Topics - dragon2611

#21
17.1 Legacy Series / IDS/IPS with virtIO?
May 12, 2017, 10:49:25 AM
Has anyone tried IDS/IPS in a KVM VM recently with VirtIO drivers?

Last time I tried it (I think it was 16.x) it tended to just cause the firewall to stop passing traffic; wondering if anyone's managed to get it to work since then.
#22
17.1 Legacy Series / 17.1.1 pbr
February 11, 2017, 05:08:45 PM
Pretty sure 17.1.1 doesn't fix all the policy routing issues, as I've got a TeamSpeak server running on a host with 2 WAN uplinks and the DNS points to WAN2; since upgrading no-one can connect to it.

It's a NAT port forward from the secondary uplink.
#23
16.7 Legacy Series / NDP Proxy
December 30, 2016, 02:03:27 PM
Any chance of some kind of NDP proxying support, since there are ISP/Datacentre providers out there that seem to think giving you a /64 on your WAN interface is a valid way of providing IPv6?

It makes using the IPv6 on a LAN interface or for something like OVPN rather painful.
#24
16.7 Legacy Series / IPSEC overlaps
December 29, 2016, 03:41:14 PM
OPNsense doesn't seem to handle overlapping IPsec PH2 very well compared with pfSense and most other platforms I've used, which seem to be fine with it.

For instance say I have

192.168.1.0/24 > 10.0.0.0/8 in one tunnel with its own PH1/PH2

Then in a separate tunnel I have

192.168.1.0/24 > 10.1.0.0/24 with its own PH1 and PH2

I'd expect the more specific PH2 to match (i.e. the /24, as that's a more specific route than /8), but it looks like it's just whatever is the highest connection in the list (e.g. Con1).
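To make the two behaviours concrete, here is an added example (not OPNsense or strongSwan code, and not from the post) that models Phase 2 selectors as address ranges and compares first-match-in-list with most-specific-match for the two tunnels above; the connection names and the test addresses are constructed, and the overlap check is the kind of thing to run before adding a second tunnel to the same remote space.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    name: str
    local: IPv4Network
    remote: IPv4Network


# Constructed to mirror the post: Con1 carries the /8, Con2 the more specific /24.
CONNECTIONS = [
    Phase2("Con1", ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")),
    Phase2("Con2", ip_network("192.168.1.0/24"), ip_network("10.1.0.0/24")),
]


def matching(src: str, dst: str, conns=CONNECTIONS):
    """Every Phase 2 entry whose local/remote selectors cover the flow."""
    s, d = ip_address(src), ip_address(dst)
    return [c for c in conns if s in c.local and d in c.remote]


def first_match(src: str, dst: str, conns=CONNECTIONS):
    """Behaviour the post observes: first covering entry in list order wins."""
    hits = matching(src, dst, conns)
    return hits[0].name if hits else None


def most_specific(src: str, dst: str, conns=CONNECTIONS):
    """Behaviour the post expects: longest combined prefix wins, ties by list order."""
    hits = matching(src, dst, conns)
    if not hits:
        return None
    # max() keeps the first of equal candidates, so ties fall back to list order.
    return max(hits, key=lambda c: c.local.prefixlen + c.remote.prefixlen).name


def overlaps(conns=CONNECTIONS):
    """Selector pairs that overlap, i.e. flows that can match more than one entry."""
    out = []
    for i, a in enumerate(conns):
        for b in conns[i + 1:]:
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote):
                out.append((a.name, b.name))
    return out


if __name__ == "__main__":
    print(first_match("192.168.1.10", "10.1.0.5"))    # Con1
    print(most_specific("192.168.1.10", "10.1.0.5"))  # Con2
    print(overlaps())
```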
#25
16.7 Legacy Series / IDS/IPS VirtIO
December 28, 2016, 06:47:41 PM
Looks like the VirtIO IDS/IPS problem is still there in Proxmox :-\

Essentially any interfaces the IDS is enabled on die after about 30s or so.
#26
16.7 Legacy Series / pfsense 2.3x config import
December 28, 2016, 04:32:45 PM
Not sure if I just got lucky, but I imported the config from a pfSense 2.3x VM by changing the version to 11.1 in the XML tags.

Had to reset the passwords for some OVPN users and had to re-save the config on the WAN interface before the firewall rules showed up (did pfctl -d in the CLI to get back into the box). Other than that it seemed to work, which saved me rebuilding the OVPN config on a load of other devices :D
#27
I've had it a few times where I lose PPPoE for whatever reason, traffic switches over to the other WAN, PPPoE recovers, and when traffic switches back I cannot access the internet.

Any ping/tracert etc. just returns destination host unreachable coming from OPNsense's LAN interface IP. ???

Gateway status shows the gateway is up (I have it ping OpenDNS at the moment to check that).

Actually this is pretty much what happens all the time if IDS is ON (which is why I can't use the inline IDS)

This is running in Proxmox/KVM with VirtIO NICs, 4x multiqueue (although that doesn't make much difference as far as I can tell).

2 of my virtual NICs do connect to the same vswitch and physical NIC atm, as I'm waiting on additional network cards (one is DHCP, the other is PPPoE), so I'm not sure if that's related, although it shouldn't be as only one of the ISPs is PPPoE and the NICs have their own MACs.

Proxmox config for the OPNsense VM is below; the vmbrs are using Open vSwitch, NOT Linux bridging.

bootdisk: virtio0
cores: 4
cpu: host
cpuunits: 99999
ide2: none,media=cdrom
memory: 3096
name: OpnSense
net0: virtio=32:66:62:33:36:30,bridge=vmbr0,queues=4
net1: virtio=32:37:38:33:33:33,bridge=vmbr1,queues=4
net2: virtio=32:36:31:39:34:35,bridge=vmbr1,queues=4
net3: virtio=32:39:37:36:31:65,bridge=vmbr4,queues=4
numa: 0
onboot: 1
ostype: other
smbios1: uuid=84331f80-4308-4407-ae79-045178613e26
sockets: 1
startup: order=1
virtio0: local-lvm:vm-104-disk-1,size=20G

Also the ports get mirrored to the Security Onion VM.

Rebooting OPNsense fixes the problem, as long as I don't try and enable IDS.
#28
Does anyone know a good list of known gaming/download servers I could load into OPNsense?

I want to load balance Steam/Origin etc. downloads across both my WANs, but I can't just do it by port as Steam now uses HTTP for downloads, and I don't want to balance all web traffic as then I get the headaches associated with IPs changing etc.

Or any other way to do it  ???
#29
16.7 Legacy Series / IDS/VirtIO
July 15, 2016, 09:58:43 AM
Still seems to be a problem with IDS and VirtIO (or at least something in my setup) that tends to bring things grinding to a halt if I turn it on.

For now I mirror the traffic to a Security Onion VM and that seems to work, although it can't block automatically based on the results.
#30
DHCPv6 advertisements

Set subnet, select 64 from the subnet size dropdown and save.

On refresh it goes back to showing 128.
#31
I know it would offer far weaker protection, but I'd like an option to see the IPS/IDS done out of band/low priority, then use the firewall for blocking (IPS), for those of us running lower-end hardware.

I tried running OPNsense's IDS on my N3050-based board in Proxmox, and with VirtIO it just breaks all traffic; with E1000s it seemed to work but it wouldn't manage more than about 40Mbit/s, with a noticeable increase in latency.

Currently I'm mirroring the traffic to a Security Onion VM running Snort and doing the IDS scanning there. This seems to work, and I've been able to set the CPU priority in such a way that the OPNsense VM gets prioritised. That said, I can't (unless I script something) then block anything automatically based on the scan result.

I managed 100Mbit/s earlier (which is the max of both my VDSL2 lines combined); not sure if the IDS was able to keep up, but since it's my home network it's not world-ending if it doesn't (beforehand I used an ER-X and didn't do any IDS scanning at all).
#32
Looks like the health report screen on the packet section doesn't use the interface names but rather the original names like opt1 etc., which is confusing if you've renamed them.

Edit:

The traffic one is the same.
#33
Please add hit counters to the rules in the firewall view if possible; it saves sifting through the logs to see if a rule is getting hits.

It also makes it easier to look out for old rules that are no longer needed (i.e. 0 hits after clearing counters).
#34
Does the gateway monitoring work with IPv6, or is it trying to do something daft like ping a v6 address using the v4 ping command? It's showing both my v6 gateways as down, yet if I ping the one for the PPPoE-0 interface from the command line with ping6 it seems to respond just fine ???
#35
16.1 Legacy Series / IDS and PPPoE?
July 05, 2016, 12:05:34 PM
Can someone confirm the correct config for IDS on PPPoE?

If I set the interface to the PPPoE interface I don't get any errors, but I'm not sure if it's working as I've not seen any alerts for that WAN.

If I set it to the physical (well, virtual) NIC that the PPPoE is on, it tends to break my access to the internet (badly).

The other WAN (ISP uses DHCP) seems to work and generate alerts.
#36
Just wondering, as it appears Insights is looping back NetFlow, can that be exposed to accept NetFlow data from other devices?

Yet to find an affordable analyzer, and there are a couple of places where I have UBNT EdgeOS devices that I'd like to pick up the NetFlow data from, where currently OPNsense isn't in the traffic path. (I might do something about that eventually.)
#37
16.1 Legacy Series / IDS firewall integration?
July 04, 2016, 11:21:26 AM
Will the IDS be better integrated with the firewall in newer releases?

At the moment it looks like you can either allow or block an IPS match, but I'd like to use the IPS in conjunction with the firewall to block P2P but only for certain hosts, for example.
#38
16.1 Legacy Series / Set IDS to block?
July 04, 2016, 11:20:10 AM
Is there an easy way to set rulesets to block? Sadly I forgot to set the import filter before downloading some of the rules (e.g. known compromised hosts).

I don't really want to go through each individual rule and change it as there's quite a lot of them.

Edit:

Oh, looks like pressing the download button again might have done it.
#39
Hardware and Performance / VigorNIC 132
July 03, 2016, 09:24:13 PM
DrayTek have come up with a VDSL2 router on a PCI-E card (VigorNIC 132).

I guess it presents itself as a NIC to the host, but they're not available till August, so I guess we won't know for sure until someone gets their hands on one, but I'm hoping it's going to be some commonly supported chipset.

If it is then it might go quite nicely with OPNsense, as you can configure it to bridge (so it ends up being just a fancy DSL modem).

No half-height bracket though, despite it being a half-height card (I asked their sales, but apparently they'll look into whether it's feasible).

Edit: They later replied saying there would be a half-height bracket.
#40
16.1 Legacy Series / NATPT
July 03, 2016, 06:36:48 PM
Can someone post an example of how the NATPT is supposed to work, as I seem to keep getting a syntax error in the firewall reload log when I try to use it?

I created a ULA prefix for the LAN and also tried with a public /64, and neither worked (I was hoping to use the public /64 on the LAN with no prefix translation for my primary ISP and translate it to a /64 from my backup ISP when failing over).