Messages

1

20.7 Legacy Series / Re: Installing 20.7-RC1 via Firmware -> Update possible?

« on: July 21, 2020, 08:05:19 pm »

Update to latest 20.1.8, then go to console:

opnsense-update -t opnsense-devel
opnsense-code core
cd /usr/core && make upgrade

Then again to UI and check for updates to go to 20.7r1

Can this be done remotely (SSH) or does this need to be done at the console?

SSH is ok.

Is this version compatible with Sensei?

2

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: July 09, 2020, 07:18:55 pm »

Is there any way to check current installed database content (like what urls are included for each category)?

I'd like to test some policies but I need this info 

3

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: July 09, 2020, 03:56:15 pm »

Hi @Rickytr, it's not expected. Does resetting reporting help ? (Sensei -> Configuration -> Reports & Data -> Reset Reporging)

I have the same problem. Resetting the reports does not solve the problem.

Live session explorer of connections and TLS works though. It's failing in DNS and Blocks.

Edit. Solved after opening a bug report.

4

Intrusion Detection and Prevention / Re: Suricata vs Sensei

« on: June 22, 2020, 08:59:46 pm »

Remaining question is which one is more secure? Is paid Sensei subscription close to 0 day / ET Pro?

As of now, Suricata.

Sensei is more focused on policing your outgoing traffic than "protecting your network" (even though that will change/improve in the near future).

5

Intrusion Detection and Prevention / Re: Suricata vs Sensei

« on: June 22, 2020, 06:35:35 pm »

Wait for 20.7 when, hopefully, both would be able to work in the same interface.

By both you mean running Suricata and Sensei in parallel? Wouldn't it be a big performance penalty?

Well, it depends on the resources the server has. It doesn´t have to impact the traffic.

6

Intrusion Detection and Prevention / Re: Suricata vs Sensei

« on: June 22, 2020, 06:19:10 pm »

They are quite different in their approach. I´m currently using Sensei (home license) and loving it so far.

Wait for 20.7 when, hopefully, both would be able to work in the same interface.

7

General Discussion / Re: noob of noobs need help in configuring and placing

« on: June 21, 2020, 06:35:58 pm »

Thank you very much for your prompt reply.

Yes. Just to clarify

OPNsense server > managed switch> powerline adaptor  (you called it plc) > ac87u.

What other topologies can i configure?

So Far i designed the 4 ports on the r710 I would have 1 for wan, 1 for lan, 1 for wifi, and the last one for IOT. I still need to install opnsense. 

This is a vast learning curve for me

Once again thank you

Ok, so basically there are 2 paths:

Routed:

OPNSense connected to the WAN of the AC87U (same network) and then the WiFi (lan) in a different one

Switched:

OPNSense connected to one of the LAN ports of the AC87U so it´s in the same network as the LAN in the AC87U. WiFi devices should be configured to use the OPNSense IP in that LAN as gateway and that´s it.


Second option is probably the best unless you need/prefer to route it for some reason.

8

General Discussion / Re: noob of noobs need help in configuring and placing

« on: June 21, 2020, 04:11:21 pm »

Hello all; I am a noob of noob. I have been watching on youtube various videos relating to choosing, installing and configuring opnsense.

I live in a very old house in Italy. The house is built in stone and concrete and it has 3 floors. Although i remodelled some of the house infrastructure I have no way of running cables.

At the moment I have 2 servers running freenas and one of the servers is based on a consumer pc architecture. Currently the whole house is connected via gigabit powerline and they are connected to simple switches and it all works well. Currently I have an asus rt ac87u as a router that is sitting in the living room. It currently provides me with my wifi needs.

So because i have too much time on my hands I decided to have a more robust and flexible router. (I have IOT, remote users such as my daughter who lives in the UK and friends in Canada and home automation).

So I buy a dell r710 because it has 4 lan ports. Yes it is an overkill but I will replace it next spring with an R610. I receive my internet service from EOLO (which transmit via radio waves and I receive the signal via a dish in turn connects to a eolo box (which is a small brick that has the satellite feed in and the out goes to the wan port of my current router in the living room.

My next step Is to install all IT equipment in a rack and move it to the loft.
I will move the internet feed from the living room to the loft.

So now opnsense will be in the loft which will be connected to a managed switch which will have direct connection to the server environment. Then I plan going from the switch to a powerline connection which will connect all my pcs in my house fine.

Finally my question:
I want to use current router as an AP (I read that this is possible)

Can I leave the current router in the living room and have it fed by a powerline and still act as an AP?

I fear that moving the asus to the loft i will not have sufficient band strength to feed my guests and I when we are on the ground floor or outside in the yard.

Thank you for taking the time to read this and responding

So, do you mean:

OPNSense -- Switch -- PLC -- AP (ac87u)

Is that so? Yes, that´s totally fine. However there would be different topologies you could configure.

If not, maybe if you explain your final l3 topology would be easier to understand.

9

General Discussion / Re: DNS requests to localhost

« on: June 21, 2020, 10:44:07 am »

Hi all

In the firewall log I see a lot of DNS requests from localhost to localhost (see screenshot attached). Why does OPNsense do this and what is it good for? Can I get ride of these requests somehow?

Thank you and regards,
Peter

Any service that has to communicate with Internet has to do that.

Like, checking for new firmware, signature updates ... anything.

10

General Discussion / Re: Blocking single device by IP access to Internet

« on: June 14, 2020, 03:50:13 pm »

Are you sure this device is being allowed to contact other destinations (non 443/TCP) in Internet?

Could you please upload another screenshot showing it (blur whatever is needed).

If you configure it like:

LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop

And apply, it should work.

11

General Discussion / Re: Blocking single device by IP access to Internet

« on: June 14, 2020, 02:05:40 pm »

If I place it on the LAN interface it blocks the device's access to any services on the firewall itself e.g. the time service on 192.168.1.1:123, and I only want it blocking traffic out through WAN to the Internet - the firewall and other interfaces are fine to be accessible.

Do not use the ANY in the rule as ip dst.

There are some options. For example put your LAN as destination and invert.
Or create a new rule before the one already created and allow the traffic from that IP to the LAN.

12

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: May 23, 2020, 10:02:12 am »

How could we join this testing?

May i just use the beta update from the GUI (20.1.7 with Sensei here)?

13

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: May 21, 2020, 03:11:53 pm »

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any

Really? Not seeing this?

No i don't have the options you show me.
see the attached file

Could you show the session being blocked in the Blocks / Live web explorer?

14

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: May 18, 2020, 12:48:18 pm »

super stupid question:
Once I enable the app control i have a few websites i can't access anymore.
Is there a way to whitelist these as exception?

i'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917

It´s via what binaryanomaly said or in policies / web control / Whitelist

15

General Discussion / Re: Unbound DNS problem with Cache or config, not clearing?

« on: May 13, 2020, 02:20:44 pm »

Alghough adding to whitelist resolves my problem and I don't worry about it, my brain is not able to understand why this is happening..

You can troubleshoot this with a dig trace.

If the domain answer is a CNAME you need to be able to query its "alias".