VPN work with my iPhone and MacBook.

I have made an IPsec VPN with IKEv1; everything works correctly on the LAN (so I think my IPsec VPN configuration is correct). Now I just switch the interface in phase 1 from LAN to WAN and I try to connect through the WAN interface, and that doesn't work.

My configuration: OPNsense --> ISP modem --> Internet. The ISP modem can't do bridge mode, so I have double NAT and OPNsense is in the DMZ. The problem doesn't come from double NAT because I have tried with my computer between OPNsense and the ISP modem.

I have tried to authorize everything coming from WAN, same result (so the problem normally doesn't come from the rules; anyway my rules accept UDP 500, UDP 4500 and ESP).

Any ideas?

My log (last entries):

Oct 5 17:43:13   charon: 12[JOB] deleting half open IKE_SA after timeout
Oct 5 17:43:07   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:43:07   charon: 12[IKE] sending retransmit 3 of response message ID 0, seq 1
Oct 5 17:43:07   charon: 12[IKE] <con1|60> sending retransmit 3 of response message ID 0, seq 1
Oct 5 17:42:54   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:42:54   charon: 12[IKE] sending retransmit 2 of response message ID 0, seq 1
Oct 5 17:42:54   charon: 12[IKE] <con1|60> sending retransmit 2 of response message ID 0, seq 1
Oct 5 17:42:47   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:42:47   charon: 12[IKE] sending retransmit 1 of response message ID 0, seq 1
Oct 5 17:42:47   charon: 12[IKE] <con1|60> sending retransmit 1 of response message ID 0, seq 1
Oct 5 17:42:43   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:42:43   charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
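As an added example (not part of the original post): a small Python script that parses the charon lines quoted above and summarises what the responder side actually saw. The log excerpt is embedded as a constructed copy of the post's lines, in the newest-first order the forum shows. The regular expressions only cover the message shapes visible in the excerpt (ENC/NET/IKE/JOB), and the script assumes that lines without a `<name|id>` tag belong to the most recently tagged IKE_SA; both are assumptions, not strongSwan guarantees.

```python
import re

# Constructed copy of the charon log lines quoted in the post, newest first (as the forum shows them).
SAMPLE_LOG = """\
Oct 5 17:43:13   charon: 12[JOB] deleting half open IKE_SA after timeout
Oct 5 17:43:07   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:43:07   charon: 12[IKE] sending retransmit 3 of response message ID 0, seq 1
Oct 5 17:43:07   charon: 12[IKE] <con1|60> sending retransmit 3 of response message ID 0, seq 1
Oct 5 17:42:54   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:42:54   charon: 12[IKE] sending retransmit 2 of response message ID 0, seq 1
Oct 5 17:42:54   charon: 12[IKE] <con1|60> sending retransmit 2 of response message ID 0, seq 1
Oct 5 17:42:47   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:42:47   charon: 12[IKE] sending retransmit 1 of response message ID 0, seq 1
Oct 5 17:42:47   charon: 12[IKE] <con1|60> sending retransmit 1 of response message ID 0, seq 1
Oct 5 17:42:43   charon: 12[NET] sending packet: from 192.168.1.2[500] to 80.12.55.122[1011] (408 bytes)
Oct 5 17:42:43   charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
"""

# "Oct 5 17:43:07   charon: 12[IKE] <con1|60> message" -> timestamp, subsystem, optional SA tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: \d+\[(?P<sub>[A-Z]+)\] "
    r"(?:<(?P<sa>[^|>]+)\|\d+> )?(?P<msg>.*)$"
)
RETRANS_RE = re.compile(r"sending retransmit (?P<n>\d+) of (?P<dir>request|response) message ID \d+")
PEER_RE = re.compile(r"sending packet: from \S+ to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
MODE_RE = re.compile(r"generating (?P<mode>\S+) (?P<dir>request|response) \d+")


def analyze_charon_log(text, newest_first=False):
    """Return one summary dict per IKE_SA seen in the log.

    Each dict records the peer address:port we sent to, the exchange type we
    generated, the highest retransmit count of our last message, and whether
    charon gave up ("deleting half open IKE_SA").
    """
    lines = text.splitlines()
    if newest_first:
        lines.reverse()  # process oldest first so state accumulates in time order
    exchanges = {}
    current = "unnamed"  # assumption: untagged lines belong to the latest tagged SA
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        sub, sa, msg = m.group("sub"), m.group("sa"), m.group("msg")
        if sa and sa != current:
            if current == "unnamed" and "unnamed" in exchanges:
                # the ENC/NET lines logged before the SA got its name belong to it
                exchanges[sa] = exchanges.pop("unnamed")
                exchanges[sa]["sa"] = sa
            current = sa
        ex = exchanges.setdefault(current, {"sa": current, "peer": None, "exchange": None,
                                            "retransmits": 0, "timed_out": False})
        if sub == "ENC" and (mm := MODE_RE.search(msg)):
            ex["exchange"] = f"{mm['mode']} {mm['dir']}"
        elif sub == "NET" and (pm := PEER_RE.search(msg)):
            ex["peer"] = f"{pm['dst']}:{pm['dport']}"
        elif sub == "IKE" and (rm := RETRANS_RE.search(msg)):
            # tagged and untagged copies of the same event carry the same number,
            # so keep the maximum instead of counting lines
            ex["retransmits"] = max(ex["retransmits"], int(rm["n"]))
        elif sub == "JOB" and "deleting half open IKE_SA" in msg:
            ex["timed_out"] = True
    return list(exchanges.values())


def diagnose(ex):
    """Turn one summary into a short reading of what the log shows."""
    if not ex["timed_out"]:
        return "completed or still in progress"
    if ex["exchange"] and ex["exchange"].endswith("response") and ex["retransmits"] > 0:
        return (f"we answered peer {ex['peer']} ({ex['exchange']}) and retransmitted the answer "
                f"{ex['retransmits']} times without hearing back: our packet toward the peer is not "
                f"arriving, or the peer's next message is not reaching us (check the NAT/port-forward "
                f"in both directions, not only the WAN pass rules)")
    if ex["exchange"] and ex["exchange"].endswith("request"):
        return f"peer {ex['peer']} never answered our {ex['exchange']}"
    return "half-open IKE_SA deleted after timeout"


if __name__ == "__main__":
    for ex in analyze_charon_log(SAMPLE_LOG, newest_first=True):
        print(ex)
        print(diagnose(ex))
```

On the quoted excerpt the script reports a single SA `con1` toward `80.12.55.122:1011`, an `AGGRESSIVE response` retransmitted 3 times, then the timeout. Reading it this way makes the direction of the failure explicit: OPNsense did receive the phone's first aggressive-mode packet and replied to it, so the inbound rules passed UDP 500, but the reply (or the phone's follow-up) never completed the round trip. The initiator port being 1011 rather than 500 also shows a NAT rewriting the source port somewhere on the path, consistent with the double NAT the post describes.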
#11
French - Français / Traduction
October 02, 2015, 09:23:52 AM
Hello,

I'm going to tackle the translation of opnsense into French. If you have suggestions, I'm here.

I don't plan to "Frenchify" everything, because some things don't make sense; I'm thinking for example of translating proxy as "mandataire" (that's how it's currently translated); I don't know anyone who uses the term "mandataire". Whether in Windows or OS X, a proxy is called a proxy.
#12
15.7 Legacy Series / Disable log for default WAN rules
October 01, 2015, 03:24:49 PM
Hello,

Here is my problem: I have enabled the option "Block private networks" on my WAN interface; my issue is that I have double NAT because I need to use my ISP modem and this modem can't do bridge mode (no other solution).

Everything works correctly; my only problem is that when the option is checked there is a WAN rule that blocks RFC 1918 networks and by default logging for this rule is enabled. My ISP modem makes a lot of broadcasts, so all my firewall logs come from 192.168.1.1 (ISP modem IP).

Any way to disable logging for this rule? Or any way to create a pass rule with 192.168.1.1 as source and ask not to log this?

Best regards
#13
French - Français / Retour d'expérience
October 01, 2015, 10:00:04 AM
Hello,

A little feedback on my first OPNsense installation.

I discovered the product recently; like a large majority I had originally gone with pfSense, but for me OPNsense has several advantages:

  • Multilingual support really in progress (on pfSense we have been waiting for the foreign-language versions for ages)

  • Integration of the Squid service. On pfSense Squid exists as a package, so it isn't officially supported, and on top of that it sometimes causes trouble; for example I have CRON jobs created by the package that slow down the machine. On OPNsense no problems of that kind. The integration also allows, for example, when using the proxy in transparent mode, the automatic creation of the rule in NAT.

  • Integration of SNORT. I don't use it at the moment, but since it is integrated into the system from the start it should be much more reliable.

  • Modern interface. It's cosmetic, but it's still really nice.

  • For those who use SSDs (like me), TRIM is enabled by default. On pfSense you have to do it by hand; it's not very complicated, but it's still one less thing to do.

  • QoS looks more logical, even if a priori it isn't fully finalised yet in terms of rule management, but at least you don't run between different menus (in pfSense you have to manage the rules in the firewall and apply them in the traffic shaper)

  • Updates every week. You don't update the whole system but just the new packages; it's incremental. This makes it possible to have the latest versions of the daemons. For example we are currently on the latest version of Squid, 3.5.9. Something impossible with pfSense because you update the whole system, so less regularly.

There you go, I hope this will convince some people to try this product, which looks really promising. It's a nice evolution of pfSense that goes in the direction of modern products.