Messages - Ciprian

Pages: 1 ... 9 10 [11] 12 13 ... 19
151
17.1 Legacy Series / Re: How to give clients IP Address, Gateways and DNS using OPNSense?
« on: January 29, 2018, 09:06:34 am »
Quote from: fabian on January 27, 2018, 04:08:49 pm
A lot of SOHO routers use this network and if you plan to do a Site to Site tunnel, it will not work because the network would be overlapping.
If no VPN is planned, this network should work without issues as well.

True!

I highly doubt that there will be any S2S VPN involved... But if @agustinrojen foresees it, (s)he would act accordingly.

152
17.1 Legacy Series / Re: How to give clients IP Address, Gateways and DNS using OPNSense?
« on: January 27, 2018, 03:35:14 pm »
Quote from: agustinrojen on January 27, 2018, 12:06:36 pm
It has 4 ports LAN ports.

LAN1 -- LAN2 -- LAN3 --LAN/WAN

Where should I connect it? From modem to opnsense.

Theoretically, any of the 4, but I would go with LAN1, it will definitely work.

PS The last port is named LAN/WAN because your router is a mixed router: it can have WAN on a SIM (like it already does now) but can also be configured as a wired-only GW, WAN being also a UTP cable, in which case your last LAN port becomes the wired WAN port.

Still, try and see if you can configure your modem as a bridge. It would be perfect.
If not, at least in the modem configuration, try to DMZ OPNsense (192.168.254.110 - or whatever IP address will be in OPNsense for WAN)

153
17.1 Legacy Series / Re: How to give clients IP Address, Gateways and DNS using OPNSense?
« on: January 27, 2018, 03:25:40 pm »
@Fabian, why a static LAN IP + reconfiguring the DHCP, since by default OPNsense would auto configure static LAN + DHCP on 192.168.1.0/24 that would not overlap 192.168.254.0 on the WAN?

I ask this only because he states (repeatedly) that he's a novice in OPNsense/ networking, and leaving everything on default should do the trick perfectly for him, no fuss... :)

154
17.1 Legacy Series / Re: How to give clients IP Address, Gateways and DNS using OPNSense?
« on: January 27, 2018, 11:32:23 am »
I strongly advise you to do the following:

1. Reset OPNsense to its factory defaults.
2. Connect your devices this way: internet ->modem (WAN); modem (LAN) -> OPNsense (WAN); OPNsense (LAN) -> switch -> clients.

It will definitely work, and is secure by default. In fact, it is so secure that maybe (just maybe) it will get into DNSSEC issues with the DNS servers of your ISP. If this happens it looks like you did something wrong, but you didn't. Get back here so we can advise you accordingly, if that is the case.

Last but not least, I strongly encourage you to ask your ISP to put the modem in bridge mode and to tell you how the public IP address is allocated for that case.
If bridge mode for modem is not possible, try setting in the modem the WAN IP of OPNsense as DMZ.

Good luck, and cheers!

155
General Discussion / Re: How to open specific ports?
« on: January 26, 2018, 11:36:18 am »
A simple google search for "change dns forwarders windows server" returned first, foremost and on top:

    Setting up DNS Forwarding for Windows Server 2012 and 2012 R2

    From the Start menu, start typing DNS, then select DNS from the search results.
    Choose the server you want to edit, then select Forwarders.
    Click the edit button.
    Add OpenDNS addresses in the IP address list. ...
    Click OK once more.

Seems to be from a support page of OpenDNS. Replace "OpenDNS addresses" with the internal IP address of your OPNsense machine/ virtual appliance, and it should be OK.

Cheers!

156
General Discussion / Re: How to open specific ports?
« on: January 26, 2018, 09:07:44 am »
Quote from: Dzioobasek on January 26, 2018, 07:34:03 am
if opnsense have to be only dns then i have another problem because domain controller also have to be there :)

Of course. And you have 2 ways to solve that problem:

1. If you have already set OPNsense as the only DNS for the devices in your network, then create a domain override in Unbound so that DNS queries made for either your domain, or your internal IP address range, are forwarded to your domain DNS server(s) (your domain controllers having that role).

2. If all network devices have your domain DNS server set, then set OPNsense as the forwarder only in your domain DNS service.

Which of the 2 ways you choose depends on how difficult it is for you to change your DNS (and DHCP) settings for clients, or the DNS settings on the domain controller/ OPNsense.

PS If you choose the first, be very careful to set domain overrides for both forward (name to IP addresses) and reverse (IP addresses to names) DNS queries.

Reverse domain override example:
Domain 1.168.192.in-addr.arpa IP "your-domain-controller-internal-IP-address" will send to domain controller every query for "ping -a 192.168.1.XXX"

157
General Discussion / Re: Using same hardware as file server
« on: January 26, 2018, 08:46:33 am »
Quote from: fabian on January 25, 2018, 05:50:56 pm
Just a side note: OPNsense has an SSH server which supports SCP and SFTP (both are protocols for file access).
You can create a user that can use SSH to store files on the drive.

It's not just a side note at all, thank you for pointing in this useful direction. :)

158
General Discussion / Re: How do I setup OPNSense as a router?
« on: January 25, 2018, 10:20:26 am »
By default it should work, it creates all the necessary rules for complete access to internet (from LAN to WAN).

It is a very common situation with the DNSSEC default settings: DNSSEC is enabled and hardened, and most ISPs' DNS services don't cope well with DNSSEC, especially if hardened (so, not OPNsense's fault, since it tries to be as secure as possible).
Try disabling Hardened DNSSEC at first [Services: Unbound DNS: Advanced: "Harden DNSSEC data"], and if it still doesn't work, try disabling DNSSEC completely [Services: Unbound DNS: General: "Enable DNSSEC Support"].

It is an issue that will be addressed in the next major release (v. 18.1 - in a few days); I have opened a bug report on GitHub and the developers are taking action. :)

159
General Discussion / Re: How to open specific ports?
« on: January 25, 2018, 09:55:32 am »
Quote from: Dzioobasek on January 24, 2018, 11:58:21 am
I have found guilty ruleset ET open/emerging-policy it is. Even if its set on alert its blocking my joomla panel access, when i disable it is working and i can login. Its a bug?

"Policy" is the keyword here: the Policy ruleset contains rules regarding use policy (companies/ corporations). Be very careful with these sets, since they are organized as a template of rules, and as a template of enabled/ alert/ block patterns. Most likely, and by default, they are going to "break" things. Any ruleset should be activated on a "one-by-one rule" approach, and especially that type of ruleset.

So, I guess it's not a bug, it's a "different than template/ default" need.

160
General Discussion / Re: Using same hardware as file server
« on: January 25, 2018, 09:41:35 am »
Quote from: PCServices on January 23, 2018, 03:15:12 pm
I get the point about using separate machines but that means buying another computer or dedicated NAS, and the associated running costs, both in terms of power consumption and space to have it. As this computer is always on, has a multi-core CPU & plenty of RAM I would rather dual purpose the one set of hardware.

If you want to run both OPNsense and NAS software on your single machine, don't go "ready-made", go custom. First, search the web for expressions like "freenas and pfsense" etc. and you will get a good and close enough picture of how it has to be done.

I only strongly emphasize the idea that you would need much more powerful HW (CPU, especially) than the one found in ready-made solutions of NAS providers (Drobo, Synology, Asustor etc etc etc etc). These NAS providers are building their ready-made HW around storage tasks only (most of them, at least, and those which specify that they can do other "tricks" are way more expensive), which doesn't require too many FLOPS to get an excellent storage/ file server job done. But since you want to run, on top of and beside the NAS, at least a FW like OPNsense, and maybe you want to use most, if not all, of its functions (I'm thinking traffic shaping, IDPS first and foremost), you will definitely need much more processing power than for storage only.

And, since you are a photographer, maybe multimedia sharing with customers (photos and especially videos) for preview purposes wouldn't be something out of the usual. In that case, consider that if only streaming is involved, a decently priced "ready-made" NAS will do the trick; but maybe some customers will attempt to play those videos on devices that require a different format and/ or resolution, and then you will definitely need the most processing power available, since trans-coding is a very demanding task.

Also, since you have a NAS, maybe you would prefer your NAS to do some multimedia tricks (like HTPC stuff/ trans-coding) for yourself too (even if not for your customers).

I would dare to recommend you a HW machine based on a Ryzen CPU (at least the 1700 model), since it offers at a quite fair price enough powerful cores/ CPU + SMT (Hyper-Threading: two simultaneous threads per core) in order to dedicate enough CPU resources for the multiple Virtual Machines you might have. Intel is a very good option also, but for virtualization/ parallel resource allocation it would require server grade CPUs like Xeon (very pricey), since (yet) no desktop/ consumer CPUs (i7 included) offer more than 4 cores/ 8 threads (no go for virtualization), and those that do (i9) are "bank breakers". :)

Anyway, do your homework, do your research, choose wisely, and let us know what you chose, why, for what purposes, and how well it works for you.

Cheers!

161
17.1 Legacy Series / Re: OPNsense vs. pfSense article - any thoughts on that?
« on: January 25, 2018, 08:43:24 am »
I was 99,9% sure you are thinking about the redundancy offered by ZFS as the main reason to be used in OPNSense. ;)

Completely agree that ZFS provides redundancy, completely agree that ZFS is a very robust and resilient FS, but it is designed to make the data checks (immediately after the read of that data, on-the-fly check-ups) and periodic scrubs on storage considering that the data and/ or hashes in RAM are the correct ones. So, it implies that the RAM should be ECC RAM, so that no RAM errors would get pushed to storage as "correct", overwriting the really correct, but mistakenly considered as corrupted, data on storage.

If ZFS, and if production, you wouldn't risk a RAM failure being considered as a storage failure - multiple points of failure. Also, I guess many users wouldn't like to be "forced" to use ECC RAM in their HW setups - look at pfSense and the storm they provoked getting more and more pushy, hammering the "my way or the highway" approach on users.

I'm sure there are alternative ways to get redundancy on your OPNsense setup, and ZFS could be, IMHO, at most an option, not the only option.

162
General Discussion / Re: Using same hardware as file server
« on: January 23, 2018, 12:21:30 pm »
I was reading about some guys that installed a virtualization platform (ESXi, and last version of FreeNAS with integrated Docker support) and had 2+ VM (OPNsense being one of them) configured in a SDN/ Virtual Switch approach, but you really must know what you're doing, since the solution saves HW but seriously adds up administration overhead.

163
Tutorials and FAQs / Re: OPNSense as WiFi Client + WiFi access point + LAN Router
« on: January 23, 2018, 12:12:10 pm »
monstermania must be right, sorry for my first answer, I wasn't paying attention to the ath0 & ath0_wlan0 thing.

164
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 23, 2018, 12:06:42 pm »
Quote
Indeed, but we also have some advantages though, fiber cables in our homes, gigabit-ish bandwidth everywhere (not just in the country), DDNS (without software clients), most places the link quality is above average...
And I really do have these speeds most of the times, as in my signature, even though they are "best effort" links.

Exactly! This is the reason I said what other people around here would think of us, since we are complaining and qualifying as "crap" services and devices that offer like 10 to 20 times the medium bandwidth of Europe & America (as continents). And for less than 10$ NETO (final price). :D

Quote
I had to know, so I called them again, asked about the business links and devices, routing only modes etc. They use the same devices and firmware and modes for them as well. Oh well..

No, they're not: I know for sure that the business clients I service have a simple and straight Media Converter with only 2 ports: UTP and OF (and power supply, of course). No Wi-Fi antennae, no Web UI, no network services (DHCP, DNS etc...). MCs made to work in bridge mode only.
For residential services it's somehow understandable to use cheap, all-in-one devices, since without them 1) clients would perceive the service as incomplete (gone are the days when we used a single UTP internet link connected directly to a PC or laptop), and 2) 99.9% of residential clients would buy even crappier devices, like Tenda or Netis, since most of them are not choosy, nor experienced enough to tell the difference.

But I guess we're quite off-topic, and have been for quite a while, so let's get back to VPN + IDPS (or close the case) :)

165
17.1 Legacy Series / Re: OPNsense vs. pfSense article - any thoughts on that?
« on: January 23, 2018, 11:46:38 am »
Why do you want ZFS so badly? :)

I remember you asked for it in the past (or maybe I'm wrong, and wasn't you?), and I answered that ZFS has particular HW requirements without which it wouldn't bring any significant advantages over other file systems. Quite contrary, without those HW reqs ZFS has the potential to do more harm than good.

But maybe I miss some info, and your arguments would be really welcome.
