Messages - Redfish

1
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 21, 2019, 01:03:46 pm »
mb, reverted to stock kernel and suricata is working as intended.  Please let me know if there’s anything I can do to help with your investigations.

2
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 12, 2019, 10:22:37 pm »
Thanks mb, here are the outputs for both kernels:
Edit: also need to note that I’ve followed this guide https://forum.opnsense.org/index.php?topic=6590.0 and disabled VLAN_HWTAGGING in order for suricata to function with my vlans.

Stock Kernel

dev.netmap.ixl_rx_miss_bufs: 0
dev.netmap.ixl_rx_miss: 0
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 163840
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 73728
dev.netmap.ring_size: 73728
dev.netmap.priv_if_num: 1
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.flags: 0
dev.netmap.adaptive_io: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.mitigate: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
dev.netmap.ix_rx_miss_bufs: 0
dev.netmap.ix_rx_miss: 0
dev.netmap.ix_crcstrip: 0

New netmap kernel

dev.netmap.ixl_rx_miss_bufs: 0
dev.netmap.ixl_rx_miss: 0
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 0
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 0
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 0
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 0
dev.netmap.ring_size: 36864
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 0
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 0
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.mitigate: 1
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
dev.netmap.ix_rx_miss_bufs: 0
dev.netmap.ix_rx_miss: 0
dev.netmap.ix_crcstrip: 0

3
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 10, 2019, 01:18:50 am »
Current system sysctl dev.netmap output
dev.netmap.ixl_rx_miss_bufs: 0
dev.netmap.ixl_rx_miss: 0
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.priv_curr_num:  163840
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 4048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 73728
dev.netmap.ring_size: 73728
dev.netmap.priv_if_num: 1
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.flags: 0
dev.netmap.adaptive_io: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.mitigate: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
dev.netmap.ix_rx_miss_bufs: 0
dev.netmap.ix_rx_miss: 0
dev.netmap.ix_crcstrip: 0

4
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 09, 2019, 11:20:10 pm »
mb, thanks for your inquiries and apologies for the delayed response.  As of now, suricata (set to promiscuous mode) is on a single interface (Lan) which has two vlans.  It will be a day or so before I’ll have the chance to get the rest of your requested information.

5
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 07, 2019, 11:26:50 pm »
Bare metal with 4GB memory, core i3, and i211 nics.  Apologies for the lack of info in previous post.

6
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 07, 2019, 09:09:53 pm »
Upgraded to the new kernel, rebooted and was met with errors.  Glad to provide any pertinent information.

7
General Discussion / Re: Making the switch
« on: July 07, 2017, 10:11:54 pm »
Hello Fabian,

Thanks for responding.  I’m currently researching a few ideas, came across this https://devinstechblog.com/block-ads-with-dns-in-opnsense/ Haven’t had the chance to give it a go but in general sounds very similar to what I used on pfsense (dnsbl).  Also have a Raspberry Pi 3 that I used for ad blocking prior to pfsense, so that’s an option I’m also considering.  I appreciate your suggestions and will look into all that you provided.  Once I become more familiar and confident using opnsense I’m considering creating a few basic guides that include graphics (would this be something that would help the community?).  I hope this suggestion hasn’t stepped on anyone’s toes, just looking for a way to repay the community. 

Thanks again,

Rob

8
General Discussion / Re: Making the switch
« on: July 07, 2017, 08:37:10 pm »
Just a quick update, had some downtime today and decided to give it another go.  Thankfully I took the time to familiarize myself with the GUI this time, everything went without a hitch.  Just need to tune suricata, figure out how to block ads across the network (lan and vlan) and finally set up UPS monitoring.  Definitely well on my way now.

9
General Discussion / Re: Making the switch
« on: July 05, 2017, 10:15:42 pm »
Just have to say, after spending a short time perusing the forums, I sense a much friendlier and more polite community.  This is a welcome surprise and I hope eventually I’ll also be able to contribute in my ever so small way.  FYI...fired up the laptop to explore opnsense and have begun to understand where I went wrong in yesterday’s endeavor.

10
General Discussion / Re: Making the switch
« on: July 05, 2017, 07:36:23 pm »
Hello Bart,

Appreciate the response and suggestion.  I’ll have to admit, yesterday’s fiasco was unplanned and poorly implemented (last minute rush on my part-currently have family visiting so no internet = no good).  Unfortunately, I failed to familiarize myself with the opnsense interface before tackling the task at hand.  Like I mentioned before, grew tired of the negativity and allowed my emotions to direct instead of taking the logical approach.  Over the next several days I plan to study the provided documentation and scour the forums for guidance.  Once I have a better understanding and the allotted time, I plan to give this another go (have a laptop that I may use to better familiarize myself with the GUI and will give me the opportunity to go exploring).  Quite excited to dive in and learn (enjoyed learning and exploring what pfsense had to offer, over the course of time I managed to accumulate enough to provide basic assistance to some others as well).  Again I appreciate your response and suggestions (which I will definitely follow), in the meantime if you or anyone else has any tips please don’t hesitate to post (all information is welcome).

Thanks for your time and consideration,

Rob

11
General Discussion / Making the switch
« on: July 05, 2017, 02:27:47 pm »
Hello all,

I’m fairly new to the whole firewall appliance idea.  Granted networking isn’t anything new to myself (the very basics anyways), played around and successfully implemented a Cisco (isdn) router years ago.  Just like a lot of home users, I’ve used dd-wrt and tomato without problems (nothing crazy configured).  As the years passed, I began to feel that those options just weren’t enough especially with the Snowden revelations and all that has come afterwards.  So began my quest to find something better, just by sheer luck, I stumbled across pfsense and opnsense.  Why I chose pfsense to begin with, well I’m at a loss.  I purchased a dell desktop that would become my firewall, added an additional nic and off I went.  In the beginning, I kept everything simple; no Ips/Ids, no vlans, just barebones.  As I began to learn, services were added, such as; openvpn client (don’t like the idea of my isp tracking my online presence), snort (well because I thought it was cool, using suricata now), pfblocker/dnsbl (no ads), and finally a single vlan (for gaming consoles and IOT).  Anyways, getting to the point, began to notice a not so friendly community (especially on reddit).  Lots of negativity flowing there towards those who question pfsense decisions and directions.  For that matter, you don’t dare criticize the software or the lack of lending a helping hand when those new need assistance (lots of posts go without help on the official forums too).  Now I understand those offering help are doing so by their own accord and I definitely appreciate that.  Just plain tired of a select few netgate employees berating those opinions that differ.  So begins my search for a new and helpful community (I’m fairly confident setting up pfsense and what’s needed on my side). Yesterday afternoon, I finally made the decision the time had come to move over to something better.
Downloaded and installed opnsense, unfortunately it wasn’t long before I felt overwhelmed, namely because of the GUI layout differences.  Struggled to make much progress, got the vpn up but wasn’t able to push anything out the interface (firewall rule in place directing all lan traffic that way).  Fiddled around for an hour or so without making any progress and time was of the essence.  Jumped back to pfsense and threw on my backup configuration only to be greeted by a non responsive box.  Finally managed to get things squared away, had to restore one thing at a time.  So here I am, asking if anyone would mind pointing me in the right direction to making the switch to opnsense permanent.  If needed I can provide any pertinent information pertaining to my current pfsense setup.  I know everyone is busy and the last thing you need is someone looking for you to hold their hand (hopefully that’s not the case for me).

Thanks in advance, I greatly look forward to making this happen.

Rob

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved