Messages

1

Hardware and Performance / Re: Dedicated low-power hardware

« on: November 17, 2023, 10:36:11 pm »

https://www.amazon.de/Firewall-Appliance-pFsense-Mikrotik-OPNsense-Celeron-J4105/dp/B0BJQ5JHXR/ref=sr_1_1_sspa?crid=2B5ADB26DWW1B&keywords=hunsn%2Brj12&qid=1700256564&sprefix=hunsn%2Brj12%2Caps%2C771&sr=8-1-spons&sp_csd=d2lkZ2V0TmFtZT1zcF9hdGY&th=1

199€ with two Intel NICs, 4GB/128GB, fanless, with an adequate processor for a firewall and for testing, or did "two LAN" mean 3+ ports total?

2

General Discussion / Re: Traffic from LAN -> OPT

« on: November 07, 2023, 12:45:47 am »

That's a relief. I am pretty new to this so this was no time to have my rules world up-ended!

3

General Discussion / Re: Traffic from LAN -> OPT

« on: November 06, 2023, 05:40:34 am »

Cookiemonster, should that not be IN to the LAN interface, creating the rule on the LAN interface?

For example, I have a rule (which works)
Action: pass
Quick; [√]
Interface: LAN
Direction: in
TCP/IP: (as required)
Protocol: any
Source: LAN net
Destination: (any in my case, 'OPT net' in s3c's case)
Dest port range: any to any

4

Hardware and Performance / Re: Want to know what current hardware models are good to use?

« on: October 31, 2023, 12:42:15 am »

Among the passively cooled Chinese options, I found that you could get the same fundamental system of the same brand with three different cases. I checked size, wings, fins, buttresses, and bought the best-cooled rather than most compact. The boxes in question were labelled Hunsn.

5

General Discussion / Re: Bridge two ports, not including LAN

« on: October 30, 2023, 10:12:06 am »

That is what I thought should be the case, thank you Patrick. I did not isolate the meaning of those words you quoted.

@bartjsmit, I will. I excused myself because my test router was still packed from a recent trip. I could read a book while away, or play with a router. 

6

General Discussion / Bridge two ports, not including LAN

« on: October 30, 2023, 04:53:44 am »

I would like to bridge two low-traffic interfaces which have the same essential uses, rules, security requirements.
Documentation and examples I have seen assume that the LAN port is added to the bridge, but that would not be the case here.

Would the general steps be:

• Remove current configuration from the two interfaces (call them Opt2 & 3)
• Create a bridge
• Add Opt2 & Opt3
• Skip steps 3-5 in the documentation
• Set tunables as in step 6
• Set DHCP and rules on the bridge interface

Alternatively for my steps 1 & 6, set those rules on one of the two interfaces added to the bridge.
Thus the question: is configuration set on the bridge or derived by the bridge from one of its interfaces? The former makes more sense to me but discussions seem to imply the second case.

7

Virtual private networks / Re: My DNS is leaking! DNS leak check sites know my home IP somehow

« on: October 25, 2023, 07:29:25 am »

Frozen, if I use Mullvad’s check while on VPN it does not know my home static IP. Is there a problem with your protonVPN connection, or routing things through it? This should have nothing to do with Pi hole.

Please clarify the exact context of your problem.

8

Intrusion Detection and Prevention / Re: [Resolved] Crowdsec bouncer error in default rule

« on: October 22, 2023, 08:29:18 am »

Resolved by the hotfix released. Crowdsec now operating normally.

Owing to travel I did not get to the task until today.

9

23.7 Production Series / Re: WAN outbound rules and "let out anything from firewall host itself"

« on: October 20, 2023, 11:57:01 pm »

acieslar, you have described that you want to allow only certain devices to connect to the internet, and that you have IN rules in place on those vlans. Good. What cannot get in one end won't get out the other end, so with IN restrictions any further OUT rule is superfluous, even if it operated as you expected.

Your comment about "lock firewall itself and allow only selected traffic (like updates)" implies that you think updates are initiated from the internet? Not so. Without NAT or a specific address rule, the firewall blocks everything on the internet by default. Updates are initiated by device enquiry, which we discussed in the first paragraph.

Without specific reason and knowledge, leave the "outside" of the firewall alone. It knows what it's doing.

10

Intrusion Detection and Prevention / Re: [Unsolved, Abandoned] Crowdsec bouncer error in default rule

« on: October 18, 2023, 01:01:17 pm »

I’ll try it, thanks.

11

Intrusion Detection and Prevention / Re: [Unsolved, Abandoned] Crowdsec bouncer error in default rule

« on: October 15, 2023, 12:45:06 pm »

I installed crowdsec with bouncer successfully on a test box connected to the internet. Comparing .yaml files and examining logs for the working and failing instances yielded no new clues that I observed.

I am in any case replacing the problematic instance with the freshly installed system, so with no-one else coming forward with similar experience it seems expedient simply to mark this as unsolved and move on. I do so.

12

Tutorials and FAQs / Re: Can Not Access Web GUI

« on: October 15, 2023, 04:04:47 am »

You ran through assigning interfaces and setting interface IP address I presume, so your interfaces and IP addresses should be noted above the menu, to verify these are as you expect. If things are awry then reset to factory defaults also exists in that menu.

Though I am no expert I have found initial setup of a couple of Opnsense instances on bare silicon to be pretty straightforward by following the dots. Finding what is wrong and getting this one going will happen.

modified after I remembered that the information is displayed in the console, so ifconfig is superfluous

13

Intrusion Detection and Prevention / [Resolved] Crowdsec bouncer error in default rule

« on: October 13, 2023, 11:58:56 am »

Running 23.7.6 with corresponding crowdsec versions.

I can start Crowdsec and Lapi without a problem. If I add the bouncer then System Status turns red and shows the following message:

Code: [Select]

There were error(s) loading the rules: /tmp/rules.debug:137: syntax error - The line in question reads [137]: block in log quick inet from $crowdsec_blacklists to {any} tag .CW label "<some hex>" # CrowdSec (IPv4)This is cleared by disabling bouncer and rebooting OPNsense.

There is a corresponding ipv6 line after that one, not flagged.

The rule pattern looks like valid other lines in /tmp/rules.debug. Any ideas on the problem or where I should look further please?

14

23.7 Production Series / Re: new lan not getting access to internet

« on: October 13, 2023, 06:46:58 am »

Sorry 

RFC1918 is short for these addresses to enter in your no_go ACL: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
It is discussed under “Private network” on Wikipedia.

Remember to invert that ACL destination. Source is any, IN to the Lab address.

15

23.7 Production Series / Re: [RESOLVED] Update stalled

« on: October 12, 2023, 11:21:00 pm »

I selected option 1, wait, and went to sleep, it being nighttime on this part of the planet. This strategy worked perfectly. 23.7.6 is up this morning.