Messages - xmichielx

#31
Another finding: Snort with default settings and the same plugins on pfSense does not cap my bandwidth (aka 120/150 Mb/s).
I am now using Snort and understood that multi-threading is very interesting for 1 GB+ bandwidth.
Suricata and IPS are capping too much of my available bandwidth.
#32
I did a reinstall with Pfsense and found out that:

a) it's normal that your bandwidth is being capped - same results with Suricata on OPNsense and pfSense with IPS and Netmap/Hyperscan enabled
b) pfSense alerts are shown under Alerts, not with OPNsense *except* for the OPNsense test rules

An nmap is being triggered by ET scan rules on pfSense, not on OPNsense.

I like OPNsense more, but if no alerts are triggered with the same box + setup (Suricata setup on FreeBSD with the same Suricata settings via the GUI - not sure what is done in the config files) then I would rather choose pfSense than OPNsense for the sake of stopping bad traffic and, when needed, dropping traffic related to ransomware.

My $0.02.
#33
I also tried to change the workers to autofp, but that decreased the speed even more -> https://forum.opnsense.org/index.php?topic=4683.msg20289#msg20289

I also noticed that no alerts are triggered when I run multiple portscans against my monitored device (WAN), same behaviour: https://forum.opnsense.org/index.php?topic=4937.msg19895#msg19895

So I got an IPS that detects the OPNsense default ruleset but no others are triggered, and a decrease in internet speed which I cannot explain :(
#34
Is there a way I can troubleshoot this, since all mentioned options sound/feel like a shot in the dark?
top shows 130% CPU, but since I have 4 CPUs I don't expect that should be an issue?
Memory-wise I have 2 GB free, and the microSSD should also be fast enough.
#35
I tried all 3 options and also disabling plugins and enabling them one by one. I do see an increase in bandwidth after changing Suricata options like syslog or promiscuous settings, but then it drops to 8-10 MB/s.
I also tried disabling Netflow to save some resources, but to no effect.
I also experienced a strange thing with the OPNsense eicar rule: it blocks the eicar.txt download the first time, but when I refresh the website (hard refresh) and download the eicar.txt file again it allows it to download.
I really have to clear my browser cache to let it block again. This is imho unwanted behaviour, as users could retry their download and succeed in downloading potential malware.
#36
I did not find an improvement, perhaps it did but very small. Still <10 MB/s with almost everything disabled except the malware ones + the OPNsense test plugin. :(
#37
Cool! :)
I will try that. Did you also change the default to Hyperscan? I see some improvements there too.
#38
Hello,

I am very happy with the OPNsense 17.1.6 amd64 box I am running on a PCengines APU2d4 (4 cores, 4 GB memory and 3 gigabit interfaces with a microSSD of 14 GB) :)
I am trying out the IDS/IPS to block malware using the ET malware/trojan/shellcode and 3 more plugins + the 4 SSL (gedotracker etc.) plugins and the OPNsense test plugin.
All works well, and the eicar.txt is happily dropped when the IPS is enabled and the default action is drop.
Whenever I try to download a large file, for example an ISO from ftp.nluug.nl, the speed is capped at 5 MB/s, whereas my max speed would be around 17.3 MB/s.
I have tracked it down to the IDS/IPS/Suricata service, and disabling the service gives full-blown internet again, but I was wondering if the IDS/IPS could really give such a performance hit knowing that there is not a lot of traffic going through (it's a Ziggo cable connection at home, so not many users or devices), the APU2D4 has 4 GB RAM and 4 cores (Suricata can use all cores if I'm not mistaken) and I just enabled a few plugins.
Perhaps also good to know is that I have a VLAN1 interface linked to igb0 (the LAN interface), which is 1 GB, + have enabled netflow + insight.

Is this normal behaviour, and should I really run a very expensive i7 hectacore with 32 GB of RAM, or should the APU2D4 be able to track its traffic?

Cheers and thanks :)

Michiel
#39
17.1 Legacy Series / Re: Some questions about 17.1 beta
January 09, 2017, 09:43:36 PM
Quote from: fabian on January 09, 2017, 03:57:55 PM
Quote from: xmichielx on January 09, 2017, 03:46:07 PM
- Is there an option to add scripts for dnsmasq adhost blocking? and keep it stored on the disk after an upgrade?
I am doing this via a transparent proxy but you may be able to do this via firewall rules as well.
I would rather use something like DNS than an HTTP or HTTPS solution ... there are multiple dnsmasq/unbound scripts out there that I really want to use.
And I would rather not block 5000 hosts by hand via the GUI with a firewall rule. ;)

Quote from: fabian on January 09, 2017, 03:57:55 PM
Quote from: xmichielx on January 09, 2017, 03:46:07 PM
- Is there an easy way to enforce all outbound DNS requests (transparent) to the OPNsense box so I can enforce DNS in my network? Should I remove the automatic outbound rules and use the hybrid rules instead and create a new outbound NAT rule?
You just need to create a "Port Forward" rule, which sends all requests to the local IP of the firewall.

But shouldn't the outbound NAT rule be used for this?
Port forward sounds like inbound connections for the WAN interface, which I am using to forward HTTP, HTTPS and SSH from the WAN to the inside.

-EDIT: the port forward for DNS seems to work 8) but I am still questioning why the outbound NAT rules did not work, since their name makes more sense (as it is an outbound NAT rule).
#40
17.1 Legacy Series / Some questions about 17.1 beta
January 09, 2017, 03:46:07 PM
Hi,

Got some questions about the new beta which I am using (and very happy with :) ) :

- Can I easily upgrade to the 17 final when it's ready from the current beta version?
- Is there an option to add scripts for dnsmasq adhost blocking? And keep it stored on the disk after an upgrade?
- Is there an easy way to enforce all outbound DNS requests (transparent) to the OPNsense box so I can enforce DNS in my network? Should I remove the automatic outbound rules and use the hybrid rules instead and create a new outbound NAT rule?

Thanks for any pointers :)

Michiel
#41
17.1 Legacy Series / Re: SSH installation on APU 2
January 07, 2017, 10:20:35 PM
Do you mean the first port will have IP 192.168.1.1, or will it get a DHCP lease?
I already got a router running at 192.168.1.1 with DHCP. If Port1 already has 192.168.1.1, then I have to hook up a separate switch or crosslink cable to connect to Port1 and use a static IP on my laptop over the crosslink, I guess.
#42
17.1 Legacy Series / SSH installation on APU 2
January 07, 2017, 06:12:24 PM
Hi,

How can I install OPNsense 17.1 beta on a PCEngines APU 2 over SSH?
I can create a USB installation and boot from USB, but what should I do next to install OPNsense over SSH?
Connect port 1 to LAN DHCP and connect to SSH (find out which DHCP lease the OPNsense installer has with nmap) and then use which credentials?
I tried the documentation/wiki and reading the blog but could not find anything related except for the mention:
'installer now boots up with SSH for headless remote installation'

Any help is much appreciated :)

PS. I want to try to avoid using the console installation, as it is a b!t(ch to run with the different speed settings etc.
I would rather do it relaxed from my couch over SSH ;)

Cheers,

Michiel
#43
Hi Franco,

I am storing the script in /usr/local/bin/get-ads.sh; I ran it manually but am looking to add it to crontab.
The script creates a /var/unbound/ads.conf where all known ad servers are redirected to 127.0.0.1.
It is OK if that file is removed during an upgrade, since the script/cronjob will recreate it the next day.
I am using the amd64 with serial install on an APU2.

Cheers,

Michiel
#44
Hi,

I want to store a bash script on the OPNsense filesystem without it getting overwritten after an upgrade.
It's a script that downloads an ad block list for unbound, stores it in /var/unbound/ads.conf and reloads unbound.

My question: how do I make the script and the ads.conf file persistent on the OPNsense file system so they survive an upgrade?
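The two posts above (#43 and #44) describe a cron script that turns a downloaded ad-server list into /var/unbound/ads.conf, pointing every listed host at 127.0.0.1, and then reloads unbound. Below is an added example of that conversion in POSIX shell; it is not the poster's get-ads.sh nor anything shipped by OPNsense. Instead of downloading, it reads a hosts-format list on stdin (a constructed sample is embedded), keeps only strings that are plain hostnames so a tampered list cannot smuggle extra unbound directives or option lines into the config, writes the file atomically and refuses to replace the blocklist with an empty result (for example after a failed download). The function names, the sample hostnames and the use of `unbound-control reload` as the reload step (which assumes unbound's remote-control interface is enabled on the box) are assumptions; the target path is the one the posts name.

```shell
#!/bin/sh
# Added example, not the poster's script: hosts-format blocklist -> unbound
# local-zone/local-data entries that redirect each host to 127.0.0.1.

# Constructed sample input in hosts-file format: a comment, a localhost line,
# a trailing comment, and a duplicate entry.
SAMPLE_LIST='# sample blocklist (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid   # trailing comment
127.0.0.1 ads.example.invalid
'

# hosts_to_unbound: read a hosts-format list on stdin, emit unbound config on stdout.
# Strips comments, ignores lines that do not start with 0.0.0.0/127.0.0.1, drops the
# localhost names, accepts only syntactically valid hostnames (so nothing else from a
# poisoned list can end up in ads.conf), and de-duplicates.
hosts_to_unbound() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
    | awk '
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "local" || h == "broadcasthost") continue
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
                if (seen[h]++) continue
                printf "local-zone: \"%s\" redirect\n", h
                printf "local-data: \"%s A 127.0.0.1\"\n", h
            }
        }'
}

# write_ads_conf TARGET: convert stdin and install the result atomically
# (write a temp file, then mv), so unbound never reads a half-written file.
# An empty conversion result is rejected: a failed or empty download must not
# silently wipe the existing blocklist.
write_ads_conf() {
    target="$1"
    tmp="$target.tmp.$$"
    hosts_to_unbound > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to install an empty blocklist into $target" >&2
        return 1
    fi
    mv "$tmp" "$target"
}

# count_blocked FILE: number of redirected zones in a generated config.
count_blocked() {
    grep -c '^local-zone:' "$1"
}

# reload_unbound: assumed reload step; only runs when unbound-control is present.
reload_unbound() {
    if command -v unbound-control >/dev/null 2>&1; then
        unbound-control reload
    else
        echo "unbound-control not found; skipping reload" >&2
    fi
}

# Demo run on the constructed sample, using a temp file instead of /var/unbound/ads.conf.
demo_out="${TMPDIR:-/tmp}/ads.conf.example.$$"
printf '%s' "$SAMPLE_LIST" | write_ads_conf "$demo_out"
echo "wrote $(count_blocked "$demo_out") blocked hosts to $demo_out"
rm -f "$demo_out"
```

In the cron job the stdin would come from the downloaded list (for example via `fetch -o - URL | write_ads_conf /var/unbound/ads.conf && reload_unbound`), and the generated file still has to be included from the unbound configuration on the box; how OPNsense wires that include, and whether /var/unbound survives an upgrade, is not something these posts answer.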